Applies To:

Show Versions Show Versions

Manual Chapter: Upgrading Active-Standby Systems
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Overview: Upgrading BIG-IP active-standby systems

A BIG-IP system active-standby pair for version 10.x includes one BIG-IP system operating in active mode (Device A) and one BIG-IP system operating in standby mode (Device B).

version 10.x active-standby pairA version 10.x active-standby pair

After preparing the devices for an upgrade to version 11.x, you install version 11.x onto Device B (the standby device). When you finish the installation of version 11.x onto Device B, it creates a traffic group called traffic-group-1. The version 11.x traffic group is in standby state on Device B, and Device A (the version 10.x device) is in active mode. Note that the Unit ID that was used in version 10.x becomes obsolete in version 11.x.

10.x device in standby mode and a version 11.x traffic group in active     state A version 10.x device in active mode and a version 11.x traffic group in standby state
With version 11.x installed on Device B and traffic-group-1 in standby state, you can install version 11.x onto Device A, force Device A to standby mode, which changes Device B to active state so that it can pass traffic, and reboot Device A to the location of the 11.x software image. When you complete upgrading both devices to version 11.x, the BIG-IP configuration includes a traffic group in active state on Device B, a traffic group in standby state on Device A, and a device group that includes both devices.
11.x traffic group in active and standby states A version 11.x traffic group in active and standby states

An upgrade of BIG-IP active-standby systems to version 11.x involves the following tasks.

Task Description
Preparing Device A (the active mode BIG-IP 1 system) and Device B (the standby mode BIG-IP 2 system) In preparing to upgrade the active-standby BIG-IP systems to version 11.x, you need to understand any specific configuration or functional changes from the previous version, and prepare the systems. You also download the new version of software from the AskF5 web site (www.askf5.com) and import the files onto each device.
Upgrading Device B (the standby mode BIG-IP 2 system) When you complete preparation of Device B, you can upgrade the software on that device.
Upgrading Device A (the standby mode BIG-IP 1 system) When you complete upgrading Device B, you can prepare Device A and upgrade the software on Device A.
Verifying the upgrade Finally, you should verify that your active and standby BIG-IP systems are functioning properly.
Configuring module-specific settings According to your understanding of the configuration and functional changes from the previous version, you can reconfigure any customized module settings.

DSC components

Device service clustering (DSC) is based on a few key components.

Devices
A device is a physical or virtual BIG-IP system, as well as a member of a local trust domain and a device group. Each device member has a set of unique identification properties that the BIG-IP system generates.
Device groups
A device group is a collection of BIG-IP devices that trust each other and can synchronize, and sometimes fail over, their BIG-IP configuration data. You can create two types of devices groups: A Sync-Failover device group contains devices that synchronize configuration data and support traffic groups for failover purposes when a device becomes unavailable. A Sync-Only device group contains devices that synchronize configuration data, such as policy data, but do not synchronize failover objects.
Traffic groups
A traffic group is a collection of related configuration objects (such as a virtual IP address and a self IP address) that run on a BIG-IP device and process a particular type of application traffic. When a BIG-IP device becomes unavailable, a traffic group can float to another device in a device group to ensure that application traffic continues to be processed with little to no interruption in service.
Device trust and trust domains
Underlying successful operation of device groups and traffic groups is a feature known as device trust. Device trust establishes trust relationships between BIG-IP devices on the network, through mutual certificate-based authentication. A trust domain is a collection of BIG-IP devices that trust one another and can therefore synchronize and fail over their BIG-IP configuration data, as well as exchange status and failover messages on a regular basis. A local trust domain is a trust domain that includes the local device, that is, the device you are currently logged in to.
Folders and sub folders
Folders and sub-folders are containers for the configuration objects on a BIG-IP device. For every administrative partition on the BIG-IP system, there is a high-level folder. At the highest level of the folder hierarchy is a folder named root. The BIG-IP system uses folders to affect the level of granularity to which it synchronizes configuration data to other devices in the device group.

What is a traffic group?

