Manual Chapter :
Migration of Devices Running Different Version Software
Applies To:
Show VersionsBIG-IP LTM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Migration of Devices Running Different Version Software
About migrating
devices running different software versions
What is device
migration?
Device migration
enables you to replace
the devices in a BIG-IP device group running earlier
version software with newer upgraded devices running software version 12.1.3, or later. It
enables you to take an existing configuration on a device group's source device and easily
replicate it on a newer target
device. Supported
platforms
Supported source and target platforms include appliances, VIPRION® platforms, virtual edition (VE) devices, and vCMP® guests.
Supported software
versions
You can migrate the configuration of any BIG-IP version
11.x.x, 12.0.0, 12.1.0, or 12.1.2 source device to a BIG-IP version 12.1.3, or
later, target device.
Configuration
Dependencies
Migration to newer devices running software version 12.1.3, or later,
ignores the following configuration objects. If your configuration includes dependencies on any
of these objects, you must reconfigure them on the new device before you load the UCS file onto
that device.
You must reconfigure the following objects on the new target device to
use the same names as the objects on the source device, before you load the UCS file onto that
device
- Interfaces
- Interface bundles
- Management IP address
- Management route
Migration of a device group to newer
devices
When you migrate the source devices in a device group running earlier version software to new
target devices running BIG-IP software version 12.1.3, or later, the
following sequence of steps applies. This sequence migrates a device group composed of source
devices 1 and 2 to a device group composed of new target devices 1 and 2.
- For a device group, migration functionality reestablishes the device group with the target devices when you load an archive onto the second target device.
- During migration, do not make any additional configuration changes. Reconfiguration during migration can cause unexpected behavior.
- Devices run different software versions during migration, preventing normal config sync functionality until migration completes.
Step 1. Migrate source device 1 to target device 1.
- Prepare each source device in the device group.
- Create and save an archive for each device.
- Download an archive file for each device.
- Force source device 1 offline, and observe that source device 2 becomes active.
- Shut down source device 1.
- Install target device 1.
- Prepare target device 1.
- Upload the source device 1 archive, and load the archive onto the target device 1.
Step 2. Migrate source device 2 to target device 2.
- Force source device 2 offline, and observe that target device 1 becomes active.
- Shut down source device 2.
- Install target device 2.
- Prepare target device 2.
- Upload the source device 2 archive, and load the archive onto the target device 2, reestablishing the device group.
About migrating to a target device
You can easily take an existing configuration on a source device (appliance, VIPRION®, VE, or vCMP® guest) and replicate it on a target device
(appliance, VIPRION, VE, or vCMP guest). The migration process includes the following steps:
- Prepare the source device
- Archive and download the UCS file
- Shut down the source device
- Set up the target device
- Upload the archived UCS file
- Load the archived UCS file onto the target device
For a device group, the migration functionality reestablishes the device group with the target
devices when you load an archive onto the second target device.
Preparing BIG-IP modules for an upgrade
from version 11.x, or later
Before you upgrade the BIG-IP system from version 11.x, or later, to the new version, you
might need to manually prepare settings or configurations for specific
modules.
Application Acceleration Manager preparation
BIG-IP
Application Acceleration Manager™ (AAM®) modules
require specific preparation tasks and changes to upgrade from version 11.x, or later, to the
new version software. No additional configuration is required after completing the upgrade to
the new version software.
Preparation activities
Before you upgrade the BIG-IP
Application Acceleration Manager™ (AAM®) modules
from version 11.x, or later, to the new version software, you need to prepare the systems,
based on your configuration. The following table summarizes the applicable tasks that you
need to complete.
Feature or Functionality |
Preparation Task |
---|---|
Unpublished policies |
You must publish any policies that you want to migrate to the new version
software. Only published policies are migrated into the new version
software. |
Advanced Firewall Manager system preparation
The BIG-IP
Advanced Firewall Manager™ (AFM™) system does not
require specific preparation when upgrading from version 11.x, or later, to the new version
software. No additional configuration is required after completing the upgrade to the new
version software.
Access Policy Manager system preparation
The Access Policy Manager system does not require specific
preparation when upgrading from version 11.x, or later, to the new version software. However,
additional configuration might be required after completing the upgrade to the new version
software.
Supported high availability configuration for Access Policy Manager
Access Policy Manager is supported in an active-standby configuration with two BIG-IP systems only.
Access Policy Manager is not supported in an active-active
configuration.
