07-17-2024 02:47 AM - edited 07-17-2024 02:49 AM
Hi,
We recently upgraded our Palo Alto 1410 Firewall to PAN-OS-11.1.2-h3 from PAN-OS-11.0.4-h1.
After Upgrade there was no incoming traffic from external networks. There were no hits or logs showing incoming traffic.
Internet Outbound traffic was going through normally.
IPSEC VPN tunnels were working normally.
Support team checked and wanted us to downgrade to the previous version.
Is this a bug in PAN-OS 11.1 ?
Has anyone ever faced this issue after PAN-OS upgrades ?
Should we install the base image for 11.1 before we upgrade to 11.1.2-h3?
Any ideas and suggestiions are welcome.
Thanks
Hari
07-18-2024 01:42 AM
Can't say i've encountered this issue before due to a bug, but have seen similar things happen due to ARP issues. have you checked upstream MAC and ARP tables, are arp requests for the public IP of the firewall being replied to when inbound packets arrive, are tables updated accordingly?
you could set up packetcapture and follow global counters to see what is happening on the firewall side, also packewt capture the upstream device and see what's going on
in regards to upgrading: you don't need to install the base image, it just needs to be downloaded for you to be able to install maintenance packages
07-18-2024 02:40 AM
Thanks for the update. We hace asked for support from Palo Alto as well. Once i successfully upgrade our 11.0 image to 11.1 image, will keep you updated on the procedure.
07-19-2024 09:06 AM
Hello,
Please have the support team open a ticket with engineering to have them take a look into the issue and obtain the next steps from them. Also as mentioned earlier, base image only needs to be downloaded during the upgrade process.
Thanks,
07-28-2024 10:27 PM
Hi,
No incoming traffic after trying to upgrade 3 different versions of PAN-OS with PA1410 firewall.
On all the 3 occassions we had to revert back to the version which was running on the firewall.
There were no log hits on the "Monitor" showing incoming traffic.
We did see some icmp traffic but not http / https traffic.
From PANOS 11.0.2-h2 to PANOS 11.1.0 - no incomming traffic after upgrade
From PANOS 11.0.4-h1 to PANOS 11.1.2-h3 - no incomming traffic after upgrade
From PANOS 11.0.4-h1 to PANOS 11.0.5 - no incomming traffic after upgrade
We were able to upgrade a version inbetween from 11.0.2 to 11.04 without any issues.
Palo Alto support is still working on the issue.
Any ideas ?
Thanks
Hari
08-23-2024 11:44 AM
I have the exact same issue on a PA-1410 HA pair. ARP is not updating. If you are in a HA pair, clear the arp manually and see that the arp table is no longer populated after the upgrade.
I've upgraded from 11.0.4-h1 to 11.0.5 (no arp), same for 11.0.4-h1 to 11.1.4-h1 (no arp). Something is seriously wrong, I guess it's PA-1410 related.
08-28-2024 10:37 AM
this issue has been fixed in 11.1.2-h9 release.
I'm running 11.1.2-H3, traffic is available with no issues.
09-04-2024 08:33 AM
I'm running 11.1.2-h3, and I see no logs in my Panorama instance. We did try to upgrade to 11.1.2-h9, and we got an error:
We opened a case with TAC, and they said we need to wait until 11.1.5 comes out.
09-04-2024 09:03 AM
The error message you’re encountering during the installation of PAN-OS 11.1.2-h9 on your Palo Alto firewall points to a problem in the validation script, specifically an UnboundLocalError caused by a variable cdate being referenced before it's assigned. try this:
Cancel Pending Jobs: Even though you mentioned nothing pending, double-check that there are no pending jobs or incomplete installations.
Check and Clean Installation Directory: If applicable, look for and clean up old installation directories or files in /opt/panrepo/releases/.
i'm running the 11.1.2-H9 on my new 1420 in HA with traffic flowing.
09-04-2024 09:18 AM
Thanks!
On Step 2 and 3, do you have a list of commands to run for those?
09-04-2024 09:46 AM
Step 2:
pending, running, or stalled.Step 3:
List Directory Contents:
ls /opt/panrepo/releases/
Check Disk Space:
show system disk-space
Remove Old Files (Be Cautious):
rm -rf /opt/panrepo/releases/old-version-directory
Verify Current Software Version:
show system info
Check for Ongoing Jobs:
show job all
Always be cautious when using rm -rf as it can permanently delete files and directories. Ensure you only remove files or directories that are no longer needed and not required for current operations. If in doubt, consult Palo Alto Networks support or documentation. good luck
09-04-2024 10:09 AM
I appreciate it. Looks like Step 2 is squared away. However, when running any ls commands, I get this:
admin@PAN-01> ls
Unknown command: ls
admin@PAN-01>
09-04-2024 10:48 AM
i think the ls command is accessed on the Shell level on PA, which is disabled and only TAC can have access to it.. this to prevent the rm -rf commands from being executed. i think if you need the list you might need to have TAC check on it for you. the PAs can be rooted, but it will void your warranty and support which I'm sure you don't want. so if the command did not work it is because of the root access limitation.
09-23-2024 05:07 AM
Hi,
i am also experiencing a similar issue:
Our panorama is on 11.0.5. When we want to upgrade, we are receiving the following error message:
Failed to install 11.1.4-h1 with the following errors.
SW version is 11.1.4-h1
Nothing pending to cancel
Error: Traceback (most recent call last):
File "/opt/panrepo/releases/11.1.4-h1/validate", line 359, in <module>
(min([dts['min'] for dts in log_type_intv_dir.values() if dts['min']]).strftime('%Y-%m-%d'),
ValueError: min() arg is an empty sequence
Failed to install version 11.1.4-h1 type cms
Any ideas? I also opened a TAC case. Unfortunately they did not found a solution yet.
09-23-2024 05:14 AM
i think you need to download 11.1.0 before you jump from 11.0.5 to 11.1.4-h1. do you have 11.1.0 downloaded in Panorama.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
