Forum Discussion

swo0sh_gt_13163's avatar
swo0sh_gt_13163
Icon for Altostratus rankAltostratus
May 14, 2015

Post upgrade from 11.2.0 to 11.5.1 - ASM Policies didn't migrate

Hello Folks,

 

While working on a customer case, I was simulating their backup to my lab appliance before upgrading the production appliances.

 

Before upgrade: Big-IP - 2000 series model. Firmware - 11.2.1 HF13 Modules subscribed - LTM / ASM / AVR

 

Lab upgrade exercise Big-IP - 4000 series Firmware - 11.2.1 -> Restored the backup successfully -> Upgraded to 11.5.1 Modules - LTM / ASM / AVR

 

Now, post upgrade, I realize that my lab box shows "Active Policies", which were "Inactive" in 11.2.1, that means I don't have any active ASM policies visible after upgrading to 11.5.1. What I need to do now is, importing all the ASM policies manually one by one, and mapping it with LTM policies (as HTTP classes are no longer available).

 

Is there a way to recover previously applied ASM policies on 11.5.1?

 

Thank you, Darshan

 

security

3 Replies

Sort By
  • Max_Q_factor's avatar
    Max_Q_factor
    Icon for Cirrocumulus rankCirrocumulus
    May 14, 2015

    I would restore the UCS archive again and I would look at the upgrade logs (system) to see if there was a problem with the http class name. there were a lot of changes from 11.3 to 11.4 with regards to the HTTP class to traffic policy conversion and that's usually where I find issues like that. also review the release notes about it:

     

    New features introduced in 11.4.0

     

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    May 14, 2015

    Darshan - to add to the above from AWS-ASA-3468, the Overview - Summary screen does sometimes highlight issues with an ASM upgrade. Is there anything there? Also, prior to upgrade I would've exported my ASM security policies (XML format) so I could re-import them if required post-upgrade. If you can restore back to 11.2.1 then I would recommend this.

     

    N

     

  • swo0sh_gt_13163's avatar
    swo0sh_gt_13163
    Icon for Altostratus rankAltostratus
    May 14, 2015

    Thanks gentlemen for your replies.

     

    Yes, I agree with AWS_ASA_3468, that HTTP Classes are no longer in use from 11.4.0 onwards. I found that all the classes were converted to LTM Policies. Also I noticed that the Virtual Servers, which had more than one HTTP Class applied, was merged into a single LTM Policy, and within the LTM Policy, there are 2 rules, for each HTTP Class.

     

    I will try to reload the configuration again to see if it shows any changes.

     

    @Nathan, I didn't see any errors in Configuration Utility for ASM. I have the exported ASM Policies, using the same for time being. I was just wondering if this is a known behavior or not.

     

    I will update the thread once I successfully apply the ASM.

     

    Thank you, Darshan