HA Non functional with Error message: "Nat oversubscription mismatch" after upgrade.

• One of the PA firewalls in an HA pair has been upgraded to a newer PAN-OS version.
• HA message "Non-functional (Nat oversubscription mismatch)" is seen after the PAN-OS upgrade.

admin@PA-5410(non-functional)> show high-availability state
Group 1:
  Mode: Active-Passive
  Local Information:
    Version: 1
    Mode: Active-Passive
    State: non-functional (last 22 minutes)
    State Reason: NAT oversubscription mismatch	<<<

• Palo Alto Firewall.
• PAN-OS 9.0.11, 9.1.5, 10.0.1 or above.
• HA (High Availability) Configured.
• Software Upgrade.

• By default, the NAT oversubscription rate on a Palo Alto Firewall is set to a default value. This setting may have changed from X to Y in later PAN-OS versions.
• When one of the firewalls in the HA pair is upgraded, this rate can become unsynchronized with the non-upgraded peer, resulting in the error message being displayed.

There are two possible solutions:

1. Solution-1

• Upgrade the second peer to match the peer PAN-OS. Now the "NAT oversubscription rate" setting will be in sync across both the HA firewalls. Once the Active device is suspended, the Non-functional (Nat oversubscription mismatch) Firewall takes over as Active.
• ATTENTION: Failover might result in downtime because session synchronization does not work when the firewall is in a non-functional state. We recommend following solution #2 first before proceeding with the upgrade of the second peer.

2. Solution-2

• Statically configure the oversubscription rate on both devices. Figure out the default rate in the platform guide, and scroll down to "Default DIPP pool oversubscription". (e.g PA-5410 default rate is 8x)
• Revert to the default value on both devices after the upgrade.

• Official documentation
• Modify the Oversubscription Rate for DIPP NAT
• How to Change the NAT Oversubscription Rate
• How to Check the Oversubscription on a NAT Rule