Manual Chapter : Restoring the BIG-IQ and Data Collection Device Cluster to Pre-upgrade State

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 6.1.0
Manual Chapter

Restoring the BIG-IQ and Data Collection Device Cluster to Pre-upgrade State

What are the post-upgrade tasks?

Once you have upgraded the BIG-IQ system with a DCD cluster, you need to:
  • Add the secondary BIG-IQ to the primary BIG-IQ.
  • Re-discover devices and re-import services (You can do this either manually or using a script).
  • Install the vCenter host root certificate on BIG-IQ

Add the secondary BIG-IQ system to the primary BIG-IQ system

After you upgrade both F5 BIG-IQ Centralized Management systems in an HA configuration, you can re-associate the secondary system with the primary BIG-IQ system.
Add the secondary BIG-IQ system to the primary BIG-IQ system to re-establish the high availability pair.
  1. Log in to primary BIG-IQ system with your administrator user name and password.
  2. At the top of the screen, click
    System
    .
  3. On the left, click
    BIG-IQ HA
    .
  4. Click the
    Add Secondary
    button.
  5. In the
    IP Address
    field, type the discovery address you specified on the BIG-IQ system during setup.
    This is the same IP address the peers in a high availability confirmation use to communicate.
  6. Type the administrative
    User name
    and
    Password
    for the system.
  7. Type the
    Root Password
    for the system.
  8. Click the
    Add
    button to add this device to this high availability configuration.
Even though you can log in to the secondary BIG-IQ after the you re-establish the HA configuration, the system continues some database re-indexing processes in the background. For larger configurations, that can take up to an hour. If you perform any searches on objects before it's done re-indexing, BIG-IQ might not return the expected results.
After the HA configuration is re-established, you'll be automatically logged out of the primary BIG-IQ system for a few minutes while the secondary BIG-IQ system restarts.
After the secondary system restarts, you can log back into the primary BIG-IQ system.

What are my options for re-discovering and re-importing devices?

After you upgrade F5 BIG-IQ Centralized Management, you must re-discover and re-import services for your managed devices so you can start managing those devices with the new features introduced in this release. You can do this in bulk, or you do it for each device and service individually.
Regardless of which option you choose, you specify how to handle any conflict between objects in the BIG-IQ system's working configuration.
  • When you re-discover and re-import in bulk, all conflicts are resolved the in the same way.
  • When you re-discover devices and re-import services manually, you specify how to resolve conflicts on an individual basis.

Re-discover and re-import services in bulk

After you upgrade F5 BIG-IQ Centralized Management, you must rediscover and reimport services for your managed devices so you can start managing those devices with the new features introduced in this release. Use this procedure to re-discover and re-import services in bulk. You'll have the option to decide how to manage any conflict between objects in the BIG-IQ system's working configuration and objects in the same way for each type of object.
If you upgraded a BIG-IQ system that's managing BIG-IP devices running Network Security or Web App Security services, you'll see evaluation differences for the default logging profile objects imported from BIG-IP devices (global-network, log all requests, log illegal requests, and local-dos). This is expected because the new version of BIG-IQ imports information about default logging profiles that were not present in the previous version. After you complete the upgrade to the latest version and re-import your Network Security or Web Application Security service, these differences should no longer occur.
  1. At the top of the screen, click
    Devices
    .
  2. Select the check box next to the devices for which you want to rediscover and reimport services.
  3. Click the
    More
    button and select
    Re-discover and Re-import
    .
  4. In the
    Name
    field, type a name for this task.
  5. For all of the Conflict Resolution Policies, we recommend you select
    Use BIG-IP
    , to replace any conflicting shared objects in its working configuration with the objects it's importing from the BIG-IP device.
    When you select
    Use BIG-IP
    to resolve conflicts, the BIG-IP device used to resolve those conflicts should appear last in the re-import list. If two or more BIG-IP devices contain the same object with different values, only the value in the last imported BIG-IP is used to resolve the conflict for all the BIG-IP devices.
  6. To create a snapshot of the BIG-IQ configuration before discovering and importing services, select the
    Snapshot
    check box.
    Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
  7. Click the
    Create
    button at the bottom of the screen.
After the services reimport, devices displays in the BIG-IP Devices inventory list with their services. You can now manage these BIG-IP devices from BIG-IQ.

Re-import and re-discover services individually

After you upgrade F5 BIG-IQ Centralized Management, you must re-discover and re-import services for your managed devices so you can start managing those devices with the new features introduced in this release. Use this procedure to re-discover and re-import services for each device, and handle any conflict any conflict between objects in the BIG-IQ system's working configuration on an individual bases from the Services screen.
  1. At the top of the screen, click
    Devices
    .
  2. Click the name of the BIG-IP device you want to re-discover and re-import services for.
  3. On the left, click
    Service
    .
  4. Select the
    Create a snapshot of the current configuration before importing
    check box for each service you want a snapshot of.
  5. Click the
    Re-discover
    button for each service this BIG-IP device is licensed for.
    BIG-IQ re-discovers the service.
  6. Click the
    Re-import
    button for each service this BIG-IP device is licensed for.
  7. For all of the Conflict Resolution Policies, we recommend you select
    Use BIG-IP
    , to replace any conflicting shared objects in its working configuration with the objects it's importing from the BIG-IP device.
After the services reimport, this device displays in the BIG-IP Devices inventory list with its services. You can now manage this BIG-IP device from BIG-IQ.

Install the vCenter host root certificate on BIG-IQ after upgrading

If you have a VMware service scaling group (SSG) associated with a vCenter certificate that is self-signed or untrusted, after you upgrade BIG-IQ Centralized Management, you'll need to re-add the vCenter host root certificate. For this procedure, you must have root access to the BIG-IQ system's command line.
Providing BIG-IQ the vCenter host root certificate ensures secure communication between BIG-IQ and the vCenter.
  1. From the BIG-IQ system's command line, copy the root certificate from the vCenter host cert
    /etc/vmware-sso/key/ssoserverRoot.crt
    file to the BIG-IQ system's
    /config/ssl/ssl.crt
    file.
  2. Type this command to create a symbolic link to this certificate using the certificate's hash:
    ln -s ssoserverRoot.crt `openssl x509 -hash -noout -in ssoserverRoot.crt`.0
    .
  3. Type this command to restart
    gunicorn
    :
    bigstart restart gunicorn