Solved: ASR9001 Upgrade path and root cert issues

MattHunt1980 · ‎08-02-2016

I am running a 9001 IOS-XR image - Currently 5.1.3.

I need to upgrade this to the newest code of 6.0.2, but I am unsure of the upgrade path, can I go straight from 5.1.3 to 6.0.2 or will have to increment to specify versions?

Also I have seen an issue with the root certificate, a certificate that has been installed previous to 5.3.1 has an expiry date of 2015 and we need to upgrade to a newer version. From what I read this is only affecting upgrade of PIE files (i am not 100% on what each technical term is).

This is my first upgrade and I cannot find any informative guides as the Cisco ones are somewhat convoluted (no offense).

So far I have downloaded ASR9K-iosxr-px-6.0.2.tar, but a few questions including the one above are;

Does the tar file include the new root certificate (I assume this tar file needs to be unpacked and cert installed separately if included)?
What is the difference between teh following TAR files:
Cisco ASR 9000 IOS XR Software
ASR9K-iosxr-px-6.0.2.tar
&
Cisco ASR 9000 IOS XR Software
asr9k-ncs500x-nV-px-6.0.2.tar

Any recommendations of upgrade guides other than the Cisco guides.

There maybe more questions to add as I run through the documentation to get more information.

Thanks for the input in advance

smailmilak · ‎08-03-2016

Hey Matt,

Looking at the packages that are now active

disk0:asr9k-mini-px-5.1.3
      disk0:asr9k-k9sec-px-5.1.3
      disk0:asr9k-mgbl-px-5.1.3
      disk0:asr9k-fpd-px-5.1.3
      disk0:asr9k-px-5.1.3.CSCus22641-1.0.0
      disk0:asr9k-px-5.1.3.CSCut52232-1.0.0
      disk0:asr9k-px-5.1.3.sp5-1.0.0

You should do this "admin install activate disk0:asr9k-mini-px-6.0.2 disk0:asr9k-k9sec-px-6.0.2 disk0:asr9k-mgbl-px-6.0.2 disk0:asr9k-fpd-px-6.0.2 test

It's asking for those packages because they are already activated. If you don't want to install e.g "K9SEC" then you have to deactivate it first before upgrading to 6.x.

View solution in original post

smailmilak · ‎08-02-2016

Hi Matt,

1. You should open the archive and install only the packages you need. Check what packages you are running now (admin show install active summary) and install the same from the 6.x version.

Do not try to install the whole .tar because it will take forever, believe me. I think it's fixed on 5.3.3+ though...not sure yet.

You can then check if the install procedure will be successful by adding "test" at the end of the command line.

I am pretty sure that you will need to install the post-expiry SMU and new cert. Download it first

"asr9k-px-5.1.3.CSCut52232.tar"

2. Looking at the filename the second is for NCS as nV Satellite on A9K. Skip that.

Regarding the upgrade procedure, first check if all packages are installed with "show install inactive", then try to activate them with install activate disk0:package1 disk0:package2 disk0:package3 test

The system will tell you if the upgrade will succeed or not.

smilstea · ‎08-03-2016

6.0.2 does not include the root certificate, you will need to install the root certificate in 5.1.3 only.

http://www.cisco.com/c/en/us/td/docs/routers/technotes/MOP-CSS-to-Abraxas.html

the ncs500x-nv tar file is specifically for the ncs5000 series routers to run as an nv satellite.

I don't have any recommended non-cisco guides, but I do recommend this page for Cisco guides: http://www.cisco.com/web/Cisco_IOS_XR_Software/index.html?mdfid=286141019

Thanks,

Sam

MattHunt1980 · ‎08-03-2016

OK, so its going - Slowly... I have worked out all what I need to do so far, although I am getting some errors thrown at me, when installing the packages:

--+

Install operation 50 '(admin) install activate disk0:asr9k-mini-px-6.0.2 test' started by user 'czmb71bz' via CLI at 15:12:54 CES
Warning: No changes will occur due to 'test' option being specified. The following is the predicted output for this install comm
Error:    Cannot proceed with the activation because of the following package incompatibilities:
Error:      asr9k-k9sec-supp-5.1.3 needs iosxr-fwding-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-k9sec-supp-5.1.3 needs iosxr-infra-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-k9sec-supp-5.1.3 needs iosxr-os-5.1.3, or equivalent, to be active on the same nodes.
Error:      iosxr-mgbl-5.1.3 needs iosxr-routing-5.1.3, or equivalent, to be active on the same nodes.
Error:      iosxr-mgbl-5.1.3 needs iosxr-fwding-5.1.3, or equivalent, to be active on the same nodes.
Error:      iosxr-mgbl-5.1.3 needs iosxr-infra-5.1.3, or equivalent, to be active on the same nodes.
Error:      iosxr-mgbl-5.1.3 needs iosxr-os-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-mgbl-supp-5.1.3 needs iosxr-fwding-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-mgbl-supp-5.1.3 needs asr9k-fwding-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-mgbl-supp-5.1.3 needs asr9k-base-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-mgbl-supp-5.1.3 needs iosxr-infra-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-mgbl-supp-5.1.3 needs asr9k-os-supp-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-mgbl-supp-5.1.3 needs iosxr-os-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-fpd-5.1.3 needs asr9k-os-supp-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-fpd-5.1.3 needs iosxr-infra-5.1.3, or equivalent, to be active on the same nodes.
Error:      asr9k-fpd-5.1.3 needs iosxr-os-5.1.3, or equivalent, to be active on the same nodes.
Error:      iosxr-security-5.1.3 needs iosxr-fwding-5.1.3, or equivalent, to be active on the same nodes.
Error:      iosxr-security-5.1.3 needs iosxr-infra-5.1.3, or equivalent, to be active on the same nodes.
Error:      iosxr-security-5.1.3 needs iosxr-os-5.1.3, or equivalent, to be active on the same nodes.
Error:      iosxr-security-5.1.3.CSCus22641-1.0.0 needs iosxr-fwding-5.1.3, or equivalent, to be active on the same nodes.
Error:      iosxr-security-5.1.3.CSCus22641-1.0.0 needs iosxr-infra-5.1.3, or equivalent, to be active on the same nodes.
Error:      iosxr-security-5.1.3.CSCus22641-1.0.0 needs iosxr-os-5.1.3, or equivalent, to be active on the same nodes.
Error:    Suggested steps to resolve this:
Error:     - check the installation instructions.
Error:     - activate or deactivate the specified packages on the specified nodes.
Install operation 50 failed at 15:13:25 CEST Wed Aug 03 2016.

