The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
WSG Release 4.0 and later supports inter-chassis, stateful 1:1 redundancy for high availability. The PPC of the active WSG syncs its state to the corresponding PPC of the redundant WSG. An upgrade to the software image can be performed on both the active and the standby WSG in a redundant setup with minimal to no service disruption.
This appendix describes the recommended procedure for upgrading from WSG Release 3.0 to WSG Release 4.0 software. WSG Release 4.0 also provides a path for a graceful downgrade in the event that the attempted upgrade was not successful. However, the graceful downgrade is only available when all the existing tunnels and their respective states are still intact. Otherwise, the downgrade is not graceful.
Note Graceful upgrade and downgrade are only available between WSG Release 3.0 and Release 4.0. There is no support for graceful upgrade and downgrade between WSG Release 2.0 and Release 4.0.
Note Do not execute the copy running-config startup-config command at any time during the upgrade or downgrade process. Only execute the command when the upgrade or downgrade process is complete.
Note When there is an ha-revertive configuration active, the revertive action will not kick in during an upgrade or downgrade process. Once the upgrade or downgrade process is complete, re-configure ha-revertive in the running configuration on the active card, and execute the copy running-config startup-config command.
Perform the following steps to upgrade from WSG Release 3.0 to WSG Release 4.0 software:
Step 1 Copy the running configuration to the startup configuration by executing the copy running-config startup-config command on all SAMIs.
This will save the configurations on the SUP bootflash as a SLOT<slot>SAMI<processor>.cfg file.
Step 2 Back up the saved WSG configurations of all the PPCs on all the SAMIs to a backup disk or network storage location (outside of the Cisco 7600 chassis). Use the copy <config> <backup> command on the SUP.
Step 3 Copy the Release 4.0 image from the TFTP server to the SUP disk0: or disk1:. This image will then be used to upgrade the image on both the active and standby SAMIs.
Step 4 Identify the SAMI currently operating as the standby WSG by executing the show ha info comand on the WSG. Verify that the current state indicates Standby. Also, verify that the preferred role for the standby is Secondary and the bulk sync status is Success.
If the preferred role for the standby is not Secondary, execute the hw-module mode <active-slot> reset command on the SUP to reset the active SAMI. This triggers a switchover. Once the switchover is complete and redundancy is restored (typically after 8 to 10 minutes), use the show ha info command to verify the current state and preferred role of the current standby SAMI.
Step 5 To verify that all tunnels are synched from the active to the standby, use the show crypto isakmp summary command on the standby WSG. Verify that the IKE and IPSec SA counts are the same as on the active WSG.
Note If SA re-keying is in progress, the SA counts may be slightly higher on the standby WSG. This is acceptable.
Step 6 Start the upgrade on the standby SAMI by executing the upgrade hw-module slot <slot> software <location> command on the SUP.
Step 7 Reset the standby SAMI by executing the hw-module module <slot> reset command on the SUP in order for the upgrade to take effect.
Step 8 Wait for the standby SAMI to come up (typically after 8 to 10 minutes). Verify that the upgrade has taken effect on the standby WSG by executing the show version command on the WSG.
Step 9 Now the standby WSG is running Release 4.0 while the active WSG is running Release 3.0. Use the show ha info, show running-config, and show crypto isakmp summary commands to verify the state, configuration sync, tunnel sync, and data traffic is flowing on the upgraded standby WSG.
Step 10 Perform a card switchover by executing a hw-reset on the currently active card running WSG Release 3.0. The standby card running WSG Release 4.0 will become the active card. Verify that the configuration is valid and the tunnels are passing traffic.
Step 11 After the standby running WSG Release 3.0 comes up, verify that all tunnels, states, and configurations are synched.
Step 12 At this point, if there are any issues with the upgrade process, it is still okay to abort the upgrade without affecting service provided that all tunnels and their states are still intact. To complete the upgrade, skip to Step 13. To abort the upgrade and restore the active SAMI to WSG Release 3.0, follow these steps:
a. Reload the WSG Release 3.0 software image onto the active SAMI by executing the upgrade hw-module slot <slot> software <location> command.
b. Reset the active SAMI by executing the hw-module module <slot> reset command on the SUP.
c. The current standby card will assume the active role running WSG Release 3.0. Verify that the standby WSG takes over as the new active WSG by executing the show ha info command.
d. Verify that the configuration is valid and the tunnels are passing traffic. After the standby SAMI comes up, verify that all tunnels, states, and configurations are synched. Verify that the standby SAMI is running the restored software version by executing the show version command on the WSG.
e. Use the show ha info, show running-config, and show crypto isakmp summary commands to verify the state, configuration sync, tunnel sync, and data traffic is flowing on the standby WSG. At this point, the upgrade process has been aborted successfully and both cards are again running WSG Release 3.0.
Step 13 To upgrade the standby SAMI to WSG Release 4.0, start by executing the upgrade hw-module slot <slot> software <location> command.
Step 14 Reset the standby SAMI by executing the hw-module mode <slot> reset command on the SUP.
Step 15 Wait for the standby SAMI to come up (typically after 8 to 10 minutes). Verify that the upgrade has taken effect on the standby WSG by executing the show ha info and show version commands on the WSG.
Step 16 Now that both the active and standby WSGs are running Release 4.0 software, use the show ha info, show running-config, and show crypto isakmp summary commands to verify the state, configuration sync, tunnel sync, and data traffic is flowing on the upgraded standby WSG.
Step 17 Copy the running configuration to the startup configuration by executing the copy running-config startup-config command on all PPCs on all SAMIs.
Once the software upgrade is complete where both cards are running WSG Release 4.0, it is not possible to go back to WSG Release 3.0 without disrupting service. To reload WSG Release 3.0 software, perform the following steps:
Step 1 Copy the previously saved configurations for all PPCs back to the bootflash: or bootdisk: on the SUP.
Step 2 Reload the WSG Release 3.0 software image onto the active SAMI by executing the upgrade hw-module slot <slot> software <location> command.
Step 3 Reload the WSG Release 3.0 software image onto the standby SAMI.
Step 4 After both SAMIs are reloaded with the WSG Release 3.0 software, reset the active SAMI by executing the hw-module mode <active_slot> reset command on the SUP.
Step 5 Reset the standby SAMI by executing the hw-module mode <standby_slot> reset command on the SUP.
Step 6 After both SAMIs come back up, verify that they are both running WSG Release 3.0 software by executing the show version command.
Step 7 Now that both the active and standby WSGs are running Release 3.0 software, use the show ha info, show running-config, and show crypto isakmp summary commands to verify the state, configuration sync, tunnel sync, and data traffic is flowing on the upgraded standby WSG. Verify that all tunnels are re-established and service has resumed.