Nathan_Vitiritt
Feb 28, 2014

Upgrade from 11.2 to 11.4

I'm planning an upgrade of our LTM HA pair this weekend from 11.2.0 HF2 to 11.4.1 HF2. I have already run iHealth and performed a backup of the configuration on both devices, along with doing my best to ensure our iRules aren't going to cause a problem after the upgrade. So when I start the upgrade I'm going to install on the backup/secondary device of the pair first, fail over, and perform any testing. If all is well then I will move on to the primary device in the pair. If it goes horribly bad I will just be failing back and running on the primary device until everything is resolved. Given everything that I have read and the fact that the upgrade is still in the 11.x family, it all looks straightforward.

 

I still thought that I would just post here and see if I can get some insight into others' experience doing this upgrade. Besides any tips or gotchas, things like the time needed for the upgrade would be nice, as this will be a 3 AM job on Sunday and getting out of the data center sooner rather than later would be nice.

 

Thanks.

 

7 Replies

  • I can't comment on 11x because I've not yet upgraded to it, but I like to wait a few days before upgrading the second box. Sometimes things look good, but a few hours of full prod traffic prove otherwise.

     

    Chris

     

  • Hi mate

     

    I did 11.3 -> 11.4 earlier this week and it was a breeze. We have quite a number of iRules and none of them had any issues. As a matter of fact, I've yet to see problems with iRules when upgrading within the 11.x version range. Maybe I've just been lucky?

     

    Good practice is to reactivate the license before you install the 11.4 image and reboot the devices.

     

    Good luck!

     

    /Patrik

     

  • Thanks for the responses.

     

    The update went pretty smooth though ran into one minor glitch which I suspect is because I didn't upgrade the primary device first as a reboot of the secondary resolved it. I was getting messages like "master_decrypt failed during rekey" which wasn't allowing the confsync between the devices to work. Once a final reboot of the secondary device was done this resolved itself.

     

    Other things that I noticed: it took about 11 minutes for each of the LTMs to reboot, which isn't too bad except for the fact that at 3 in the morning it seems like an eternity before the pings start coming back. I also had new features after the re-activation of the license keys, which wasn't expected but didn't cause any problems. Overall the upgrade took just over an hour to complete.

     

    When it was all said and done I followed this procedure for the upgrade:

    1. Run iHealth against configs on both devices
    2. Re-activate the license keys on both devices
    3. Install new image and HF on secondary device, reboot on new partition
    4. Fail-over to secondary and perform verification of services
    5. Perform step 3 on primary device, currently temporarily in standby
    6. Fail back over so primary is active and verify services
    7. Restart the standby device to get confsync working

     

    In the future I will deal with some extra fail-overs and perform the update on the primary/active device first.

     

    Thanks again!

     

    • Patrik_Jonsson (MVP)
      If you're worried during the reboot it might be worth it to activate the aom (basically serial interface over IP). :)
  • Hello Nathan -

     

    Your post was very helpful to me. I just upgraded my LTM 1600s from v11.2.1 to v11.4.1 HF8. The process went smoothly and I didn't have to perform "7. Restart the standby device to get confsync working" as both units automatically came to "Changes pending" state after the reboot of the primary unit.

     

    Maybe HF 8 works differently, I don't know, but it worked fine.

     

    Thanks again for your post.

     

    Jayanth

     

    • weblead_151334 (Nimbostratus)
      Folks, I am opting for migration from F5 Version: 10.2.4 to Viprion (installed TMSH-VERSION: 11.5.1). We have a huge infrastructure (200 virtual servers, http & https, with OneConnect, SSL profiles & 7 common iRules across all VIPs). Currently Viprion VERSION: 11.5.1 is installed & one of the sites has been migrated successfully, but the remaining 200 virtual servers need to be migrated within a time period of 1 month, so I would like to know the best practices for migration. Are there any ways to mimic the existing virtual servers along with associated iRules & corresponding pools over Viprion in an automated way, e.g. via the tmsh command line, so that during cutover the VIP can be disabled over F5 & enabled over Viprion? Please advise.

      Secondarily, during a recent pen test we have discovered a few security vulnerabilities which need to be migrated:

      1. TLS/SSL Renegotiation
      2. SSL Weak Cipher Suites Supported
      3. BIG-IP cookie remote information disclosure
      4. Secure cookie attribute not set
      5. SSL/TLS RC4 Cipher Suites Supported

      We are using a cookie-based persistence profile, but due to SSL offloading over F5 the cookie is not encrypted. Development is looking to carry SSL traffic for the backend WebLogic servers from F5 (later Viprion, one month). Shall I migrate one instance over to Viprion & start SSL testing there instead of F5? If so, please advise on the process of enabling SSL over Viprion. Please advise how to encrypt the LTM cookie. Can it be enabled just by selecting the option Encrypt Cookies over the profile attached to the VS?

      My observations over the client SSL profile tied to the VS:

      Renegotiation: enabled
      Renegotiate Period: Indefinite
      Renegotiate Size: Indefinite
      Cipher used over client SSL profile: ALL:!ADH:!MD5:!EXP:!LOW:HIGH:MEDIUM

      The LTM cookie isn't encrypted; anyone can see it via Fiddler/Wireshark etc. Would like to know how to set the cookie encrypted.

      No SSLv2
      No SSLv3

      Are the ciphers different over F5 & Viprion?
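
For the unencrypted LTM persistence cookie and the missing Secure attribute raised in the comment above, a check that can be run over `Set-Cookie` headers before and after enabling cookie encryption. This is an added example, not part of any post in the thread; it assumes the default `BIGipServer<pool>` cookie name and F5's documented cleartext IPv4 encoding, and the pool name and sample headers are constructed.

```python
import ipaddress
import re

# Cleartext cookie-insert value for an IPv4 pool member: <ip>.<port>.0000,
# where <ip> and <port> are the byte-reversed address and port in decimal.
# Other cleartext variants (IPv6, route domains) are not parsed here.
_PLAIN_IPV4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

# Constructed sample headers (not captured from any real system).
SAMPLES = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/",
    # Opaque placeholder standing in for an encrypted cookie value.
    "BIGipServerweb_pool=!b3BhcXVlLXBsYWNlaG9sZGVy; path=/; Secure; HttpOnly",
]


def decode_plain_cookie(value):
    """Return (ip, port) if value uses the cleartext IPv4 encoding, else None."""
    m = _PLAIN_IPV4.match(value.strip())
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # Both fields are stored little-endian; reverse the bytes to read them.
    ip = ipaddress.IPv4Address(ip_num.to_bytes(4, "little"))
    port = int.from_bytes(port_num.to_bytes(2, "little"), "big")
    return str(ip), port


def audit_set_cookie(header_value):
    """Report cookie flags and any pool member readable from the value."""
    pair, *attrs = header_value.split(";")
    name, _, value = pair.partition("=")
    flags = {a.strip().lower() for a in attrs}
    member = None
    if name.strip().startswith("BIGipServer"):
        member = decode_plain_cookie(value)
    return {"name": name.strip(), "member": member,
            "secure": "secure" in flags, "httponly": "httponly" in flags}


if __name__ == "__main__":
    for header in SAMPLES:
        result = audit_set_cookie(header)
        state = "DISCLOSES %s:%d" % result["member"] if result["member"] else "opaque"
        print(result["name"], state, "Secure" if result["secure"] else "no Secure flag")
```

A non-`None` `member` means the cookie still exposes the pool member's internal address and port to the client.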
    • boneyard (MVP)
      I would advise you to start a new question, because this really isn't related to the original question anymore. You could also consider making separate questions as you ask a lot of questions. Finally, first please search, because most of your pen test results are very common and have been discussed before here.