| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi, I performed an upgrade of my management server from R55 to R60. All went well apart from my site-to-site VPNs. All of the Edge devices were disconnected. Is there anything I should be doing here? I expected them to just continue working. Anyway, I've reverted back to R55 and the VPNs are back working. Any help would be greatly appreciated as I'm desperate to move from NG to NGX. Thanks |
| |||
| Random thoughts: * Why not go to R61, rather than R60? * What version are your Edge devices? I think there can be problems if they are pre-5.0. * Check the release notes. On page 18 of the R61 release notes, there is this section: "After upgrading a pre-NGX SmartCenter Server to NGX, existing VPN connections will be dropped the first time policy is installed if the enforcement modules are not also upgraded to NGX. New connections will succeed as expected. For connections with static source-destination ports (for example, GRE connections), reinitialize them by running cpstop/cpstart on the module." From memory, this also applies to R60. * What behaviour did you see with your VPNs? What were your logs telling you? What happened when you tried to initiate traffic? Error messages? Did they even try to form a tunnel? |
| |||
| Thanks for the reply. I've tried the same with R61 today and got the same results. Another issue which I didn't notice before was that the management server stopped logging, so I am unable to check what the logs said. Is this a known issue or just something else I've done wrong!? All my Edge devices are above the 5.0 firmware so no problems there. It may also be worth noting that I have left (for now) the firewalls on R55 HFA04 but I don't think that should have an impact on upgrading the management server. The weird thing is as soon as I restore R55 and push policy, everything reconnects perfectly. Last edited by raggy; 2006-07-31 at 08:34. |
| |||
| R55 on the modules shouldn't be a problem - it's a supported upgrade path to upgrade the management first, then sort out the modules some time later. Do you have a mix of Edge and non-Edge devices in your network? Do you have any non-VPN traffic? After you upgrade, but before pushing policy, what happens? No logging? But traffic still works on your modules? Is it only after pushing policy your modules stop working? I take it this is an in-place upgrade? I know that when you do a CMA migration, logging won't work until you either install database on the CMA, or push policy (which also does a database install). Does doing a database install get logging working? |
| |||
| I only have Edge devices on my network so no external traffic other than the VPNs. When I upgrade, the logging stops and the VPNs work fine. As soon as I push policy the Edge devices become disconnected. Yeah, it's an in-place upgrade. I've tried building a new server (new hardware), doing an upgrade_export of R55 and upgrade_import of R61 too. Exactly the same results again. I'll look into the logging issue tomorrow. As this is a production firewall I'm limited in how much downtime I can have, so I'll have to attempt the policy pushes out of hours. Thx for your patience! |
| |||
| I don't have experience with the Edge platforms, so there's not much help I can offer. What I would say though, is that if I'd done an upgrade, I would be checking my logging pretty much straight away, and I would be loath to push policy if logging wasn't working. Try a DB install, rather than a policy push, see if logging starts. Also try and look at historical logs from the modules during the time you were upgraded - see if they offer any clues as to why it didn't work last time you tried. Upgrading in place is a bit of a pain, due to these sorts of problems - you don't get a lot of time to fix it, if it's not working! Check out your libsw versions, make sure they are up to date. |
| |||
| Hello, I just saw this in my latest Check Point Security Expert Newsletter: "How to configure SmartCenter NGX R60 Server to manage a VPN-1 Edge..." sk31690. This may or may not be of use. Cheers, Sean |
| |||
| Thanks Sean, I think that's more for new installs. I did notice this: sk31831. In SmartDashboard, select 'Policy > Global Properties > SmartDashboard Customization'. Click 'Configure', and select 'VPN Advance Properties > VPN IKE properties'. Enable 'Keep_IKE_SAs' and click 'OK'. Might be worth a try! |