Post-upgrade activities
When you finish upgrading to the new version software, you should consider the
following feature or functionality changes that occur for the Access Policy Manager systems.
Depending on your configuration, you might need to perform these changes after you upgrade
your systems.
Feature or Functionality | Description |
---|---|
Sessions | All users currently logged in while the upgrade occurs will need to log in
again. |
Authentication agents and SSO methods | If you have deployments using ActiveSync or Outlook Anywhere, where the domain
name is part of the user name, you should enable the Split domain from
username option in the login page agent if the authentication method
used in the access policy requires only the user name for authentication. |
Application Security Manager system preparation
The BIG-IP
Application Security Manager™ (ASM™) system does not
require specific preparation when upgrading from version 11.x, or later, to the new version
software. No additional configuration is required after completing the upgrade to the new
version software.
What to expect after upgrading a redundant system
If you update two redundant systems that are running as an active-standby pair with BIG-IP
Application Security Manager (ASM) and BIG-IP
Local Traffic Manager (LTM) provisioned, the
system maintains the active-standby status and automatically creates a Sync-Failover device
group and a traffic group containing both systems. The device group is enabled for BIG-IP
ASM (because both systems have ASM provisioned).
You can manually push or pull the updates (including BIG-IP LTM and ASM configurations and
policies) from one system to the other (
, click the name of a device, and then choose Sync Device to
Group
or Sync Group to Device
).Global Traffic Manager system preparation and configuration
BIG-IP Global Traffic Manager systems require specific
preparation and configuration when upgrading from version 11.x, or later, to the new version
software.
Preparation activities
You should complete these activities before upgrading Global Traffic Manager systems from
version 11.x, or later, to the new version software (BIG-IP DNS).
In BIG-IP version 12.0, BIG-IP Global Traffic Manager is renamed to
BIG-IP DNS. After you upgrade, you will see the new name in the product and
documentation.
Activity |
Instructions |
---|---|
Verify that the device certificates are current, and that expiration does not
occur until after upgrading. |
|
Disable configuration synchronization and DNS zone files synchronization. To use a backup UCS file without synchronizing the GTM
configuration, disable synchronization. If synchronization is enabled, restoring
the UCS backup file loads the configuration and initiates
synchronization. |
|
Post-upgrade activities
You should complete these tasks after upgrading BIG-IP DNS systems from 11.x, or later, to
the new version software.
In BIG-IP version 12.0, BIG-IP Global Traffic Manager is renamed to
BIG-IP DNS. After you upgrade, you will see the new name in the product and
documentation.
- From the command line, run thebig3d_installscript on the first BIG-IP DNS system that you upgraded, so that you can monitor other BIG-IP DNS systems.Run this script only once, only from the first BIG-IP DNS system that you upgraded. This step momentary degrades monitoring performance as newbig3dagents start.
- On each device, verify the configuration.
- On each device, test queries against listeners.
- On each device, verify iQuery® connections by using thetmshcommandtmsh show /gtm iquery all.
- Enable synchronization on each device.
- Verify configuration synchronization by using a dummy test object; for example, by using an object that can be deleted after the configuration synchronization is verified as operational.
Link Controller system preparation
The BIG-IP
Link Controller™ (LC™) system does not require specific
preparation when upgrading from version 11.x, or later, to the new version software. No
additional configuration is required after completing the upgrade to the new version
software.
Local Traffic Manager system preparation
The BIG-IP
Local Traffic Manager (LTM) system does not require
specific preparation when upgrading from version 11.x, or later, to the new version software. No
additional configuration is required after completing the upgrade to the new version
software.
HTTP Class profiles
F5 Networks® replaced the HTTP Class profile in BIG-IP version 11.4.0, and later, with the introduction of the Local Traffic Policies
feature. During an upgrade to BIG-IP version 11.4.0, if your configuration contains an HTTP
Class profile, the BIG-IP system attempts to migrate the HTTP Class profile to an equivalent
local traffic policy. For additional support information regarding the change of HTTP Class
profiles to Local Traffic Policies, refer to SOL14409 on
www.askf5.com
.Policy Enforcement Manager system preparation
The BIG-IP
Policy Enforcement Manager™ (PEM™) system does not
require specific preparation when upgrading from version 11.x, or later, to the new version
software. No additional configuration is required after completing the upgrade to the new
version software.
