Hi to all,
We've two Palo Alto firewalls PA-2020 with 3.1.6 software image version and HA licensed. Both have active gold maintenance support. Last week we tried to update to the last version 4.0.4 and the upgrade process failed.
We started with the first firewall, downloading the image base 4.0.1 version, and all was ok. We didn't install it because, in theory, it's not necessary.
We downloaded the 4.0.4 image version and all was ok.
We installed the 4.0.4 image version from the https web interface. The Palo Alto informed us that the whole process was ok and asked for a reboot. Then problems started.
The starting process took - more or less - 10 minutes, and when we logged in to the https web interface the Palo Alto firewall was showing a red balloon and saying in eternum "System not yet ready" (see paloalto-erro-p0.jpg image attached). Also we could see at the system logs widget "Autocommit job failed" for a lot of entries.
The firewall never started fine, so we thought it was a good idea to try another hot reboot by going to the Device tab -> Setup and then clicking on "Reboot device" at the web interface.
Step 5: No luck. It was even worse, we couldn't log in to the https web interface. It wasn't available. Only the power LED light was on (see paloalto-error-p3.jpg image attached). So, we connected a laptop to the console port. We noticed that the firewall was stopped at the line
"Generating SSH2 DSA host key"
We discovered later that if you wait some time and press enter the loading process continues and you will see some FAILED errors (see paloalto-error-p2.jpg and paloalto-error-p1.jpg images attached).
We asked for localized Palo Alto support (case number 5793 at Exclusive Networks in Spain) and they recommended restoring the factory image base through the CLI and maintenance interface.
We restored the factory image and then the xml backup configuration. Now all is ok at the 3.1.6 image version but some questions arise:
I've read some similar issues at this forum with the 4.0.4 version so,
Is it better to upgrade to the 4.0.1 -> 4.0.3 and wait for another release?
Thanks in advance.
PS: I also have the tech support file if needed.
Your issue is actually different from the one mentioned in another post here.
For that case, the user couldn't even start the installation.
For your case, actually you were at the final stage of the upgrade. Please keep in mind that upgrading from 3.1.x to 4.0.x will take some time as we need to convert the existing DB structure. I will say if possible, try to wait for 20-30 mins. If it still cannot complete, keep the box at that status and request our support to remote access it for a look.
The autocommit failures would provide useful data in determining the root cause of the delay in booting the device.
Using the following command can help determine what failed in the auto-commit:
show jobs id <job #>
The output of this command will help determine if there is an issue with the configuration that can be addressed without having to reset the device.
If you upgrade from one version to another you can revert to the previous version using the following commands:
debug swm revert
request restart system
This is usually faster than doing a factory reset.