---

RP/0/RSP0/CPU0:BR1-dkbaqrt01iaaafm(admin)#sho install active
Wed Aug 3 15:15:20.378 CEST
Secure Domain Router: Owner

Node 0/RSP0/CPU0 [RP] [SDR: Owner]
    Boot Device: disk0:
    Boot Image: /disk0/asr9k-os-mbi-5.1.3.sp5-1.0.0/0x100000/mbiasr9k-rp.vm
    Active Packages:
      disk0:asr9k-mini-px-5.1.3
      disk0:asr9k-k9sec-px-5.1.3
      disk0:asr9k-mgbl-px-5.1.3
      disk0:asr9k-fpd-px-5.1.3
      disk0:asr9k-px-5.1.3.CSCus22641-1.0.0
      disk0:asr9k-px-5.1.3.CSCut52232-1.0.0
      disk0:asr9k-px-5.1.3.sp5-1.0.0

Node 0/0/CPU0 [LC] [SDR: Owner]
    Boot Device: mem:
    Boot Image: /disk0/asr9k-os-mbi-5.1.3.sp5-1.0.0/lc/mbiasr9k-lc.vm
    Active Packages:
      disk0:asr9k-mini-px-5.1.3
      disk0:asr9k-px-5.1.3.CSCut52232-1.0.0
      disk0:asr9k-px-5.1.3.sp5-1.0.0

--+

Now I assume that the packages that are missing need to be activated before upgrading the device. This would mean one reload to allow the active packages to take effect and then activte the new 6.0.2 packages and reload again..?

What I cannot understand is why its asking for the packages, did the previous upgrade install all these packages and then we manually disabled the ones not needed or is the upgrade just incompatible. (*Head scratch)....

smilstea · ‎08-03-2016

When you upgrade you need to upgrade all packages at once. From your show install active you have the mini, k9sec, mgbl, and fpd packages. Your install command was only specifying the mini package in 6.0.2, if you specify all 4 packages in 6.0.2 then you will not get the error message.

Thanks,

Sam

smailmilak · ‎08-03-2016

Hey Matt,

Looking at the packages that are now active

disk0:asr9k-mini-px-5.1.3
      disk0:asr9k-k9sec-px-5.1.3
      disk0:asr9k-mgbl-px-5.1.3
      disk0:asr9k-fpd-px-5.1.3
      disk0:asr9k-px-5.1.3.CSCus22641-1.0.0
      disk0:asr9k-px-5.1.3.CSCut52232-1.0.0
      disk0:asr9k-px-5.1.3.sp5-1.0.0

You should do this "admin install activate disk0:asr9k-mini-px-6.0.2 disk0:asr9k-k9sec-px-6.0.2 disk0:asr9k-mgbl-px-6.0.2 disk0:asr9k-fpd-px-6.0.2 test

It's asking for those packages because they are already activated. If you don't want to install e.g "K9SEC" then you have to deactivate it first before upgrading to 6.x.

MattHunt1980 · ‎08-03-2016

Thats great, I didnt try to test all packages at in one go, I was going to test one by one, which is not possible.

OK everything seems to pass. So I assume after this, it will upgrade and auto reload and then thats the end of the job..?

If thats the case, I will have this processed and approved and I will get back to you all once complete and (hopefully) successful.

smailmilak · ‎08-03-2016

That's correct.

Don't forget to upgrade the firmware on the LC's. You can configure fpd auto-upgrade under admin - configure terminal or you can do it later. Command is "upgrade hw-module fpd all..."

Please note that the Power Supply firmware will not be automatically upgraded, you have to do it manually, one by one. That's how I am doing it.

p.s. if you want to run multicast, then install the mcast package or mpls package for MPLS etc.

smilstea · ‎08-03-2016

Don't forget to do install commit after the router reload. Once you have upgraded to 6.0.2 do you checks, make sure everything is fine, and then do install commit. If anything is wrong and you want to back out to the prior version of code just reload the router and it will revert to the old code, but once you do the install commit you would have to do the install activate step in order to downgrade.

And yes don't forget FPDs :)

Sam