F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP Systems: Upgrading Software
  5. Upgrading Version 10.x BIG-IP Active-Standby Systems
Manual Chapter : Upgrading Version 10.x BIG-IP Active-Standby Systems

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP Link Controller

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP PEM

  • 17.1.1

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Overview: Upgrading BIG-IP active-standby systems

A BIG-IP® system active-standby pair for version 10.x includes one BIG-IP system operating in active mode (Device A) and one BIG-IP system operating in standby mode (Device B).
Important: In order to upgrade version 10.0.0 or 10.0.1 to the new version software, you must first upgrade to version 10.1.0 or 10.2.x, and then upgrade version 10.1.0 or 10.2.x to the new version software. Additionally, you can only upgrade version 10.1.0 or 10.2.x to version 12.x if you have not provisioned Global Traffic Manager™ (GTM™).
version 10.x active-standby pair

A version 10.x active-standby pair

After preparing the devices for an upgrade to the new version software, you force Device B to offline mode, and then install the new version software onto Device B (the offline device). When you finish the installation of the new version software onto Device B, it creates a traffic group called traffic-group-1. The new version software traffic group is in standby state on Device B, and Device A (the version 10.x device) is in active mode. Note that the Unit ID that was used in version 10.x becomes obsolete in the new version software.

Important: Once Device B reboots, if the BIG-IP system is configured to use a network hardware security module (HSM), you must reinstall network HSM client software on Device B before upgrading Device A, to ensure that traffic groups using the network HSM function properly.
10.x device in standby mode and the new version software traffic group in active state

A version 10.x device in active mode and a new software version traffic group in standby state

With the new version software installed on Device B and traffic-group-1 in standby state, you can force Device A to offline mode, changing Device B to active state so that it can pass traffic, and then install the new software version onto Device A. When installation of the new version software onto Device A completes, you can reboot Device A to the location of the new version software image.
Important: Once Device A reboots, if the BIG-IP system is configured to use a network HSM, you must reinstall network HSM client software on Device A to ensure that traffic groups using the network HSM function properly.

When you complete upgrading both devices to the new version software, the BIG-IP configuration includes a traffic group in active state on Device B, a traffic group in standby state on Device A, and a device group that includes both devices.

The new version software traffic group in active and standby states

A new version software traffic group in active and standby states

An upgrade of BIG-IP active-standby systems to the new version software involves the following tasks.

Task Description
Preparing Device A (the active mode BIG-IP 1 system) and Device B (the standby mode BIG-IP 2 system) In preparing to upgrade the active-standby BIG-IP systems to the new version software, you need to understand any specific configuration or functional changes from the previous version, and prepare the systems. You also download the new version of software from the AskF5 web site (http://support.f5.com/kb/en-us.html) and import the files onto each device.
Forcing Device B to offline mode When you complete preparation of Device B, you can force Device B to offline mode.
Upgrading Device B (the offline mode BIG-IP 2 system) Once Device B is in offline mode, you can upgrade the software on that device, and then reboot Device B to the location of the new version software image. Device B completes rebooting with traffic-group-1 in standby state.
Important: Once Device B reboots, if the BIG-IP system is configured to use a network hardware security module (HSM), you must reinstall network HSM client software on Device B before upgrading Device A, to ensure that traffic groups using the network HSM function properly.
Forcing Device A to offline mode When Device B completes rebooting to the location of the new version software image, you can force Device A to offline mode, changing traffic-group-1 on Device B to active state.
Upgrading Device A (the offline mode BIG-IP 1 system) Once Device A is in offline mode, you can upgrade the software on Device A, and then reboot Device A to the location of the new version software image. When Device A completes rebooting, traffic-group-1 is in standby state on Device A and in active state on Device B.
Important: Once Device A reboots, if the BIG-IP system is configured to use a network HSM, you must reinstall network HSM client software on Device A to ensure that traffic groups using the network HSM function properly.
Verifying the upgrade Finally, you should verify that your active and standby BIG-IP systems are functioning properly.
Configuring module-specific settings According to your understanding of the configuration and functional changes from the previous version, you can reconfigure any customized module settings.

DSC components

Device service clustering (DSC®) is based on a few key components.