A traffic group is a collection of related configuration objects, such as a floating self IP address and a virtual IP address, that run on a BIG-IP device. Together, these objects process a particular type of traffic on that device. When a BIG-IP device becomes unavailable, a traffic group floats (that is, fails over) to another device in a device group to ensure that application traffic continues to be processed with little to no interruption in service. In general, a traffic group ensures that when a device becomes unavailable, all of the failover objects in the traffic group fail over to any one of the devices in the device group, based on the number of active traffic groups on each device.

An example of a set of objects in a traffic group is an iApps application service. If a device with this traffic group is a member of a device group, and the device becomes unavailable, the traffic group floats to another member of the device group, and that member becomes the device that processes the application traffic.

Task summary

The upgrade process involves preparation of the two BIG-IP devices (Device A and Device B) configured in an active-standby implementation, followed by the installation and verification of version 11.x on each device. When you upgrade each device, you perform several tasks. Completing these tasks results in a successful upgrade to version 11.x on both BIG-IP devices, with a traffic group configured properly for an active-standby implementation.

Preparing BIG-IP modules for an upgrade from version 10.x to version 11.x

Before you upgrade the BIG-IP system from version 10.x to version 11.x, you might need to manually prepare settings or configurations for specific modules.

Access Policy Manager system preparation

The Access Policy Manager system does not require specific preparation when upgrading from version 10.x to version 11.x. However, additional configuration might be required after completing the upgrade to version 11.x.

Post-upgrade activities

When you complete upgrading to version 11.x, you should consider the following feature or functionality changes that occur for the Access Policy Manager systems. Depending upon your configuration, you might need to perform these changes after you upgrade your systems.

Feature or Functionality Description
Sessions All users currently logged in while the upgrade occurs will need to log in again.
Authentication agents and SSO methods If you have deployments using ActiveSync or Outlook Anywhere, where the domain name is part of the username, you should enable the Split domain from username option in the login page agent if the authentication method used in the access policy requires just the username for authentication. In BIG-IP APM 11.x.x, authentication agents and SSO methods no longer separates the domain name from the username internally.
iRule for processing URI If you have deployments where an iRule is used to perform processing on internal access control URI, for example, /my.policy, /myvpn or other URIs like APM system's logon page request, you need to enable the iRule events for internal access control URIs because by default, BIG-IP APM 11.x.x does not raise iRule events for internal access control URIs. However, this can be achieved by adding the following code to the iRule: when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable }
OAM support Manually remove all the OAM server-related configurations and reconfigure OAM on BIG-IP APM 11.x.x. OAM configuration has been modified to support various OAM 11G related use-cases.
Citrix support functionality The Citrix iRule is no longer visible to the administrator because it is integrated natively in BIG-IP APM 11.x.x. If you have not modified the iRule, then you have to enable the Citrix Support setting on the virtual server to use Citrix. If you modified the F5 provided Citrix support iRule and want to use the modified iRule, you need to contact F5 support and work with them to replace natively integrated iRules with your own version of Citrix supported iRules.
Reporting functionality If you used the adminreports.pl script for your logging or reporting purposes, this script is no longer available in BIG-IP APM 11.x.x. You need to migrate to the new and enhanced reporting and logging functionality available as a built-in functionality on version 11.x.x.

Application Security Manager system preparation

The BIG-IP Application Security Manager (ASM) system does not require specific preparation when upgrading from version 10.x to version 11.x. No additional configuration is required after completing the upgrade to version 11.x.

What to expect after upgrading a redundant system

If you update two redundant systems that are running as an active-standby pair with BIG-IP Application Security Manager (ASM) and BIG-IP Local Traffic Manager (LTM) provisioned, the system maintains the active-standby status and automatically creates a Sync-Failover device group and a traffic group containing both systems. The device group is enabled for BIG-IP ASM (because both systems have ASM provisioned).

You can manually push or pull the updates (including BIG-IP LTM and ASM configurations and policies) from one system to the other (Device Management > Device Groups, then click Config Sync and choose Synchronize TO/FROM Group).

