Keeping up to date with your firmware is important, especially if it’s a public facing device. You would want to keep those newly discovered exploits closed as well as take advantage of new functionality from newer versions.
In this article I’ll give a quick tour on how to update a KEMP loadbalancer, or any product of KEMP as they use mostly the same UI. You’ll need a KEMP account to access the support center, and a KEMP loadbalancer (duh) which you can get for free at freeloadbalancer.org. Note that the free version can’t be upgraded, but if you’re lucky maybe someone from KEMP will give you a free temporary license.
First things first
How much fun it sounds to be the first in discovering things, that’s something you typically want to prevent on your production environment. To prevent bringing down your company website and spending hours on recovery here are some guidelines:
- Make a backup!
- Read the release notes, is this version bringing any improvements for your environment?
- Never run the latest version, instead run major-1 or something like that.
- Install the new version on some non-important testing environment, but keep in mind to have some workloads to test your production functionality.
- Backup, backup, backup, backup, and just to be sure, make another backup. Pressing a backup button should be a natural reflex.
Enough about that, let’s get on with the fun stuff! KEMP keeps their firmware downloads on a single page which you can follow so you get notified as soon as a new firmware gets posted. You can find the page here.
What should we do first? A backup you say?
Even if you have automated backups in place you would still want to have a backup to include the latest changes. Having a backup on your own system also comes in handy when something actually hits the fan. Nothing is better then that warm cozy feeling of being fully prepared.
After logging in you see the home screen with information about the license and version. In the menu find the “Backup/Restore” option.
Here you create, restore and automate your backups. The first is rather straightforward, click the backup button and you receive a full backup.
When restoring a backup you can chose which part of the configuration you want to restore. This way you can restore only the virtual services to another loadbalancer or restore the full configuration in case of a replacement. This option is also valuable when replacing a loadbalancer.
With the automated backup you can periodically make a backup and transfer it to a remote server using ftp. Remote/Automated backups is also an option in KEMP 360 Central which will be discussed in another article (no promises!). If possible, I would prefer using Central to make the backups.
When working with an HA pair, don’t forget to backup the passive unit.
Now it’s time to do the exciting part of the job, load the new firmware and wait for the loadbalancer to return fully functional. The “Update software” option is conveniently placed above the “Backup/Restore” option. We will start with the passive unit, do a failover and (when you have tested basic functionality) we will update the other unit.
In case you haven’t found out yet, by clicking on the green squares in the top right you can open the individual loadbalancers. Clicking the one without an A (Active) in it opens the passive unit.
In this screen you can see all the versions you had previously installed, in my case this is the first time updating this unit. When something goes wrong and all hell breaks loose, you can use this page to revert to the previous version.
On with the show! Select the update you downloaded from KEMP and hit the “Update Machine” button. Don’t worry, you’re not starting an uncontrollable process where you don’t know what’s happening.
Upon clicking, the new firmware will be uploaded, validated, confirmed and installed. After that you will have the choice to reboot and make the new version active or, for some reason, do a reboot later.
Since this is the passive unit, reboot the unit and return to the active unit. Wait until the HA status returns to normal (the boxes in the top right).
Login on the passive unit again and check if all your services and config are still there. On the dashboard you can check the version information and it should show the one we installed.
Although running different versions in a HA pair is not recommended, it will work. This way we can do a controlled failover where, most of the time, the end user doesn’t even notice it.
Important to know, in an HA pair your loadbalancers are either in “first” or “second” mode. Be sure to know which loadbalancer is first or second. To check, click on the HA squares and see on which loadbalancer you end up.
You can find the HA settings in the menu, from there we can initiate the failover.
Sidenote, the protocol used for HA is VRRP. Keep that in mind when configuring the HA Virtual ID in a network where there are more devices using VRRP.
To make sure your end users don’t notice the failover, check the “Inter HA L4 TCP Connection Updates” and “Inter HA L7 Persistency Updates” boxes. These options synchronise the session information between the units.
With the “Switch to preferred Server” setting you can make sure one of the units is always the active one. For example, when rebooting the first unit when it is active it will re-assume the active role when coming back online. I tend to keep this setting to “No Preferred Host” so I stay in control of which unit is active.
To initiate a manual failover we are going the change the preferred host setting. In my case the first host is active to I’m going to set the preferred host to “Prefer Second HA”. Do not mess around with this dropbox! Once you select a value it will start acting on it, no confirmation needed.
After selecting the preferred unit your HA status may change to “OMG”. Dont panic, hit refresh and after logging in the WUI is back.
Notice the new version. Before you wander off gazing upon new features or raging about a change in the menu. Don’t forget to thoroughly test the functions you use. After confirming a successful update, repeat the steps above and update the other unit. If needed, change the preferred unit configuration back to the setting it had before starting the update.