Preparing RAID drives for an
upgrade
If your configuration includes redundant array of independent disks (RAID) drives,
you need to verify that the RAID drives are ready for upgrading. If a RAID drive shows
errors before upgrading, you will want to contact F5 customer support to resolve the
errors before initiating the upgrade.
- Open the Traffic Management Shell (tmsh).tmshThis startstmshin interactive shell mode and displays thetmshprompt:(tmos)#.
- Verify the health of RAID disks, ensuring that the drives are not failed or undefined.(tmos)# show sys raidSys::Raid::Array: MD1 -------------------- Size (MB) 305245 Sys::Raid::ArrayMembers Bay ID Serial Number Name Array Member Array Status --------------------------------------------------------- 1 WD-WCAT18586780 HD2 yes failed 2 WD-WCAT1E733419 HD1 yes okIn this example, the array is labeled MD1 and disk HD2 indicates an error.
- VerifyCurrent_Pending_Sectordata displays aRAW_VALUEentry of less than1on RAID systems.For version 11.4.0, and laterRun the platform check utility:(tmos)# run util platform_checkFor version 11.3.x, and earlierAt the command line, run the smartctl utility:smartctl -t long -d ata /dev/<sda|sdb|hda|hdc>
In this example, the197 Current_Pending_Sector 0x0032 200 200 000 Old_age Always - 0RAW_VALUEentry is0. - Verify that no known issues appear in the following log files.
- Check/var/log/user.logfor LBA messages indicating failure to recover, for example,recovery of LBA:226300793 not complete.
- Check/var/log/kern.logfor ATA error entries.
The health of all RAID drives is assessed, enabling you to resolve any issues before
proceeding with the BIG-IP software upgrade.
Preparing a source
device
You can use these steps to prepare a source device
for migration to a target device.
- Open the Traffic Management Shell (tmsh).tmshThis startstmshin interactive shell mode, and displays thetmshprompt:(tmos)#.
- Set the device master key to prompt for a password.(tmos)# modify sys crypto master-key prompt-for-passwordThis master key password is used when configuring the source and target devices. You will want to remember or safely record it for configuration of source and target devices.
- Enter a password.enter password:type_password
- Confirm the password.password again:type_password
- On the Main tab, click.In the Devices area of the screen, in the Sync Status column, view the sync status of each device:
- If all devices show a sync status of green, the configurations of all device members are synchronized, and you do not need to perform a config sync operation.
- If any device shows a sync status of Changes Pending, you must synchronize the configuration on that device to the other members of the device group.
A status ofChanges Pendingfor a device indicates that the device contains recent configuration changes that have not yet been synchronized to the other members of the device group. - For each device, sync the configuration:
- On the Main tab, click.
- In the Device Groups area of the screen, in the Name column, select the name of the relevant device group.The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
- In the Devices area of the screen, in the Sync Status column, select a device.
- From theSyncoptions list, select a sync option.OptionDescriptionSync Device to GroupSelect this option to synchronize the configuration of the selected device to the device group.Sync Group to DeviceSelect this option to synchronize the configuration of the device group to the selected device.
- ClickSync.
The source device is prepared for migration to a target device
Create and save an archive using the Configuration utility
You can use the BIG-IP Configuration utility to create and save archives on the BIG-IP system.
Any UCS file that you create includes the host name of the BIG-IP system as part of the data stored in that file. Later, when you specify this UCS file while restoring configuration data to a BIG-IP system, the host name stored in this UCS file must match the host name of the system to which you are restoring the configuration data. Otherwise, the system does not fully restore the data. Also, if your configuration data includes SSL keys and certificates, make sure to store the archive file in a secure environment.
- Force the source device to the offline state.
- On the Main menu, click.
- Click the name of the source.The device properties screen opens.
- ClickForce Offline.The source device changes to the offline state.Once the source device changes to the offline state, ensure that traffic passes normally for all active traffic groups on the other devices.WhenForce Offlineis enabled, make sure to manage the system using the management port or console. Connections to self IP addresses are terminated whenForce Offlineis enabled.
- On the Main tab, click.The Archives screen displays a list of existing UCS files.
- ClickCreate.If theCreatebutton is unavailable, you do not have permission to create an archive. You must have the Administrator role assigned to your user account.
- In theFile Namefield, type a unique file name for the archive.F5 recommends that the file name match the name of the BIG-IP system. For example, if the name of the BIG-IP system isbigip2, then the name of the archive file should bebigip2.ucs.
