F5 Upgrade Hotfix and Point Release in a HA Pair

Order of Operation:

1. Upgrade STANDBY
2. Then Upgrade PRIMARY

A point release or hotfix is going from 15.1.0 to 15.1.0.x.

1. Validating the Configuration

On F5-B (STANDBY):

tmsh
load /sys config verify

This command does not actually load the configuration; it performs a “test” load. You are checking whether the configuration will have any problems loading after the upgrade.

2. Verify the Service Check Date

When looking at the images on the F5 site, look for “License Check Date” and make sure the service check date in your license is later than the date posted on the site.

For example, if it’s 2019-11-05, yours has to be a date past that, like 2019-12-01.

q
grep "Service check date" bigip.license

If you are before the date, you will have to relicense the F5. Check out:
“K7727: License activation may be required before a software upgrade for the BIG-IP or Enterprise Manager system”
“K7752: Licensing the BIG-IP system”
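
The date comparison from this step as a script (an added example, not part of the original procedure). The sample license file and its field layout are constructed for illustration, and the function names are hypothetical; on a real unit you would point it at your own bigip.license.

```shell
#!/bin/sh
# Added example (not from the original page): pre-upgrade license date check.

# Print the digits of the first "Service check date" line in a license file.
# Assumed line layout: "Service check date :               20191201"
service_check_date() {
    grep "Service check date" "$1" 2>/dev/null | head -n 1 | tr -cd '0-9'
}

# Succeeds only for an 8-digit YYYYMMDD string.
is_yyyymmdd() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# license_ok_for_release LICENSE_FILE LICENSE_CHECK_DATE
# Returns 0 = OK to upgrade, 1 = relicense first, 2 = date could not be read.
license_ok_for_release() {
    svc=$(service_check_date "$1")
    rel=$(printf '%s' "$2" | tr -cd '0-9')   # accepts 2019-11-05 or 20191105
    if ! is_yyyymmdd "$svc" || ! is_yyyymmdd "$rel"; then
        echo "cannot compare dates: license='$svc' release='$rel'" >&2
        return 2
    fi
    # A service check date before the release's License Check Date means relicensing.
    if [ "$svc" -lt "$rel" ]; then
        echo "relicense first: service check date $svc is before $rel" >&2
        return 1
    fi
    echo "ok: service check date $svc, release license check date $rel"
}

# Constructed sample license file (values are made up for this example).
SAMPLE_LICENSE=$(mktemp)
cat > "$SAMPLE_LICENSE" <<'EOF'
Licensed date :                    20190601
Service check date :               20191201
Registration Key :                 XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX
EOF

# Release date taken from the page's example (2019-11-05).
license_ok_for_release "$SAMPLE_LICENSE" "2019-11-05"
```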

3. Synchronizing the Config

Make sure the configuration is in sync before upgrading; if it is not in sync, you need to sync it here:

On F5-A (ACTIVE):

Device Management > Overview

You want to sync with the device with the most recent changes.

4. Creating and Saving a UCS Archive (AKA BACKUP)

On F5-B (STANDBY):

System > Archives

Click on the archive name, download it, and save it to a separate, secure location.

5. Importing the ISO File

System > Software Management > Image List > Import…

You will see it in the “Available images” list.

Check out:
“K167: Downloading software and firmware from F5”

6. Verifying the MD5 checksum

cd /shared/images/
ls
md5sum -c "filename.iso.md5"

Check out:
“K8337: Verifying the MD5 checksum for the downloaded F5 software file”

7. Disabling the “Automatic with Incremental Sync” Option (ON PRIMARY F5)

If your sync type is set to automatic, you should temporarily set it to manual.

On F5-A (ACTIVE):

Device Groups > {Group Name} > Sync Type

Three Options:
1. Automatic with Incremental Sync
2. Manual with Incremental Sync
3. Manual with Full Sync

You want to change it from option 1 above to option 2 temporarily.

Select “Update” to commit Sync Type change

8. Installing and Rebooting to the New Version

On F5-B (STANDBY):

System > Software Management

Look at the “Boot Location” that’s both active and default. If it’s HD1.1, then create a new one, HD1.2.

a. Check the box next to the new available image
b. Click “Install”
c. “Select Disk” – you might have more than one, but it’s typically HD1 or MD1
d. “Volume set name:” type in 2
e. Click “Install”

Verify status:

watch "tmsh show sys software status"

Press Ctrl-C to break out.

f. Go to “Boot Locations”
g. Click on the new HD#
h. Leave “Install Configuration” set to No – that option is only needed if you made any config changes
i. Click “Activate”

Verify Progress:
Use console connection

On F5-A (ACTIVE), you will see “Disconnected” for the Current ConfigSync State.

When you log back onto F5-B, you will see its status is “Changes Pending.”

IMPORTANT:
When they are on different versions, you do NOT want to synchronize!

9. Verifying the New Point Release Version is Active on the Newly Patched System

On F5-B (STANDBY):

System > Software Management

You should see that the new version is both Active and Default Boot.

Verify your Virtual Servers have loaded:

Local Traffic > Virtual Servers

10. Force Failover to Newly Patched System

After verifying everything loaded OK, it’s now ready to take Traffic.

On F5-A (ACTIVE):

Device Management > Traffic Groups

Check the box for the Traffic Group
Click “Force to Standby…”
Click “Force to Standby”

Look at the status at the top left; you should see F5-A is “STANDBY.”

On F5-B (STANDBY):

You should see that F5-B is “ACTIVE,” but still with “Changes Pending.”

Verify Traffic Flow:
Check to make sure Traffic is flowing properly

REPEAT PROCEDURES FOR A!

11. Repeat these Steps for F5-A

Validating the configuration
Verifying the Service check date
Creating and saving the UCS archive
Importing the ISO
Verifying the MD5 checksum
Installing and rebooting to the new version

12. Installing and Rebooting to the New Version & Verifying the New Point Release Version is Active on the Newly Patched System

On F5-A (ACTIVE):

System > Software Management > Boot Locations

Click on the new HD# and verify the info
Click “Activate”

Look for error messages and verify the Virtual Servers (pool members) are up.

13. Forcing a Failover Back to F5-A

On F5-B (STANDBY):

Device Management > Traffic Groups

Check the box for the Traffic Group
Click “Force to Standby…”
Click “Force to Standby”

On F5-A (ACTIVE):

You should see it’s “ACTIVE” and both are running the same point release.

Check both:

System > Software Management > Image List

Look to see if the new image is “Yes” for both Active and Default Boot.

14. Performing the Final ConfigSync

Now that both F5s are running the same code version, it’s time to sync.

On F5-A (ACTIVE):

Device Management > Overview

Devices:
Recent Changes – should be on F5-A; it will show A because it was the most recently loaded after the reboot and upgrade

BEST PRACTICE – DO NOT MAKE ANY CHANGES DURING AN UPGRADE

Make sure you select F5-A
Make sure “Sync Options” is set to “Push the selected device configuration to the group”
Click “Sync”

Everything should be back to normal and synced.

15. OPTIONAL: Restoring the “Automatic with Incremental Sync” Option

If this was set to automatic before this whole process, we could now restore it.

Device Groups > {Group Name} > Sync Type

Three Options:
1. Automatic with Incremental Sync
2. Manual with Incremental Sync
3. Manual with Full Sync

You want to change it from option 2 above back to option 1.

Select “Update” to commit Sync Type change