Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Patrick_Hanel
Participant

Running R80.20 pre-upgrade verifier on a MDS

Geatings o'mighty Checkmates

Reading through all the upgrade, limitations and known issues documentation, I got stuck on this:

In the R80.20 installation and upgrade guide it states that you need to do mdstop before running the pre-upgrade verifier.

I get cautious and paranoid when this needs to be done on a mds with multiple domains and gateways.

I couldn't find any explanation why this needs to be done and can it be avoided, if avoided what "scary-end-of-the-world" -issues will surface. Is it enough that Dashboard/ssh/Webgui connections to the mds and domains are blocked?

--Patrick

0 Kudos
6 Replies
G_W_Albrecht
Legend
Legend

I do not understand you fears - to cpstop a GW will stop all traffic to and from the Internet, but cpstop on SMS / MDS will only stop services independant from the GW(s). You will not be able to install policy before you have issued cpstart, but that is all . I assume that the verifier needs to access some files usually open by CP processes or daemons. No harm in that...

Only helpfull additional hint i can give here is to make sure that all Dashboard Users are logged out from MDS before you issue cpstop to prevent corruption.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Patrick_Hanel
Participant

There has been issues with VPN's when the management is down. Gateways haven't been able to do CRL checks from the ICA, that has caused VPN issues.

Maybe I'm too paranoid, but I have had my share of "horror errors" 

0 Kudos
G_W_Albrecht
Legend
Legend

This kind of paranoia is really not bad and may actually safe you from harm ! But as the pre-upgrade verifier will not take very long this should be acceptable, if it needs to, in a maintenance window.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Petr_Hantak
Advisor
Advisor

Actually this is a good point regarding CRL checks and VPN issues. On the other hand it is not taking so long time and in case you are able to find not so busy period for VPN traffic during day time. Then it could be a good to plan maintenance window there and take those steps.

0 Kudos
G_W_Albrecht
Legend
Legend

Also, loading CRL for internal CP SA is not so very necessary 😉 It will sometimes just be disabled following sk21156.

CCSE CCTE CCSM SMB Specialist
JozkoMrkvicka
Mentor
Mentor

VPNs go down within 24 hours after primary Security Management server goes down 

But you will lost VPNs in case you have only 1 management server available (Primary), or in "Fetch Policy" tab you have only 1 management selected.

Kind regards,
Jozko Mrkvicka

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events