Segui

HA migration procedure from 3.0 to 5.0

Version 3.0

Applies to platform: All UTM 3.0, except for ARM 

1. Before the migration is started.

Prerequisites and System / Hardware requirements.

The system / hardware requirements for the HA cluster upgrade do not differ from a normal single system upgrade, please refer to this article for further information on which hardware appliances can be upgraded, and the minimum hardware requirements for the software / virtual installations.Make sure to have a laptop with an Ethernet cable and a serial cable ready to connect to any appliance as required during the procedure.

Warning

If your HA cluster has a Switchboard module , or you have a Hotspot Master / satellite configuration, do not proceed any further, instead open a Support ticket and specify your scenario.

The success of this procedure highly depends on not skipping any steps mentioned in the procedure, strictly following every step is highly advisable.

 

Short summary of the procedure and planned downtime.

This document will guide you through the steps to successfully upgrade an HA cluster of Endian UTM appliances from the 3.0.(5) to the latest 5.1 version.

 Preparation for the Upgrade.

  1. The systems will be reinstalled with 5.1 images (ISO or otherwise for virtual appliances), and each of them will be disconnected from the network (WAN/LAN) during the reinstall procedure to not cause disturbances.
  2. The logistic position of the cluster will be swapped (the old master will become the new slave and the old slave will become the new master) , as well the cables will be swapped in order to minimize the downtime.
  3. The downtime is planned to be minimal (1~2 min), or the time required to swap the cables from one appliance (in use) to the other (the newly installed).

 

2. Preparing to migrate the 3.0 appliances.

  1. For Virtual Appliances make a snapshot of both nodes (master & slave).
  2. Update both systems (first the slave, then the master) installing the latest updates of the 3.0 channel by issuing via SSH (copy/paste the following)
    root@endian~#: efw-update update && efw-update upgrade && en-client -svu
    Verify on https://network.endian.com that on both Master and Slave reinstall_as_5.0.png has appeared and you don't see any updates available.
  3. On Master : Make sure "Use custom MAC address" is enabled in Networks > Interfaces > Main Uplink > Advanced Settings on Master and the current mac address of the main uplink interface's is saved.
    The same "MAC address cloning" must be applied on the rest of the uplinks as well.
    Each Use custom MAC address settings of each uplink should have the MAC address of it's own Uplink interface. The Main uplink should have the MAC address of the Main uplink interface , uplink1 it's uplink MAC address physical interface and so on.
    Below an example :
    1.png
    The eth3 interface is our main uplink's interface and I have specified it's MAC address under the Advanced Settings.
    You can find the MAC address of the desired interface under Status > Network Status as below:
    2.png
  4. Make two backups on the Master (the slave backup is not required), the first one a full backup including settings, database dumps, logs and log archives which usually is big and it's to be saved locally and kept accordingly to the legal requirements of your country (not to be used to restore the settings on the appliance).
    The second backup is to be made by selecting only the settings and the database dumps. (We will use this later to restore on the new Master.)
    Make sure to save both backups on your laptop, or working device.
  5. On Endian Network click the reinstall_as_5.0.png of the Slave unit, this will only change the channel from 3.0 to 5.0 , will not start any actual migration.
    1. For Virtual and Software Appliances : Download the 5.1 image after you clicked reinstall_as_5.0.png by going to https://download.endian.com/your-slave-activation-code
    2. For Hardware appliances instead you can download the images from https://network.endian.com/downloads_eos_50.php
  6. For Software / Hardware appliance, create the 5.1 installation medium following this article
  7. For virtual appliances instead you can use the image included in the .zip file.

