Saucepan

User Tools

Site Tools

Trace: dhcp datasheets reporting aws_gwlb import_firewall_into_panorama
infoblox_nios:upgrade

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infoblox_nios:upgrade [2025/12/10 00:27] – [Notes] bstaffordinfoblox_nios:upgrade [2026/03/19 23:06] (current) – [Upgrades to NIOS 9.1] bstafford
Line 56: Line 56:
  
 After you complete the downgrade procedure, all data in the database is lost. The downgrade process does not preserve data but does preserve license information and basic network settings. After you complete the downgrade procedure, all data in the database is lost. The downgrade process does not preserve data but does preserve license information and basic network settings.
 +
 +===== Upgrades to NIOS 9.1 =====
 +SSH into GM and disable TLS 1.0 and TLS 1.1
 +
 +<code>set ssl_tls_settings override
 +set ssl_tls_protocols disable TLSv1.0
 +set ssl_tls_protocols disable TLSv1.1</code>
 +You will need to restart the GUI manually. Navigate to the Grid tab -> Grid Manager tab -> Members tab, select the member checkbox, expand the Toolbar, and click Control -> Restart GUI
 +
 +You may also get the following error logs in the GM syslog based on one or more of the Trusted Root CA in your CA store in NIOS
 +<code>Upgrade check failed, SKI doesn't exist in CA-certificate subject=</code>
  
 ===== Upgrades to NIOS 9.0 ===== ===== Upgrades to NIOS 9.0 =====
Line 62: Line 73:
  
 You should install Hotfix-NIOS-98022 BEFORE upgrading to NIOS 9.0 (but AFTER distribution of NIOS 9.0.x code) to ensure that all OpenVPN connections (Grid communication) is using a correct certificate. Failure to do this can result in members going offline (not connecting to GM) and/or GM entering a reboot loop. From NIOS 9.0.6 onwards, Upgrade Test and Upgrade will fail if OpenVPN certificates are not correct. More details [[https://support.infoblox.com/s/article/How-to-recover-NIOS-from-old-certificate-related-issues|here]]. You should install Hotfix-NIOS-98022 BEFORE upgrading to NIOS 9.0 (but AFTER distribution of NIOS 9.0.x code) to ensure that all OpenVPN connections (Grid communication) is using a correct certificate. Failure to do this can result in members going offline (not connecting to GM) and/or GM entering a reboot loop. From NIOS 9.0.6 onwards, Upgrade Test and Upgrade will fail if OpenVPN certificates are not correct. More details [[https://support.infoblox.com/s/article/How-to-recover-NIOS-from-old-certificate-related-issues|here]].
 +
 +Consider setting the following after upgrading to 9.0 to ensure that DNS restarts don't take longer. named_max_exit_wait - default is to wait until exit happens. This command sets a max (e.g. 3 or 5 seconds)
 +
  
 In NIOS 9.0 and higher, if you use LDAP authentication and you need the LDAP connection to egress the MGMT interface, you must put a static route on the NIOS box to force the traffic to use the MGMT interface.  This is because in NIOS 9.0.0, LDAP requests to the LDAP server and Active Directory server cannot be sent using the MGMT IP address, because OpenLDAP version 2.4.49 (Ubuntu) removed the options of binding the source IP address on the client. Therefore, an LDAP request or an Active Directory authentication request is always sent through the LAN IP address, even though you have enabled the Connect through Management Interface option. In NIOS 9.0 and higher, if you use LDAP authentication and you need the LDAP connection to egress the MGMT interface, you must put a static route on the NIOS box to force the traffic to use the MGMT interface.  This is because in NIOS 9.0.0, LDAP requests to the LDAP server and Active Directory server cannot be sent using the MGMT IP address, because OpenLDAP version 2.4.49 (Ubuntu) removed the options of binding the source IP address on the client. Therefore, an LDAP request or an Active Directory authentication request is always sent through the LAN IP address, even though you have enabled the Connect through Management Interface option.
Line 145: Line 159:
  
 The following command is available from NIOS 9.0 onwards The following command is available from NIOS 9.0 onwards
 +<code>set enable_strict_ca_cert_check</code>
 <code>set disable_strict_ca_cert_check</code> <code>set disable_strict_ca_cert_check</code>
 <code>show strict_ca_cert_check</code> <code>show strict_ca_cert_check</code>
infoblox_nios/upgrade.1765326470.txt.gz · Last modified: by bstafford