Bigip Update Upgrade Guide
Bigip Update Upgrade Guide
Bigip Update Upgrade Guide
Overview
This document guides you through the steps to update or upgrade your BIG-IP system.
Once you have tested and certified a release of BIG-IP code for deployment, there are six main steps for updating or upgrading your
BIG-IP systems:
However, the steps are likely to be nuanced based on deployment environment and deployment configuration. The deployment
environment is defined based on whether BIG-IP is installed in BIG-IP systems (such as iSeries), as BIG-IP VE software, in BIG-IP
VIPRION, or as BIG-IP on virtual machines offered by major cloud providers (AWS, Azure and Google Cloud Platform).
The update and upgrade processes are almost identical for BIG-IP systems and BIG-IP VE software, however additional steps and
variations arise when performing updates or upgrades on VIPRION or in a public cloud environment. The deployment configuration
refers to whether BIG-IP is deployed as a standalone instance or a high availably (HA) pair.
You have the choice of using the BIG-IP Configuration utility or the TMOS Shell to perform the update or upgrade. Where applicable,
this guide includes procedures for both the Configuration utility and the TMOS shell.
Deployment Guide version 1.1 (see Document Revision History on page 85)
Note: Make sure you are using the most recent version of this deployment guide, available at
https://www.f5.com/pdf/deployment-guides/bigip-update-upgrade-guide.pdf
To provide feedback on this deployment guide or other F5 solution documents, contact us at [email protected].
Contents
Deployment-Based Navigation Guide 3
Section 1: Overview 4
Reasons to keep your BIG-IP up-to-date 4
Microsoft Azure 49
Section Section
1 7
Section Updating or upgrading
VIPRION HA Pair 4 BIG-IP on VIPRION
HA pair
Overview Advanced tools
and automation
2 8
Section Updating or upgrading
h U
nless specifically noted, performing the procedures in this guide should not have a negative impact on the BIG-IP system.
The procedures where there may be a impact are marked with "Impact of Procedure:" and a description.
h T
here are a number of links to resources on websites that are not owned or controlled by F5. While we do our best to
consistently check links, the third-party could remove or change these links without our knowledge.
h F
or a current list of F5 trademarks and service marks, see http://www.f5.com/about/guidelines-policies/trademarks/.
All other product and company names in this document may be trademarks of their respective owners.
h See Section 8: Top 10 recommended practices for keeping your BIG-IP up-to-date on page 80 for advice on keeping
your BIG-IP current.
h T
his guide contains a number of links to F5 Knowledge Base articles that you can visit to get additional information. It may
be useful to view this PDF while online so you can access some of this additional information.
The challenge is that traditional applications tend to be quite brittle because they have been developed in languages that are no
longer widely known, traffic patterns to those applications have changed, or the security vulnerabilities in these applications remain
unaddressed.
For most organizations, the priority around traditional applications is to maximize operational efficiency and minimize the total cost
of ownership. To deliver and protect an older application and get the most out of it, you need a flexible wrapper or a scaffolding with
application security and delivery technology that can solve the issues in the application itself.
This is done by integrating application delivery with application security, using programmability around application services to fill
the gaps in the application itself, and pushing the boundaries on automation. To make all this work together to its full potential, it is
important to invest the time and resources to ensure you are running the latest versions and getting the latest capabilities, and ensure
the shielding around those fragile traditional applications do not become as fragile as the traditional application itself.
h R
educe TCO by decreasing the cost of monitoring, managing and troubleshooting BIG-IP systems by keeping them up to
date and consistent across the full estate.
h M
itigate business disruption risks by ensuring that BIG-IP systems powering mission critical apps have the latest bug
fixes, security updates and performance enhancements.
h Increase business agility by driving more automation and consolidating application delivery and application security based
on a best of suite approach.
For operators
h S
implify operations by standardizing on a common version across the entire estate of BIG-IP installations and adopting
consistent operation models across the enterprise.
h Increase automation and respond to business needs quickly by taking advantage of the improved programmatic interfaces,
API enhancements and management tool capabilities.
h Keep systems secure by ensuring the latest security improvements, critical fixes and vulnerability mitigates are deployed.
h Improve application delivery performance and reliability by taking advantage of the bug fixes, performance
improvements, scale optimizations and hardware support.
h Get access to new features across application delivery and application security to improve the digital experiences.
h Upgrades:
This involves moving to versions that introduce new features, new hardware support, or specific performance
improvements. An upgrade involves installing software with a more recent major release version or minor release version
(for example, upgrading from 14.1.3 to 15.1.2.1). This is also referred to as moving to a more recent code branch.
Software Release
Description Requirements Installation Considerations
Type
Upgrade
Significant new functionality and changes to -A
ssess whether the new functionality
Major release
default behavior applies to your environment.
Upgrade required to move to new
Material new functionality and changes to major releases
Minor release -P
lan for certification, validation, and
default behavior maintenance windows.
Update
-M
ay not require certification and validation
Maintenance release Includes only vulnerability fixes, defect fixes, steps because there are no changes in
potentially new diagnostic supportability Update required to move to new default behavior in the release.
improvements, minor functional improvements, maintenance releases
Point release and new hardware support - Install critical updates with security fixes in
an expeditious manner.
Note T
he four-digit format including point release was first introduced December 19, 2017 with the release of BIG-IP
13.1.0.1. Point release replaces the previous method of using HF to note the hotfix version. For example, a hotfix
previously designated as 13.1.0 HF1, is now designated as 13.1.0.1. Security advisory status tables may include both
formats, depending on the BIG-IP versions affected.
• T
he destination partition can be absent (installing to a new partition), it can hold a different major or minor release
(overwriting old partition) or it can have the base release/hotfix/point release on which the engineering hotfix is based.
Regardless of the state of the destination, the installation requirements for an engineering hotfix remain the same.
• E
ngineering hotfix images always require the base image from which it is created to be present in the image files (located in
/shared/images) along with the engineering hotfix image file. This because they are considering partial installation files and
consequently need the base image to be present to complete an installation. Using the example above, the hotfix must be
copied to BIG-IP alongside the 12.1.5.3 base ISO.
Point releases include the full software (which replaced hotfixes for 13.1.0.1+), so you do not need to have a base image.
For more information on installing Engineering hotfixes, see K13123: Managing BIG-IP product hotfixes and K55025573: Engineering
hotfix installation overview.
F5 recommends that customers continuously update or upgrade their BIG-IP software to take advantage of vulnerability fixes,
hardening, and new functionality in the latest released versions.
• L
ong-Term Stability Release versions have 1 for their minor release number (x.1.x), and they are not available for a period of
time after a major release (x.0.x).
• The latest maintenance release of a Long-Term Stability Release version (x.1.latest) can be between x.1.0 and x.1.n.
We recommend you review K5903: BIG-IP software support policy so that you know:
• Which BIG-IP versions currently have Long-Term Stability Release versions (x.1.x) or only major release versions (x.0.x).
• The latest maintenance release for each Long-Term Stability Release version (x.1.latest) or major release version (x.0.latest).
• T
he date when each BIG-IP version reaches—or has already reached—End of Software Development (EoSD) and End of
Technical Support (EoTS).
We also recommend you review K8986: F5 software lifecycle policy for complete details on the definitions of each release type, and
the duration of time that F5 supports major release and Long-Term Stability Release versions.
You must determine which software release best meets the needs of your specific environment. The best practice is to regularly
update to the most recent maintenance release and latest point release, if applicable, for each Long-Term Stability Release version.
This ensures you have the latest security fixes and maximum stability, as updating to a maintenance or point release will not introduce
a change in existing default behavior for that Long-Term Stability Release version.
Note T
o ensure you have the most advanced features, new protocol support, and security capabilities, F5 recommends that
you update or upgrade your BIG-IP appliances to at least BIG-IP 14.1.0 and your BIG-IP VEs to at least BIG-IP 15.1.0.
For more information, see the release notes for BIG-IP 14.1.0 and BIG-IP 15.1.0.
You can also refer to F5 iHealth for general update or upgrade suggestions (requires an account). From https://ihealth.f5.com/, click
the QKView, then click to Status > Overview if necessary. In the Diagnostic section, look at the Evaluation row. There you see
general update and upgrade suggestions.
F5 recommends you review the release notes for the release you select for details about new features, release fixes, behavior
changes, and known issues, module combination and memory considerations, and additional user documentation for the release. See
https://support.f5.com/csp/knowledge-center/software/BIG-IP and select your product module and version.
Also see Section 8: Top 10 recommended practices for keeping your BIG-IP up-to-date on page 80 for F5 recommended steps for
keeping your BIG-IP current.
h B
IG-IP hardware platforms
Hardware platforms have a model name and a platform type. Additionally, you must know if you have a BIG-IP hardware
platform, or BIG-IP hardware platform with the Virtual Clustered Multiprocessing (vCMP) module.
To determine your BIG-IP model and platform type, see K13144: Determining the BIG-IP model and platform type.
h B
IG-IP VE platforms
There are two types of BIG-IP Virtual Edition (VE) platforms: cloud type and hypervisor type.
h F
or BIG-IP hardware platforms
Refer to K9476: The F5 hardware/software compatibility matrix.
If you are upgrading a vCMP host or guest, to determine the BIG-IP software versions that are compatible between your
hosts and guests, refer to K14088: vCMP host and compatible guest version matrix.
h F
or BIG-IP VE platforms
If you have a BIG-IP VE cloud, refer to Cloud platforms: BIG-IP VE supported platforms on clouddocs.f5.com.
If you have BIG-IP VE hypervisor, refer to Hypervisors: BIG-IP VE supported platforms on clouddocs.f5.com.
Successfully updating or upgrading the BIG-IP system requires some planning and preparation, such as checking the current health of
the system and backing up the configuration to a safe place on your network. Some steps are optional but recommended to ensure a
better experience. Failure to perform these procedures may lead to unexpected down time and extended maintenance windows.
• T
he time required to complete the reboot into the new boot location. During this time, the active BIG-IP has no backup.
When the active BIG-IP becomes unavailable before the standby completes rebooting, traffic is down until at least one
BIG-IP comes up.
• T
he time required to confirm all the services are running as expected. For example, it is possible that after the failover, your
network drops some gratuitous ARP (GARP) announcements and keeps forwarding some IP addresses to the BIG-IP that
are no longer active. For more information, refer to K7332: GARPs may be lost after a BIG-IP failover event. The more virtual
addresses you configured under the BIG-IP, the more time it usually takes to confirm they all are operational.
• T
he time required to roll back to the previous boot location. After an update or upgrade, if your applications are not functioning
as expected, you may need to restore services before you can begin troubleshooting.
Prerequisites
You must meet the following prerequisites to use the procedures in this section.
• Y
ou have access to the Configuration utility and the command line: (TMOS Shell (tmsh) and the Advanced shell (bash)). For
information about accessing TMSH, see K12029: Accessing the TMOS Shell.
Note C
onfirm local admin and root user passwords before you begin in case you have to perform troubleshooting
during the process.
• Y
ou installed SSH and secure copy protocol (SCP) client utilities on your local computer to access the BIG-IP system. Linux
and Mac OS systems typically already have these utilities installed, but Windows users must install third party tools such as
PuTTY and WinSCP.
For more information about transferring files, see K175: Transferring files to or from an F5 system.
2. From the BIG-IP Product Family, select the appropriate Product Line, such as BIG-IP v16.x.
3. From the drop-down list at the top of the page, ensure the proper version is selected (the latest version appears by default).
5. On the EULA page, click I Accept to accept the end user license agreement.
6. O
n the Select a Download page, click the appropriate ISO (such as BIGIP-16.0.1-0.0.3.iso) and MD5 (such as BIGIP-
16.0.1-0.0.3.iso.md5). The checksum file is a text file that contains the calculated checksum value for the corresponding
image file.
7. Click the download location closest to your physical location. The file downloads.
This procedure depends on whether you are using a Windows or Mac OS/Linux system.
Windows systems
On Windows 7 and later, use the certutil utility to generate a hash checksum. See certutil for more information on this application.
1. F
rom the Windows Command prompt (cmd), use the cd command to change directories to where you downloaded the BIG-IP
update or upgrade image and MD5 checksum file. For example: c:\Users\JohnDoe>cd Desktop.
The hash string from the certutil utility should be identical to the hash string value provided in the MD5 text file, as seen in this
example.
1. F
rom a command terminal, use the cd command to change directories to where you downloaded the BIG-IP update or upgrade
image and MD5 checksum file.
2. U
se the following command syntax to calculate the BIG-IP image checksum and compare to the MD5 checksum file:
md5sum <image_file.iso> && cat <image_file.iso.md5>
For example:
md5sum BIGIP-16.0.1-0.0.3.iso && cat BIGIP-16.0.1-0.0.3.iso.md5
The output appears similar to the following:
6760c417c853f73def9aeb7f9773667c BIGIP-16.0.1-0.0.3.iso
6760c417c853f73def9aeb7f9773667c BIGIP-16.0.1-0.0.3.iso
The hash string from the md5sum utility should be identical to the hash string value provided in the MD5 text file, as seen in this
example.
To generate a QKView file, see Generating a QKView file for upload to F5 iHealth on page 81.
3. Click Create.
4. In the File Name box, type a unique name for the UCS file.
5. Optional: If you want to encrypt the UCS archive file, from the Encryption list, select Enabled. Type and confirm a passphrase.
You must supply this passphrase to restore the encrypted UCS archive file.
6. Optional: If you want to exclude SSL private keys from the UCS archive, from the Private Keys list select Exclude.
7. Clicked Finished.
10. Click the name of the UCS file you just created.
11. Click Download: <filename.ucs> to download the UCS file, then save to a secure remote location.
For instructions, see Creating a backup of the root crontab file on page 82.
Verify the service check date of your license using the following procedure.
2. Use one of the following commands to view the service check date of your license:
• TMSH
tmsh show sys license | grep "Service Check Date"
• Advanced shell:
grep "Service check date" bigip.license
3. You see the output similar to the following based on how you ran the command:
• TMSH
Service Check Date 2020/06/07
• Advanced shell:
Service check date : 20200607
The date format is year-month-day, so this example output is June 7, 2020.
