Jump to content


Photo

Upgrading to 8.0.1


  • Please log in to reply
27 replies to this topic

#1 Michael Manning

Michael Manning
  • Members
  • 257 posts
  • LocationOhio, USA

Posted 12 September 2019 - 01:57 PM

OK, first, I'm not in a rush to do this, but I was reading the migrations notes and it is explicitly called out that Barracuda recommends to do a clean install due to the following reasons...

 

"Firmware 8.0.1 has been refactored to meet the increasing storage demands also for upcoming releases. For this, the internal disk of the firewall must be repartitioned to provide enough space already at the startup of the firewall. This is the best opportunity to prepare your firewall for future firmware releases with increasing storage demands."

 

I'm assuming this means for ALL devices? Fresh install of 8.0.1 off a USB drive onto my F280?

 

Thanks



#2 Joel Herda

Joel Herda
  • Members
  • 2 posts

Posted 13 September 2019 - 03:25 PM

I have a brand-new F400 that shipped with 7.2 on it, and before starting any testing or deployment, I updated to the brand-new 8.0.1 firmware by using the download-and-update feature in the dashboard.  This is our first NextGen/CloudGen firewall, we have about eight other Barracuda devices.

 

Instructions (or a link to instructions) on how to do a "clean install" versus "update" right in the Release Notes or in the Migration documentation would have been a big help. 

 

Searching for "clean install" in the product documentation search yields no results.

 

Is there any documentation for people with implementations already configured on how to "migrate" or restore a config after doing a clean install? (Not that I have anything in my config yet other than what was needed to get the box up and running with an accessible network connection for administration.)

 

I'm pretty amazed by the lack of information and documentation.



#3 JeWe

JeWe
  • Members
  • 107 posts
  • LocationGermany, NDS

Posted 14 September 2019 - 04:46 PM

>> I'm pretty amazed by the lack of information and documentation.

 

Same here. As 8.0 was for cloud only, first question for me was: Can I also upgrade?  Looked into dashboard (we run 7.24), upgrade is offered. Hm... Information is pretty thin. No interest in upgrading and reconfigure for hours and hours. If this is sufficient, don't know if we have configured which something which won't run afterwards.

First idea: We have a spare unit and I'll try a fresh install next week (booting with 8.01-ISO), then I try to restore our 7.24-config. Just to get a first impression and see possible things we can stumble about.



#4 Joel Herda

Joel Herda
  • Members
  • 2 posts

Posted 16 September 2019 - 09:55 AM

The answer from Support for a clean instalkl was: Go to the "Support" page, "Downloads", "CloudGen Firewall", then click no the left on "Firmware" for the ISO and "Utility" for the Barracuda Firewall Install 8.0.1 utility.



#5 JeWe

JeWe
  • Members
  • 107 posts
  • LocationGermany, NDS

Posted 16 September 2019 - 09:58 AM

Captain Obvious!  :-)

 

The question is: What happens to my config?



#6 Frank Dauer

Frank Dauer
  • Barracuda Team Members
  • 28 posts
  • LocationInnsbruck

Posted 17 September 2019 - 08:50 AM

If you update your appliance using the update package your configuration will be preserved and migrated.

 

The suggested "clean/fresh" installation means: Reimage the box from USB with a .par file that you saved from a running 7.x version. During installation your configuration will also be migrated.



#7 JeWe

JeWe
  • Members
  • 107 posts
  • LocationGermany, NDS

Posted 17 September 2019 - 10:44 AM

Frank, thanks for your posting!

 

That would be cool indeed. What about any deprecated services I may use?  Will I get a warning? Or does it just don't work anymore?



#8 Frank Dauer

Frank Dauer
  • Barracuda Team Members
  • 28 posts
  • LocationInnsbruck

Posted 19 September 2019 - 08:16 AM

On the firewall there is no warning before the update. The services will just no longer function afterwards and they will have to be manually removed from the configuration.

