Security

So when you;ve got a cluster of servers and you say upgrade the cluster, why oh why isn't there an option to select the max no of concurrent upgrades to do at once?

Sitting here watching all my slave servers drop into upgrad mode wondering if one will; come back before all of them are donig it!

Grrrrrrrrrr

Hi,

If you have cluster of servers and doing manually is not an option for you then you can use cluster upgrade tool where you can install tool on publisher and have package ready for all the server , tool will automatically upgrade publisher first and later subscribers. We will have option to choose which subscriber need to be upgraded.

Whether manually or upgrade tool,  publisher will upgrade first.

Hi Pavan, 

Yup I'm using the tool, and now at the state where everything has upgraded other than the insight cluster member.... which annoyingly is also the node where you have to delete the VM network interfaces and recreate them when it comes back/

Couldn't find and docn about whether you can select a few cluster members, upgrade them and then go back and do the rest later on.

The thing I was worried about was seeing all my cluster members switch into upgrading state and then more than 1 leaping over to rebooting state. When you only use some of your cluster members for authentication  and you see all the ones doing authentication  rebooting you do start to panic a wee bit.

Luckily we;ve got more than 1 cppm cluster and I could also point auths at that so as far as our users were concerned service as usual.

Would be nice to have a "only process 'n' cluster members at a time" option when selecting the whole cluster, or is that what the checkboxes to select cluster nodes are for?

o.k. Now at stage where I'm restoring the session data.

Just to check,  these are the checkboxes I need to set.. its the Warning message at the bottom thats concerning

A 

That is a general warning and it is meant for config database restore. You can restore the session log in the cluster node.

Have you got all the subscribers upgraded?

Still waiting on the insight server to finish. Rest are done.

Started upgrade at 8:15 this morning, rest of them finished about noon.

So when you say 

If you are upgrading ClearPass from 6.5.x or 6.6.x to 6.7.0 on a VMware ESXi server, and only if the MAC address of Network adapter1 is higher than that of Network adapter2, additional steps are required after the upgrade. (#41698)

After upgrading, follow the steps below in order for ClearPass to have network connectivity:.......

What do you define as after the upgrade. Master publisher says upgrade complete now in reboot and data migration stage ... is it waiting for me to reconfigure the network interfaces ?

So the VM console says the following ...

Hi

"only if the MAC address of Network adapter1 is higher than that of Network adapter2"
you need to follow the steps stated in guide, else ignore.From CLI it looks all services are up and running.

Were you able to access the GUI of publisher and all the subscribers showing in sync?

point is 

1. cant ping any addresses ( preseumably because of VM network issue)

2. ..so can;t ssh to it

3. Console doesn;t respond to keyboard ..... and just as I typed that it sporang into life .... that VM has been unavailable since 8:15 this mornnig as part of the upgrade process. Just getting systems to redefine the network interfaces

That;s a LONG time

So now the node ( clearpass7) is flagged in the cluster as disabled. In the cluster upgrade tool, its in the reboot state and not available. I can ping it and http to the network interface and get the new style startup page and get to an admin login page.

Also I've got a login prompt at the console

What needs to hapen now is for the upgrde tool to recognise its back up and running and  finish off the upgrade

A

logging into clearapas7 as appadmin and doing a cluster list shows that its a standalone device and not a member of a cluster

On the master publisher, If I go to Admin/Server Manager/Server Configuration and select clearpass7 . there is a message saying "Failed to verify server certificate(s) "

Hi Alex,

Please open TAC ticket to look in to this issue. If clearpass 7 showing not part of cluster then we need to readd the server back to cluster.

http://www.arubanetworks.com/support-services/contact-support/

So, 

Logged into clearpass7 and uploaded our http/radius certs replacing the self signed one

By the time I went to check the cluster upgrade tool  it said that the upgrade had completed.

clearpass7 still thinks its standalone and the cluster stillthinks its disabled

But at least I don;t have the upgrade tool running now

So current state is 

Upgrade tool thinks its completed

cluster thingks clearspass7 is disabled

clearpass7 thinks its standalone

If clearpass 7 showing not part of cluster then we need to readd the server back to cluster.

open TAC ticket if you are not sure how to drop and rejoin subscriber.

Was the ClearPass7 configured as standby publisher?

And we're back.

Now have a cluster running 6.7.0

Need to import session data, but I'll start that tomorrow

Then we can upgrade to 6.7.1 Joy!

Not the best 9 hours of my life, but didn;t disrupt the service and users didn't notice

Would dearly love to know what happend though