2006-03-25
andrew
Upgrading from R55 to R60 - a few notes

I hope this post is still useful even though I do not have the exact error language that would make it turn up in searches. In the haste to correct problems I didn't make notes.

We decided to upgrade from R55 to R60 because we were told that R60 supported Dynamic DNS in objects. We're hoping this allows us to configure site-to-site VPNs with telecommuters that possess dynamic IPs, such as cable modem customers.

The upgrade documentation suggested that the first step would be to verify eligibility for and to upgrade the FW licensing for NGX with the license_upgrade utility. The utility is OS dependent and was to be located on the R60 CD within the corresponding OS directory; however, for Secure Platform, the util wasn't there. I assumed the license_upgrade found in the Linux folder would work, but instead we received a missing library error that prevented license_upgrade from starting. SmartUpdate (a method we'd used in the past), after downloading the license from the CP user center, worked. The documentation included with the CDs doesn't mention SmartUpdate and instead gives explicit instruction on license_upgrade.

I spoke to CP support prior to the upgrade and left with the impression that R55 would function with R60 licenses installed. However, after applying the R60 licenses, VPNs ceased to function, and multiple 'No license for VPN' errors appeared in the Tracker. Rather than revert, I applied the OS and program upgrade with the patch add cd command. The installation quit with Error Code 2 after verifying upgrade readiness and then again when backing up the configuration. I think this may have had to do with SmartUpdate still being open on an admin machine, because after closing it patch add ran perfectly.

After the reboot, I could not connect to SmartCenter with the R60 utilities, though it ended up not having anything to do with the FW module but the local network interface. The FW hardware links up to a GBIC on a Cisco 3550, which requires Gigabit negotiation, but the 10/100/1000 NIC on the server did not autonegotiate. This of course seems more like a hardware issue, but I mention it because R55 ran for more than a year with multiple reboots on the older version of SPlat and always brought the interface up without issue. Forcing the interface to gigabit with ifconfig resolved the problem.

Finally running, I noticed no traffic in the SmartView Tracker, and the SmartView Monitor reported that the policy server wasn't up. Installing the policy from the dashboard failed with a mismatch width error in the static table or static_table on a line in our .pf file. CP support (thanks Joe!) helped us determine that the problem was in our static NAT table, and by disabling NAT rules and process of elimination, we discovered an offending rule. This was a NAT rule that functioned fine under R55. After removing the NAT the policy installed appropriately.

Unresolved issues are lack of ISP redundancy and errors with IP Telephony over VPN. When these are taken care of I'll add to this thread.

To this point the upgrade has required about 6 hours. None of the issues have made us regret the decision to upgrade, however without CP the static_table problem may have been a complete stumper.

Thanks

Andrew