when in process of upgrading OS for pa-500 active/passive pair, on the passive devic i upgraded from 7.115 -- 8.0.0(download)-->8.0.20(install) -->8.1.0(download) -->8.1.12(install)
now passive device is 2 major os version ahed , looking for ideas how can I perform upgrade on active ideas. now if i enable HA , i think one device being ahead of 2 major os version and preemption enabled it will cause all sort of weird issues any smart ideas other then downgrading passive device .?
Best practice, is to fail traffic to the passive as the first step after disabling pre-empt(personally I have it off all the time anyway.)
Then step through each iteration, switching firewalls at each step to confirm the upgrade is successful and traffic still passes.
From what you say you have upgraded the passive all the way in one go. You could disable pre-empt now and fail the traffic over and see if it works but your more likely to see and issue.
Better option would be to downgrade the passive and then fail over to it and do one step at a time on each. That way they are only ever one version different be it Major, Minor or Increment.
as long as one device is at a higher version, it will be 'non-functional' and the lower version member will be active
preemption will not interfere here
the only way to change that is by suspending the passive member, so you can upgrade it while the already ugraded member takes the traffic
as soon as you unsuspend the lower version member it will take on the active role
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!