Upgrade a Fabric IPsec Gateway VM

If Extreme Networks makes a new version of the Fabric IPsec Gateway available, disable or uninstall the original virtual service, and then install the newer virtual service.

Before you begin

  • Ensure the image version is compatible with the NOS release that runs on the switch. For compatibility statements, see Fabric Engine Release Notes. If necessary, upgrade the NOS image before you upgrade the virtual service image.

  • Note

    Note

    The Fabric IPsec Gateway image includes no integrity check. Use SCP to copy the file to the switch and confirm the file size before installation.

About this task

Steps in this procedure include examples or links to background procedures if you are unfamiliar with how to complete a particular step.

Procedure

  1. Within the VM, save the configuration. For more information, see Save Running Configuration to a File. 
    Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#virtual-service figwOld console 
Connected to domain figw5.2 Escape character is ^Y 
FIGW> save config 
File already exists, do you want to overwrite [y/n]: y 
FIGW>
  2. Copy the configuration files (*.cfg), the shadov.txt file, which is an encrypted file that contains the authentication keys for the IPsec tunnels, and the default-config-file.txt file from the VM to intflash within the NOS. For more information, see Run a VM command from Network Operating System (NOS) CLI and Copy VM Files. 
    Switch:1(config)#mkdir figw
Switch:1(config)#virtual-service figwOld exec-command "ls /home/rwa/configs/"
    config.cfg 
    figw.cfg 
    figw_cli.log 
    new.cfg 
    shadov.txt
Switch:1(config)#exit
Switch:1#virtual-service copy-file figwOld:/home/rwa/configs/config.cfg /intflash/figw/config.cfg
Switch:1#virtual-service copy-file figwOld:/home/rwa/configs/new.cfg /intflash/figw/new.cfg
Switch:1#virtual-service copy-file figwOld:/home/rwa/configs/figw.cfg /intflash/figw/figw.cfg
Switch:1#virtual-service copy-file figwOld:/home/rwa/default-config-file.txt /intflash/figw/default-config-file.txt
Switch:1#virtual-service copy-file figwOld:/home/rwa/configs/shadov.txt /intflash/figw/shadov.txt
  3. Verify the file copy: 
    Switch:1#ls figw/ 
Listing Directory /intflash/figw/: 
drwxr-xr-x 2 0 0 4096 Jun 17 13:46 ./ 
drwxr-xr-x 31 0 0 4096 Jun 17 13:43 ../ 
-rw-r--r-- 1 0 0 851 Jun 17 13:44 config.cfg 
-rw-r--r-- 1 0 0 8 Jun 17 13:46 default-config-file.txt 
-rw-r--r-- 1 0 0 0 Jun 17 13:45 figw.cfg 
-rw-r--r-- 1 0 0 851 Jun 17 13:45 new.cfg 
-rw-r--r-- 1 0 0 32 Jun 17 13:45 shadov.txt
  4. Enter Global Configuration mode:

    enable

    configure terminal

  5. Disable the virtual service:

    no virtual-service WORD<1-128> enable

    Note

    Note

    If you instead uninstall the original virtual service, the system removes the complete virtual service configuration from the configuration file.

  6. Return to Privileged EXEC mode:

    end

  7. Install the virtual service package using the new image:

    virtual-service WORD<1-128> install package WORD<1-512>

  8. Reconfigure the virtual service. For more information, see Configure a Virtual Service.
  9. Copy the files you saved from the old VM to the same folder path in the new VM: 
    Switch:1(config)#exit
Switch:1#virtual-service copy-file /intflash/figw/config.cfg figwNew:/home/rwa/configs/config.cfg
Switch:1#virtual-service copy-file /intflash/figw/figw.cfg figwNew:/home/rwa/configs/figw.cfg
Switch:1#virtual-service copy-file /intflash/figw/new.cfg figwNew:/home/rwa/configs/new.cfg
Switch:1#virtual-service copy-file /intflash/figw/shadov.txt figwNew:/home/rwa/configs/shadov.txt
Switch:1#virtual-service copy-file /intflash/figw/default-config-file.txt figwNew:/home/rwa/default-config-file.txt
  10. Verify the file copy: 
    configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#virtual-service figwNew exec-command "ls /home/rwa/configs"
config.cfg 
figw.cfg 
figw_cli.log 
new.cfg 
shadov.txt
  11. Reboot the Fabric IPsec Gateway VM. For more information, see Reboot Fabric IPsec Gateway VM.
    Tip

    Tip

    As an alternative, you can disable and reenable the Fabric IPsec Gateway virtual service.

  12. Verify the running configuration of the new VM matches the configuration of the old VM: 
    Switch:1(config)#virtual-service figwNew figw-cli "show running-config"
set global ipsec-tunnel-src-vlan 30 
set global ipsec-tunnel-src-ip 30.30.30.2/24 
set global lan-intf-vlan 100 
set global lan-intf-ip 100.100.100.2/24 
set global lan-intf-gw-ip 100.100.100.102 
set global fe-tunnel-src-ip 102.102.102.102 
set global wan-intf-gw-ip 30.30.30.102 
set global mtu 1950 
set global services sshd enable 
set ipsec 104 auth-key ****** 
set ipsec 104 responder-only true 
set ipsec 104 fe-tunnel-dest-ip 104.104.104.104 
set ipsec 104 fragment-before-encrypt enable 
set ipsec 104 admin-state enable 
set ipsec 105 auth-key ****** 
set ipsec 105 responder-only true 
set ipsec 105 fe-tunnel-dest-ip 105.105.105.105 
set ipsec 105 fragment-before-encrypt enable 
set ipsec 105 admin-state enable 
set ipsec 107 auth-key ****** 
set ipsec 107 responder-only true 
set ipsec 107 fe-tunnel-dest-ip 192.168.22.107 
set ipsec 107 admin-state enable
  13. Remove the original image from the /var/lib/insight/packages/ directory on the switch:

    remove WORD<1-255>

9037469-00 Rev AB