This solution applies to the Barracuda SSL VPN, all firmware versions.
Upgrading the firmware on a Cluster
With Firmware 2.1, clustering has been changed so that configuration files, as well as the database, now get clustered. This allows us to synchronize the SSL server certificate and user client certificates and keys amongst other things. This means that features which previously didn't work in a cluster, such as Certificate Authentication, should now work properly. Because of this change, there will be an initial replication of files from one cluster node to the other(s).
There are cases where this could fail if either:-
a) There is a disconnect or network issue during the replication.
b) There is already some underlying issue or corruption of a config file on one node.
A fix is now in the 2.1 release which will cache copies of replicated files, and match file hashes before being copied to the final location (rather than just replicating direct from source to destination). It is now considered best practice to perform an upgrade of a cluster in the following way to minimize any chances of bad configurations causing a failure.
- It should not be absolutely necessary to de-cluster once you're upgrading from 2.1 upwards, but it is always good idea.
- In the SSL VPN web interface, go to the ADVANCED > Linked Management page on one system in the cluster, and remove the Cluster Shared Secret, and click Save Changes.
- Only when Simple HA is configured: When back at the login page, log in and navigate back to ADVANCED > Linked Management, in Simple High-Availability, clear the value of the IP address if it exists (you may only need to do this on the first system) and click Save Changes.
- When back at the log in page, log in and navigate back to ADVANCED > Linked Management. In the list of Clustered Systems, delete all entries apart from the node for the system you are logged in to, by clicking the bin icon then OK. (This step is not required when de-clustering from firmware 2.1).
- Repeat steps 1 through 3 for each unit in the cluster.
- In the SSL VPN Web Interface, navigate to the ADVANCED > Firmware Update page for each system in the cluster.
- Download the firmware version you wish to use onto each system. Do NOT apply the update yet.
- Apply the firmware on one Barracuda SSL VPN appliance. After the update has finished, the system will reboot.
- After the system reboots, verify that the firmware has been applied successfully and the unit is operating as expected.
- Repeat steps 2 through 4 for each unit in the cluster until all systems have been updated.
- In the Web Interface , navigate to the ADVANCED > Linked Management page on one system in the cluster, set a new Cluster Shared Secret and Click Save Changes. Repeat for all other units to be clustered.
- Now, choose which SSL VPN unit you want to pull the configuration from and log into one of the other SSL VPN systems and navigate back to ADVANCED > Linked Management. In Clustered Systems > Add System, add the IP address of the system to pull the configuration from (this will overwrite all configuration on the system you are logged on to) and click Join Cluster.
- Wait for a couple of minutes to give the cluster time to initiate and replicate, then refresh the Linked Management page to confirm you can see all cluster systems and that they have a green status.13. Repeat steps 1 and 2 for any other cluster systems you wish to add (only valid if you have a 3 way or higher cluster).