Manual Chapter :
Restoring the BIG-IQ and
Data Collection Device Cluster to Pre-upgrade State
Applies To:
Show VersionsBIG-IQ Centralized Management
- 6.1.0
Restoring the BIG-IQ and
Data Collection Device Cluster to Pre-upgrade State
What are the
post-upgrade tasks?
Once you have upgraded the BIG-IQ system with a DCD cluster, you need to:
- Add the secondary BIG-IQ to the primary BIG-IQ.
- Re-discover devices and re-import services (You can do this either manually or using a script).
- Install the vCenter host root certificate on BIG-IQ
Add the secondary
BIG-IQ system to the primary BIG-IQ system
After you upgrade both F5 BIG-IQ
Centralized Management systems in
an
HA configuration, you can re-associate the secondary system with the primary
BIG-IQ system.
Add the secondary BIG-IQ system to the primary
BIG-IQ system to re-establish the high availability pair.
- Log in to primary BIG-IQ system with your administrator user name and password.
- At the top of the screen, clickSystem.
- On the left, clickBIG-IQ HA.
- Click theAdd Secondarybutton.
- In theIP Addressfield, type the discovery address you specified on the BIG-IQ system during setup.This is the same IP address the peers in a high availability confirmation use to communicate.
- Type the administrativeUser nameandPasswordfor the system.
- Type theRoot Passwordfor the system.
- Click theAddbutton to add this device to this high availability configuration.
Even though you can log in to the secondary BIG-IQ
after the you re-establish the HA configuration, the system
continues some database re-indexing processes in the background. For
larger configurations, that can take up to an hour. If you perform
any searches on objects before it's done re-indexing, BIG-IQ might
not return the expected results.
After the HA configuration is re-established, you'll
be automatically logged out of the primary BIG-IQ system for a few
minutes while the secondary BIG-IQ system restarts.
After the secondary system restarts, you can log back
into the primary BIG-IQ system.
What are my
options for re-discovering and re-importing devices?
After you upgrade F5 BIG-IQ Centralized Management, you must
re-discover and re-import services for your managed devices so you can start managing
those devices with the new features introduced in this release. You can do this in bulk,
or you do it for each device and service individually.
Regardless of which option you choose, you specify how to handle any
conflict between objects in the BIG-IQ system's working configuration.
- When you re-discover and re-import in bulk, all conflicts are resolved the in the same way.
- When you re-discover devices and re-import services manually, you specify how to resolve conflicts on an individual basis.
Re-discover and
re-import services in bulk
After
you upgrade F5 BIG-IQ Centralized Management, you must rediscover and reimport services
for your managed devices so you can start managing those devices with the new features
introduced in this release. Use this procedure to re-discover and re-import services in
bulk. You'll have the option to decide how to manage any conflict between objects in the
BIG-IQ system's working configuration and objects in the same way for each type of
object.
If you upgraded a BIG-IQ system
that's managing BIG-IP devices running Network Security or Web App Security
services, you'll see evaluation differences for the default logging profile objects
imported from BIG-IP devices (global-network, log all requests, log illegal
requests, and local-dos). This is expected because the new version of BIG-IQ
imports information about default logging profiles that were not present in the
previous version. After you complete the upgrade to the latest version and re-import
your Network Security or Web Application Security service, these differences should
no longer occur.
- At the top of the screen, clickDevices.
- Select the check box next to the devices for which you want to rediscover and reimport services.
- Click theMorebutton and selectRe-discover and Re-import.
- In theNamefield, type a name for this task.
- For all of the Conflict Resolution Policies, we recommend you selectUse BIG-IP, to replace any conflicting shared objects in its working configuration with the objects it's importing from the BIG-IP device.When you selectUse BIG-IPto resolve conflicts, the BIG-IP device used to resolve those conflicts should appear last in the re-import list. If two or more BIG-IP devices contain the same object with different values, only the value in the last imported BIG-IP is used to resolve the conflict for all the BIG-IP devices.
- To create a snapshot of the BIG-IQ configuration before discovering and importing services, select theSnapshotcheck box.Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
- Click theCreatebutton at the bottom of the screen.
After the services reimport, devices displays in the BIG-IP
Devices inventory list with their services. You can now manage these BIG-IP devices from
BIG-IQ.
Re-import and re-discover services individually
After you upgrade F5 BIG-IQ Centralized Management,
you must re-discover and re-import services for your managed devices so you can start
managing those devices with the new features introduced in this release. Use this
procedure to re-discover and re-import services for each device, and handle any conflict
any conflict between objects in the BIG-IQ system's working configuration on an
individual bases from the Services screen.
- At the top of the screen, clickDevices.
- Click the name of the BIG-IP device you want to re-discover and re-import services for.
- On the left, clickService.
- Select theCreate a snapshot of the current configuration before importingcheck box for each service you want a snapshot of.
- Click theRe-discoverbutton for each service this BIG-IP device is licensed for.BIG-IQ re-discovers the service.
- Click theRe-importbutton for each service this BIG-IP device is licensed for.
- For all of the Conflict Resolution Policies, we recommend you selectUse BIG-IP, to replace any conflicting shared objects in its working configuration with the objects it's importing from the BIG-IP device.
After the services reimport, this device displays in
the BIG-IP Devices inventory list with its services. You can now manage this BIG-IP
device from BIG-IQ.
Install the vCenter host root certificate on BIG-IQ after
upgrading
If you have a VMware service scaling group (SSG)
associated with a vCenter certificate that is self-signed or untrusted, after you upgrade
BIG-IQ Centralized Management, you'll need to re-add the vCenter host root certificate. For
this procedure, you must have root access to the BIG-IQ system's command line.
Providing BIG-IQ the vCenter host root
certificate ensures secure communication between BIG-IQ and the vCenter.
- From the BIG-IQ system's command line, copy the root certificate from the vCenter host cert/etc/vmware-sso/key/ssoserverRoot.crtfile to the BIG-IQ system's/config/ssl/ssl.crtfile.
- Type this command to create a symbolic link to this certificate using the certificate's hash:ln -s ssoserverRoot.crt `openssl x509 -hash -noout -in ssoserverRoot.crt`.0.
- Type this command to restartgunicorn:bigstart restart gunicorn