Devices
A device is a physical or virtual BIG-IP® system, as well as a member of a local trust domain and a device group. Each device member has a set of unique identification properties that the BIG-IP system generates. For device groups configured for failover, it is important that the device with the smallest capacity has the capacity to process all traffic groups. This ensures application availability in the event that all but one device in the device group become unavailable for any reason.
Device groups
A device group is a collection of BIG-IP devices that trust each other and can synchronize, and sometimes fail over, their BIG-IP configuration data. A Sync-Failover device group contains devices that synchronize configuration data and support traffic groups for failover purposes when a device becomes unavailable. The BIG-IP system supports either homogeneous or heterogeneous hardware platforms within a device group.
Important: BIG-IP module provisioning must be equivalent on all devices within a device group. For example, module provisioning is equivalent when all device group members are provisioned to run BIG-IP® Local Traffic Manager™ (LTM®) and BIG-IP® Application Security Manager™ (ASM™) only. Maintaining equivalent module provisioning on all devices ensures that any device in the device group can process module-specific application traffic in the event of failover from another device.
Traffic groups
A traffic group is a collection of related configuration objects (such as a virtual IP address and a self IP address) that run on a BIG-IP device and process a particular type of application traffic. When a BIG-IP device becomes unavailable, a traffic group can float to another device in a device group to ensure that application traffic continues to be processed with little to no interruption in service.
Device trust and trust domains
Underlying the success of device groups and traffic groups is a feature known as device trust. Device trust establishes trust relationships between BIG-IP devices on the network, through mutual certificate-based authentication. A trust domain is a collection of BIG-IP devices that trust one another and is a prerequisite for creating a device group for config sync and failover operations. The trust domain is represented by a special system-generated and system-managed device group named device_trust_group, which is used to synchronize trust domain information across all devices.
Folders
Folders are containers for the configuration objects on a BIG-IP device. For every administrative partition on the BIG-IP system, there is a high-level folder. At the highest level of the folder hierarchy is a folder named root. The BIG-IP system uses folders to affect the level of granularity to which it synchronizes configuration data to other devices in the device group.

About traffic groups

Traffic groups are the core component of failover. A traffic group is a collection of related configuration objects, such as a floating self IP address, a floating virtual IP address, and a SNAT translation address, that run on a BIG-IP® device. Together, these objects process a particular type of application traffic on that device.

When a BIG-IP® device goes offline, a traffic group floats (that is, fails over) to another device in the device group to make sure that application traffic continues to be processed with minimal interruption in service.

A traffic group is first active on the device you created it on. If you want an active traffic group to be active on a different device than the one you created it on, you can force the traffic group to switch to a standby state. This causes the traffic group to fail over to (and become active on) another device in the device group. The device it fails over to depends on how you configured the traffic group when you created it.

Note: A Sync-Failover device group can support a maximum of 127 floating traffic groups.

Task summary

The upgrade process involves preparation of the two BIG-IP® devices (Device A and Device B) configured in an active-standby implementation, followed by the installation and verification of the new version software on each device. When you upgrade each device, you perform several tasks. Completing these tasks results in a successful upgrade to the new version software on both BIG-IP devices, with a traffic group configured properly for an active-standby implementation.
Important: In order to upgrade version 10.0.0 or 10.0.1 to the new version software, you must first upgrade to version 10.1.0 or 10.2.x, and then upgrade version 10.1.0 or 10.2.x to the new version software. Additionally, you can only upgrade version 10.1.0 or 10.2.x to version 12.x if you have not provisioned Global Traffic Manager™ (GTM™).

Preparing BIG-IP modules for an upgrade from version 10.x to the new version software

Before you upgrade the BIG-IP® system from version 10.x to the new version software, you might need to manually prepare settings or configurations for specific modules.

Access Policy Manager system preparation

The Access Policy Manager® system does not require specific preparation when upgrading from version 10.x to the new version software. However, additional configuration might be required after completing the upgrade to the new software version.

Supported high availability configuration for Access Policy Manager

Access Policy Manager is supported in an Active-Standby configuration with two BIG-IP® systems only.

Important: Access Policy Manager is not supported in an Active-Active configuration.
Post-upgrade activities

When you complete upgrading to the new version software, you should consider the following feature or functionality changes that occur for the Access Policy Manager systems. Depending on your configuration, you might need to perform these changes after you upgrade your systems.