Global Traffic Manager system preparation and configuration

BIG-IP Global Traffic Manager (GTM) systems do not require any preparation to upgrade from version 10.x to version 11.x.

The following feature or functionality changes occur after you complete the upgrade process to version 11.x.

Feature or Functionality Description
Assigning a BIG-IP system to probe a server to gather health and performance data Assigning a single BIG-IP system to probe a server to gather health and performance data, in version 10.x, is replaced by a Prober pool in version 11.x.

Link Controller system preparation

The BIG-IP Link Controller (LC) system does not require specific preparation when upgrading from version 10.x to version 11.x. No additional configuration is required after completing the upgrade to version 11.x.

Local Traffic Manager system preparation

The BIG-IP Local Traffic Manager (LTM) system does not require specific preparation when upgrading from version 10.x to version 11.x. No additional configuration is required after completing the upgrade to version 11.x.

Note: If you configured MAC Masquerade addresses for VLANs on the version 10.x devices, one of the addresses will be included automatically in the MAC Masquerade Address field for traffic-group-1 during the upgrade.

Protocol Security Module preparation

The BIG-IP Protocol Security Module (PSM)does not require specific preparation when upgrading from version 10.x to version 11.x. No additional configuration is required after completing the upgrade to version 11.x.

Acceleration Manager preparation and configuration

BIG-IP Acceleration Managers require specific preparation tasks and changes to upgrade from version 10.x to version 11.x.

Preparation activities

Before you upgrade the Acceleration Managers from version 10.x to version 11.x, you need to prepare the systems, based on your configuration. The following table summarizes the applicable tasks that you need to complete.

Feature or Functionality Preparation Task
Symmetric deployment You must reconfigure symmetric Acceleration Managers as asymmetric systems before you upgrade them from version 10.x to version 11.x.
Important: Version 11.x does not support symmetric Acceleration Managers.
Unpublished policies You must publish any policies that you want to migrate to version 11.x. Only published policies are migrated into version 11.x.
Signed policies Signed policies are not supported in version 11.x. If you use signed policies, you must replace them with predefined or user-defined policies before upgrading.
Configuration files Upgrading from version 10.x to version 11.x does not include custom changes to configuration files. After upgrading to version 11.x, you need to manually restore any customizations made to your configuration files by using the Configuration utility or Traffic Management Shell (tmsh). The following list includes examples of configuration files that might have been customized:
  • /config/wa/globalfragment.xml.10.x.0; in version 11.x, all objtype entries are provided in tmsh.
  • /config/wa/pvsystem.conf.10.x.0
  • /config/wa/pvsystem.dtd.10.x.0
  • /config/wa/transforms/common.zip.10.x.0; version 11.x does not include transforms.
Debug Options X-PV-Info response headers in version 10.x are changed to X-WA-Info response headers in version 11.x. The default setting for X-WA-Info Headers is None (disabled). To use X-WA-Info response headers, you will need to change this setting, and update any associated iRules or scripts, accordingly.
Post-upgrade activities

When you complete upgrading to version 11.x, you should consider the following feature or functionality changes that occur for the Acceleration Managers. Depending upon your configuration, you might need to perform these changes after you upgrade the systems.

Feature or Functionality Description
Web acceleration Web acceleration functionality requires configuration of the Web Acceleration profile.
Important: You must enable an Acceleration Manager application in the Web Acceleration profile to enable the Acceleration Manager.
Compression Compression functionality requires configuration of the HTTP Compression profile in version 11.x.
Request logging Request logging does not migrate to version 11.x. You must recreate the configuration after upgrading by using the Request Logging profile.
Policy logging Policy logging does not migrate to version 11.x. You must recreate the configuration after upgrading by using the Request Logging profile.
URL normalization URL normalization is not supported in version 11.x.
iControl backward compatibility Backward compatibility for iControl Compression and RAM Cache API settings in the HTTP profile is not supported in version 11.x. These settings appear in the HTTP Compression and Web Acceleration profiles in version 11.x.

