Upgrading BIGIP-F5 LTM from 10.2.2 to 11.5.3

Question

Good day everyone,&nbsp;
My company has had a "hands-off" approach when it comes to maintaining our F5s. They've been working flawlessly for the past couple of years without any issues what-so-ever. However, a recent security audit uncovered some vulnerabilities that we'd like to patch with some of the latest fixes included in version 11.5.3. I've been tasked with performing the upgrade, and I'd like to share my upgrade strategy with the community to see if any experienced admins here can share their thoughts. &nbsp;
We currently have a pair of devices operating in an Active/Standby configuration.&nbsp;
Upgrade Plan&nbsp;

Force current standby device to offline status&nbsp;

Reactive License on standby device&nbsp;

Perform upgrade by installing 11.5.3 base image to an unused volume.&nbsp;

Once the upgrade to 11.5.3 is complete, I plan to install the 11.5.3HF1 hotfix&nbsp;

Change the default boot partition to the new volume I selected in step 3. &nbsp;

Reboot the standby device&nbsp;

Fail-over from the Active device to the standby device and test.&nbsp;

If all is well perform the upgrade on the other device. &nbsp;

Are there any glaring holes in my plan? &nbsp;
I appreciate your thoughts.&nbsp;
Thank you&nbsp;

hannes_rapp · Answer

What modules are you using, is it just LTM? In any case you should go for 11.5.3 HF2, because in HF1 the LTM data-groups are bugged and unmanageable via GUI.&nbsp;

rybificus_22774 · Answer

Hannes - &nbsp;
I'm a little embarrassed to ask this but how do I verify which modules are installed? I believe we're only using LTM but I'd like to be sure. &nbsp;

hannes_rapp · Answer

In GUI, go to System -&gt; Resource Provisioning
Check for modules that have "nominal", "minimum" or "dedicated" as their provisioning status.

rybificus_22774 · Answer

Thanks. We are currently only licensed for LTM.

hannes_rapp · Answer

Therefore, your chances for success are not too bad. Give it a try and let me know about your experience. Make sure you take time to investigate /var/log/ltm files to increase your chances of spotting any problems.

Here are a couple of issues you may or may not encounter: a) Cluster not synchonizing after the upgrade due to removal of default.crt and default.key files from the clientside SSL default profile. b) Image installation fails because you have HTTP class objects that are depcrecated since 11.4. c) Configuration fails to load after the reboot as the new TMOS no longer counts your configuration as valid, this would be the worst of three scenarios and will require extended troubleshooting and possibly suppression of several conflicting objects.

Forum Discussion

Upgrading BIGIP-F5 LTM from 10.2.2 to 11.5.3

5 Replies

Recent Discussions

VPN fragmented IP packets dropped

minimum tmos software version for connect CIS (openshift)

security patch release

redirect not working

Reliable resources for identifying IP addresses

Related Content

F5 BIGIP WAF AND F5 DNS

Integrating the F5 BIGIP with Azure Sentinel

Software Upgrade

F5 BIGIP showing wrong time

Upgrade to 15.1.10