For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

lhutapea_297238's avatar
lhutapea_297238
Icon for Nimbostratus rankNimbostratus
Jul 17, 2017

Upgrade BIG-IP Software From 11 to 13

Hi all,   need help, anyone have experience upgrade big-ip software major from 11.0 to 13.0,? can i upgrade the BIG-IP software from 11.0 to 13.0 used generally procedure software upgrade , just ...
application delivery
BIG-IP
TMOS
MichealRP_61305's avatar
MichealRP_61305
Icon for Nimbostratus rankNimbostratus
Sep 20, 2017

I realize that this is an older post, but I've made two attempts myself to go from 11.6.x HF1 to 13.x HF2 and have had issues during both attempts.

 

It would appear that the primary issue is with a contention issue between APM and ASM. In my specific case, I have some virtual servers that are internet facing and have APM policies in place for user authentication and also ASM policies in place. Also, during the last attempt, I found out the hard way that an ASM policy in Transparent mode isn't really that transparent and still can impact traffic. So, I'm now in the midst of surgically disabling ASM from the virtual servers that also have APM policies and getting ready to try this upgrade again at some point in the near future.

 

Now, as for the actual configuration copy and rebooting into 13.x, that part actually went well, although I've had to go into the system shell and run cpcfg to copy the configurations as I'm on a viprion chassis and when selecting the boot partition the option to copy the configuration is grayed out. Also, using the cpcfg allows me to ensure that the most current configuration is copied over to the 13.x boot partition so it doesn't spin up without a config.

 

  • MichealRP_61305's avatar
    MichealRP_61305
    Icon for Nimbostratus rankNimbostratus
    Oct 24, 2017

    I was finally able to upgrade from 11.6.x to 13.x HF2 without major incident. There are some things to note, starting in v12.x, if you're also using APM, apm policies now have a specific scope setting. Prior to version 12.x, these policies were all considered Global. Meaning someone authenticating to one APM policy on one virtual server, would also be authenticated to any other virtual server. Especially if you're using the same auth domain. Such as .auth.com. Whereas after upgrading, all profiles are set in the Profile scope, which will allow authentication to any over virtual server that uses that same apm policy.

     

    This can cause some issues, at least in our case, as our apm policies were all set for .auth.com (sanatized), so if a virtual server such as test1.stage.auth.com and test2.auth.com use the same access policy, and are connected via the same browser, but different tabs, it can result in a page not found error due to inconsistencies in the fqdn, auth domain, and policy. The way around that is to create a duplicate apm policy, and specify .stage.auth.com on the policy applied to test1.stage.auth.com domain to maintain some separation.

     

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Oct 26, 2017

    Thanks for sharing your upgrade experience.