Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Andrew-OCD
Contributor
Jump to solution

MDSM R81.10 --> R81.20 Upgrade

Dear Community,

I am looking to upgrade my MDSM from R81.10 JHF Take 110 to the new R81.20.

When I check the CPUSE it is the latest version 2237.

When I check for updates it is no longer showing me the "Major Versions" with R81.20. I only see the following:-

Hotfixes - R81.10 JHF Take 110 installed

Minor Versions (HFAs) - R81.10 SmartConsole BBuilds 418, 414 & 410

Blink Packages - R81.10

- R81.10 MDS + JHF T110 - Available

- R81.10 SM + JHF T110 - Available

- R81.10 MDS + JHF T79 - Downloaded

 

Has something changed because when I check the R81.20 SK173903 page it shows "Upgrading MDSM" use the CPUSE and Major Versions route.

Any suggestions would be greatly appreciated as I do not really want offload and reload all the current Domains and logs.

Best regards

Andrew

0 Kudos
3 Solutions

Accepted Solutions
Martin_Valenta
Advisor

i've did recently MDSM upgrade from r81.10 to r81.20, due to bad partitioning when MDS and MLM were build (system installed over two virtual disks on Dell R730xd) since r80.10 to r81.10 it was not problem, but there is new requirement for partitioning. If you don't see options for r81.20 upgrade, it might be due to that, when you try to import upgrade package from cloud it should appear in your list and then you can run verifier for that package to see what is reason. In my case it required to perform mds_backup, transfer it somewhere, doing clean install of r81.10 + corresponding JHF and mds_restore, then i could see without any interaction that i can upgrade to r81.20 via cpuse..

View solution in original post

0 Kudos
Boaz_Orshav
Employee
Employee

Hi Andrew

  According to logs the issue is:

- Your partitions are not in Check Point standard format, and an upgrade is not possible. Reinstall your system and verify correct partitioning.

  I suggest you contact TAC to get more details regarding what exactly is wrong with the way the system is partitioned.

  Indeed I see it as a problem that the package is not seen - we will fix it so the message will appear only on verify stage

Sorry for the inconvenience

View solution in original post

0 Kudos
Andrew-OCD
Contributor

Ok avid readers, time for the final update.

Successfully managed to migrate the MDSM off the badly provisioned hardware (NOTE: Be very aware of the CORRECT partition requirements!).

I managed with a lot of SCP copying to get all the logs off the MDSM onto the MDLM (only to find that they had also incrorrectly provisioned the hardware - 2 discs instead of the 1 !!).

After getting a new hardware provisioned with the correct partition config I was able, again with many hours of SCP copying of log files, to migrate the MDLM to the valid hardware.

Now that both systems were on valid hardware I was eventually able to upgrade both systems to R81.20. Not easy but with many reboots and a lot of patience, eventually I got there.

Thank you everybody for your support during these difficult times.

 

Best regards

Andrew

View solution in original post

21 Replies
PhoneBoy
Admin
Admin

As far as I know this should still be possible.
Recommend a TAC case here: https://help.checkpoint.com

0 Kudos
G_W_Albrecht
Legend Legend
Legend

I have heard that CP suggests to wait with an R81.20 upgrade at least until the next Jumbo HF 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
khodgson_bts
Contributor

Edit: Sorry, ignore me. I just noticed they're still the R81.10 packages.

 

Can't the Blink packages be used to do an upgrade?

0 Kudos
Bob_Zimmerman
Authority
Authority

Are you using a Smart-1, an open server, or a VM of some kind?

Check Point cuts off support for their own hardware really quickly and artificially prevents newer versions from being installed on it, even if the hardware is more than capable of running the software version. R81.20 won't install on any of the 2014 Smart-1 units (205, 210, 225, 3050, 3150).

0 Kudos
Andrew-OCD
Contributor

This is all running on an Open Server - VMWare ESXi environment.

I have my own lab environment where I tested this and in the lab environment I still had the R81.20 after installing the JHF T110. However, in my lab environment it is complaining:-

No Partial Domain Verification

The following objects do not have a Legacy Server in the database - this indicates that there is a partial domain in the database which should be fixed prior to the upgrade (refer to sk113134).

The problem now is that the SK says contact Check Point and this is my lab environment so I am now going round in circles to find a way to get support.

0 Kudos
the_rock
Legend
Legend

Well, they definitely wont help you if its a lab. Can you not just reinstall it?

 

Andy

0 Kudos
Andrew-OCD
Contributor

Dear Andy,

 

The whole point of using the LAB environment was to test the different aspects when importing the 3 different domains into the MDSM.

Now the idea was to test the upgrade on the LAB environment to see if there was anything weird and there was.

Now I have tried to restore from a backup but I get even more problems since there are different IP addresses in the LAB compared to the Production.