 

3. Slave migration to 5.1 (the new master)

  1. Unplug all network cables from the 3.0.5 Slave unit , connect your device's (laptop/PC) Ethernet interface to the unit's Green interface,.
  2. Follow this screencast (only for software version ) in order to install the system with the 5.1 version,otherwise,follow this one (point 2. Installation) for Hardware appliances .In case the appliance is not booting from the USB, make sure that the boot record is set to start from USB following this howto.
  3. Once the installation is done and the system is asking for the first configuration, import the master's backup (the one with only settings and database) and when you are asked to include Endian Network configuration, choose not to do so, in order to not create any conflict with the active master.
    NOTE :
    from this point on we will be calling this system (ex-slave) as the new master.
  4. Delete the Master / Slave association on the new master Services -> High Availability by clicking the trash icon.mceclip1.png
  5. Network downtime starting: Disconnect all the network cables from the 3.0.5 old-Master appliance and connect them into the new-master 5.1 appliance. being careful to connect them into the right ports.
  6. Network downtime finished: If all the network cables were connected into the right ports, network connectivity should be restored and everything should work correctly now.
  7. Register the new-master to Endian Network by using the correct activation code (it's the old-slave's activation code, do not use the activation code of the old-master on the new master.).

 

4. Master migration to 5.1 (the new slave)

  1. The old 3.0 Master should already be disconnected from the HA cluster at this point and the new master should be already up and running. Click reinstall_as_5.0.png on Endian Network to switch the channel.
  2. Follow this screencast (only for software version ) in order to install the system with the 5.1 version,otherwise,follow this one (point 2. Installation) for Hardware appliances .In case the appliance is not booting from the USB, make sure that the boot record is set to start from USB following this howto.
  3. Into initial configuration wizard, select No uplink mode and configure the appliance in order to have 2 GREEN interfaces and a free static IP belonging to the GREEN network, where one will be the port on which you are already connected with the notebook, while the other will be the one you will connect to existing LAN network.

    Warning

    The network interface that will be connected to the existing LAN network must be the same configured on Master. if on master the NIC used on green is eth0,configure the same interface on new-slave and plug it on the switch.
  4. When you are asked to register the appliance skip the step and as well do not import any backups.
  5. Plug the cable to the interface connected to the switch and from SSH/console of this appliance, try to ping the GREEN IP of the other appliance without any packet loss.
  6. Configure the old-master as Slave from Service > High availability (See Configure the HA Slave Unit) and apply.
  7. Connect at this point the uplink(s) cable(s) as well and at this moment you should have internet access on the new-Slave and it should be in Slave status.
  8. Register the firewall on Endian Network.

 

5. Last steps and failover test.

  1. Update the new-slave as follows:
    root@endian~#: efw-update update && efw-update upgrade && en-client -svu
    and when the entire process is finished reboot the slave.
  2. Do the same update operation for the Master but at the end instead of rebooting it poweroff the appliance.
  3. Verify that the Slave has taken over correctly and all services are working as they should.
  4. Turn the Master back on and verify that the Master has taken over and the Slave is back in dormant state. Below is how the slave should look like when it's in a stand-by state.
    root@slave:~ # ds ha.settings
    Settings HA.SETTINGS

    Name                                                      Type      Size     Value
    BRIDGE_PRIORITY                               Value        -        2
    HA_CURRENT_STATE                          Value       -        slave
    HA_ENABLED                                        Value        -        on
    HA_LOG_ROTATE                                 Value        -
    HA_MANAGEMENT_PORT                   Value        -        br0
    HA_NODE                                              Value        -        2
    HA_PRIORITY                                        Value        -        2
    HA_SLAVE_MANAGEMENT_PORT      Value        -        br0
    HA_STATE                                             Value        -        slave
    KEEPALIVED_LOG_ROTATE                Value        -
    STP                                                         Value        -        off

    Total of 11 items.

    root@slave:~ # ip route
    default via 192.168.177.1 dev br0
    192.168.177.0/24 dev br0  proto kernel  scope link  src 192.168.177.2
Questo articolo ti è stato utile?
Utenti che ritengono sia utile: 0 su 0
Altre domande? Invia una richiesta

Commenti