: Troubleshoot Your PAN-OS Upgrade
Focus
Focus

Troubleshoot Your PAN-OS Upgrade

Table of Contents

Troubleshoot Your PAN-OS Upgrade

What troubleshooting can I do for my PAN-OS upgrade?
To troubleshoot your PAN-OS upgrade, use the following table to review possible issues and how to resolve them.
Symptom
Resolution
The software warranty license expired.
From the CLI, delete the expired license key:
  1. Enter delete license key <software license key>.
  2. Enter delete license key Software_Warranty<expiredate>.key.
The latest PAN-OS software versions were not available.
You can only see software versions that are one feature release ahead of the current installed version. For example, if you have an 8.1 release installed, only 9.0 releases will be available to you. To see 9.1 releases, you first have to upgrade to 9.0.
Checking for dynamic updates failed.
This issue occurs due to a network connectivity error. See the KnowledgeBase article Dynamic Updates Display Error After Clicking On Check Now Button.
No valid device certificate was found.
In PAN-OS 9.1.3 and later versions, a device certificate must be installed if you are leveraging a Palo Alto Networks cloud service. To install the device certificate:
  1. Log in to the Customer Support Portal.
  2. Select Generate OTP (AssetsDevice Certificates).
  3. In Device Type, select Generate OTP for Next-Gen Firewalls.
  4. Select your PAN-OS device serial number.
  5. Generate OTP and copy the one-time-password.
  6. Log in to the firewall as an admin user.
  7. Select Device Certificate (DeviceSetupManagementDeviceCertificate and Get Certificate.
  8. Paste the OTP and click OK.
The software image file failed to load onto the software manager due to an image authentication error.
To update the software image list, click Check Now. This establishes a new connection to the update server.
The VMware NSX plugin version was not compatible with the new software version.
The VMware NSX plugin was automatically installed upon upgrade to 8.0. If you are not using the plugin, you can uninstall it.
The reboot time after upgrading to PAN-OS 9.1 was longer than expected.
Upgrade to Applications and Threats Content Release Version 8221 or later. For more information on minimum software and content versions, see <xref to 11.0 Associated Software and Content Versions>.
The device did not have support even when licenses are active.
In DeviceSoftware, click Check Now.
This updates the licensing information on the firewall by establishing a new connection to the update server.
If this does not work from the web interface, use request system software check.
The firewall did not have a DHCP address assigned to it by the DHCP server.
Configure a security policy rule allowing the traffic from the ISP DHCP server to the internal networks.
The firewall continuously boots into maintenance mode.
In the CLI, Access the Maintenance Recovery Tool (MRT). In the MRT window, select ContinueDisk Image. Select either Reinstall <current version> or Revert to <previous version>. Once the revert or reinstall operation completes, select Reboot.
In an HA configuration, the firewall goes into a suspended state after upgrading the peer firewall with an error that the firewall is too old.
Upgrading one firewall to a version that is more than one major release ahead will result in a network outage. You must upgrade both firewalls only one major release ahead before upgrading to the next major release.
Downgrade the peer firewall to the version that the suspended firewall stopped at.