Airwave upgrade fails due to IP tables rules

Aruba Employee

Environment: When upgrading an Airwave server from 7.4.7 to 7.5.5, or when upgrading from any version, the upgrade may fail with an iptables error.
This article explains how to resolve the issue so that the upgrade succeeds.

 

 

During upgrade of AMP server from 7.4.7 to 7.5.5 you may see the following:

 

STEP 1: Moving old version aside.
STEP 2: Unpacking upgrade package.
STEP 3: Checking for compatibility.
STEP 4: Stopping AMP services.
STEP 5: Installing upgrade.
Migrating interface bandwidth AWRRDs to increase max storable value.
Finished migrating interface bandwidth AWRRDs to increase max storable value.
make: Leaving directory `/root/svn/mercury'
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore v1.3.5: error creating chain 'acct~i':File exists
Error occurred at line: 59
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]
make[1]: *** [conf_common_post_install] Error 1
make[1]: Leaving directory `/root/svn/mercury'
make: *** [upgrade] Error 2
make: Leaving directory `/root/svn/mercury'
Upgrade aborted.
 
This is typically the result of changes made to the iptables file under /root/etc/sysconfig. The changes may have been made deliberately, or automatically during an upgrade. Open this file from the CLI of the server and compare its contents with the sample below. Confirm whether changes were made to suit the network, and inform the engineer that the iptables rules have to be the same as shown below.
 
Note: Any firewall rules you want to add should be placed outside the AMP rules, either above them, before the "# BEGIN AMP IPTABLES RULES" line, or below them, after the "# END AMP IPTABLES RULES" line.

Below is a sample of the iptables file. The same format and lines must exist for the upgrade to be successful.
 
 
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# BEGIN AMP IPTABLES RULES
:acct~i - [0:0]
:acct~o - [0:0]
-I INPUT -j acct~i
-I OUTPUT -j acct~o
# INPUT (traffic clients initiated)
-A acct~i -i eth0 -p tcp -m tcp --dport 23
-A acct~i -i eth0 -p tcp -m tcp --dport 22
-A acct~i -i eth0 -p tcp -m tcp --dport 80
-A acct~i -i eth0 -p tcp -m tcp --dport 443
-A acct~i -i eth0 -p udp -m udp --dport 161
-A acct~i -i eth0 -p udp -m udp --dport 162
# INPUT (traffic we initiated)
-A acct~i -i eth0 -p tcp -m tcp --sport 23
-A acct~i -i eth0 -p tcp -m tcp --sport 22
-A acct~i -i eth0 -p tcp -m tcp --sport 80
-A acct~i -i eth0 -p tcp -m tcp --sport 443
-A acct~i -i eth0 -p udp -m udp --sport 161
-A acct~i -i eth0 -p udp -m udp --sport 162
# OUTPUT (traffic clients initiated)
-A acct~o -o eth0 -p tcp -m tcp --sport 23
-A acct~o -o eth0 -p tcp -m tcp --sport 22
-A acct~o -o eth0 -p tcp -m tcp --sport 80
-A acct~o -o eth0 -p tcp -m tcp --sport 443
-A acct~o -o eth0 -p udp -m udp --sport 161
-A acct~o -o eth0 -p udp -m udp --sport 162
# OUTPUT (traffic we initiated)
-A acct~o -o eth0 -p tcp -m tcp --dport 23
-A acct~o -o eth0 -p tcp -m tcp --dport 22
-A acct~o -o eth0 -p tcp -m tcp --dport 80
-A acct~o -o eth0 -p tcp -m tcp --dport 443
-A acct~o -o eth0 -p udp -m udp --dport 161
-A acct~o -o eth0 -p udp -m udp --dport 162
# Airbus access: root, apache, visualrf, radiusd
-I OUTPUT -m owner -p tcp --dport 8558 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 8558 --uid-owner 48 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 8558 --uid-owner 496 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 8558 --uid-owner 95 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 8558 -d 127.0.0.1 -j REJECT
# Tuplespace access
-I OUTPUT -m owner -p tcp --dport 9999 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 9999 --uid-owner 48 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 9999 --uid-owner 95 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 9999 -d 127.0.0.1 -j REJECT
-I OUTPUT -m owner -p tcp --dport 8888 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 8888 --uid-owner 48 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 8888 --uid-owner 95 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 8888 -d 127.0.0.1 -j REJECT
-I OUTPUT -m owner -p tcp --dport 7777 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 7777 --uid-owner 48 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 7777 --uid-owner 95 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 7777 -d 127.0.0.1 -j REJECT
# Postgresql access
-I OUTPUT -m owner -p tcp --dport 5432 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 5432 --uid-owner 496 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 5432 -d 127.0.0.1 -j REJECT
# VisualRF access
-I OUTPUT -m owner -p tcp --dport 6654 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 6654 --uid-owner 48 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 6654 -d 127.0.0.1 -j REJECT
# END AMP IPTABLES RULES


If there are any changes, edit the file and remove them, then run make. The upgrade will then be successful.
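
A pre-upgrade check for the comparison described above, as an added example that is not part of the original article or of Aruba's tooling: it flags a chain declared twice in one table (the condition iptables-restore reports as "error creating chain ... File exists"), counts the AMP markers, and compares the AMP block with a reference copy. The function names and the shortened sample file are constructed for illustration; the marker strings are the ones in the sample above.

```shell
#!/bin/sh
# Added example (not Aruba code): lint an iptables-restore file before the upgrade.

# Print "line:table:chain" for each chain declared a second time inside one table.
# When flushing (its default), iptables-restore creates every user chain it reads,
# so a repeated declaration ends in "File exists".
dup_chains() {
    awk '/^\*/ { table = substr($1, 2); next }
         /^:/  { chain = substr($1, 2)
                 if (seen[table, chain]++) print NR ":" table ":" chain }' "$1"
}

# Print "begin end" marker counts; a file with one intact AMP block gives "1 1".
marker_counts() {
    awk '/^# BEGIN AMP IPTABLES RULES/ { b++ }
         /^# END AMP IPTABLES RULES/   { e++ }
         END { print b + 0, e + 0 }' "$1"
}

# Print the lines of the first AMP block, markers included.
amp_block() {
    awk '/^# BEGIN AMP IPTABLES RULES/ { on = 1 }
         on { print }
         /^# END AMP IPTABLES RULES/   { if (on) exit }' "$1"
}

# Print "match" or "drift" after comparing the AMP block of FILE with REFERENCE's.
amp_drift() {
    a=$(amp_block "$1"); b=$(amp_block "$2")
    if [ "$a" = "$b" ]; then echo match; else echo drift; fi
}

# Constructed sample: a shortened AMP block that was written into the file twice.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# BEGIN AMP IPTABLES RULES
:acct~i - [0:0]
-I INPUT -j acct~i
# END AMP IPTABLES RULES
# BEGIN AMP IPTABLES RULES
:acct~i - [0:0]
-I INPUT -j acct~i
# END AMP IPTABLES RULES
EOF
}
f=$(mktemp) && write_sample "$f" && dup_chains "$f" && marker_counts "$f"; rm -f "$f"
```

Any line printed by dup_chains, or marker counts other than "1 1", points at the part of the file to clean up before running make again.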

 

Version history
Revision #: 1 of 1
Last update: 07-04-2014 04:55 PM