Administration Guide vA2(1.0), Cisco ACE Application Control Engine Module
Upgrading Your ACE Software

Table Of Contents

Upgrading Your ACE Software

Overview of Upgrading ACE Software

Before You Begin

Changing the Admin Password

Changing the www User Password

Checking Your Configuration for FT Priority and Preempt

Creating a Checkpoint

Updating Your Application Protocol Inspection Configurations

ACE Software Upgrade Quick Start

Copying the Software Upgrade Image to the ACE

Configuring the ACE to Autoboot the Software Image

Setting the Boot Variable

Configuring the Configuration Register to Autoboot the Boot Variable

Verifying the Boot Variable and Configuration Register

Reloading the ACE Module

Recovering the ACE from the ROMMON Utility

Booting the ACE from ROMMON with the Correct Image Name

Copying the ACE Image to the Supervisor Engine

Displaying Software Image Information


Upgrading Your ACE Software


This appendix provides information to upgrade your Cisco Application Control Engine (ACE) module. It contains the following major sections:

Overview of Upgrading ACE Software

Before You Begin

ACE Software Upgrade Quick Start

Copying the Software Upgrade Image to the ACE

Configuring the ACE to Autoboot the Software Image

Reloading the ACE Module

Recovering the ACE from the ROMMON Utility

Displaying Software Image Information

Overview of Upgrading ACE Software

Your ACE comes preloaded with the operating system software. To take advantage of new features and bug fixes, you can upgrade your ACE with a new version of software when it becomes available.

In the Admin context, you will use the copy command in Exec mode to manually install the software on each ACE. After the software installation is finished, set the boot variable and configuration register to autoboot the software image. Then, reload the modules to load the new image.

To minimize any disruption to existing network traffic during a software upgrade or downgrade, deploy your ACE modules in a redundant configuration. For details about redundancy, see Chapter 6, Configuring Redundant ACE Modules.


Note Software version A2(1.0) introduces hardware-assisted SSL (HTTPS) probes. For that reason, the ACE uses the all option for the default SSL version and uses the routing table (which may bypass the real server IP address) to direct HTTPS probes to their destination regardless of whether you specify the routed option in the ip address command. If you are using HTTPS probes in your A1(6.x) configuration with the default SSL version (SSLv3) or without the routed option, you may observe that your HTTPS probes behave differently with version A2(1.0). For more information about HTTPS probes, see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.


Before You Begin

Before you upgrade your ACE software, please read this appendix in its entirety so that you fully understand the entire upgrade process. Please be sure that your ACE configurations meet the upgrade prerequisites in the following sections:

Changing the Admin Password

Changing the www User Password

Checking Your Configuration for FT Priority and Preempt

Creating a Checkpoint

Updating Your Application Protocol Inspection Configurations

Changing the Admin Password

Before you upgrade to software version A2(1.1) or higher, you must change the default Admin password if you have not already done so. Otherwise, after you upgrade the ACE software, you will be able to log in to the ACE only through the console port or through the supervisor engine of the Catalyst 6500 series switch or the Cisco 7600 series router until you change the default Admin password. For details about changing the Admin password, see Chapter 1, Setting Up the ACE.

Changing the www User Password

Before you upgrade to software version A2(1.1) or higher, you must change the default www user password if you have not already done so. Otherwise, after you upgrade the ACE software, the www user will be disabled and you will not be able to use Extensible Markup Language (XML) to remotely configure an ACE until you change the default www user password. For details about changing the www user password, see Chapter 2, Configuring Virtualization in the Cisco Application Control Engine Module Virtualization Configuration Guide. In this case, the username would be www.

Checking Your Configuration for FT Priority and Preempt

If you want the currently active ACE to remain active after the software upgrade, be sure that the active ACE has a higher priority than the standby (peer) ACE and that the preempt command is configured. To check the redundant configuration of your ACEs, use the show running-config ft command. Note that the preempt command is enabled by default and does not appear in the running-config.
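Added example (not part of the original guide): a small Python check that applies the rule above to the show running-config ft output of both modules and treats a missing preempt line as enabled, because the default is not shown. The two configuration excerpts are constructed for illustration, the function names are mine, and the parser only reads the priority and preempt lines of each ft group block.

```python
import re

# Constructed excerpts of "show running-config ft" from the active (ACE-1)
# and standby (ACE-2) modules; not captured from a real device.
ACE1_FT = """\
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 100
ft group 1
  peer 1
  priority 150
  associate-context Admin
  inservice
"""

ACE2_FT = """\
ft group 1
  peer 1
  priority 100
  associate-context Admin
  inservice
"""


def parse_ft_groups(text):
    """Map ft group id -> {"priority": int or None, "preempt": bool}.

    preempt starts as True and is only cleared by an explicit "no preempt"
    line, because the enabled default does not appear in the running-config.
    """
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ft group (\d+)$", line)
        if m:
            current = int(m.group(1))
            groups[current] = {"priority": None, "preempt": True}
        elif current is not None and raw.startswith(" "):
            if line.startswith("priority "):
                groups[current]["priority"] = int(line.split()[1])
            elif line == "no preempt":
                groups[current]["preempt"] = False
            elif line == "preempt":
                groups[current]["preempt"] = True
        else:
            current = None  # any other top-level line closes the block
    return groups


def will_stay_active(active_cfg, standby_cfg, group):
    """Return (ok, reason): whether the currently active module reclaims the
    FT group once both modules run the new image and have resynchronized."""
    a = parse_ft_groups(active_cfg).get(group)
    s = parse_ft_groups(standby_cfg).get(group)
    if a is None or s is None:
        return False, f"ft group {group} is missing on one module"
    if a["priority"] is None or s["priority"] is None:
        return False, "set priority explicitly on both modules so the outcome is deterministic"
    if not a["preempt"]:
        return False, "no preempt on the active module: it will not take the group back"
    if a["priority"] <= s["priority"]:
        return False, f"active priority {a['priority']} is not higher than standby priority {s['priority']}"
    return True, f"active priority {a['priority']} > standby {s['priority']} and preempt is enabled"


if __name__ == "__main__":
    print(will_stay_active(ACE1_FT, ACE2_FT, 1))
```

Run it once per FT group before you start; a False result means the roles will swap after the upgrade unless you adjust priority or preempt first.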

Creating a Checkpoint

We strongly recommend that you create a checkpoint in the running-configuration file of each context in your ACE. A checkpoint creates a snapshot of your configuration that you can later roll back to in case a problem occurs with an upgrade and you want to downgrade the software to a previous release. Use the checkpoint create command in Exec mode in each context for which you want to create a configuration checkpoint and name the checkpoint. For details about creating a checkpoint and rolling back a configuration, see Chapter 4, Managing the ACE Software. For information about downgrading your ACE, see the Downgrading Your ACE Software section in the Release Note for the Cisco Application Control Engine Module.

Updating Your Application Protocol Inspection Configurations

Because the ACE version A2(1.x) software has stricter error checks for application protocol inspection configurations than A1(x) software versions, be sure that your inspection configurations meet the guidelines that follow. The error checking process in A2(1.x) software denies misconfigurations in inspection classifications (class maps) and displays error messages. If such misconfigurations exist in your startup- or running-configuration file before you load the A2(1.x) software, the standby ACE in a redundant configuration may boot up to the STANDBY_COLD state. For information about redundancy states, see Chapter 6, Configuring Redundant ACE Modules.

If the class map for the inspection traffic is generic (match . . . any or class-default is configured) so that noninspection traffic is also matched, the ACE displays an error message and does not accept the inspection configuration. For example:

switch/Admin(config)# class-map match-all TCP_ANY
switch/Admin(config-cmap)# match port tcp any
 
switch/Admin(config)# policy-map multi-match FTP_POLICY
switch/Admin(config-pmap)# class TCP_ANY 
switch/Admin(config-pmap-c)# inspect ftp
Error: This class doesn't have tcp protocol and a specific port

The following examples show some of the generic class-map match statements and an ACL that are not allowed in A2(1.x) inspection configurations:

match port tcp any

match port udp any

match port tcp range 0 65535

match port udp range 0 65535

match virtual-address 192.168.12.15 255.255.255.0 any

match virtual-address 192.168.12.15 255.255.255.0 tcp any

access-list acl1 line 10 extended permit ip any any

For application protocol inspection, the class map must have a specific protocol (related to the inspection type) configured and a specific port or range of port numbers.

For HTTP, FTP, RTSP, Skinny, and ILS protocol inspection, the class map must have TCP as the configured protocol and a specific port or range of ports. For example, enter the following commands:

host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match port tcp eq www

For SIP protocol inspection, the class map must have TCP or UDP as the configured protocol and a specific port or range of ports. For example, enter the following commands:

host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match port tcp eq 124

or

host1/Admin(config-cmap)# match port udp eq 135

For DNS inspection, the class map must have UDP as the configured protocol and a specific port or range of ports. For example, enter the following commands:

host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match port udp eq domain

For ICMP protocol inspection, the class map must have ICMP as the configured protocol. For example, enter the following commands:

host1/Admin(config)# access-list ACL1 extended permit icmp 192.168.12.15 255.255.255.0 192.168.16.25 255.255.255.0 echo

host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match access-list ACL1
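Added example, not part of the original guide: a Python linter that applies the A2(1.x) inspection rules above to a running-config excerpt before the upgrade, so that the stricter checks do not show up as a standby stuck in STANDBY_COLD after the reload. The configuration excerpt is constructed, the helper names are mine, and the checker simplifies two things: it requires every match line of a class map to be specific regardless of match-all or match-any, and it treats an ACL entry as specific whenever its protocol is not ip (the only ACL counter-example in the guide is permit ip any any).

```python
import re

# Constructed ACE running-config excerpt (illustrative; not from a real module).
SAMPLE_CONFIG = """\
access-list ACL1 extended permit ip any any
access-list ICMP_ACL extended permit icmp 192.168.12.15 255.255.255.0 192.168.16.25 255.255.255.0 echo
class-map match-all TCP_ANY
  match port tcp any
class-map match-all FTP_CLASS
  match port tcp eq ftp
class-map match-all DNS_CLASS
  match port tcp eq domain
class-map match-all ICMP_CLASS
  match access-list ICMP_ACL
policy-map multi-match FTP_POLICY
  class TCP_ANY
    inspect ftp
  class FTP_CLASS
    inspect ftp
  class DNS_CLASS
    inspect dns
  class ICMP_CLASS
    inspect icmp
"""

# L4 protocol each inspection type requires, per the guidelines above.
REQUIRED_PROTO = {
    "http": {"tcp"}, "ftp": {"tcp"}, "rtsp": {"tcp"}, "skinny": {"tcp"},
    "ils": {"tcp"}, "sip": {"tcp", "udp"}, "dns": {"udp"}, "icmp": {"icmp"},
}

ACL_RE = re.compile(r"access-list (\S+) (?:line \d+ )?extended (?:permit|deny) (\S+)\b")
PORT_RE = re.compile(r"match port (tcp|udp) (any|eq \S+|range (\d+) (\d+))$")
VIP_RE = re.compile(r"match virtual-address \S+ \S+ (?:(tcp|udp) )?(any|eq \S+|range (\d+) (\d+))$")


def parse_config(text):
    """Split the excerpt into ACL protocols, class-map match lines and
    (policy, class, inspect-type) triples."""
    acls, class_maps, policies = {}, {}, []
    cmap = policy = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # a top-level line closes any open block
            cmap = policy = cls = None
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif line.startswith("class-map "):
            cmap = line.split()[-1]
            class_maps[cmap] = []
        elif line.startswith("policy-map "):
            policy = line.split()[-1]
        elif cmap and line.startswith("match "):
            class_maps[cmap].append(line)
        elif policy and line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls and line.startswith("inspect "):
            policies.append((policy, cls, line.split()[1]))
    return acls, class_maps, policies


def is_specific(kind, lo, hi):
    """A port spec is generic when it is 'any' or the full 0-65535 range."""
    return not (kind == "any" or (lo == "0" and hi == "65535"))


def classify_match(line, acls):
    """Return (protocol, specific) for one class-map match line."""
    m = PORT_RE.match(line)
    if m:
        return m.group(1), is_specific(m.group(2), m.group(3), m.group(4))
    m = VIP_RE.match(line)
    if m:
        return m.group(1) or "ip", is_specific(m.group(2), m.group(3), m.group(4))
    m = re.match(r"match access-list (\S+)$", line)
    if m:
        protos = set(acls.get(m.group(1), []))
        if not protos or "ip" in protos:
            return "ip", False               # unknown ACL or a 'permit ip ...' entry
        return (protos.pop() if len(protos) == 1 else "mixed"), True
    return None, False                       # unsupported match form: treat as generic


def lint_inspection(config_text):
    """Return the inspection configurations A2(1.x) would reject."""
    acls, class_maps, policies = parse_config(config_text)
    problems = []
    for policy, cls, insp in policies:
        required = REQUIRED_PROTO.get(insp)
        if required is None:
            continue
        if cls == "class-default":
            problems.append(f"{policy}/{cls}: inspect {insp} on class-default matches all traffic")
            continue
        lines = class_maps.get(cls, [])
        if not lines:
            problems.append(f"{policy}/{cls}: class-map missing or has no match lines")
            continue
        for line in lines:
            proto, specific = classify_match(line, acls)
            if not specific:
                problems.append(f"{policy}/{cls}: generic match '{line}' is rejected")
            elif proto not in required:
                need = "/".join(sorted(required))
                problems.append(f"{policy}/{cls}: inspect {insp} needs {need}, class matches {proto}")
    return problems


if __name__ == "__main__":
    for problem in lint_inspection(SAMPLE_CONFIG):
        print(problem)
```

On the sample it reports TCP_ANY (generic tcp any) and DNS_CLASS (DNS inspection on a TCP class); FTP_CLASS and ICMP_CLASS pass. Feed it the output of show running-config from each context before you copy the new image.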

ACE Software Upgrade Quick Start

Table A-1 provides a quick overview of the steps required to upgrade the software on each ACE. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections that follow Table A-1. For clarity, the original active ACE is referred to as ACE-1 and the original standby ACE is referred to as ACE-2 in the following quick start.

Table A-1 ACE Software Upgrade Quick Start 

Task and Command Example

1. Log in to each ACE. The Exec mode prompt appears at the CLI. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the Admin context. If necessary, log directly in to, or change to the Admin context by entering the changeto command.

ACE-1/Admin# 

2. Save the running configurations of every context by entering the write memory all command in Exec mode in the Admin context of each ACE.

ACE-1/Admin# write memory all

3. Create a checkpoint in each context of both ACEs by entering the checkpoint create command in Exec mode.

ACE-1/Admin# checkpoint create ADMIN_CHECKPOINT
ACE-1/Admin# changeto C1
ACE-1/C1# checkpoint create C1_CHECKPOINT

4. Enter either the copy ftp, copy sftp, or the copy tftp command in Exec mode to copy the new software image to the image: directory of each ACE. For example, to copy the image with the name c6ace-t1k9-mz.A2_1.bin using FTP, enter:

ACE-1/Admin# copy ftp://server1/images/c6ace-t1k9-mz.A2_1.bin image:

5. If you are running software version A2(1.2) or later, check the MD5 checksum of the new software image on both ACEs to ensure that the copied image is identical to the image posted on Cisco.com. Compare the digest with the value published on Cisco.com for that download, not with a checksum supplied by the FTP or TFTP server that served the file, and do this before you set the boot variable, because a corrupted image leaves the ACE at the rommon prompt after the reload. For example, enter:

ACE-1/Admin# show file image:c6ace-t1k9-mz.A2_1.bin md5sum

6. Configure ACE-1 to automatically boot from the new image. Set the boot variable with the boot system image: command and set the configuration register to 1 with the config-register command, both in configuration mode. For example, enter:

ACE-1/Admin# config
ACE-1/Admin(config)# boot system image:c6ace-t1k9-mz.A2_1.bin
ACE-1/Admin(config)# config-register 1
ACE-1/Admin(config)# exit
ACE-1/Admin# 

You can set up to two images through the boot system command. If the first image fails, the ACE tries to boot from the second image.


Note Use the no boot system image: command to remove the previously configured boot variable.


7. Verify that the boot variable was synchronized to ACE-2 by entering the following command on ACE-2:

ACE-2/Admin# show bootvar
BOOT variable = "disk0:c6ace-t1k9-mz.A2_1.bin"
Configuration register is 0x1
ACE-2/Admin#

8. Enter the show ft group detail command in Exec mode to verify the state of each module. Upgrade the ACE that has its Admin context in the STANDBY_HOT state (ACE-2) first by entering the reload command in Exec mode. After ACE-2 boots up, it may take a few minutes to reach the STANDBY_HOT state again. Configuration synchronization is still enabled and the connections through ACE-1 are still being replicated to ACE-2.


Note Do not add any more commands to the ACE-1 configuration. At this point in the upgrade procedure, any incremental commands that you add to the ACE-1 configuration may not be properly synchronized to the ACE-2 configuration.


ACE-2/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes]

9. Disable preemption on ACE-1.

ACE-1/Admin# config
ACE-1/Admin(config)# ft group 1
ACE-1/Admin(config-ft-group)# no preempt
Press Ctrl-z to return to Exec mode.

10. Perform a graceful failover of all contexts from ACE-1 to ACE-2 by entering the ft switchover all command in Exec mode on ACE-1. ACE-2 becomes the new active ACE and assumes mastership of all active connections with no interruption to existing connections.

ACE-1/Admin# ft switchover all

11. Upgrade ACE-1 by reloading it and verify that ACE-1 enters the STANDBY_HOT state (this may take several minutes) by entering the show ft group detail command in Exec mode. Because both ACE-1 and ACE-2 are now running the same version of software, configuration mode is enabled. The configuration is synchronized from ACE-2 (currently active) to ACE-1.

ACE-1/Admin# reload

12. Reenable preempt on ACE-2. If ACE-1 is configured with a higher priority and preempt is configured on the FT group, ACE-1 reasserts mastership after it has received all configuration and state information from ACE-2, making ACE-2 the new standby. ACE-1 becomes the active ACE once again.

ACE-2/Admin# config
ACE-2/Admin(config)# ft group 1
ACE-2/Admin(config-ft-group)# preempt
Press Ctrl-z to return to Exec mode.

13. Enter the show ft group detail command to verify that ACE-1 is in the ACTIVE state and ACE-2 is in the STANDBY_HOT state.


Copying the Software Upgrade Image to the ACE

To copy a software image to the ACE, use the copy command in the Admin context from the Exec mode. You can copy a software image to the ACE from a variety of sources, including:

FTP server

SFTP server

TFTP server

The copy command allows you to rename the image copied to the ACE. FTP and TFTP transfer the image without encryption or integrity protection, so prefer SFTP when the server supports it, and verify the MD5 checksum of the copied image (see the "ACE Software Upgrade Quick Start" section) before you set the boot variable.

The syntax of this command is as follows:

copy {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]} image:[name]

The keywords, arguments, and options are as follows:

ftp://server/path[/filename]—Specifies the URL of the software image located on an FTP server. This path is optional because the ACE prompts you for this information if you omit it.

sftp://[username@]server/path[/filename]—Specifies the URL of a software image on a secure FTP server. This path is optional because the ACE prompts you for this information if you omit it.

tftp://server[:port]/path[/filename]—Specifies the URL of a software image on a trivial FTP server. This path is optional because the ACE prompts you for this information if you omit it.

image:[name]—Specifies the name for the software image copied to the ACE. If you do not enter the name argument, the ACE uses the default name of the image.

For example, to copy the image c6ace-t1k9-mz.A2_1.bin located on an FTP server to the ACE, enter:

host1/Admin# copy ftp://server1/images/c6ace-t1k9-mz.A2_1.bin image:

To set the boot variable and configure the ACE to autoboot this image, see the "Configuring the ACE to Autoboot the Software Image" section.

Configuring the ACE to Autoboot the Software Image

After you copy the image to the ACE, configure it to autoboot the image by setting the boot variable and the configuration register. The boot variable specifies the image from which the ACE boots at startup. The configuration register determines whether the ACE autoboots the image defined by the boot variable or stops at the rommon prompt.

This section contains the following topics:

Setting the Boot Variable

Configuring the Configuration Register to Autoboot the Boot Variable

Verifying the Boot Variable and Configuration Register

For detailed information on the boot variable and configuration register, see Chapter 1, Setting Up the ACE.

Setting the Boot Variable

To set the boot variable, use the boot system image: command in the Admin context in configuration mode. The syntax of this command is as follows:

boot system image:image_name

The image_name argument is the name of the installed image.


Caution If you set a single image through the boot system image: command, be sure to enter the image name correctly. Otherwise, when you attempt to reload the ACE, it uses the incorrect image name, fails the reload, and accesses the ROMMON utility. For information on recovering from this problem, see the "Recovering the ACE from the ROMMON Utility" section.

You can set up to two images through the boot system command. If the first image fails, the ACE tries the second image.

For example, to set the boot variable with the c6ace-t1k9-mz.A2_1.bin image, enter:

host1/Admin(config)# boot system image:c6ace-t1k9-mz.A2_1.bin 

Use the no boot system image: command to unset the previously configured boot variable.

Configuring the Configuration Register to Autoboot the Boot Variable

To configure the ACE to autoboot the system image identified in the boot environment variable, use the config-register command in the Admin context from the configuration mode and set the configuration register to 1.


Note A config-register setting of 0 instructs the ACE to boot to the rommon prompt upon a reboot. The ACE remains in ROMMON mode at startup.


For example, to set the register to 1, enter:

host1/Admin(config)# config-register 1

Verifying the Boot Variable and Configuration Register

To verify the boot variable and configuration register, use the show bootvar command in the Admin context from the Exec mode. For example, enter:

host1/Admin# show bootvar
BOOT variable = "disk0:c6ace-t1k9-mz.A2_1.bin"
Configuration register is 0x1
host1/Admin#

The 0x1 indicates that the configuration register is set to 1.
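Added example, not from the guide: a Python pre-reload check that reads the output of show bootvar, a directory listing of image:, and the show file image: ... md5sum output pasted from a session, and flags the failure modes this appendix describes: a boot image name that does not match a file on the module (which drops the ACE to ROMMON, as the caution above warns), a configuration register other than 1, and a digest that differs from the value published on Cisco.com. The sample outputs are constructed: the directory column layout and the md5sum output format are assumptions, so the parser relies only on the last token of each directory line and on a 32-hex-digit string in the checksum output, and the digest values are placeholders rather than real Cisco checksums.

```python
import re

# Constructed command output (not captured from a real module). The boot
# variable deliberately carries the misspelt name from the ROMMON recovery
# section, the register is 0, and the digest is a placeholder.
BOOTVAR_OUT = (
    'BOOT variable = "disk0:c6ace-t1k9mz.A2_1.bin"\n'
    "Configuration register is 0x0\n"
)
DIR_OUT = (
    "   28583947   c6ace-t1k9-mz.A2_1.bin\n"
    "   27004201   c6ace-t1k9-mz.A1_6_2.bin\n"
)
MD5_OUT = {"c6ace-t1k9-mz.A2_1.bin": "0123456789abcdef0123456789abcdef\n"}
PUBLISHED_MD5 = {"c6ace-t1k9-mz.A2_1.bin": "0123456789abcdef0123456789abcdef"}

BOOT_RE = re.compile(r'BOOT variable = "(?:[^:"]+:)?([^"]+)"')
CONFREG_RE = re.compile(r"Configuration register is 0x([0-9a-fA-F]+)")
MD5_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")


def parse_bootvar(text):
    """Return ([boot image names without the disk0: prefix], register as int)."""
    images = [m.group(1) for m in BOOT_RE.finditer(text)]
    m = CONFREG_RE.search(text)
    return images, (int(m.group(1), 16) if m else None)


def parse_dir(text):
    """Collect .bin file names from a directory listing; only the last column
    is used because the other columns are an assumption."""
    names = set()
    for entry in text.splitlines():
        parts = entry.split()
        if parts and parts[-1].endswith(".bin"):
            names.add(parts[-1])
    return names


def preflight(bootvar_out, dir_out, md5_outputs, published):
    """Return the reasons not to reload yet; an empty list means go."""
    problems = []
    images, register = parse_bootvar(bootvar_out)
    present = parse_dir(dir_out)
    if not images:
        problems.append("no boot variable set: reload would stop at the rommon prompt")
    for img in images:
        if img not in present:
            problems.append(f"boot image {img!r} is not in image: (check the spelling)")
    if register != 1:
        problems.append(f"config-register is {register}, expected 1")
    for img, out in md5_outputs.items():
        m = MD5_RE.search(out)
        expected = published.get(img, "").lower()
        if not m:
            problems.append(f"{img}: no MD5 digest found in command output")
        elif m.group(1).lower() != expected:
            problems.append(f"{img}: MD5 {m.group(1)} differs from the published value")
    return problems


if __name__ == "__main__":
    for line in preflight(BOOTVAR_OUT, DIR_OUT, MD5_OUT, PUBLISHED_MD5) or ["ready to reload"]:
        print(line)
```

Take the published digest from the Cisco.com download page over HTTPS rather than from the FTP or TFTP server that delivered the image; MD5 only tells you the copy matches what was published, so the comparison value must come from a channel the transfer server cannot influence.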

Reloading the ACE Module

To allow the ACE to use the installed software upgrade, reload the ACE module. To reload the ACE, use the reload command in the Admin context in Exec mode. The syntax of this command is as follows:

reload

For example, enter:

host1/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes]

If you reload the ACE and the rommon mode prompt appears, a problem with the upgrade or with the ACE has occurred. See the "Recovering the ACE from the ROMMON Utility" section for more information.

Recovering the ACE from the ROMMON Utility

If you reload the ACE and the rommon mode prompt appears, one of the following problems may have occurred:

You entered the installed image name incorrectly. This problem assumes that you correctly installed the image on the ACE.

The downloaded ACE image is corrupted.

The ACE compact Flash had a hardware failure.

If you incorrectly entered the image name, boot the ACE from the rommon prompt and then after the ACE reboots, correct the image name in the boot variable. For more information, see the "Booting the ACE from ROMMON with the Correct Image Name" section.

If the downloaded image is corrupted or the compact Flash failed, copy the ACE image to the supervisor engine and boot the ACE from the supervisor engine. For more information, see the "Copying the ACE Image to the Supervisor Engine" section.

Booting the ACE from ROMMON with the Correct Image Name

If you set a single image through the boot system command, you must enter the image name correctly for the ACE to reload successfully. Otherwise, when you attempt to reload the ACE, it uses the incorrect image name, fails the reload, and accesses the ROMMON utility as indicated by the rommon mode prompt.

After the attempted reload, a boot message (similar to the following) appears in the CLI indicating that the image could not load:

boot: cannot load "disk0:c6ace-t1k9mz.A2_1.bin"

Verify whether the image name is correct. If it is, then the problem could be a corrupted image or a compact Flash failure. For more information on how to reload the ACE from these conditions, see the "Copying the ACE Image to the Supervisor Engine" section.

In this example, the image name is incorrect. The c6ace-t1k9mz.A2_1.bin image in the message should be c6ace-t1k9-mz.A2_1.bin.

To boot the ACE with the correct image name from rommon mode and correct the image name in the boot variable, perform the following steps:


Step 1 Access the disk0: directory to view the correct image name.

rommon 1> dir disk0:
Directory of disk0:

20903   28583947   -rw-   c6ace-t1k9-mz.A2_1.bin   <correct image
2       74448896   -rw-   TN-CONFIG
....
rommon 2> 

Step 2 Set the boot image that is on ACE.

rommon 2> BOOT=disk0:c6ace-t1k9-mz.A2_1.bin

Step 3 Verify the boot image in the configuration variables.

rommon 3> set
PS1=rommon !>
RELOAD_REASON=reload command by admin
?=0
BOOT=disk0:c6ace-t1k9-mz.A2_1.bin
rommon 4> 

Step 4 Boot the image on the ACE.

rommon 4> boot
Loading disk0:c6ace-t1k9-mz.A2_1.bin. Please wait...

The boot process may take several minutes to finish.

Step 5 When the login prompt appears, log in to the ACE.

host1 login: admin
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
host1/Admin#

Step 6 Access configuration mode in the Admin context and unset the previously configured boot variable by using the no boot system image: command.

host1/Admin# config
host1/Admin(config)# no boot system image:c6ace-t1k9mz.A2_1.bin 

Step 7 Reset the boot variable with the correct image name by using the boot system image: command.

host1/Admin(config)# boot system image:c6ace-t1k9-mz.A2_1.bin 

Step 8 To verify that the boot variable has the correct image name, use the show bootvar command in the Admin context from the Exec mode.

host1/Admin# show bootvar
BOOT variable = "c6ace-t1k9-mz.A2_1.bin"
Configuration register is 0x1
host1/Admin#


Copying the ACE Image to the Supervisor Engine

If you download a corrupted ACE image or the ACE compact Flash has failed, you can boot the ACE from an image copied to the supervisor engine.

From the supervisor engine CLI, perform the following steps:


Step 1 Copy the ACE image to disk0: on the supervisor engine by using the copy command. For example, to copy the c6ace-t1k9-mz.A2_1.bin image from a TFTP server to disk0:, enter:

Router# copy tftp://192.168.144.14/tftpboot/c6ace-t1k9-mz.A2_1.bin disk0:
Destination filename [c6ace-t1k9-mz.A2_1.bin]?
Accessing tftp://192.168.144.14/tftpboot/c6ace-t1k9-mz.A2_1.bin ...
Loading /tftpboot/c6ace-t1k9-mz.A2_1.bin from 192.168.144.14 (via VLAN 
12):!!!!!!!!!!!!!!!!!!!!!!!!...
[OK - 29251568 bytes]

29251568 bytes copied in 81.600 secs (358475 bytes/sec)
Router# 

Step 2 After the image is copied to the supervisor engine, access configuration mode and set the boot variable for the ACE and the image. For example, to access configuration mode and set the boot variable if the ACE is in slot 3, enter:

Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#boot device module 3 disk0:c6ace-t1k9-mz.A2_1.bin
Device BOOT variable = disk0:c6ace-t1k9-mz.A2_1.bin
Warning: Device list is not verified
Router#


From the ACE, perform the following steps:


Step 1 Boot the ACE from the image on the supervisor engine by using the boot eobc: command.

rommon 1> boot eobc:

Step 2 When the login prompt appears, log in to the ACE.

host1 login: admin
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
host1/Admin#

Step 3 If the image on the ACE is corrupted, copy another image onto the ACE as described in the "Copying the Software Upgrade Image to the ACE" section. Then configure the ACE to autoboot the image as described in the "Configuring the ACE to Autoboot the Software Image" section.

If the compact Flash on the ACE had a hardware failure, contact TAC support for assistance.


Displaying Software Image Information

To display the software image on the ACE, use the show version command in Exec mode. The syntax of this command is as follows:

show version

For example, enter:

host1/Admin# show version