
Hi @palomed,

Palo Alto will use the HA Group ID to identify which devices are part of the cluster. If one of the members in the group has a different OS version, the one with the highest OS version will automatically switch to Non-Functional state. Once you reboot the second member (the one with the old version), if I am not mistaken, that one will automatically switch to active (since no other member in the group is present). At that moment you will need to switch your ASA cluster member (if there is no physical connection between PAN02 and ASA01). If your clusters are not cross-connected, you will definitely have some interruption (while both clusters switch).

Regarding the versions: Palo Alto recommends following the full path 8.1 -> 9.0 -> 9.1 when upgrading.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/upgrade-to-pan-os-91/upgrade-the-fi...

As you can see, you need to download the base image and the latest maintenance release and install only the maintenance release. However, this means that you need to download 9.0, 9.0.latest, 9.1 and 9.1.latest. So it is possible that your device is not able to hold all images at once. But if it does, I believe you can actually install 9.1.latest directly (skipping 9.0), but you may have some unexpected issues caused by configuration not being properly migrated.

I would suggest that you follow the recommended path and either have longer maintenance windows so that you can reboot the firewalls several times, or split the upgrade: upgrade to 9.0 first and then upgrade to 9.1 a couple of days later.