Feature or Functionality Description
Sessions All users currently logged in while the upgrade occurs will need to log in again.
Authentication agents and SSO methods If you have deployments using ActiveSync or Outlook Anywhere, where the domain name is part of the user name, you should enable the Split domain from username option in the login page agent if the authentication method used in the access policy requires only the user name for authentication. In the BIG-IP® APM® new version software, authentication agents and SSO methods no longer separates the domain name from the user name internally.
iRule for processing URI If you have deployments where an iRule is used to perform processing on internal access control URI, for example, /my.policy, /myvpn or other URIs suc as APM system's login page request, you need to enable the iRule events for internal access control URIs because by default, BIG-IP APM new version software does not raise iRule events for internal access control URIs. However, this can be achieved by adding the following code to the iRule: 
when CLIENT_ACCEPTED {
                ACCESS::restrict_irule_events disable
                }
OAM support Manually remove all the OAM server-related configurations and reconfigure OAM on BIG-IP APM new version software. OAM configuration is modified to support various OAM 11G related use cases.
Citrix support functionality The Citrix iRule is no longer visible to the administrator because it is integrated natively in BIG-IP APM new version software. If you have not modified the iRule, then you must enable the Citrix Support setting on the virtual server to use Citrix. If you modified the F5-provided Citrix support iRule and want to use the modified iRule, you need to contact F5 support and work with them to replace natively integrated iRules® with your own version of Citrix-supported iRules®.
Reporting functionality If you used the adminreports.pl script for your logging or reporting purposes, this script is no longer available in BIG-IP APM new version software. You need to migrate to the new and enhanced reporting and logging functionality available as a built-in functionality on the new software version.

Application Security Manager system preparation

The BIG-IP® Application Security Manager™ (ASM™) system does not require specific preparation when upgrading from version 10.x to the new version software. No additional configuration is required after completing the upgrade to the new software version.

What to expect after upgrading a redundant system

If you update two redundant systems that are running as an active-standby pair with BIG-IP Application Security Manager (ASM) and BIG-IP® Local Traffic Manager™ (LTM®) provisioned, the system maintains the active-standby status and automatically creates a Sync-Failover device group and a traffic group containing both systems. The device group is enabled for BIG-IP ASM (because both systems have ASM provisioned).

You can manually push or pull the updates (including BIG-IP LTM and ASM configurations and policies) from one system to the other ( Device Management > Overview , click the name of a device, and choose Sync Device to Group or Sync Group to Device).

Global Traffic Manager system preparation and configuration

BIG-IP® Global Traffic Manager™ systems require specific preparation tasks and changes to upgrade from version 10.x to the new version software.

Preparation Activities

Before you upgrade Global Traffic Manager systems that are in a synchronization group, from any software version to the new version software, you must install the software on an inactive volume on each device using Live Install. After you upgrade each device, you then switch all devices to the new volume at the same time. This is required because devices in a synchronization group that includes the new version software device, cannot effectively probe each other.

Post-upgrade changes
Important: In BIG-IP version 12.0, BIG-IP Global Traffic Manager is renamed to BIG-IP DNS. After you upgrade, you will see the new name in the product and documentation.

The following feature or functionality changes occur after you complete the upgrade process to the new version software:

Feature or Functionality Description
Assigning a BIG-IP system to probe a server to gather health and performance data Assigning a single BIG-IP system to probe a server to gather health and performance data, in version 10.x, is replaced by a Prober pool in the new software version.

Link Controller system preparation

The BIG-IP® Link Controller™ (LC™) system does not require specific preparation when upgrading from version 10.x to the new version software. No additional configuration is required after completing the upgrade to the new version software.

Local Traffic Manager system preparation

The BIG-IP® Local Traffic Manager™ (LTM®) system does not require specific preparation when upgrading from version 10.x to the new version software. No additional configuration is required after completing the upgrade to the new version software.

MAC masquerade addresses for VLANs
Note: If you configured MAC Masquerade addresses for VLANs on the version 10.x devices, one of the addresses will be included automatically in the MAC Masquerade Address field for traffic-group-1 during the upgrade.
HTTP Class profiles
F5 Networks® replaced the HTTP Class profile in BIG-IP® version 11.4.0, and later, with the introduction of the Local Traffic Policies feature. During an upgrade to BIG-IP version 11.4.0, if your configuration contains an HTTP Class profile, the BIG-IP system attempts to migrate the HTTP Class profile to an equivalent local traffic policy. For additional support information regarding the change of HTTP Class profiles to Local Traffic Policies, refer to SOL14409 on www.askf5.com.

