This section has important information about issues that may prevent the system working properly after an upgrade. Before
you upgrade, please review this section and complete any tasks that apply to your deployment.
Expressway and Cisco VCS systems before X8.11.4 need a two-stage upgrade
If you are upgrading a system which is running software earlier than version X8.11.4, you must first upgrade to an intermediate release before you install X14.2 software (this requirement applies to all upgrades to X8.11.x and later versions). Otherwise, depending on the existing system version, the upgrade will fail. We recommend upgrading to X8.11.4 as the intermediate release.
All deployments
If you are upgrading from X12.6 or X12.6.1 and use the alarm-based email notifications feature
Note: In X12.6.2 the email ID length is limited to a maximum of 254 characters. Before you upgrade, make sure that all destination email IDs are no longer than 254 characters.
We do not support downgrades. Do not install a previous Expressway/Cisco VCS version onto a system that is running a newer version; the system configuration will be lost.
Note: From X8.11.x, when the system restarts after the upgrade it uses a new encryption mechanism. This is due to a unique root of trust for every software installation that was introduced in that release.
X8.8 and later versions are more secure than earlier versions. Upgrading could cause your deployments to stop working as expected, and you must check for the following environmental issues before you upgrade to X8.8 or later:
- Certificates: Because certificate validation was tightened in X8.8, you must verify the following items to avoid validation failures:
  - Try the secure traversal test before and after upgrade to validate TLS connections.
  - If Unified Communications nodes are deployed, do they use valid certificates that were issued by a CA in the Expressway-C/Cisco VCS Control trust list?
  - If you use self-signed certificates, are they unique? Does the trusted CA list on Expressway/Cisco VCS have the self-signed certificates of all the nodes in your deployment?
  - Are all entries in the Expressway/Cisco VCS trusted CA list unique? Remove any duplicates.
  - If TLS verify mode is enabled on connections to other infrastructure (always on by default for Unified Communications traversal zone, and optional for zones to Unified Communications nodes), make sure that the hostname is present in the CN or SAN field of the host's certificate. We do not recommend disabling TLS verify mode, even though it may be a quick way to resolve a failing deployment.
- DNS entries: Do you have forward and reverse DNS lookups for all infrastructure systems that the Expressway/Cisco VCS interacts with? From X8.8, you need forward and reverse DNS entries for all Expressway-E/Cisco VCS Expressway systems, so that systems making TLS connections to them can resolve their FQDNs and validate their certificates. If the Expressway/Cisco VCS cannot resolve system hostnames and IP addresses, complex deployments like MRA may not work as expected after the upgrade.
- Cluster peers: Do they have valid certificates? If they are using default certificates you should replace them with (at least) internally generated certificates and update the peers' trust lists with the issuing CA. From X8.8, clustering communications use TLS connections between peers instead of IPSec. By default, TLS verification is not enforced after the upgrade, and an alarm will remind you to enforce it.
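Two of the checks above can be scripted before the upgrade window. The following is an added example, not Cisco tooling: it finds duplicate entries in a trusted CA list and verifies forward and reverse DNS for a host. It assumes the trusted CA list is available as a PEM bundle; the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import re
import socket

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def duplicate_trust_entries(bundle_text):
    """Map SHA-256(DER) -> positions for certificates listed more than once.

    Hashing the decoded DER means copies that differ only in PEM line
    wrapping or whitespace are still reported as duplicates.
    """
    seen = {}
    for pos, match in enumerate(PEM_RE.finditer(bundle_text), start=1):
        der = base64.b64decode("".join(match.group(1).split()))
        seen.setdefault(hashlib.sha256(der).hexdigest(), []).append(pos)
    return {fp: idx for fp, idx in seen.items() if len(idx) > 1}

def dns_round_trip(fqdn, forward=None, reverse=None):
    """Resolve fqdn -> addresses -> PTR names; return problems (empty = OK)."""
    # Resolvers are injectable so the check can be exercised offline.
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    try:
        addresses = forward(fqdn)
    except OSError as exc:
        return [f"{fqdn}: no forward record ({exc})"]
    problems = []
    for ip in addresses:
        try:
            ptr = reverse(ip)
        except OSError as exc:
            problems.append(f"{ip}: no reverse record ({exc})")
            continue
        if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append(f"{ip}: PTR is {ptr}, expected {fqdn}")
    return problems

def _pem(der, width):
    """Wrap bytes as a PEM certificate block with the given line width."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

# Constructed sample (placeholder bytes, not real certificates); entry 3 is entry 1 rewrapped.
SAMPLE_BUNDLE = "\n".join(
    _pem(d, w) for d, w in [(b"A" * 128, 64), (b"B" * 128, 64), (b"A" * 128, 76)])
```

Run `dns_round_trip` from a host that uses the same resolvers as the systems connecting to the Expressway-E, since the default resolvers query whatever DNS the local machine is configured with.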
How and when rebooting is necessary as part of the upgrade
Upgrading the System platform component is a two-stage process. First, the new software image is uploaded onto the Expressway/Cisco VCS. At the same time, the current configuration of the system is recorded, so that this can be restored after the upgrade. During
this initial stage the system will continue running on its existing software version, and all normal system processes will
continue.
The second part of the upgrade involves rebooting the system. It is only during the reboot that the Expressway/Cisco VCS installs the new software version and restores the previous configuration. Rebooting causes all current calls to terminate,
and all current registrations to be ended. This means that you can upload the new software at any time, and then wait until
a convenient moment (for example, when no calls are taking place) to switch to the new version by rebooting the system. Any
configuration changes made between the software upload and the reboot will be lost when the system restarts with the new software version.
Upgrades for components other than the System platform do not involve a system reboot, although the services provided by that component are temporarily stopped while the upgrade
process completes.
Deployments that use MRA
This section only applies if you use the Expressway/Cisco VCS for MRA (mobile and remote access with Cisco Unified Communications products).
- Minimum versions of Unified Communications infrastructure software apply - some versions of Unified CM, IM and Presence Service, and Cisco Unity Connection have been patched with CiscoSSL updates. Before you upgrade Expressway/Cisco VCS check that you are running the minimum versions listed in the Mobile and Remote Access Through Expressway Deployment Guide. IM and Presence Service 11.5 is an exception. You must upgrade Expressway/Cisco VCS to X8.8 or later before you upgrade IM and Presence Service to 11.5.
- Expressway-C/Cisco VCS Control and Cisco Expressway-E/VCS Expressway should both be upgraded in the same upgrade "window"/timescale (this is also a general recommendation for non-MRA deployments). We don't recommend operating with Expressway-C/Cisco VCS Control and Expressway-E/Cisco VCS Expressway on different versions for an extended period.
- This item applies if you are upgrading an Expressway/Cisco VCS that is used for MRA, with clustered Unified CMs and endpoints running TC or Collaboration Endpoint (CE) software. In this case you must install the relevant TC or CE maintenance release listed below (or later) before you upgrade the Expressway/Cisco VCS. This is required to avoid a known problem with failover. If you do not have the recommended TC/CE maintenance release, an endpoint will not attempt failover to another Unified CM if the original Unified CM to which the endpoint registered fails for some reason. Bug ID CSCvh97495 refers.
From X8.10.x, the MRA authentication (access control) settings are configured on Expressway-C/Cisco VCS Control and not on Expressway-E/Cisco VCS Expressway as in earlier releases, and default values are applied if it is not possible to retain the existing settings. To ensure correct
system operation, after the upgrade reconfigure the access control settings on the Expressway/Cisco VCS, as described later in these instructions.
Deployments that use FIPS mode cryptography
If the Expressway/Cisco VCS has FIPS mode enabled, after the upgrade, manually change the default SIP TLS Diffie-Hellman key size from the default 1024
bits, to 2048 or greater, as described later in these instructions.
Deployments that use X8.7.x or earlier with Cisco Unified Communications Manager IM and Presence Service 11.5(1)
X8.7.x (and earlier versions) of Expressway/Cisco VCS are not interoperable with Cisco Unified Communications Manager IM and Presence Service 11.5(1) and later. This is caused
by a deliberate change in that version of IM and Presence Service, which has a corresponding change in Expressway/Cisco VCS X8.8 and later. To ensure continuous interoperability, upgrade the Expressway/Cisco VCS systems before you upgrade the IM and Presence Service systems. The following error on Expressway/Cisco VCS is a symptom of this issue: Failed Unable to Communicate with <IM&P node address>. AXL query HTTP error "'HTTPError:500'"
Deployments that use Cisco Webex Hybrid Services
The Management Connector must be up to date before you upgrade Expressway/Cisco VCS. Authorize and accept any Management Connector upgrades advertised by the Cisco Webex cloud before you try to upgrade Expressway/Cisco VCS. Failure to do so may cause issues with the connector after the upgrade. For details about which versions of Expressway/Cisco VCS are supported for hybrid connector hosting, see Connector Host Support for Cisco Webex Hybrid Services.