CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I was wondering if anyone is able to offer any advice.

We are currently running two IP350s with VRRP, and then on top we have NGX R60 HFA02 with ISP redundancy. We would like to install HFA03. Please could anyone tell me how we should do this without any downtime?

The firewalls are in active/passive, so in theory I should be able to work on the passive firewall and not affect the active one. Do I need to stop the cluster service or somehow stop the cluster? Will it matter if one firewall is on HFA02 whilst the other is on HFA03?

The plan is that once we are happy the upgrade has been OK, we can fail over and repeat the process on the other firewall.

Any help would be brilliant. Thanks
| |||
You could begin by reading the release notes for the HFA, but if you copy the HFA file to the passive Nokia, run a cpstop, install the HFA and reboot, then when it is done switch the passive to the active, test if everything is working, and do the same thing on the other node, you will not have downtime.

Luis Rocha
| |||
Hi, did the update go well?

I had an unpleasant event when I tried to do an fcu (Full Connectivity Update) for the update from R60 to R60 HFA_02 using the following sequence of commands (as described in the upgrade guide):

1.) Installed HFA_02 on the backup system and rebooted the system: State-sync was "ready"
2.) On the backup system I issued a fw fcu <primary IP>. It reported a successful full-sync and the active cluster node stopped processing traffic (oops!).
3.) I changed the VRRP priority so that the backup system got the higher priority; still no traffic was processed.
4.) I installed the HFA_02 (which issues a cpstop) on the other node; still no traffic.
5.) The cluster started to work again after the reboot of the second cluster node.

So the cluster was down for several minutes, which should not happen again. I posted this to the FW1-Mailinglist. I got confirmation that I'm not the only one with this problem. One suggested not to change the VRRP priority, which is not clear to me because VRRP and CP are not influencing each other on IPSO.
| |||
The one on the mailing list was me ;-)

Today I once again made a Full Connectivity Upgrade from HFA 02 to HFA 03. No problems, worked great. Here is the step-by-step guide:

1. Issue a "cphaconf set_ccp broadcast" on all cluster members.
2. Upgrade the backup node (I've used SmartUpdate).
3. Check HA status: "cphaprob stat". The upgraded node should be down and the active node should be active or active attention.
4. Issue the following command on the upgraded machine: "fw fcu <here the ip of the sync interface of the other node>"
5. Issue a "cphastop" on the active node -> now IPSO will fail over and the upgraded node will become master.
6. Upgrade the remaining node. After the node is upgraded it will return to master state and process the traffic again.
7. Issue a "cphaconf set_ccp multicast" on all members to return to sync via multicast (optional).

This guide assumes that you are already running NGX. Do not try when running NG AI.

Best regards,
Alex

Last edited by asieber; 2006-06-29 at 03:03.
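Added example, not part of any poster's message: a shell gate for step 3 of the guide above, which refuses to continue to "fw fcu" unless the upgraded (local) node reports Down and the peer reports Active or Active Attention. The function name `fcu_precheck`, the assumed column layout of "cphaprob stat" and both sample outputs are constructed for illustration.

```shell
# Added example: gate for step 3, run on the upgraded node before "fw fcu".
# Assumed (not from the thread) "cphaprob stat" row layout:
#   <number> [(local)] <address> <load>% <state>
# Returns 0 only if the local member is Down and the peer is Active or
# Active Attention; reads the command output on stdin.
fcu_precheck() {
    awk '
        /^[0-9]+/ {
            state = ""; seen = 0
            for (i = 1; i <= NF; i++) {
                if (seen) state = (state == "" ? $i : state " " $i)
                else if ($i ~ /%$/) seen = 1
            }
            state = tolower(state)
            if ($0 ~ /\(local\)/) local_state = state
            else peer_state = state
        }
        END {
            ok = (local_state == "down" &&
                  (peer_state == "active" || peer_state == "active attention"))
            printf "local=[%s] peer=[%s]\n", local_state, peer_state
            exit !ok
        }'
}

# Constructed sample: upgraded node (local) Down, peer still carrying traffic.
sample_ready() {
    cat <<'EOF'
Number     Unique Address  Assigned Load   State
1 (local)  192.0.2.2       0%              Down
2          192.0.2.1       100%            Active Attention
EOF
}

# Constructed sample: local node not Down, so step 4 must wait.
sample_not_ready() {
    cat <<'EOF'
Number     Unique Address  Assigned Load   State
1 (local)  192.0.2.2       0%              Standby
2          192.0.2.1       100%            Active
EOF
}

# On a cluster member: cphaprob stat | fcu_precheck
sample_ready | fcu_precheck && echo "step 3 satisfied"
sample_not_ready | fcu_precheck || echo "state not as expected, stop"
```

An empty or unparseable state fails the check, so a changed output format stops the procedure rather than letting it continue.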
| |||
Hi Alex,

Just wondering what impact there is after issuing the "fw fcu" command. Does this sync the connections and then suspend the active node from accepting new connections until the updated node becomes active (master)?

Thanks,