10-01-2024 08:17 AM
Hello,
i'm stuck while upgrading panorama to 11.1.4-H1, to be honest, every next release after 11.1.2-H4 (that is my current version) is showing the following errors:
2024/10/01 14:33:17 14:33:17 4802617 SWInstall FIN FAIL 14:33:21
Warnings:
Details:Failed to install 11.1.2-h9 with the following errors.
SW version is 11.1.2-h9
Nothing pending to cancel
Error: Traceback (most recent call last):
File "/opt/panrepo/releases/11.1.2-h9/validate", line 357, in <module>
(min([dts['min'] for dts in log_type_intv_dir.values() if dts['min']]).strftime('%Y-%m-%d'),
ValueError: min() arg is an empty sequence
Failed to install version 11.1.2-h9 type cms
</result></response>
in the logs below you see 11.1.2-h9, but it happens with every release to the 11.1.4-H1 icluded
i don't know how to fix this issue, i tried both on cli and gui, furthermore, 11.1.4-H1 is the version needed to fix this bug PAN-257615, which is not alllowing me to see any logs from panorama after upgrading from 10.2.8.
Do you have any tips?
Thank you
10-21-2024 08:01 AM - edited 10-21-2024 08:02 AM
Hi, gents. There is a solution. You may need to help your TAC engineer so they can find the solution. Ask them to review case#: 03253466 (notes below:)
"I have gone through the error that you have shared. This issue is because of the old indices in the elastic search, and it can be removed by logging into the root.
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown secure setting [xpack.security.transport.ssl.secure_key_passphrase] please check that any required plugins are installed, or check the breaking changes documentation for removed settings at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.8.23.jar:6.8.23] at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.8.23.jar:6.8.23
Also, I have gone through the following article.
https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-upgrade-panorama-to-11-1-4-h1/td...
There is a workaround and there are other PAN-OS targeted fixes for this issue.
Thanks and Regards,
Vignesh S R | Palo Alto Networks Technical Support | PCNSE
Technical Support Team"
TAC was able to resolve our elastic search conflict and we are clear to upgrade. We scheduled our upgrade for 11/2. But if you need to fix the issue urgently please refence the notes above in itallic and discuss with your TAC engineer for resolution.
Let me know if you have any questions. Glad to provide assistance.
10-01-2024 01:02 PM
Hello @MAerre
The issue has already been identified, and a fix will be applied in the upcoming release of version 11.1.5, scheduled for 10/10.
Regards
10-11-2024 02:54 AM - edited 10-11-2024 02:59 AM
Hi @jpomachagua,
i checked the release update but i'm still not able to see the 11.1.5.
Do you know when it will be scheduled?
I'm still stuck with the upgrade.
Thank you
Regards
10-15-2024 09:22 AM
Hi, we are going through this same nightmare. Where did you find reference to the 11.1.5 version? We had to downgrade back to 11.0.4-h2 and now have no Panorama logs because elasticsearch keeps restarting in a loop.
10-16-2024 01:55 PM - edited 10-16-2024 01:56 PM
Palo Alto has a solution for the elastic search problem, reach out to TAC, Esteban Carvajal was especially helpful, and his professionalism was top notch if you have problems with elasticsearch and logs. It turns out the problem for elastic search only arises when DOWNGRADING from 11.1.* to 11.0.*, 10.2.* or 10.1.*
To identify if it is the same issue preventing logs from populating in Panorama after downgrading Panorama software version, run the following command: "show system software status | match elasticsearch"
It will return: "Process elasticsearch running (pid: <####>)" Then run the same command again, if the pid # changes then it is the same issue described. Reach out to TAC and let them know you need them to root in to fix the elasticsearch restart loop.
10-18-2024 04:23 PM
I'd like to inform everyone that the 11.1.5 version has been released.
Regards
10-20-2024 11:31 PM
Thanks. Unfortunately the Update still is not installable for us:
Failed to install 11.1.5 with the following errors.
SW version is 11.1.5
Nothing pending to cancel
Error: Traceback (most recent call last):
File "/opt/panrepo/releases/11.1.5/validate", line 399, in <module>
(min([dts['min'] for dts in log_type_intv_dir.values() if dts['min']]).strftime('%Y-%m-%d'),
ValueError: min() arg is an empty sequence
Failed to install version 11.1.5 type cms
We have a TAC ticket open since two weeks but still no solution. We are extremely pissed.
10-21-2024 12:42 AM
Hi, same issue here. let us know if you find a solution.
10-21-2024 08:01 AM - edited 10-21-2024 08:02 AM
Hi, gents. There is a solution. You may need to help your TAC engineer so they can find the solution. Ask them to review case#: 03253466 (notes below:)
"I have gone through the error that you have shared. This issue is because of the old indices in the elastic search, and it can be removed by logging into the root.
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown secure setting [xpack.security.transport.ssl.secure_key_passphrase] please check that any required plugins are installed, or check the breaking changes documentation for removed settings at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.8.23.jar:6.8.23] at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.8.23.jar:6.8.23
Also, I have gone through the following article.
https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-upgrade-panorama-to-11-1-4-h1/td...
There is a workaround and there are other PAN-OS targeted fixes for this issue.
Thanks and Regards,
Vignesh S R | Palo Alto Networks Technical Support | PCNSE
Technical Support Team"
TAC was able to resolve our elastic search conflict and we are clear to upgrade. We scheduled our upgrade for 11/2. But if you need to fix the issue urgently please refence the notes above in itallic and discuss with your TAC engineer for resolution.
Let me know if you have any questions. Glad to provide assistance.
10-26-2024 01:43 PM
Hello,
unfortunately even with 11.1.5 there's always the same error, i had to open a tac to fix
10-26-2024 01:45 PM
Hi @RodyDeLaRosa ,
thanks for the advice.
at the end i had to raise a case too, the tac engineer logged to root and cleaned the elastic search, after that i was able to install 11.1.4-H1 version.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
