Upgrading an HA pair from PAN-OS 9.1 to 10.0 results in a split-brain condition when HA1 link encryption is enabled

Created On 06/04/21 16:37 PM - Last Modified 07/07/25 14:35 PM


Symptom


  • Upgrading an HA pair from PAN-OS 9.1.x to 10.0.x can trigger a split-brain condition between the units
  • The ha_agent logs indicate that the SSH tunnel carrying HA1 traffic was reset:
    HA Group 38: Staying in Active state after split-brain recovery (split-brain duration: 1s)
    Error: ha_peer_disconnect(src/ha_peer.c:1860): Group 38 (HA1-MAIN): peer connection error msg set: SSH Tunnel reset
    Error: ha_peer_disconnect(src/ha_peer.c:1860): Group 38 (HA1-BKUP): peer connection error msg set: SSH Tunnel reset


Environment


  • Palo Alto Networks Firewall
  • PAN-OS 9.1.x
  • PAN-OS 10.0.x
  • HA1 link encryption is enabled


Cause


In PAN-OS 9.1, encrypted HA1 communication is configured to use the aes128-cbc cipher, whereas PAN-OS 10.0 uses aes128-ctr.
This is because PAN-OS 10.0 upgraded OpenSSH from version 6.4 to 7.7, and in OpenSSH 7.7 the aes128-cbc cipher is no longer part of the default list of ciphers. While the pair runs mixed versions, the two HA1 SSH endpoints share no cipher, so the tunnel cannot be established.
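As an added example (not Palo Alto Networks code), the following Python models the SSH cipher negotiation behind this failure and parses the ha_agent lines quoted under Symptom so the pattern can be picked out of a larger log. The per-version cipher lists are constructed from the article's statement above; the negotiation helper is general (any ordered cipher lists, as in RFC 4253), not only the single-cipher case this article describes.

```python
import re
from collections import defaultdict

# Constructed from the article: PAN-OS 9.1 offers aes128-cbc on HA1,
# PAN-OS 10.0 offers aes128-ctr. Real offers may be longer lists.
HA1_CIPHERS = {
    "9.1": ["aes128-cbc"],
    "10.0": ["aes128-ctr"],
}

def negotiate_cipher(client_offer, server_offer):
    """RFC 4253 section 7.1: pick the first cipher in the client's list that
    the server also offers; None means key exchange fails (tunnel reset)."""
    server = set(server_offer)
    for name in client_offer:
        if name in server:
            return name
    return None

# ha_agent lines quoted from the article's Symptom section (no timestamps there).
SAMPLE_LOG = """\
HA Group 38: Staying in Active state after split-brain recovery (split-brain duration: 1s)
Error: ha_peer_disconnect(src/ha_peer.c:1860): Group 38 (HA1-MAIN): peer connection error msg set: SSH Tunnel reset
Error: ha_peer_disconnect(src/ha_peer.c:1860): Group 38 (HA1-BKUP): peer connection error msg set: SSH Tunnel reset
"""

RESET_RE = re.compile(r"Group (?P<group>\d+) \((?P<link>HA1-[A-Z]+)\): peer connection error msg set: SSH Tunnel reset")
SPLIT_RE = re.compile(r"HA Group (?P<group>\d+): .*split-brain recovery \(split-brain duration: (?P<secs>\d+)s\)")

def analyse_ha_agent_log(text):
    """Per HA group: which HA1 links reported an SSH tunnel reset, and the
    split-brain durations reported after recovery."""
    findings = defaultdict(lambda: {"tunnel_resets": [], "split_brain_secs": []})
    for line in text.splitlines():
        m = RESET_RE.search(line)
        if m:
            findings[int(m["group"])]["tunnel_resets"].append(m["link"])
            continue
        m = SPLIT_RE.search(line)
        if m:
            findings[int(m["group"])]["split_brain_secs"].append(int(m["secs"]))
    return dict(findings)

def split_brain_with_ha1_resets(findings):
    """HA groups where both HA1 links lost their tunnel and a split-brain followed,
    the combination this article associates with a mixed-version upgrade."""
    return sorted(g for g, f in findings.items()
                  if f["split_brain_secs"]
                  and {"HA1-MAIN", "HA1-BKUP"} <= set(f["tunnel_resets"]))
```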



Resolution


To avoid a split-brain scenario during the upgrade, disable HA1 encryption before starting the upgrade process. Once both firewalls are running the same PAN-OS version, you can re-enable HA1 encryption.

The setting is found under Device > High Availability > General > Control Link (HA1) > Encryption Enabled.



Additional Information


If a PAN-OS 9.1 device attempts to connect to a PAN-OS 10.0 device, or vice versa, the connection will fail due to a cipher mismatch.
  • How to enable encryption on HA1
  • PAN-OS 10.0 Upgrade/Downgrade Considerations


