Live Demo Zero Interruption Upgrade of Nokia VRRP

Live Demo: Zero Interruption Upgrade of Nokia VRRP Cluster Yasushi Kono (Computer. Links Germany)

Scenario: Two Nokia boxes (IP 260) with IPSO 4. 1 and Check Point version NGX R 61 in a VRRP cluster configuration.

Smart. Console R 60 Smart. Center Server R 60 Gateway A IPSO 4. 1/ NGX R 60 Gateway B IPSO 4. 1/ NGX R 60 Which component do we have to upgrade first?

• First: Install Smart. Console R 62 • Then: Upgrade Smart. Center to R 62 • Upgrade the Standby Gateway to R 62 But which one is the Standby Gateway?

• Command to identify the standby gateway: • iclid> show vrrp or • echo show vrrp | iclid

• What to do prior to upgrading…. • Set the Cluster Control Protocol into broadcast mode: cphaconf set_ccp broadcast • Check, whether the CCP mode is broadcast or multicast: cphaprob –a if

• Should you have to upgrade IPSO first, the command therefor is: newimage –i –k -i: interactive mode -k: keep previously installed packages activated!

Do you know other upgrade options to upgrade IPSO?

Prior to upgrading to NGX R 62 our environment is as follows….

Smart. Console R 62 Smart. Center Server R 62 Gateway A IPSO 4. 1/ NGX R 60 (Active) Gateway B IPSO 4. 1/ NGX R 60 (Standby)

You have to alter the cluster configuration in the following ways:

• Don‘t forget another important setting: This option is to be activated, otherwise existing connections will be disconnected during upgrade!!!! Not mentioned in the Upgrade Guide of Check Point!

Gateway B: IPSO 4. 1/ NGX R 60 (Standby) Command to Upgrade Check Point: [gateway. B]# newpkg ! Don‘t use the –i switch here, unless you want to use it explicitly!

After upgrading Gate. B: 1. Reboot it 2. Check the Install Policy option „For Gateway Cluster install on all members, if it fails do not install at all“ 3. Change the Cluster version in Smart. Dashboard to NGX R 62 and install the Policy

At this stage, Gate. A is still the active node. • You have to transfer the State Table to Gate. B (to be shown in the next slide) • You have to disable the cluster service of Gate. A • Gate. B shall take over almost all connections! If not, you don‘t have a second chance!

Transferring the State Table of Gate. A to Gate. B: [Gate. B]# fw fcu <IP Address Gate. A> Before disabling cluster service from Gate. A, wait until the following message is being displayed: [Gate. B]# Full sync connection finished successfully

Disabling Cluster Service from Gate. A: [Gate. A]# cphastop After that, Gate. B should have taken over almost all connections.

Now, you can upgrade Gate. A with the commands already used. Gate. B will process all requests. After upgrading, reboot Gate. A and install the last policy on both cluster members!

Important information for you: There are some connections which will be disrupted anyway: – User Authentication Connections – Connections with Resources (SMTP, URI, FTP) – Client Authentication (partially automatic and fully automatic for HTTP, FTP, Telnet, rlogin)

But what if…. ? What do you need in the case of failing upgrade procedure? If you would like to escape from your customer‘s site

Thus, my recommendation is: Plan for downtime!

• DISCLAIMER: I am not responsible for sponsoring you a race car should your attempt to upgrade the cluster failing!

Thank you for attending this presentation!