Updating BIG-IP HA systems with a point release
ฝัง
- เผยแพร่เมื่อ 21 ก.ค. 2024
- In this video, AskF5 shows you how to update your BIG-IP high availability (HA) system to the latest point release. This demo uses BIG-IP 15.1.0.4, which resolves the CVE-2020-5902 vulnerability.
For upgrading VIPRION, vCMP, and other systems, go to my.f5.com/manage/s/article/K4....
The video refers to the following articles:
• K7727: License activation may be required before a software upgrade for the BIG-IP or Enterprise Manager system (my.f5.com/manage/s/article/K7727)
• K167: Downloading software and firmware from F5 (my.f5.com/manage/s/article/K167)
• K8337: Verifying the MD5 checksum for the downloaded F5 software file (my.f5.com/manage/s/article/K8337)
• K52145254: TMUI RCE vulnerability CVE-2020-5902 (my.f5.com/manage/s/article/K5...)
0:00 Intro
0:13 Part 1: Installing the point release on the first device
0:40 Validating the configuration
1:53 Verifying the Service check date
3:23 Synchronizing the configuration
4:32 Creating and saving a UCS archive
5:52 Importing the ISO file
6:30 Importing the MD5 checksum file (click the card - • Importing a software i... )
7:05 Verifying the MD5 checksum
7:45 Disabling the "Automatic with Incremental Sync" option
8:30 Installing and rebooting to the new version
14:16 Verifying the new point release version is active on the newly patched system
15:00 Forcing a failover
16:20 Part 2: Installing the point release on the next device
16:25 Repeat these steps
16:49 Verifying the new point release version is active on the newly patched system
17:46 Forcing a failover
19:25 Part 3: Performing the final ConfigSync
21:21 Optional: Restoring the “Automatic with Incremental Sync” option
For more information about BIG-IP system software upgrades, refer to support.f5.com/csp/article/K8....
Thank you....you explain every steps in easy way
Thank you for the feedback!
Thanks, it was very well explained and I was able to Update my F5 GTM successfully
Thanks Rahim! I'm glad the video was helpful.
Great video! Thank you for the work!
Great video. Thank you!
I'm glad you liked it. Thanks for the feedback!
10 on 10, fantastic job leaving no doubt behind, it would be better if you also mention the Roll-back step instead of opening TAC case. Sometimes customers are very noisy and don't give you time to troubleshoot.
Thanks for the feedback! If you run into a problem during the upgrade, such as the configuration fails to load, you can boot the system back to the previous software version. For example, if you were running 15.1.0 on HD1.1 and installed 15.1.0.4 on HD1.2, you can always boot back to 15.1.0 in the event that you run into problems with the 15.1.0.4 installation. However, time permitting, it is recommended to run the 'tmsh load /sys config' command from the BIG-IP command line to observe any error messages before rolling back to the previous version.
@@AskF5 Awesome. Thanks
Great explanation ... Thanks a lot
Many Thanks. Very well explained! You might want to update the checksum command as the one in the video didn't work for me. It should be 'md5sum --check BIGIP-17.1.0.3-0.0.4.iso.md5'
You're welcome. Glad the explanation was easy to understand. So the "-c" option is the short version of "--check" and both should work. Just to be sure I tested "md5sum -c" on a couple lab systems and the command succeeded:
# md5sum --help
...
-c, --check read MD5 sums from the FILEs and check them
# md5sum -c BIGIP-17.1.0.3-0.0.4.iso.md5
BIGIP-17.1.0.3-0.0.4.iso: OK
Thanks you are right. It must have been a typo on my part!!
Thanks for the video it was very helpful when I updated to a new maintenance release recently. Now I have to upgrade to a new major release, and the procedure looks pretty much the same based on the K articles I’m reading. Are there any differences in the two and are there any pitfalls I need to watch out for? Thank you!
Thanks for the question. There are a few notable differences between updating to a maintenance release and upgrading to a major release. When upgrading to a major release you are moving to a new code branch which involves some additional planning. For example, you should verify that your platform supports the major release to which you plan to upgrade. Also, you should review the supported upgrade paths to determine whether you can upgrade directly to the desired release or whether you need to plan for an incremental upgrade. Included below is a link to the BIG-IP upgrade guide. We recommend reviewing chapters 2-4 and then locating your platform instructions in the later chapters:
K84205182: Guide contents | BIG-IP update and upgrade guide
support.f5.com/csp/article/K84205182
thanks a lot bro!
You're welcome! Thanks for watching!
Thank you Sir
remote code execution huh? Does F5 have that basically every year? I can't believe you can just login to F5 gui as admin without knowing any credentials, with the latest vulnerability..But good video, very helpful for someone who never done these upgrades. Thank you
Tip for the upgrade. It was painfully slow to upload the image over gui. I switched to winscp and uploaded it to shared/images location and speed increased from 40mbps to around 350mbps.
Thanks. When we failover from active to standby devices, would we notice a small blip for the vip's or not ?
Typically, yes, it would take a few seconds to complete a failover. However, depending on your environment, the time varies. E.g. whether you have SSL connection mirroring configured, type of failover, and the number of resources on the system to failover and so on.
