Upgrading vm-series plugin version cause one of HA units transition to "Non-Functional" state

Upgrading vm-series plugin version cause one of HA units transition to "Non-Functional" state

3747
Created On 10/11/23 00:23 AM - Last Modified 05/08/25 22:24 PM


Symptom


  • VM-series plugin version on one of HA units being upgraded
  • There is a mismatch on vm-series plugin version between PA-VM HA units (ex: PA-VM-1: v2.1.4; PA-VM-2: v2.1.0)
  • HA peer unit with lower vm-series plugin version transitioned to "Non-Functional" state

Environment


  • VM Series Firewalls
  • PAN-OS 9.1 and above
  • High Availability 
  • VM-Series Plugin

Cause


Per design, HA device with lower vm-series plugin version compared to HA peer will transition to "Non-Functional" state
 

Resolution


  1. When installing the plugin on VM-Series firewalls in an HA pair, install the higher version VM-Series plugin on the active peer before the passive peer.
  2. After installing the plugin on the active peer it transitions the passive peer to a non-functional state.
  3. Installing the plugin later on the passive peer returns the passive peer to a functional state.
  4. The information is documented at PAN-OS Upgrade Guide: Upgrade the VM-Series PANOS Software (HA Pair)  
Plugin Upgrade Procedure:
  1. Check the latest Release Notes for details on whether a new VM-Series plugin affects your environment.
  2. Log in to the VM-Series firewall and check the dashboard to view the plugin version or CLI (> show system info | match vm_series).
  3. Select Device > Plugins  to view the plugin version. Use Check Now to check for updates.
  4. Select the version of the plugin and click Install in the Action column to install the plugin.

Additional Information


Example:
  • Suspend PA-VM-1 (passive) and upgrade the vm-series plugin from 2.1.0 to 2.1.4
PA-VM-1(suspended)> show system info | match vm_series
vm_series: vm_series-2.1.4    (vm-series plugin version upgraded from 2.1.0 to 2.1.4)

PA-VM-1(suspended)> show log system opaque contains Plugin
YYYY/MM/DD hh:mm:ss info     general        general 0  Plugin vm_series-2.1.4 installed.
  • Now the active PA-VM-2: will transition to Non-Functional state because it has the lower vm-series plugin 
PA-VM-2(non-functional)>  show system info | match vm_series
vm_series: vm_series-2.1.0   (lower vm-series plugin version)

PA-VM-2(non-functional)> show log system start-time equal YYYY/MM/DD@hh:mm:ss
YYYY/MM/DD hh:mm:ss high     ha             peer-ve 0  HA Group 1: VMS version only compatibility matches 
YYYY/MM/DD hh:mm:ss critical general        general 0  Chassis Master Alarm: HA-event
YYYY/MM/DD hh:mm:ss critical ha             state-c 0  HA Group 1: Moved from state Active to state Non-Functional
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XgqICAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language