vSphere upgrade saga: Upgrading to vCNS 5.1
vCNS 5.1 replaces vShield 5.1, and if you do not add new nodes during your installation, you can easily perform all upgrades without removing any components of vShield. vCNS upgrades will upgrade all components of vShield. (Unfortunately, the typical approach to upgrade did not work for me.)
Here's a step-by-step walkthrough of the process you should follow, with some notes from my experience.
1. Make a backup of all your vShield Edge and App rules. While you can back up the database it is now restorable within vShield Manager 5.1.x, so the way I did this was to cut and paste the setup screens into a Word document. Include the following:
Configuration of each Edge Device (external and internal interfaces)
Rules for each Edge and App device
NAT (SNAT and DNAT) rules for each Edge Device
Static Routes for each Edge Device
Load Balancer, DHCP, and VPN settings for each Edge device
2. Create a vSphere Snapshot of your vShield Manager.
3. Go into vShield Manager and use the upgrade mechanism within the web pages. My upgrade failed due to lack of disk space.
I mounted the virtual disk into a Linux VM and removed the previously copied dist file. This is NOT recommended unless you know exactly what you are doing. But this still did not free up enough space.
I attempted to upgrade from 5.0.0 to 5.0.2 first but ran into the same lack of disk space issues.
The solution was to instead upgrade to vCNS 5.1.1 using the information found in KB 2034699, which requires you to install a maintenance bundle to free up disk space, then perform the upgrade, back up your database, redeploy from OVA, and eventually restore from your previously saved DB. Before you redeploy from OVA, shut down your old vShield Manager and rename it to a unique name. This way, if there is a problem, you can always go back to the snapshot you made.
4. Clear your cookies before trying to access vShield Manager. I had a problem where it would say system functionality was not available until cookies were cleared.
5. Upgrade your vShield Edge, App, and Endpoint devices. If you do not restore your DB properly, then these devices will not be seen.
6. Then delete your old vShield Manager.
If you add new nodes at this time and happen to uninstall your vShield App and Endpoint components before the update, you will need to reinstall them before you can make use of Host Profiles. Bits of the virtual switch configuration hang out for vShield App and Edge, which makes applying host profiles rather difficult. More on that when we get to post processing and ESXi upgrades.
Next up: upgrading vCloud Director.