This document provides the installation instructions and workflow for Cisco Crosswork Network Controller version 7.2.1, including details on patch file versions.

Patch installation workflow

Summary

Crosswork Network Controller release 7.2.1 supports upgrade from releases 7.2.0.

Upgrade process considerations

The upgrade process is disruptive and should be performed during a planned maintenance window. While the upgrade is deploying, some processes will temporarily report as unhealthy or degraded. This is expected behavior and will resolve automatically once the upgrade completes. The time required for each application or system patch can vary significantly, depending on factors such as the number of nodes in your deployment, the number of microservices being patched, and the overall system load.

  • Most applications return to healthy status within 30 minutes per application. System patch may require additional time (45–75 minutes), especially in larger deployments. For multi-node clusters, allow extra time proportional to the number of nodes.
  • Wait until the system status reflects "Healthy" before proceeding to install the next patch file.
  • If the system status does not return to "Healthy" within the expected time for your environment, or if you encounter any errors during patch installation, contact your Cisco Customer Experience representative for assistance before taking further steps.

Workflow

  1. Ensure that your environment meets all the Patch installation prerequisites.
  2. Compare the versions of your current Crosswork Network Controller components with the new patch versions to determine which components need an upgrade. Refer to Crosswork Network Controller 7.2.1 component patch files.
  3. Extract and validate patch files the Crosswork Network Controller 7.2.1 patch files.
  4. Verify the inventory information on Crosswork Network Controller UI. If the information is not available, you cannot proceed with the patch installation. Refer to Verify the inventory details.
  5. Add and install system OS patch file in the Crosswork Network Controller UI.
  6. Add and install 7.2.1 patch files.
  7. (Optional) Install Geo Redundancy patch.
     Note

    If you are not using geo redundancy, you do not need to install this patch.

  8. Install the Cisco NSO function packs.
     Note
    The Essentials tier does not require installation of NSO function packs.

Patch installation prerequisites

Before you install the Crosswork Network Controller 7.2.1 patch, complete these prerequisites:

  • Ensure that the Python version 3.0 or later is installed.
  • Install Crosswork Network Controller version 7.2.0.
  • Verify that you have Cisco Crosswork Controller Administrator user credentials.
  • Identify the Management IP address (either a physical IP address or the Virtual IP address) used for your Crosswork VM deployment.
  • Back up your data. For more information, see Manage Backup and Restore..
  • Ensure sufficient disk space on the server. The upgrade fails if space is insufficient.
    • At least 5 GB of free space in the /home/cw-admin/ directory
    • At least 1 GB of free space in the /tmp/ directory
  • For deployments that use a standalone external NSO VM, the NSO version must be 6.4.11. If the NSO version is earlier than 6.4.11, plan to upgrade NSO after upgrading Crosswork Network Controller to 7.2.1. For upgrade instructions, refer to the Upgrade NSO section.
     Note

    This prerequisite does not apply to Embedded NSO on SVM. During migration from 7.2.0 to 7.2.1, the required patch files are upgraded automatically.

Prerequisites for geo-redundant deployments

Before you apply the patch in a geo-redundant deployment, confirm the following:
  • The primary and backup servers meet all of the prerequsisites identified in the previous patch install prerequisite section.
  • The backup status is healthy.
  • The most recent cross-cluster synchronization completed successfully and without errors.
     Note

    Run on-demand or periodic synchronization only after the patches are upgraded and all services are healthy on both the active and standby clusters.

    For more information, refer to Configure Cross Cluster Settings in the Cisco Crosswork Network Controller 7.2 Installation Guide.

Crosswork Network Controller 7.2.1 component patch files

Release 7.2.1 includes patch updates for a subset of components in the 7.2.0 release line.

Each component follows its own patch version within the 7.2.0. When upgrading to 7.2.1, use the versions included in this release for components that are updated. For components not updated in 7.2.1, continue using version 7.2.0.