WebAccelerator module preparation and configuration

BIG-IP® WebAccelerator modules require specific preparation tasks and changes to upgrade from version 10.x to the new version software.

Preparation activities

Before you upgrade the BIG-IP® WebAccelerator™ modules from version 10.x to an Application Acceleration Manager new software version, you need to prepare the systems, based on your configuration. The following table summarizes the applicable tasks that you need to complete.

Feature or Functionality Preparation Task
Symmetric deployment You must reconfigure symmetric WebAccelerator modules as asymmetric systems before you upgrade them from version 10.x to the new version software.
Unpublished policies You must publish any policies that you want to migrate to the new software version. Only published policies are migrated into the new version software.
Signed policies Signed policies are not supported in the new version software. If you use signed policies, you must replace them with predefined or user-defined policies before upgrading.
Configuration files Upgrading from version 10.x to the new version software does not include custom changes to configuration files. After upgrading to the new version software, you need to manually restore any customizations made to your configuration files by using the Configuration utility or Traffic Management Shell (tmsh). The following list includes examples of configuration files that might have been customized:
  • /config/wa/globalfragment.xml.10.x.0; in the new software version, all objtype entries are provided in tmsh.
  • /config/wa/pvsystem.conf.10.x.0
  • /config/wa/pvsystem.dtd.10.x.0
  • /config/wa/transforms/common.zip.10.x.0; the new software version does not include transforms.
Debug Options X-PV-Info response headers in version 10.x are changed to X-WA-Info response headers in the new software version. The default setting for X-WA-Info Headers is None (disabled). To use X-WA-Info response headers, you will need to change this setting, and update any associated iRules® or scripts, accordingly.
Post-upgrade activities

When you complete upgrading to the new version software, you should consider the following feature or functionality changes that occur for the Application Acceleration Manager modules. Depending upon your configuration, you might need to perform these changes after you upgrade the systems.

Feature or Functionality Description
Web acceleration Web acceleration functionality requires configuration of the Web Acceleration profile.
Important: You must enable an Application Acceleration Manager module application in the Web Acceleration profile to enable the Application Acceleration Manager module.
Compression Compression functionality requires configuration of the HTTP Compression profile in the new version software.
Request logging Request logging does not migrate to the new version software. You must recreate the configuration after upgrading by using the Request Logging profile.
Policy logging Policy logging does not migrate to the new version software. You must recreate the configuration after upgrading by using the Request Logging profile.
URL normalization URL normalization is not supported in the new version software.
ESI functionality Edge Side Include (ESI) functionality in the Application Acceleration Manager module is not supported in the new version software, with the exception of ESI invalidations.
iControl® backward compatibility Backward compatibility for iControl Compression and RAM Cache API settings in the HTTP profile is not supported in the new version software. These settings appear in the HTTP Compression and Web Acceleration profiles in the new software version.

WAN Optimization Manager preparation

BIG-IP® WAN Optimization Manager™ (WOM®) systems do not require specific preparation when upgrading from version 10.x to the new version software. However, in a redundant system configuration, you must upgrade the standby system first (to avoid interrupting traffic on the active system), and then upgrade the other system. No additional configuration is required after completing the upgrade to the new version software.

Preparing RAID drives for an upgrade

If your configuration includes redundant array of independent disks (RAID) drives, you need to verify that the RAID drives are ready for upgrading. If a RAID drive shows errors before upgrading, you will want to contact F5 customer support to resolve the errors before initiating the upgrade.
  1. Open the Traffic Management Shell (tmsh).
    tmsh
    This starts tmsh in interactive shell mode and displays the tmsh prompt: (tmos)#.
  2. Verify the health of RAID disks, ensuring that the drives are not failed or undefined.
    (tmos)# show sys raid 
    Sys::Raid::Array: MD1
--------------------
Size (MB) 305245

Sys::Raid::ArrayMembers
Bay ID Serial Number Name Array Member Array Status
---------------------------------------------------------
1 WD-WCAT18586780 HD2 yes failed
2 WD-WCAT1E733419 HD1 yes ok

    In this example, the array is labeled MD1 and disk HD2 indicates an error.

