- CheckMates
- :
- Products
- :
- Quantum
- :
- Management
- :
- Re: MDSM R81.10 --> R81.20 Upgrade
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MDSM R81.10 --> R81.20 Upgrade
Dear Community,
I am looking to upgrade my MDSM from R81.10 JHF Take 110 to the new R81.20.
When I check the CPUSE it is the latest version 2237.
When I check for updates it is no longer showing me the "Major Versions" with R81.20. I only see the following:-
Hotfixes - R81.10 JHF Take 110 installed
Minor Versions (HFAs) - R81.10 SmartConsole BBuilds 418, 414 & 410
Blink Packages - R81.10
- R81.10 MDS + JHF T110 - Available
- R81.10 SM + JHF T110 - Available
- R81.10 MDS + JHF T79 - Downloaded
Has something changed because when I check the R81.20 SK173903 page it shows "Upgrading MDSM" use the CPUSE and Major Versions route.
Any suggestions would be greatly appreciated as I do not really want offload and reload all the current Domains and logs.
Best regards
Andrew
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i've did recently MDSM upgrade from r81.10 to r81.20, due to bad partitioning when MDS and MLM were build (system installed over two virtual disks on Dell R730xd) since r80.10 to r81.10 it was not problem, but there is new requirement for partitioning. If you don't see options for r81.20 upgrade, it might be due to that, when you try to import upgrade package from cloud it should appear in your list and then you can run verifier for that package to see what is reason. In my case it required to perform mds_backup, transfer it somewhere, doing clean install of r81.10 + corresponding JHF and mds_restore, then i could see without any interaction that i can upgrade to r81.20 via cpuse..
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Andrew
According to logs the issue is:
- Your partitions are not in Check Point standard format, and an upgrade is not possible. Reinstall your system and verify correct partitioning.
I suggest you contact TAC to get more details regarding what exactly is wrong with the way the system is partitioned.
Indeed I see it as a problem that the package is not seen - we will fix it so the message will appear only on verify stage
Sorry for the inconvenience
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok avid readers, time for the final update.
Successfully managed to migrate the MDSM off the badly provisioned hardware (NOTE: Be very aware of the CORRECT partition requirements!).
I managed with a lot of SCP copying to get all the logs off the MDSM onto the MDLM (only to find that they had also incrorrectly provisioned the hardware - 2 discs instead of the 1 !!).
After getting a new hardware provisioned with the correct partition config I was able, again with many hours of SCP copying of log files, to migrate the MDLM to the valid hardware.
Now that both systems were on valid hardware I was eventually able to upgrade both systems to R81.20. Not easy but with many reboots and a lot of patience, eventually I got there.
Thank you everybody for your support during these difficult times.
Best regards
Andrew
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I know this should still be possible.
Recommend a TAC case here: https://help.checkpoint.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have heard that CP suggests to wait with an R81.20 upgrade at least until the next Jumbo HF 8)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Edit: Sorry, ignore me. I just noticed they're still the R81.10 packages.
Can't the Blink packages be used to do an upgrade?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using a Smart-1, an open server, or a VM of some kind?
Check Point cuts off support for their own hardware really quickly and artificially prevents newer versions from being installed on it, even if the hardware is more than capable of running the software version. R81.20 won't install on any of the 2014 Smart-1 units (205, 210, 225, 3050, 3150).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is all running on an Open Server - VMWare ESXi environment.
I have my own lab environment where I tested this and in the lab environment I still had the R81.20 after installing the JHF T110. However, in my lab environment it is complaining:-
No Partial Domain Verification
The following objects do not have a Legacy Server in the database - this indicates that there is a partial domain in the database which should be fixed prior to the upgrade (refer to sk113134).
The problem now is that the SK says contact Check Point and this is my lab environment so I am now going round in circles to find a way to get support.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, they definitely wont help you if its a lab. Can you not just reinstall it?
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Andy,
The whole point of using the LAB environment was to test the different aspects when importing the 3 different domains into the MDSM.
Now the idea was to test the upgrade on the LAB environment to see if there was anything weird and there was.