After the upgrade, components in your deployment may run different patch versions. For example, one component might be at 7.2.1 while another remains at 7.2.0, depending on whether it was updated in this release. This behavior is expected.

Collector patch types

In this release, collector patches are provided in two formats:

  • Crosswork Data Gateway through the Crosswork Infrastructure patch for Crosswork Network Controller cluster deployments, where collectors run on external Data Gateways.
  • Single VM (SVM) deployments use the Embedded Collectors patch to update embedded collectors.

Both patch types contain the same collector fixes. Use the patch type that matches your deployment.

Installation sequence

Download the patch files from the Cisco Crosswork Network Controller 7.2.1 Software Download page to a local machine that can be accessed via SCP by Crosswork Network Controller.

Install the patch files in the specified sequence.

  • Cluster deployments: Install all required patches.
  • SVM deployments: Install the Crosswork System patch and any patches required for the applications installed on your system. Then, install the Embedded Collectors and Embedded NSO. Refer to Single VM deployment patch files.

Cluster deployment patch files

Use this section if you are deploying a Crosswork Network Controller in a cluster deployment.

 Note
The files are listed in the order in which they must be installed.
  1. Crosswork System patch: signed-cnc-system-patch-7.2.1-19.tar.gz
  2. Crosswork Infrastructure: signed-cw-na-infra-patch-7.2.1-15-release-260414.tar.gz
  3. Element Management Function: signed-cw-na-element-management-functions-patch-7.2.1-15-release-260422.tar.gz
  4. Service Health: signed-cw-na-aa-patch-7.2.1-5-release-260305.tar.gz
  5. Crosswork Workflow Manager: signed-cw-na-cwm-2.1.1-12_releasecwm211-260409.tar.gz
  6. Crosswork Workflow Manager Solutions: signed-cw-na-cwm-sol-patch-2.1.1-866-releasecwms211-260408.tar.gz. Download this patch file from the Cisco Crosswork Workflow Manager 2.1.0 Software Download page.
  7. TSDN NSO: cnc-function-packs-7.2.1.signed.bin. Download and extract the bin file to access the individual function pack files used for installation or upgrade. Refer to Install the Cisco NSO function packs.
     Note

    These instructions apply only to external NSO VMs integrated with Crosswork Network Controller. The containerized NSO included in SVM deployments is upgraded as part of the SVM upgrade. Any configuration-specific patches are documented within the SVM upgrade procedure.

  8. Crosswork Optimization Engine: signed-cw-na-coe-patch-7.2.1-2-release-260326.tar.gz

Single VM deployment patch files

Use this section if you are deploying a Crosswork Network Controller on a single VM.

 Note
The files are listed in the order in which they must be installed.
  1. Embedded Collectors: signed-cw-na-collectors-patch-7.2.1-3-release-260307.tar.gz
  2. Embedded NSO: signed-cw-na-enso-patch-7.2.1-16-releasecnc721-260414.tar.gz

Extract and validate patch files

This section explains how to extract and validate the downloaded 7.2.1 patch files.

Step 1

Navigate to the folder where the tar file was downloaded. As an example, consider the Crosswork Infrastructure signed patch image signed-cw-na-infra-patch-7.2.1-15-release-260414.tar.gz for this procedure.

cd <folder where the tar file was downloaded>

Step 2

Extract the signed file using this command.

tar -xzvf <signed image file>

The signed image package contains the patch file (.tar.gz) and relevant certificates for validation.

Example:

tar -xzvf signed-cw-na-infra-patch-7.2.1-15-release-260414.tar.gz

Output:

README
cw-na-infra-patch-7.2.1-15-release-260414.tar.gz

cw-na-infra-patch-7.2.1-15-release-260414.tar.gz
.tar.gz.signature
CW-CCO_RELEASE.cer
cisco_x509_verify_release.py3
cisco_x509_verify_release.py

Step 3

Validate the extracted patch file using this command.

python3 cisco_x509_verify_release.py3 -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512
 Note

You must include this command as a single line, and the tool will wrap it according to the screen width.