 

On the CC you will get a warning when you try to migrate a cluster that has deprecated services configured.



#9 JeWe

JeWe
  • Members
  • 107 posts
  • LocationGermany, NDS

Posted 24 September 2019 - 07:54 AM

Thanks for your explanations.

 

- Now I took our spare firewall, installed 7.2.4 with our configuration and switched the cables. Works.

- Install our 'production firewall' with 8.01 and our configuration with a USB drive (boot with USB drive)

- As this is done, switched back the cables. Works. Uhm, not exactly, there is an DHCP configured (separate VLAN) and no one get's an IP from our firewall. Why?  Don't know.

- Restart DHCP service with no luck.

- Restart the whole firewall.

- Now nobody has an internet connection?!?

- ping www.google.com won't work, neither does ping 8.8.8.8 (can't connect to network)

 

OK, we use a BGP connection, logs say:

InternetProviderIPNumber1 unrecognized capability code: 5 - ignored

InternetProviderIPNumber2 unrecognized capability code: 5 - ignored

 

So maybe it worked, as long as the connection hasn't to be rebuild anew after reboot of the firewall. But, in this case, why no one get's a DHCP IP anymore?

 

Is this related to the Replacement of Virtual Servers by a New 2-Layer Architecture (Release Notes for 8.01) ?

There is said 'Virtual servers will no longer be supported in upcoming firmware releases.'. What does this mean?

In another document, I found the info, that the 7.2.4-configtree will also be in 8.01, as I used the 7.2.4-configfile. 

 

Do I have to migrate the assigned services, so that the virtual server isn't needed anymore?  If so, how am I to do that?



#10 nic schmietenknop

nic schmietenknop
  • Members
  • 7 posts

Posted 24 September 2019 - 01:21 PM

We upgraded to 8.01 and had to re-image and down grade as the DHCP wan connections kept cutting out or not coming up at all. 



#11 JeWe

JeWe
  • Members
  • 107 posts
  • LocationGermany, NDS

Posted 24 September 2019 - 02:58 PM

Thanks for sharing this info!

 

I'll open a ticket tomorrow and post the result here.

 

Don't want to hijack this thread, I thought this could be useful to others. Please let me know if a completely new thread would be better for this.



#12 JeWe

JeWe
  • Members
  • 107 posts
  • LocationGermany, NDS

Posted 25 September 2019 - 09:06 AM

Support says, there is a known bug in NTP services: You have to put in IP addresses, DNS names won't work, so several firewall services can't start. 

Tried this one, at least there is a internet connection now, even after reboot.

 

DHCP don't work, users don't get an IP address.

Maybe just for users of specific time zones: We set „Set Hardware Clock to UTC“ before, now time differs 6 hours plus regarding real time.

Update element says "Updates disabled" even though they are enabled in settings.

 

This is, what I've experienced, didn't test further, back to 7.2.4

 

Seems more than a bit buggy...



#13 Frank Dauer

Frank Dauer
  • Barracuda Team Members
  • 28 posts
  • LocationInnsbruck

Posted 25 September 2019 - 10:27 AM

Thanks for sharing your experience.

 

The problems with NTP servers are fixed in Hotfix 1015 and in the new update package 8.0.1-0383. If you want to install with .par file, you may copy the hotfix to the /appliance/hotfixes folder on the installation USB drive and it will be automatically installed during the reimaging process.

 

For the DHCP server issues: are you using VLANs or bridge interfaces? If you use VLANs, please try to disable header reordering. And if you are using bridge interfaces, Hotfix 1015 should resolve your issue.

 

The clock jumps should only be observable after the first boot.



#14 Ed Ellks

Ed Ellks
  • Members
  • 1 posts

Posted 26 September 2019 - 11:38 AM

I have about 5 of these NG appliances in service.  Being at a remote office, I always apply the latest here and after testing, deploy at our other locations around the world.