Now I have tried to restore from a backup but I get even more problems since there are different IP addresses in the LAB compared to the Production.
I have to admit to starting to think about the non-ideal solution: Install a fresh R81.20 MDS and try to restore into it the R81.10 MDS but I do not like this solution at all.
Best regards
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, R81.20 would not restore into R81.10, as versions are different. I see @Boaz_Orshav asked you couple of weeks ago to send him the logs? Did you ever end up doing that?
Cheers,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just sent them over.
I meant to export the R81.10 Production environment and import into the fresh install f R81.20.
But as I say this is not a preferred option since it will lose some of the logs since everything is running on a single machine at the moment.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, its an option, though you are right, probably not the optimal one...
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would verify with TAC, because I remember when I had mds lab in R81.10, it gave all packages to upgrade to R81.20
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep in the LAB it appeared to be fine.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Can you please send me the tgz created by running "da_cli collect_logs" to boazo@checkpoint.com ?
When a package is not seen on the CPUSE page it is might be because it fails a validation and I'd like to take a look at the logs to understand which validation failed.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear,
I have sent over a link to a large transfer site where you can download the logs file.
Best regards
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i've did recently MDSM upgrade from r81.10 to r81.20, due to bad partitioning when MDS and MLM were build (system installed over two virtual disks on Dell R730xd) since r80.10 to r81.10 it was not problem, but there is new requirement for partitioning. If you don't see options for r81.20 upgrade, it might be due to that, when you try to import upgrade package from cloud it should appear in your list and then you can run verifier for that package to see what is reason. In my case it required to perform mds_backup, transfer it somewhere, doing clean install of r81.10 + corresponding JHF and mds_restore, then i could see without any interaction that i can upgrade to r81.20 via cpuse..
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Andrew
According to logs the issue is:
- Your partitions are not in Check Point standard format, and an upgrade is not possible. Reinstall your system and verify correct partitioning.
I suggest you contact TAC to get more details regarding what exactly is wrong with the way the system is partitioned.
Indeed I see it as a problem that the package is not seen - we will fix it so the message will appear only on verify stage
Sorry for the inconvenience
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear,
After working with a TAC engineer we were able to find the Partial domain Verification error and fix it by editing the DB.
For the partition problem you are absolutely right I will need to perform a backup and then install a fresh R81.10 with the correct partition then restore into it.
In the mean time I decided to install a dedicated MDS Log Server so I could offload the logs from the system so that we do not lose them, however, this is now posing a small problem associated with establishing the SIC and I am looking through the support sites for suggestions on how to address this. I will continue my search and if I can't find anything I will open a new post here on Check Mates so I can clearly share my solution with all.
Thanks for all of your support so far fellow Check Mates.
I will come back to you all once I have had the chance to try the upgrade in the LAB.
Best regards
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the update @Andrew-OCD
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK time for an update.
I found out that the CPCA was not running on the main MDS in the MDSM server. This was probably due to the fact that I had to stop the MDS for changing the IPs. To fix this problem I performed a full "mdsstop" and "mdsstart" then monitored to see that everything came back to normal and it did.
I managed to create the new Multi-Domain Log Server and all of it's needed Domain Log Servers.
Now for the fun part: trying to get the logs transferred from the MDSM over to the Domain Log Servers before cleaning and performing the upgrade.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok avid readers, time for the final update.
Successfully managed to migrate the MDSM off the badly provisioned hardware (NOTE: Be very aware of the CORRECT partition requirements!).
I managed with a lot of SCP copying to get all the logs off the MDSM onto the MDLM (only to find that they had also incrorrectly provisioned the hardware - 2 discs instead of the 1 !!).
After getting a new hardware provisioned with the correct partition config I was able, again with many hours of SCP copying of log files, to migrate the MDLM to the valid hardware.
Now that both systems were on valid hardware I was eventually able to upgrade both systems to R81.20. Not easy but with many reboots and a lot of patience, eventually I got there.
Thank you everybody for your support during these difficult times.
Best regards
Andrew
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good job! Thanks for the update.
Cheers,
Andy
