Alex Lam

MDS R77.30 upgrade to R80.10

Discussion created by Alex Lam on Oct 14, 2018
Latest reply on Oct 16, 2018 by Yair Shahar

Hello

 

I see that there are few discussion on this topic, some being successful(but with some fixing) and some hit a brick wall.

 

We are one of them, hitting the brick wall. This is not a smooth upgrade compare to the older versions... #sigh

There were few things to fix, that is removing SCTP service/protocol which is ok, then there are fixing the DHCP legacy protocols/ports and then update IPS definition which we have IPS turned off. 

This is quite frustrating and not a smooth upgrade. 

 

Here’s the error that we got

 

Warnings: It is recommended to resolve the following problems.

==============================================================

 

 

Title: Legacy DHCP Relay Services - Change in behavior in R80 and higher.

-----

* Description: Legacy DHCP Relay services were found in the security rule base. Action is required in order for DHCP Relay to function properly post-upgrade.

 

Two possible options to solve the problem:

1). Remove legacy DHCP Relay services and add new DHCP Relay services. See sk104114 for instructions. This is the recommended action if managing only R77.20 gateways and above.

2). Keep legacy DHCP Relay services and make changes to the Gateways and the Security Management Servers. See sk98839 for instructions. Do this if managing any gateways which are older than R77.20.

 

Legacy DHCP Relay service(s):

bootp, bootps, dhcp-relay, dhcp-rep-localmodule, dhcp-req-localmodule

 

Some of the legacy DHCP Relay service(s) are members of the following rulebase(s):

Policy ##Firewall, rules: 1, 2, 3.

 

For more information, see sk104114 or sk98839.

 

 

Title: Deactivate IPS protections by categories

-----

* Description: Deactivating IPS protections by categories will be supported for pre R80 gateways only.

 

When using the profile with R80.10 gateway it will not be supported.

We recommend you to move to the new tag based activation for IPS protections

 

Profile name:

Default_Protection

 

So now, we have rollback to R77.30 with the new DHCP protocols as per SKs.

Now, the problem is that, there are few services are broken using the new DHCP protocols and we have to re-roll back to the legacy DHCP.

In R80.10 or R80.20, how would this be addressed?

 

TAC was already raised. 

We were following the steps described as per installation and upgrade guide of R80.10 which is similar to the method that we did the upgrade from previous versions, e.g. R67 -> R75 -> R77 using ./mdsseup export and migrate import.

 

high level,  from R77.30 -> R80.10: 

- Using ./mdssetup, export, fix whatever the error message it spills out

- Once all done, Using migrate import

 

Regards

Alex

Outcomes