Showing results for 
Search instead for 
Did you mean: 

Upgrading SA 2500 HA Pair

Not applicable

Upgrading SA 2500 HA Pair

I am helping someone upgrade their SA 2500 SSL VPN which is in a HA configuration. What is the recommended order of upgrading the pair? I assume the primary first, and then secondary? What is the best practice? Thanks in advance.

Regular Contributor

Re: Upgrading SA 2500 HA Pair

check the clustersettings and look which one is the active member (if using active/passive cluster). upgrade the one thats inactive and waiting for completion. it takes a while and then instructs the master to upgrade automatically while taking over the VIP.

actually its not important which one is done first (if you planned a downtime), cause it will instruct the other member automatically anyway.

Valued Contributor

Re: Upgrading SA 2500 HA Pair

If it is an active / passive cluster then you simply login to the VIP address and issue the ugprade command. The cluster will handle availability and it will be transparent to the user base.

Active / Active is where you will need to control the upgrade process.

Frequent Contributor

Re: Upgrading SA 2500 HA Pair

For an active / active cluster an upgrade on node1 will initiate successive upgrades on other nodes after completion.

If there is a load balancer which is accepting all incoming connections, the users should not see any difference as sessions are synchronized across nodes in an active / active cluster.

It is important to ensure that the nodes have adequate licenses to handle the additional user load coming from the node that is currently upgrading.

Respected Contributor

Re: Upgrading SA 2500 HA Pair

As others have said; the order doesn't matter.

You will want a downtime, in the event something unexpected happens, but once you start the upgrade on any node, it will complete and then push to the other node (and so-on until all nodes are upgraded).