"Content version mismatch due to device update" On Active Firewall in HA pair
4750
Created On 01/05/23 20:08 PM - Last Modified 06/11/25 20:16 PM
Symptom
- "Content version mismatch due to device update" is seen on Active device even when both the HA pair devices have same App and Threat and Antivirus version installed
- Mismatch/match log in ha_agent.log/system logs for all contents even if there is no change
mp ha_agent.log 2022-12-29 05:00:02 2022-12-29 05:00:02.236 -0500 HA peer URL Database set to Mismatch
mp ha_agent.log 2022-12-29 05:01:00 2022-12-29 05:01:00.349 -0500 HA peer Application Content set to Mismatch
mp ha_agent.log 2022-12-29 05:01:00 2022-12-29 05:01:00.351 -0500 HA peer Anti-Virus set to Mismatch
mp ha_agent.log 2022-12-29 05:01:00 2022-12-29 05:01:00.352 -0500 HA peer Threat Content set to Mismatch
mp ha_agent.log 2022-12-29 05:01:00 2022-12-29 05:01:00.355 -0500 HA peer Device Security Content set to Match
- Active Device "Show system info"
app-version: 8659-7774
app-release-date: 2022/12/28 20:24:22 EST
av-version: 4316-4829
av-release-date: 2023/01/02 07:26:39 EST
threat-version: 8659-7774
threat-release-date: 2022/12/28 20:24:22 EST
- Active Device High-Availability status
Version Compatibility:
Software Version: Match
Application Content Compatibility: Mismatch <----
Device Security Content Compatibility: Match
Anti-Virus Compatibility: Mismatch <-----
Threat Content Compatibility: Mismatch
VPN Client Software Compatibility: Match
- Passive Device "Show system info"
app-version: 8659-7774
app-release-date: 2022/12/28 20:24:22 EST
av-version: 4316-4829
av-release-date: 2023/01/02 07:26:39 EST
threat-version: 8659-7774
threat-release-date: 2022/12/28 20:24:22 EST
- Passive Device High-Availability status
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match <---
Device Security Content Compatibility: Match
Anti-Virus Compatibility: Match <---
Threat Content Compatibility: Match
VPN Client Software Compatibility: Match
Environment
- Palo Alto Network Firewall
- PAN-OS 10.0.x, 10.1.x
- Upgrade from PAN-OS 9.1.x to 10.x
- HA Active/Passive or Active/Active
Cause
Sdb node is marked none & modified each time when there is a content update
mp ha_agent.log 2022-12-29 04:35:42 2022-12-29 04:35:42.817 -0500 debug: ha_sysd_general_vers_string(src/ha_sysd_version.c:1829): Got new Application Content: 8659-7774; for local value
mp ha_agent.log 2022-12-29 04:35:42 2022-12-29 04:35:42.819 -0500 HA Group 1: Application Content version mismatch due to device update
mp ha_agent.log 2022-12-29 04:35:42 2022-12-29 04:35:42.820 -0500 HA peer Anti-Virus set to Mismatch
mp ha_agent.log 2022-12-29 04:35:42 2022-12-29 04:35:42.820 -0500 HA peer Threat Content set to Match
mp ha_agent.log 2022-12-29 04:35:42 2022-12-29 04:35:42.820 -0500 debug: ha_sysd_general_vers_string(src/ha_sysd_version.c:1829): Got new Threat Content: 8659-7774; for local value
mp ha_agent.log 2022-12-29 04:35:42 2022-12-29 04:35:42.821 -0500 HA Group 1: Threat Content version mismatch due to device updateResolution
- The mismatch/match logs observed are cosmetic & can be ignored. There is no issue in functionality (only a display issue)
- This issue is fixed as part of PAN-201721. Release version yet to be decided
Additional Information
Please refer PAN-201721