Forum Discussion
DanS_24772
Nimbostratus
Nimbostratusporting config from older hardware to newer (both v11.4.1)
Hi,
We're upgrading 3 pairs from 1600 to 10000 units and I'm having trouble importing the configs between old and new. Any suggestions on the best way to do this?
What I've done so far:
-
started by getting basic networking and VLANs working, configuration, along with HA. All pairs now appear OK and configsync and failover is configured.
-
then I imported certs by export/import and that appears OK.
-
so I guess next up is irules/datagroups/pools/vips, etc... But I get tons of errors importing bigip.conf... datagroup files complaining (ignoring for now), most worrysome for now is:
01070313:3: Error reading key PEM file /config/filestore/files_d/Common_d/certificate_key_d/:Common:NAME_2.key_19719_1 for profile /Common/NAME: error:0906A065:PEM routines:PEM_do_header:bad decrypt
Any ideas? Should I copy cert files manually from /Common_d ? Is there a way to partially import a UCS, except for networking info? (so I won't overwrite already done config)? Should I use tmsh or bash?
Thanks
What_Lies_Bene1Cirrostratus
How are you doing 3. exactly?
DanS_24772overwrite current bigip.conf file with a new one (combining all the old vips/pools/irules/etc with some current info, asm and certs imported) tmsh load sys config
I'm open to suggestions though - very likely there might be an easier way - or a way to get everything all at once that I'm missing, which won't overwrite my base networking config...
nitassEmployee
Should I copy cert files manually from /Common_d ?
i do not think so.
Is there a way to partially import a UCS, except for networking info? (so I won't overwrite already done config)? Should I use tmsh or bash?
if configuration is huge, shouldn't it be easier to restore ucs and then modify network later?
- What_Lies_Bene1
I'd concur with Nitass but if things are more complex perhaps it would be better to pull an SCF from the old box and merge the relevant parts using tmsh?
- DanS_24772
Thanks for the advice. I hadn't known about SCF, sounds like something worth trying (frankly gathering info about this whole migration process has been tough, can't find good SOLs or more specific steps).
Found this about the SCF though, will try it: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-4-0/30.html
Not sure if that will help me on the certs problems...
I've been looking through SOL
- What_Lies_Bene1
What you need is a good book cough cough.
What's the problem with the certs?
- What_Lies_Bene1
Oh, I just remember too;
Gotcha: If you want to attach the new device to the network, with the full configuration of the existing one (except Self IP addresses), don’t forget that even with all Virtual Servers disabled, the new device will respond to ARP and ICMP requests unless all Virtual Addresses are also disabled. Also applies if a 0/0 forwarding VS is in play.
- DanS_24772
We've shut the interfaces from the router side for now so the f5 won't be able to get/send requests to those networks. So having vips enabled along with other network settings shouldn't be a problem.
Is there a way to selectively import parts of a UCS - like say I wanted all the folders/files and certs and non obvious conf stuff, but edit a new bigip.conf or just keep a particular conf file?
So my base networking / hostname / self ips / etc wouldn't be removed?
Makengo_134399Altostratus
DanS,
Migration can be difficult sometimes and moving stuff can make you crazy. I did an upgrade a couple of days ago from 11.4.1 to 11.5.1 HF2 and got problems like the F5 want recognize old passphrase (decrypt error) but I found a walk around the problem. Let me know if you need any help, we can try to sort it out. Thanks
- DanS_24772
Thanks, I guess I'm slowly sorting through the problems...
yeah I had decrypt error and rekeyed the system, that seemed to work
now having trouble importing bigip.conf because external data group / class files not present, trying to import by hand.
plugging away.