I had a few questions about BigIP TMOS upgrades through BigIQ i.e. upgrading the TMOS ver of the managed devices from BigIQ CM
How does BigIQ handle OS upgrade for Active-Standby device pair. We see the below screen while we select the devices , either we can select the Devices or we can select Group/Cluster wherein there is no option to select DSC cluster (which as we understand are Sync pair), we get option to select only DNS sync pair
We ended up using the Device option, wherein we add the individual devices. All our deployment are Active- Standby, is BigIQ able to identify a failover pair if I add them as individual devices as I do not have an option to add them as DSC cluster.
Presently our OS upgrades are done manually and with zero downtime, we would want to achieve the same with BigIQ with zero touch. Need your feedback
Will BigIQ undertake the OS upgrade for the Standby device , failover then upgrade the other device. This is not documented properly
we are referring to this article
Like Nikoolayy1 said, testing is always the best way to proceed of you can.
But indeed, I don't remember there beeing an option to perform a "full DSC group upgrade" in BIG-IQ, and even if there was I would be very weary about using it. Do you *really* want to upgrade all devices without testing traffic in the new version? Having an asymmetric cluster allows you to rollback in a very short time in case you find any issues after the upgrade of the first device.
My upgrade process in a 2-device cluster is always like this:
1. Upload images and prepare boot volumes, take backups.
2. Single traffic group? Go to step 4.
3. Multiple traffic groups and active/active config? Force active TGs to standby so that one of the devices is fully on standby.
4. Take the standby device and force it offline.
5. Upgrade the standby device.
6. Get the newly upgraded device online, force TGs to standby on the other one.
7. Test traffic - and this is up to your requirements... I'm used to ISPs asking for about 24 hours on this step.
8. Get the other device offline, upgrade it, get it online.
9. In case of multiple TGs, distribute active/standby as required.
So, you see... BIG-IQ is not exactly a good choice for my method. I prefer having more control over the whole process than letting some external platform do all the steps. My method also allows you to do the time-consuming step of preparing boot volumes beforehand.
Thanks Mike for the very detailed response. The steps that you shared for the upgrade are exactly what we do to upgrade our device pairs. With the frequency of vulnerability's increasing and our frequency of upgrade cycles increasing, we thought of exploring a zero touch OS upgrade approach. But unfortunately that does seem to be the case. Appreciate you for your response sir
I always create two rollout from Big-IQ. I run a script that tells which are standby. Roll out upgrades to that group. Once done, failover to active, monitor, then run all formerly active (now standby) devices. Big-IQ will reboot all of your devices at one time if you put them in one group. Trust me, it is quick, nerve-wracking, but not efficient as you will take down time unless you manually divide and conquer. It is more work than originally hoped for but less than performing manual upgrades. Hope this helps!