Thread: Zero Down Time Upgrade (from NGR55 to NGX61) on a Cluster (VRRP)
View Single Post
  #2 (permalink)  
Old 2006-08-23
northlandboy northlandboy is offline
Senior Member
  
Join Date: 2006-07-28
Location: New Zealand
Posts: 862
Rep Power: 3
northlandboy has an average reputation (10+)
Default Re: Zero Down Time Upgrade (from NGR55 to NGX61) on a Cluster (VRRP)
Since you're running VRRP, things should be much easier - you shouldn't have to go through all the steps detailed in the upgrade guide, and you shouldn't have the problems that others have experienced.

Here's the way I would do it if I was you:

1/ On your backup firewall, upgrade the IPSO and Check Point.

2/ Within SmartDashboard, change the cluster version to NGX. Install policy on the cluster, but uncheck the box that causes it to back out the install if it can't install on all cluster members. Policy should only be installed on the upgraded module - you'll get a version error on the other one.

3/ Once policy is installed, and you're happy with that, bump up the VRRP priorities on your upgraded module. At this point, it should go into VRRP master, and start taking all traffic. Note that this is a zero-downtime upgrade, not a full connectivity upgrade - so any sessions that were running across the R55 module will get broken.

4/ Sit and watch that for a while. Do your service tests. Make sure you're happy with the way everything is working. If you've got any problems, you can just drop the VRRP priorities back down, and traffic will go back across the R55 box.

5/ Once you're happy with everything, upgrade the IPSO and CP versions on the R55 box. It will come up, you can then push policy to the cluster again, which should complete with no problems. Sync should start working between the R61 nodes, but you may find that only delta sync works, and no full sync has been done - in that case you'll see a consistently higher number of connections on the master node than the one you upgraded second - but there will still be a few connections on the backup node. In that case, do a cpstop;cpstart on the module you upgraded second, so that a full sync is forced.

6/ If everything is OK, then switch your VRRP priorities back to make sure everything is still cool running on your normal master.

7/ There is no step 7

8/ Profit!

I haven't done exactly what you're doing with those particular versions, but I have done many, many VRRP upgrades in the past, and this is how I'd handle it.

Things are a little different if you're using ClusterXL, or IP Clustering.
Reply With Quote