Example:

python3 cisco_x509_verify_release.py3 -e CW-CCO_RELEASE.cer -i cw-na-infra-patch-7.2.1-15-release-260414.tar.gz
 -s cw-na-infra-patch-7.2.1-15-release-260414.tar.gz
.signature -v dgst -sha512

Output:

Retrieving CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
Successfully retrieved and verified crcam2.cer.
Retrieving SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
Successfully retrieved and verified innerspace.cer.
Successfully verified root, subca and end-entity certificate chain.
Successfully fetched a public key from CW-CCO_RELEASE.cer.
Successfully verified the signature of cw-na-infra-patch-7.2.1-15-release-260414.tar.gz
using CW-CCO_RELEASE.cer

Step 4

Repeat these steps for each patch file you plan to install.

Verify the inventory details

This step describes a recommended pre-patch verification step to confirm cluster or single VM health, node visibility, and service readiness across hybrid and worker nodes. Performing this verification can help identify potential issues such as resource discrepancies, VM status mismatches, or communication failures before patching begins. Although this step is optional, performing it can reduce the risk of patch failures during sequential updates.

Step 1

Verify the inventory details.

  1. From the main menu, go to Administration > Crosswork Manager, then click System Summary.

    For cluster deployments, the Cluster Management window opens. For single VM deployments, the SVM window opens.

  2. Verify that the upper-left corner of the Cluster Management screen shows values for total VM nodes, Crosswork image, IP addresses, and other system details.

Step 2

Import the inventory file.

  1. Navigate to the import inventory file for your deployment.

    • For cluster deployment, from the Cluster Management window, choose Actions > Import inventory to display the Import Inventory dialog box.
    • For single VM deployment, from the System Summary, window click and select Import inventory.

  2. (Optional) Click Download sample template file to download the template.

  3. Update the file with information about the VMs in your cluster or single VM environment, and include the data center parameters. Then, verify the contents of the template file. For information about the parameters, see Installation parameters in the Cisco Crosswork Network Controller 7.2 Installation Guide.

     Note

    When importing the cluster inventory file manually, ensure that OP_Status is set to 2. Otherwise, the VM may continue to appear as Initializing even after it is functional.

    For non-vCenter deployments, also set the nonvcenter flag to True.

  4. Click Browse and select the cluster inventory file.

  5. Click Import to complete the operation.

For more details and supporting documentation, see:

The inventory is updated, and Crosswork Network Controller displays correct VM and node details.

Add and install system OS patch

This section explains how to add and install an OS patch from the Crosswork Network Controller UI.

 Note

In a geo-redundant setup, install the OS patch on all applicable VMs, including the active, standby, and arbiter VMs, for both cluster and single-VM deployments.

Before you begin

For non-Docker-based deployments, before you install the OS patch, verify that all inventory details appear on the System Summary page.

If the inventory details are missing, import the inventory file (.tfvars) into Crosswork Network Controller before you continue.

 Important

If the inventory file is not imported, the patch installation fails. Crosswork Network Controller also cannot deploy or remove VM nodes in the cluster until the inventory file is imported.

For instructions to import an inventory file, see Import Cluster Inventory in the Cisco Crosswork Network Controller 7.2 Installation Guide.

Step 1

Create a new backup if you do not already have one. Refer to Manage Backup and Restore.

Step 2

From the main menu, choose Administration > Crosswork Manager.

The Crosswork Manager page is displayed with System Summary and Crosswork Platform Infrastructure tiles. If the 7.2.0 CAPPs are installed, the corresponding CAPP tiles appear on the Crosswork Manager page.

Step 3

Click the System Management tab.

Step 4

Click Add OS patch.

  1. In the popup window choose either URL or SCP as your preferred protocol. Based on your selection, fill in the additional fields with the required information.