4. C
ompare the output from step 2 to the license check date for your BIG-IP version based on the License Check Date in K7727:
License activation may be required before a software upgrade for the BIG-IP or Enterprise Manager system. If the service check
date is earlier than the License Check date, you need to reactivate your license.
i Important T
he license reactivation process may reload the configuration and temporarily interrupt traffic processing. F5
recommends performing this procedure during a scheduled maintenance window.
2. From the navigation pane, click System > License > Re-activate.
3. If your system has outbound Internet access, in the Activation Method row, select Automatic.
If your system does not have Internet access to the F5 license server, you must use Manual.
From the BIG-IP command line, run the following command: tmsh save sys config. The system confirms the configuration has been
saved.
Performing a test restart of the BIG-IP system prior to update or upgrade (optional)
Because BIG-IP systems with high up times can have issues that go unnoticed over time, consider scheduling a test restart prior to
performing an update or upgrade. For instructions, see Restarting the BIG-IP system prior to an update or upgrade on page 82.
i Important T
his section is only necessary if you are updating or upgrading BIG-IP systems in an HA configuration. If you are
not using an HA configuration, continue with Completing prerequisite checks on page 13.
HA communication functions between major software branches using network failover, and you should use network failover for the
duration of the update or upgrade process. For example, a pair of BIG-IP systems running BIG-IP 13.1.0 and 14.1.0 can negotiate
active-standby status using network failover. For more information, refer to K8665: BIG-IP redundant configuration hardware and
software parity requirements.
Configuration synchronization (ConfigSync) does not operate between different major software branches. For example, you cannot
synchronize configurations from a system running BIG-IP 14.1.0 to a system running BIG-IP 13.1.0. You must wait for both systems
to update or upgrade before ConfigSync can operate. For more information, refer to K13946: Troubleshooting ConfigSync and device
service clustering issues.
Note T
o reduce the time required for an update or upgrade, you can perform the procedures in this section prior to an update
or upgrade, in a separate maintenance window
i Important W
hen you disable Automatic Sync, you must manually synchronize configuration changes within the device
group.
2. From the navigation pane, click Device Management > Device Groups.
4. In the Configuration section, from the Sync Type list, select either Manual with Incremental Sync or Manual with Full
Sync.
i Important If you renew a device certificate on a BIG-IP system that is monitored using iQuery by BIG-IP DNS or a BIG-IP
system that is part of a BIG-IP DNS sync-group, you must copy the new certificate to the trusted device certificate
store on the remote BIG-IP DNS systems in the iQuery sync-group. For more information, refer to K6353:
Updating an SSL device certificate on a BIG-IP system.
Note that viewing device certificate expiration should not have a negative impact on your system, but renewing the device certificate
requires you to reauthenticate if you are using the Configuration utility.
2. F
rom the navigation pane, click System > Certificate Management > Device Certificate Management > Device
Certificate.
3. In the Certificate Properties section, look at the Expires row and check the certification expiration.
• If the certificates have not expired, go to the next section Performing a ConfigSync between device group systems.
• If the certificates have expired, continue with step 4.
4. Click Renew.
5. R
eview the Certificate Properties, and then click Finished.
Your browser prompts you to accept the new certificate, and the Configuration utility prompts you to reauthenticate.
3. For Device Groups, select the name of the device group you want to synchronize.
4. For Devices, select the name of the device from which you want to perform the synchronization action.
6. Click Sync.
Meticulously performing these prerequisite checks avoid surprises during the update or upgrade process itself and sets you up for a
smooth and successful experience.
Once you have completed the preparation, continue with the section applicable to your BIG-IP:
Prerequisites
The following are prerequisites for upgrading and updating a standalone or HA pair of BIG-IP systems or VEs.
• H
A Configuration: In BIG-IP HA configurations, you first perform the update or upgrade on the standby system, then failover
and test applications, before you switch to the peer BIG-IP systems. You must have access to all associated BIG-IP systems.
4. In the Hostname field, type the management IP address of your BIG-IP system.
HA Configuration: If you are using an HA configuration, this is on the standby device.
9. In the left pane, locate the BIG-IP update or upgrade image you downloaded in Downloading a BIG-IP image and matching
MD5 checksum file on page 8, and move it to the /shared/images directory of your BIG-IP system on the right pane.
Continue with Performing the software update or upgrade on page 15.
2. U
se the SCP utility to upload the BIG-IP update or upgrade image to your BIG-IP system.
For example, to upload the BIGIP-16.0.1-0.0.3.iso image, you enter the following command:
scp BIGIP-16.0.1-0.0.3.iso [email protected]:/shared/images/
3. W
hen prompted, enter your BIG-IP root user password.
HA Configuration: If you are using an HA configuration, this is on the standby device.
Using the Configuration utility to import and upload the software image
Use the following procedure to upload the software image using the BIG-IP Configuration utility.
1. L
og in to the Configuration utility with administrative privileges.
HA Configuration: If you are using an HA configuration, this is on the standby device.
2. F
rom the navigation pane, click System > Software Management.
You see information about the current BIG-IP installed images.
3. In the Available Images section, click the Import button on the right.
4. Click the Choose File button, and then browse to the location you saved the BIG-IP software image from Downloading a BIG-
IP image and matching MD5 checksum file on page 8.
5. Click Import. Do NOT leave the page before the import is complete.
Ensure your system is already booted into the software volume that contains the configuration you are planning to update or upgrade.
If the system is not already booted into that volume, restart your system to that software volume before you begin the following
procedure. By default, during the process, the BIG-IP system imports the current running configuration from the active volume into the
target volume. To prevent the system from importing the configuration during the update or upgrade process, see K13438: Controlling
configuration import when performing software installations.
Impact of procedure: If the BIG-IP system serves high volume traffic, we recommend you perform the entire update or upgrade during
a maintenance window, to lessen the impact on a busy system.
You can use the Configuration utility (next) or TMSH (skip to Updating or upgrading the software using TMSH on page 16).
2. From the navigation pane, click System > Software Management > Image list.
3. Click the check box next to the new image you are installing.
6. In the Volume set name box, enter a new name, or select an existing volume to overwrite.
Note Y
ou can use any combination of lowercase alphanumeric characters (a-z, 0-9) and the hyphen (-). The volume
set name can be from 1 to 32 characters in length but cannot be only one 0 (zero) character (for example HD1.0
or MD1.0). For instance, if the HD1 disk is active and you enter Development into Volume set name, the system
creates a volume set named HD1.Development and installs the specified software to the new volume set.
If the string you enter does not match an existing volume set, the system creates the volume set and installs the
software.
7. Click Install. To see the installation progress, in the Installed Images section, see the Install Status column.
Continue with Rebooting to the new version on page 17.
1. L
og in to the command line of the BIG-IP system.
HA Configuration: If you are using an HA configuration, this is on the standby device.
2. U
se the following command to view information about the software images that are available for installation on the BIG-IP
system: tmsh list sys software image
The output appears similar to the following:
sys software image BIGIP-14.1.0-0.0.116.iso {
build 0.0.116
build-date "Wed Nov 14 18 41 56 PST 2018"
checksum acb4537e37557ada7f60267d5f946387
file-size "2238 MB"
last-modified "Tue Sep 8 08:36:50 2020"
product BIG-IP
verified yes
version 14.1.0
}
3. U
se the following command to view information about the current BIG-IP installed images:
tmsh show sys software status
Make a note of the Volume name, such as HD1.1, so you can use it when you install the update or upgrade image.
The output appears similar to the following example:
------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status
------------------------------------------------------
HD1.1 BIG-IP 14.1.0 0.0.116 yes complete
For example, to create a volume named HD1.2 and install the BIGIP-16.0.1-0.0.3.iso image to that volume, you enter the
following command:
tmsh install sys software image BIGIP-16.0.1-0.0.3.iso volume HD1.2 create-volume
Note If you are installing over an existing volume that is not currently active, omit the create-volume option. You cannot
install over the current active volume. Additionally, when selecting the new volume name, you can use any
combination of lowercase alphanumeric characters (a-z, 0-9) and the hyphen (-). The volume set name can be
from 1 to 32 characters in length but cannot be only one 0 (zero) character (for example HD1.0 or MD1.0). For
example, volume names can be project related, such as HD1.Development, or they can be simply numeric, such
as HD1.2.
5. Enter the following command to view the installation status: tmsh show sys software status
The output appears similar to the following example, with the percent (pct) installed status incrementing until installation is
complete:
------------------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status
------------------------------------------------------------------
HD1.1 BIG-IP 14.1.0 0.0.116 yes complete
HD1.2 BIG-IP 16.0.1 0.0.3 no installing 10.000 pct
6. You can also use the watch utility to monitor the installation status. For example you enter the following command syntax:
watch -n 30 "tmsh show sys software status"
This causes the screen to refresh every 30 seconds and provide the current installation status. Use Ctrl+c to exit the utility.
Impact of procedure: This procedure requires you restart the system. During this time, the system is not available to process traffic.
F5 recommends you perform this procedure during a maintenance window. Additionally, the first time that you
restart and boot to the new volume, the process may take 30 or more minutes, depending on the size of the
configuration.
Impact of procedure: The standby system is not available to process traffic when in Offline state.
1. Log in to the Configuration utility of the standby BIG-IP system with administrative privileges.
2. F
rom the navigation pane, click System > Software Management > Boot Locations to view the current active BIG-IP boot
location.
3. S
elect the Boot Location of the newly installed software volume. This is the name from step 6 of Updating or upgrading the
software using Configuration utility on page 15. For example, HD1.newimage.
4. Click Activate to restart the system and boot to the specified location.
Note If there have been no changes since you performed the update or upgrade, you do not need to set Install
Configuration to Yes when activating the new volume. By default, during the update or upgrade process,
the BIG-IP system imports the current configuration from the active volume into the target volume. If you
have modified the BIG-IP configuration since the update or upgrade was performed, you can set Install
Configuration to Yes to update the target volume before rebooting to that volume. For more information, refer to
K14704: Installing a configuration when activating a boot location.
i Important A
fter you click OK, the system immediately begins restarting. All existing connections are dropped, and no traffic
passes until the restart completes and the BIG-IP configuration loads.
2. Use the following command to view the current active BIG-IP boot location: tmsh show sys software status
The output appears similar to the following example, where HD1.1 is the current active boot location:
------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status
------------------------------------------------------
HD1.1 BIG-IP 14.1.0 0.0.116 yes complete
HD1.2 BIG-IP 16.0.1 0.0.3 no complete
3. Optional: Use the following syntax to copy the configuration from the current active configuration to the new boot location prior
to restarting and booting into the new volume.
cpcfg --source=<volume name to copy the configuration from> <newly installed software volume>
Note W
hen you install a new image, the configuration from the current active volume is automatically installed to the
new boot location. If no changes have occurred to the configuration since installing the new image, skip this step
and proceed to step 4.
For example, to copy the configuration from the active volume HD1.1 to the newly installed volume HD1.2, use the following
command: cpcfg --source=HD1.1 HD1.2
The output appears similar to the following example:
info: Getting configuration from HD1.1
info: Copying configuration to HD1.2
info: Applying configuration to HD1.2
i Important A
fter you enter this command, the system immediately begins restarting. All existing connections are dropped,
and no traffic passes until the restart completes and the BIG-IP configuration loads.
1. L
og in to the Configuration utility of the BIG-IP system.
HA Configuration: If you are using an HA configuration, this is on the standby device.
2. G
o to various places in the Configuration utility, such as Local Traffic > Network Map, Network > VLANs, to visually confirm
the expected configuration objects exist and are in the expected state.
3. Test the different use cases of your client applications to ensure that services are running as expected.
4. Create a QKView file and review iHealth Diagnostics for currently known issues.
a. Go to System > Support to create a QKView diagnostic file.
b. U
pload the diagnostic file to iHealth and review.
For more information and instructions, see Generating a QKView file for upload to F5 iHealth on page 81.
5. If you are not using an HA configuration, continue with Troubleshooting failures on page 21.
1. L
og in to the command line of the BIG-IP system.
HA Configuration: If you are using an HA configuration, this is on the standby device.
2. Spot-check configuration objects to visually confirm that the expected configuration exists and is in the expected state.
For example, you can use the following commands to review common configuration elements.
list /ltm virtual <virtual_name>,
show /ltm virtual <virtual_name>
list /net vlan <vlan_name>
Note tmsh interactive mode provides tab completion for command options. When at the tmsh prompt, select the
Tab key to see possible command options. For most objects, you can use the list command to see configured
object parameters and the show command to see statistical information for the object. Also, if there are multiple
objects of a certain type, such as virtual servers, you can usually specify one of those objects by entering the
object name in the command. Leaving off the object name shows all objects of that type.
3. C
reate a QKView diagnostic file by typing the following command: run /util qkview
By default, the qkview utility creates the file /var/tmp/<hostname of the BIG-IP>.qkview.
4. U
se your SCP client utility to download the QKView file from your BIG-IP system to your desktop computer, then upload the file
to iHealth and review.
If you are not using an HA configuration, continue with Troubleshooting failures on page 21.
Impact of procedure: Depending on your HA configuration and state, releasing the BIG-IP system from Force Offline may result in the
system becoming Active. F5 recommends that you perform this procedure during a maintenance window.
1. Log in to the Configuration utility of the active BIG-IP system with administrative privileges.
5. Click OK to confirm.
Impact of procedure: This procedure interrupts traffic during failover. F5 recommends that you perform this procedure during a
maintenance window. If you encounter any problems with the newly updated or upgraded system after failover,
you must repeat this procedure on the newly updated or upgraded system to fail back to the previously active
system.
3. Hover over the status icon of the devices to determine the active system.
Note Y
ou cannot force the active system to standby using the Configuration utility of the standby system.
5. Click the Force to Standby button. This forces the active BIG-IP system into standby mode and moves the updated or
upgraded system to the active role.
6. Test client traffic to the updated or upgraded BIG-IP system to confirm the system is processing traffic as expected.
7. Important: After confirming the health of the updated or upgraded system, repeat all of the steps on the peer BIG-IP system.
