This document provides the installation instructions and workflow for Cisco Crosswork Network Controller version 7.1.3, including details on patch file versions.

Patch installation workflow

Summary

These are the stages of the high-level workflow for installing the Crosswork Network Controller 7.1.3 patch.

Crosswork Network Controller release 7.1.3 supports upgrades from 7.1.0 and sequential upgrade from 7.1.0 → 7.1.1 → 7.1.2.

Upgrade process considerations

The upgrade process is disruptive and should be performed during a planned maintenance window. While the upgrade is deploying, some processes will temporarily report as unhealthy or degraded. This is expected behavior and will resolve automatically once the upgrade completes. The time required for each application or system patch can vary significantly, depending on factors such as the number of nodes in your deployment, the number of microservices being patched, and the overall system load.

  • After a patch is applied, application services can take time to return to a Healthy status. Most applications typically recover within 30 minutes, while system patches can take 45–75 minutes, especially in larger deployments. In multi-node clusters, the overall recovery time can increase based on the number of nodes. Before you install the next patch file, wait until the system status reflects Healthy.
  • If the system status does not return to "Healthy" within the expected time for your environment, or if you encounter any errors during patch installation, contact your Cisco Customer Experience representative for assistance before taking further steps.

Workflow

  1. Ensure that your environment meets all the Patch installation prerequisites.
  2. Compare the versions of your current Crosswork Network Controller components with the new patch versions to determine which components need an upgrade. See Crosswork Network Controller 7.1.3 component patch files for the versions you need.
  3. Extract and validate the Crosswork Network Controller 7.1.3 patch files. See Extract and validate patch files.
  4. Apply kube-proxy patch (only for EC2 deployments) to ensure CAPP installations proceed smoothly. This step should be completed before applying patches.
  5. Verify the inventory information on Crosswork Network Controller UI. If the information is not available, you cannot proceed with the patch installation. See Verify the inventory details.
  6. Add and install system OS patch.
  7. Add and install 7.1.3 patch files in the Crosswork Network Controller UI.
  8. (Optional) Install Geo Redundancy patch.
     Note

    If you are not using geo redundancy, you do not need to install this patch.

  9. Install the Cisco NSO function packs.

Patch installation prerequisites

Before you install the Crosswork Network Controller 7.1.3 patch, complete these prerequisites:

  • Install Crosswork Network Controller version 7.1.0.
  • Ensure that Python version 3.11.x or later is installed on the system where Cisco NSO runs.
  • If you use Crosswork Workflow Manager, install version 7.1.0.
  • Verify that you have Cisco Crosswork Controller Administrator user credentials.
  • Identify the Management IP address (either a physical IP address or the Virtual IP address) used for your Crosswork VM deployment.
  • Back up your data. For more information, see Manage Crosswork Network Controller Backup and Restore. Additionally, the server being patched should have sufficient space to unarchive and copy the files.
    • At least 5GB of free space in the /home/cw-admin/ directory.
    • At least 1GB of free space in the /tmp/ directory.
  • For deployments that use a standalone external NSO VM, the NSO version must be 6.4.11. If the NSO version is earlier than 6.4.11, plan to upgrade NSO after upgrading Crosswork Network Controller to 7.1.3. For upgrade instructions, refer to the Upgrade NSO section.
     Note

    This prerequisite does not apply to eNSO on SVM. During migration from 7.1.0 to 7.1.3, the required patch files are upgraded automatically.

  • Prerequisites for geo-redundant deployments: Before you apply the patch in a geo-redundant deployment, confirm the following:
    • The required components are installed on both the active and standby clusters:
      • Crosswork Network Controller cluster
      • Application CAPPs
      • Data Gateways
    • The backup status is healthy.
    • The most recent cross-cluster synchronization completed successfully and without errors.
       Note
      Schedule the patch upgrade during a maintenance window when no periodic synchronization is expected to run.
    • Before applying the patch, disable periodic synchronization from the Cross Cluster settings page by turning off Sync. Do not run on-demand or periodic synchronization until:
      • the patch upgrade is complete, and
      • all services are healthy on both the active and standby clusters.
      For more information, refer to Configure Cross Cluster Settings in the Cisco Crosswork Network Controller 7.1 Installation Guide.

Crosswork Network Controller 7.1.3 component patch files

Release 7.1.3 includes patch updates for a subset of components in the 7.1.x release line.

Each component follows its own patch version within the 7.1.x series. When you upgrade to 7.1.3, use the versions included with this release for the components that are updated. For components that are not updated in 7.1.3, continue using the latest available version from an earlier 7.1.x release.

As a result, the components in your deployment can have different patch version numbers after the upgrade. For example, one component might be at 7.1.3, another at 7.1.2, and another at 7.1.0, depending on when each component last received a patch.

This behavior is expected.

Collector patch types

In this release, collector patches are provided in two formats:

  • Crosswork Network Controller cluster deployments, where collectors run on external Data Gateways, update Crosswork Data Gateway through the Crosswork Infrastructure patch.
  • Single VM (SVM) deployments use the Embedded Collectors patch to update embedded collectors.

Both patch types contain the same collector fixes. Use the patch type that matches your deployment.

Installation sequence

Download these patch files from the Cisco Crosswork Network Controller 7.1.3 Software Download page to a local machine that can be accessed via SCP by Crosswork Network Controller.

Install the patch files in the specified sequence.

  • Cluster deployments: Install all required patches.
  • SVM deployments: Install all cluster patches, and then install the additional Embedded Collectors and eNSO patches.
  • Essential tier deployments: Install the Crosswork System patch, Crosswork Infrastructure patch, Element Management Function patch, and Embedded Collectors patches.
  1. Crosswork System patch: signed-cnc-system-patch-7.1.3-109.tar.gz
  2. Crosswork Infrastructure: signed-cw-na-infra-patch-7.1.3-15-release-260411.tar.gz
  3. Element Management Function: signed-cw-na-element-management-functions-patch-7.1.3-9-release-260416.tar.gz
  4. Crosswork Optimization Engine: signed-cw-na-coe-patch-7.1.3-2-release-260225.tar.gz
  5. NSO TSDN: tsdn-7.1.3-official-bundle-nso-6.4.11.20260227.f3d4631d.tar.gz
     Note

    Additional components to be installed on NSO are listed in the Install the Cisco NSO function packs.

    These instructions apply only to external NSO VMs integrated with Crosswork Network Controller. The containerized NSO included in SVM deployments is upgraded as part of the SVM upgrade. Any configuration-specific patches are documented within the SVM upgrade procedure.

  6. Crosswork Workflow Manager-Solutions: signed-cw-na-cwm-sol-2.0.3-4-releasecwms203-260310.tar.gz. Download this patch file from the Cisco Crosswork Workflow Manager 2.0.2 Software Download page.
     Note

    Crosswork Workflow Manager and Crosswork Workflow Manager Solutions CAPPs are supported only on cluster deployment for Crosswork Network Controller 7.1.3.

  7. Embedded Collectors: signed-cw-na-collectors-patch-7.1.3-3-release-260308.tar.gz
  8. Embedded NSO: signed-cw-na-enso-patch-7.1.3-14-releasecnc713-260409.tar.gz

Extract and validate patch files

This section explains how to extract and validate the downloaded 7.1.3 patch files.


Step 1

Navigate to the folder where the tar file was downloaded. As an example, consider the Crosswork Infrastructure signed patch image signed-cw-na-infra-patch-7.1.3-15-release-260411.tar.gz for this procedure.

cd <folder where the tar file was downloaded>

Step 2

Extract the signed file using this command.

tar -xzvf <signed image file>

The signed image package contains the patch file (.tar.gz) and relevant certificates for validation.

Example:

tar -xzvf signed-cw-na-infra-patch-7.1.3-15-release-260411.tar.gz

Output:

README
cw-na-infra-patch-7.1.3-15-release-260411.tar.gz
cw-na-infra-patch-7.1.3-15-release-260411.tar.gz.signature
CW-CCO_RELEASE.cer
cisco_x509_verify_release.py3
cisco_x509_verify_release.py

Step 3

Validate the extracted patch file using this command.

python3 cisco_x509_verify_release.py3 -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512
 Note

You must include this command as a single line, and the tool will wrap it according to the screen width.

Example:

python3 cisco_x509_verify_release.py3 -e CW-CCO_RELEASE.cer -i cw-na-infra-patch-7.1.3-15-release-260411.tar.gz -s cw-na-infra-patch-7.1.3-15-release-260411.tar.gz.signature -v dgst -sha512

Output:

Retrieving CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
Successfully retrieved and verified crcam2.cer.
Retrieving SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
Successfully retrieved and verified innerspace.cer.
Successfully verified root, subca and end-entity certificate chain.
Successfully fetched a public key from CW-CCO_RELEASE.cer.
Successfully verified the signature of cw-na-infra-patch-7.1.3-15-release-260411.tar.gz using CW-CCO_RELEASE.cer
 Note

After applying the infrastructure patch, Data Gateways may remain in an error state for 10–15 minutes. This is expected. The Data Gateways recover automatically.

Step 4

Repeat these steps for each patch file you plan to install.
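
Steps 1 to 4 as one batch run, as an added example rather than Cisco tooling: each signed bundle is extracted into its own directory, and the image is accepted only when the tool's output names that exact image and certificate as verified. The `validated` output directory and the handling of the tool's exit status are assumptions.

```python
import subprocess
import sys
import tarfile
from pathlib import Path

VERIFY_SCRIPT = "cisco_x509_verify_release.py3"     # shipped inside each signed bundle
SUCCESS = "Successfully verified the signature of"  # success line in the sample output


def locate_parts(workdir):
    """Find the image, signature and certificate extracted from one signed bundle."""
    workdir = Path(workdir)
    sigs = sorted(workdir.glob("*.tar.gz.signature"))
    certs = sorted(workdir.glob("*.cer"))
    if len(sigs) != 1 or len(certs) != 1:
        raise FileNotFoundError(f"{workdir}: need exactly one .signature and one .cer")
    image = workdir / sigs[0].name[: -len(".signature")]
    for needed in (image, workdir / VERIFY_SCRIPT):
        if not needed.is_file():
            raise FileNotFoundError(str(needed))
    return {"image": image.name, "signature": sigs[0].name, "cert": certs[0].name}


def build_command(parts):
    """The documented command as one argv list, so wrapping cannot split a file name."""
    # sys.executable stands in for `python3` (the interpreter running this script).
    return [sys.executable, VERIFY_SCRIPT, "-e", parts["cert"], "-i", parts["image"],
            "-s", parts["signature"], "-v", "dgst", "-sha512"]


def output_confirms(output, parts):
    """True only if the tool names this exact image and certificate as verified."""
    flat = " ".join(output.split())  # undo terminal wrapping of long file names
    return f"{SUCCESS} {parts['image']} using {parts['cert']}" in flat


def validate_bundle(bundle, workroot):
    """Extract one signed bundle into its own directory and validate the inner image."""
    bundle = Path(bundle)
    workdir = Path(workroot) / bundle.name[: -len(".tar.gz")]
    workdir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(bundle, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(workdir, filter="data")  # refuse members that escape workdir
        else:
            tar.extractall(workdir)
    parts = locate_parts(workdir)
    run = subprocess.run(build_command(parts), cwd=workdir, capture_output=True, text=True)
    # Assumption: the page does not document the tool's exit status, so require both
    # a zero status and the explicit success line before accepting the image.
    ok = run.returncode == 0 and output_confirms(run.stdout + run.stderr, parts)
    return ok, workdir / parts["image"]


def main(argv):
    failed = 0
    for bundle in argv[1:]:
        try:
            ok, image = validate_bundle(bundle, "validated")
        except (OSError, tarfile.TarError) as err:
            ok, image = False, f"{bundle} ({err})"
        print(("VERIFIED " if ok else "FAILED   ") + str(image))
        failed += not ok
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the downloaded signed bundles as arguments; a non-zero exit means at least one image must not be uploaded.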


Apply kube-proxy patch (only for EC2 deployments)

This section describes how to apply the kube-proxy.sh script for AWS EC2 deployments. Apply the script before installing the 7.1.3 patch files. The script is included in the 7.1.3 patch bundle; no separate download is required.

Run these commands on any Crosswork Network Controller cluster VM or node by connecting via CLI.


Step 1

Make the script executable.

Run chmod +x scripts/patch-kube-proxy.sh

Step 2

Verify if the kube-proxy patch is already applied.

Run ./scripts/patch-kube-proxy.sh --verify-only

  1. If the patch is not applied, apply the patch. Run ./scripts/patch-kube-proxy.sh.


What to do next

To view help and usage information, run ./scripts/patch-kube-proxy.sh --help. To back up the configuration, run ./scripts/patch-kube-proxy.sh --backup-only.

Verify the inventory details

This step describes the pre-patch verification step to confirm cluster or single VM health, node visibility, and service readiness across hybrid and worker nodes. Performing this verification can help identify potential issues such as resource discrepancies, VM status mismatches, or communication failures before patching begins. Although this step is optional, performing it can reduce the risk of patch failures during sequential updates.


Step 1

Verify the inventory details.

  1. From the main menu, go to Administration > Crosswork Manager, then click System Summary.

    For cluster deployments, the Cluster Management window opens. For single VM deployments, the SVM window opens.

  2. Verify that the upper-left corner of the Cluster Management screen shows values for total VM nodes, Crosswork image, IP addresses, and other system details.

Step 2

Import the inventory file.

  1. Navigate to the import inventory file for your deployment.

    • For cluster deployment, from the Cluster Management window, choose Actions > Import inventory to display the Import Inventory dialog box.
    • For single VM deployment, from the System Summary window, click and select Import Inventory.
  2. (Optional) Click Download sample template file to download the template.

  3. Update the file with information about the VMs in your cluster or single VM environment, and include the data center parameters. Then, verify the contents of the template file. For information about the parameters, see Installation parameters in the Cisco Crosswork Network Controller 7.1 Installation Guide.

     Note

    Uncomment or set the OP_Status = 2 parameter while importing the cluster inventory file manually. If you do not, the VM may incorrectly appear as "Initializing" even after becoming functional.

  4. Click Browse and select the cluster inventory file.

  5. Click Import to complete the operation.


The inventory is updated, and Crosswork Network Controller displays correct VM and node details.

Add and install system OS patch

This section explains how to add and install an OS patch from the Crosswork Network Controller UI.

 Note

For geo-redundant cluster setups, install this patch on the active, standby, and arbiter VMs.

Before you begin

For non-Docker-based deployments, before you install the OS patch, verify that all inventory details appear on the System Summary page.

If the inventory details are missing, import the inventory file (.tfvars) into Crosswork Network Controller before you continue.

 Important

If the inventory file is not imported, the patch installation fails. Crosswork Network Controller also cannot deploy or remove VM nodes in the cluster until the inventory file is imported. For instructions to import an inventory file, see Import cluster inventory in the Cisco Crosswork Network Controller 7.1 Installation Guide.


Step 1

Create a new backup if you do not already have one. Refer to Manage Crosswork Network Controller Backup and Restore.

Step 2

From the main menu, choose Administration > Crosswork Manager.

The Crosswork Manager page is displayed with System Summary and Crosswork Platform Infrastructure tiles. If the 7.1.2 CAPPs are installed, the corresponding CAPP tiles appear on the Crosswork Manager page.

Step 3

Click the System Management tab.

Step 4

Click Add OS patch.

  1. In the popup window choose either URL or SCP as your preferred protocol. Based on your selection, fill in the additional fields with the required information.

    Individual jobs are created to add the patch to repository, and to apply the package to each node in your cluster.
  2. Click Add to proceed.

Step 5

Click System Management > Job History.

Monitor patch and upgrade progress, and review the jobs created for each node in the cluster. To see the operations performed on a node, open the corresponding Job Details page.

Step 6

After the jobs complete successfully, verify that the OS patch is listed in the System updates tab.

  1. To install the OS patch, in the OS patches tile, click the vertical ellipsis (⋮), and select Install.

  2. To upgrade an installed OS patch, click the vertical ellipsis (⋮), and select Upgrade.

Step 7

(Optional) To see patch details, select the patch file and click Package details. You’ll see information such as package name, version, and description.

Step 8

(Optional) After all jobs are completed successfully, verify the updated package list for each node by navigating to Administration > Crosswork Manager > System Summary > <Node-Name> > View details > Package details tab.


Add and install 7.1.3 patch files

This section explains how to add and install the 7.1.3 patch files in the Crosswork Network Controller UI.

 Important

The infrastructure patch must be applied on the active, standby, and arbiter VMs. All other application patches should be applied only on the active and standby VMs.

Before you begin

Extract and validate the required 7.1.3 patch files using the instructions in Extract and validate patch files.


Step 1

Check the health status of your system. If any components are unhealthy or degraded, resolve the issues or contact your Cisco Customer Experience representative before proceeding.

Step 2

Click on Administration > Crosswork Management > Application Management tab. The Platform Infrastructure and any applications that are added are displayed here as tiles.

Step 3

Click Add new file > Upload application bundle (.tar.gz).

The Add Application Bundle (.tar.gz) dialog box is displayed.

Step 4

In the dialog box, choose either URL or SCP as your preferred protocol. Based on your selection, fill in the additional fields with the required information. Click Add to proceed.

 Note

When installing a Crosswork Network Controller package, there is no need to untar the package. You can add the package tarball as-is to the Crosswork UI and the applications within are automatically added. You can then install the individual applications as needed.

Step 5

Once the patch file is added, you can observe the existing application tile displaying an upgrade prompt. Click the upgrade prompt to install the patch file.

Step 6

In the Upgrade pop-up screen, select the new version that you want to upgrade to, and click Upgrade. Click on Job History to see the progress of the upgrade operation.

Monitor patch and upgrade progress, and review the jobs created for each node in the cluster. To see the operations performed on a node, open the corresponding Job Details page.

Step 7

Repeat steps 2 to 7 to add and install the remaining Crosswork Network Controller application patch files that you need.

Step 8

After the installation is complete, go to Administration > Crosswork Manager and confirm all of the applications are reporting a Healthy status.


What to do next

If your deployment uses a standalone external NSO VM and the NSO version is earlier than 6.4.11, upgrade NSO to version 6.4.11 after upgrading Crosswork Network Controller to 7.1.3. For upgrade instructions, refer to the Upgrade NSO section.

Install Geo Redundancy patch

If geo HA is not installed or is not at the required version, install geo HA using the artifacts from 7.1 before you continue. This section guides you through the process of enabling geo-redundancy and applying the required geo redundancy patch in the Crosswork Network Controller.

 Note

Geo-HA applies only to Crosswork Network Controller clusters where Geo-HA is enabled. The patch must be installed on both the active and standby clusters. If you are not using geo redundancy, you do not need to install this patch.

Before you begin

  • In a geo-redundant setup, ensure that all relevant files, such as the Crosswork Network Controller cluster, application CAPPs, and Data Gateways are installed on both the active and standby clusters.
  • Disable periodic synchronization by toggling off the Sync button on the Cross Cluster settings page before applying patches. No on-demand or periodic synchronization should be performed until the patch upgrades are completed and all services are confirmed to be healthy in both active and standby clusters. See Update an Application After Enabling Geo Redundancy.
  • Download the latest Geo Redundancy patch from cisco.com.
  • Extract and validate the Geo Redundancy 7.1.2 patch, signed-cw-na-geo-patch-7.1.2-5-release-251024.tar.gz, using the instructions in Extract and validate patch files.
  • Ensure that you have enabled Geo Redundancy in the Crosswork Network Controller UI. See Enable Geo Redundancy Solution.
  • Create a backup of your Crosswork cluster. Follow the instructions in Manage Backups chapter in Cisco Crosswork Network Controller 7.1 Administration Guide.
     Note

    Importing the cross cluster inventory template cannot be undone if there is no pre-existing backup of the system before the template is loaded.


Step 1

On both the active and standby clusters, complete Steps 2 and 3 to apply the patch file and provide the required details.

Step 2

Apply the Crosswork System, Crosswork Infrastructure, and Geo Redundancy Manager patches in this order with the active node first, then the standby node, and finally the arbiter node.

  1. In the Crosswork Network Controller UI, navigate to Administration > Crosswork Management > Application Management tab.

  2. Click on the Add File (.tar.gz) option to add the patch file. The Add File (tar.gz) via Secure Copy popup window is displayed.

  3. Enter the relevant information and click Add.

  4. Once the patch file is added, you can observe the existing application tile displaying an upgrade prompt. Click the upgrade prompt to install the patch file.

  5. In the Upgrade pop-up screen, select the new version that you want to upgrade to, and click Upgrade. Click on Job History to see the progress of the upgrade operation.

Step 3

After the installation is complete, go to Administration > Crosswork Manager and confirm all of the applications are reporting a Healthy status.


Install the Cisco NSO function packs

The steps you follow depend on your NSO deployment type.

eNSO (SVM-based deployment)

If you are upgrading to 7.1.3, the required patch files are automatically upgraded.

These patch files are included in the NSO function pack bundle and are deployed through NSO Deployment Manager in the Crosswork Network Controller UI.

For more information, see Install Cisco NSO Function Pack Bundles from Crosswork UI.

Standalone NSO (external NSO VM or NSO LSA deployment)

If you are using a standalone NSO deployment, including an external NSO VM or an NSO LSA deployment, you must manually install or upgrade the Cisco NSO function packs to ensure compatibility with Crosswork Network Controller 7.1.3.

The Cisco Crosswork Network Controller Function Pack (cnc-function-packs-7.1.3.tar.gz) for release 7.1.3 includes these function pack files:

  • T-SDN core function pack: tsdn-7.1.3-nso-6.4.11.20260227.f3d4631d.tar.gz
  • Device Lifecycle Management (DLM) function pack: dlm-7.1.3-nso-6.4.11.20260223.2e48151.tar.gz
  • Telemetry Traffic Collector (TM-TC) function pack: tmtc-7.1.3-nso-6.4.11.20260223.68a57273.tar.gz
  • Change Automation (CA) function pack: nca-7.1.3-nso-6.4.11.20260223.73b7e20.tar.gz
  • TE Manager function pack: temanager-7.1.3-nso-6.4.11.20260227.f3d4631d.tar.gz

Before you begin

  • Determine whether you want to perform a fresh installation or upgrade your existing NSO function packs.
  • Ensure that NSO version 6.4.11 is installed on the external NSO VM. For upgrade instructions, see Upgrade NSO documentation.

Step 1

Install or upgrade NSO function packs.

Step 2

Update the ncs.conf file to enable and configure NSO keepalive settings for stable RESTCONF integration.

Add the keepalive and keepalive-timeout configuration under both the <tcp> and <ssl> transport configurations.

<webui>
    <enabled>true</enabled>
    <transport>
      <tcp>
        <enabled>true</enabled>
        <keepalive>true</keepalive>
        <keepalive-timeout>3600</keepalive-timeout>
      </tcp>
      <ssl>
        <enabled>true</enabled>
        <keepalive>true</keepalive>
        <keepalive-timeout>3600</keepalive-timeout>
      </ssl>
    </transport>
    <!-- ... remaining webui settings ... -->
</webui>

Step 3

Restart NSO for the configuration in ncs.conf to take effect.

sudo systemctl restart ncs
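
A check to run on ncs.conf before the restart in Step 3, as an added example and not part of the Cisco procedure: it reports any transport under webui that lacks the Step 2 keepalive settings, and it reports a file that is not well-formed XML (for example after a stray closing tag). The sample document is constructed, and passing the ncs.conf path as the first argument is an assumption about how you would run it.

```python
import sys
import xml.etree.ElementTree as ET

EXPECTED_TIMEOUT = "3600"  # keepalive-timeout value used in Step 2

# Constructed sample: tcp carries the Step 2 settings, ssl does not.
SAMPLE = """<ncs-config xmlns="http://tail-f.com/yang/tailf-ncs-config">
  <webui>
    <enabled>true</enabled>
    <transport>
      <tcp>
        <enabled>true</enabled>
        <keepalive>true</keepalive>
        <keepalive-timeout>3600</keepalive-timeout>
      </tcp>
      <ssl>
        <enabled>true</enabled>
      </ssl>
    </transport>
  </webui>
</ncs-config>"""


def local(tag):
    """Drop the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def find(elem, name):
    """First direct child with this local name, or None."""
    if elem is None:
        return None
    return next((c for c in elem if local(c.tag) == name), None)


def value(elem, name):
    """Stripped text of a direct child, or None when the child is absent."""
    node = find(elem, name)
    return None if node is None else (node.text or "").strip()


def check_keepalive(conf_xml, timeout=EXPECTED_TIMEOUT):
    """Return a list of problems; an empty list means tcp and ssl both match Step 2."""
    try:
        root = ET.fromstring(conf_xml)
    except ET.ParseError as err:
        return [f"ncs.conf is not well-formed XML: {err}"]
    webui = next((e for e in root.iter() if local(e.tag) == "webui"), None)
    transport = find(webui, "transport")
    problems = []
    for name in ("tcp", "ssl"):
        node = find(transport, name)
        if node is None:
            problems.append(f"webui/transport/{name}: element missing")
            continue
        if value(node, "keepalive") != "true":
            problems.append(f"webui/transport/{name}: keepalive is not true")
        if value(node, "keepalive-timeout") != timeout:
            problems.append(f"webui/transport/{name}: keepalive-timeout is not {timeout}")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    issues = check_keepalive(text)
    print("\n".join(issues) if issues else "keepalive configured on tcp and ssl")
    sys.exit(1 if issues else 0)
```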