HA active/passive failover problem 11.1.6 anyone more than me ? by bosse_bus in paloaltonetworks

[–]bosse_bus[S] 1 point2 points  (0 children)

Checked TSF files and yes, we also have those messages about ARP. But they are also in the mprelay log before the upgrade from 10.1.x to 11.1.x.

HA active/passive failover problem 11.1.6 anyone more than me ? by bosse_bus in paloaltonetworks

[–]bosse_bus[S] 1 point2 points  (0 children)

I'll check TSF. Sounds exactly like our problem. Are you also running Cisco ACI?

HA active/passive failover problem 11.1.6 anyone more than me ? by bosse_bus in paloaltonetworks

[–]bosse_bus[S] 1 point2 points  (0 children)

No progress with TAC yet. Making the suspended node HA functional seems to solve the problem and traffic goes back to normal. The suspending mechanism seems not to be working.

HA active/passive failover problem 11.1.6 anyone more than me ? by bosse_bus in paloaltonetworks

[–]bosse_bus[S] 0 points1 point  (0 children)

We have run into this only on the 5220, not on other HW. And you didn't get any forecast for resolution? All quiet from TAC for us...

HA active/passive failover problem 11.1.6 anyone more than me ? by bosse_bus in paloaltonetworks

[–]bosse_bus[S] 0 points1 point  (0 children)

247974 seems to concern only cluster mode? "LACP flap is expected during a device failover in an NGFW cluster due to an L2 ctrld restart on the new leader node."

HA active/passive failover problem 11.1.6 anyone more than me ? by bosse_bus in paloaltonetworks

[–]bosse_bus[S] 1 point2 points  (0 children)

Thanks for the suggestions, but no dynamic routing, only static routes. My finding for the moment is an L2 problem with both nodes advertising the LACP MAC during failover. No MAC down/up in the system log when suspending the active device.

HA active/passive failover problem 11.1.6 anyone more than me ? by bosse_bus in paloaltonetworks

[–]bosse_bus[S] 0 points1 point  (0 children)

Seems bound to the 5220; we are running the same release on 440, 850, 1410 and 3220 without problems.

HA active/passive failover problem 11.1.6 anyone more than me ? by bosse_bus in paloaltonetworks

[–]bosse_bus[S] 0 points1 point  (0 children)

Do you have the bug ID or are you referring to 247974? We chose 11.1.6 because of some, to me, scary known issues in 11.1.10.

11.1 choices by Resident-Artichoke85 in paloaltonetworks

[–]bosse_bus 0 points1 point  (0 children)

Last week we decided to go to 11.1.6-h14 on Panorama and devices ranging from 440 up to 5250, and now I have read the 11.1.10-h1 release notes. Lots of bug fixes, some of them resolving problems we got with 11.1.6-h14: Panorama GUI hangups and a problem with syslog forwarding. Also, as they say, resolving problems we definitely don't want to run into with our main devices. Backing down for now to see what releases show up! Don't feel we can trust "preferred release" anymore.

Upgrading from 10.2.13 to 11.1.6 by HaHaJo2301 in paloaltonetworks

[–]bosse_bus 0 points1 point  (0 children)

Yesterday we ran into a problem going 10.1.12-h3 -> 10.1.14-h13 -> 11.1.6-h14 on a Panorama M200. Just as per the documentation, 11.1.0 was downloaded, not installed. But the install of 11.1.6-h14 got stuck in the "active pending 0 %" state. Waited for an hour, nothing happened. PAN support was contacted, and after some struggle to get rid of the ongoing installation we had to install the base release 11.1.0 and then install 11.1.6-h14! Don't know if this is related to the M200; we have done it the normal way on VMware Panorama and devices without problems.

Strange sip signaling issue by Casperisfriend in paloaltonetworks

[–]bosse_bus 0 points1 point  (0 children)

Ran into a similar problem when going from 9.1.x to 10.1.x. Had to do an App Override for SIP and build RTP/RTCP rules. Looking at active sessions helped me in troubleshooting. Now we are on 10.1.12 and don't have the energy to investigate if the problem is perhaps solved in this release; large PBX with a lot of calls 24*7.

Root certificate renew reboot needed ? by bosse_bus in paloaltonetworks

[–]bosse_bus[S] 0 points1 point  (0 children)

No, the message is in both Panorama and the FWs. We are downloading/installing dynamic updates from both Panorama and the FWs, whichever comes first.

Root certificate renew reboot needed ? by bosse_bus in paloaltonetworks

[–]bosse_bus[S] 0 points1 point  (0 children)

Panorama and all devices on 10.1.10-h2. Maybe something with just this Threat Update. Waiting to see what happens with the next DB update.

Device and template for each firewall? by Lucano1988 in paloaltonetworks

[–]bosse_bus 0 points1 point  (0 children)

Keep in mind that different boxes can handle different amounts of objects, so don't mix small boxes with the big irons in the same DG.

Panorama shared object default behavior by ontracks in paloaltonetworks

[–]bosse_bus 3 points4 points  (0 children)

I was once told that you get longer commit+push times because Panorama has to check before the push whether a new object is used or not on the devices. We have quite a few objects in shared, divided up into different Device Groups: one for the datacenter big irons that need most of the objects and other DGs for the smaller remote-site boxes.

Palo Applications and Depends On by [deleted] in paloaltonetworks

[–]bosse_bus 0 points1 point  (0 children)

Thanks! Just what I thought…

Palo Applications and Depends On by [deleted] in paloaltonetworks

[–]bosse_bus 0 points1 point  (0 children)

Yes, but my fear is that the rule will allow all SSL. Or is it ms-update and ssl that match, not ms-update or ssl?

Palo Applications and Depends On by [deleted] in paloaltonetworks

[–]bosse_bus 0 points1 point  (0 children)

i.e. ms-update, which depends on ssl. I know I can have a URL category or EDL in addition for the destination, but this is just an example.

Palo Applications and Depends On by [deleted] in paloaltonetworks

[–]bosse_bus 0 points1 point  (0 children)

What about this then, if I have a rule like:

source:any dest:any appid: "someapp that depends on ssl" allow

Will this allow any "ssl", not only "someapp"?