 

Version 8.0.1 was scary. In fact with so many issues, I would suggest waiting until at least 8.0.2 comes out as some of these are DHCP-related.  But the steps were rather straightforward if you have a reliable USB drive between 2GB and 32GB.

 

1> Download the following 3 items:

    a. "Barracuda Firewall Install 8.0.1" utility.  The current file name as I'm writing this is NGInstall_8.0.1-29.exe

    b. The ISO of the firmware you want to install.

    c. The PAR file from your current config unless you want to reconfigure from scratch.  From the Firewall Admin utility, go to Configuration, Configuration Tree, right-click on Box and "Create PAR file..."

 

2> Using the NGinstall utility, do the following:

   a. Insert your USB stick which will be reformatted.

   b. Choose Auto Installation USB Flash Drive, next.

   c. Under "Installation-script files", change the "Save to" to be your USB stick.  Click Next

   d. Under USB Flash Drive Settings:

       1> Check the box for "Format USB flash drive"

       2> Click the Import button next to "Image", then "Copy ISO Image".  Select your firmware ISO for your appliance.

       3> Click on the Modify box next to "PAR Files", click Import, then select your PAR file that you saved in step 1c, then select Close after the PAR file shows in the box.

       4> Click Next.

   e. Click Finish and let the utility build your bootable flash drive

(I also created a second USB stick with the 7.2.4 firmware in case I needed to roll back, which I would recommend doing)

 

3> Take that USB stick and put it into the appliance to upgrade.

4> Power the unit off, then back on.

5> Let it do the upgrade - do not interrupt it !  It will say "System Down" a couple of times, so don't get excited.  It takes about 10 minutes and will beep a few times when complete.  I waited an extra minute after the 3 beeps and the display said "System Down".

6> After you have heard the 3 beeps and waited a minute, power the unit off and remove the USB drive.

7> Boot the unit back up.  It may restart after loading your config, so just let it do its thing.

 

Doing those steps had my site back up and online within about 10 minutes.  But again, there are so many issues with this firmware version that I would consider it more of a public beta than a production release.  I would strongly recommend waiting another release or two before considering the upgrade.



#15 JeWe

JeWe
  • Members
  • 107 posts
  • LocationGermany, NDS

Posted 26 September 2019 - 01:58 PM

Thanks for your detailed description.

 

>> I waited an extra minute after the 3 beeps and the display said "System Down".

As you said, the display can be quite confusing and sometimes it gives you inaccurate info. To be really sure, I connect my laptop to the console. Then I start Putty and I can see in more detail, what's happening at the appliance.

 

I'll give it a try tomorrow, big thanks to Frank Dauer for posting here! Your help is highly appreciated, I'll post the results then. I'm quite unsure regarding your tip 'disable header ordering'. We are using VLAN and help text in configuration says, I should activate this if I have problems with DHCP... So this is a bug also?  Or is this best practice?



#16 Michael Manning

Michael Manning
  • Members
  • 257 posts
  • LocationOhio, USA

Posted 26 September 2019 - 02:57 PM

Thanks for sharing this info!

 

I'll open a ticket tomorrow and post the result here.

 

Don't want to hijack this thread, I thought this could be useful to others. Please let me know if a completely new thread would be better for this.

You aren't hijacking at all as far as I am concerned. All the information that has been contributed so far is very useful I think to anybody who finds and read this thread.



#17 JeWe

JeWe
  • Members
  • 107 posts
  • LocationGermany, NDS

Posted 27 September 2019 - 04:15 PM

Thanks Michael!

 

Had a remote session with Barracuda support today and got the following:

- Installed Hotfix 1015, fixed nothing for me (maybe the NTP problem with DNS names, but I already entered IP addresses here, so I don't care)

- Even with Hotfix 1015, showed version is 8.0.1-376. Shouldn't this tell 8.0.1-383?

