- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-20-2022 03:24 AM - edited 04-20-2022 03:34 AM
Hi All,
I have two PA-3020 that are HA setup, version 9.1.9.
Since the beginning of March, I have found that dynamic updates often fail. Strictly speaking, downloading images is normal. However, one firewall updates normally and the other fails to update, causing the two firewall versions to mismatch. But it does not always fail to update automatically, and the probability of occurrence is about 50%.
active one:
passive one:
At the beginning of April, we updated the firewall version to 9.1.12. After two weeks of observation, I found that the problem still exists.
If I install the image file directly, there will be an error.
At present my solution is: delete the downloaded image file -> manually download the image file -> manually install the latest version
How can I fix this problem?
Thanks.
04-20-2022 10:17 AM
It's not recommended to have both active/passive units set to use the same exact dynamic update scheduled, especially with sync-to-peer enabled. Offset these so that both units aren't kicking off at the exact same time.
04-20-2022 09:18 PM
Hi @DevonFan ,
"Sync-to-peer" is intended when the HA secondary has no path to the Internet from the management interface. I would disable it. Also, this article reiterates what @BPry said.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrnCAC
Thanks,
Tom
04-21-2022 02:26 PM
I recommend the same as @TomYoung : disable the sync-to-peer option and your problem should be solved. In order to have the updates installed as soon as possible, think about changing the update values to checks more often. Mainly the antivirus update foe the case when it is released at another time than normal. I do also the same for the apps and threats updates, but I configured a threshold to avoid problems with bugs in these updates. Only in situations of emergency updates or when important vulnerability signatures are released, I install the update manually prior to the threshold time specified.
04-21-2022 07:35 PM
Hi all,
Thanks for the suggestion, I'll modify it and see if it improves.
But I have another pair of firewall PA-820 and they have the same situation yesterday.
I'm wondering if it's the sync to peer settings that caused the installation to fail?
(Please ignore the miss of Antivirus on 4/20, there was a problem with network to Internet on that day and the download and update were not scheduled.)
04-21-2022 10:05 PM
Hi @DevonFan
In this case probably your disk is full. Try to remove the old content updates and also PAN-OS images. Here you can find some more information about cleaning the root partition: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaJCAS
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!