8. A
fter completing all updates or upgrades and testing, create a new set of UCS archive files to retain backups of the new BIG-IP
version configuration. For instructions, see Creating a backup of the BIG-IP configuration on page 9.
2. Enter the following command to view the current active BIG-IP system: tmsh show cm failover-status
Note Y
ou cannot directly promote the standby system to active; you can only force the active system to standby, while
logged into the active system
onfirm the standby system you updated or upgraded is listed in the Remote Device section, and the Status is listed as Ok. If
C
this is not the case, go back to the standby BIG-IP system and troubleshoot.
3. U
se the following command to force the active BIG-IP system into standby mode, moving the updated or upgraded system to
the active role: tmsh run sys failover standby
5. Test client traffic to the updated or upgraded BIG-IP system to confirm the system is processing traffic as expected.
6. Important: After confirming the health of the updated or upgraded system, repeat all of the steps on the peer BIG-IP system.
7. A
fter completing all updates or upgrades and testing, create a new set of UCS archive files to retain backups of the new BIG-IP
version configuration. For instructions, see Creating a backup of the BIG-IP configuration on page 9.
Troubleshooting failures
Use this section to troubleshoot in the event the update or upgrade was unsuccessful.
2. F
rom the navigation pane, click System > Software Management > Boot Locations to view the current active BIG-IP boot
location.
2. Use the following command to view the current active BIG-IP boot location: tmsh show sys software status
The output appears similar to the following example, where HD1.2 is the current active boot location:
------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status
------------------------------------------------------
HD1.1 BIG-IP 14.1.0 0.0.116 no complete
HD1.2 BIG-IP 16.0.1 0.0.3 yes complete
3. Use the following command syntax to restart the system and boot to the updated or upgraded software volume.
tmsh reboot volume <volume name>
For example, to boot to the volume named HD1.1, enter the following command:
tmsh reboot volume HD1.1
You see a message stating the system will reboot momentarily.
i Important A
fter you enter this command, the system immediately begins restarting. All existing connections are dropped,
and no traffic passes until the restart completes and the BIG-IP configuration loads.
Errors in the BIG-IP configuration Reactive the license (see Reactivating the
The configuration fails to load and one or both of the following
BIG-IP license on page 10)
messages are observed in the Configuration utility: Issues with license enforcement
The configuration has not yet loaded. If From the command line, run tmsh load
this message persists, it may indicate a sys config. If the configuration loads, the
configuration problem. issue is resolved.
This BIG-IP system has encountered a If it does not, see K02091043: Error
configuration problem that may prevent Message: The configuration has not yet
the Configuration utility from functioning loaded. If this message persists, it may
properly.
indicate a configuration problem.
Additionally, should an event arise on the active system that prevents it from processing traffic, it can fail over to the one you are
upgrading. The secondary system can process traffic while it is installing the update or upgrade.
For more information about the Force Offline behavior of VIPRION systems, see K15122: Overview of the Force Offline option for
devices and traffic groups.
Prerequisites
Complete the following tasks before you start updating or upgrading your VIPRION systems:
• V
erify the management interface for each slot is physically wired to an external switch, so you can maintain connectivity to
the management port if the primary blade designation changes after you reboot to the boot location with the new update or
upgrade.
• M
ake sure you have performed the relevant tasks in Section 2: Preparing to Update or Upgrade on page 7, such as
verifying the service check date, creating a UCS archive, and importing the software image.
• Consult K02251382: B2250 VIPRION Fails to boot After Upgrade to 13.1.3.3 or 13.1.3.4 if you have a VIPRION B2250
blade and you are updating or upgrading your host to BIG-IP 13.1.3.3 or 13.1.3.4.
1. Log in to the command line for the system you are updating or upgrading.
3. Check the output for any errors that indicate problems with the configuration.
1. Log in to the Configuration utility for the system you are not upgrading.
3. Under Device Groups, select the device group you want to sync.
6. Click Sync.
4. Click Update.
2. At the bottom of the page, in the Status column, ensure the status for each slot displays as green.
Using TMSH
1. From the command line, enter the following command: tmsh show /sys clu
1. F
rom the command line, enter the following command: clsh ls -1 /shared/images
The system displays each slot.
2. Ensure the ISO file you imported displays under each slot.
1. From the navigation pane, go to System > Software Management > Image List.
2. Under Available Images, check the box for the ISO file you imported.
Note W
e recommend you update or upgrade to a version of BIG-IP that is no earlier than BIG-IP 14.1.2.6
3. Click Install.
4. In the Volume set name box, enter a new name, or select an existing volume to overwrite.
Note Y
ou can use any combination of lowercase alphanumeric characters (a-z, 0-9) and the hyphen (-). The volume
set name can be from 1 to 32 characters in length but cannot be only one 0 (zero) character (for example HD1.0
or MD1.0). If the string you enter does not match an existing volume set, the system creates the volume set and
installs the software.
2. From the navigation pane, click System > Software Management > Image List.
3. Under Installed Images, in the row for the update or upgrade you just installed, under Install Status, ensure the status is
complete.
4. T
o verify the system installed the update or upgrade on all the slots, go to System > Disk Management.
Note the tabs at the top of the page and that you are on the Slot 1 page.
5. Click HD1.
6. Under Contained Software Volumes, in the Version column, locate the update or upgrade you just installed.
8. For each additional slot, click Disk Management again, select the tab for the slot, and repeat the previous three steps.
3. In the output, in the Version column, ensure the update or upgrade you installed displays for all slots.
1. From the Configuration utility, click System > Software Management > Boot Locations.
2. Under Boot Locations, click the location that has your new update or upgrade.
3. Under Installed Images, in the row for the update or upgrade you just installed, under Active, ensure the system displays Yes.
4. From the navigation pane, click Local Traffic > Virtual Servers.
5. E
nsure the status for each virtual server displays as green.
This status indicates the virtual servers are available, the monitors are working and sending out probes, and the nodes in your
pool are responding and available.
7. At the bottom of the page, in the Status column, ensure the status for each slot you are using displays as green.
3. In the system output, next to Last Configuration Load Status, ensure the system displays full-config-load-succeed.
4. To check the clusters, enter the following command: tmsh show /sys clu.
5. Under Address, ensure the IP addresses display correctly and, under State, ensure the system displays enabled for each
cluster.
1. Log in to the Configuration utility for the system you did not update or upgrade.
2. From the navigation pane, click Device Management > Traffic Groups.
3. Select the traffic group you want to force to Standby status, and then click Force to Standby.
4. Under Force to Standby Options, in Target Device, ensure the system you updated or upgraded displays, and then select
Force to Standby.
When the page refreshes, the system status displays as STANDBY.
1. Log in to the Configuration utility for the system you updated or upgraded.
2. F
rom the navigation pane, click Statistics > Module Statistics > Traffic Summary, and monitor the activity to ensure the
system is passing traffic.
4. Under Local Traffic Summary, ensure your objects display in the Available column.
5. Under Display Options, in the Statistics Type list, select Virtual Servers.
6. In the Connections column, ensure the virtual servers you expect to take traffic have current connections.
1. Return to Updating or upgrading the first system on page 23, and repeat all of the procedures you performed on the second
system, except for the following steps:
• Ensuring the systems are in sync
• Disabling automatic sync
3. Click Sync.
3. Under Configuration, on the Sync Type list, select Automatic with Incremental Sync.
4. Select Update.
• Y
ou want to update or upgrade your BIG-IP Virtual Clustered Multiprocessing (vCMP) host systems with a new version of
BIG-IP software.
• You want to update or upgrade a vCMP guest high availability (HA) device group that is running on the vCMP host.
The VIPRION system can run the vCMP module, which you can provision on VIPRION and other platforms. vCMP allows you to run
multiple instances of BIG-IP software on the same platform.
A vCMP host is the system-wide hypervisor that makes it possible for you to create and view BIG-IP instances, known as guests.
A vCMP guest is an instance of BIG-IP software you create on the vCMP system. The guest enables you to provision one or more
BIG-IP modules to process application traffic.
• For high availability (HA) configurations, run the vCMP hosts as standalone systems and the guests in HA device groups.
• Update or upgrade the vCMP host before the guests; hosts and guests are updated or upgraded independently.
• W
e recommend you configure your vCMP host to run the same BIG-IP version as the latest version used by any of its vCMP
guests.
• Software images that are stored and managed on the vCMP host are available for vCMP guests to install.
• O
nly update or upgrade one vCMP guest, per slot, at a time. You can update or upgrade guests on separate slots at the
same time.
• E
ach guest inherits the license of the vCMP host, and the host license includes all BIG-IP modules available for use with
vCMP guest instances. If you need to reactivate the license, you reactivate it at the vCMP host only.
Prerequisites
Complete the following tasks before you start updating or upgrading your VIPRION systems:
• V
erify that the management interface for each slot is physically wired to an external switch, so you can maintain connectivity
to the management port if the primary blade designation changes during the update.
• M
ake sure you have performed the relevant tasks in Section 2: Preparing to Update or Upgrade on page 7, such as
reviewing the vCMP host and compatible guest version matrix, verifying the service check date, creating a UCS archive, and
importing the software image.
• Consult K02251382: B2250 VIPRION Fails to boot After Upgrade to 13.1.3.3 or 13.1.3.4 if you have a VIPRION B2250
blade and you are upgrading your host to BIG-IP 13.1.3.3 or 13.1.3.4.
Note this only applies to hosts and not guests.
• Updating or upgrading the first vCMP host and standby vCMP guest systems, on this page
• Changing the updated or upgraded vCMP guest system from standby to active on page 32
Updating or upgrading the first vCMP host and standby vCMP guest systems
This part shows you how to update or upgrade the first vCMP host and standby guest systems.
4. Fail over to the guest on the host you are not updating or upgrading (if necessary):
a. Log in to the Configuration utility for the guest on the host you are updating or upgrading.
b. Go to Device Management > Traffic Groups.
c. In the list, select the traffic group for this device.
d. Click Force to Standby, and then click Force to Standby again.
e. Next, check the status of the guest you failed over to by looking at the Failover status and ensuring it is Active.
f. From the navigation pane, click Local Traffic > Virtual Servers.
g. In the list, ensure the icon for the virtual server is green, which indicates it is active.
5. V
alidate the host configuration to ensure the host system does not have issues that will prevent the configuration from loading
after you update or upgrade.
a. Open the command line for the host you are upgrading.
b. E
nter the following command: tmsh load sys config verify
This command verifies the configuration without making any changes to the running configuration.
c. Check the system output for any issues.
6. You should have already performed the following tasks in the Preparation section:
a. C
reated a UCS archive for the host. If you have not, return to Creating a backup of the BIG-IP configuration on page
9 and create one.
7. S
hut down the guest on the host (you already failed over the guest on the host you are upgrading to the guest on the other
VIPRION host. Before you update or upgrade, shut down the guest on the host you are upgrading).
a. Go to vCMP > Guest List.
b. In the row for the guest you want to shut down, click the check box, and then click Configure.
c. Click OK.
d. Click Install.
e. T
o monitor the progress of the installation, periodically select the Image List tab to refresh the page. Under Installed
Images, in the Install Status column, you can monitor the progress of the installation.
When the software finishes installing, Install Status displays as complete. You can see the version and boot location,
and that the version is not active.
3. C
heck the update or upgrade (after the host restarts, ensure the system is running the update or upgrade and the chassis slots
are active and functioning properly).
a. After the host restarts, log in to the Configuration utility.
b. Go to Software Management > Image List.
c. Under Installed Images, in the row for the version you just installed, in the Active column, ensure the update or
upgrade you just installed is the active version.
d. Go to System > Clusters > Properties.
e. At the bottom of the page, verify the status for the slots you are using is green.
1. D
eploy the guest before you update or upgrade (before you updated or upgraded the host, you shut down the guest. Now you
must restart it by deploying it).
a. Go to vCMP > Guest List.
b. In the row for the guest you want, click the check box, and then click Deploy.
You can watch the deployment progress in the Status column. This process can take a few minutes.
c. After the guest finishes deploying, in the Management IP Address column, note the IP address.
d. Go to vCMP > Guest Status.
3. Validate the guest configuration to ensure the guest does not have any issues that will prevent the configuration from loading.
a. Open the command line for the guest you are upgrading.
b. Enter the following command: tmsh load sys config verify
c. Check the system output for any issues.
4. S
ynchronize the guests, when necessary (when you make changes or changes are pending on a guest, you must synchronize
the changes to the other guest before you update or upgrade).
a. Open the Configuration utility for the guest you are upgrading.
b. Go to Device Management > Overview.
c. Under Sync Issues, in the box for each pending change, click Sync.
5. C
reate a UCS archive for the guest and download it to your local system. If you encounter a problem during the update or
upgrade, you can use it to restore the guest configuration.
To create the archive for the guest, return to Creating a backup of the BIG-IP configuration on page 9.
6. S
et the device group to manual sync (if the device group is set to synchronize automatically, before the upgrading the guest,
change the setting so that it synchronizes manually).
a. Go to Device Management > Device Groups.
b. In the list, select the device group name.
c. Under Configuration, in the Sync Type list, select Manual with Incremental Sync.
d. Click Update.
7. F
orce the guest offline (as a precautionary measure, to prevent the guest you are upgrading from becoming active during the
update or upgrade or when it goes back online after you update or upgrade, you must force it into Offline status).
a. Go to Device Management > Devices.
b. Select this guest, which has (Self) in its name.
c. At the bottom of the page, click Force Offline, and then click OK.
d. When the page refreshes, in Status, the icon that displays indicates the change.
d. Click Install.
e. T
o monitor the progress of the installation, periodically select the Image List tab to refresh the page. Under Installed
Images, in the Install Status column, you can monitor the progress of the installation.
3. Check the update or upgrade (after the guest restarts, ensure the system is running the update or upgrade).
a. After the guest restarts, log in to the Configuration utility.
b. Go to Software Management > Image List.
c. Under Installed Images, in the row for the version you just installed, in the Active column, ensure the update or
upgrade you just installed is the active version.
