Upgrading 4.07 to 4.1.2 in HA environment

Reply
Highlighted
L0 Member

Thanks, followed your document to perform the upgrades on our PA-500 HA Pair.  Much appreciated.

Highlighted
L2 Linker

Hello everyone,

I wanted to upgrade our PAN 2050 yesterday evening from 4.1.8 to 5.0.1
directly and had issue with error message on my active unit seeing that (peer
non functional and peer version no compatible or not the same as local,
something like that).

After searching and didn't find any doc that explain the process upgrade
from 4.1.x to 5.0.X I did a downgrade, and today I saw this discussion that is
very helpful. do you thing that I have follow the same process described here
to upgrade to 5.0.1 and do you thing that is really mandatory to pass first by
5.0.0 before going to 5.0.1.?

Thanks for your help

BES

Highlighted
L5 Sessionator

Hi BES,

When upgrading to a major release in you case from 4.1.8 to 5.0.1 you have to always install the base release of the Major release.

So in other words when upgrading from 4.1.8 you first have to download 5.0.0 and then download and install 5.0.1.

Hopefully this helps.

Thank you

Numan

Highlighted
L2 Linker

Thanks for your quick answer, but in fact I already did that, i mean I downloaded on both my devices active and passive first v5.0.0 (without installing as was specified by the device, just download) and after that I downloaded the v5.0.1 and installed on passive unit, but after the reboot of the passive unit I had the status non fonctional and on the active I saw the HA status ( something like peer non fonctional (peer version nocompatible or mismatch) so I did the downgrade.

Could be very helpfull from Palo to have a official process or doc for that, I really dont understand way there is no doc for that.

thanks alot

BES

Highlighted
L3 Networker

Here is a nice 'how to' doc:

https://live.paloaltonetworks.com/docs/DOC-4043

Cheers,

Mike

Highlighted
L2 Linker

Hello,

Thanks for the link, but I followed the process described on
this doc till point 4. And I had the status of the HA (no fonctional “peer
version mismatch or not the same”)  and
at this point my understanding is that the HA is not functional and if I went
to point 6  to suspend the second device I
have had a loss of connectivity and didn’t know if the upgraded device will
take the active role and if yes after how many time, as I didn’t plan on this
evening any downtime of our internet line I did a rollback

  1. First suspend the active unit
    from the CLI run the command:
    > request high-availability state suspend

    or

    From the GUI go to Device > High Availability > Operations > Suspend
    local device.

    Note: This will cause an HA failover. It is recommended to do this first
    to verify the HA functionality is working before initiating the upgrade.
  2. Verify network stability on
    the new active device with the previously active device suspended.
  3. Install the new PAN-OS on the
    suspended device, then reboot the device to complete the install.
  4. When the upgraded
    device is rebooted, the CLI prompt should show
    passive
    (or non-operational, if on a different major release ie 4.0 to 4.1) and the
    PAN-OS version should reflect the new version.
  5. On current passive device,
    verify auto commit completes successfully (FIN OK) by running command:
    show
    jobs all
    before proceeding to the next step.
  6. Suspend second device (should
    be current active device).
  7. Upgrade the second device,
    then reboot it. When second device restarts, the first device that was already
    upgraded takes over as
    active.
  8. As HA functionality was
    verified (step 1) and the config was successfully pushed to the dataplane on
    the new PAN-OS (step 5), the failover should be seamless.
  9. When the second unit reboots
    it will come up as the passive unit. Validate the auto commit completes on this
    device by running command:
    show jobs all
    on this device (as done in step 5) to complete the upgrade. The original active
    device before the upgrade will be the active device now.

Thanks for your comment

BES

Highlighted
L3 Networker

I get why you'd be concerned, and the document could be improved by describing what is expected to happen at step 6.  As you stated, it appears like you have a broken cluster and so FUD creeps in and so you are reluctant to pull the trigger and finish the upgrade.

In reality, all is well and when you suspend the active device at step 6, the newly upgraded device will take over, it just isn't documented or explained anywhere that I've seen.  You might drop a couple of pings but that's it.

I'd like to hear from PAN support to explain what's going on at step 6.  If I had to guess, it would have something to do with the HA interfaces being smart and taking action on the cluster, even though it looks broken at the time.

Open a support case and talk to them about it, then give it a shot!

Cheers,

Mike

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!