Troubleshoot Your PAN-OS Upgrade

What troubleshooting can I do for my PAN-OS upgrade?
To troubleshoot your PAN-OS upgrade, use the following table to review possible issues and how to resolve them.
The software warranty license expired.
From the CLI, delete the expired license key:
  1. Enter
    delete license key <software license key>
  2. Enter
    delete license key Software_Warranty<expiredate>.key
The latest PAN-OS software versions were not available.
You can only see software versions that are one feature release ahead of the current installed version. For example, if you have an 8.1 release installed, only 9.0 releases will be available to you. To see 9.1 releases, you first have to upgrade to 9.0.
Checking for dynamic updates failed.
This issue occurs due to a network connectivity error. See the KnowledgeBase article Dynamic Updates Display Error After Clicking On Check Now Button.
No valid device certificate was found.
In PAN-OS 9.1 and later versions, a device certificate must be installed. To install the certificate:
  1. Log in to the Customer Support Portal.
  2. Select
    Generate OTP
    Device Certificates
  3. In
    Device Type
    , select
    Generate OTP for Next-Gen Firewalls
  4. Select your PAN-OS device serial number.
  5. Generate OTP
    and copy the one-time-password.
  6. Log in to the firewall as an admin user.
  7. Select
    Device Certificate
    Get Certificate
  8. Paste the OTP and click
The software image file failed to load onto the software manager due to an image authentication error.
To update the software image list, click
Check Now
. This establishes a new connection to the update server.
The VMware NSX plugin version was not compatible with the new software version.
The VMware NSX plugin was automatically installed upon upgrade to 8.0. If you are not using the plugin, you can uninstall it.
The reboot time after upgrading to PAN-OS 9.1 was longer than expected.
Upgrade to Applications and Threats Content Release Version 8221 or later. For more information on minimum software and content versions, see <xref to 10.1 Associated Software and Content Versions>.
The device did not have support even when licenses are active.
, click
Check Now
This updates the licensing information on the firewall by establishing a new connection to the update server.
If this does not work from the web interface, use
request system software check
The firewall did not have a DHCP address assigned to it by the DHCP server.
Configure a security policy rule allowing the traffic from the ISP DHCP server to the internal networks.
The firewall continuously boots into maintenance mode.
In the CLI, Access the Maintenance Recovery Tool (MRT). In the MRT window, select
Disk Image
. Select either
Reinstall <current version>
Revert to <previous version>
. Once the revert or reinstall operation completes, select
In an HA configuration, the firewall goes into a suspended state after upgrading the peer firewall with an error that the firewall is too old.
Upgrading one firewall to a version that is more than one major release ahead will result in a network outage. You must upgrade both firewalls only one major release ahead before upgrading to the next major release.
Downgrade the peer firewall to the version that the suspended firewall stopped at.

Recommended For You