Live Demo:

Zero Interruption Upgrade of Nokia VRRP ClusterYasushi Kono (ComputerLinks Germany)

Scenario:

Two Nokia boxes (IP 260) with IPSO 4.1

and Check Point version NGX R61 in

a VRRP cluster configuration.

SmartConsole R60

SmartCenter Server R60

Gateway A IPSO 4.1/ NGX R60

Gateway B IPSO 4.1/ NGX R60 Which component do we

have to upgrade first?

• First: Install SmartConsole R62

• Then: Upgrade SmartCenter to R62

• Upgrade the Standby Gateway to R62

But which one is the Standby Gateway?

• Command to identify the standby gateway:

• iclid> show vrrpor

• echo show vrrp | iclid

• What to do prior to upgrading….

• Set the Cluster Control Protocol into broadcast mode:

cphaconf set_ccp broadcast

• Check, whether the CCP mode is broadcast or multicast:cphaprob –a if

• Should you have to upgrade IPSO first,

the command therefor is:

newimage –i –k-i: interactive mode

-k: keep previously installed packages activated!

Do you know other upgrade options to upgrade IPSO?

Prior to upgrading to NGX R62 our environment is as follows….

SmartConsole R62

SmartCenter Server R62

Gateway A IPSO 4.1/ NGX R60 (Active)

Gateway B IPSO 4.1/ NGX R60 (Standby)

You have to alter the cluster configuration in the following ways:

• Don‘t forget another important setting:

This option is to be activated, otherwise existing connections will be disconnected during upgrade!!!!

Not mentioned in the Upgrade Guide of Check Point!

Gateway B:

IPSO 4.1/ NGX R60 (Standby)

Command to Upgrade Check Point:

[gatewayB]# newpkg

! Don‘t use the –i switch here, unless you want to use it explicitly!

After upgrading GateB:1. Reboot it

2. Check the Install Policy option „For Gateway Cluster install on all members, if it fails do not install at all“

3. Change the Cluster version in SmartDashboard to NGX R62 and install the Policy

At this stage, GateA is still the active node.

• You have to transfer the State Table to GateB (to be shown in the next slide)

• You have to disable the cluster service of GateA

• GateB shall take over almost all connections!

If not, you don‘t have a second chance!

Transferring the State Table of GateA to GateB:[GateB]# fw fcu <IP Address GateA>

Before disabling cluster service from GateA, wait until the following message is being displayed:[GateB]# Full sync connection finished successfully

Disabling Cluster Service from GateA:

[GateA]# cphastop

After that, GateB should have taken over almost all connections.

Now, you can upgrade GateA with the commands already used.

GateB will process all requests.

After upgrading, reboot GateA and install the last policy on both cluster members!

Important information for you:

There are some connections which will be disrupted anyway:– User Authentication Connections– Connections with Resources (SMTP, URI,

FTP)– Client Authentication (partially automatic and

fully automatic for HTTP, FTP, Telnet, rlogin)

But what if….?

What do you need in the case of failing upgrade procedure?

If you would like to escape from your customer‘s site

Thus, my recommendation is:

Plan for downtime!

• DISCLAIMER:

I am not responsible for sponsoring you a race car should your attempt to upgrade the cluster failing!

Thank you for attending this presentation!