4. Bring the guest back online (when you bring the guest back online, it is available to load balance traffic).
a. Go to Device Management > Devices.
b. Select this guest, which has (Self) in its name.
c. At the bottom of the page, select Release Offline, and then select OK.
d. When the page refreshes, in Status, the status should display as Standby.
Changing the updated or upgraded vCMP guest system from standby to active
The next main task is to change the updated or upgraded vCMP guest from standby to active. The guest you did not update or
upgrade is active and running the older version of software. Switch the traffic from that guest to the updated or upgraded guest. To do
so, on the guest you did not update or upgrade, force the Failover status for the traffic group to Standby.
1. Verify the guest you did not update or upgrade is still passing traffic
a. Open the Configuration utility for the guest you did not update or upgrade.
b. Go to Local Traffic > Virtual Servers.
c. In the row for each virtual server, in the Status column, ensure the icon is green.
2. Failing over to the updated or upgraded system to force the guest you did not update or upgrade to Standby status:
a. Go to Device Management > Traffic Groups.
b. In the list, select the traffic group for this device.
c. At the bottom of the page, select Force to Standby, and then select Force to Standby again.
You should consider using this procedure under the following condition:
• Y
ou want to update or upgrade your BIG-IP Virtual Clustered Multiprocessing (vCMP) host systems with a new version of
BIG-IP software.
• You want to update or upgrade a vCMP guest high availability (HA) device group that is running on the vCMP host.
You can update or upgrade a pair of standalone non-VIPRION BIG-IP vCMP host systems and vCMP guests configured in an HA
device group.
A vCMP host is the system-wide hypervisor that makes it possible for you to create and view BIG-IP instances, known as guests.
A vCMP guest is an instance of BIG-IP software that you create on the vCMP system. The guest enables you to provision one or more
BIG-IP modules to process application traffic.
• U
pdating or upgrading non-VIPRION BIG-IP vCMP systems involves fewer steps and less time than VIPRION vCMP
systems. For example, a VIPRION chassis with vCMP guests spanning multiple blades takes longer to finish the boot
process than a non-VIPRION vCMP platform.
• For HA configurations, run the vCMP hosts as standalone systems and the guests in HA device groups.
• U
pdate or upgrade the vCMP host before the guests; hosts and guests are updated or upgraded independently of one
another.
• W
e recommend you configure your vCMP host to run the same BIG-IP version as the latest version used by any of its vCMP
guests.
• Software images that are stored and managed on the vCMP host are available for vCMP guests to install.
• E
ach guest inherits the license of the vCMP host, and the host license includes all BIG-IP modules available for use with
vCMP guest instances. If you need to reactivate the license, you reactivate it at the vCMP host only.
Prerequisites
Complete the following tasks before you start updating or upgrading your BIG-IP systems:
• M
ake sure you have performed the relevant tasks in Section 2: Preparing to Update or Upgrade on page 7, such as
reviewing the vCMP host and compatible guest version matrix, verifying the service check date, creating a UCS archive, and
importing the software image.
• Review the release notes for the version you want to install.
• Updating or upgrading the first vCMP host and standby vCMP guest systems, on this page
• Changing the updated or upgraded vCMP guest system from standby to active on page 37
• Updating or upgrading the other systems on page 37
Updating or upgrading the first vCMP host and standby vCMP guest systems
In this section, you update or upgrade the first vCMP host and standby vCMP guest systems.
1. C
heck the status of the guest to ensure it is in Standby status before you update or upgrade. If it is, you can skip the next step.
If the guest is active, in the next step, you fail over to the guest on the host you are not updating or upgrading.
a. Go to vCMP > Guest List.
b. In the list, identify the guests that are on your host.
c. Go to vCMP > Guest Status.
d. Under Prompt Status, check the status of the guest. If it is Standby, you can skip the next step, and continue with step
3. If it is not Standby, continue with step 2 to fail over to the guest on the host you are not updating or upgrading.
2. Fail over to the guest on the host you are not updating or upgrading (if necessary):
a. Log in to the Configuration utility for the guest on the host you are upgrading.
b. Go to Device Management > Traffic Groups.
c. In the list, select the traffic group for this device.
d. Click Force to Standby, and then click Force to Standby again.
e. Next, check the status of the guest you failed over to by looking at the Failover status and ensuring it is Active.
f. Go to Device Management > Traffic Groups.
g. Under Failover Status, ensure the status is Active.
h. From the navigation pane, click Local Traffic > Virtual Servers.
i. In the list, ensure the icon for the virtual server is green, which indicates it is active.
3. V
alidate the host configuration to ensure the host system does not have issues that will prevent the configuration from loading
after you update or upgrade.
a. Open the command line for the host you are updating or upgrading.
b. E
nter the following command: tmsh load sys config verify
This command verifies the configuration without making any changes to the running configuration.
c. Check the system output for any issues.
4. You should have already performed the following tasks in the Preparation section:
a. C
reated a UCS archive for the host. If you have not, return to Creating a backup of the BIG-IP configuration on page
9 and create one.
b. Imported and verified the software image. If you have not, return to Downloading a BIG-IP image and matching MD5
checksum file on page 8
5. S
hut down the guest on the host (you already failed over the guest on the host you are upgrading to the guest on the other
VIPRION host. Before you update or upgrade, shut down the guest on the host you are updating or upgrading).
a. Go to vCMP > Guest List.
b. In the row for the guest you want to shut down, click the check box, and then click Configure.
c. Click OK.
d. Click Install.
e. T
o monitor the progress of the installation, periodically select the Image List tab to refresh the page. Under Installed
Images, in the Install Status column, you can monitor the progress of the installation.
When the software finishes installing, Install Status displays as complete. You can see the version and boot location, and
that the version is not active.
3. Check the update or upgrade (after the host restarts, ensure the system is running the update or upgrade):
a. After the host restarts, log in to the Configuration utility.
b. Go to Software Management > Image List.
c. Under Installed Images, in the row for the version you just installed, in the Active column, ensure the update or
upgrade you just installed is the active version.
1. D
eploy the guest before you update or upgrade (before you updated or upgraded the host, you shut down the guest. Now you
must restart it by deploying it).
a. Go to vCMP > Guest List.
b. In the row for the guest you want, click the check box, and then click Deploy.
You can watch the deployment progress in the Status column. This process can take a few minutes.
c. Go to vCMP > Guest Status.
d. In the row for the guest, in the Prompt Status column, you can see that the guest is in Standby status.
2. V
alidate the guest configuration to ensure the guest does not have any issues that will prevent the configuration from loading
after you update or upgrade.
a. Open the command line for the guest you are updating or upgrading.
b. Enter the following command: tmsh load sys config verify
c. Check the system output for any issues.
3. S
ynchronize the guests, when necessary (when you make changes or changes are pending on a guest, you must synchronize
the changes to the other guest before you update or upgrade).
a. Open the Configuration utility for the guest you are updating or upgrading.
b. Go to Device Management > Overview.
c. Under Sync Issues, in the box for each pending change, click Sync.
4. C
reate a UCS archive for the guest and download it to your local system. If you encounter a problem during the update or
upgrade, you can use it to restore the guest configuration.
To create the archive for the guest, return to Creating a backup of the BIG-IP configuration on page 9.
6. F
orce the guest offline (as a precautionary measure, to prevent the guest you are updating or upgrading from becoming active
during the update or upgrade or when it goes back online after you update or upgrade, you must force it into Offline status).
a. Go to Device Management > Devices.
b. Select this guest, which has (Self) in its name.
c. At the bottom of the page, click Force Offline, and then click OK.
d. When the page refreshes, in Status, the icon that displays indicates the change.
d. Click Install.
e. T
o monitor the progress of the installation, periodically select the Image List tab to refresh the page. Under Installed
Images, in the Install Status column, you can monitor the progress of the installation.
When the software finishes installing, Install Status displays as complete. You can see the version and boot location, and
that the version is not active.
3. Check the update or upgrade (after the guest restarts, ensure the system is running the update or upgrade).
a. After the guest restarts, log in to the Configuration utility.
b. Go to Software Management > Image List.
c. Under Installed Images, in the row for the version you just installed, in the Active column, ensure the update or
upgrade you just installed is the active version.
4. Bring the guest back online (when you bring the guest back online, it is available to load balance traffic).
a. Go to Device Management > Devices.
b. Select this guest, which has (Self) in its name.
c. At the bottom of the page, select Release Offline, and then select OK.
d. When the page refreshes, in Status, the status should display as Standby.
1. Verify the guest you did not update or upgrade is still passing traffic:
a. Open the Configuration utility for the guest you did not update or upgrade.
b. Go to Local Traffic > Virtual Servers.
c. In the row for each virtual server, in the Status column, ensure the icon is green.
2. Fail over to the updated or upgraded system to force the guest you did not update or upgrade to Standby status:
a. Go to Device Management > Traffic Groups.
b. In the list, select the traffic group for this device.
c. At the bottom of the page, select Force to Standby, and then select Force to Standby again.
1. Logs in to the BIG-IP system using SSH, and iControl to create a user configuration set (UCS) archive.
3. Sets the DeleteOnTermination value of the elastic network interfaces (ENIs) in your BIG-IP instance to False, so they can be
re-used.
4. Terminates your original BIG-IP instance, detaching its ENIs for re-use.
5. O
pens a new BIG-IP instance from an Amazon Machine Image (AMI) of your choice. This is your new, updated or upgraded
BIG-IP AWS instance.
6. Installs the license for bring-your-own-license (BYOL) from the RegKey in the source AMI instance or option.
7. F
or BIG-IP BYOL systems, uses the RegKey from the source AMI image or from the command line option you specified to install
the license on the system.
8. R
estores the UCS archive on the new updated or upgraded BIG-IP instance (with the no-license flag so as not to overwrite the
new license).
• If you previously used a continuous integration/continuous delivery (CI/CD) orchestration or automation tool such as Ansible
or Terraform to deploy your BIG-IP AWS instance, you should continue using the same tool to perform the update or
upgrade.
• If your BIG-IP AWS instance has two boot locations, you can also use the traditional method of downloading a BIG-IP ISO
file from F5 Downloads, install it, and boot to the new location.
Prerequisites
The following are prerequisites for updating or upgrading your BIG-IP instance on AWS:
• Y
ou have a Linux remote client machine that has SSH and Secure Copy (SCP) protocol access to the management interface
of the BIG-IP instance.
• You have the SSH PEM file and administrative credentials to log in to the BIG-IP instance.
• You have the aws_access_key_id and aws_secret_access_key credentials to log in to the AWS portal.
• F
or BIG-IP BYOL systems, the script uses the registration key from the source AMI image or from the command line
option you specified to install the license on the system automatically. This means your BIG-IP instance must have internet
connectivity to the F5 license server (https://secure.f5.com/Infopage/index.jsp).
When this is not possible, you must manually perform the licensing and UCS archive restore on the BIG-IP system after the
script launches the new BIG-IP instance. For more information, refer to K7752: Licensing the BIG-IP system.
Creating backups
First, create backups of your BIG-IP AWS instance and the BIG-IP configuration.
1. Backup your BIG-IP AWS instance using a tool such as AWS Backup.
2. E
nsure you have the UCS archive you created in Creating a backup of the BIG-IP configuration on page 9. If you did not,
create one now.
Although the f5-aws-migrate.py script generates a backup file and saves it in your local remote directory, we recommend you
generate one and save it locally as well.
With these two backups in place, you can easily recover your BIG-IP instance if necessary.
Determining the AMI ID of the image to which you want to update or upgrade
The f5-aws-migrate.py script requires you to provide the AMI ID to launch the new BIG-IP instance.
i Important P
roviding an invalid or incompatible AMI image to the script results in failure to update or upgrade and you
may have to manually perform the update or upgrade by launching the correct instance and associating AWS
resources.
4. Click Launch new instance for the AMI image you want to use.
5. Software Version lists the latest version available, if you require a different version, select full AWS Marketplace website.
8. Note the AMI ID number at the bottom of the form. You must provide the AMI ID when you run the f5-aws-migrate.py script.
For example, you note the following AMI ID: AMI ID: ami-034ae61881d640103
Installing the f5-aws-migrate.py script and required files on your remote client
The next task is to install the f5-aws-migrate.py, restore-clean-ucs, and save-clean-ucs files on your remote Linux client
machine. These files are all available on the F5 GitHub site (https://github.com/f5devcentral/f5-aws-migrate).
1. Go to f5-aws-migrate on GitHub.
2. Click f5-aws-migrate.py.
4. Copy the contents, and then paste into an editor on your client machine.
6. R
epeat steps 1-5 for the restore-clean-ucs and save-clean-ucs files.
When you finish, you have three files in the same directory.
1. Go to the hidden AWS directory in your user home directory using the following command: cd ~/.aws
2. Create a file named credentials using the following command: touch credentials
aws_access_key_id = APOPJOYHFXYCWHKZDJ3Q
aws_secret_access_key = MYsVrwik4ArWSvhgitcqUu6CIDG+Fvg2D5jp9aJ5
4. Create a file named config using the following command: touch config
5. Use a text editor to paste the following text into the file:
[default]
• If your new (target) BIG-IP instance is pay-as-you-go (PAYG) and does not require a registration key, continue with the next
procedure.
• If you are using an F5 BYOL license, you must first revoke your BYOL license for reuse on the new BIG-IP instance.
In BIG-IP VE 12.1.3.3 and later, and in BIG-IP 13.1.0.2 and later, you can revoke a BYOL license from a BIG-IP VE system
and re-use the license on a different BIG-IP VE system. For more information, refer to K41458656: Reusing a BIG-IP VE
license on a different BIG-IP VE system.
Impact of procedure: Revoking the license results in a disruption of services. F5 recommends performing this procedure during a
scheduled maintenance window.
1. Record your BIG-IP license key so you can use it to relicense the new BIG-IP.
2. F
rom the BIG-IP command line, use the following command: revoke /sys license
You can now install the license on the new BIG-IP VE system.
To run the script, use the script example in the following table that is appropriate for your update or upgrade and licensing case.
o display the Help menu for a list of options you can include, use the following command: python f5-aws-migrate.py -h.
