Smart-1 600M appliance running R81.20 T105. CPUSE tools up to date.
R82+T34 Blink Package for SMS was downloaded, verifier returns that upgrade is allowed.
When upgrading, it goes up to 97% then stops and rolls back to R81.20. Tried two times with the same result.
The log doesn't provide a clear indication of what's happening. We will open a TAC SR; maybe some Mates can share a similar experience and how they handled this?
[2025-08-07 - 08:27:53][11939 21734]:Its a management machine.
[2025-08-07 - 08:27:53][11939 21734]:Exporting management configuration.
[2025-08-07 - 08:27:53][11939 21734]:------ Exporting Database: ------
[2025-08-07 - 08:27:53][11939 21734]:Exporting management configuration from source.
[2025-08-07 - 08:27:53][11939 21734]:Testing file: /mnt/fcd//sysimg/CPwrapper/linux/upgrade_tools/linux/ngm_upgrade_wrapper_998001093_1.tgz >>> tar=yes, gzipped=yes
[2025-08-07 - 08:27:53][11939 21734]:About to execute command: nice -n 19 gtar --use-compress-program=pigz -xvf /mnt/fcd//sysimg/CPwrapper/linux/upgrade_tools/linux/ngm_upgrade_wrapper_998001093_1.tgz -C /mnt/fcd//sysimg/CPwrapper/linux/upgrade_tools/linux/rpm --checkpoint=100
[2025-08-07 - 08:27:53][11939 21734]:-- extraction completed successfully --
[2025-08-07 - 08:27:53][11939 21734]:Installed build=998001165, FCD build=998001093.
[2025-08-07 - 08:27:53][11939 21734]:Installing source upgrade tools on FCD.
[2025-08-07 - 08:27:53][11939 21734]:deploying ngm upgrade tools on partition: /mnt/fcd.
[2025-08-07 - 08:27:53][11939 21734]:Checking ngm upgrade tools package=ngm_upgrade_wrapper_997000853_1.tgz, installed=yes, skipped=no, installed_on='Thu May 22 14:56:53 2025' relevant=no
[2025-08-07 - 08:27:53][11939 21734]:Checking ngm upgrade tools package=ngm_upgrade_wrapper_998001165_1.tgz, installed=yes, skipped=no, installed_on='Wed Jul 23 17:42:17 2025' relevant=yes
[2025-08-07 - 08:27:53][11939 21734]:Installing ngm_upgrade_wrapper_998001165_1.tgz
[2025-08-07 - 08:27:53][11939 21734]:Testing file: /var/log/CPda/repository/CheckPoint#UpgradeTools#All#6.0#5#6#UPG_TOOLS_R82#998001165/ngm_upgrade_wrapper_998001165_1.tgz >>> tar=yes, gzipped=yes
[2025-08-07 - 08:27:53][11939 21734]:About to execute command: nice -n 19 gtar --use-compress-program=pigz -xvf /var/log/CPda/repository/CheckPoint#UpgradeTools#All#6.0#5#6#UPG_TOOLS_R82#998001165/ngm_upgrade_wrapper_998001165_1.tgz -C /var/log/CPda/repository/CheckPoint#UpgradeTools#All#6.0#5#6#UPG_TOOLS_R82#998001165/rpm --checkpoint=100
[2025-08-07 - 08:27:53][11939 21734]:-- extraction completed successfully --
[2025-08-07 - 08:27:53][11939 21734]:rpm file copied to : /mnt/fcd
[2025-08-07 - 08:27:53][11939 21734]:About to execute command: . /opt/CPshared/5.0/tmp/.CPprofile.sh >/dev/null 2>&1 ;UPGRADE_CONTEXT=cpuse rpm -Uv --force /CPupgrade-tools-R82-00-00.i386.rpm
[2025-08-07 - 08:27:53][11939 21734]:Executing command under chroot: . /opt/CPshared/5.0/tmp/.CPprofile.sh >/dev/null 2>&1 ;UPGRADE_CONTEXT=cpuse rpm -Uv --force /CPupgrade-tools-R82-00-00.i386.rpm
[2025-08-07 - 08:27:53][11939 21734]:. /opt/CPshared/5.0/tmp/.CPprofile.sh >/dev/null 2>&1 ;UPGRADE_CONTEXT=cpuse rpm -Uv --force /CPupgrade-tools-R82-00-00.i386.rpm command summary:
Return code = 0
Output = error: failed to stat /sys/fs/cgroup: No such file or directory
Preparing packages for installation...
CPupgrade-tools-R82-00-00
[2025-08-07 - 08:27:53][11939 21734]:ngm_upgrade_wrapper_998001165_1.tgz was not installed. marked_as_installed=yes, installed_on=Wed Jul 23 17:42:17 2025
[2025-08-07 - 08:27:53][11939 21734]:Deployed 1 ngm upgrade tools packages on partition: /mnt/fcd.
[2025-08-07 - 08:27:54][11939 21734]:Changing permissions (recursively) of /web/htdocs2/html_reports to Bitmask: 755.
Turns out the issue was that the global domain had both appliances marked as active.
For example:
[Expert@CPMGMT01-A:0]# psql_client cpm postgres -x -c "select objid,name,objclass,domainid,dlesession,deleted from dleobjectderef_data where not deleted and dlesession=0 and objid in (select mds from domainserver_data where domain='1e294ce0-367a-11e3-aa6e-0800200c9a66' and not deleted and dlesession=0);"
-[ RECORD 1 ]------------------------------------------------------------
objid | c7e06651-e93e-41ed-8fcd-e5859e9bf0a9
name |CPMGMT01-A
objclass | com.checkpoint.management.mgmt_blade.objects.CpNetworkObject
domainid | a0eebc99-afed-4ef8-bb6d-fedfedfedfed
dlesession | 0
deleted | f
-[ RECORD 2 ]------------------------------------------------------------
objid | 0cc52cdb-2205-4e41-bd67-f634a335cabd
name |CPMGMT01-B
objclass | com.checkpoint.management.mgmt_blade.objects.CpNetworkObject
domainid | a0eebc99-afed-4ef8-bb6d-fedfedfedfed
dlesession | 0
deleted | f
[Expert@CPMGMT01-A:0]# psql_client cpm postgres -x -c "select * from domainserver_data where domain='1e294ce0-367a-11e3-aa6e-0800200c9a66' and not deleted and dlesession=0;"
-[ RECORD 1 ]---------------+-------------------------------------
objid | 142f23b2-346d-47fb-b800-958e5e85522c
active | t
-[ RECORD 2 ]---------------+-------------------------------------
objid | 60c65504-b312-433d-b42f-0950f4b8f90b
active | t
Once the secondary was set to false, the database export was successful, and subsequently the R82 upgrade.
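Added example, not part of the original post and not Check Point tooling: a pre-upgrade check that reads the expanded (`-x`) output of the `domainserver_data` query shown above and fails unless exactly one domain server is active. The function names are hypothetical, and the sample records are constructed from the output quoted in the post.

```shell
#!/usr/bin/env bash
# Reads `psql -x` (expanded) output on stdin and prints "objid<TAB>active"
# for every record. Only the objid and active columns are used.
parse_records() {
  awk '
    function emit() { if (objid != "") print objid "\t" active; objid = ""; active = "" }
    /^-\[ RECORD [0-9]+ \]/ { emit(); next }      # record separator line
    {
      i = index($0, "|"); if (i == 0) next        # skip lines without "key | value"
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "objid")  objid  = val
      if (key == "active") active = val
    }
    END { emit() }
  '
}

# Number of records whose active column is "t".
count_active() { parse_records | awk -F'\t' '$2 == "t"' | wc -l | tr -d ' '; }

# Exit status 0 only when exactly one domain server is active.
check_single_active() {
  local n
  n=$(count_active)
  if [ "$n" -eq 1 ]; then echo "OK: 1 active domain server"; return 0; fi
  echo "FAIL: $n active domain servers (expected exactly 1)"; return 1
}

# Constructed sample: the two records quoted in the post, both active.
SAMPLE_TWO_ACTIVE='-[ RECORD 1 ]---------------+-------------------------------------
objid | 142f23b2-346d-47fb-b800-958e5e85522c
active | t
-[ RECORD 2 ]---------------+-------------------------------------
objid | 60c65504-b312-433d-b42f-0950f4b8f90b
active | t'

# Constructed sample: same records after the secondary is no longer active.
SAMPLE_ONE_ACTIVE='-[ RECORD 1 ]---------------+-------------------------------------
objid | 142f23b2-346d-47fb-b800-958e5e85522c
active | t
-[ RECORD 2 ]---------------+-------------------------------------
objid | 60c65504-b312-433d-b42f-0950f4b8f90b
active | f'

printf '%s\n' "$SAMPLE_TWO_ACTIVE" | check_single_active || true
printf '%s\n' "$SAMPLE_ONE_ACTIVE" | check_single_active || true
```

On the management server, the output of the second `psql_client` query from the post can be piped into `check_single_active` in place of the sample text.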
Hey @Alex-
I recall that a couple of years ago I had similar errors when helping a customer with the upgrade (not Smart-1, mind you); even though it showed the upgrade was allowed, it kept failing. We figured out after 2 times that it would be a good idea to delete some more disk space, and once we did that, it worked fine.
Andy
There's plenty of disk space as there's another dedicated Smart-1 for logging. Deleted some more backups and revisions but it doesn't help.
It might be linked to SK175089 but the fix of that SK doesn't create the file.
We'll follow-up with TAC.
Not sure if that sk might be applicable, but maybe TAC can confirm for sure.
Blink also failed to upgrade several of my management and log server VMs from R81.20 jumbo 98 to R82 jumbo 34 last week. I ended up taking them to R82 with the normal upgrade package, then installing jumbo 34 separately. Both steps went perfectly.
MGMT HA and Log server are not supported with blink yet - should be in the near future
These were two primary managements with no secondary managements. One of them had a separate log server, the other didn't even have that.
Tried this, went well until 97% again. This time it didn't roll back but rebooted. I thought it was done and would start in R82 and go on with the import, but it started again perfectly in R81.20. This box went through all the versions since R80.40 without issues; only this one is challenging.
I guess I'll follow up with TAC.
Annoying, though if it was R80.40, it probably has the partition misalignment which was only fixed in R81.20. I would probably do a 'migrate export', reinstall from scratch, and 'migrate import' on the primary management anyway.
That's what I'd do, but this here is a completely hardware implementation. I can't easily spin up a VM next to the existing one and go from there; furthermore, I have to contend with change management procedures.
As far as we know, we can't image Smart-1 appliances from scratch using, say, a USB stick; we can only make a clean install to the FCD.
Which calls for a rectification of my post: the Smart-1 went from R81, not R80.40; it is the gateways that were on that version. The FCD image on that series is R81.
So the path here would be to migrate_export to an R82 file, test it in an R82 VM to check if it's valid, FCD the Smart-1 to R81, upgrade it to R82 + JHF, make the necessary setup, then import the R82 file if the case doesn't progress quickly enough.
What's preventing you from imaging from scratch? ISOMorphic works on Smart-1 appliances.
It didn't seem to accept the drive I usually use on appliances. I tried only once and not in this scenario, as I need a security clearance to get in that DC and so on. I'd rather have it done via CPUSE for all the reasons. I will follow-up with TAC.
I understand. The downside is that you don't get all the benefits of the R81.20 partitioning changes unless you clean install directly to it. Depending on the model of Smart-1, you might be able to install it via mounting the ISO via the LOM?
That's an option, but they're due for a hardware upgrade anyway, so we'll go along for the time being.
I tried the upgrade again from the base image during off-peak hours and it worked, although it took quite some time. I would think the infrastructure deployment outpaced the initial sizing of these servers.
Possible. The partition misalignment in pre-R81.20 versions also has dramatic performance impact on operations which involve a lot of small files like upgrades and updates. It's really bad on hard drives, but even slows down SSDs noticeably.
The upgrade to R82 also just takes a while. I upgraded an MDS environment yesterday (primary MDS, secondary MDS, two MLMs; upgraded primary, upgraded secondary and one MLM, upgraded second MLM, installed jumbo on MDSs and one MLM, installed jumbo on second MLM), and it took almost five hours even with VMs on really fast storage.
Is your setup MGMT HA?
Please share the SR if possible
Thanks
Yes, HA as far as I understand, Blink should work on the Primary but we need clean install on the Log/Secondary. Or is it something specific to R82?
We will probably try @Bob_Zimmerman's approach in the coming days.
I will send you a PM with the SR.
I tried upgrading relatively new HA primary smart-1 600 using normal clean/upgrade package but it failed after 2 hours of exporting database at 86%.
I see a comment around HA management not being supported but I am guessing this is now resolved?
I will try the blink package with JHF T39 tomorrow; hopefully I won't run into the same issues you did. I recall issues with migrate_import/export when refreshing hardware a couple of months ago, with no real solution from TAC other than using ISOMorphic and GAIA backup/restore.
Was there any error?
Andy
Unfortunately same error. Stuck on DB export at 86%. I did test DB export after with a migrate_server export and this failed. So something is causing an issue with exporting database.
I have a TAC case open but if anyone has any avenues to explore then please let me know.
I know this might be asking for too much and I totally get it if you are not allowed to do it, but if you are, I'm happy to try importing this in the lab. I know WeTransfer is a free platform used to send large files.
Let me know, I am happy to give it a go.
Andy
I very much appreciate the offer, but unfortunately that's not something I could do.
Thank you!
No problem, all I can do is offer hehe : - )
Anyway, you can try the method I used in the post below; that's how I got it working for the Azure mgmt server, I mean the CP server in Azure.
Andy
The inclusion of ignore warning and skip upgrade tools check has not made a difference 😞
Exporting the Management Database
Operation started at Mon Sep 22 07:59:24 BST 2025
Verification failed:
1. Upgrade operation is not supported when a domain has more than one active domain server.
Select one active domain server for each domain and set the rest to standby.
Relevant Domains : Global
Notes:
1. It is recommended to use the latest upgrade tools package. The latest package is installed automatically on online environments, for upgrade of offline environments refer to sk135172.
2. Only latest revision will be upgraded. It is recommended to publish important changes before upgrade. Unpublished changes will be lost.
3. Run the upgrade verification on all servers in your environment before you upgrade.
Operation finished at Mon Sep 22 08:00:27 BST 2025
That's more of an MDS-related error, not migrate server.
Andy
Interesting, as I do not have a multi-domain environment/configuration.
Wait... are you saying it's a single CMA?
It's not a multi-domain environment. Just a standard highly available management environment on Smart-1 600M appliances.
Does it show anything if you run mdsenv?
Andy