Troubleshoot Your PAN-OS Upgrade
What troubleshooting can I do for my PAN-OS upgrade?
To troubleshoot your PAN-OS upgrade, use the following table to review possible issues and how to resolve them.
The software warranty license expired.
From the CLI, delete the expired license key:
The latest PAN-OS software versions were not available.
You can only see software versions that are one feature release ahead of the current installed version. For example, if you have an 8.1 release installed, only 9.0 releases will be available to you. To see 9.1 releases, you first have to upgrade to 9.0.
Checking for dynamic updates failed.
This issue occurs due to a network connectivity error. See the KnowledgeBase article Dynamic Updates Display Error After Clicking On Check Now Button.
No valid device certificate was found.
In PAN-OS 9.1.3 and later versions, a device certificate must be installed if you are leveraging a Palo Alto Networks cloud service. To install the device certificate:
The software image file failed to load onto the software manager due to an image authentication error.
To update the software image list, click
Check Now. This establishes a new connection to the update server.
The VMware NSX plugin version was not compatible with the new software version.
The VMware NSX plugin was automatically installed upon upgrade to 8.0. If you are not using the plugin, you can uninstall it.
The reboot time after upgrading to PAN-OS 9.1 was longer than expected.
Upgrade to Applications and Threats Content Release Version 8221 or later. For more information on minimum software and content versions, see <xref to 10.2 Associated Software and Content Versions>.
The device did not have support even when licenses are active.
This updates the licensing information on the firewall by establishing a new connection to the update server.
If this does not work from the web interface, use
request system software check.
The firewall did not have a DHCP address assigned to it by the DHCP server.
Configure a security policy rule allowing the traffic from the ISP DHCP server to the internal networks.
The firewall continuously boots into maintenance mode.
In the CLI, Access the Maintenance Recovery Tool (MRT). In the MRT window, select
. Select either
Reinstall <current version>or
Revert to <previous version>. Once the revert or reinstall operation completes, select
In an HA configuration, the firewall goes into a suspended state after upgrading the peer firewall with an error that the firewall is too old.
Upgrading one firewall to a version that is more than one major release ahead will result in a network outage. You must upgrade both firewalls only one major release ahead before upgrading to the next major release.
Downgrade the peer firewall to the version that the suspended firewall stopped at.
Recommended For You
Recommended videos not found.