- To encrypt the archive, for theEncryptionsetting, selectEnabled.If theEncryptionsetting is unavailable, you must configure theArchive Encryptionsetting located on the Preferences screen.
- To include private keys, for thePrivate Keyssetting, selectInclude.Make sure to store the archive file in a secure environment.
- ClickFinished.
Downloading a copy of an archive to a management workstation
You can use the Configuration utility to download a copy of an archive to a management workstation. This provides an extra level of protection by preserving the configuration data on a remote system. In the unlikely event that you need to restore the data, and a BIG-IP® system event prevents you from accessing the archive in the BIG-IP system directory, you still have a backup copy of the configuration data.
- On the Main tab, click.The Archives screen displays a list of existing UCS files.
- In the File Name column, click the name of the archive that you want to view.This displays the properties of that archive.
- For theArchive Filesetting, click theDownload: <filename>.ucsbutton.A confirmation screen appears.
- ClickSave.The BIG-IP system downloads a copy of the UCS file to the system from which you initiated the download.
Shutting down a source device
Before you shut down a source device during the migration process, download a copy
of the archive file to a management workstation.
You can shut down a BIG-IP source device, as needed, when
migrating a configuration to a new target device.
- Complete one of these steps.
- For BIG-IP software version 11.x.x, typehalt. When a message appears indicating that the device is halted, turn off the power.
- For BIG-IP software version 12.0.0, and later, typeshutdown.
The BIG-IP source device is shut down.
Installing a target device
You can install a target device when migrating from an older source device to a new
target device.
- Install and license the new target device in accordance with the platform guide installation instructions for the device.When installing the new target device, use the Configuration utility to specify the same IP address, Netmask, and Management Route as the source device.
- Provision the target device according to the provisioning of the source device.
The target device is installed, licensed, and
provisioned.
Preparing a target device for migration
You can prepare a target device for migration.
- Open the Traffic Management Shell (tmsh).tmshThis startstmshin interactive shell mode, and displays thetmshprompt:(tmos)#.
- Set the device master key to prompt for a password.(tmos)# modify sys crypto master-key prompt-for-passwordThis master key password is used when configuring the source and target devices. You will want to remember or safely record it for configuration of source and target devices.
- Enter a password.enter password:type_password
- Confirm the password.password again:type_password
- Save the configuration.(tmos)# save sys config
The target device is prepared for migration.
Uploading an archive from a management workstation
If you previously downloaded a copy of an archive to a management workstation, you can upload that archive to the BIG-IP® system at any time. This is useful when a BIG-IP system event has occurred that has caused the archive stored on the BIG-IP system to either become unavailable or corrupted.
You can use the Configuration utility to upload a copy of an archive stored on a management workstation.
When you upload a copy of an archive, you must specify the exact path name for the directory in which the downloaded archive copy is stored.
- On the Main tab, click.The Archives screen displays a list of existing UCS files.
- ClickUpload.The Upload screen opens.
- For theFile Namesetting, clickBrowse.
- For theOptionssetting, select theOverwrite existing archive filecheck box if you want the BIG-IP system to overwrite any existing archive file.The BIG-IP system overwrites an existing file with the uploaded file only when the name of the archive you are uploading matches the name of an archive on the BIG-IP system.
- ClickUpload.The specified archive is now uploaded to the/var/local/ucsdirectory on the BIG-IP system.
Loading an archive
using tmsh
Migration to newer devices running software version 12.1.3, or
later, ignores the following configuration objects. If your configuration includes
dependencies on any of these objects, you must reconfigure them on the new device
before you load the UCS file onto that device.
You must reconfigure the following objects on the new
target device to use the same names as the objects on the source device, before
you load the UCS file onto that device
- Interfaces
- Interface bundles
- Management IP address
- Management route
You can use
tmsh
to load and migrate data from an archive file. The /var/local/ucs
directory is the only
location on the BIG-IP system from which you
can migrate an archive. If no archive exists in that directory, then you cannot migrate
configuration data. The host name stored in the archive file must match the host name of the target
BIG-IP device; otherwise, the system does not fully migrate the
data.
- Connect to the system using the serial console.
- Open the Traffic Management Shell (tmsh).tmshThis startstmshin interactive shell mode, and displays thetmshprompt:(tmos)#.
- Load the configuration contained in a specified UCS file.(tmos)# load sys ucs my_file.ucs platform-migrateWhen you load the configuration for a second device in a device group, the migration functionality reestablishes the device group.The UCS is loaded into the running configuration of the device.