mahjoub
Jun 15, 2021
Solved

Communication between DMZ & Internal devices

Hi,

I'm going to upgrade my system this coming weekend. As it's my first time doing that, I have one concern and need your support.

I have 4 VM machines, 2 in the DMZ and 2 internal. I will start by upgrading the DMZ standby device, then the active one; the internal machines I'll keep for next weekend.

My question: will there be any problems in communication between the DMZ machines and the internal ones, or in app functions, because after a successful upgrade the two will be on different versions?

Thanks in advance.

  • Hi Mahjoub,

    Short answer; probably not.

    Long answer; probably not, but... ;)

    What versions of software are you going from/to? The smaller the jump, the less likely that there are any behaviour changes or unexpected communication issues. And what modules are you using? Only LTM, or any other ones as well? And are the two DMZ systems in any way clustered with the internal systems? I suspect not, and that they are two separate clusters, but if you do have all 4 of them in one big cluster, a bit more caution is needed (though still not a big problem).

    Also, are you using BIG-IP DNS (formerly known as GTM)? If so, and you are using iQuery for the communication between the systems, keep an eye on that as well.

    An idea to help you get a bit more confidence with the upgraded system before fully committing to it; after upgrading the standby member, keep an eye on its monitors (assuming you are monitoring most of the internal resources from the DMZ cluster). These should all be reporting as Green again (all good) and if you are happy that everything looks good, you can fail over to this newly upgraded system. Rather than directly upgrading the second DMZ system, you can keep running on this newly upgraded system for a day or so and fail back to the not-yet upgraded system if you do come across any issues. You can then even reboot back into the old partition of the upgraded system to be completely back to the beginning.

    Please be aware though that if you are running different versions within a cluster, you do not have stateful failover and should not be making any config changes during that time.

    By the way, have you seen F5's upgrade document? https://support.f5.com/csp/article/K84205182 It's a really helpful tool to run through and double-check that you haven't forgotten anything. It also helps you make sure you follow best practice during the upgrade process.

    Hope this helps.
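
The monitor check suggested in the answer above can be turned into a go/no-go gate before failing over. This is an added example, not part of the original post and not F5 code: it compares a status snapshot taken before the upgrade with one taken on the upgraded standby and lists anything that was green and no longer is. The input layout is a constructed sample modelled on tmsh `field-fmt` style output, which is an assumption; the pool name, addresses and function names are hypothetical.

```python
import re

# Constructed sample, modelled on tmsh "field-fmt" style output (an assumption);
# pool name and member addresses are made up for illustration.
SAMPLE = """\
ltm pool app_pool {
    members {
        10.10.1.11:443 {
            status.availability-state available
        }
        10.10.1.12:443 {
            status.availability-state %s
        }
    }
    status.availability-state available
}
"""
BEFORE, AFTER = SAMPLE % "available", SAMPLE % "offline"  # pre- and post-upgrade snapshots

def availability(text):
    """Map each object's brace path to its status.availability-state value."""
    path, states = [], {}
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if path:
                path.pop()
        elif m := re.fullmatch(r"status\.availability-state\s+(\S+)", line):
            states[" / ".join(path)] = m.group(1)
    return states

def regressions(before, after):
    """Objects available before the upgrade that are not available (or missing) after."""
    old, new = availability(before), availability(after)
    return sorted((name, new.get(name, "missing")) for name, state in old.items()
                  if state == "available" and new.get(name) != "available")

def safe_to_fail_over(before, after):
    """Go/no-go: fail over only when nothing that was green has regressed."""
    return not regressions(before, after)

if __name__ == "__main__":
    for name, state in regressions(BEFORE, AFTER):
        print(f"not green after upgrade: {name} -> {state}")
    print("fail over" if safe_to_fail_over(BEFORE, AFTER) else "hold and investigate")
```

Objects that were already down before the upgrade are ignored on purpose, so only changes introduced by the new version block the failover.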

  • Hi Alex,

    Thanks for your reply.

    We have two modules, LTM and APM only; no GTM and no iQuery either.

    I will upgrade from v12 to v14.

    I hope these answers can help you.

    Lastly, many thanks for your valuable advice and the great link which you shared, really appreciated 🙏