Hi all
We plan to upgrade MWG v7.8 to v9.2.8 and I have some questions.
1. I check some documents and found MWG 8.2.0 and later include the replacement for the
McAfee Network Driver (MFEND), it means Proxy HA behavior changes after v8.2.0.
So I test upgrading in my lab. Unit 1 and unit 2 are in the mode HA proxy with the same version v7.8.I upgrade unit2 from v7.8 to v9.2.8 directly. After upgrading unit 2,I changed priority of unit 1 to 70 and priority of unit 2 is 80. I found owner of virtual IP was still unit1. If I can't HA switch with changing priority, service will be impacted during updating. Is there any additional step I have to do?
2.Is there a step that I can following to upgrade MWG from v7.8 to new version and makes no service
impact during updating?
Hello,
in general, this should work.
1) not sure what exactly happens but I guess that proxy HA mode is improperly configured and therefore there are communication errors causing this. Normally, you can transfer VIP and then remove port redirects and make sure that backup node does not receive any traffic. Then you can upgrade and do same vice versa.
2) Our best practices about upgrading are described here in this KB:
https://kc.mcafee.com/corporate/index?page=content&id=KB89192
Further, if you need another details for proxy HA mode config with haproxy, we have 2 KB articles and 2 community articles (which do contain clear example configuration with IP addresses):
KB:
https://kc.mcafee.com/corporate/index?page=content&id=KB91848
https://kc.mcafee.com/corporate/index?page=content&id=KB91849
Community:
https://community.mcafee.com/t5/Enterprise-Documents/Example-Proxy-HA-configuration-using-HAProxy-mf...
https://community.mcafee.com/t5/Enterprise-Documents/Example-Transparent-Proxy-configuration-using-H...
If all this does not help and you still encounter the issue, please create a feedback file from each node and open a ticket with that so that support can check.
Hi mkutrieba
This is my setting.
MWG1 192.168.52.61/24 VIP 192.168.52.63/32 VRRP 51 priority 90
MWG2 192.168.52.62/24 VIP 192.168.52.63/32 VRRP 51 priority 80
Before I upgrade MWG2, MWG2 could become active unit when I adjust priority to 70 on MWG1.
This step is to make sure VRRP is working before upgrade.
I upgrade MWG2 from 7.8 to 9.2 first, it means the active unit is MWG1.
After upgrading MWG2 successfully, I can't make MWG2 to become active by changing priority.
I tried to add configuration of scanner on MWG2 and it didn't work.
What configuration should I check or add after I upgrade one unit to 9.2 so that VRRP could work fine between v7.8 and v9.2?
Hello,
based on this I cannot help much, but it sounds like proxy HA configuration still needs to adjusted as MFEND got replaced with haproxy where configuration changes (scanner table entries, change listener from 0.0.0.0:port to MWGIP:port and so one) are mandatory to get it back to work.
I suggest to create a feedback file and then open a ticket and PM me the SR number, then I will take it over, analyse the file and come back to you via ticket.
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA