
Running R80.20 pre-upgrade verifier on a MDS

Greetings o'mighty Checkmates

Reading through all the upgrade, limitations and known issues documentation, I got stuck on this:

In the R80.20 installation and upgrade guide it states that you need to do mdsstop before running the pre-upgrade verifier.

I get cautious and paranoid when this needs to be done on an MDS with multiple domains and gateways.

I couldn't find any explanation of why this needs to be done and whether it can be avoided, and, if avoided, what "scary-end-of-the-world" issues will surface. Is it enough that Dashboard/SSH/WebGUI connections to the MDS and domains are blocked?

--Patrick

0 Kudos
6 Replies

Re: Running R80.20 pre-upgrade verifier on a MDS

I do not understand your fears - to cpstop a GW will stop all traffic to and from the Internet, but cpstop on SMS / MDS will only stop services independent from the GW(s). You will not be able to install policy before you have issued cpstart, but that is all. I assume that the verifier needs to access some files usually open by CP processes or daemons. No harm in that...

The only helpful additional hint I can give here is to make sure that all Dashboard users are logged out from MDS before you issue cpstop to prevent corruption.

0 Kudos

Re: Running R80.20 pre-upgrade verifier on a MDS

There have been issues with VPNs when the management is down. Gateways haven't been able to do CRL checks from the ICA, which has caused VPN issues.

Maybe I'm too paranoid, but I have had my share of "horror errors" 

0 Kudos

Re: Running R80.20 pre-upgrade verifier on a MDS

This kind of paranoia is really not bad and may actually save you from harm! But as the pre-upgrade verifier will not take very long, this should be acceptable, if it needs to be, in a maintenance window.

0 Kudos
Petr_Hantak
Silver

Re: Running R80.20 pre-upgrade verifier on a MDS

Actually, this is a good point regarding CRL checks and VPN issues. On the other hand, it does not take that long, and if you are able to find a not-so-busy period for VPN traffic during the daytime, then it could be good to plan a maintenance window there and take those steps.

0 Kudos

Re: Running R80.20 pre-upgrade verifier on a MDS

Also, loading CRL for internal CP SA is not so very necessary 😉 It will sometimes just be disabled following sk21156.

JozkoMrkvicka
Platinum

Re: Running R80.20 pre-upgrade verifier on a MDS

VPNs go down within 24 hours after the primary Security Management server goes down.

But you will lose VPNs in case you have only 1 management server available (Primary), or in the "Fetch Policy" tab you have only 1 management selected.

Kind regards,
Jozko Mrkvicka