Beware of 8.0.11 PAN-OS on PA-5000 series!


#1

A friend at another company warned me today of a major issue with 8.0.11 on his PA-5020’s that is a known issue with the Dataplane. Be very careful if upgrading 5000 series boxes to 8.0.11. At least go into it with a plan to roll back quickly.

He stated that the code does work well on his 3020’s and 820’s but all his 5020’s were pure failure killing the firewalls overnight and forcing him to downgrade the OS within 24hrs of upgrading.

Note the errors below regarding DataPlane and High Availability.

This is just a small subset of the errors:
time_generated: 2018/07/05 22:09:50
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name:pa5020-a
vsys_id: 0
vsys:
eventid: general
object:
fmt: 0
id: 0
module: general
severity: high
opaque: gdb: 18 tracked gdbs, calling early dp down fail

time_generated: 2018/07/05 22:09:58
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: hdq-pa5020-a
vsys_id: 0
vsys:
eventid: general
object:
fmt: 0
id: 0
module: general
severity: high
opaque: all_pktproc_6: exiting because missed too many heartbeats

time_generated: 2018/07/05 22:10:04
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: pa5020-a
vsys_id: 0
vsys:
eventid: general
object:
fmt: 0
id: 0
module: general
severity: high
opaque: gdb: 18 tracked gdbs, calling failure event

time_generated: 2018/07/05 22:10:05
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: pa5020-a
vsys_id: 0
vsys:
eventid: general
object:
fmt: 0
id: 0
module: general
severity: high
opaque: all: forcing exit, tell parent

time_generated: 2018/07/05 22:10:04
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: pa5020-a
vsys_id: 0
vsys:
eventid: general
object:
fmt: 0
id: 0
module: general
severity: high
opaque: all_pktproc_10: got max gdb failure event, telling all group to restart

time_generated: 2018/07/05 22:09:20
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: pa5020-a
vsys_id: 0
vsys:
eventid: general
object:
fmt: 0
id: 0
module: general
severity: high
opaque: gdb: 17 tracked gdbs, calling early dp down fail

time_generated: 2018/07/05 22:07:22
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: pa5020-a
vsys_id: 0
vsys:
eventid: state-change
object:
fmt: 0
id: 0
module: general
severity: critical
opaque: HA Group 1: Moved from state Non-Functional to state Suspended

time_generated: 2018/07/05 22:07:22
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: pa5020-a
vsys_id: 0
vsys:
eventid: state-change
object:
fmt: 0
id: 0
module: general
severity: critical
opaque: HA Group 1: Moved from state Non-Functional to state Suspended

time_generated: 2018/07/05 22:07:22
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: pa5020-a
vsys_id: 0
vsys:
eventid: non-functional-loop
object:
fmt: 0
id: 0
module: general
severity: critical
opaque: HA Group 1: Going to Suspended state due to detection of a Non-Functional loop after 3 loops allowed

time_generated: 2018/07/05 22:07:22
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: pa5020-a
vsys_id: 0
vsys:
eventid: dataplane-down
object:
fmt: 0
id: 0
module: general
severity: critical
opaque: HA Group 1: Dataplane is down: too many dataplane processes exited

time_generated: 2018/07/05 22:02:09
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
device_name: pa5020-a
vsys_id: 0
vsys:
eventid: general
object:
fmt: 0
id: 0
module: general
severity: high
opaque: all: forcing exit, tell parent


#2

Hi Brad,
Thanks so much for flagging. PAN-OS 8.0.11 has been replaced by 8.0.11-h1 and the posted a customer advisory is available here:

https://live.paloaltonetworks.com/t5/Customer-Advisories/URGENT-Import-Information-Regarding-PAN-OS-8-0-11/ta-p/220980

Please see this above link for more information and to resolve the issue.

Thanks,
Palo Alto Networks Customer Support


#3

@SBurke My friend that provided me the information about 8.0.11 stated his issue is not resolved with 8.0.11h1. I’ll check for more detail once he returns from PTO on 7/18.

Can you verify that the errors seen in my post are directly related to the bug fix??

Thanks!
Brad


#4

Hi Brad, Thanks again for following up. I really can’t say for certain without additional details. If your friend can open a support ticket when he gets back from PTO (or if someone else can in the interim) we can dive into the specifics and make that determination. Thanks!


#5

Are there any other issues with Indeni and PAN 7.1.16?


#6

@kingman112 Are there specific issues you have already experienced with Indeni and PAN 7.1.16? I’m not aware of version specific issues. Do you have a ticket opened with Indeni Support?


#7

Finally heard back that 8.0.11h1 did fix the issue.