5.2.5 has a nasty bug which has affected a few hundred remote worker staff as we rolled it out.
Problem 1 - Hotfix now available
The IP6 and IP4 conflict for DNS resolution when sending AAAA and A requests
Problem 2 - Hotfix is seen as older version and will not auto update users
We then see the Hotfix is released to fix this issue, however the Hotfix is seen as a LOWER version of 5.2.5.
It doesn't deploy from the firewall with Allow Transparent upgrade.
When you do the MSI it says there is a new version of GlobalProtect already installed!
Can Palo Alto Fix this?
Other random Problem related to this
We also tested rolling out to 5.2.5 on a number of users with no issues, except that anyone on 5.2.4 got caught in an update/download loop with allow transparent upgrades.
I think reading the Hotfix notes this is fixed, but not a major problem for us as we only had a small number of users on 5.2.4.
I personally can't wait for 5.2.6 but part of me tells me this will have major issues given the recent disruption 5.2.5 has given us!
This has caused so much stress for all afflicted by this. Maybe Palo Alto can widen their test pools to avoid such issues?
I totally agree with your post. We have lots of issues on GlobalProtect 5.2.5. Split tunnel, Captive Portal, Client sometimes locks access to the network, repair issues. I just wish Palo Alto put in the time and effort to make sure their next client release is well tested and works as advertised. There should be at least one client release that works without issues.
I was able to research this a little... and found this info:
You cannot directly run 5.2.5-c84 on top of another 5.2.5 because they are the same product id and on the same release.
The only way you can upgrade to 5.2.5-c84 from another 5.2.5-x is to uninstall the old 5.2.5 first, and then install 5.2.5-c84. But if it is using portal upgrade, it will be OK.
Furthermore, if the machine has 5.2.4 or an older release installed and you run 5.2.5-c84 on top of it, it should be OK. But again, there is always some risk in directly clicking on an MSI if you have GP running already; you also need to be sure the user has administrative privilege.
Directly clicking on the MSI should only be recommended for the initial installation when there is no other GP on the system.
I hope this helps a little
To me it sounds like a bug. How am I supposed to update 3700+ laptops in the field in an enterprise environment where users do not have admin rights? With remote working we have 200+ users we cannot really call into sites. (We are disabling IP6 as a quick fix on both PANGP and the wifi adapters!)
We opted to use the firewalls to update so users have a brief disconnect/reconnect upon logon before they got too engrossed in work.
Once we started getting a number of calls in we stopped the updates to users, but as the bug is so random it can affect a working user halfway through the day, or allow a broken user to come to life halfway through the day, whereas some users are permanently broken.
Extremely frustrating, this hotfix not being a newer version than its major release version. Please Palo Fix!
As an update... not sure about the release of 5.2.6, but for now here is a KB article that talks about the upgrade here: