Unable Sync Configuration between HA Pair after downgrade from PANOS 10 to 9.1.7


L1 Bithead

Hello everyone.


I'm stuck in a bit of an odd situation here with my two PA-850 firewalls unable to sync between each other. 

Initially both firewalls were on PANOS 9.1.7, fully synced and with the configuration backed up.

The problem occurred because I upgraded the secondary-standby unit all the way to 10.1.6-H6 and then had to roll back to 9.1.7. The primary-active unit was not touched during this process. After having the secondary-standby unit rolled back to 9.1.7, I noticed that I was not able to sync the running config between the two firewalls.


Palo TAC unfortunately haven't been very useful, and despite providing tech-support files of both firewalls, the assigned engineer failed to notice the problem. Researching further into the issue, I came across the 'show high-availability all' command, which helped reveal the problem:

Configuration Synchronization:
Enabled: yes
Running Configuration: not synchronized
Out-of-sync Reason: Version mismatch with Peer for DLP


After sharing this with Palo TAC, they suggested upgrading both firewalls to 9.1.8, as the auto-deletion of the DLP directory/plugin on downgrade to 9.1 is only fixed in 9.1.8. So I upgraded the secondary-standby firewall unit to 9.1.8 and restored the original 9.1.7 configuration to it; however, the problem still persists.

I don't want to upgrade the Primary-Active unit at all, until this situation is resolved.


Can anyone provide some guidance or assistance?


Many thanks,
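A small parser for the 'Configuration Synchronization' block of 'show high-availability all', added here as an example and not part of the original post: it extracts the fields and classifies the out-of-sync reason, so a plugin version mismatch like the DLP case above can be flagged by a monitoring job instead of being missed in a tech-support file. The sample output is constructed from the excerpt quoted above, and the field names and reason string are assumed to match that excerpt.

```python
import re

# Constructed sample, modelled on the 'show high-availability all' excerpt quoted in the post;
# a following section is included to show where the parser stops.
SAMPLE_OUT_OF_SYNC = """\
Configuration Synchronization:
Enabled: yes
Running Configuration: not synchronized
Out-of-sync Reason: Version mismatch with Peer for DLP
Link Monitoring:
Enabled: yes
"""

# Reason string as quoted in the post; the group captures the plugin name (DLP here).
PLUGIN_MISMATCH = re.compile(r"Version mismatch with Peer for (\S+)", re.IGNORECASE)

def parse_config_sync(text):
    """Return the fields of the 'Configuration Synchronization' block as a dict."""
    fields, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Configuration Synchronization:":
            in_block = True
            continue
        if not in_block:
            continue
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            break  # blank line or the next section heading ends the block
        fields[key.strip()] = value.strip()
    return fields

def assess_sync(fields):
    """Classify the block as ('ok' | 'disabled' | 'plugin-version-mismatch' | 'out-of-sync', detail)."""
    if fields.get("Enabled", "").lower() != "yes":
        return ("disabled", None)
    if fields.get("Running Configuration", "").lower() == "synchronized":
        return ("ok", None)
    reason = fields.get("Out-of-sync Reason", "")
    match = PLUGIN_MISMATCH.search(reason)
    if match:
        # Plugin present on one peer only, as with DLP in the post: flag it by name.
        return ("plugin-version-mismatch", match.group(1).upper())
    return ("out-of-sync", reason or None)

def check_ha_output(text):
    """Convenience wrapper: raw CLI text in, (status, detail) out."""
    return assess_sync(parse_config_sync(text))
```

Run check_ha_output() over the saved output of each peer; a 'plugin-version-mismatch' result names the plugin to reconcile before retrying the sync.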

L1 Bithead

Just thought I'd reply and post back the solution I tried and worked for me.


To cut a long story short, I upgraded the secondary-standby firewall to 10.0.0, manually removed the DLP plugin using the CLI command "request plugins uninstall dlp", then downgraded to 9.1.7 and it worked as expected.  I could sync configuration between the two firewalls again.


TAC support was not helpful, as I ended up finding the root cause and took a different approach to the one they provided (which was to upgrade both firewalls to 9.1.8, which wouldn't have worked anyway).


Thanks.

Hi @cpartsenidis ,

Thanks for sharing your experience. Can you share the reason why you rolled back from 10.1 to 9.1?

Apologies - I should have made it clear why I rolled back. I upgraded the secondary standby unit from 9.1.7 all the way to 10.1.6-H6 but then couldn't fail over because of the major differences in the PANOS versions, so I wanted to roll back the change and start again, but hit the issue of the two firewalls being unable to sync their config even after the secondary standby unit was back on 9.1.7.


The reason they were unable to sync was the DLP plugin, which gets installed from PANOS 10.0 onwards 😉


Hope that makes it clear now.


Cheers,

Cyber Elite

@cpartsenidis,

Just going forward: I know a lot of people don't like the maintenance window required to properly upgrade multiple major versions in an HA pair, but you really shouldn't allow the peer members to be more than one major version apart.

There are plenty of people that do exactly as you've done and then just bring the primary firewall on the older code down manually and remove it to get it back in sync with the updated secondary firewall. There's additional risk when you follow this process that I'm not personally a fan of if you have the choice of just extending the maintenance window to walk them both through the required upgrades.
