NGAI to NGX VSX Upgrade



dr-spoof
2006-04-04, 08:18
Has anyone upgraded VSX from NGAI to NGX? If so, what was your experience? Having played with NGX in the lab, it is very different from the NGAI version and I have not installed the NGAI version. My lab is too primitive to try a test upgrade within the lab. Any thoughts or experience on this would be appreciated.

tedesco
2006-07-17, 06:24
Sorry for the late answer, but it might still help someone:

Upgrading has been very difficult, but now I have managed to upgrade 3 of my VSXs.

Problems:

On MDS - P-1 for VSX:
- Upgrade process on MDS broken due to some soft link loop. See sk31372
- We had a problem with vsx_util on some large VSX (fwm times out on a request from vsx_util). Got a fix for libCmaForwardingLayer.so at /opt/CPsuite-R60/fw1/lib/

- cpd seems to die periodically, and I have not yet found the exact reason.


On VSX:
- We had a dbedit script to automatically create users under NGAI. After upgrade, users got corrupted (some fields set to NULL and cannot be edited; the user has to be deleted).
- Under NGAI, we had gotten some driver for the Intel quad card e1000 and had to modify /etc/modules to use, for example, e1000.5.2.30.1. Under NGX, the last driver is e1000 so
- Under NGAI, we used the driver tg3 for the onboard card BROADCOM Corporation NetXtreme BCM5703X Gigabit Ethernet. Under NGX, the driver that should be used seems to be bcm5700 (could not find the tg3, and the bcm5700 seems to work)

- VSX froze/overloaded when using SecureXL, and would not come fully up after reboot (stopped on some VS). I had to disable SecureXL.
- Licenses for upgraded VSX are automatically detached. After upgrade, do not forget to re-attach the license or the demo license will expire after 15 days... and SecureClient users will get blocked...
- fw stat <VS> does not work for VS on VSX upgraded to NGX. Check Point has a fix that works for this. (Does not work yet for clustered VS)
- If you use a RADIUS server to authenticate users, take care to modify the parameter "shared_external_servers" to false (CP has modified the default behavior here; it is documented, poorly, but documented.)
- We had modified the max concurrent connections for a VS to 99000; the value got lost after upgrade and was set back to 15000.
- Get the patch referred to in sk31358
- Install VSX NGX HFA_V30_01: it fixes a serious problem for SecureClient (after upgrading to NGX, return packets from SecureClient are not sent in the tunnel)
- If you have some site-to-site VPN that implements some "hub mode" routing (the remote VPN box routes all traffic toward the VS, including traffic to the default route), then you might get some problems. We got a fix for a file called /opt/CPvsxngxcmp-R60/bin/fw_loader (located on MDS)

- Seems that /bin/backup_start is wrong again: it uses cpwd_admin start -name CPD -path \"$CPDIR/bin/cpd_admin\" -command \"cpd_admin start
But cpd_admin does not have "start" as a possible parameter (only stop, list, ver and debug...) So the correct way to start cpd after backup is probably: cpwd_admin start -name CPD -path \"$CPDIR/bin/cpd\" -command \"cpd\"
(Note that cpwd_admin is also badly initialised after reboot... I did not have time yet to fix this)

Otherwise, NGX requires 3 times more disk space during the upgrade on the MDS. (NGAI/R55 is duplicated to backward comp. under NGX disk space, and NGX/R60 takes more space than NGAI.)
It also requires more memory...

Good luck!!!