WAN Optimization Manager preparation

BIG-IP WAN Optimization Manager (WOM) systems do not require specific preparation when upgrading from version 10.x to version 11.x. However, in a redundant system configuration, you must upgrade the standby system first (to avoid interrupting traffic on the active system), and then upgrade the other system. No additional configuration is required after completing the upgrade to version 11.x.

Preparing BIG-IP active-standby systems for an upgrade

The following prerequisites apply when you upgrade BIG-IP active and standby devices from version 10.x to 11.x.
  • The BIG-IP systems (Device A and Device B) are configured as an active-standby pair.
  • Each BIG-IP device is running the same version of 10.x software.
  • The BIG-IP active-standby devices are the same model of hardware.
When you upgrade a BIG-IP active-standby pair from version 10.x to 11.x, you begin by preparing the devices.
Note: If you prefer to closely observe the upgrade of each device, you can optionally connect to the serial console port of the device that you are upgrading.
  1. For each device, complete the following steps to prepare the configuration and settings.
    1. Examine the Release Notes for specific configuration requirements, and reconfigure the systems, as necessary. For example, you must reconfigure version 10.x symmetric WebAccelerator modules as asymmetric systems before upgrading to version 11.x.
    2. Examine the Release Notes for specific changes to settings that occur when upgrading from version 10.x to 11.x, and complete any in-process settings. For example, you must publish any unpublished BIG-IP WebAccelerator module policies in order for them to migrate to version 11.x.
  2. From the device that is running the latest configuration, synchronize the configuration to the peer unit.
    1. On the Main menu, click System > High Availability > ConfigSync. A message appears for the Status Message.
    2. Click Synchronize TO Peer.
  3. For each device, reactivate the license.
    1. On the Main menu, click System > License.
    2. Click Re-activate.
    3. In the Activation Method area, select the Automatic (requires outbound connectivity) option.
    4. Click Next. The BIG-IP software license renews automatically.
  4. For each device, click System > High Availability > Redundancy, and, from the Redundancy State Preference list, select None.
  5. For each device, create a backup file.
    1. Access the tmsh command line utility.
    2. At the prompt, type save /sys ucs /shared/filename.ucs.
    3. Copy the backup file to a safe location on your network.
  6. Download the BIG-IP version 11.x .iso file from the AskF5 downloads web site (https://www.downloads.f5.com) to a preferred location.
  7. Using a tool or utility that computes an md5 checksum, verify the integrity of the BIG-IP version 11.x .iso file.
  8. Import the version 11.x software image file to each device.
    1. On the Main menu, click System > Software Management > Image List > Import.
    2. Click Choose File, locate and click the image file, click Open, and click Import.
    3. When the software image file completes uploading to the BIG-IP device, click OK. A link to the image file, but not to the .md5 file, appears in the Software Image list.
The BIG-IP devices are prepared to install the version 11.x software onto Device B (the standby BIG-IP 2 device).

Upgrading the standby BIG-IP 2 system

The following prerequisites apply for this task.
  • Device A (the active BIG-IP 1 system) and Device B (the standby BIG-IP 2 system) must be prepared to upgrade Device B with version 11.x software.
  • The version 11.x software image file is downloaded and available.
After you prepare Device A (the active BIG-IP 1 system) and Device B (the standby BIG-IP 2 system) for upgrading the software, you can perform these steps to install the version 11.x software onto Device B.
  1. On the Main menu, click System > Software Management > Image List.
  2. In the Available Images area, select the check box for the version 11.x software image.
  3. Select a location to install the image, and click Install.
    Important: In the Install Status list for the specified location, a progress bar indicates the status of the installation. Ensure that installation successfully completes, as indicated by the progress bar, before proceeding.
  4. Reboot the device to the location of the installed version 11.x software image.
    1. On the Main menu, click System > Software Management > Boot Locations.
    2. In the Boot Location list, click the boot location of the installed version 11.x software image.
    3. Click Activate. The BIG-IP device reboots to the version 11.x boot location with traffic-group-1 in standby state.
      Note: If the device appears to be taking a long time to reboot, do not cycle the power off and on. Instead, verify the status of the device by connecting to its serial console port. The device might be performing firmware upgrades.
Version 11.x software is installed on Device B, with traffic-group-1 in standby state.

