IBM Support

QRadar: High Availability software upgrades can results in "[ERROR] Copied patch file to standby host, but MD5 sums do not match."



High Availability (HA) pair fails to apply a software update with the following message in patches.log: [ERROR] Copied patch file to standby host, but MD5 sums do not match.

The issue described in this technical note is officially reported in APAR IJ12252.


Look for similar messages in /var/log/setup-<QRadar_version>/patches.log:
Copying file /storetmp/732_QRadar_interimfix- to host /storetmp:/storetmp/732_QRadar_interimfix-
cp: cannot create regular file 'root@/storetmp:/storetmp/732_QRadar_interimfix-': No such file or directory
[ERROR] Couldn't copy patch file FILE to host /storetmp.
[ERROR] Copied patch file to standby host, but MD5 sums do not match.
[ERROR](a-i-has-testmode) HOSTNAME-secondary : patch test failed.
[ERROR](a-i-has-testmode) Patching can not continue
Patch Report for IP-ADDRESS, appliance type: 1828
HOSTNAME-primary : patch test succeeded.
Copied patch file to standby host, but MD5 sums do not match.


This error message is generated when an SFS or ISO file is deleted from disk before the administrator unmounts the file from  /media/updates/. Deleting the software without typing the unmount command leaves the mount point active on the appliance and can cause future software update errors.

Diagnosing The Problem

  1. Using SSH, log in to the QRadar high-availability appliance that failed to update as the root user.
  2. To determine whether duplicate mount point exists for /media/updates, type:  mount | grep media
  3. Review the output to determine whether multiple mount points are commented as "(deleted) on /media/updates".

    For example, administrators might see multiple mounts to /media/updates: 
    [root@qradar-example.lab]# mount | grep media
    /storetmp/732_QRadar_interimfix- (deleted) on /media/updates type squashfs (ro,relatime)
    /storetmp/732_QRadar_interimfix- (deleted) on /media/updates type squashfs (ro,relatime)

Resolving The Problem

To resolve the issue, the administrator must to use the unmount command to remove deleted mount points in QRadar. 
  1. To remove the deleted mounts, type: umount /media/updates
    CAUTION: Do NOT attempt to use to unmount files from servers if software updates are in progress in the QRadar deployment.
  2. Optional. To unmount a file from all QRadar appliances and secondaries from the QRadar Console, type:   /opt/qradar/support/ -C -k "umount /media/updates"
  3. To verify that deleted volumes are removed, type:  mount | grep media 
  4. If mount multiple points continue to display (deleted), repeat step 1.

    After all deleted mounts are removed from the primary and secondary appliance, the administrator can mount the SFS or ISO and type /installer to continue the software update.  For a list of QRadar software versions and release notes, see:

Document Location


[{"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Component":"High Availability","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
07 January 2021