
Forum Discussion

BJ_114988
Jun 16, 2015

I am planning to upgrade my F5 from 10.2.4 to 11.6. What upgrade process do I have to follow?

I am planning to upgrade my F5 from 10.2.4 to 11.6. What upgrade process do I have to follow? Are there any issues that anybody faced during the upgrade? Please let me know if any.

 

6 Replies

  • Hello,

    Please find some of the known issues below.

    1. SSL Profiles "inherit-certchain" setting is screwed up - does not migrate correctly. You'll have to manually go over the config file to fix it. Relevant if you use parent SSL profiles that are something other than the default profile "clientssl".
    2. SSL default timeout is reduced from 60 seconds to 10 seconds. Not relevant in most cases, but very severe for some applications. If relevant for you, you'll have to manually modify it.
    3. In addition to SSL handshake timeout, hundreds of default values have changed, you'll find nothing about most of them in the release notes. I wish F5 just had a tickbox "Retain default values from current version - Yes/No", but unfortunately new values are pushed into TMOS whether you want them or not.
    4. HTTPClass objects are deprecated (if you have any, remove them before creating an image snapshot). You'll have to create new LTM policies (or iRules) to replace the functionality of your HTTPClass objects.
    5. Issues with iRules. For instance, some system-provided variables, e.g. $static::tcl_platform(machine), have been removed. After the upgrade, you can expect to see some TCL errors such as "TCL error... variable not found" in /var/log/ltm.

    So what can you do? Look into F5 SOL articles. Search for "upgrading F5 software"; the articles explain the standard upgrade procedure quite well. To upgrade your F5, you should start by re-activating the license; follow up by installing the desired software on a new partition. When done, you reboot your system from the new partition and hope everything works. Hint: you will be disappointed 4 times out of 5.

    As you encounter errors which prevent the configuration from loading, you have two options: a) modify some settings of the conflicting object, or b) remove the conflicting object. You can try either of the options by working with the snapshot config files in the /config/bigpipe directory. Once done, issue the /usr/libexec/bigpipe daol command, which initiates another attempt to load your configuration. If you do not understand the error message, try to Google it or contact F5 support. During and after the upgrade, pay close attention to the /var/log/ltm file to spot any problems.

    Hope this helps!
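A pre-upgrade check for three of the issues listed in the reply above, as an added example that is not part of the original post or any F5 tooling: it scans a copy of a v10 configuration for HTTPClass profiles, client SSL profiles whose parent is not "clientssl", and iRules that reference tcl_platform. The sample configuration is constructed, and the v10 bigpipe object layout it relies on ("profile <type> <name> {", "defaults from <parent>") is an assumption to confirm against your own bigip.conf.

```python
import re

# Constructed sample in BIG-IP v10 bigpipe syntax (layout assumed, not from the thread).
SAMPLE_CONF = '''\
profile clientssl corp_parent {
   defaults from clientssl
}
profile clientssl shop_ssl {
   defaults from corp_parent
}
profile httpclass img_class {
   defaults from httpclass
}
rule platform_check {
when HTTP_REQUEST {
   log local0. "arch $static::tcl_platform(machine)"
}
}
'''

# Top-level object header, e.g. "profile clientssl shop_ssl {" or "rule foo {".
# Only known object keywords end the current object, so column-0 Tcl inside a
# rule body ("when ... {", "}") does not cut the rule short.
HEADER = re.compile(r'^(profile \w+|rule|virtual|pool|monitor|node|class) (\S+) \{')
PARENT = re.compile(r'^\s+defaults from (\S+)')

def audit_v10_config(text):
    """Return sorted (issue, object_name) findings for the issues named in the reply."""
    findings = set()
    kind = name = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            kind, name = m.groups()
            if kind == 'profile httpclass':
                findings.add(('httpclass-deprecated', name))
            continue
        p = PARENT.match(line)
        if kind == 'profile clientssl' and p and p.group(1) != 'clientssl':
            findings.add(('inherit-certchain-review', name))
        if kind == 'rule' and 'tcl_platform' in line:
            findings.add(('removed-tcl-variable', name))
    return sorted(findings)

if __name__ == '__main__':
    for issue, obj in audit_v10_config(SAMPLE_CONF):
        print(f'{issue:26} {obj}')
```

Run it against a copy of the configuration taken before the upgrade; each finding names an object to fix or replace by hand, as the reply describes.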

  • I have the same requirement to migrate the 200 VIPs from 10.2.4 to Viprion 11.5.1 (2400). Currently the Viprion is installed with a few partitions like Dev, QA, prod... We would like to retain the same VLAN... The test site has been migrated successfully... but I would like to know the steps to migrate the remaining virtual servers, pools, and profiles from F5 to Viprion in phases and have them ARP-disabled until go-live. During go-live I can disable on the F5 and enable on the Viprion... Could you please list out the migration checklist and share the steps for migration, and what are the significant changes on the Viprion? There are 10 iRules which are data group based...

     

  • Is this an upgrade, or will you have to migrate the configs from another machine to the VIPRIONs? Also, have you already completed the work?

     

  • Hello Rapp,

     

    Could you please elaborate on the first point? We have upgraded F5 from 11.4.1 to 11.6.0 and noticed SSL is not working. We are using a Thales HSM for key storage and encryption. While checking the F5 log, I found "tmm7[22268] 01260010 FIPS acceleration device failure: cannot locate key". I verified that the key is available on the F5; I am not sure why F5 detects that the key is not available. I tried to reassign the key and cert in the SSL profile, still no success. F5 support is clueless and ready to blame it on the HSM.

     

    "SSL Profiles "inherit-certchain" setting is screwed up - does not migrate correctly. You'll have to manually go over the config file to fix it. Relevant if you use parent (clientside or serverside) SSL profiles that are something else than the default profile "clientssl"."

     

    • Hannes_Rapp
      Hello, Praveen. Have you checked the default "clientssl" profile? I do not have experience with Thales HSM, but I can recall a similar issue where another HSM was paired with F5. Namely, the "default.crt" and "default.key" files were no longer included in the certificate chain after the upgrade, which caused the external HSM to be inaccessible for the BigIP. The error message was the same. In addition to SSL problems, we had cluster-sync issues for the same reason. If that does not apply, I'm out of ideas and cannot recommend anything other than redoing the configuration where you paired BigIP with external HSM crypto. This link may help you, should you decide to take the last option: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration/3.html

      The inherit-certchain issue only applies to custom clientside SSL profiles where the "Parent Profile" is not "clientssl". The first symptom of this issue is that when you open a client SSL profile in the GUI, you will see that incorrect files (crt and key) are in the chain. For as long as you do not apply configuration changes, the impact is only cosmetic (visually misleading), but as soon as you apply any change to your SSL profile, those wrong files in the chain you see will become effective and take down your service.
  • Hello Rapp,

     

    Thank you for the valuable feedback, I will check into it.

     

    Again thank you.