...

Before upgrading, Infoblox recommends that all members in the Grid be connected to the network and operating normally. If one or more members are offline when you upgrade the Grid, they automatically receive the distributed software and upgrade when they join the Grid or come back online.

Note

  • In a Grid that is configured with an HA pair, Infoblox does not recommend disconnecting a node of the HA Grid Master and rejoining it after installing a NIOS version that does not match the version currently running on the other node. If an upgrade is performed this way, the Grid behaves unexpectedly and requires manual intervention by the Support team to recover.

  • The shared secret that you enter when adding a RADIUS authentication server in the Add RADIUS Authentication Service wizard > RADIUS Servers > Shared Secret field must be between 4 and 64 characters (inclusive) in length. Otherwise, the upgrade will fail.

  • After a NIOS upgrade, under certain scenarios, Grid replication for some dual-mode Grid members running Subscriber Secure Policy (SSP) takes place using the IPv4 protocol and not the IPv6 protocol.

Caution

Do not attempt to add or remove a member, or convert an HA pair to single members or vice versa during a distribution or upgrade.

Upgrade Guidelines

Upgrade to NIOS 9.0.1 fails in the following scenarios:

...

If, when you upgrade to NIOS 9.0.1, you upgrade or replace your X5 series appliance with an X6 series appliance and you have a valid X5 series license, you can use the X5 series license on the X6 series appliance until the license expires. However, you need to contact Infoblox Support to generate a new X5 series license so that it works with the X6 series appliance. The new license is generated with the X6 series appliance hardware ID and has the validity of the X5 series license.

...

If you try to upgrade to NIOS 9.0.1, distribution fails if CA certificates signed with the md5WithRSAEncryption or sha1WithRSAEncryption signature algorithms are present. Infoblox recommends that you delete these certificates before upgrading.

...

Upgrading to NIOS 9.0.1 is restricted, subject to the following checks:

  • CA certificates violating RFC: Subject Key Identifier MUST exist if CA=TRUE

  • Certificate validity dates

  • Restrict MD5 and SHA1 for Apache certificates and CA certificates

  • OpenVPN certificates. If you have old OpenVPN certificates, contact Infoblox Support before proceeding with the distribution.
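
The certificate checks listed above (MD5/SHA-1 signatures, Subject Key Identifier on CA certificates, validity dates) can be pre-screened before distribution. The following is an added example, not Infoblox code and not the validation NIOS itself performs; it assumes each CA certificate has been dumped with `openssl x509 -in ca.pem -noout -text`, and the function name and sample dumps are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Signature algorithms the page says block distribution to NIOS 9.0.1.
WEAK_SIG = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def check_cert_text(text, now=None):
    """Findings for one certificate, given its `openssl x509 -noout -text` dump."""
    now = now or datetime.now(timezone.utc)
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig and sig.group(1) in WEAK_SIG:
        findings.append("weak signature: " + sig.group(1))
    # A CA certificate (basicConstraints CA:TRUE) must carry a Subject Key Identifier.
    if re.search(r"\bCA:TRUE\b", text) and "Subject Key Identifier" not in text:
        findings.append("CA:TRUE without Subject Key Identifier")
    for label in ("Not Before", "Not After"):
        m = re.search(label + r"\s*:\s*(.+?)\s+GMT", text)
        if m is None:
            findings.append("missing " + label)
            continue
        # openssl prints GMT times; append an explicit offset to get an aware datetime.
        when = datetime.strptime(m.group(1) + " +0000", "%b %d %H:%M:%S %Y %z")
        if label == "Not Before" and now < when:
            findings.append("not yet valid")
        if label == "Not After" and now > when:
            findings.append("expired")
    return findings

# Constructed, trimmed samples in the layout `openssl x509 -text` prints.
GOOD_CA = """\
    Signature Algorithm: sha256WithRSAEncryption
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2034 GMT
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                (constructed placeholder)
"""
LEGACY_CA = """\
    Signature Algorithm: sha1WithRSAEncryption
            Not Before: Jan  1 00:00:00 2010 GMT
            Not After : Jan  1 00:00:00 2020 GMT
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

if __name__ == "__main__":
    for name, dump in (("good", GOOD_CA), ("legacy", LEGACY_CA)):
        print(name, check_cert_text(dump) or "ok")
```

A certificate that returns no findings here can still fail the NIOS checks; the page directs you to Infoblox Support for the authoritative validation.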

...

If the Dual Engine DNS license is present in your Grid in the deleted or expired state (can be validated by running the show license CLI command on the node), contact Infoblox Support to have it removed. The NIOS upgrade fails if the license is not deleted.

...

Unbound upgrade guidelines:

  • If an Unbound license is present in the Grid, then upgrading to 9.0.1 will fail. You must manually remove the Unbound license and then proceed with the upgrade.

  • If you have offline Grid members and are not able to delete the Unbound license, then you must bring the Grid members online, remove the license, and then proceed with the upgrade. You can also contact Infoblox Support about creating a hotfix to clean up the Unbound licenses for the offline members.

  • If you had a temporary Unbound license that you deleted from Grid Manager, the license will still be present in the database and the upgrade will fail. Please contact Infoblox Support to completely remove the temporary license.

  • If Unbound is configured, the upgrade test fails in order to indicate that references to Unbound are completely destroyed during the upgrade process.

...

Upgrade to NIOS 9.0.0 fails in the following scenarios:

  • Upgrading a NIOS 8.x Grid that is configured with Thales HSM to NIOS 9.0 is not supported. Configuring Thales HSM in a new NIOS 9.0.0 Grid is also not supported.

  • Using an unsupported algorithm, such as RSAMD5(1), DSA(3), or DSA-NSEC3-SHA1(6).

  • Using an invalid key size for RSASHA1(5), RSA-NSEC3-SHA1(7), or RSASHA256(8). The key size must be within the range 1024 to 4096.

  • BIND performance may be poor if the DNS load originates from a small number of source IP addresses or ports.

  • Manually creating (through the import keyset) a DS record with an unsupported algorithm or digest type SHA-1.

  • If you are using Ubuntu and a CA certificate of key length 1024 and some unsupported ciphers, after a NIOS upgrade, services that depend on the unsupported ciphers cease to work.

  • In NIOS 9.0, the Cisco ISE endpoint (Cisco pxGrid 1.0) has been deprecated.

  • Infoblox recommends that you use a minimum size of 100 GB when using discovery resizable images. This applies even when upgrading a resizable discovery image whose size is lower than 100 GB.

  • Infoblox recommends using a minimum size of 70 GB for any file that has resizable as part of its file name. You can resize these files depending on your requirements and deployment.

  • If you are logging on to NIOS using SSO, in IDP Configuration you must enter the following
    URL in the SP Entity ID field: <grid_virtual IP address>:8765/metadata. If you are using Okta,
    the SP Entity ID field is also called the Audience URI field.

  • The shared secret that you enter when adding a RADIUS authentication server in the Add
    RADIUS Authentication Service wizard > RADIUS Servers > Shared Secret field must be
    between 4 and 64 characters (inclusive) in length. Otherwise, the upgrade will fail.
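
The DNSSEC conditions in the list above (unsupported algorithms 1, 3 and 6, RSA key sizes outside 1024 to 4096, and DS records with digest type SHA-1) can be audited against exported zone data before the upgrade. The following is an added example, not Infoblox code; it assumes "key size" means the RSA modulus length, takes DNSKEY and DS RDATA in presentation format, and uses constructed key material and hypothetical function names.

```python
import base64

# Algorithm numbers and limits as listed on this page for NIOS 9.0.0.
UNSUPPORTED = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1"}
SIZE_CHECKED = {5: "RSASHA1", 7: "RSA-NSEC3-SHA1", 8: "RSASHA256"}

def rsa_modulus_bits(key_b64):
    """Modulus length of an RFC 3110 RSA public key (the DNSKEY key field)."""
    raw = base64.b64decode(key_b64)
    if raw[0] == 0:  # long form: 0x00 then a 2-byte exponent length
        exp_len, start = int.from_bytes(raw[1:3], "big"), 3
    else:            # short form: 1-byte exponent length
        exp_len, start = raw[0], 1
    return int.from_bytes(raw[start + exp_len:], "big").bit_length()

def check_dnskey(rdata):
    """rdata: '<flags> <protocol> <algorithm> <base64 key>'; returns a finding or None."""
    _flags, _proto, alg, *key = rdata.split()
    alg = int(alg)
    if alg in UNSUPPORTED:
        return f"unsupported algorithm {UNSUPPORTED[alg]}({alg})"
    if alg in SIZE_CHECKED:
        bits = rsa_modulus_bits("".join(key))
        if not 1024 <= bits <= 4096:
            return f"{SIZE_CHECKED[alg]}({alg}) key size {bits} outside 1024-4096"
    return None

def check_ds(rdata):
    """rdata: '<key tag> <algorithm> <digest type> <digest>'; returns a finding or None."""
    _tag, alg, digest_type, *_ = rdata.split()
    if int(alg) in UNSUPPORTED:
        return f"unsupported algorithm {UNSUPPORTED[int(alg)]}({alg})"
    if int(digest_type) == 1:  # DS digest type 1 is SHA-1 (RFC 4034)
        return "DS digest type SHA-1(1)"
    return None

def sample_key(bits):
    """Constructed RFC 3110 blob (exponent 65537, filler modulus); not a real key."""
    modulus = b"\x80" + b"\x01" * (bits // 8 - 1)
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

if __name__ == "__main__":
    for rr in ("257 3 8 " + sample_key(2048), "256 3 5 " + sample_key(512),
               "257 3 1 " + sample_key(1024)):
        print("algorithm", rr.split()[2], "->", check_dnskey(rr) or "ok")
    print(check_ds("12345 8 1 " + "0" * 40))  # constructed digest
```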

...

Before you upgrade to NIOS 9.0.x, check the validity of the CA certificates uploaded. If the certificate is invalid, install a new certificate that is in compliance with RFCs (for example, RFC 5280). Failure to do so may result in the Grid Manager UI/WAPI not being accessible after the upgrade. However, NIOS will continue to be functional. To check the validity of the certificate, contact Infoblox Support.

...

A downgrade from NIOS 9.0.x to NIOS 8.4.x is not supported. Auto-synchronization from NIOS 9.0.x to NIOS 8.4.x is not supported.

...

If there are Threat Protection members in your Grid for the 8.3 and later features (Grid Master Candidate test promotion, forwarding recursive queries to BloxOne Threat Defense Cloud, and CAA records), ensure that you upload the latest Threat Protection ruleset for these features to function properly.

...

Infoblox recommends that you enable DNS Fault Tolerant Caching right after you upgrade to NIOS 8.2.x and later and keep this feature enabled to handle unreachable authoritative servers. Note that enabling this feature requires a DNS service restart, which will clear the current cache. Therefore, if you enable this when you are trying to mitigate an ongoing attack on an authoritative server that is outside of your control, it will clear the DNS cache, which will magnify the issues that your system is experiencing.

...

During a scheduled full upgrade to NIOS 8.1.0 and later versions, you can use only IPv4 addresses for NXDOMAIN redirection. You cannot use IPv6 addresses for NXDOMAIN redirection while the upgrade is in progress.

...

If you set up your Grid to use Infoblox Threat Insight but have not enabled automatic updates for Threat Analytics module sets, you must manually upload the latest module set to your Grid or enable automatic updates before upgrading. Otherwise, your upgrade will fail.

...

After a scheduled upgrade to NIOS 8.6.3 and later is complete, you must run the update_rabbitmq_password command on the Grid Master to get the Cloud DNS Sync service to be functional. Until that time, Route 53 synchronization does not start because the service has not been started.

...

After an upgrade to NIOS 8.6.3 and later, the Cloud DNS Sync service starts automatically on the Grid
member that is assigned to the Route 53 synchronization groups.

...

After an upgrade to NIOS 8.6.3 and later, the Disable Default Search Path and the Additional Search
Paths fields will no longer be displayed in the Add Active Directory Authentication Service > Step 1 of 1
wizard.

...

If you upgrade to NIOS 8.6.3 or later, all IB-FLEX appliances or Grids that have the FLEX Grid Activation
license or the MSP license will have the ReportingSPLA external attribute assigned automatically for
supported Grid members.

...

After an upgrade to NIOS 8.6.3 and later, only 5% of allowed blocklist subscribers are supported for virtual DNS Cache Acceleration (vDCA).

...

The shared secret that you enter when adding a RADIUS authentication server in the Add RADIUS
Authentication Service wizard > RADIUS Servers > Shared Secret field must be between 4 and 64
characters (inclusive) in length. Otherwise, the upgrade will fail.

...

  • NIOS restricts you from creating or deleting a network view when the upgrade of a Grid is in progress. Perform these operations after the entire Grid has been upgraded.

Caution

Do not attempt to add or remove a member, or convert an HA pair to single members or vice versa during a distribution or upgrade.

Uploading NIOS Software

After you download the NIOS software upgrade to your management station, upload it to the Grid Master, as follows:

...

The appliance uploads the file and displays the status of the upload in the status bar. You can click the Stop icon in the status bar to stop the upload. Ensure that you do not navigate away from the Upgrade tab until after the upload is complete. Otherwise, the upload process stops.

Note

When you upload the NIOS software upgrade to an HA Grid Master, only the active node receives the software. The passive node does not. Therefore, if the Grid Master fails over before a distribution starts, you must upload the software again. If you do not, the distribution fails because the new active node does not have the uploaded software.

...

Performing a software upgrade involves rebooting the appliances and then running the new software. Essentially, each appliance switches between the two software partitions on its system, activating the staged software and saving the previously active software and database as backup.

Note

Before you upgrade the software, Infoblox recommends that you back up the current configuration and database. For information, see Backing Up and Restoring Configuration Files.

...

  • From the Grid tab, select the Upgrade tab, and then click Upgrade -> Upgrade Now from the Toolbar.

Note

The Grid upgrades immediately and if there is an active upgrade schedule, it becomes inactive.

...

After the Grid Master has been upgraded, you can choose to immediately upgrade a specific member that has not been upgraded yet. This function is available only for scheduled Grid upgrades from NIOS 6.4.0 to a later release. You can upgrade a single member only when the Grid upgrade is paused, and you cannot upgrade the Grid Master, a reporting appliance, or an offline member. Once the member has been manually upgraded, the appliance skips this member when its scheduled upgrade time is reached.

To upgrade a specific member now:

...

Reverting a Single Member

During an upgrade from NIOS 6.4.0 to a later release, you can revert a specific member that has already been upgraded and is within its revert time window. The revert single member feature is useful when you want to troubleshoot issues, such as service outages, on a specific member after it has been upgraded. You can revert a member only when the Grid upgrade is paused, and you cannot revert the Grid Master, a reporting appliance, or an offline member. If the upgrade is paused and you have reverted a member in an upgrade group that has already completed the upgrade, you must move the member to another upgrade group that has not been upgraded before you can proceed with the upgrade.

Once a member is upgraded, the appliance starts counting down and displays the time that is left for you to revert this member. You can revert the member before the revert time window expires. The default time window to revert a member is 24 hours. You can view the time that is left to revert the member in the Member List view, as described in Grid and Member status below. You can also use the CLI command set default_revert_window to configure the default revert time window for the Grid. For information about this command, refer to the Infoblox CLI Guide. Once a member exits the revert time window, you must revert the entire Grid in order to revert the member.

Note

You may potentially lose some data when you revert a member. The appliance keeps information about DHCP leases and DNS records intact.

...

When an upgrade starts, Grid Manager checks if the nodes of an HA Grid Master have the same NIOS software version on their alternate partitions. If they do not have the same software version, the upgrade process stops. Grid Manager displays an error message and if it is a scheduled upgrade, Grid Manager deactivates the schedule as well. Otherwise, the upgrade process continues.

Note

During the upgrade, you can view the status of the Grid Master in the serial console.

...

Note

Grid members that do not have the correct NIOS version on their alternate partitions due to an incomplete distribution automatically resynchronize the NIOS version with the Grid Master, and then upgrade.

...

  • Member: The name of the Grid member.

  • Group: The upgrade group to which the member belongs.

  • HA: Indicates whether the member is an HA pair or not.

  • Status: The current distribution or upgrade status. This can be Running (green) or Offline (red).

  • IPv4 Address: The IPv4 address of the member.

  • IPv6 Address: The IPv6 address of the member.

  • Running Version: The NIOS software version that is currently running on the member.

  • Alternate Version: Displays the NIOS software version to which the appliance can revert.

  • Distribution/Upgrade Status: The current distribution or upgrade status. When the distribution or upgrade is in progress, Grid Manager displays a progress bar in this field to indicate the percentage of completion.

  • Hotfix: The name of the hotfix that was last run on the member.

  • Status Time: The date, time, and time zone of the status displayed.

  • Member Revert: Indicates whether the member has been reverted or not. This appears only when the member has been upgraded from NIOS 6.4.0 to a later NIOS release.

  • Time to Revert: The time (in HH:MM:SS format) left to revert a member. This appears only when the member has been upgraded from NIOS 6.4.0 to a later NIOS release.

  • Site: The location to which the member belongs. This is one of the predefined extensible attributes.

The appliance automatically refreshes the information in this panel.

...