High Availability Deployments : Updating firmware on an HA cluster
 
Updating firmware on an HA cluster
Installing firmware on an HA cluster is similar to installing firmware on a single, standalone appliance.
To ensure minimal interruption of service to clients, use the following steps.
 
If downgrading to a previous version, do not use this procedure. The HA daemon on a member node might detect that the primary node has older firmware, and attempt to upgrade it to bring it into sync, undoing your downgrade.
Instead, switch out of HA, downgrade each node individually, then switch them back into HA mode.
To update the firmware of an HA cluster:
1. Verify that the cluster node members are powered on and available on all of the network interfaces that you have configured. If required ports are not available, HA port monitoring could inadvertently trigger an additional failover, resulting in traffic interruption during the firmware update.
2. Log into the web UI of the primary node as the admin administrator.
3. Install the firmware on the primary node. For details, see “Upgrading firmware”.
After the new firmware has been installed, the system reboots. When the system is rebooting, a secondary node assumes primary status.
4. Log into the secondary node and upgrade its firmware as soon as possible. HA requires same firmware version on all nodes.
In an active-passive deployment, log into the secondary appliance as soon as it assumes primary status. Time is of the essence because you cannot log into an appliance that is in standby status.
In an active-active deployment, you can log into nodes at any time because the nodes are in active mode. Nonetheless, we recommend you upgrade secondary nodes at the same time to avoid potential mismatches.
After the member nodes reboot and indicate via the HA heartbeat that they are up again, the system determines whether the original node becomes the primary node, according to the HA Override setting:
If Override is enabled, the cluster considers the Device Priority setting. Both nodes usually make a second failover in order to resume their original roles.
If Override is disabled, the cluster considers uptime first. The original primary node will have a smaller uptime due to the order of reboots during the firmware upgrade. Therefore it will not resume its active role; instead, the node with the greatest uptime will remain the new primary node. A second failover will not occur.
Reboot times vary by the appliance model, and also by differences between the original firmware version and the firmware version you are installing.