Tip T
NOTE: Y
ou need to use the -r switch to specify your license registration key for the new (updated or
upgraded) BIG-IP instance.
python f5-aws-migrate.py -k /home/john/.ssh/keypair.pem -i i-155b46d2 -m
From BYOL instance to a new PAYG utility instance 10.0.0.245 -u admin -p ‘strongpassword’ -d ami-5fe81c3f -r ZJQWC-EXJMJ-
HEKVX-KNJTB-LGUCGVZ -R us-west-2 --debug-level
Troubleshooting failures
The list at the beginning of Amazon Web Services on page 38 lists the tasks the script performs. Follow the output the system
displays to ensure the command completes all of the tasks.
Note It is possible for the system to log errors and then run the script completely
When the script finishes running, the system displays output similar to the following example:
/var/local/ucs/f5-i-0bd6843b0d3629e1a.ucs is loaded.
_____BIG-IP Migration Completed_____
When the script finishes running, it saves the following files in the local directory for verification, backup, and restoration purposes:
The following table lists common issues, possible causes, and resolutions.
Log in to the BIG-IP system using your SSH key PEM file and
There could be errors in the UCS archive restoration. manually restore the UCS archive.
Refer to K4423: Overview of UCS archives.
You did not provide a registration key or you provided License the new BIG-IP instance manually. Refer to K4423:
an invalid registration key to the script. Overview of UCS archives.
If you are already using Terraform to manage your GCP resources, continue to use your existing Terraform infrastructure to perform the
update or upgrade.
Use this section if you want to get started with Terraform, and your primary objective is simply to update or upgrade a set of BIG-IP
VMs on GCP with minimal Terraform setup required.
This procedure uses the google_compute_instance Terraform resource to deploy a new, updated or upgraded, BIG-IP VM. After
performing the update or upgrade, you can build on the Terraform TF file you created in this procedure to use Terraform to manage
more GCP resources.
• T
he procedures in this chapter do not apply when your BIG-IP virtual machine is an instance in a GCP autoscaling instance
group.
• T
his chapter describes the use of the Terraform tool to manage GCP resources. GCP and Terraform may update or revise
their features, and specific steps in this article may change as a result.
• Most of the procedures in this chapter involve editing the Terraform TF file. The modifications you make include the following:
» Define the BIG-IP version to which you want to update or upgrade.
» R
emove illegal parameters. The Terraform TF file contains unique IDs of your VM resources, such as IP addresses and
virtual machine IDs, which you cannot include in a template file used for deployment.
• T
he GCP resources for your BIG-IP GCP VM system may go through changes during its uptime. You may need to remove
additional parameters not listed in this article that are specific to your environment. These are reported when you run the
Terraform plan command. If this occurs, you can remove the offending parameter(s).
• If necessary, review the articles referenced in Section 2: Preparing to Update or Upgrade on page 7:
» K13845: Overview of supported BIG-IP upgrade paths and an upgrade planning reference
» BIG-IP VE Supported Platforms
• A
fter you decide on a supported version, you can get the version string by running the following command on Google Cloud
Shell or on a Linux machine with Google SDK installed.
gcloud compute images list --project=f5-7626-networks-public
Note the string for later because it is required when editing the Terraform file.
• Verify you have a GCP VM backup and restore plan.
• R
eview BIG-IP licensing requirements during the update or upgrade process. Depending on the BIG-IP license that you
have, refer to one of the following:
» F
or bring-your-own-license (BYOL) licenses, depending on your BIG-IP version, you need to revoke the license on your
BIG-IP system for reuse during the update or upgrade process. For more information, refer to K41458656: Reusing a
BIG-IP VE license on a different BIG-IP VE system.
» F
or pay-as-you-go (PAYG) licenses, depending on your BIG-IP version, you no longer need to reactivate your license. For
more information, refer to K82564652: BIG-IP VE PAYG cloud marketplace images no longer require license reactivation
when upgrading.
You replace only the BIG-IP VM and its associated disk while reusing the existing GCP resources, such as virtual network, subnets,
interfaces, and firewall rules. You do so by doing the following:
2. In the upper left, select the main menu icon, and then go to Compute Engine > Metadata.
4. Click Edit
6. Enter both your public SSH key and admin username, for example:
ssh-rsa AAAAB3NzaC1yc2EA[...] admin
7. Click Save.
2. In the upper left, select the main menu icon, and then go to Compute Engine > VM instances.
4. Click Edit.
5. In the Custom metadata section for startup-script, copy and backup the script.
7. Click Save.
9. C
opy and paste the REST specification of your VM instance as backup.
Optionally, you can generate this same specification after the update or upgrade for comparison.
• O
n the GCP console, on the top navigation, next to the Help icon, click Activate Cloud Shell.
For more information about Cloud Shell, refer to Using Cloud Shell in the Google documentation.
• Install and configure Terraform on your own Linux client.
1. Create the Terraform file bigip.tf, by entering the following empty declaration:
resource "google_compute_instance" "mybigip1" {
# (resource arguments)
}
2. If you have a GCP instance group, to ensure the BIG-IP VM instance is a member of the group after you update or upgrade,
import it by appending the following in the bigip.tf file:
resource "google_compute_instance_group" "instancegroup" {
# (resource arguments)
}
4. To import your BIG-IP VM as a Terraform resource, enter the following command syntax :
terraform import google_compute_instance.{{bigip_name}} {{project}}/{{zone}}/{{name}}
For example, to import a BIG-IP VM named mybigip1, you enter the following command:
terraform import google_compute_instance.mybigip1 project-name/us-west1-a/bigip1-mybigip1
Terraform creates a new state file, terraform.tfstate, containing the BIG-IP VM instance as a resource.
5. If you added a GCP instance group in step 2, perform this step to import it by using the following command syntax:
terraform import google_compute_instance_group.{{instance_group_name}} {{project}}/{{zone}}/{{name}}
For example, to import a Google instance group named instancegroup, you enter the following command:
terraform import google_compute_instance_group.instance project-name/us-west1-a/instancegroup-ig
6. To overwrite the bigip.tf Terraform file using the state file, enter the following command:
terraform show -no-color > bigip.tf
You have now imported and saved your BIG-IP VM instance configurations in the bigip.tf file.
2. U
sing the error output from the terraform plan command, remove lines containing illegal parameters, such as unique IDs and
fingerprints. Terraform does not allow these parameters in a generic template file used for deployment.
4. Return to step 1 and repeat the steps in this procedure until there are no errors from the terraform plan command output.
5. Replace
the image value in the boot_disk > initialize_params stanzas, and specify the BIG-IP image and version to which you
want to update or upgrade.
This is the value you noted in Planning the update or upgrade on page 43.
For example:
image = "https://www.googleapis.com/compute/v1/projects/project-name/global/images/f5-bigip-16-0-1-0-0-3-
payg-best-25mbps-201020174709"
i Important Perform this procedure on a single browser tab; do NOT use multiple browser tabs.
Impact of procedures: P
erforming these procedures results in service disruption. Perform these procedures during a scheduled
maintenance window.
Verifying and modifying the 'Delete disk' value on the BIG-IP VM instance
During the update or upgrade process, Terraform deletes the BIG-IP VM and its boot disk, and launches the new BIG-IP VM instance
from a new boot disk. If the When deleting instance value is set to Keep disk, the new BIG-IP VM instance retains the same data
and version, and the update or upgrade fails.
Set the value to Delete disk by performing the following procedure:
Note T
erraform creates the new and updated or upgraded BIG-IP VM instance with the original value imported from the
previous procedure.
2. In the upper left, select the main menu icon, and then go to Compute Engine > VM instances.
4. Click Edit.
5. In the Boot Disk section, ensure the When deleting instance value is set to Delete disk.
• If you have a BYOL license and you want to use the license on another BIG-IP VE system, record the license, and then
from the command line enter: revoke /sys license during a maintenance window, as revoking the license disables
traffic management features and returns the BIG-IP system to an unlicensed state. Refer to K41458656: Reusing a BIG-IP VE
license on a different BIG-IP VE system for complete instructions and eligibility.
• If you have a PAYG utility license, you do not need to revoke the license, and you can continue to the following procedure.
1. To deploy the new BIG-IP VM, on your Linux client device, enter the following command: terraform apply
[...]
3. To ensure you do not need to make additional changes, repeat step 1 by running the terraform apply command.
1. L
og in to the new VM instance using the external address eth0 and the SSH key from the Configure SSH keys in the VM
instance metadata section.
Note e
th0 is the default management interface for a newly launched VM instance.
2. Modify the password for the admin user by entering the following command:
modify auth user admin prompt-for-password
3. U
se the following code syntax to upload your UCS archive using the SSH private key from Configuring SSH keys in the VM
instance metadata on page 44:
scp -i <key_name>.pem <ucs_filename>.ucs admin@<ip address of BIG-IP>:/var/tmp
5. U
se the following code syntax to restore the UCS archive on the BIG-IP system and reboot.
To maintain connection to the VM, run the reboot command right after the UCS restore, as follows, because in multiple network
interface instances, the management interface may be at eth1.
i Important A
fter you start restoring the UCS, the system uses the credentials in the UCS archive. Ensure you have
these credentials first.
For more information, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive.
6. Log in to the BIG-IP VM instance using the external address of the management interface.
This may be eth0 for single network interface VMs, or eth1 for multiple network interfaces or high availability (HA) systems.
7. If your BIG-IP VM instance is a member of any GCP groups, such as a GCP instance group or load balancer, verify its
membership.
After completing this procedure, you updated or upgraded your BIG-IP GCP VM instance. With Terraform managing your BIG-IP VM
instance, by modifying the BIG-IP image version value for the boot disk, you can easily rollback to the original version or update or
upgrade to a later version.
1. Edit the bigip.tf file, setting the image value in the boot_disk > initialize_params stanzas back to its original value.
2. Perform the procedures in Performing the software update or upgrade on page 46.
The following table describes common issues, possible causes, and resolutions.
When restoring the UCS archive, license activation The BYOL license in the original BIG-IP was
fails and you observe the following error: not revoked before the update or upgrade. See
Revoking the license on your BIG-IP system, if Contact F5 Support and request a license Allow-
Unable to grant license key: Error required on page 46, or refer to K36582218: Move.
51092, This license has already been Error 51092: This license has already been
activated on a different unit. activated on a different unit.
• Using Azure Portal to deploy an Azure Resource Manager (ARM) template directly, on this page.
• U
sing Terraform to deploy an ARM template on page 56
If you are already using Terraform to manage your Azure resources, continue to use your existing Terraform infrastructure to
perform the update or upgrade.
• U
sing Ansible to deploy an ARM template on page 63
If you are already using an Ansible inventory to manage your Azure resources, continue to use your existing Ansible
infrastructure to perform the update or upgrade.
Important considerations
Before you use the Azure ARM template to perform your update or upgrade, you should understand the following:
• T
his procedure uses the Azure portal ARM template feature. Microsoft may update or revise Azure portal and the template
features, and specific steps in this article may change as a result. For more information on ARM templates, see Azure ARM
templates in the Microsoft documentation.
• Most of the procedures involve editing the exported template.json file. The modifications you make include the following:
» D
efine the initial SSH key and username/password to login to the new (updated or upgraded) virtual machine for the
first time.
» Define the BIG-IP version to which you want to upgrade.
» R
emove illegal parameters. The exported template.json file contains unique IDs of your VM resources, such as the
OsDisk, which you cannot include in a template file used for deployment.
» R
emove optional parameters that are already defined in the template file, such as storageAccountName and
storageAccountKey.
• A
zure resources for your BIG-IP Azure VM system may go through changes during its uptime. You may need to remove
additional parameters not listed in this procedure that are specific to your environment. These are reported when the
deployment fails. If this occurs, you can remove the offending parameter(s) and re-deploy.
• If necessary, review the articles referenced in Section 2: Preparing to Update or Upgrade on page 7:
» K13845: Overview of supported BIG-IP upgrade paths and an upgrade planning reference
» BIG-IP VE Supported Platforms
• A
fter deciding on a supported version, you can get the version string from f5-azure-arm-templates on GitHub. Note the
string for later because it is required when editing the Azure ARM template.
• Verify you have an Azure VM backup and restore plan. For information, see Backup and restore VE images in the cloud.
Note T
he UCS archive and ARM template you create in this section enables you to restore your Azure VM.
• R
eview BIG-IP licensing requirements during the update or upgrade process. Depending on the BIG-IP license that you
have, refer to one of the following:
» F
or bring-your-own-license (BYOL) licenses, depending on your BIG-IP version, you need to revoke the license on your
BIG-IP system for reuse during the update or upgrade process. For more information, refer to K41458656: Reusing a
BIG-IP VE license on a different BIG-IP VE system.
• Review the network topology of your BIG-IP VM. To do so, perform the following procedure:
» Go to Home > Virtual machines, and select the name of your BIG-IP VM.
» On your VM blade, under Settings, select Networking.
» Select Topology.
» Identify the BIG-IP VM to update or upgrade and verify it has no dependents.
You replace only the BIG-IP VM and its associated disk while reusing the existing Azure resources, such as virtual network, subnets,
interfaces, and security groups. You do so by doing the following:
2. Edit the template (entering the new BIG-IP version, credentials, and other information).
1. From the Azure Portal, go to Home > Resource Groups, and then select the name of your resource group.
5. Click Download.
6. Click OK.
You can perform the same procedure after the update or upgrade to compare the differences between the two files, ensuring the
required settings are maintained. You can also use this file to deploy your VM if required.
2. Do one of the following, depending on whether you see the following objects in your file:
• If you do not see the three extensions_start_*** objects in the parameter stanza as shown below, skip to the next step.
• If you do see the three extensions_start_*** objects in the parameter stanza as shown below, remove them, as illustrated
in the following code syntax.
These objects display when you previously deployed your BIG-IP VM from an F5 Azure ARM template.
4. L
ook for the line that contains version and then replace your current BIG-IP version with the target version.
Refer to Planning the update or upgrade on page 49 to retrieve your version.
