Applies To:

Show Versions Show Versions

Manual Chapter: Upgrading BIG-IP Active-Active Systems to Version 11.X
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Overview: Upgrading BIG-IP active-active systems

A BIG-IP system active-active pair for version 10.x includes two BIG-IP systems operating in active mode (Device A and Device B).

A version 10.x active-active pair

After preparing the devices for an upgrade to version 11.x, you force Device B to standby mode and install version 11.x onto Device B (the standby device).

A version 10.x active-standby pair

When you finish the installation of version 11.x onto Device B, it creates two traffic groups called traffic-group-1 and traffic-group-2. Both version 11.x traffic groups fail over to active state on Device B, and Device A (the version 10.x device) changes to standby mode. Note that the Unit ID that was used in version 10.x becomes obsolete in version 11.x.

A version 10.x device in standby mode and version 11.x traffic groups in active state
You then install version 11.x onto Device A. When you complete upgrading both devices to version 11.x, the BIG-IP configuration includes a traffic group in active state on Device B, a traffic group in active state on Device A, and a device group that includes both devices.
Version 11.x traffic groups in active state on two different devices

An upgrade of BIG-IP active-active systems to version 11.x involves the following tasks.

Task Description
Preparing Device A (active mode on the BIG-IP 1 system) and Device B (active mode on the BIG-IP 2 system) In preparing to upgrade the active-active BIG-IP systems to version 11.x, you need to understand any specific configuration or functional changes from the previous version, and prepare the systems. You also download the new version of software from the AskF5 web site (www.askf5.com) and import the files onto each device.
Forcing Device B to standby mode When you complete preparing the Device B, you can force Device B to standby mode.
Upgrading Device B (the standby mode BIG-IP 2 system) Once Device B is in standby mode, you can upgrade the software on that device.
Upgrading Device A (the standby mode BIG-IP 1 system) When you complete upgrading Device B, you can prepare Device A, and upgrade the software on Device A.
Verifying the upgrade Finally, you should verify that your active traffic groups on the BIG-IP systems are functioning properly.
Configuring module-specific settings According to your understanding of the configuration and functional changes from the previous version, you can reconfigure any customized module settings.

Configuration components

BIG-IP redundant system configuration is based on a few key components.

Devices

A device is a physical or virtual BIG-IP system, as well as a member of a local trust domain and a device group. Each device member has a set of unique identification properties that the BIG-IP system generates.

Device groups

A device group is a collection of BIG-IP devices that trust each other and can synchronize, and sometimes fail over, their BIG-IP configuration data.

Important: To configure redundancy on a device, you do not need to explicitly specify that you want the BIG-IP device to be part of a redundant configuration. Instead, this occurs automatically when you add the device to an existing device group.

You can create two types of devices groups:

Sync-Failover
A Sync-Failover device group contains devices that synchronize configuration data and support traffic groups for failover purposes when a device becomes unavailable. Devices in a Sync-Failover device group must match with respect to hardware platform, product licensing, and module provisioning.
Sync-Only
A Sync-Only device group contains devices that synchronize configuration data, such as policy data, but do not synchronize failover objects.

A BIG-IP device can be a member of only one Sync-Failover group. However, a device can be a member of both a Sync-Failover device group and a Sync-Only device group.

Traffic groups

A traffic group is a collection of related configuration objects (such as a virtual IP address and a self IP address) that run on a BIG-IP device and process a particular type of application traffic. When a BIG-IP device becomes unavailable, a traffic group can float to another device in a device group to ensure that application traffic continues to be processed with little to no interruption in service.

Device trust and trust domains

Underlying successful operation of device groups and traffic groups is a feature known as device trust. Device trust establishes trust relationships between BIG-IP devices on the network, through mutual certificate-based authentication. A trust domain is a collection of BIG-IP devices that trust one another and can therefore synchronize and fail over their BIG-IP configuration data, as well as exchange status and failover messages on a regular basis. A local trust domain is a trust domain that includes the local device, that is, the device you are currently logged in to.

