Upgrading ASM

Question

&nbsp;
 &nbsp;
 &nbsp;
 &nbsp;
Hi guys,&nbsp;
 &nbsp;
I'm usually a "LTM guy" but this time I Have the task of upgrading a couple 3600 ASM boxes. I'm really concerned about the information backup since almost all business operations go through this array of controllers (you know how this stuff work).&nbsp;
 &nbsp;
Before I proceed with any normal (LTM) upgrade,  I like to review the architecture and configuration in order to identify problems that could arise during the window.Also, I ALWAYS do a backup of the current configuration (each controller), but this time (ASM), I'm not sure what to backup!!!.&nbsp;
 &nbsp;
Obviously first I have to backup the config via the system&gt;archives procedure but what else should I backup?&nbsp;
 &nbsp;
I was thinking about about policies and signatures, Am I right? Any recommendations, ideas, thoughts, experience, jokes?&nbsp;
 &nbsp;
Any comment is welcome&nbsp;
 &nbsp;
and thanks in advanced!!!&nbsp;
 &nbsp;
 &nbsp;
HH&nbsp;

mike_maher · Answer

HH,  
&nbsp; I have few questions.  
&nbsp;  
&nbsp; What version is running currently and what version are going to? 
&nbsp;  
&nbsp; How many application policies do you have? 
&nbsp;  
&nbsp; Do any of your policies have XML profile? 
&nbsp;  
&nbsp; Do you have any ASM specific iRules? 
&nbsp;  
&nbsp; Taking an archive will back up all your ASM policies along with the rest of your configuration.  If you are really nervous about this though you can also (depending on how many policies you have) export each of the policies and save them off too.   
&nbsp;  
&nbsp; I have been managing ASMs since they were TrafficShield and have gone through a few major rev upgrades.  It is not all that different than LTM, in fact during my last upgrade I think I had 2 ASM policy issues and the rest were LTM related bugs that I ran into.  I am happy to help where I can.

nathe · Answer

HH, 
&nbsp; To add to Mike's post I can agree that this upgrade is similar to the LTM upgrade. Although I took both an Archive and a Policy Export I actually setup the LTM bit from scratch and then exported / imported the existing ASM security policy. The only issue I had with the ASM policy import was because I was going from v9 to v11 we had a Validation error - but this was more to do with how we had one particular setting setup that v9 was happy with but not v11. Application Security - Overview - Summary detailed what we needed to do for the ASM to be happy. 
&nbsp;  
&nbsp; Hope this helps, 
&nbsp; N

pascal_tene_910 · Answer

&nbsp;  
&nbsp; http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11318.html?sr=26995633 
&nbsp; There is an "ASM consideration" section which may be of use if at some point you need to use the saved archives. 
&nbsp; there is also a link for v9.x and v11.x. above link is for 10.x 
&nbsp;  
&nbsp; Thanks, 
&nbsp; P.

hheredia_36237 · Answer

Thanks Guys!!!, 
&nbsp;  
&nbsp; It's good to know ASM upgrade should be  an "LTM-like" procedure. The configuration is not big enough to avoid exporting policies so I'd prefer to do that, just for the case something happens. 
&nbsp;  
&nbsp; We're going from 10.2.x to 10.2.4 because the platform it's been experimenting failover (couple times in the last 3 months) , so we filled a support ticket, and while f5 hasn't yet tell us the root cause of the problem, it's recommendation was to do this minor upgrade in order to solve some  bug about swapping. 
&nbsp;  
&nbsp; We're programming the upgrade this next thursday , if I am still alive I 'll let you know how was it :). 
&nbsp;  
&nbsp; Gracias! 
&nbsp; P.S. The provisioning thing it's a good tip, thanks!

hheredia_36237 · Answer

Hi Guys, 
&nbsp;  
&nbsp; Just to let you know that everything went OK. It  was like an LTM upgrade, as you suggested. The controllers' disk-formatting scheme were already volumes so I just had to install online (stby unit) and then boot in the installed partition. After the big-ip went up it took like 5 minutes to load ASM module.I noticed that when I clicked the ASM&gt;Overview menu and got something  like BIG-IP ASM wasn't loaded. Almost died but it was only a matter of time to get things work perfect. 
&nbsp;  
&nbsp; Thanks everybody again for the support!!! 
&nbsp;  
&nbsp; HH

Forum Discussion

Upgrading ASM

5 Replies

Recent Discussions

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Need advise to setup a policy on F5

Web acceleration

What are the different phases in DevOps?

Related Content

Software Upgrade

Upgrade to 15.1.10

Getting Started with BIG-IP Next: Upgrading Instances

Getting Started with BIG-IP Next: Upgrading Central Manager

upgrade os version 14.1 to 17.1 concern on apm and asm