For example, you update or upgrade your system to BIG-IP 15.1.0.4 by entering the following code syntax:
"version": "15.1.004000"
5. In the resources > properties > storageProfile > osDisk > managedDisk property, remove the line that contains the id
parameter.
For example, you remove the id parameter and the comma in the preceding line:
"managedDisk": {
storageAccountType": "Premium_LRS",
id": "[resourceId('Microsoft.Compute/disks', concat(parameters('virtualMachines_example_name'), '_
OsDisk_1_xxxxxxx3543f19c34bc10db483319'))]"
},
"diskSizeGB": 84
6. If the SSH public key does not display, copy and paste it in to the osProfile > linuxConfiguration stanza.
For example, for the keyData parameter only, you replace its value with the value from your public key.
Note If you do not have an SSH key, create one. On Azure portal, click +Create a resource, enter and select SSH
Key, and complete the wizard.
7. S
et the SSH public username and password by searching for the adminUsername parameter and adding your
adminPassword after it. Ensure it meets the BIG-IP password complexity requirements.
i Important Y
ou must set a secure password. If you use a password that does not meet the security policy of the
updated or upgraded BIG-IP system, the system logs you out without your SSH key. For more information,
refer to K10612010: Root and admin users must reset default passwords. In addition, you must not use
characters defined in K2873: Characters that should not be used in passwords on F5 products.
For example, you add the second line in the following code syntax:
"adminUsername": "azureuser",
"adminPassword": "<complicated_password>",
"requireGuestProvisionSignal": true
"storageAccountName": "[parameters('extensions_start_storageAccountName')]",
"storageAccountKey": "[parameters('extensions_start_storageAccountKey')]",
i Important Perform this procedure on a single browser tab; do NOT use multiple browser tabs.
Impact of procedures: P
erforming these procedures results in service disruption. Perform these procedures during a scheduled
maintenance window.
• If you have a BYOL license and you want to use the license on another BIG-IP VE system, record the license, and then
from the command line enter: revoke /sys license during a maintenance window, as revoking the license disables
traffic management features and returns the BIG-IP system to an unlicensed state. Refer to K41458656: Reusing a BIG-IP VE
license on a different BIG-IP VE system for complete instructions and eligibility.
• If you have a PAYG utility license, you do not need to revoke the license, and you can continue to the following procedure.
1. From Azure Portal, go to Home > Resource groups, and then select the name of your resource group.
2. Click the check box for the BIG-IP VM, and then click the check box next to its associated disk.
5. Click the bell icon to verify the two objects are deleted.
3. Click Create.
6. Select the template.json file you prepared in Preparing for the update or upgrade on page 50.
7. Click Save.
11. Click the bell icon, and then select Deployment in progress to verify the operation completes.
12. Depending on how you initially deployed your BIG-IP VM, you may encounter errors. Do one of the following:
• If you do not encounter errors, skip to the next step.
• If you do encounter errors, click the bell icon and then More events in the activity log to identify any illegal parameters,
remove them from your template.json file, and then return to step 1 to repeat the deployment.
1. E
nter the following code syntax to upload your UCS archive using the SSH private key that corresponds to the public key you
specified in the template.json file:
scp -i <key_name>.pem <ucs_filename>.ucs admin@<ip address of BIG-IP>:/var/tmp
2. U
se the following code syntax to log in to the BIG-IP system using the SSH private key that corresponds to the public key you
specified in the template.json file.
ssh -i <key_name>.pem admin@<ip address of BIG-IP>
For more information, refer to K13132: Backing up and restoring BIG-IP configuration files with a UCS archive.
4. If your BIG-IP virtual machine was deployed from an F5 Azure ARM template that includes post-deployment configuration steps,
complete those steps.
For example, for a BIG-IP virtual machine that is part of a high availability (HA) cluster, active-standby, using the Cloud Failover
Extension through the API, you must edit the /usr/libdata/configsync/cs.dat file. For specific information, refer to the
readme.md file for the F5 azure ARM template on GitHub.
Troubleshooting
In the event that you need to revert to the original BIG-IP software version, modify the version parameter in the template.json file
and repeat the Performing the software update or upgrade on page 53.
The following table describes common issues and possible causes and resolution.
When restoring the UCS archive, license activation The BYOL license in the original BIG-IP was
fails and you observe the following error: not revoked before the update or upgrade. See
Revoking the license on your BIG-IP system, if Contact F5 Support and request a license Allow-
Unable to grant license key: Error required on page 53, or refer to K36582218: Move.
51092, This license has already been Error 51092: This license has already been
activated on a different unit. activated on a different unit.
This procedure uses the azurerm_linux_virtual_machine Terraform resource to deploy a new, updated or upgraded, BIG-IP VM. After
performing the update or upgrade, you can build on the Terraform TF file you create in this procedure to use Terraform to manage
more Azure resources.
Important considerations
Before you use Terraform to perform your update or upgrade, you should understand the following:
• The procedures in this section do not apply when your BIG-IP virtual machine is an instance in an Azure VM scale set.
• T
his section describes the use of the Terraform tool to manage Azure resources. Microsoft Azure and Terraform may update
or revise their features, and specific steps may change as a result. For more information on Terraform on Azure, refer to Azure
ARM templates in the Azure documentation.
• Most of the procedures in this chapter involve editing the Terraform TF file. The modifications you make include the following:
» Define the initial SSH key and username/password to log in to the updated or upgraded VM for the first time.
» Define the BIG-IP version to which you want to update or upgrade.
» R
emove illegal parameters. The Terraform TF file contains unique IDs of your VM resources, such as IP addresses and
virtual machine IDs, which you cannot include in a template file used for deployment.
• T
he Azure resources for your BIG-IP Azure VM system may go through changes during its uptime. You may need to remove
additional parameters not listed in this article that are specific to your environment. These are reported when you run
the Terraform plan command. If this occurs, you can remove the offending parameter(s) and re-deploy.
• If necessary, review the articles referenced in Section 2: Preparing to Update or Upgrade on page 7:
» K13845: Overview of supported BIG-IP upgrade paths and an upgrade planning reference
» BIG-IP VE Supported Platforms
• A
fter deciding on a supported version, you can get the version string from f5-azure-arm-templates on GitHub. Note the
string for later because it is required when editing the Azure ARM template.
• V
erify you have an Azure VM backup and restore plan. For specific information, see Backup and restore VE images in the
cloud.
Note T
he UCS archive and ARM template you create in this section enables you to restore your Azure VM.
• R
eview BIG-IP licensing requirements during the update or upgrade process. Depending on the BIG-IP license that you
have, refer to one of the following:
» F
or bring-your-own-license (BYOL) licenses, depending on your BIG-IP version, you need to revoke the license on your
BIG-IP system for reuse during the update or upgrade process. For more information, refer to K41458656: Reusing a
BIG-IP VE license on a different BIG-IP VE system.
» F
or pay-as-you-go (PAYG) licenses, depending on your BIG-IP version, you no longer need to reactivate your license. For
more information, refer to K82564652: BIG-IP VE PAYG cloud marketplace images no longer require license reactivation
when upgrading.
• Review the network topology of your BIG-IP VM. To do so, perform the following procedure:
» Go to Home > Virtual machines, and select the name of your BIG-IP VM.
» On your VM blade, under Settings, select Networking.
2. Edit the Terraform file (enter the new BIG-IP version, credentials, and other information).
1. From the Azure Portal, go to Home > Resource Groups, and then select the name of your resource group.
5. Click Download.
6. Click OK.
You can perform the same procedure after the update or upgrade to compare the differences between the two files, ensuring the
required settings are maintained. You can also use this file to deploy your VM if required.
• O
n the Azure portal, on the top navigation, next to the bell icon, open Azure Cloud Shell. For information about Cloud
shell, see Start Cloud Shell.
This procedure is only necessary if you do not have an SSH key. If you have one, continue with the next procedure.
1. If you do not have an SSH key, on the Azure portal, select +Create a resource, enter and select SSH Key, and complete the
wizard.
2. To define Azure as a provider, create the Terraform file provider.tf by entering the following declaration:
provider "azurerm" {
features {}
3. Create the Terraform file bigip.tf by entering the following empty declaration:
resource "azurerm_linux_virtual_machine" "bigip" {
For more information on this Terraform resource, see azurerm_linux_virtual_machine in the Terraform documentation.
5. To import your BIG-IP VM as a Terraform resource, enter the following command syntax :
terraform import azurerm_linux_virtual_machine.bigip /subscriptions/<subscription id>/
resourceGroups/<resource group>/providers/Microsoft.Compute/virtualMachines/<VM name>
For example, to import a BIG-IP VM named bigipvm001, you enter the following command:
terraform import azurerm_linux_virtual_machine.bigip /subscriptions/xxxx-e0b6-xxxx-b82e-xxxx/
resourceGroups/exampleRG/providers/Microsoft.Compute/virtualMachines/bigipvm001
6. To overwrite the Terraform file bigip.tf using the state file, enter the following command:
terraform show -no-color > bigip.tf
2. Under the admin_username line, add your admin_password as in the following example:
admin_username = "azureuser"
admin_password = "<complicated_password>"
i Important Y
ou must set a secure password. If you use a password that does not meet the security policy of the
updated or upgraded BIG-IP system, the system logs you out without your SSH key. For more information,
refer to K10612010: Root and admin users must reset default passwords. In addition, you must not use
characters defined in K2873: Characters that should not be used in passwords on F5 products.
4. Using the error output from the terraform plan command, remove lines containing illegal parameters from bigip.tf.
The following table lists illegal parameters such as unique IDs and IP addresses that are not allowed by Terraform in a generic
template file used for deployment. Terraform may display more illegal parameters depending on your environment.
- private_ip_address="x.x.x.x"
ip address - private_ip_addresses=[ "x.x.x.x", ]
- public_ip_addresses=[x.x.x.x]
- principal_id="537eb9e3-4ab9-4da3-99da-722aae139082"
Identity IDs
- tenant_id="20aab298-91a4-40cf-a457-a4c0b7fc16b0"
managed_disk_id="/subscriptions/xx-e0b6-xx-xx/resourceGroups/exampleRG/providers/Microsoft.Compute/disks/
managed disk id
bigipvm001_OsDisk_1_xxxx
5. Repeat steps 3 and 4 until there are no more errors from the terraform plan command.
6. T
o define your SSH public key, copy and paste the following admin_ssh_key stanza above the boot_diagnostics stanza.
You will use this key to log in to the updated or upgraded BIG-IP VM.
admin_ssh_key {
public_key = file("~/.ssh/id_rsa.pub")
username = "azureuser"
}
boot_diagnostics {
[...]
}
Note If you receive an error later, use the tab character instead of spaces before the public_key and username
parameters.
7. L
ook for the line that contains version and then replace your current BIG-IP version with the target version.
Refer to Planning the update or upgrade on page 56 to retrieve your version.
For example, you update or upgrade your system to BIG-IP 15.1.0.4 by entering the following code syntax:
"version": "15.1.004000"
8. Save the bigip.tf file. You use this file to deploy your new BIG-IP VM.
i Important Perform this procedure on a single browser tab; do NOT use multiple browser tabs.
Impact of procedures: P
erforming these procedures results in service disruption. Perform these procedures during a scheduled
maintenance window.
• If you have a BYOL license and you want to use the license on another BIG-IP VE system, record the license, and then
from the command line enter: revoke /sys license during a maintenance window, as revoking the license disables
traffic management features and returns the BIG-IP system to an unlicensed state. Refer to K41458656: Reusing a BIG-IP VE
license on a different BIG-IP VE system for complete instructions and eligibility.
• If you have a PAYG utility license, you do not need to revoke the license, and you can continue to the following procedure.
1. To deploy the new BIG-IP VM, on your Linux client device, enter the following command: terraform apply
3. When the command completes, the system displays output similar to the following example:
[...]
Apply complete! Resources: 1 added, 0 changed, 1 destroyed.
[...]
1. U
se the following code syntax to upload your UCS archive using the SSH private key that corresponds to the public key you
specified in the bigip.tf file:
scp -i <key_name>.pem <ucs_filename>.ucs admin@<ip address of BIG-IP>:/var/tmp
3. Use the following code syntax to restore the UCS archive on the BIG-IP system and reboot.
i Important A
fter you start restoring the UCS, the system uses the credentials in the UCS archive. Ensure you have
these credentials first.
For more information, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive.
4. If you deployed your BIG-IP virtual machine from an F5 Azure ARM template that includes post-deployment configuration steps,
complete those steps.
For example, for a BIG-IP virtual machine that is part of a high availability (HA) cluster, active-standby, using the Cloud Failover
Extension through API, you must edit the /usr/libdata/configsync/cs.dat file. For more information, refer to the readme.md
file for the F5 Azure ARM template on GitHub.
Troubleshooting
In the event that you need to revert to the original BIG-IP software version, you can use one of the following options:
• U
se Terraform to launch the original BIG-IP software image and restore the UCS archive. You do so by modifying the
version parameter in the bigip.tf file and repeating the procedures in Performing the software update or upgrade on page
59.
• E
dit and deploy the Azure ARM template you created in Exporting the Azure ARM template on page 57, and restore the UCS
archive.
For more information on editing and deploying the Azure ARM template, refer to Editing the 'template.json' ARM template on
page 50 and Performing the software update or upgrade on page 53 procedures in Using the Azure portal to deploy an
ARM template on page 49.
When you attempt to revoke your BIG-IP system with Your BIG-IP system does not have DNS configured Contact F5 Support and request a license Allow-
tmsh revoke sys license, it fails to activate.f5.com or there is no route to the internet. Move.
When restoring the UCS archive, license activation The BYOL license in the original BIG-IP was
fails and you observe the following error: not revoked before the update or upgrade. See
Revoking the license on your BIG-IP system, if Contact F5 Support and request a license Allow-
Unable to grant license key: Error required on page 46, or refer to K36582218: Move.
51092, This license has already been Error 51092: This license has already been
activated on a different unit. activated on a different unit.