Folders and sub folders

Folders and sub-folders are containers for the configuration objects on a BIG-IP device. For every administrative partition on the BIG-IP system, there is a high-level folder. At the highest level of the folder hierarchy is a folder named root. The BIG-IP system uses folders to affect the level of granularity to which it synchronizes configuration data to other devices in the device group. You can create sub-folders within a high-level folder, using tmsh.

Note: In most cases, you can manage redundancy for all device group members remotely from one specific member. However, there are cases when you must log in locally to a device group member to perform a task. An example is when resetting device trust on a device.

About traffic groups

A traffic group is a collection of related configuration objects that run on a BIG-IP device. Together, these objects process a particular type of traffic on that device. When a BIG-IP device becomes unavailable, a traffic group floats (that is, fails over) to another device in a device group to ensure that application traffic continues to be processed with little to no interruption in service. In general, a traffic group ensures that when a device becomes unavailable, all of the failover objects in the traffic group fail over to any one of the devices in the device group, based on the current workload of those devices.
Important: Although a specific traffic group can be active on only one device in a device group, the traffic group actually resides and is in a standby state on all other device group members, due to configuration synchronization.

Only certain types of configuration objects can belong to a traffic group. Examples of traffic group objects are self IP addresses and virtual IP addresses.

An example of a set of objects in a traffic group is an iApps application service. If a device with this traffic group is a member of a device group, and the device becomes unavailable, the traffic group floats to another member of the device group, and that member becomes the device that processes the application traffic.

When a traffic group fails over to another device in the device group, the device that the system selects to run the traffic group is normally the device that is most available. However, when you initially create the traffic group on a device, you specify the device in the group that you prefer that traffic group to run on whenever possible. Note that the system considers the most available device in a device group to be the device that contains the fewest active traffic groups at any given time.
Note: A Sync-Failover device group can support a maximum of 15 traffic groups.

Task summary

The upgrade process involves preparation of the two BIG-IP devices (Device A and Device B) configured in an active-active implementation, followed by the installation and verification of version 11.x on each device. When you upgrade each device, you perform several tasks. Completing these tasks results in a successful upgrade to version 11.x on both BIG-IP devices, with an active traffic group configured properly on each device.

Preparing BIG-IP modules for an upgrade from version 10.x to version 11.x

Before you upgrade the BIG-IP system from version 10.x to version 11.x, you might need to manually prepare settings or configurations for specific modules.

Access Policy Manager system preparation

Access Policy Manager is not supported in an Active-Active configuration.

Supported high availability configuration for Access Policy Manager

Access Policy Manager is supported in an Active-Standby configuration with two BIG-IP systems only.

Important: Access Policy Manager is not supported in an Active-Active configuration.

Application Security Manager system preparation

The BIG-IP Application Security Manager(ASM) system does not require specific preparation when upgrading from version 10.x to version 11.x. No additional configuration is required after completing the upgrade to version 11.x.

If you update two redundant systems that are running as an active-standby pair with BIG-IP Application Security Manager (ASM) and BIG-IP Local Traffic Manager(LTM) provisioned, the system maintains the active-standby status and automatically creates a Sync-Failover device group and a traffic group containing both systems. The device group is enabled for BIG-IP ASM (because both systems have ASM provisioned).

You can manually push or pull the updates (including BIG-IP LTM and ASM configurations and policies) from one system to the other (Device Management > Device Groups, then click Config Sync and choose Synchronize TO/FROM Group).

Global Traffic Manager system preparation and configuration

BIG-IP Global Traffic Manager (GTM) systems do not require any preparation to upgrade from version 10.x to version 11.x.

The following feature or functionality changes occur after you complete the upgrade process to version 11.x.

Feature or Functionality Description
Assigning a BIG-IP system to probe a server to gather health and performance data Assigning a single BIG-IP system to probe a server to gather health and performance data, in version 10.x, is replaced by a Prober pool in version 11.x.

Link Controller system preparation

The BIG-IP Link Controller (LC) system does not require specific preparation when upgrading from version 10.x to version 11.x. No additional configuration is required after completing the upgrade to version 11.x.

Local Traffic Manager system preparation

The BIG-IP Local Traffic Manager (LTM) system does not require specific preparation when upgrading from version 10.x to version 11.x. No additional configuration is required after completing the upgrade to version 11.x.