Upgrading the active BIG-IP 1 system

The following prerequisites apply in upgrading Device A (the BIG-IP 1 system).
  • Device A (the version 10.x BIG-IP 1 system) must be prepared to upgrade the software to version 11.x.
  • Device A is in active mode.
  • Device B (the version 11.x BIG-IP device with traffic-group-1) is in standby state.
After you prepare Device A (the standby BIG-IP 1 system) for upgrading the software, you can perform these steps to upgrade the software to version 11.x.
  1. On the Main menu, click System > Software Management > Image List.
  2. In the Available Images area, select the check box for the version 11.x software image.
  3. Select a location to install the image, and click Install.
    Important: In the Install Status list for the specified location, a progress bar indicates the status of the installation. Ensure that installation successfully completes, as indicated by the progress bar, before proceding.
  4. Force the BIG-IP device (Device A) to standby mode.
    1. On the Main menu, click System > High Availability > Redundancy
    2. Click Force to Standby The BIG-IP device (Device A) changes to standby mode and the peer BIG-IP device (Device B) changes to active state.
      Important: Once the peer BIG-IP device (Device B) changes to active state, ensure that it passes traffic normally.
  5. Reboot the BIG-IP device (Device A) to the location of the installed version 11.x software image.
    1. On the Main menu, click System > Software Management > Boot Locations.
    2. In the Boot Location list, click the boot location of the installed version 11.x software image.
    3. Click Activate. The BIG-IP device (Device A) reboots to the version 11.x boot location with traffic-group-1 in standby state.
      Note: If the device appears to be taking a long time to reboot, do not cycle the power off and on. Instead, verify the status of the device by connecting to its serial console port. The device might be performing firmware upgrades.
  6. On the Main tab, click Device Management > Overview.
  7. In the Devices area of the screen, in the Sync Status column, select the device that shows a sync status of Changes Pending.
  8. From the Sync list, select Sync device to group.
  9. Click Sync.
Version 11.x software is installed on Device A (the BIG-IP system with traffic-group-1 in standby state).

Verifying a BIG-IP active-standby upgrade

When you have completed upgrading the BIG-IP active-standby pair from version 10.x to version 11.x, you should verify that the upgraded configuration is working properly. Perform the following steps to verify the version 11.x upgrade.
  1. Verify the Platform configuration for each device.
    1. On the Main menu, click System > Platform.
    2. For the Root Folder Device Group setting, verify that the device group is identical on the pair of devices.
    3. From the Root Folder Traffic Group list, verify that the correct traffic group (traffic-group-1) is selected.
  2. Verify the configuration for each device.
    1. On the Main menu, click Device Management > Devices.
    2. Verify the following information for the device and the peer device.
      • active-standby status
      • device name
      • management IP address
      • hostname
      • TMOS version
    3. On the Main menu, click Device Management > Device Trust > Peer List.
    4. Verify that the peer device is specified as a Peer Authority Device.
      Note: Ensure that all information for the peer device appears correctly and complete.
  3. Verify the traffic groups for each device.
    1. On the Main menu, click Network > Traffic Groups.
    2. Click traffic-group-1.
    3. If you configured MAC Masquerade addresses for VLANs on the version 10.x devices, verify that the traffic-group-1 includes an address in the MAC Masquerade Address field.
    4. Verify that the floating traffic group is correct.
    5. Verify that the failover objects are correct.
  4. Verify the Current ConfigSync State for each device.
    1. On the Main menu, click Device Management > Overview.
    2. In the Devices area of the screen, in the Sync Status column, verify that each device shows a sync status of green.

Implementation result

Your upgrade of the BIG-IP active-standby pair from version 10.x to version 11.x is now complete. The version 11.x configuration includes a device group with two devices (Device A and Device B) and a traffic group (traffic-group-1), with the traffic group on one device (Device B) in active state and the traffic group on the other device (Device A) in standby state.

version 11.x device group and traffic group A version 11.x device group and traffic group
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)