    Individual jobs are created to add the patch to repository, and to apply the package to each node in your cluster.

  2. Click Add to proceed.

Step 5

Click System Management > Job History.

Monitor patch and upgrade progress, and review the jobs created for each node in the cluster. To see the operations performed on a node, open the corresponding Job Details page.

Step 6

After the jobs complete successfully, verify that the OS patch is listed in the System updates tab.

  1. To upgrade an installed OS patch, click the vertical ellipsis (⋮), select Upgrade, and in the System Upgrade dialog, click Proceed.

  2. To monitor the progress of the upgrade, navigate to System Management > Job History.

Step 7

(Optional) To see patch details, select the patch file and click Package details. You will see information such as package name, version, and description.

Step 8

(Optional) After all jobs are completed successfully, verify the updated package list for each node by navigating to Administration > Crosswork Manager > System Summary > <Node-Name> > View details > Package details tab.

Add and install 7.2.1 patch files

This section explains how to add and install the 7.2.1 patch files in the Crosswork Network Controller UI.

 Important

The infrastructure patch must be applied on the active, standby, and arbiter VMs. All other application patches should be applied only on the active and standby VMs.

Before you begin

Extract and validate the required 7.2.1 patch files using the instructions in Extract and validate patch files.

Step 1

Check the health status of your system. If any components are unhealthy or degraded, resolve the issues or contact your Cisco Customer Experience representative before proceeding.

Step 2

Click on Administration > Crosswork Management > Application Management tab. The Platform Infrastructure and any applications that are added are displayed here as tiles.

Step 3

Click Add new file > Upload application bundle (.tar.gz).

The Add Application Bundle (.tar.gz) dialog box is displayed.

Step 4

In the dialog box, choose either URL or SCP as your preferred protocol. Based on your selection, fill in the additional fields with the required information. Click Add to proceed.

 Note

When installing a Crosswork Network Controller package, there is no need to untar the package. You can add the package tarball as-is to the Crosswork UI and the applications within are automatically added. You can then install the individual applications as needed.

Step 5

Once the patch file is added, you can observe the existing application tile displaying an upgrade prompt. Click the upgrade prompt to install the patch file.

Step 6

In the Upgrade pop-up screen, select the new version that you want to upgrade to, and click Upgrade.

Monitor patch and upgrade progress, and review the jobs created for each node in the cluster. To see the operations performed on a node, open the corresponding Job Details page.

Step 7

Repeat steps 2 to 7 to add and install the remaining Crosswork Network Controller application patch files that you need.

Step 8

After the installation is complete, go to Administration > Crosswork Manager and confirm all of the applications are reporting a Healthy status.

What to do next

If your deployment uses a standalone external NSO VM and the NSO version is earlier than 6.4.11, upgrade NSO to version 6.4.11 after upgrading Crosswork Network Controller to 7.2.1. For upgrade instructions, refer to the Upgrade NSO section.

Install Geo Redundancy patch

This section guides you through the process of enabling geo-redundancy and applying the required geo redundancy patch in the Crosswork Network Controller.

 Note

Geo-HA applies only to Crosswork Network Controller clusters where Geo-HA is enabled. The patch must be installed on both the active and standby clusters. If you are not using geo redundancy, you do not need to install this patch.

Before you begin

  • In a geo-redundant setup, install all required patches on the active cluster first, and then repeat the installation on the standby cluster. Ensure that all relevant components such as the Crosswork Network Controller cluster, application CAPPs, and Data Gateways are updated on both clusters.
  • Disable periodic synchronization by toggling off the Sync button on the Cross Cluster settings page before applying patches. No on-demand or periodic synchronization should be performed until the patch upgrades are completed and all services are confirmed to be healthy in both active and standby clusters. See Update an Application After Enabling Geo Redundancy.
  • Ensure that you have enabled Geo Redundancy in the Crosswork Network Controller UI. See Enable Geo Redundancy Solution.
  • Create a backup of your Crosswork cluster. Follow the instructions in Manage Backups chapter in Cisco Crosswork Network Controller 7.2 Administration Guide.
     Note

    Importing the cross cluster inventory template cannot be undone if there is no pre-existing backup of the system before the template is loaded.

