This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LostBoY
Advisor
‎2021-04-22 07:41 AM
Jump to solution

R80.40 MVC Upgrade

I am looking to upgrade my VSX Cluster running 2 Virtual Systems from R80.10 to R80.40..i went through the following guide.

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Installation_and_Upgrade_Gui...

 

My query is that here it is not mentioned when the cluster member will be switched..Suppose i have 2 members in Active/Standby..i upgraded the Standby member to R80.40.. now for first member do i do a manual failover or it happens automatically in once MVC is switched on ?

 

Also, the policy to be installed after each member upgrades..is it only Cluster object policy or VS policy as well ?

 

Secondly..

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Installation_and_Upgrade_Gui...

at the bottom of this link a note states..

When Cluster Members of different versions are on the same network, Cluster Members of the new (upgraded) version remain in the state Ready, and Cluster Members of the previous version remain in state Active Attention.

Cluster Members in the state Ready do not process traffic and do not synchronize with other Cluster Members.

this is the condition before switching on MVC and will change once MVC is switched on.. is my understanding correct ?

The method described after that to remove the cables Physically and all that ..is it for the scenario where only one member is upgraded to test the latest version ?

 

sorry for the long post.. any help is appriciated.

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-04-25 09:51 PM
Jump to solution

The way I understand the documentation anyway, when you upgrade one cluster member to R80.40, the members on earlier versions will not properly recognize the upgraded member.
Once you enable the MVC mechanism, the other members will recognize it and start syncing connections.
I don't believe the failover occurs until you force it (either by upgrading or disconnecting the other members).

 

View solution in original post

Kaspars_Zibarts
Employee Employee
Employee
‎2021-04-25 11:53 PM
In response to PhoneBoy
Jump to solution

@PhoneBoy is totally correct.

Before you turn MVC on, upgraded member will be in READY state. Once MVC is turned ON, members will synchronise and cluster will appear in "normal" state ACTIVE/STANDBY. 

There is no automatic failover. Depending on your cluster type (VSLS or HA) or you may chose own approach. On our VSLS VSX we did fail over one VS at a time by clusterXL_admin down on a specific VS. This way upgrade is extremely controlled. With HA cluster you of course will fail over all at once. But in principle we use the same clusterXL_admin down command on VS0 only

I do suggest to check your connections tables on both members before cutover - for some reason on our HA VSX cluster large chunk of connections was no synchronised. Still have no explanation to as why. What "saved" us was the fact the we allow"out of state" connections during upgrades. So technically no ongoing connections will be dropped.

One thing that it is missing from upgrade documents is turning off MVC after upgrade! It did byte us on the backside when we performed rollback to R80.30, created quite a mess..

Below are two articles I wrote about our VSX upgrade experience, you might want to read just in case to avoid same problems potentially

https://community.checkpoint.com/t5/Security-Gateways/Problems-with-large-VSX-platforms-running-R80-...

https://community.checkpoint.com/t5/Security-Gateways/VSX-appliance-upgrade-to-R80-40-T78-first-impr...

 

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2021-04-25 09:51 PM
Jump to solution

The way I understand the documentation anyway, when you upgrade one cluster member to R80.40, the members on earlier versions will not properly recognize the upgraded member.
Once you enable the MVC mechanism, the other members will recognize it and start syncing connections.
I don't believe the failover occurs until you force it (either by upgrading or disconnecting the other members).

 

Kaspars_Zibarts
Employee Employee
Employee
‎2021-04-25 11:53 PM
In response to PhoneBoy
Jump to solution

@PhoneBoy is totally correct.

Before you turn MVC on, upgraded member will be in READY state. Once MVC is turned ON, members will synchronise and cluster will appear in "normal" state ACTIVE/STANDBY. 

There is no automatic failover. Depending on your cluster type (VSLS or HA) or you may chose own approach. On our VSLS VSX we did fail over one VS at a time by clusterXL_admin down on a specific VS. This way upgrade is extremely controlled. With HA cluster you of course will fail over all at once. But in principle we use the same clusterXL_admin down command on VS0 only

I do suggest to check your connections tables on both members before cutover - for some reason on our HA VSX cluster large chunk of connections was no synchronised. Still have no explanation to as why. What "saved" us was the fact the we allow"out of state" connections during upgrades. So technically no ongoing connections will be dropped.

One thing that it is missing from upgrade documents is turning off MVC after upgrade! It did byte us on the backside when we performed rollback to R80.30, created quite a mess..

Below are two articles I wrote about our VSX upgrade experience, you might want to read just in case to avoid same problems potentially

https://community.checkpoint.com/t5/Security-Gateways/Problems-with-large-VSX-platforms-running-R80-...

https://community.checkpoint.com/t5/Security-Gateways/VSX-appliance-upgrade-to-R80-40-T78-first-impr...

 

LostBoY
Advisor
‎2021-04-29 07:32 AM
In response to Kaspars_Zibarts
Jump to solution

Thank you for the detailed explanation..very useful

0 Kudos
LostBoY
Advisor
‎2021-04-29 07:39 AM
In response to Kaspars_Zibarts
Jump to solution

I just having a hard time contemplating the note section at the bottom of 

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Installation_and_Upgrade_Gui...

Why will there be any need to physically remove cables , shut interfaces etc when the system will auto correct itself once MVC is switched on 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events