How to Upgrade from PAN-OS 8.0.14 or 8.1.5 in HA Mode

Created On 03/29/19 21:21 PM - Last Modified 08/19/20 22:18 PM


Objective


  • Successfully upgrade from PAN-OS 8.0.14 or 8.1.5 with High Availability enabled. 
  • Upgrading to these versions or from these versions can cause the firewall to go into a reboot loop and enter maintenance mode.  
  • This article will explain how to work around the upgrade issues in PAN-OS 8.0.14 and 8.1.5.


Environment


  • Palo Alto Firewall.
  • PAN-OS 8.0.14 or 8.1.5 
  • The issue only occurs when in High Availability (HA) mode.
  • The dataplane restarts when an IPSec rekey event occurs and causes a tunnel process (tund) failure when one—but not both—HA peers is running PAN-OS 8.0.14 or 8.1.5.
  • Any hardware or VM platforms.


Procedure


NOTE: Disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after the upgrade is complete on both peers.
  1. Suspend the passive device
  2. Disable HA sync on both devices
  3. Upgrade the passive
  4. Keep config sync off until both devices are upgraded and on the same PAN-OS version.


 


Additional Information


Additional Workarounds
Temporarily modify the IKE phase 2 lifetime for both peers (Network > Network Profiles > IPSec Crypto) to increase the interval between rekey events (default is one hour) and to avoid a rekey event before you complete the upgrade on the second peer. Alternatively, remove the HA configuration, upgrade both firewalls, and then restore the HA configuration.
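The following pre-upgrade check is an added example, not part of the original article or any Palo Alto Networks tooling. It flags config sync that is still enabled and any tunnel whose rekey would fall inside the upgrade window while only one peer runs 8.0.14 or 8.1.5. The peer names, tunnel names, target version and timings are constructed, and the Peer class and both functions are hypothetical helpers that you feed with values read from your own firewalls.

```python
from dataclasses import dataclass

AFFECTED = {"8.0.14", "8.1.5"}  # the two versions this article names


@dataclass
class Peer:
    name: str
    version: str       # PAN-OS version string
    config_sync: bool  # state of the "Enable Config Sync" check box


def mixed_affected(v1: str, v2: str) -> bool:
    """True when one, but not both, of the versions is an affected one."""
    return (v1 in AFFECTED) != (v2 in AFFECTED)


def upgrade_findings(active, passive, target, tunnels, window_s):
    """List what should be fixed before upgrading the pair to `target`.

    tunnels:  name -> (phase 2 lifetime in s, age of the current SA in s)
    window_s: estimated seconds until the second peer has finished upgrading
    Simplification: a rekey is assumed to happen when the lifetime expires;
    real rekeys start somewhat earlier, so pad window_s generously.
    """
    findings = [f"{p.name}: config sync is still enabled"
                for p in (active, passive) if p.config_sync]
    # Version pairs the HA pair passes through, passive peer upgraded first.
    steps = [(active.version, passive.version),
             (active.version, target),
             (target, target)]
    if any(mixed_affected(a, b) for a, b in steps):
        for name, (lifetime_s, sa_age_s) in sorted(tunnels.items()):
            remaining = lifetime_s - sa_age_s
            if remaining <= window_s:
                findings.append(f"{name}: rekey due in {remaining}s, "
                                f"inside the {window_s}s upgrade window")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from a real firewall.
    pair = Peer("fw-a", "8.1.5", True), Peer("fw-b", "8.1.5", False)
    sample = {"branch-vpn": (3600, 3000), "dc-vpn": (28800, 600)}
    for line in upgrade_findings(*pair, "8.1.6", sample, 1800):
        print(line)
```

An empty result means that, under these assumptions, no rekey is expected while the peers are on mismatched versions and config sync is off on both.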

