Last Updated: 6/27/2024 @ 4pm
Change Notes:
- 6/27/24 - modified grep command to search all restnoded logs, not just the current file.
I have added my tips and links to the official upgrade steps.
Because we are jumping major TMOS versions (which greatly improve the SSLO configuration architecture), the upgrade involves two phases:
- upgrading the TMOS .ISO from 15.1.x to 17.1.x
- upgrading the SSLO RPM from 7.x to 11.x. When this happens, a one-time migration of the SSLO configuration occurs (Section 4).
- All non-SSLO references to SSLO objects must be removed. Under Local Traffic -> Virtual Servers -> Frontdoor -> Resources, notice there is no pool configured. Static variable references in iRules are safe.
- Complete the pre-upgrade checklist here: https://my.f5.com/manage/s/article/K64003555#link_02_01 (stop when you get to "Upgrade procedure"):
  - Verify SSL Orchestrator configuration readiness
  - Perform a UCS backup of all SSL Orchestrator systems
  - Verify HA state readiness
- PROTIP! Use the restcurl commands in this section to do this: https://my.f5.com/manage/s/article/K64003555#link_03_01_02
Upgrade steps here: https://my.f5.com/manage/s/article/K64003555#link_03_01 (stop at "Verify the gossip protocol is working between the HA devices"):
- Perform the upgrade on the standby device.
- Force the standby device offline.
- Restart the forced-offline device and boot to the newly upgraded software volume.
- Perform the upgrade on the active device.
- Restart the active device and boot to the newly upgraded software volume.
- Release the forced-offline device and reactivate it to standby.
- Because the system has upgraded past 15.1.7, we need to address a behavior change in the way restjavad is given extra memory. To do that, just run these commands:
    tmsh modify sys db provision.restjavad.extramb value 600
    bigstart restart restjavad
    tmsh list sys db provision.restjavad.extramb
  The last command should show the updated value of 600.
- Follow the verification steps here before proceeding with the RPM upgrade: https://my.f5.com/manage/s/article/K64003555#link_03_01_02 (stop at "Update the SSL Orchestrator software and configuration").
1. Review the upgrade flowchart here: https://clouddocs.f5.com/sslo-troubleshooting-guide/procs/troubleshooting-upgrade.html
2. Log in to the Configuration utility of the active SSL Orchestrator device.
3. Log in to the Configuration utility of the standby SSL Orchestrator device.
4. Open an SSH session to the active SSL Orchestrator device. (OPTIONAL) Run
       tail -f /var/log/restnoded/restnoded.log
   to watch the SSLO log file.
5. Open an SSH session to the standby SSL Orchestrator device. (OPTIONAL) Run
       tail -f /var/log/restnoded/restnoded.log
   to watch the SSLO log file.
6. Perform steps 7 and 8 in close succession (ideally within a few seconds):
7. On the active SSL Orchestrator device, go to SSL Orchestrator > Configuration. Doing so automatically starts the SSL Orchestrator RPM upgrade on that device.
8. On the standby SSL Orchestrator device, go to SSL Orchestrator > Configuration. Doing so automatically starts the SSL Orchestrator RPM upgrade on that device.
9. Go grab a coffee and come back in 10 minutes. The GUI is going to make you think the upgrade failed for the next ~10 minutes, when it's actually still running fine and shouldn't be interrupted.
10. After 10 minutes, check which device is the upgrade pilot with this command:
       grep "Responsible For Upgrade" /var/log/restnoded/restnoded*
    and look for "Responsible For Upgrade: true".
11. On the device responsible for the upgrade (true), run this command to see if the upgrade finished successfully:
       grep "Upgrade Finished" /var/log/restnoded/restnoded*
    and look for "[upgradeWorker] --- Upgrade Finished ---".
12. IMPORTANT: perform a config sync FROM the upgrade pilot device (the device that said "Responsible For Upgrade: true") TO the non-pilot device (the device that said "Responsible For Upgrade: false").
13. Redeploy all SSLO topologies with no functional changes (change the description of each topology). HTTPS traffic works fine after the upgrade. HTTP-only works after re-deploying the topology and changing the description. No functional changes to the topology are needed. Replicated this twice now. Rebooting without re-deploying the topology does NOT fix the issue.
14. On each topology's in-t-4 VS, remove the "copy" clientSSL profile and attach the profile created by SSLO. The SSLO upgrade removes the clientSSL profile and replaces it with a "copy" of the CA certificate. I then have to modify the virtual server to put the SSLO-authored CA certificate back on. Until I do that, the SSLO GUI will not let me modify the CA certificate for the topology.
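Added here as an example (not the page's own commands and not an F5 tool): a small shell script that applies the log checks from the pilot/finished/config-sync steps above to a restnoded log directory and prints which config-sync direction applies. It assumes only the /var/log/restnoded/restnoded* layout and the two log strings quoted above; the log lines in the demo function are constructed, not real restnoded output.

```shell
#!/bin/sh
# Added example, not F5 tooling: read the SSLO upgrade state out of the restnoded
# logs using the same markers the steps above grep for. $1 is the log directory.

# Print pilot / non-pilot / unknown for the device whose logs live in $1. Like the
# grep above it scans every restnoded* file, so a rotated log from an earlier upgrade
# can also match; check timestamps in the matching lines if the answer looks wrong.
sslo_upgrade_role() {
    if grep -qF "Responsible For Upgrade: true" "$1"/restnoded* 2>/dev/null; then
        echo pilot
    elif grep -qF "Responsible For Upgrade: false" "$1"/restnoded* 2>/dev/null; then
        echo non-pilot
    else
        echo unknown
    fi
}

# Succeed only when upgradeWorker has written its finish marker.
sslo_upgrade_finished() {
    grep -qF "[upgradeWorker] --- Upgrade Finished ---" "$1"/restnoded* 2>/dev/null
}

# Verdict: exit 0 when syncable, 2 when the pilot has no finish marker yet, 3 when no role was logged.
sslo_upgrade_report() {
    case "$(sslo_upgrade_role "$1")" in
        pilot)
            if sslo_upgrade_finished "$1"; then
                echo "pilot, upgrade finished: config-sync FROM this device TO the peer"
            else
                echo "pilot, no Upgrade Finished marker: keep waiting, do not sync"; return 2
            fi ;;
        non-pilot) echo "non-pilot: wait for the pilot, then receive its config-sync" ;;
        *) echo "unknown: no Responsible For Upgrade line logged yet"; return 3 ;;
    esac
}

# Demo on constructed log lines: a finished pilot, a non-pilot, and an idle device.
sslo_upgrade_demo() {
    d=$(mktemp -d)
    mkdir "$d/active" "$d/standby" "$d/idle"
    printf '%s\n' '[upgradeWorker] Responsible For Upgrade: true' \
        '[upgradeWorker] --- Upgrade Finished ---' > "$d/active/restnoded.log"
    printf '%s\n' '[upgradeWorker] Responsible For Upgrade: false' > "$d/standby/restnoded.log"
    : > "$d/idle/restnoded.log"
    for dev in active standby idle; do
        printf '%s -> ' "$dev"; sslo_upgrade_report "$d/$dev" || true
    done
    rm -rf "$d"
}
sslo_upgrade_demo
```

Run it on each device (or on copies of both devices' /var/log/restnoded directories) and only perform the config sync once the pilot reports "upgrade finished".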