Message 1 of 7

HA Questions - When upgrading appliances

I've been having an e-mail conversation with one of my customers and I'd like to seek clarification on some points.

The customer has a pair of S3008 appliances running 8.3.0 in an active/passive (peer-to-peer) HA cluster. He is looking at the process of upgrading and the correct procedure for doing so.

Basically everything he has proposed is correct - upgrade Firewall B to 8.3.1 (the dormant member), perform a failover to bring it online (making Firewall A dormant), check to make sure the new version of software doesn't cause any issues, upgrade Firewall A to the same version and (optionally) force another HA event to make A the active member once again. He then posed some questions which I answered to his satisfaction. He did, however, ask two which I wasn't immediately sure of:

If B is primary, and changes made will A sync to primary once upgraded & rebooted?

What I was absolutely certain of was that while the two appliances were running different versions, changes made to the active member wouldn't be synchronized to the passive member. However, I wasn't 100% sure whether, once the other appliance was upgraded to the same version, it would definitely inherit any changes made in the interim.

With different versions it will still do a graceful handover on scheduled shutdown/reboot? Where transfer of connection starts 30 mins prior to shutdown/reboot.

This, oddly, isn't something I've consciously tried. I've pulled network cables, power cables and such like to force a failover, but am not 100% sure if a scheduled reboot of the active member would allow the other member to still take over 'gracefully' while there is still a disparity between the two software versions. I'm again assuming that it will be "yes" as there will still be a functioning channel of communication over the HA link and, even though there's a temporary minor difference between the two appliances, there's still enough compatibility between the two for one to let the other know that it needs to take over, rather than waiting for some kind of actual failure event where the secondary box suddenly realises that it is no longer able to communicate with the primary.

Many thanks.

-Phil.

6 Replies
Message 2 of 7

Re: HA Questions - When upgrading appliances

Hello Phil,

>If B is primary, and changes made will A sync to primary once upgraded & rebooted?

I'm sorry if I'm misunderstanding, but are you wondering if changes made to firewall B while it is primary will sync to firewall A when it is upgraded and rebooted? Yes, when A is booting up it will check to see if it has the correct policy and will synchronize if necessary.

>With different versions it will still do a graceful handover on scheduled shutdown/reboot? Where transfer of connection starts 30 mins prior to shutdown/reboot.

This one I am not actually sure about either. I am leaning towards this not working in the manner that the customer would want, but I think it is something that needs to be tested. Because of the version difference, I expect there might be a problem with that communication chain.

-Matt

Message 3 of 7

Re: HA Questions - When upgrading appliances

Hi Matt.

In the case of the first question, you have it spot on and your conclusion seems to agree with mine.

In the case of the second question I am a little more surprised, because my gut feeling was that it would work. Even though the two appliances are running different versions there is (I thought) still a functioning channel of communication over the heartbeat interface. If I had the appliances with which to test it for myself I would give it a try. Had I been asking about a pair of 8.2.x appliances and one had been upgraded to 8.3, I would have been less surprised if you had said "No, this is unlikely to work", but 8.3.0 & 8.3.1?...

If you could ponder this with your colleagues I'd be grateful.

In the meantime I will relay your thoughts on the first point over to the customer.

Thanks.

-Phil.

Message 4 of 7

Re: HA Questions - When upgrading appliances

Hello,

Got some information for you:

Session sync does not use the firewall version. It has its own protocol version; as long as there is no change in the session message/protocol across the two versions it should work. If there is a change, you will see an error message with:

"IP Filter: old version number in state sharing message
IP Filter: old version number(v2) in state sharing message"

AFAIK, there is no change in the session message for 8.3.0 and 8.3.1, so I think it should work.

-Matt
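As an added illustration of the check Matt describes (not code from the thread or from the vendor), here is a small Python log scanner that flags the two "IP Filter: old version number" messages quoted above while the peers run different firmware. The log lines are constructed samples and the function names are my own.

```python
import re

# Pattern built from the two messages quoted in the thread. The optional
# "(vN)" group captures the state-sharing protocol version when the
# firewall includes it in the message.
STATE_SHARING_MISMATCH = re.compile(
    r"IP Filter: old version number(?:\((v\d+)\))? in state sharing message"
)


def find_state_sharing_mismatches(lines):
    """Return one dict per log line reporting a state-sharing version mismatch."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = STATE_SHARING_MISMATCH.search(line)
        if m:
            hits.append({
                "line": lineno,
                "protocol_version": m.group(1),  # None when the message omits it
                "text": line.strip(),
            })
    return hits


def session_sync_looks_healthy(lines):
    """True when no mismatch message is present, i.e. the state-sharing
    protocol did not change between the two firmware versions."""
    return not find_state_sharing_mismatches(lines)


# Constructed sample log lines (not real appliance output): a normal
# heartbeat, the two messages quoted on the page, and an unrelated event.
SAMPLE_LOG = [
    "Jan 10 10:00:01 fwA kernel: heartbeat from peer OK",
    "Jan 10 10:00:05 fwA kernel: IP Filter: old version number in state sharing message",
    "Jan 10 10:00:06 fwA kernel: IP Filter: old version number(v2) in state sharing message",
    "Jan 10 10:00:09 fwA sshd: Failed password for admin",
]

if __name__ == "__main__":
    for hit in find_state_sharing_mismatches(SAMPLE_LOG):
        ver = hit["protocol_version"] or "unknown"
        print(f"line {hit['line']}: protocol version {ver}: {hit['text']}")
    print("session sync healthy:", session_sync_looks_healthy(SAMPLE_LOG))
```

Run it against the active member's log after upgrading the first node; any hit means the session state is not being shared and a graceful handover should not be relied on until both nodes run the same version.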

Message 5 of 7

Re: HA Questions - When upgrading appliances

Many thanks, Matt.

I have relayed this over to the customer and he is very grateful.

-Phil.


Re: HA Questions - When upgrading appliances

Hello,

About that, I am thinking of upgrading the firewall from 8.2.1 to 8.3.1. I have two nodes in an HA cluster, load-sharing mode. So, to upgrade the HA cluster, is it necessary to break the cluster before installing the package?

Thanks in advance.

Message 7 of 7

Re: HA Questions - When upgrading appliances

Hello,

No it is not necessary to break the cluster before updating.

-Matt