- DCAgent 7.1.76-0 won't work anymore (can't connect, have to wait for a new version)

- DHCP still won't work. I didn't try to disable header reordering, as the DHCP request doesn't seem to reach the firewall at all. There are no hints in the FW-Log.

- In dashboard, updates are not visible, as the box says, it is not configured. Though it is.

- NTP is quite ... bumpy. Even though I configured "Start NTP with firewall" it takes several minutes to get the right time. Rebooted, same effect.

 

Support compares our config for 7.2.4 and 8.0.1 now, advice from the supporter: Would be better to wait with migration... I also can't say I'm very eager to upgrade now. Many bugs / things which don't work and I didn't even start testing. Just the essential things for me and ... see above.

I think I'll take supporters advice, but I gladly post further experiences.



#18 Thomas Clark

Thomas Clark
  • Members
  • 2 posts

Posted 30 September 2019 - 06:12 AM

This is all very interesting.  I'm glad I'm not the only one having weird issues.  I have not been able to do a fresh install with our current config as the services never fully start and I can only SSH in.  I was wondering if anyone else had that issue.  I will do the install on a spare unit with console connected to maybe get an idea of what's going on when I get a chance.

 

I was able to successfully update from 7.2.4 with our config.  NTP is definitely not working right here either but I needed to get on this version to play around with MFA for VPN as I'm being pushed hard to implement this.



#19 JeWe

JeWe
  • Members
  • 107 posts
  • LocationGermany, NDS

Posted 30 September 2019 - 06:25 AM

>> NTP is definitely not working right here either 

Have you tried to enter IP addresses? Have you installed the hotfix? As I said, is a little bumpy, but it works.

I choosed to wait for the first bigger update package, as our DHCP problem can't be solved even with help from the support...



#20 Frank Dauer

Frank Dauer
  • Barracuda Team Members
  • 28 posts
  • LocationInnsbruck

Posted 30 September 2019 - 09:35 AM

Thanks again for your reports.

 

Concerning the hotfix: It solves a problem where name resolution of the NTP servers took too long and so starting the firewall services timed out. For installations with .par files it is therefore neccessary to install the hotfix during the reinstallation process. (Thanks Ed Ellks for the very detailed description!) In order to do so, please copy the hotfix to the \appliance\hotfixes folder after you created the USB stick.

 

D:\>dir appliance\hotfixes
 Volume in drive D is PHIONINST
 Volume Serial Number is 4C6D-EF18
 
 Directory of D:\appliance\hotfixes
 
23.09.2019  13:00    <DIR>          .
23.09.2019  13:00    <DIR>          ..
19.09.2019  09:49        21.943.798 cumulative-1015-8.0.1-68877267.tgz
               1 File(s)     21.943.798 bytes
               2 Dir(s)   6.346.047.488 bytes free
 
D:\>
 
And then reimage using this stick.
 
With this hotfix it should no longer be neccessary to use IP addresses for NTP servers.
 
As for DHCP and VLANs, the hotfix does not include a fix. Please try disabling the option "Header Reordering" despite the help text talks about enabling it. This actually is a bug in 8.0.1 which we will fix in 8.0.2. We are aware that you shoud not have to enable this setting again after patching to 8.0.2 ;)
 
Even with Hotfix 1015, showed version is 8.0.1-376. Shouldn't this tell 8.0.1-383?

 

 

After the hotfix the version stays at 8.0.1-376 which is perfectly fine. Having 8.0.1-376 plus the hotfix gives you the same fixes as 8.0.1-383 would give you.

 

DCAgent 7.1.76-0 won't work anymore (can't connect, have to wait for a new version)

 

 

Thanks for the report, we will check this.

 

In dashboard, updates are not visible, as the box says, it is not configured. Though it is.

 

 

And also this.

 

NTP is quite ... bumpy. Even though I configured "Start NTP with firewall" it takes several minutes to get the right time. Rebooted, same effect.

 

 

And also this :) 

 

Thanks a lot

Frank