Note: If you configured MAC Masquerade addresses for VLANs on the version 10.x devices, one of the addresses will be included automatically in the MAC Masquerade Address field for traffic-group-1 during the upgrade.

Protocol Security Module preparation

The BIG-IP Protocol Security Module (PSM)does not require specific preparation when upgrading from version 10.x to version 11.x. No additional configuration is required after completing the upgrade to version 11.x.

WebAccelerator system preparation and configuration

BIG-IP WebAccelerator systems require specific preparation tasks and changes to upgrade from version 10.x to version 11.x.

Preparation activities

Before you upgrade the WebAccelerator systems from version 10.x to version 11.x, you need to prepare the systems, based on your configuration. The following table summarizes the applicable tasks that you need to complete.

Feature or Functionality Preparation Task
Symmetric deployment You must reconfigure symmetric WebAccelerator systems as asymmetric systems before you upgrade them from version 10.x to version 11.x.
Important: Version 11.x does not support symmetric WebAccelerator systems.
Unpublished policies You must publish any policies that you want to migrate to version 11.x. Only published policies are migrated into version 11.x.
Signed policies Signed policies are not supported in version 11.x. If you use signed policies, you must replace them with predefined or user-defined policies before upgrading.
Configuration files Upgrading from version 10.x to version 11.x does not include custom changes to configuration files. After upgrading to version 11.x, you need to manually restore any customizations made to your configuration files by using the Configuration utility or Traffic Management Shell (tmsh). The following list includes examples of configuration files that might have been customized:
  • /config/wa/globalfragment.xml.10.x.0; in version 11.x, all objtype entries are provided in tmsh.
  • /config/wa/pvsystem.conf.10.x.0
  • /config/wa/pvsystem.dtd.10.x.0
  • /config/wa/transforms/common.zip.10.x.0; version 11.x does not include transforms.
Debug Options X-PV-Info response headers in version 10.x are changed to X-WA-Info response headers in version 11.x. The default setting for X-WA-Info Headers is None (disabled). To use X-WA-Info response headers, you will need to change this setting, and update any associated iRules or scripts, accordingly.
Post-upgrade activities

When you complete upgrading to version 11.x, you should consider the following feature or functionality changes that occur for the WebAccelerator systems. Depending upon your configuration, you might need to perform these changes after you upgrade the systems.

Feature or Functionality Description
Web acceleration Web acceleration functionality requires configuration of the Web Acceleration profile.
Important: You must enable a WebAccelerator application in the Web Acceleration profile to enable the WebAccelerator system.
Compression Compression functionality requires configuration of the HTTP Compression profile in version 11.x.
Request logging Request logging does not migrate to version 11.x. You must recreate the configuration after upgrading by using the Request Logging profile.
Policy logging Policy logging does not migrate to version 11.x. You must recreate the configuration after upgrading by using the Request Logging profile.
URL normalization URL normalization is not supported in version 11.x.
iControl backward compatibility Backward compatibility for iControl Compression and RAM Cache API settings in the HTTP profile is not supported in version 11.x. These settings appear in the HTTP Compression and Web Acceleration profiles in version 11.x.

WAN Optimization Manager preparation

BIG-IPWAN Optimization Manager (WOM)systems do not require specific preparation when upgrading from version 10.x to version 11.x. However, in a redundant system configuration, you must upgrade the standby system first (to avoid interrupting traffic on the active system), and then upgrade the other system. No additional configuration is required after completing the upgrade to version 11.x.

