ACOS non-FTA Code Upgrade from 2.7.2 to 4.1.4
arnel
Member ✭✭
If anyone has successfully perform an upgrade from 2.7.2 to 4.1.4 on ACOS non-FTA Code on two TH3030s with VCS and VRRP setup, it will be greatly appreciated if you can share some tips and recommendations. I've read some A10 documents about it but I'd like to hear if from those who actually perform the upgrade. Thank you in advance.
0
Comments
I have assisted / seen a number of customers upgrade their TH3030S from 2.x to 4.x with success. Regardless of the platform, there are some significant changes within the ACOS CLI and API which occur during the upgrade. An automated upgrade script will run on first boot of 4.x code and will convert the configuration. Most of the time, this is a very successful process, but it is important to check the config afterward. A 2.x to 4.x upgrade guide is included in all the latest 4.1.4 documentation files.
Another pre-validation option you can explore is backing up your configuration, and restoring the config into a virtual thunder in a lab environment.
Thanks. We have some configuration that we are more concerned like the GSLB, RBA, Aflex scripts, SLB templates, SSL Certs/Cipher Suites, etc. Did you experience any of those configuration got affected after the upgrade or not at all?
Please take note we just configured RBA to separate applications/services but not for role-based access purposes. Only our team have admin access to these devices.
I have seen some specific abnormalities with a couple of these. Regarding Aflex scripts, syntax normally ports over fine, but some scripts which were used in 2.x (such as redirecting from http to https) can now be done in native SLB config which is more efficient. Here are some examples.
GSLB: the dns-a-records within the zone services were added alphabetically in 4.x which was the inverse of the customer's original configuration. This may not cause an issue in traditional round robin configuration, but this customer relied on the dns-a-record order for stickiness.
SSL Cipher Suites: Post upgrade, some cipher suites appeared to be missing from a cipher template. Manually adding them back was no issue.
Testing the upgrade in a virtual A10 is a worthwhile exercise. If you already have access to the product support page, you can download, deploy, and test the upgrade on an unlicensed VM. Also, your local account team may be able to assist you further, and TAC is available for any post-upgrade issues you face.
Noted. Thanks for your help. We'll keep in mind your tips and recommendations. It's good to know that redirection from http to https can be done in SLB config rather than using Aflex which we've implemented to number of our VIPs.