Upgrade PanOS On/Off Site Spare failure

Reply
Highlighted
L3 Networker

Upgrade PanOS On/Off Site Spare failure

Hi all,

 

Figured I'd ask here before contacting support. Last weekend I upgraded my production PA's from 9.0.9 to 9.1.5. Everything went smooth. Due to company requirements we are to upgrade the software on the OSS box, yet it fails with content update.

 

Capture1.PNG

I have downloaded the latest content, panupv2-all-apps-8336-6373, and was able to upload it through the GUI. When I hit OK to apply it it first comes up with this

 

Capture2.PNG

 

I click Yes, and then it comes up with this

Capture3.PNG

 

I am kind of stumped here. Any input would be appreciated.

____________________

Just another I.T. Guy


Accepted Solutions
Highlighted
L3 Networker

@BPry 

 

Thanks for your input, it did lead me down the correct path, though inadvertantly. Show all jobs didn't show anything. I checked both the masterd and paninstaller logs, but didn't find anything that stuck out to me.

 

What I did do was make a change to the configuration and commit it. It came back with a  commit failure, use 'commit force'. Something about auto-commit stuck failure. Ok, so I go into the cli and do a commit force, it came back with some validation errors due to the absence of licenses for some of my objects, "URL Filtering" to be exact. Once I removed the objects causing the validation error, I was able to commit the configuration. After that I was able to commit the panupv2-all-apps-8336-6373 update. Then after that I was able to go from 9.0.9 to 9.1.5.

 

This command was very helpful in the debugging of the issue, 'tail follow yes mp-log ms.log'

____________________

Just another I.T. Guy

View solution in original post


All Replies
Highlighted
Cyber Elite

@VincentPresogna 

 

Please read below url it explains if device is registered as OSS then it will not work as design

 

https://live.paloaltonetworks.com/t5/general-topics/on-site-spare-using/m-p/289087#M76931

 

Regards

 

 

MP
Highlighted
L3 Networker

Thanks, but that doesn't answer anything. According to this, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltxCAC, under the Maintaining the OSS device section it states, "The following steps will keep the OSS on the same PAN-OS release as the production device. Perform these steps each time the production device is upgraded."

 

So why does step 2 fail?

____________________

Just another I.T. Guy

Highlighted
Cyber Elite

@VincentPresogna 

 

First check how your OSS device is registers under PA support website?

That link does not work for me.

 

Regards

 

MP
Highlighted
L3 Networker

It is registered, and has been since I received it. I have followed this procedure before with out issue. Don't know why you can see the link.

____________________

Just another I.T. Guy

Highlighted
Cyber Elite

@VincentPresogna,

So I'd actually seperate this from being an OSS device; it sounds like you're following instructions and you're using the apps only bundle so you're good there and that wouldn't cause this issue. 

On the OSS box if you run show jobs all is there anything pending or in progress when you attempt to schedule the install? Usually I would point you towards the masterd_detail and the paninstaller_content logs, but since you aren't even getting it to schedule I'd just look at the masterd_detail logs. 

Highlighted
L3 Networker

@BPry 

 

Thanks for your input, it did lead me down the correct path, though inadvertantly. Show all jobs didn't show anything. I checked both the masterd and paninstaller logs, but didn't find anything that stuck out to me.

 

What I did do was make a change to the configuration and commit it. It came back with a  commit failure, use 'commit force'. Something about auto-commit stuck failure. Ok, so I go into the cli and do a commit force, it came back with some validation errors due to the absence of licenses for some of my objects, "URL Filtering" to be exact. Once I removed the objects causing the validation error, I was able to commit the configuration. After that I was able to commit the panupv2-all-apps-8336-6373 update. Then after that I was able to go from 9.0.9 to 9.1.5.

 

This command was very helpful in the debugging of the issue, 'tail follow yes mp-log ms.log'

____________________

Just another I.T. Guy

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!