F5 Migration
We have received 2 i5800 boxes that will replace 5050 (HA pair).
Besides Common there are multiple partitions. We have LTM and ASM in place. New platform will have Adv WAF.
I'm thinking of migrating the config offline; if it loads without error, then just replace the hardware in the network.
What strategy should we take? Can I have some high level guideline?
- ecce, Mar 19, 2021 (Cirrostratus)
High Level: Join the new hardware in the DSC group, sync config, test, remove old devices from group. :)
Here is a slightly more detailed procedure based on how I did it. I write this from memory, but it should be fairly accurate. Of course, there might be configuration in your current setup that makes this not perfectly suitable to your situation.
- Match version of software on the new hardware
- Do basic configuration on the new device. Configure everything that does not sync, like license activation, hostname, device cert, VLAN, SelfIP (non floating), LACP Trunks, Route domains and so on.
- Match Port Lockdown settings on new device. I prefer to set Allow Default on an isolated HA VLAN. tmsh show cm failover-status will show you if you have port lockdown errors.
- Configure ConfigSync VLAN and Failover settings on new device.
- Verify connection to new devices.
- Set the new device to Forced Offline, to ensure this does not go active before configuration is synced. I've seen that happen.
- Log in to the active device in the current cluster
- Set sync to manual and turn off failback if that is configured. There might be considerations regarding HA Group if you use that... not sure, I have never used it.
- While logged in to a device in the current cluster, add Device Trust for the new device. This will sync the master key to the new device.
- Sync config in the Sync-Only Group
- Add the new device to the Failover Group
- Sync config from the active device to the group. This will be a full sync with a warning.
- Verify settings in the new device. Remember that Forced Offline makes Health monitors show weird values, they are not updated until forced offline is removed.
- Remove Forced Offline on the new device.
- Failover to new device.
- Run acceptance tests
- Remove old devices from cluster.
- Turn on automatic sync, failback etc. if those should be used.
Of course it is always a good idea to have backups, preferably stored offline, and also to back up the master key. I always do a tmsh load sys config verify before creating UCS files, since I have seen errors in configs being written to UCS files, and then when you restore them it does not work.
I think that's about it... not sure if ASM > AWAF could be an issue... Good luck!
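The backup step ecce describes (verify the config loads before writing the UCS, keep the archive and the master key offline, and record the cluster state before touching the device group) can be wrapped in a small script. The following is an added example, not ecce's own script or anything from F5; it assumes the default UCS directory /var/local/ucs, that tmsh and f5mku -K are available on the box, and that the UCS file name built from hostname and timestamp is just a naming convention chosen here. TMSH can be overridden (for example TMSH=echo) to dry-run the command sequence off-box.

```shell
#!/bin/sh
# Pre-migration backup checklist for a BIG-IP (added example, not from the thread).
# The UCS is only written after "load sys config verify" succeeds, because a UCS
# taken from a config that does not load cleanly will not restore either.
TMSH="${TMSH:-tmsh}"                    # override with TMSH=echo for a dry run
UCS_DIR="${UCS_DIR:-/var/local/ucs}"    # default UCS location on BIG-IP (assumption)

# Build a predictable UCS file name: $1 = hostname, $2 = timestamp (YYYYmmdd-HHMM).
ucs_name() {
    printf '%s/pre-migration-%s-%s.ucs\n' "$UCS_DIR" "$1" "$2"
}

# Step 1: confirm the running configuration loads without error.
verify_config() {
    $TMSH load sys config verify
}

# Step 2: save the UCS, but only when verification succeeded.
backup_ucs() {
    host="$1"; stamp="$2"
    file=$(ucs_name "$host" "$stamp")
    if ! verify_config; then
        echo "config verify failed; not writing UCS" >&2
        return 1
    fi
    $TMSH save sys ucs "$file"
}

# Step 3: record sync and failover state (including port lockdown problems)
# before any device-group changes, so there is a known-good reference.
record_cluster_state() {
    $TMSH show cm sync-status
    $TMSH show cm failover-status
}

# Step 4: display the master key so it can be stored offline next to the UCS.
# f5mku -K is assumed to be present; treat its output as a secret.
show_master_key() {
    f5mku -K
}

main() {
    host=$(hostname -s)
    stamp=$(date +%Y%m%d-%H%M)
    backup_ucs "$host" "$stamp" && record_cluster_state && show_master_key
}

# Run only when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "pre_migration_backup.sh" ]; then
    main
fi
```

Run it on the active device before adding Device Trust for the new hardware, copy the resulting UCS and the master key output off-box, and keep the recorded sync-status and failover-status output to compare against after the new i5800s have joined the group.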