Hardwire vs network failover: support.f5.com/csp/article/K2397
Timer configuration: support.f5.com/csp/article/K7249
SSL conn mirroring: support.f5.com/csp/article/K17391
On production systems, F5 recommends performing a failover during a scheduled maintenance.
Does it make sense to disable Auto-Sync before taking the ucs?
So in case you need to restore the sync keep in manual state.
If the configuration fails to load after the upgrade, you would typically work with the installed configuration (with auto sync already disabled) to get it to load into memory per K02091043; however, If you had to perform a disaster recovery that involved a UCS install, and you don't want any sync'ing to occur when you install the UCS on the devices, yes it makes sense to disable auto sync before creating the UCS. The BIG-IP updates the CID time when you load the configuration so the devices would sync to each other.
Also make sure that devices are in sync before you begin the upgrade process and do not allow any changes to be made until after it's complete then auto sync being enabled is less of a concern.
nice video. how fast the traffic will swing from bigip1 to 2? will there b any downtime? thanks
Typically it would take a few seconds to complete a failover. However, depending on your environment, the time varies. For example, if SSL connection mirroring is configured, the type of failover (hardwired versus network) etc. You may want to refer to the following list of articles related to failover:
Hardwire vs network failover: support.f5.com/csp/article/K2397
Timer configuration: support.f5.com/csp/article/K7249
SSL conn mirroring: support.f5.com/csp/article/K17391
For a production environment, F5 recommends performing a failover during a scheduled maintenance.
@ 6:20 you have just imported .iso file but when you did cd images/ than ls ..... how did you get .iso.md5 ? please Explain ?
Nice catch! We missed the step for uploading the md5 checksum file. After uploading the .iso file, you should repeat the same process and upload the corresponding .iso.md5 file. Here is an example of what that looks like, using a different BIG-IP version: th-cam.com/video/XG0vrIbKXQo/w-d-xo.html.
Thanks for letting us know!
Hi Sir, do u have any advance level videos for F5(LTM and GTM) ? Especially Architecture level, design level, migration level
Reply from u would be greatly appreciated..!!
This would really depend on what platform you're running and what your objectives/topics of interest are... "K84554955: Overview of BIG-IP system software upgrades" links you to more articles. Feel free to go to the AskF5 website. You'll find more articles and also LTM/GTM manuals that contain more detail. Refer to "K98133564: Tips for searching AskF5 and finding product documentation" which is a good guide to find exactly what you're looking for.
How do you come out of Tmos shell? I tried to enter “q” but it’s closing the session down.
If your BIG-IP user account is configured with TMOS Shell (tmsh) for the Terminal Access option, then you will be logged out of the BIG-IP system once you exit tmsh. If your BIG-IP user account is configured with Advanced shell (bash) for the Terminal Access option, then you will return to bash when you exit tmsh. For more information, refer to support.f5.com/csp/article/K12029
I already have HD1.1 , HD1.2 and HD1.3 created in my F5 GTM and my active iso is running on HD1.3, is it ok if i can install new point release iso in HD1.1 which has old iso and then activate on HD1.1?
Hi Rahim. Yes, it is OK - in fact probably best practice if the image on HD1.1 and any data on that partition is no longer needed and otherwise taking up disk space. Note that if you install a new image there, everything on partition HD1.1 will be overwritten.
@@askf5aris171 When i am taking configuration backup from my GTM, it is taking the backup successfully but throwing me an error "ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)" is it still fine to proceed with the point release Update, do we need to be concerned of this error before the Update?
@@rahimhaleem Any errors prior to upgrade may be of concern. It would be best to open a support ticket with F5 Support before proceeding.
@@askf5aris171 When i updated my standby unit and after it came back up, it was showing status as ONLINE (STANDBY) Disconnected. why it is showing disconnected where in your video after Update it is showing as ONLINE (STANDBY) Changes Pending. Is it something to be concerned of or is it expected and continue with Force to Standby in my Active device?
Any tutorial on BIG IP DNS software upgrade??
When preparing to upgrade BIG-IP DNS systems, it is recommended to review K11661449: Overview of BIG-IP DNS system software upgrades. We don't currently have a video for K11661449, but we'll put it on the roadmap.
can we directly upgrade the F5 HA from 12.x.x. to 14.x.x ?
Hello Shriram, from support.f5.com/csp/article/K13845, we see that to upgrade to 14.x, you must be running BIG-IP 12.x through 14.x... You can upgrade directly.
@@askf5-kinh364 but i m getting error like, need to sync with last config as its working on 12.x
@@shriramtrimal1357 There could be different reasons for the error you're seeing. It is recommended to have both BIG-IP "In synced" before performing the upgrade. Here's an upgrade guide which may be helpful: support.f5.com/csp/article/K84205182... Chapters 7 and 8 refer to BIG-IP HA systems.
@@askf5-kinh364 current both are in sync with 12.1.6 but when its upgraded to 14.x then it show above error
@@askf5-kinh364 page getting error as its outdated