Preparing BIG-IP active-active systems for an upgrade

The following prerequisites apply when you upgrade BIG-IP active-active devices from version 10.x to 11.x.
  • The BIG-IP systems (Device A and Device B) are configured as an active-active pair.
  • Each BIG-IP device is running the same version of 10.x software.
  • The BIG-IP active-active devices are the same model of hardware.
When you upgrade a BIG-IP active-active pair from version 10.x to 11.x, you begin by preparing the devices.
  1. For each device, complete the following steps to prepare the configuration and settings.
    1. Examine the Release Notes for specific configuration requirements, and reconfigure the systems, as necessary. For example, you must reconfigure version 10.x symmetric WebAccelerator systems as asymmetric systems before upgrading to version 11.x.
    2. Examine the Release Notes for specific changes to settings that occur when upgrading from version 10.x to 11.x, and complete any in-process settings. For example, you must publish any unpublished WebAccelerator policies in order for them to migrate to version 11.x.
  2. For each device, synchronize the configuration.
    1. On the Main menu, click System > High Availability > Device Connectivity > ConfigSync. A message appears for the Status Message.
    2. As indicated by the Status Message, click one of the following buttons.
      • Synchronize TO Peer
      • Synchronize FROM Peer
  3. For each device, reactivate the license.
    1. On the Main menu, click System > License.
    2. Click Re-activate.
  4. For each device, disable the VLAN Fail-safe setting.
    1. On the Main menu, click System > High Availability > Fail-safe > VLANs.
    2. Select the check box for the VLAN Fail-safe name that you want to disable.
    3. Click Remove, and click OK. The VLAN Fail-safe entry is removed from the list.
  5. For each device, disable the Gateway Fail-safe setting.
    1. On the Main menu, click System > High Availability > Fail-safe > Gateway.
    2. Select the check box for the Gateway Fail-safe name that you want to disable.
    3. Click Remove, and click OK. The Gateway Fail-safe entry is removed from the list.
  6. For each device, click System > High Availability > Redundancy, and, from the Redundancy State Preference list, select None.
  7. For each device, create a backup file.
    1. Access the tmsh command line utility.
    2. At the prompt, type save /sys config file name.
    1. Copy the backup file to a safe location on your network.
  8. Download the BIG-IP version 11.x .iso and .md5 files from the AskF5 downloads web site (https://www.downloads.f5.com) to a preferred location.
  9. Import the version 11.x software image and MD5 files to each device.
    1. On the Main menu, click System > Software Management > Image List > Import.
    2. Click Choose File, locate and click the image file, click Open, and click Import.
      Important: You need to import the version 11.x .md5 file and the .iso file.
    3. When the software image file completes uploading to the BIG-IP device, click OK. A link to the image file, but not to the .md5 file, appears in the Software Image list.
  10. Force Device B (the BIG-IP 2 device) into standby mode.
    1. On the Main menu, click System > High Availability > Redundancy.
    2. Click Force to Standby. Device B is now in standby mode.
  11. Do one of the following steps to disconnect Device B (the standby BIG-IP 2 device) from the network.
    • Disconnect all network cables, except for the management interface cable.
    • Shut down the interfaces on the upstream device.
The BIG-IP devices are now prepared to install the version 11.x software onto Device B (the standby BIG-IP 2 device).

Upgrading the standby BIG-IP 2 system

The following prerequisites apply for this task.
  • Device A (the active BIG-IP 1 system) and Device B (the standby BIG-IP 2 system) must be prepared to upgrade Device B with version 11.x software.
  • The version 11.x software image and MD5 files have been downloaded and are available.
After you prepare Device A (the active BIG-IP 1 system) and Device B (the standby BIG-IP 2 system) for upgrading the software, you can perform these steps to install the version 11.x software onto Device B.
  1. On the Main menu, click System > Software Management > Image List.
  2. In the Available Images area, select the check box for the version 11.x software image.
  3. Select a location to install the image, and click Install.
    Important: In the Install Status list for the specified location, a progress bar indicates the status of the installation. Ensure that installation successfully completes, as indicated by the progress bar, before proceding.
  4. Reboot the device to the location of the installed version 11.x software image.
    1. On the Main menu, click System > Software Management > Boot Locations.
    2. In the Boot Location list, click the boot location of the installed version 11.x software image.
    3. Click Activate. The BIG-IP device reboots to the version 11.x boot location.
  5. Do one of the following steps to disconnect Device A (the version 10.x active BIG-IP 1 device) from the network.
    • Disconnect all network cables, except for the management interface cable.
    • Shut down the interfaces on the upstream device.
  6. Do one of the following steps to connect Device B (the version 11.x BIG-IP with traffic-group-1) to the network.
    • Reconnect all network cables.
    • Enable the interfaces on the upstream device.
  7. Flush the Level 2 databases on the upstream devices to start passing traffic to the Device B traffic-group-1 in active state.
Version 11.x software is now installed on Device B, with traffic-group-1 and traffic-group-2 in active state, passing traffic.

