Manual Chapter : Completing the Upgrade of a BIG-IQ with a Data Collection Device Cluster

Applies To:

BIG-IQ Centralized Management

  • 8.2.0, 8.1.0

Post-upgrade checklist

Following a device upgrade, some tasks are necessary, depending on your BIG-IQ configuration and services. Evaluate the tasks below to determine which are required for your post-upgrade process.
  • If the post-upgrade process does not happen immediately, manually run the post-upgrade process.
    If the post-upgrade is running DO NOT conduct a manual post-upgrade.
  • (For BIG-IQ systems using a private Venafi SSL certificate only) Import the private Venafi SSL certificate.
  • (For BIG-IQ systems in a high availability configuration only) Add port TCP 5432 to a self IP.
  • (For BIG-IQ systems in a high availability configuration only) Add the standby BIG-IQ to the active BIG-IQ.
  • Re-discover and re-import BIG-IP devices and services. This process is required for collecting new data from managed BIG-IP devices.
  • Install the vCenter host root certificate on BIG-IQ.
  • Confirm post-upgrade AS3 version.
  • (Optional) In the event of system version roll back, perform the appropriate roll-back procedure.

Run the post-upgrade process manually

The post-upgrade process should occur automatically. Perform this manual procedure only if BIG-IQ returns a post-upgrade error message, and/or the status of your DCD does not show it is running post upgrade tasks.
After you upgrade the devices in your DCD cluster and the BIG-IQ primary and secondary system, the post-upgrade process should begin automatically. If the process does not begin automatically, run this post-upgrade process manually on the primary BIG-IQ system.
  1. Verify that you need to run post upgrade manually:
    1. Go to System > SOFTWARE MANAGEMENT > INSTALLATIONS.
    2. Select the link in the Last Upgrade column for one of your DCDs.
    3. Check the Status field for Running post upgrade tasks.
    If your DCDs are running the post upgrade tasks, DO NOT proceed with this process.
  2. Go to System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
    The first time you access this screen after performing an upgrade, it triggers a dialog box that prompts you to start the post upgrade processing tasks.
  3. Click Continue.
    The BIG-IQ system is returning the devices in your DCD cluster to their pre-upgrade state. This includes restoring the data snapshot. If you have a substantial amount of data, data snapshot restoration takes an extended amount of time.
  4. Once the post upgrade processing is complete, click System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices and confirm that each service you had enabled before the upgrade is still enabled. If there are any services that are not enabled, re-enable them now.
    1. To activate the services you want to monitor on each DCD, on the BIG-IQ Data Collection Devices screen, in the Services column, click Add Services.
      The Services screen for the data collection device opens.
    2. For the service you want to add, confirm that the Listener Address specifies the correct self IP address on the data collection device, and then click Activate.
      For Web Application Security, you can resolve insecure connection issues between devices and the Centralized Policy Builder. To establish a secure connection, click Enable under the Secure Policy Builder field.
      When the service is successfully added, the Service Status changes to Active.
Once your cluster is back online, rediscover your devices and re-discover their services to complete the upgrade.

Import Venafi private SSL certificate

If you've integrated the Venafi Trust Protection Platform with BIG-IQ for certificate and key management and you are using a private SSL certificate, you must import that private SSL certificate to BIG-IQ.
  1. Log in to the BIG-IQ command line and issue the following commands:
    $ mount -o remount,rw /usr
    $ /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el6_10.x86_64/jre/lib/security/cacerts -alias example.com -file /home/admin/venafi.example.com.pem
    $ mount -o remount,ro /usr
  2. When prompted for a password, contact F5 Support at https://www.f5.com/services/support.

Add TCP port 5432 to a self-IP address

If you have a high availability BIG-IQ device configuration, and you are using a self IP for discovery, you must add TCP port 5432. If you do not have an active-standby configuration, you do not need to proceed with this procedure.
Add TCP port 5432 to a self-IP to enable HA pair connectivity following the device upgrade.
  1. Log in to the command line of the system using an account with root access.
  2. Run the following command:
    tmsh
  3. Add TCP port 5432 to a self-IP.
    modify net self <name> allow-services add { tcp:5432 }
Create an HA pair for your active and standby devices.

Add the standby BIG-IQ to the active BIG-IQ (manual failover configuration only)

After you upgrade your F5 BIG-IQ Centralized Management systems in an HA configuration, you can re-associate the standby BIG-IQ with the active BIG-IQ.
Add the standby BIG-IQ to the primary BIG-IQ to re-establish the manual failover high availability configuration.
  1. Log in to the active BIG-IQ system with your administrator user name and password.
  2. At the top of the screen, click System.
  3. On the left, click BIG-IQ HA.
  4. Click the Add Standby button.
  5. In the IP Address field, type the discovery address you want to set up as the standby BIG-IQ.
    This is the same IP address the peers in a high availability configuration use to communicate.
    IPv6 short form addresses are not supported.
  6. Type the local administrative Username and Password for the system.
  7. Type the Root Password for the system.
  8. Click the Add button to add this device to this high availability configuration.
Even though you can log in to the standby BIG-IQ after you re-establish the HA configuration, the system continues some database re-indexing processes in the background. For larger configurations, that can take up to an hour. If you perform any searches on objects before it's done re-indexing, BIG-IQ might not return the expected results.
After the HA configuration is re-established, you'll be automatically logged out of the active BIG-IQ for a few minutes while the standby BIG-IQ restarts.
After the standby BIG-IQ restarts, you can log back into the primary BIG-IQ.

Add a standby BIG-IQ to the active BIG-IQ (Auto Failover Configuration only)

Before you can add a standby BIG-IQ for an HA configuration with auto fail over, you must have a BIG-IQ system licensed and running, a second BIG-IQ system licensed, as well as a Data Device Cluster (DCD). If you don't have a DCD set up, you can do that during this procedure.
When configuring auto failover, you'll also create or select an existing Data Collection Device (DCD) as a quorum device. A quorum DCD is used as the deciding vote to determine which BIG-IQ becomes active if communication is disrupted between the active and standby BIG-IQ in the HA pair, by determining which BIG-IQ it can communicate with. The quorum DCD can be part of a DCD cluster, but is not used as a standby BIG-IQ in an HA configuration.
You set up BIG-IQ in an HA configuration so that if one BIG-IQ system goes offline, another BIG-IQ system can continue managing your devices without interruption. This procedure shows how to add a standby BIG-IQ configured for auto fail over.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. Click the Add Standby button.
  4. In the IP Address field, type the discovery address you want to set up as the standby BIG-IQ.
    This is the same IP address the peers in a high availability configuration use to communicate.
    IPv6 short form addresses are not supported.
  5. Type the local administrative Username and Password for the system.
  6. Type the Root Password for the system.
  7. For the Failover setting, select Auto Failover.
    For auto failover to work, you must have the following ports open on the active and standby BIG-IQ as well as the quorum DCD.
    • TCP port 2224
    • UDP port 5404
    • UDP port 5405
  8. For auto failover, you must associate a quorum DCD.
    • If you do not have a DCD set up, click the Set Up Quorum Device button to specify the DCD you want to use.
    • If you already have a Quorum DCD for auto failover, select it from the list and type its Root Password.
  9. If you want BIG-IQ to use a floating IP address when automatically failing over to the standby BIG-IQ, select the Enable check box for Enable Floating IP and type the address.
    The floating IP address must be on the same network (this configuration uses Gratuitous ARP packets) as the active and standby BIG-IQ systems’ local management address (interface eth0) and not any of the discovery self IP addresses. This does not restrict HA traffic; HA traffic can be on any of the available interfaces. Floating IP addresses are not supported if your active and standby BIG-IQ systems are in a public cloud environment, such as AWS, Azure, or VMware.
    If you choose not to use a floating IP address and the active BIG-IQ fails over, you'll have to provide all users access to the newly active BIG-IQ by providing the IP address.
  10. Click the Add button to add this device to this high availability configuration.
The active BIG-IQ discovers the standby BIG-IQ and displays its status.
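
The port requirements from the self-IP procedure (TCP 5432) and from the auto failover step (TCP 2224, UDP 5404, UDP 5405) can be checked against a self IP's allow-services list after the upgrade. The script below is an added example, not F5 code; it assumes HA and failover traffic reaches the system through the self IP being checked, and its sample stanza and the name ha_self are constructed.

```shell
#!/bin/sh
# Added example: check a self IP's allow-services list against the ports this
# chapter requires. SAMPLE_SELF is constructed output in the shape printed by
# `tmsh list net self <name> allow-services`; "ha_self" is a made-up name.
SAMPLE_SELF='net self ha_self {
    allow-services {
        tcp:443
        tcp:5432
        udp:5404
    }
}'

# Read a stanza on stdin; print each allow-services entry on its own line.
# Handles both the braced list and the single-word forms (all, none).
allowed_services() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if (state == 1) { if ($i == "{") state = 2; else { print $i; state = 0 } }
            else if (state == 2) { if ($i == "}") state = 0; else print $i }
            else if ($i == "allow-services") state = 1
        }
    }'
}

# Print every required protocol:port (arguments) that the stanza does not allow.
missing_services() {
    allowed=$(allowed_services)
    for want in "$@"; do
        printf '%s\n' "$allowed" | grep -qxF -e "$want" -e all || printf '%s\n' "$want"
    done
}

# audit_self_ip REQUIRED...   (stanza on stdin)
# Returns 0 = every required entry present, 1 = something missing,
#         2 = "all" is set, which opens every port on the self IP.
audit_self_ip() {
    stanza=$(cat)
    if printf '%s\n' "$stanza" | allowed_services | grep -qxF all; then
        echo "WARN: allow-services all; list only the ports you need"
        return 2
    fi
    missing=$(printf '%s\n' "$stanza" | missing_services "$@")
    if [ -n "$missing" ]; then
        echo "MISSING: $(printf '%s' "$missing" | tr '\n' ' ')"
        return 1
    fi
    echo "OK: required services allowed"
}

# Port lists taken from this chapter.
HA_PORTS='tcp:5432'
AUTO_FAILOVER_PORTS='tcp:2224 udp:5404 udp:5405'

printf '%s\n' "$SAMPLE_SELF" | audit_self_ip $HA_PORTS $AUTO_FAILOVER_PORTS || true
```

On a real system, pipe the output of `tmsh list net self <name> allow-services` into `audit_self_ip` in place of the sample.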

Re-discover and re-import BIG-IP devices

After you upgrade F5 BIG-IQ Centralized Management, you must re-discover your devices and re-import services for your managed devices so you can start managing those devices with the new features introduced in this release. You can do this in bulk, or you can do it for each device and service individually.
Regardless of which option you choose, you specify how to handle any conflict between objects in the BIG-IQ system's working configuration.
  • When you re-discover and re-import in bulk, all conflicts are resolved in the same way.
  • When you re-discover devices and re-import services manually, you specify how to resolve conflicts on an individual basis.

Re-discover and re-import services in bulk

After you upgrade F5 BIG-IQ Centralized Management, you must rediscover and re-import services for your managed devices so you can start managing those devices with the new features introduced in this release. Use this procedure to re-discover and re-import services in bulk. You decide how to resolve any conflict between objects in the BIG-IQ system's working configuration and objects on the BIG-IP device, and that choice is applied in the same way for each type of object.
  1. Select the check box next to the devices for which you want to rediscover and reimport services.
  2. Click the More button and select Re-discover and Re-import.
  3. In the Name field, type a name for this task.
  4. To create a snapshot of the BIG-IQ configuration before importing services, select the Snapshot check box.
    Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
  5. If BIG-IQ detects a conflict for services between the working configuration on BIG-IQ and the current configuration on BIG-IP, select a conflict resolution policy option for each object type.
    • Use BIG-IQ
      Keep the object settings in the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites the object settings to match the settings defined on BIG-IQ.
    • Use BIG-IP
      Use the object settings from this BIG-IP device's configuration to replace the object in the BIG-IQ working configuration. The next time you deploy a configuration to your BIG-IP devices, BIG-IQ replaces that object's settings for all of your managed BIG-IP devices to match the object settings on this BIG-IP device.
    • Create Version
      For LTM monitors or profiles only, you can create and store a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. The next time you deploy a configuration, BIG-IQ replaces that object for all the managed BIG-IP devices running that specific version with the object on this BIG-IP. You can store multiple versions of LTM monitors or profiles. BIG-IQ deploys the appropriate stored version to your managed devices. BIG-IQ automatically resolves conflicts against the appropriate version the next time it imports services that contain LTM monitors or profiles.
After the services re-import, the devices display in the BIG-IP Devices inventory list with their services. You can now manage these BIG-IP devices from BIG-IQ.

Re-import and re-discover services

After you upgrade F5 BIG-IQ Centralized Management, you must re-discover and re-import services for your managed devices so you can start managing those devices with the new features introduced in the new release.
  1. Select the check box next to the BIG-IP device you want to re-discover and re-import services for.
  2. Click the More button and select Re-discover and Re-import.
  3. Type a name for this task and then select the conflict resolution options you want to use if BIG-IQ finds differences between its working configuration and the configuration on the BIG-IP device.
    The BIG-IQ conflict resolution policy options are:
    • Use BIG-IQ
      Keep the object settings specified in the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites the object settings to match the settings defined on BIG-IQ.
    • Use BIG-IP
      Use the object settings specified in the BIG-IP device's configuration to replace the object settings in the BIG-IQ working configuration. For shared objects, the next time you deploy a configuration to a managed device, BIG-IQ replaces the settings for that object on the target device.
    • Create Version
      For LTM monitors or profiles, you can create and store a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. For shared objects, the next time you deploy a configuration to a managed device, BIG-IQ replaces the settings for that object if that BIG-IP device is running that specific version. This option allows you to store multiple versions of LTM monitors or profiles knowing that BIG-IQ will deploy the appropriate stored version to your managed devices. The next time you import services that contain LTM monitors or profiles, BIG-IQ automatically resolves conflicts against the appropriate version.
  4. From the Available list, select the devices you want to re-discover and re-import services for and move them to the Selected list.
  5. Click the Create button.

Install the vCenter host root certificate on BIG-IQ after upgrading

If you have a VMware service scaling group (SSG) associated with a vCenter certificate that is self-signed or untrusted, after you upgrade BIG-IQ Centralized Management, you'll need to re-add the vCenter host root certificate. For this procedure, you must have root access to the BIG-IQ system's command line.
Providing BIG-IQ the vCenter host root certificate ensures secure communication between BIG-IQ and the vCenter.
  1. From the BIG-IQ system's command line, copy the root certificate from the vCenter host cert /etc/vmware-sso/key/ssoserverRoot.crt file to the BIG-IQ system's /config/ssl/ssl.crt file.
  2. Type this command to create a symbolic link to this certificate using the certificate's hash:
    ln -s ssoserverRoot.crt `openssl x509 -hash -noout -in ssoserverRoot.crt`.0
  3. Type this command to restart gunicorn:
    bigstart restart gunicorn
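
Both the Venafi import into the Java cacerts keystore and the vCenter root certificate copy make BIG-IQ trust whatever certificate file you supply, so it is worth vetting the file first. The script below is an added example, not part of the F5 procedure; it assumes the openssl command line is available and that you obtained the expected SHA-256 fingerprint out of band from the Venafi or vCenter administrator.

```shell
#!/bin/sh
# Added example: vet a PEM certificate before adding it to a trust store.
# Usage: vet_cert /home/admin/venafi.example.com.pem <expected-sha256> [min-days]
# The expected fingerprint is an assumption: it must reach you over a channel
# other than the one that delivered the certificate file.

# Print the certificate's SHA-256 fingerprint as lowercase hex, no colons.
cert_fingerprint() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "$out" | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# vet_cert FILE EXPECTED_SHA256 [MIN_DAYS]
# Returns 0 when the file passes every check, otherwise:
#   2 = not exactly one certificate   3 = not parseable as X.509
#   4 = fingerprint mismatch          5 = expires within MIN_DAYS (default 30)
vet_cert() {
    pem=$1
    min_days=${3:-30}
    # Accept the expected value with or without colons, in either case.
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')

    # openssl x509 reads only the first certificate in a file, so the
    # fingerprint would say nothing about any further ones: refuse bundles.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null) || count=0
    [ "${count:-0}" -eq 1 ] ||
        { echo "REJECT: expected 1 certificate, found ${count:-0}" >&2; return 2; }

    got=$(cert_fingerprint "$pem") ||
        { echo "REJECT: not a parseable X.509 certificate" >&2; return 3; }

    [ "$got" = "$want" ] ||
        { echo "REJECT: fingerprint $got does not match expected value" >&2; return 4; }

    # -checkend exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 ||
        { echo "REJECT: certificate expires within $min_days days" >&2; return 5; }

    echo "OK: $pem sha256=$got"
}
```

Run the keytool import or the copy and symbolic link steps only after `vet_cert` returns 0 for the file.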

Confirm post-upgrade AS3 version

If the version of AS3 software that was running on the BIG-IQ before you upgraded was newer than the AS3 software version post upgrade, then you need to perform additional steps to restore full AS3 functionality to the upgraded BIG-IQ.
These additional steps are detailed in F5 knowledge base article K54909607. Refer to this article if you are upgrading a BIG-IQ on which a newer version of AS3 software was installed prior to the upgrade.

Post upgrade version roll back

BIG-IQ supports version rollback following the upgrade, when necessary. The rollback procedure varies based on the success of the upgrade to the newest version. For more details regarding rollback procedures, refer to the AskF5 article Rolling back a BIG-IQ upgrade (K73599085), found on support.f5.com.