Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Patching CPPM within major version with zero downtime

  • 1.  Patching CPPM within major version with zero downtime

    Posted Jun 27, 2016 09:22 AM

    Hi All,

     

    Just sanity checking this..

     

    We have 2 x CPPM on 6.5.1 and want to upgrade them to 6.5.6. They are in a cluster with VIP & standby publisher configured. AAA and captive portals are pointing at CPPM VIP (wasn't me).

     

    CPPM1: pub

    CPPM2: sub (standby pub)

     

    I want to upgrade with zero downtime.

     

    This is how I plan to do it:

     

    1. Disable standby publisher (enable publisher failover false)

    2. Upgrade CPPM1

    3. VIP will failover and auth & captive portals will continue to work

    5. Ensure CPPM1 is back up  (event viewer shows upgrade complete)

    6. VIP fails back (possibly?)

    7. Upgrade CPPM2

    8. VIP definitely fails back to CPPM1 (if it didn't in step 6). Can someone clarify this?

    9. Ensure CPPM2 is back up  (event viewer shows upgrade complete)

    10. Verify cluster sync is showing "ENABLED"

    11. Enable standby publisher

    12. Party time!

     

    I know this is simplified in terms of what to do in each step but can someone verify that this should work as planned with zero downtime?

     

    Cheers

    James



  • 2.  RE: Patching CPPM within major version with zero downtime

    Posted Jun 27, 2016 12:08 PM

    Changed my mind. Manually changing the VIP primary/secondary devices, so getting rid of any uncertainty regarding VIP failing over. Also gets rid of the 10 seconds it takes for VIP to fail over.



  • 3.  RE: Patching CPPM within major version with zero downtime

    Posted Jun 28, 2016 05:36 AM

    FYI this worked and there was zero downtime.



  • 4.  RE: Patching CPPM within major version with zero downtime

    Posted Jun 29, 2016 10:29 AM

    I usually follow a very similar procedure, but after a few upgrades, I became a slacker. My procedure now:

    1. Upgrade PUB, wait until it tells you “go out have a beer because it will take awhile” (or something like that), then you go out have a beer.
    2. Come back and check PUB, if no error, upgrade SUB, go out have one or two beers.
    3. Verify the cluster sync, then party time.

    Watch out when you go for a major upgrade. When I upgraded from 6.5 to 6.6, the cluster was broken because a “static route” in PUB was lost during upgrade. TAC resolved the case by creating the route manually.

    If you configured the controller to use both PUB and SUB, then the authentication will never go down. Even when the cluster had the sync problem mentioned above.

     



  • 5.  RE: Patching CPPM within major version with zero downtime

    Posted Jun 30, 2016 04:03 AM

    As much as I'd like it, it wasn't really possible for me to go for a beer during the upgrade as it was for a customer!



  • 6.  RE: Patching CPPM within major version with zero downtime

    Posted Jun 30, 2016 06:52 PM

    If you go to 6.6, a major upgrade, you really need something to fill in the time because it is long. The waiting is worse than watching paint dry.

     



  • 7.  RE: Patching CPPM within major version with zero downtime

    EMPLOYEE
    Posted Jun 30, 2016 06:56 PM
    It's also dependent on equipment, resources, DB, etc. For some it's quick, but for others it may take longer.