The password for bigip.tf does not meet the Perform one of the following steps:
requirements set out in the following articles: - Log in with your SSH PEM key with the following
You are unable to log in to the BIG-IP VM using the
- K2873: Characters that should not be used in command syntax: ssh -i <privatekey_name>.
username and password you defined in the
passwords on F5 products pem admin@<IP address>
bigip.tf file.
- K10612010: Root and admin users must reset - Reset your password. For more information, refer to
default passwords Azure password reset on clouddocs.f5.com.
If you are already using an Ansible inventory to manage your Azure resources, continue to use your existing Ansible infrastructure to
perform the update or upgrade.
This procedure uses the azure_rm_deployment Azure module for Ansible to deploy a new, updated or upgraded, BIG-IP VM from
an ARM template. After performing the update or upgrade, you can build on the Ansible playbook you created in this procedure to use
Ansible to manage more Azure resources.
Important considerations
Before you use the Azure ARM template to perform your update or upgrade, you should understand the following:
• This information in this section does not apply when your BIG-IP virtual machine is an instance in an Azure VM scale set.
• T
his section uses the Azure portal ARM template feature. Microsoft or Ansible may update or revise Azure portal and the
template features, and specific steps in this article may change as a result. For more information on ARM templates, refer to
Azure ARM templates in the Azure documentation.
• Most of the procedures involve editing the exported template.json file. The modifications you make include the following:
» D
efine the initial SSH key and username/password to log in to the updated or upgraded virtual machine for the first
time.
» Define the BIG-IP version you want to upgrade to.
» R
emove illegal parameters. The exported template.json file contains unique IDs of your VM resources, such as the
OsDisk, which you cannot include in a template file used for deployment.
» Remove optional
parameters that are already defined in the template file, such as storageAccountName and
storageAccountKey.
• T
he Azure resources for your BIG-IP Azure VM system may go through changes during its uptime. You may need to remove
additional parameters not listed in this article that are specific to your environment. These are reported when the deployment
fails. If this occurs, you can remove the offending parameter(s) and re-deploy.
• If necessary, review the articles referenced in Section 2: Preparing to Update or Upgrade on page 7:
» K13845: Overview of supported BIG-IP upgrade paths and an upgrade planning reference
» BIG-IP VE Supported Platforms
• A
fter deciding on a supported version, you can get the version string from f5-azure-arm-templates on GitHub. Note the
string for later because it is required when editing the Azure ARM template.
• V
erify you have an Azure VM backup and restore plan. For specific information, see Backup and restore VE images in the
cloud.
Note T
he UCS archive and ARM template you create in this section enables you to restore your Azure VM.
• R
eview BIG-IP licensing requirements during the update or upgrade process. Depending on the BIG-IP license that you
have, refer to one of the following:
» F
or bring-your-own-license (BYOL) licenses, depending on your BIG-IP version, you need to revoke the license on your
BIG-IP system for reuse during the upgrade process. For more information, refer to K41458656: Reusing a BIG-IP VE
license on a different BIG-IP VE system.
» F
or pay-as-you-go (PAYG) licenses, depending on your BIG-IP version, you no longer need to reactivate your license. For
more information, refer to K82564652: BIG-IP VE PAYG cloud marketplace images no longer require license reactivation
when upgrading.
You replace only the BIG-IP VM and its associated disk while reusing the existing Azure resources, such as virtual network, subnets,
interfaces, and security groups. You do so by doing the following:
1. From the Azure Portal, go to Home > Resource Groups, and then select the name of your resource group.
5. Click Download.
6. Click OK.
You can perform the same procedure after the update or upgrade to compare the differences between the two files, ensuring the
required settings are maintained. You can also use this file to deploy your VM if required.
1. On the Azure portal, in the top navigation, next to the bell icon, launch Cloud Shell.
Note If this is your first time using Azure Cloud Shell, you must select a subscription account and then select Create
Storage to persist your work.
2. Enter the following command to create your Ansible playbook: touch deploy_bigip.yml
3. C
opy and paste the contents of the ARM template you downloaded in Exporting the Azure ARM template on page 64 to the
template.json file.
2. Do one of the following, depending on whether you see the following objects in your file:
• If you do not see the three extensions_start_*** objects in the parameter stanza as shown below, skip to the next step.
• If you do see the three extensions_start_*** objects in the parameter stanza as shown below, remove them, as illustrated
in the following code syntax.
These objects display when you previously deployed your BIG-IP VM from an F5 Azure ARM template.
"parameters": {
"extensions_start_storageAccountName": {
"type": "SecureString"
},
"extensions_start_storageAccountKey": {
"type": "SecureString"
},
"extensions_start_commandToExecute": {
"type": "SecureString"
},
[...]
}
4. L
ook for the line that contains version and then replace your current BIG-IP version with the target version.
Refer to Planning the update or upgrade on page 63 to retrieve your version.
For example, you update or upgrade your system to BIG-IP 15.1.0.4 by entering the following code syntax:
"version": "15.1.004000"
5. In the resources > properties > storageProfile > osDisk > managedDisk property, remove the line that contains the id
parameter.
For example, you remove the id parameter and the comma in the preceding line:
"managedDisk": {
storageAccountType": "Premium_LRS",
id": "[resourceId('Microsoft.Compute/disks', concat(parameters('virtualMachines_example_name'), '_
OsDisk_1_xxxxxxx3543f19c34bc10db483319'))]"
},
"diskSizeGB": 84
6. If the SSH public key does not display, copy and paste it in to the osProfile > linuxConfiguration stanza.
For example, for the keyData parameter only, you replace its value with the value from your public key.
Note If you do not have an SSH key, create one. On Azure portal, click +Create a resource, enter and select SSH
Key, and complete the wizard.
"linuxConfiguration": {
disablePasswordAuthentication": false,
"ssh": {
"publicKeys": [
{
"path": "/home/azureuser/.ssh/authorized_keys",
"keyData": "ssh-rsa AAAAB3 [...] a+KiE=generated-by-azure\n"
}
]
}
},
7. S
et the SSH public username and password by searching for the adminUsername parameter and adding your
adminPassword after it. Ensure it meets the BIG-IP password complexity requirements.
i Important Y
ou must set a secure password. If you use a password that does not meet the security policy of the
updated or upgraded BIG-IP system, the system logs you out without your SSH key. For more information,
refer to K10612010: Root and admin users must reset default passwords. In addition, you must not use
characters defined in K2873: Characters that should not be used in passwords on F5 products.
"adminPassword": "<complicated_password>",
"requireGuestProvisionSignal": true
"storageAccountName": "[parameters('extensions_start_storageAccountName')]",
"storageAccountKey": "[parameters('extensions_start_storageAccountKey')]",
i Important Perform this procedure on a single browser tab; do NOT use multiple browser tabs.
Impact of procedures: P
erforming these procedures results in service disruption. Perform these procedures during a scheduled
maintenance window.
• If you have a BYOL license and you want to use the license on another BIG-IP VE system, record the license, and then
from the command line enter: revoke /sys license during a maintenance window, as revoking the license disables
traffic management features and returns the BIG-IP system to an unlicensed state. Refer to K41458656: Reusing a BIG-IP VE
license on a different BIG-IP VE system for complete instructions and eligibility.
• If you have a PAYG utility license, you do not need to revoke the license, and you can continue to the following procedure.
2. Click the check box for the BIG-IP VM, and then click the check box next to its associated disk.
5. Click the bell icon to verify the two objects are deleted.
Deploying the new BIG-IP VM system from the template using Ansible
The next task is to deploy the new BIG-IP from the template using Ansible.
1. On the Azure portal, on the top navigation, next to the bell icon, launch Cloud Shell.
2. To run the Ansible playbook you prepared, enter the following command:
ansible-playbook deploy_bigip.yml
Depending on how you intially deployed your BIG-IP VM, you may encounter errors.
3. T
o identify illegal parameters, click the bell icon and then More events in the activity log, remove it from your template.json
file, and repeat the deployment.
1. E
nter the following code syntax to upload your UCS archive using the SSH private key that corresponds to the public key you
specified in the template.json file:
scp -i <key_name>.pem <ucs_filename>.ucs admin@<ip address of BIG-IP>:/var/tmp
2. U
se the following code syntax to log in to the BIG-IP system using the SSH private key that corresponds to the public key you
specified in the template.json file.
ssh -i <key_name>.pem admin@<ip address of BIG-IP>
For more information, refer to K13132: Backing up and restoring BIG-IP configuration files with a UCS archive.
4. If your BIG-IP virtual machine was deployed from an F5 Azure ARM template that includes post-deployment configuration steps,
complete those steps.
For example, for a BIG-IP virtual machine that is part of a high availability (HA) cluster, active-standby, using the Cloud Failover
Extension through the API, you must edit the /usr/libdata/configsync/cs.dat file. For specific information, refer to the
readme.md file for the F5 azure ARM template on GitHub.
Troubleshooting
In the event that you need to revert to the original BIG-IP software version, you can use one of the following options:
• U
se Ansible to launch the original BIG-IP software image and restore the UCS archive by modifying the version parameter in
the template.json file and repeating the procedure in Performing the software update or upgrade on page 67.
• E
dit and deploy the Azure ARM template you created in Exporting the Azure ARM template on page 64, and restore the UCS
archive.
For more information on editing and deploying the Azure ARM template, refer to the Editing the 'template.json' ARM template
on page 50 and Performing the software update or upgrade on page 53 procedures in Using the Azure portal to deploy
an ARM template on page 49.
When restoring the UCS archive, license activation The BYOL license in the original BIG-IP was
fails and you observe the following error: not revoked before the update or upgrade. See
Revoking the license on your BIG-IP system, if Contact F5 Support and request a license Allow-
Unable to grant license key: Error required on page 53, or refer to K36582218: Move.
51092, This license has already been Error 51092: This license has already been
activated on a different unit. activated on a different unit.
You have BIG-IP systems in HA using Cloud Failover Perform the workaround in ID 929213:
Extension (CFE). Failover does not work after the
The package needs to be uninstalled and installed
update or upgrade and logs the following in /var/
log/restnoded/restnoded.log: again for use.
severe: [RestOperationDispatcher] - From GUI, Navigate to iApps -> Package
This is due to ID 929213.
'shared/cloud-failover/trigger' not Management LX
found.
- Select the package to uninstall and click Uninstall
severe: [ErrorHandlingModule]
- Click Import and provide the path of package to
RestOperation failed: "/shared/cloud-
failover/trigger". install again.
• C
opies the software image from the BIG-IQ to all managed BIG-IPs you want to update or upgrade and, after copying the
image, you can optionally wait to update or upgrade until a later time.
• Captures the state of certain objects before the update or upgrade so you can compare their states before and after.
• Creates backups pre- and post-update or upgrade.
The following video F5 video on YouTube demonstrates how to update or upgrade managed BIG-IP devices:
How to Upgrade Managed Devices to New Versions of TMOS with BIG-IQ
The following video demonstrates how to re-discover and re-import BIG-IP devices after an update or upgrade (this video is part of
separate series, but the same procedure applies to this article):
Completing the post-upgrade process: Reimporting devices and services
1. From the BIG-IQ, go to Devices > Software Management > Software Images.
5. Click Upload.
3. From the Software Image list, select the image you uploaded in the previous procedure.
5. S
elect an installation option.
For details about each option, in the upper right, click Help (?).
11. Under Devices and Target Volume, in the row for each device, enter a new volume on which to install it.
For example, you enter the following new volume: HD1.2
14. Under Installation Properties, in Status, watch for the change to Paused status.
As the system steps through the update or upgrade, it pauses for confirmation or input when it reaches various steps and
options you selected. You continue the update or upgrade by selecting the appropriate button in Process.
15. T
o continue the update or upgrade, each time the system pauses (Process displays the message Paused <name of the next
process>), click the button that displays, or if two buttons display, click Continue.
If you did not select the Perform pre and post installation assessment option, skip to step 16.
If you did select this option, perform these additional steps.
Pre-assessment
» When Process displays Paused: Waiting to start pre-assessment, click Run Pre-assessment.
» In the Assessment Options box, select the check boxes for the for objects you want to include in the pre-assessment,
and then click OK.
Post-assessment
» When Process displays Paused for assessments: Waiting to complete upgrade, under Device Status, in the
Assessments column, click Run Post-assessment for each device.
» In the same column, select Compare Assessments for each device, review any changes to objects between the pre-
and post-assessments, and then click Close.
Note O
bjects in the assessment may appear unavailable or down until the BIG-IP has completed the boot-
up process. If this is the case, wait a short period, select Run Post-assessment again after boot-up is
complete, and then select Compare Assessments again.
16. When you complete the update or upgrade, in Process, click Mark Finished.
For more information and procedures for upgrading using BIG-IQ, refer to the BIG-IP Software Upgrades chapter of the Managing
BIG-IP Devices from BIG-IQ guide for your version.
For information about how to locate the guide for your version of BIG-IQ, refer to K98133564: Tips for searching AskF5 and finding
product documentation.
2. To select all of your devices, at the top of the first column, click the check box.
7. Under Selected, ensure the list contains all the managed devices you want to import.
8. Click Create.
9. I n the Services column, you can see the status of your importing task. If you receive an import error in this column, do the
following:
• Select the error.
• In Configuration Import, select Re-import.
• Under Name, click the listed objects to see the discrepancies between the devices you already imported in to the BIG-IQ
and the device you are importing now.
he system displays the object properties that differ between the BIG-IQ and BIG-IP systems. You have the option to use
T
either the version the BIG-IQ already has or the version on the BIG-IP system you are importing, whichever works best for
your environment.
10. In Conflict Resolution, select Device Specific Objects, to see if there are any additional conflicts.
13. In the upper-left, click Back. Under Device Name and Services, you can see that the system re-imported the devices and
services.
Prerequisites
You must meet the following prerequisites to use these procedures:
Example playbook
The example playbook (see Example Playbook on page 75) does the following:
3. Copy the contents of the example playbook (see Example Playbook on page 75).
5. If you are copying from a Windows system, use sed or a similar utility to remove any \r control characters that you copied in the
file. For example, if you use sed run the following command on your control machine:
sed -i 's/\r$//' upgrade_bigip_software.yml
8. In the vars parameter, customize the provider variable by adding your BIG-IP connection details.
Additional information:
The example uses group variables from the group to which the hosts belong. The playbook references the provider variable in
the provider parameter of the F5 Modules.
