4 Replies Latest reply on Oct 9, 2015 4:29 AM by lubomir.cerny

    Failed upgrade MWG 7.4.2.11 to 7.5.2.2

    lubomir.cerny

      Hi folks.

      I started upgrade from 7.4.2.11 in HA to 7.5.2.2.

      First I started with slave node in HA as usual, but update freezed during updating mwg-config-7.5.2.2.0-19971.mlos2.mwg.x86_64

       

      Now the appliance has only local loopback network interface and process can not continue.

      How to recover from this ? I tried yum-complete-transaction but no success.

       

      Any advice please ?

      On lab, the upgrade went ok from 7.4.2.11 to 7.5.2.2. On production HA, no :-(

       

      Running rpm_check_debug

      Running Transaction Test

      Transaction Test Succeeded

      Running Transaction

        Updating   : zlib-1.2.3-29.mlos2.mwg.x86_64

        Updating   : libcom_err-1.41.12-21.mlos2.x86_64

        Installing : xerces-c-3.0.1-20.mlos2.mwg.x86_64

        Updating   : libselinux-2.0.94-5.8.mlos2.x86_64

        Updating   : krb5-libs-1.10.3-33.mlos2.mwg.x86_64

        Updating   : openssl-1.0.1p-1.mlos2.mwg.x86_64

        Updating   : expat-2.1.0-10.mlos2.x86_64

        Updating   : 1:net-snmp-libs-5.5-50.mlos2.mwg.x86_64

        Updating   : openssh-5.3p1-106.mlos2.x86_64

        Installing : libtasn1-2.3-6.mlos2.x86_64

        Installing : p11-kit-0.18.5-2.mlos2.x86_64

        Installing : log4cpp-1.0-13.mlos2.mwg.x86_64

        Installing : mwg-credstore-migration-1.0.1-4.mlos2.mwg.noarch

        Updating   : mwg-certs-2.0.1-4.mlos2.mwg.noarch

        Updating   : tomcat6-servlet-2.5-api-6.0.43-1.mlos2.mwg.4.noarch

        Installing : xml-common-0.6.3-32.mlos2.noarch

        Updating   : udns-0.2-4.mlos2.x86_64

        Updating   : mwg-mfetsc-7.5.2.2.0-19971.mlos2.mwg.x86_64

        Updating   : tomcat6-jsp-2.1-api-6.0.43-1.mlos2.mwg.4.noarch

        Installing : p11-kit-trust-0.18.5-2.mlos2.x86_64

        Updating   : ca-certificates-2014.1.98-67.0.mlos2.noarch

        Updating   : 1:java-1.7.0-openjdk-1.7.0.71-2.mlos2.x86_64

        Updating   : 1:net-snmp-5.5-50.mlos2.mwg.x86_64

        Updating   : tomcat-native-1.1.32-1.mlos2.mwg.x86_64

        Updating   : ipmitool-1.8.11-21.mlos2.x86_64

        Updating   : ruby-libs-1.8.7.374-3.mlos2.x86_64

        Updating   : ruby-1.8.7.374-3.mlos2.x86_64

        Installing : xalan-c-1.10.0-7.mlos2.mwg.1.x86_64

        Installing : xml-security-c-1.6.0-2.mlos2.mwg.x86_64

        Installing : xmltooling-1.4.2-5.mlos2.mwg.x86_64

        Installing : opensaml-2.4.3-4.mlos2.mwg.x86_64

        Updating   : e2fsprogs-libs-1.41.12-21.mlos2.x86_64

        Updating   : libss-1.41.12-21.mlos2.x86_64

        Updating   : ircli-8.00.16-2.mlos2.mwg.x86_64

        Updating   : 2:ethtool-3.5-1.4.mlos2.x86_64

        Updating   : mwg-config-7.5.2.2.0-19971.mlos2.mwg.x86_64

       

      I can login to console and can see no eth0, eth1 nor bond0 interface only localhost with 127.0.0.1 IP.

      command ifconfig bond0 outputs:

       

      [ 2967.763192] Loading kernel module for network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-bond0 instead

      bond0     Link encap:Ethernet     HWaddr 00:00:00:00:00:00

                     BROADCAST MASTAR MULTICAST     MTU:1500     Metric:1

        • 1. Re: Failed upgrade MWG 7.4.2.11 to 7.5.2.2
          lubomir.cerny

          OK, so after some backup recovery+reimaging time, I am back on 7.4.2.11 and also has found important issue in 7.5.2.2 Release notes document.

          There is statement:

                    When running version 7.5.2.1, an earlier 7.5.x, a 7.4.x, or a 7.3.x version, you can immediately

                    upgrade to the new version. See Perform an upgrade.

           

          But in older 7.5.2 Release notes document, there is warning about bounding interfaces:

               If you have implemented a bonding configuration, which was available as an unsupported

               feature before the release of Web Gateway 7.5.2, remove any settings of this configuration

               before upgrading to this new version. Otherwise you risk creating an unstable state on the

               appliance.

           

          This means, when users follows current 7.5.2.2 Release notes direction it will lead to corrupted deployment !

           

          So please update current Release notes document to continue warn users before update from 7.4 version !

           

          Meanwhile I will try to disable bonding on our NICs and do update.

          • 2. Re: Failed upgrade MWG 7.4.2.11 to 7.5.2.2
            Jon Scholten

            Hi Lubomir,

             

            I'm sorry you ran into this!

             

            In addition to the release notes for 7.5.2, this was something we also send an SNS (McAfee SNS Subscription Center) about -- trying to be proactive, knowing that customers may have an unsupported bonding configuration.

             

            We also tried reaching out to any customers who opened a case about bonding in case they set it up on their own.

             

            Additionally we tried posting to any Community discussions where bonding was discussed in detail:

            Re: can web gateway do link aggregate?

            Re: Web Gateway 7 Interface Teaming

             

            Best Regards,

            Jon

            • 3. Re: Failed upgrade MWG 7.4.2.11 to 7.5.2.2
              lubomir.cerny

              Hi Jon.

              thank you for your time and ways McAfee invested in. Even this I think it should be noticed in current release notes as this is huge show stoper.

               

              However I've disabled bond and tried update HA slave node again from 7.4.2.11 to 7.5.2.2. This time update process finish ok (done via yum upgrade yum yumconf\* and yum upgrade) but after node reboot I can see errors running antimalware engine.

               

              "Cannot load 32 bit AV engines.Waiting for an update to get 64bit engines."

              2015-08-26 07_34_26-McAfee _ Web Gateway - proxy01 - 10.255.252.20.png

              Even update has finished, the user can not use this node as still reports the issue with AV engine:

               

              (14000) internal antivirus filter error: cannot load Anti-Malware engine.

               

              I had to revert back to 7.4.2.11 on slave node.

               

              So, please what is correct way to upgrade from 7.4.2.11 to new main release 7.5.2.2 ?

               

              thx.

              • 4. Re: Failed upgrade MWG 7.4.2.11 to 7.5.2.2
                lubomir.cerny

                Hi there.

                Today I tried to do upgrade using MWG version 7.5.2.3.

                 

                • The console upgrade via yum finished OK.
                • Shared data has synchronized OK
                • There was still Warning about 32bit AV engines:
                • Whole cluster node update took aprx. 42 minutes
                • Slave node update has finished OK:

                 

                So it seems, that 7.5.2.2 has some trouble and 7.5.2.3 is OK.

                I will wait some time for any issues and then upgrade also master node.

                 

                Hope this helps others.