  3. Verify Current_Pending_Sector data displays a RAW_VALUE entry of less than 1 on RAID systems.
    Option Description
    For version 11.4.0, and later Run the platform check utility: (tmos)# run util platform_check
    For version 11.3.x, and earlier At the command line, run the smartctl utility: smartctl -t long -d ata /dev/<sda|sdb|hda|hdc> 
    197 Current_Pending_Sector  0x0032  200  200  000  Old_age  Always  -  0
    In this example, the RAW_VALUE entry is 0.
  4. Verify that no known issues appear in the following log files.
    • Check /var/log/user.log for LBA messages indicating failure to recover, for example, recovery of LBA:226300793 not complete.
    • Check /var/log/kern.log for ATA error entries.
The health of all RAID drives is assessed, enabling you to resolve any issues before proceeding with the BIG-IP® software upgrade.

Preparing BIG-IP active-standby systems for an upgrade

The following prerequisites apply when you upgrade BIG-IP® active and standby devices from version 10.x to the new version software.
  • The BIG-IP systems (Device A and Device B) are configured as an active-standby pair.
  • Each BIG-IP device is running the same version of 10.x software.
  • The BIG-IP active-standby devices are the same model of hardware.
When you upgrade a BIG-IP active-standby pair from version 10.x to the new version software, you begin by preparing the devices.
Note: If you prefer to closely observe the upgrade of each device, you can optionally connect to the serial console port of the device that you are upgrading.
  1. For each device, complete the following steps to prepare the configuration and settings.
    1. Examine the Release Notes for specific configuration requirements, and reconfigure the systems, as necessary.
      For example, you must reconfigure version 10.x symmetric BIG-IP® WebAccelerator™ modules as asymmetric systems before upgrading to the new version software.
    2. Examine the Release Notes for specific changes to settings that occur when upgrading from version 10.x to the new version software, and complete any in-process settings.
      For example, you must publish any unpublished WebAccelerator module policies in order for them to migrate to the new software version.
  2. From the device that is running the latest configuration, synchronize the configuration to the peer unit.
    1. On the Main menu, click System > High Availability > ConfigSync .
      A message appears for the Status Message.
    2. Click Synchronize TO Peer.
  3. For each device, click System > High Availability > Redundancy , and, from the Redundancy State Preference list, select None.
  4. For each device, create a backup file.
    1. Access the tmsh command line utility.
    2. At the prompt, type save /sys ucs /shared/filename.ucs.
    3. Copy the backup file to a safe location on your network.
    Note: For additional support information about backing up and restoring BIG-IP system configuration files, refer to SOL11318 on www.askf5.com.
  5. Download the BIG-IP new version software .iso file, and, if available, the latest hotfix .iso file from the AskF5™ downloads web site (https://downloads.f5.com) to a preferred location.
  6. Import either the latest BIG-IP hotfix image file, if available, or the new version software upgrade image file to each device.
    Option Description
    Import the latest BIG-IP system hotfix image and SIG file
    1. On the Main menu, click System > Software Management > Hotfix List > Import .
    2. Click Browse, locate and click the SIG file (Hotfix-BIGIP-hf-xx.x.x.x.x.xxxx.HFx.iso.384.sig), click Open, and click Import.
    3. Click Browse, locate and click the image file, click Open, and click Import.
    4. When the hotfix image file completes uploading to the BIG-IP device, click OK. A link to the image file appears in the Software Image list.
    Import the new version software image and SIG file
    1. On the Main menu, click System > Software Management > Image List > Import .
    2. Click Browse, locate and click the SIG file (BIGIP-13.x.x.x.x.xxxx.iso.384.sig), click Open, and click Import.
    3. Click Browse, locate and click the upgrade image file, click Open, and click Import.
      Note: BIG-IP version 13.x, and later, provides upgrade and recovery image files. An upgrade image file (for example, BIGIP-13.x.x.x.x.xxx.iso) omits End User Diagnostics (EUD) software, which includes tests that report on hardware components. A recovery image file (for example, BIGIP-RECOVERY-13.x.x.x.x.xxx.iso) includes EUD software.
    4. When the software image file completes uploading to the BIG-IP device, click OK. A link to the image file appears in the Software Image list.
  7. Optional: Verify the integrity of the imported software image file.
    Option Description
    Use SIG verification (recommended)
    1. At the command line, determine the filename of the applicable public key file.

      Example: # ls /usr/lib/install/archive.pubkey*pem. The list of archive.pubkey files appears.

    2. Using the openssl utility, verify the integrity of the imported software image file.
      Example: # openssl dgst -sha384 -verify usr/lib/install/archive.pubkey.xxxxxxxxx.pem -signature shared/images/BIGIP-13.x.x.x.x.xxxx.iso.384.sig shared/images/BIGIP-13.x.x.x.x.xxxx.iso
      Note: You must use openssl version 1.0.0, or later. Type openssl version at the command line to determine the version.

      The openssl utility verifies the integrity of the software image file and displays the results.

      # openssl dgst -sha384 -verify usr/lib/install/archive.pubkey.xxxxxxxxx.pem -signature shared/images/BIGIP-13.x.x.x.x.xxxx.iso.384.sig shared/images/BIGIP-13.x.x.x.x.xxxx.iso

      Verified OK

    Use an MD5 checksum
    • Using a tool or utility that computes an md5 checksum, you can verify the integrity of the BIG-IP system latest hotfix .iso file or new version .iso file.
The BIG-IP devices are prepared to install the latest hotfix or new version software onto Device B (the standby BIG-IP 2 device).

Upgrading the standby BIG-IP 2 system

The following prerequisites apply for this task.
  • Device A (the active BIG-IP® 1 system) and Device B (the standby BIG-IP 2 system) must be prepared to upgrade Device B with the new software version software.
  • Either the latest hotfix image file, if available, or the new version software image file is downloaded and accessible.
After you prepare Device A (the active BIG-IP 1 system) and Device B (the standby BIG-IP 2 system) for upgrading the software, you force Device B offline, reactivate the software license, and install the new version software onto Device B.
  1. Force Device B to offline mode.
    1. On the Main menu, click System > High Availability > Redundancy .
    2. Click Force Offline.
      The BIG-IP device (Device B) changes to offline mode.
  2. Reactivate the software license.
    1. On the Main menu, click System > License .
    2. Click Re-activate.
    3. For the Activation Method setting, select the Automatic (requires outbound connectivity) option.
    4. Click Next.
      The BIG-IP software license renews automatically.
    5. Click Continue.
  3. Install either the latest hotfix image, if available, or the new software version.
    Option Description
    Install the latest hotfix image
    1. On the Main menu, click System > Software Management > Hotfix List .
    2. In the Available Images area, select the check box for the hotfix image, and click Install. The Install Software Hotfix popup screen opens.
    3. From the Volume set name list, select the location of the new version software volume to install the hotfix image, and click Install.
      Important: In the Install Status list for the specified location, a progress bar indicates the status of the installation. Ensure that installation successfully completes, as indicated by the progress bar, before proceeding.
    Install the new version software
    1. On the Main menu, click System > Software Management > Image List .
    2. In the Available Images area, select the check box for the new software version image, and click Install. The Install Software Image popup screen opens.
    3. From the Volume set name list, select a location to install the image, and click Install.
      Important: In the Install Status list for the specified location, a progress bar indicates the status of the installation. Ensure that installation successfully completes, as indicated by the progress bar, before proceeding.
  4. Reboot the device to the location of the installed new version software software image.
    Important: Once Device B reboots, if the BIG-IP system is configured to use a network hardware security module (HSM), you must reinstall network HSM client software on Device B before upgrading Device A, to ensure that traffic groups using the network HSM function properly.
    1. On the Main menu, click System > Software Management > Boot Locations .
    2. In the Boot Location list, click the boot location of the installed new version software software image.
    3. Click Activate.
      The BIG-IP device reboots to the new version software boot location with traffic-group-1 in standby state.
      Note: If the device appears to be taking a long time to reboot, do not cycle the power off and on. Instead, verify the status of the device by connecting to its serial console port. The device might be performing firmware upgrades.
The new version software is installed on Device B, with traffic-group-1 in standby state.

