seanmc12
Contributor

Upgrade CP Management/Log Server without disconnecting clients from the GWs

I am upgrading my FWs tomorrow. I am planning to upgrade the Management, then the log servers, then the Gateways. Someone told me at work that I can't upgrade the Mgmt server or log servers without disconnecting clients. Can anyone verify? I think I have upgraded the mgmt servers in the past without disconnecting users from the Gateways.

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend

100% you can. Clients don't VPN into log or mgmt server, but the gateways.

Best,

Andy


(1)
23 Replies
seanmc12
Contributor

That is exactly what I thought....but, I was talking to their tech support about something else...on chat... and the tech told me to call in to verify because clients WILL get disconnected from the security gateway if I upgrade the management server. So frustrating. So...now I'm calling in to verify that it won't impact clients.

0 Kudos
the_rock
Legend

Not sure why he would tell you that. In 16 years dealing with CP I must have done 100+ upgrades, at least, NEVER had an issue where upgrading mgmt server would have caused this problem.

Best,

Andy

0 Kudos
Chris_Atkinson
Employee

SmartConsole users will need to be disconnected from Mgmt prior. Which type of clients do you have connecting?

Note you can temporarily disable CRL checks if the Management is planned to be offline for an extended period.

CCSM R77/R80/ELITE
0 Kudos
seanmc12
Contributor

The only clients connecting are those connecting via VPN to the Gateways. I'm thinking their Chat Tech is giving me the wrong info. I should be able to upgrade the Mgmt and Log servers without affecting User client connections to the GWs.

the_rock
Legend

100% he is giving you the WRONG info

Best,

Andy

0 Kudos
seanmc12
Contributor

Thanks man. Lots of boxes to check on this and the right info is pretty key. Happy Holidays to .

the_rock
Legend

Here comes my corny joke, last time for 2023 lol

For you mate, no charge...EXCEPT iPhone charge. You don't need to laugh -:)

Best,

Andy

0 Kudos
JozkoMrkvicka
Authority

In case you will upgrade management: Clients will be disconnected from MANAGEMENT ONLY, NOT from the gateways.

In case you will upgrade gateways: depending on the gateway's current version, it might be possible that clients will be disconnected from the upgraded GATEWAY. If management is connected behind the same affected gateway, then clients from management will also be disconnected.

Please double-check drawings/topology of what is in place to avoid surprises. Proper and up-to-date documentation is key 😉

Kind regards,
Jozko Mrkvicka
the_rock
Legend

All valid points @JozkoMrkvicka 

Best,

Andy

0 Kudos
Chris_Atkinson
Employee
0 Kudos
Amir_Senn
Employee

Not only will it not disconnect users (if admins have a session open to a server that is going to be upgraded, naturally that ongoing session will be disconnected), but if you have more than 1 log server you can totally avoid local logging on the GW.

Kind regards, Amir Senn
JozkoMrkvicka
Authority

Your statement about local logging is not correct. If one of the configured log servers is down, the gateway starts to log locally even if the second log server is up and logs are being sent there.

Kind regards,
Jozko Mrkvicka
Tomer_Noy
Employee

If you used the "Distribute Logs" check box in the log servers configuration page on the gateway / cluster editor, the logs will simply be sent to the available log server when one goes down, without logging locally.

This is a feature from R81 and very useful for better load handling of logs, and log resiliency.

the_rock
Legend

100% true, had customer scenario as such recently.

Best,

Andy

0 Kudos
Lloyd_Braun
Collaborator

That is very interesting. That SK says it is "expected behavior" and they are going to change it in the future but it seems more like a bug to me. Certainly not what I would expect/not intuitive that it would behave that way.

JozkoMrkvicka
Authority

My assumption is that they "fixed" it by the "Dynamic log distribution" feature which Tomer mentioned above, but forgot to update the SK.

Kind regards,
Jozko Mrkvicka
(1)
the_rock
Legend

That makes total sense @JozkoMrkvicka 

Best,

Andy

0 Kudos
JozkoMrkvicka
Authority

The relevant article about local logging has been updated 🙂 Now it is crystal clear when the gateway starts to log locally.

Without Dynamic Log Distribution, when the Primary Log Server is down, the Backup Server works with ...

Kind regards,
Jozko Mrkvicka
Amir_Senn
Employee

Kind regards, Amir Senn
0 Kudos
the_rock
Legend

@Amir_Senn 🤣🤣🤣🤣

0 Kudos
Lloyd_Braun
Collaborator

serenity now!! 😆😆

the_rock
Legend