Upgraded Device in HA Group Reports Status: suspended (Peer version too old)

Upgraded Device in HA Group Reports Status: suspended (Peer version too old)

26436
Created On 09/25/18 18:47 PM - Last Modified 11/05/21 07:25 AM


Symptom
After upgrading one device in the HA group, the device is unable to become active and the dashboard reports the status as: suspended (Peer version too old).
User-added image


Environment
PA firewalls are in Active/Passive HA.
Upgrade of one of the Peers in HA is being performed. 


Cause
The device has been upgraded at least Two Feature Releases away from the peer device in the HA group.
 


Resolution

When upgrading an HA group, each version upgrade has to be performed on both the devices in the HA group before upgrading to the next version.

For Simplicity we will consider Firewall-A is in version 10.1.2 and Firewall-B is in 9.1.7.
If Firewall-A is in suspended state with dashboard showing Peer version too old
1. Either upgrade Firewall-B to a 10.0.x version which will cause a downtime because Firewall-A is in Suspended state.
2. Or, downgrade Firewall-A to a 10.0.x version, then upgrade Firewall-B to same 10.0.x version and then continue to upgrade both to 10.1.2 version. 

Note :
Using option 2 downtime can be minimised because once Firewall-A is downgraded to 10.0.x version, the firewall will join the HA and traffic failover can be done. 

owner: nchong



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQo&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language