Thursday, February 24, 2011

MGMT direct upgrade from R65 to R71.10 - beware

I have had an exciting weekend working with one of my customers in Geneva to upgrade a Provider-1 system to R71.10 from R65.

While the lab tests were showing success, the actual production upgrade failed badly.



The failure was only detected when we started pushing policy from the upgraded system. Suddenly we started getting syntax errors during policy compilation. These errors did not make any sense; they seemed to be just random lines of INSPECT code failing. There was no actual problem with the syntax, at least I have not managed to find any obvious one.

The rest of the functionality, including VSX provisioning and logging, was perfectly fine.

We tried to update the IPS definitions, because the problem seemed similar to the old R55 to R60 errors. No luck; the problem remained even after the IPS update.

With service windows closing on us we had to roll back to R65.

The problem is reproducible in the lab. Nevertheless, new lab tests we made this week show that while the R65 to R71 upgrade fails, the R65 to R70 upgrade path still seems to be working.

So here is my recommendation: do not skip major versions while going up from R65 on your management system. Otherwise you have a good chance of pulling some extra hours, as I have done. Guys, it is no fun.

8 comments:

  1. Hey - quick thought, check and see if there are reserved words in existing objects. "broadcast" is one I recall is now a reserved word, but used in existing objects, that would cause something like this perhaps....

  2. Checked that, it is not the case. Thanks for the hint though.

  3. Did you do a SmartDefense upgrade BEFORE upgrading the mgmt? In my scenarios this was sometimes the resolving hint...

  4. Hi Tom!

    Thanks for the suggestion, but the customer does not use SD at all. There is no subscription, there is no Internet access. Anyway, I do not understand why R65 to R70 works and R65 to R71 does not.

    Should not be that different.

  5. I usually do a fresh installation and use the migrate tools. Seems to cause fewer issues.

  6. Did not work in this specific case, sorry.

  7. I've upgraded R65 SC to R71.30 directly. There was an error as you describe while pushing policy, and the IPS update didn't solve it. I have copied IPS files from a clean R71.30 system to the upgraded systems and then updated the IPS definitions. After that the policy was installed successfully. And I don't have the IPS Blade enabled either, but it still affects policy compilation.

  8. Did you copy just R71 files or also R65 BC files?