Step 1

On both the active and standby clusters, complete Steps 2 and 3 to apply the patch file and provide the required details.

Step 2

Apply the Crosswork System, Crosswork Infrastructure, and Geo Redundancy Manager patches in this order with the active node first, then the standby node, and finally the arbiter node.

  1. In the Crosswork Network Controller UI, navigate to Administration > Crosswork Management > Application Management tab.

  2. Click on the Add File (.tar.gz) option to add the patch file. The Add File (tar.gz) via Secure Copy popup window is displayed.

  3. Enter the relevant information and click Add.

  4. Once the patch file is added, you can observe the existing application tile displaying an upgrade prompt. Click the upgrade prompt to install the patch file.

  5. In the Upgrade pop-up screen, select the new version that you want to upgrade to, and click Upgrade. Click on Job History to see the progress of the upgrade operation.

Step 3

After the installation is complete, go to Administration > Crosswork Manager and confirm all of the applications are reporting a Healthy status.

Install the Cisco NSO function packs

The steps you follow depend on your NSO deployment type.

Embedded NSO (SVM-based deployment)

If you are upgrading to 7.2.1, the required patch files are automatically upgraded.

These patch files are included in the NSO function pack bundle and are deployed through NSO Deployment Manager in the Crosswork Network Controller UI. The bundle is

For more information, see Install Cisco NSO Function Pack Bundles from Crosswork UI.

Standalone NSO (external NSO VM or NSO LSA deployment)

If you are using a standalone NSO deployment, including an external NSO VM or an NSO LSA deployment, you must manually install or upgrade the Cisco NSO function packs to ensure compatibility with Crosswork Network Controller 7.2.1.

The Cisco Crosswork Network Controller Function Pack (cnc-function-packs-7.2.1.signed.bin) for release 7.2.1 includes these function pack files:

  • T-SDN core function pack: tsdn-7.2.1-official-bundle-nso-6.4.11.20260227.3bb55f9f.tar.gz
  • Device Lifecycle Management (DLM) function pack: dlm-7.2.1-nso-6.4.11.20260220.c864195.tar.gz
  • Telemetry Traffic Collector (TM-TC) function pack: tmtc-7.2.1-nso-6.4.11.20260220.08e44e14.tar.gz
  • Change Automation (CA) function pack: nca-7.2.1-nso-6.4.11.20260220.6be05db.tar.gz
  • TE Manager function pack: temanager-7.2.1-nso-6.4.11.20260227.3bb55f9f.tar.gz

Before you begin

  • Determine whether you want to perform a fresh installation or upgrade your existing NSO function packs.
  • Ensure that NSO version 6.4.11 is installed on the external NSO VM. For upgrade instructions, see Upgrade NSO documentation.

Step 1

Install or upgrade NSO function packs.

Step 2

Update the ncs.conf file to enable and configure NSO keepalive settings for stable RESTCONF integration.

Add the keepalive and keepalive-timeout configuration under both the <tcp> and <ssl> transport configurations. 

<webui>
    <enabled>true</enabled>
    <transport>
      <tcp>
        <enabled>true</enabled>
        <keepalive>true</keepalive>       
        <keepalive-timeout>3600</keepalive-timeout>
      </tcp>
      <ssl>
        <enabled>true</enabled>
         <keepalive>true</keepalive>   
         <keepalive-timeout>3600</keepalive-timeout>
      </ssl>
    </transport>
  </webui>
......
</webui>

Step 3

Restart NSO for the configuration in ncs.conf to take effect.

sudo systemctl restart ncs

What to do next

After installing the NSO function pack, verify that the installation completed successfully and that the system is healthy.