Unable to upgrade Panorama to 11.1.4-H1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unable to upgrade Panorama to 11.1.4-H1

L2 Linker

Hello,

 

i'm stuck while upgrading panorama to 11.1.4-H1, to be honest, every next release after 11.1.2-H4 (that is my current version) is showing the following errors:

 

2024/10/01 14:33:17 14:33:17 4802617 SWInstall FIN FAIL 14:33:21
Warnings:

Details:Failed to install 11.1.2-h9 with the following errors.
SW version is 11.1.2-h9
Nothing pending to cancel
Error: Traceback (most recent call last):
File "/opt/panrepo/releases/11.1.2-h9/validate", line 357, in <module>
(min([dts['min'] for dts in log_type_intv_dir.values() if dts['min']]).strftime('%Y-%m-%d'),
ValueError: min() arg is an empty sequence

Failed to install version 11.1.2-h9 type cms


</result></response>

 

MAerre_0-1727795650578.png

 

in the logs below you see 11.1.2-h9, but it happens with every release to the 11.1.4-H1 icluded

 

i don't know how to fix this issue, i tried both on cli and gui, furthermore, 11.1.4-H1 is the version needed to fix this bug PAN-257615, which is not alllowing me to see any logs from panorama after upgrading from 10.2.8.

 

Do you have any tips?

Thank you

1 accepted solution

Accepted Solutions

L2 Linker

Hi, gents. There is a solution. You may need to help your TAC engineer so they can find the solution. Ask them to review case#: 03253466 (notes below:)

 

"I have gone through the error that you have shared. This issue is because of the old indices in the elastic search, and it can be removed by logging into the root.

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown secure setting [xpack.security.transport.ssl.secure_key_passphrase] please check that any required plugins are installed, or check the breaking changes documentation for removed settings at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.8.23.jar:6.8.23] at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.8.23.jar:6.8.23

Also, I have gone through the following article. 
https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-upgrade-panorama-to-11-1-4-h1/td...
There is a workaround and there are other PAN-OS targeted fixes for this issue.

Thanks and Regards,
Vignesh S R | Palo Alto Networks Technical Support | PCNSE
Technical Support Team"

 

TAC was able to resolve our elastic search conflict and we are clear to upgrade. We scheduled our upgrade for 11/2. But if you need to fix the issue urgently please refence the notes above in itallic and discuss with your TAC engineer for resolution.

 

Let me know if you have any questions. Glad to provide assistance. 

 

Roderick De La Rosa, PCNSA
Information Security Analyst

View solution in original post

11 REPLIES 11

L3 Networker

Hello @MAerre 

 

The issue has already been identified, and a fix will be applied in the upcoming release of version 11.1.5, scheduled for 10/10.

 

Regards

Jorge Pomachagua
PCNSE, PCNSC.

Hi @jpomachagua,

i checked the release update but i'm still not able to see the 11.1.5.

Do you know when it will be scheduled?

I'm still stuck with the upgrade.

 

Thank you

Regards

L3 Networker

Hello @MAerre 

 

The release has been postponed to 17/10.

 

Regards

Jorge Pomachagua
PCNSE, PCNSC.

L2 Linker

Hi, we are going through this same nightmare. Where did you find reference to the 11.1.5 version? We had to downgrade back to 11.0.4-h2 and now have no Panorama logs because elasticsearch keeps restarting in a loop.

Roderick De La Rosa, PCNSA
Information Security Analyst

L2 Linker

Palo Alto has a solution for the elastic search problem, reach out to TAC, Esteban Carvajal was especially helpful, and his professionalism was top notch if you have problems with elasticsearch and logs. It turns out the problem for elastic search only arises when DOWNGRADING from 11.1.* to 11.0.*, 10.2.* or 10.1.*

 

To identify if it is the same issue preventing logs from populating in Panorama after downgrading Panorama software version, run the following command: "show system software status | match elasticsearch"

 

It will return: "Process elasticsearch running (pid: <####>)" Then run the same command again, if the pid # changes then it is the same issue described. Reach out to TAC and let them know you need them to root in to fix the elasticsearch restart loop.

Roderick De La Rosa, PCNSA
Information Security Analyst

L3 Networker

I'd like to inform everyone that the 11.1.5 version has been released.

 

Regards

Jorge Pomachagua
PCNSE, PCNSC.

Thanks. Unfortunately the Update still is not installable for us:

 

Failed to install 11.1.5 with the following errors.

SW version is 11.1.5

Nothing pending to cancel

Error: Traceback (most recent call last):

File "/opt/panrepo/releases/11.1.5/validate", line 399, in <module>

(min([dts['min'] for dts in log_type_intv_dir.values() if dts['min']]).strftime('%Y-%m-%d'),

ValueError: min() arg is an empty sequence

 

Failed to install version 11.1.5 type cms


We have a TAC ticket open since two weeks but still no solution. We are extremely pissed.

Hi, same issue here. let us know if you find a solution.

L2 Linker

Hi, gents. There is a solution. You may need to help your TAC engineer so they can find the solution. Ask them to review case#: 03253466 (notes below:)

 

"I have gone through the error that you have shared. This issue is because of the old indices in the elastic search, and it can be removed by logging into the root.

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown secure setting [xpack.security.transport.ssl.secure_key_passphrase] please check that any required plugins are installed, or check the breaking changes documentation for removed settings at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.8.23.jar:6.8.23] at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.8.23.jar:6.8.23

Also, I have gone through the following article. 
https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-upgrade-panorama-to-11-1-4-h1/td...
There is a workaround and there are other PAN-OS targeted fixes for this issue.

Thanks and Regards,
Vignesh S R | Palo Alto Networks Technical Support | PCNSE
Technical Support Team"

 

TAC was able to resolve our elastic search conflict and we are clear to upgrade. We scheduled our upgrade for 11/2. But if you need to fix the issue urgently please refence the notes above in itallic and discuss with your TAC engineer for resolution.

 

Let me know if you have any questions. Glad to provide assistance. 

 

Roderick De La Rosa, PCNSA
Information Security Analyst

Hello,

unfortunately even with 11.1.5 there's always the same error, i had to open  a tac to fix

Hi @RodyDeLaRosa ,

 

thanks for the advice.

at the end i had to raise a case too, the tac engineer logged to root and cleaned the elastic search, after that i was able to install 11.1.4-H1 version.

  • 1 accepted solution
  • 4620 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!