Upgrading the active BIG-IP 1 system

The following prerequisites apply in upgrading Device A (the BIG-IP® 1 system).
  • Device A (the version 10.x BIG-IP 1 system) must be prepared to upgrade to the new version software.
  • Device A is in active mode.
  • Device B (the the new version software BIG-IP device with traffic-group-1) is in standby state.
  • The new version software image file is downloaded and available.
  • If available, the latest hotfix image file is downloaded and available.
After you prepare Device A (the standby BIG-IP 1 system) for upgrading the software, you can perform these steps to upgrade to the new version software.
  1. Force Device A to offline mode.
    1. On the Main menu, click System > High Availability > Redundancy .
    2. Click Force Offline.
      The BIG-IP device (Device A) changes to offline mode and the peer BIG-IP device (Device B) changes to active state.
      Important: Once the peer BIG-IP device (Device B) changes to active state, ensure that it passes traffic normally.
  2. Reactivate the software license.
    1. On the Main menu, click System > License .
    2. Click Re-activate.
    3. For the Activation Method setting, select the Automatic (requires outbound connectivity) option.
    4. Click Next.
      The BIG-IP software license renews automatically.
    5. Click Continue.
  3. Install either the latest hotfix image, if available, or the new version software.
    Option Description
    Install the latest hotfix image
    1. On the Main menu, click System > Software Management > Hotfix List .
    2. In the Available Images area, select the check box for the hotfix image, and click Install. The Install Software Hotfix popup screen opens.
    3. From the Volume set name list, select the location of the new version software volume to install the hotfix image, and click Install.
      Important: In the Install Status list for the specified location, a progress bar indicates the status of the installation. Ensure that installation successfully completes, as indicated by the progress bar, before proceeding.
    Install the new version software
    1. On the Main menu, click System > Software Management > Image List .
    2. In the Available Images area, select the check box for the new version software image, and click Install. The Install Software Image popup screen opens.
    3. From the Volume set name list, select a location to install the image, and click Install.
      Important: In the Install Status list for the specified location, a progress bar indicates the status of the installation. Ensure that installation successfully completes, as indicated by the progress bar, before proceeding.
  4. Reboot the BIG-IP device (Device A) to the location of the installed new version software image.
    1. On the Main menu, click System > Software Management > Boot Locations .
    2. In the Boot Location list, click the boot location of the installed the new version software image.
    3. Click Activate.
      The BIG-IP device (Device A) reboots to the new version software boot location with traffic-group-1 in standby state.
      Note: If the device appears to be taking a long time to reboot, do not cycle the power off and on. Instead, verify the status of the device by connecting to its serial console port. The device might be performing firmware upgrades.
  5. On the Main tab, click Device Management > Overview .
  6. In the Devices area of the screen, choose the device that shows a sync status of Changes Pending.
  7. In the Sync Options area of the screen, select Push the selected device configuration to the group.
  8. Click Sync.
The new version software is installed on Device A (the BIG-IP system with traffic-group-1 in standby state).

Verifying a BIG-IP active-standby upgrade

When you have completed upgrading the BIG-IP active-standby pair from version 10.x to the new version software, you should verify that the upgraded configuration is working properly. Perform the following steps to verify the new version software upgrade.
  1. Verify the Platform configuration for each device.
    1. On the Main menu, click System > Platform .
    2. For the Root Folder Device Group setting, verify that the device group is identical on the pair of devices.
    3. From the Root Folder Group list, verify that the correct traffic group (traffic-group-1) is selected.
  2. Verify the configuration for each device.
    1. On the Main menu, click Device Management > Devices .
    2. Verify the following information for the device and the peer device.
      • active-standby status
      • device name
      • management IP address
      • hostname
      • TMOS version
    3. On the Main menu, click Device Management > Device Trust > Peer List .
    4. Verify that the peer device is specified as a Peer Authority Device.
      Note: Ensure that all information for the peer device appears correctly and complete.
  3. Verify the traffic groups for each device.
    1. On the Main menu, click Device Management > Traffic Groups .
    2. Click traffic-group-1.
    3. If you configured MAC Masquerade addresses for VLANs on the version 10.x devices, verify that the traffic-group-1 includes an address in the MAC Masquerade Address field.
    4. Verify that the floating traffic group is correct.
    5. Verify that the failover objects are correct.
  4. Verify the Current ConfigSync State for each device.
    1. On the Main menu, click Device Management > Overview .
    2. In the Devices area of the screen, in the Sync Status column, verify that each device shows a sync status of green.

Implementation result

Your upgrade of the BIG-IP® active-standby pair from version 10.x to the new version software is now complete. The new version software configuration includes a device group with two devices (Device A and Device B) and a traffic group (traffic-group-1), with the traffic group on one device (Device B) in active state and the traffic group on the other device (Device A) in standby state.

The new version software device group and traffic group

A new version software device group and traffic group

Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information