You can encrypt BIG-IP passwords for the playbook by placing them in the vault. For more information, refer to K64450989:
Using the 'ansible-vault' command to encrypt BIG-IP passwords used in a playbook.
9. Y
ou can leave the vars_prompt section as is, or remove it to use another method for including a variable for the BIG-IP
software you want to install. For more information, refer to the Using Variables page of the Ansible User Guide.
Example Playbook
This playbook performs these tasks only if the BIG-IP system is in the standby failover state. However, if you want the play to run on all
hosts, you can comment-out or not include the conditional statement.
1 - name: Upgrade BIG-IP software
2 hosts: my_bigips
3 gather_facts: False
4 vars:
5 provider:
6 password: "{{ bigip_password }}"
7 server: "{{ ansible_host }}"
8 user: "{{ bigip_username }}"
9 validate_certs: False
10 vars_prompt:
11 - name: version
12 prompt: "Version and build from ISO"
13 private: no
14 tasks:
15 - name: Get failover state
16 shell: tmsh show sys failover | awk '{print $2}'
17 register: failover_state
18 - block:
19 - name: Verify running configuration of the BIG-IP
20 command: tmsh load sys config verify
21 - name: Reactivate BIG-IP with existing reg key
22 shell: SOAPLicenseClient --basekey $(grep Reg /config/bigip.license | awk '{print $4}')
23 - name: Wait for configuration to finish loading
24 wait_for:
25 timeout: 45
26 delegate_to: localhost
27 - name: Get current time on BIG-IP
28 command: date "+%H%M%S-%m%d%y"
29 register: date
30 - name: Download a new UCS
31 bigip_ucs_fetch:
32 src: "{{ inventory_hostname + '-' + date.stdout + '-backup.ucs' }}"
33 dest: "{{ 'files/' + inventory_hostname + '-' + date.stdout + '-backup.ucs' }}"
34 provider: "{{ provider }}"
35 delegate_to: localhost
36 - name: Upload image to the BIG-IP
37 bigip_software_image:
38 image: "{{ 'files/BIGIP-' + version + '.iso' }}"
39 provider: "{{ provider }}"
40 delegate_to: localhost
41 - name: Get available volume number to use
42 script: files/get_vol_number.bash
43 register: vol
44 - name: Install BIG-IP software
45 bigip_software_install:
46 image: "{{ 'BIGIP-' + version + '.iso' }}"
47 state: activated
48 volume: "{{ vol.stdout }}"
49 provider: "{{ provider }}"
50 delegate_to: localhost
51 async: 45
52 poll: 0
53 when: failover_state.stdout == 'standby'
To avoid having to add when statements to multiple tasks, you simply add this once to the block statement. Directives
you apply to the block are inherited by all the tasks enclosed within it.
b. V
erify running configuration of the BIG-IP
This task uses the command module to verify the BIG-IP configuration by performing a test load with tmsh load sys
config verify. If a host produces a validation error, it fails the task and takes it out of the play, and thus the system does
not update or upgrade it.
c. R
eactivate BIG-IP with existing reg key
If your system's service check date is earlier than the license check date, you may need to reactivate the license. See
Reactivating the BIG-IP license on page 10.
Unless you reactivate the license on a regular basis, you will likely need to reactivate it before you perform an update
or upgrade. To automatically reactivate the license, the Reactivate BIG-IP with existing reg key task with the shell
module runs the SOAPLicenseClient command. This task requires your BIG-IP devices have internet connectivity to
reach the activate.f5.com service.
2. If your BIG-IP systems do not have internet connectivity, remove the Reactivate BIG-IP with existing reg key task (lines 21
and 22 in the example).
Note If you remove the task, you must manually reactivate the BIG-IP systems before running the playbook
3. Adjust the timeout value for the Wait for configuration to finish loading task to meet the needs of your environment.
Additional information:
Because reactivating the license also reloads the configuration, the Wait for configuration to finish loading task with the
wait_for module stops the play to ensure the configuration has time to finish loading before moving on.
Adjust the timeout value (which is in seconds) to be shorter or longer depending on your environment. For example, if the user
configuration set (UCS) operation in the Download a new UCS task fails because the mcpd process is not in the running
phase, lengthen the timeout.
In the Get current time on BIG-IP task, the command module gets the current time on the target BIG-IP system and uses
register to store the result in the variable named date. The play uses this in the file name of the UCS file that you download in the
next task.
4. For the Download a new UCS task, ensure you have a files directory within your playbooks directory.
The Download a new UCS task uses the bigip_ucs_fetch module to create a new UCS backup before the update or upgrade.
The BIG-IP system saves the running configuration to disk before creating the UCS. For the src parameter string, the system
uses concatenation to include the date variable. The date includes seconds in the name so the task will always create a new
UCS file.
5. S
tore the BIG-IP image you downloaded in Downloading a BIG-IP image and matching MD5 checksum file on page 8 in the
files directory. If you have not downloaded an image, do that now, and store it in the files directory.
a. If you have not already, verify the MD5 checksum of the ISO file you downloaded (see Verify the MD5 checksum of the
BIG-IP update or upgrade image on page 8).
6. Optional: If the Install BIG-IP software task fails because it cannot find the BIG-IP image you uploaded, try waiting 30
seconds for the image to become available for installation by including the following task after the Upload image to the BIG-IP
task:
This procedure uses a bash script created by F5 to automatically determine the next available volume set number to use for the
volume parameter in the bigip_software_install module. For example, if the highest volume set number in use is HD1.3 or MD1.3,
the script returns HD1.4 or MD1.4. The script requires that volume sets use a number such as HD1.2 instead of a name such as
HD1.example.
When you use a dynamic value for this parameter, you avoid conflicts that may occur when you set the value statically. For example, if
you manually set the parameter value to HD1.2, and a host is active on that volume set, the install task fails.
h If you do not want to automatically determine the next available volume set number, or if your BIG-IP systems use volume
set names, remove the Get available volume number to use task and continue with Customizing the update or upgrade
task and conditional on the block statement on page 77.
Note If you remove the task, you must manually set the volume in the volume parameter of the bigip_software_install
task
h If you want to automatically determine the next available volume set number, use the following steps:
a. Save and close the upgrade_bigip_software.yml file.
b. O
n your control machine, in the files directory that is within your playbooks directory, create a file named
get_vol_number.bash.
c. Copy the script in the Bash script to use in the script module on page 79 and paste it into the file.
d. Save and close the get_vol_number.bash file.
e. If you are copying from a Windows system, use sed or a similar utility to remove any \r control characters that were
copied in the file.
If you use sed, run the following command on your control machine: sed -i 's/\r$//' get_vol_number.bash
Customizing the update or upgrade task and conditional on the block statement
The final task in the block statement uses the bigip_software_install module to update or upgrade the BIG-IP device.
3. If you only want to install the software but not reboot to the new boot location, change the value of the state parameter to
installed. The state parameter in the example is set to activated, which reboots the BIG-IP system to the newly updated or
upgraded boot location. You can change value to installed to only install the software and not reboot to the new boot location.
Note B
y default, the BIG-IP system installs the configuration to the new boot location upon completion of the update or
upgrade; therefore, when you boot to the new version, the system loads the same configuration that was running
on the previous version. For more information, refer to K13438: Controlling configuration import when performing
software installations.
5. If you want the tasks to run on all hosts in the play, regardless of their failover state, remove the when statement.
Additional information:
The when statement at the block level tells the tasks within the block to only run when the host failover state is standby.
Otherwise, the task skips the host. If you want the tasks to run on all hosts in the play, regardless of their failover state, you can
remove or comment out this when statement.
• The BIG-IP system briefly interrupts traffic on active systems when it reloads the configuration during license activation.
• T
here may be a performance impact when the BIG-IP system serves a high volume of traffic, and you update or upgrade a
standalone system or the active system in a device group.
• If the state parameter is set to activated in the bigip_software_install task, the system reboots the device. This interrupts
traffic processing on an active system.
The output from the command appears similar to the following example. Note that bigip1 is the active device, so the tasks in the
block skip this host.
h Invest the time and resources to ensure you are running the latest versions and getting the latest capabilities.
You have to make sure you have the highest quality, most secure code, and many of the most advanced value propositions
are only accessible on later versions of BIG-IP.
h S
tandardize on a consistent version across the installed base. A homogenous install base helps drive common
operating procedures and reduces management complexity, increases ease of tracking, and reduces time to update or
upgrade BIG-IP instances.
h F
ocus on automation and creating repeatable procedures for performing updates and upgrades of your BIG-IP instances.
Use the update and upgrade events to build new capabilities that can be replicated in future events.
h R
eview the release notes carefully for the software release you select for details about new features, release fixes,
behavior changes, and known issues. Ensure you use Bugtracker to understand any known issues with the release you are
updating or upgrading to, so you can proactively plan for any mitigations.
h A
lways make backups before updating or upgrading an existing instance, and store the backed up configurations to a
secure location. This creates a snapshot of the current configuration.
h C
ollaborate closely with application owners and plan to perform testing both before and after the upgrade, to ensure
their tests are functional prior to making any changes. Updates are likely to require fewer and targeted sanity checks given
that they do not add major functionality or introduce breaking changes.
h U
pgrade or update the standby device in an HA pair first, ensure the devices are still in sync, fail over, and then
upgrade or update the formerly active unit.
h L
everage the "iHealth Upgrade Advisor" to determine if any configuration modification is needed before/after the
update or upgrade. Use the qkview utility to create a QKView diagnostics file, and upload it to F5 iHealth to diagnose the
health and proper operation of your BIG-IP system before and after the update or upgrade procedure.
h P
erform troubleshooting before reverting to a previous version in the unlikely event of a failure. If you do not perform
troubleshooting before reverting changes, it may be difficult to determine a root cause for failure. If possible, contact F5
Support while the issue is occurring so you can perform relevant data gathering, such as creating a new QKView file.
h O
pen a proactive service request with F5 Support to reduce the wait time to speak with an F5 Support engineer, in
case you have any technical issues during the procedure.
You can also watch Generating and uploading a QKView file to F5 iHealth on YouTube.
The procedure varies whether you are using BIG-IP 13.0.0 and later, or BIG-IP 12.1.x and earlier.
7. When the QKView file generation is complete, to download the output file, click Download.
Impact of procedure: The qkview utility runs a large number of commands when collecting information. This behavior may cause an
additional performance burden on systems that are already under heavy load.
4. Click Start.
5. When prompted, click Download Snapshot File to download the output file.
2. Click Upload.
3. Click Choose.
4. After selecting the QKView file you downloaded, select Upload QKView(s).
Note T
he iHealth site prompts you when it finishes processing your QKView file. After it finishes, you can move to the
next step.
2. Click LTM.
3. S
elect one of the following: Virtual Servers, Pools, or Nodes.
The configuration objects display in a table that you can sort and filter by column.
Note D
o not overwrite the new /var/spool/cron/root file after booting to the newly installed BIG-IP system. Use the backup
file only as a reference to re-add your customizations.
1. Log in to the command line of the BIG-IP system using the Advanced shell (bash).
2. View the contents of the root user crontab by entering the following command: cat /var/spool/cron/root
The output looks similar to the following:
MAILTO=""
1-59/10 * * * * /usr/bin/diskmonitor
0 */4 * * * /usr/bin/diskwearoutstat
20 03 * * * /usr/bin/updatecheck -a
20 03 11 * * /usr/bin/phonehome_upload
13 * * * * /usr/bin/copy_rrd save
3. Copy the output from the terminal window and save it to a text file on your local system.
2. Go to System > Configuration > Device > General.
3. In the Operations section, click Reboot.
4. The BIG-IP system prompts with the message Are you sure you want to reboot this device?
After you complete the update or upgrade, analytics chart data from prior to the update or upgrade is still available on the device for
you to examine. However, when you export the charts beforehand, you have a snapshot of multiple metrics you can share with others
in your organization who do not have access to the BIG-IP or BIG-IQ systems. If you need to troubleshoot issues after the update or
upgrade, you may find it useful to be able to readily compare pre- and post-update or upgrade analytics data.
If you use a third-party tool to gather statistics from the BIG-IP, refer to the vendor's documentation to learn how to export the data.
2. Go to Statistics > Analytics, and then select an analytics data type, such as HTTP or TCP, or a sub-category of a type.
3. At the top of the Overview page, use the time settings to select and filter by a specific time period.
5. Select the option to save the file on your computer, and then click Export.
For more information, refer to the Examining and Exporting Application Statistics chapter of the BIG-IP Analytics:
Implementations guide. For information about how to locate F5 product manuals, refer to K98133564: Tips for searching AskF5
and finding product documentation.
2. Select Monitoring > Dashboards, and then the analytics data you want to see, such as Local Traffic > HTTP (Not every
dashboard has the option to export).
3. On the right, in the filters pane, select the appropriate filters and options to display the analytics data you want.
For example, you select BIG-IP Host Names, and then select the managed BIG-IP device you want to update or upgrade.
4. At the top of the page, use the time and Display filters to display the analytics data you want.
6. Use the Print box to save the chart as a PDF on your computer. The Print box differs depending on the OS of your computer.
For more information, refer to the Statistics Monitoring Overview chapter of the BIG-IQ: Monitoring and Reports guide.
For information about how to locate F5 product manuals, refer to K98133564: Tips for searching AskF5 and finding product
documentation.
6. Wait a few minutes and return to AWS Marketplace Subscriptions to select the AMI image.
Note If you want F5 to provide full planning assistance during your update or upgrade, you can contact Professional Services.
F5 Support answers specific questions regarding your update or upgrade but cannot provide start-to-finish update or
upgrade assistance. For more information, refer to Scope of Support.
1.0 New guide for upgrading and updating the BIG-IP 03-10-2021
1.1 Added a new section: Engineering hotfixes for versions prior to 13.1.0.1 on page 5 03-12-2021
©2021 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified
at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 0412