Forum Discussion

Cyclohexane_187's avatar
Cyclohexane_187
Icon for Nimbostratus rankNimbostratus
Dec 14, 2011

Upgrading FirePass HA pair

Hi all,

 

 

Apologies if this isn't the correct forum/group for this question. I'm a bit confused which one to use for FirePass questions.

 

 

We have an HA pair of FirePass 4300's and I'd like to be able to upgrade the firmware without causing an outage for our users. The current method I follow (which does cause an outage, although brief) is:

 

 

-Must upgrade active controller first.

 

-Lock out all new users.

 

-Disconnect all existing users.

 

-Apply firmware.

 

-Repeat on other controller (which is now active because the first one has rebooted).

 

-Remove user lock out.

 

 

Is there a different method I should use? Or should we have the pair configured differently?

 

 

Thanks
BIG-IP Access Policy Manager (APM)
remote access
security

4 Replies

Sort By
  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Dec 19, 2011
    It's been a while since I've upgraded on a HA pair. I do remember you can reboot the active Firepass which will cause it to go to the seconday box. Upgrade the device to whatever you want and once completed, reboot the slave which became primary. This will cause the initial primary to take connections. This also depends on what versions your're upgrading from and to.
  • Cyclohexane_187's avatar
    Cyclohexane_187
    Icon for Nimbostratus rankNimbostratus
    Dec 19, 2011
    Hi Mike,

     

     

    Thanks for the reply. It may well just be my misunderstanding, but here's a copy and paste from the manual:

     

     

    When you update clusters and failover pairs, make sure to apply the update to the primary or active member first; otherwise, synchronization wipes out all upgrade activity.

     

     

    So if I reboot the currently active box before I begin, all I've achieved is making the secondary be the primary, and that's now the one I have to upgrade first, so I'll still cause an outage?
  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Dec 20, 2011
    Yeah, Syncing is generally lost when you upgrade major versions anyway. Going from 6.0.3 to 6.1 or 7.0 for example. If you do minor versions, the upgrade path may be best suited as in the manual. We always had about a 30-45 second outage for network access folks but they eventually reconnected. We lost all contact when doing major versions for some reason anways ;(

     

     

    I would consider moving off of Firepass just a FYI and move onto the Edge Gateway.