How to Upgrade from PAN-OS 8.0.14 or 8.1.5 in HA Mode

How to Upgrade from PAN-OS 8.0.14 or 8.1.5 in HA Mode

Created On 03/29/19 21:21 PM - Last Modified 08/19/20 22:18 PM


  • Successfully upgrade from PAN-OS 8.0.14 or 8.1.5 with High Availability enabled. 
  • Upgrading to these versions or from these versions can cause the firewall to go into a reboot loop and enter maintenance mode.  
  • This article will explain how to work around the upgrade issues in PAN-OS 8.0.14 and 8.1.5.


  • Palo Alto Firewall.
  • PAN-OS 8.0.14 or 8.1.5 
  • The issue only occurs when in High Availability (HA) mode.
  • The dataplane restarts when an IPSec rekey event occurs and causes a tunnel process (tund) failure when one—but not both—HA peers is running PAN-OS 8.0.14 or 8.1.5.
  •   Any hardware or VM platforms.


NOTE: Disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after the upgrade is complete on both peers.
  1. Suspend the passive device
  2. Disable HA sync on both devices
  3. Upgrade the passive
  4. Keep config sync off until both devices are upgraded and on the same PAN-OS version.


Additional Information

Additional Workarounds
Temporarily modify the IKE phase 2 lifetime for both peers ( Network > Network Profiles IPSec Crypto) to increase the interval between rekey events (default is one hour) and to avoid a rekey event before you complete the upgrade on the second peer. Alternatively, remove the HA configuration, upgrade both firewalls, and then restore the HA configuration.

  • Print
  • Copy Link

Choose Language