Upgrading the standby BIG-IP 1 system

The following prerequisites apply in upgrading Device A (the BIG-IP 1 system).
  • Device A (the version 10.x BIG-IP 1 system) must be prepared to upgrade the software to version 11.x.
  • Device A is in standby mode.
  • Device B has version 11.x installed with traffic-group-1 and traffic-group-2 in active state.
After you prepare Device A (the standby BIG-IP 1 system) for upgrading the software, you can perform these steps to upgrade the software to version 11.x.
  1. On the Main menu, click System > Software Management > Image List.
  2. In the Available Images area, select the check box for the version 11.x software image.
  3. Select a location to install the image, and click Install.
    Important: In the Install Status list for the specified location, a progress bar indicates the status of the installation. Ensure that installation successfully completes, as indicated by the progress bar, before proceding.
  4. Reboot the device to the location of the installed version 11.x software image.
    1. On the Main menu, click System > Software Management > Boot Locations.
    2. In the Boot Location list, click the boot location of the installed version 11.x software image.
    3. Click Activate. The BIG-IP device reboots to the version 11.x boot location.
  5. Stop the services on the device.
    1. Access the tmsh command-line utility.
    2. At the prompt, type stop sys service all.
  6. Do one of the following steps to connect Device A to the network.
    • Reconnect all network cables.
    • Enable the interfaces on the upstream device.
  7. Start the services on Device A.
    1. Access the tmsh command-line utility.
    2. At the prompt, type start sys service all.
    Device A restarts, with traffic-group-2 in active state and traffic-group-1 in standby state.
  8. For each device, create the VLAN Fail-safe setting.
  9. For each device, create the Gateway Fail-safe setting.
  10. For each device, click System > High Availability > Redundancy, and, from the Redundancy State Preference list, select None.
Version 11.x software is now installed on Device A, with traffic-group-2 in active state and traffic-group-1 in standby state.

Verifying a BIG-IP system active-active upgrade

Prerequisite: You must complete a software upgrade of the BIG-IP active-active pair from version 10.x to version 11.x.
When you have completed upgrading the BIG-IP active-active pair from version 10.x to version 11.x, you should verify that the upgraded configuration is working properly. Perform the following steps to verify the version 11.x upgrade.
  1. Verify the Platform configuration for each device.
    1. On the Main menu, click System > Platform.
    2. From the Sync root folder using device group list, verify that the correct device group is selected to synchronize the configuration from the root folder and child folders.
    3. From the Default Traffic Group list, verify that the correct traffic group is selected to use when failover objects are created.
  2. Verify the configuration for each device.
    1. On the Main menu, click Device Management > Devices.
    2. Verify the information for the device and the peer device.
    3. On the Main menu, click Device Management > Device Trust > Local Domain.
    4. Verify that the peer device is specified as a Peer Authority Device.
  3. Verify the traffic groups for each device.
    1. On the Main menu, click Network > Traffic Groups.
    2. Click traffic-group-1.
    3. If you configured MAC Masquerade addresses for VLANs on the version 10.x devices, verify that the traffic-group-1 includes an address in the MAC Masquerade Address field.
    4. Click traffic-group-2.
    5. If you configured MAC Masquerade addresses for VLANs on the version 10.x devices, verify that the traffic-group-2 includes an address in the MAC Masquerade Address field.
    6. Verify that the floating traffic group is correct.
    7. Verify that the failover objects are correct.
  4. Verify the Current ConfigSync State for each device.
    1. In the area at right of the F5 logo, click Sync Recommended.
    2. Do one of the following steps to synchronize the configuration.
      • Click Synchronize TO Group.
      • Click Synchronize FROM Group.

Implementation result

Your upgrade of the BIG-IP active-active pair from version 10.x to version 11.x is now complete. The version 11.x configuration includes a device group with two devices (Device A and Device B) and two traffic groups (traffic-group-1 and traffic-group-2), with the first traffic group on one device (Device B) in active state and the second traffic group on the other device (Device A) in active state.

A version 11.x device group and two traffic groups in active state on different devices
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)