I have to admit to starting to think about the non-ideal solution: Install a fresh R81.20 MDS and try to restore into it the R81.10 MDS but I do not like this solution at all.

Best regards

Andy

0 Kudos
the_rock
Legend
Legend

Well, R81.20 would not restore into R81.10, as versions are different. I see @Boaz_Orshav asked you couple of weeks ago to send him the logs? Did you ever end up doing that?

Cheers,

Andy

0 Kudos
Andrew-OCD
Contributor

I just sent them over.

I meant to export the R81.10 Production environment and import into the fresh install f R81.20.

But as I say this is not a preferred option since it will lose some of the logs since everything is running on a single machine at the moment.

0 Kudos
the_rock
Legend
Legend

Well, its an option, though you are right, probably not the optimal one...

Andy

0 Kudos
the_rock
Legend
Legend

I would verify with TAC, because I remember when I had mds lab in R81.10, it gave all packages to upgrade to R81.20

Andy

0 Kudos
Andrew-OCD
Contributor

Yep in the LAB it appeared to be fine.

0 Kudos
Boaz_Orshav
Employee
Employee

Hi

  Can you please send me the tgz created by running "da_cli collect_logs" to boazo@checkpoint.com ?

  When a package is not seen on the CPUSE page it is might be because it fails a validation and I'd like to take a look at the logs to understand which validation failed.

0 Kudos
Andrew-OCD
Contributor

Dear,

I have sent over a link to a large transfer site where you can download the logs file.

Best regards

Andy

0 Kudos
Martin_Valenta
Advisor

i've did recently MDSM upgrade from r81.10 to r81.20, due to bad partitioning when MDS and MLM were build (system installed over two virtual disks on Dell R730xd) since r80.10 to r81.10 it was not problem, but there is new requirement for partitioning. If you don't see options for r81.20 upgrade, it might be due to that, when you try to import upgrade package from cloud it should appear in your list and then you can run verifier for that package to see what is reason. In my case it required to perform mds_backup, transfer it somewhere, doing clean install of r81.10 + corresponding JHF and mds_restore, then i could see without any interaction that i can upgrade to r81.20 via cpuse..

0 Kudos
Boaz_Orshav
Employee
Employee

Hi Andrew

  According to logs the issue is:

- Your partitions are not in Check Point standard format, and an upgrade is not possible. Reinstall your system and verify correct partitioning.

  I suggest you contact TAC to get more details regarding what exactly is wrong with the way the system is partitioned.

  Indeed I see it as a problem that the package is not seen - we will fix it so the message will appear only on verify stage

Sorry for the inconvenience

0 Kudos
Andrew-OCD
Contributor

Dear,

After working with a TAC engineer we were able to find the Partial domain Verification error and fix it by editing the DB.

For the partition problem you are absolutely right I will need to perform a backup and then install a fresh R81.10 with the correct partition then restore into it.

In the mean time I decided to install a dedicated MDS Log Server so I could offload the logs from the system so that we do not lose them, however, this is now posing a small problem associated with establishing the SIC and I am looking through the support sites for suggestions on how to address this. I will continue my search and if I can't find anything I will open a new post here on Check Mates so I can clearly share my solution with all.

Thanks for all of your support so far fellow Check Mates.

I will come back to you all once I have had the chance to try the upgrade in the LAB.

Best regards

Andy

the_rock
Legend
Legend

Thanks for the update @Andrew-OCD 

0 Kudos
Andrew-OCD
Contributor

OK time for an update.

I found out that the CPCA was not running on the main MDS in the MDSM server. This was probably due to the fact that I had to stop the MDS for changing the IPs. To fix this problem I performed a full "mdsstop" and "mdsstart" then monitored to see that everything came back to normal and it did.

I managed to create the new Multi-Domain Log Server and all of it's needed Domain Log Servers.

Now for the fun part: trying to get the logs transferred from the MDSM over to the Domain Log Servers before cleaning and performing the upgrade.

0 Kudos
Andrew-OCD
Contributor

Ok avid readers, time for the final update.

Successfully managed to migrate the MDSM off the badly provisioned hardware (NOTE: Be very aware of the CORRECT partition requirements!).

I managed with a lot of SCP copying to get all the logs off the MDSM onto the MDLM (only to find that they had also incrorrectly provisioned the hardware - 2 discs instead of the 1 !!).

After getting a new hardware provisioned with the correct partition config I was able, again with many hours of SCP copying of log files, to migrate the MDLM to the valid hardware.

Now that both systems were on valid hardware I was eventually able to upgrade both systems to R81.20. Not easy but with many reboots and a lot of patience, eventually I got there.

Thank you everybody for your support during these difficult times.

 

Best regards

Andrew

the_rock
Legend
Legend

Good job! Thanks for the update.

Cheers,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events