**Juniper NETWORKS Paragon Active Assurance User Guide

**

General

Upgrade Paths

If you are upgrading from an old Netrounds version, the following steps are essential:

• Upgrading from version 2.34 to replace Ubuntu 16.04 with Ubuntu 18.04.
• Upgrading to version 4.0 to start using a Juniper license.

The following upgrade paths are recommended:

below).
2.28.99| 2.29.2
2.29.2| 2.34.4| –
2.30.x| 2.34.4
2.31.x| 2.34.4
2.32.0| 2.34.4
2.33.x| 2.34.4
2.34.x| 2.35.6| See Upgrading Control Center from Version 2.34.
Source version| Target version| Note
2.35.x| 4.3.0| See “Special Procedures for Upgrade to 3.0 or Later” on page 3.If you are upgrading from Release4.1.X or earlier releases to Release 4.3, you need to upgrade the Ubuntu version to 22.04. See Alternative Upgrade Procedure.
2.36.x| 4.3.0
3.0.x| 4.3.0
3.1.x| 4.3.0
3.2.x| 4.3.0
3.3.x| 4.3.0
3.4.x| 4.3.0
4.0.x| 4.3.0
4.1.x| 4.3.0
4.2.x| 4.3.0

To contact Juniper technical support, file a ticket at support.juniper.net/support/requesting- support.

Please also contact technical support whenever you want to upgrade from a version or between versions that are EoS.

Release Notes

Before s|-rঞn] the upgrade, please always read the Release Notes for the version you are upgrading to. These notes describe new features and also inform you of important under-the-hood changes such as new conC]†r-ঞon CѴ;sĺ

If you are upgrading across m†ѴঞrѴ; versions, please read the Release Notes for all intermediate versions.

Special Upgrade Procedures

Special Procedures for Upgrade to 4.3

When upgrading to version 4.3, you need to follow the document Upgrading Control Center to 4.3 rather than the present generic upgrade guide.

Special Procedures for Upgrade to 3.0 or Later

Obtaining a License

On upgrading to version 3.0 or later, you need a new license from Juniper Networks to be able to use the product.

To prevent Control Center 7ownঞm; in conn;cঞon with the upgrade, we recommend that you obtain  the new license before doing the upgrade. To get the license from the Juniper EMS Portal, you need to provide the UUID of the system where Control Center is insta

• Run this command on the Control Center machine:
  ncc license license-request
  The output includes a UUID in plain-text format.

• Log in to the Juniper EMS Portal at license.juniper.net/licensemanage/ with the cr;7;nঞ-Ѵs you have received from Juniper.

• In the My Product Licenses view, click the cঞv-|; b†‚on for the relevant license.

• In the dialog that appears, under SW Version, leave the default choice 3.0 and Above.

• Under Universal Unique ID (UUID), enter the UUID string you generated with the ncc license licenserequest command.

• Click the cঞv-|; b†‚on at the bo‚om of the screen.

• A license key will now be generated. Download it and save it as a plain-text CѴ; cc_license.txt.

• Perform the Paragon cঞv; Assurance upgrade according to the present document.

• Finally, -cঞv-|; the license in Control Center using the command

ncc license activate cc_license.txt

Plugin ComC]†r-ঞom File

This version introduces a new conC]†r-ঞon CѴ; /etc/netrounds/plugin.yaml. During bns|-ѴѴ-ঞonķ this CѴ; needs to be updated with the correct database conn;cঞon details if the Ѵ-‚;r have been changed from the default.

Special Procedure for Upgrade from 2.34

The upgrade from 2.34 to any release up to 3.3 involves an Ubuntu upgrade from version 16.04 to version 18.04. It is covered in the document Upgrading Control Center from Version 2.34.

Finding Out Your Paragon cঞv; Assurance “o[w-r; Version

To Cn7 out what version of Paragon cঞv; Assurance you currently have installed, you can use this command:

dpkg -l | grep paa

Upgrade Procedure

WARNING: If you are upgrading from 2.34, please make sure you use the special upgrade procedure described in the document Upgrading Netrounds Control Center from Version 2.34.

If you have previously upgraded from 2.34 and are now going to upgrade to 3.0 or later, you must begin by undoing a step performed in the 2.34 upgrade. Run this command:

sudo apt-mark unhold python-django python-django-common

You can then follow the bns|r†cঞons below.

Below are general bns|r†cঞons for upgrading Control Center. Note that for sr;cbCc releases, -77bঞon Ѵ -cঞons may be required; separate bns|r†cঞons are then given in each case in what follows.

Be sure to refer to the current ns|-ѴѴ-ঞon Guide

• Disable the apache2 and netrounds-callexecuter services completely: sudo systemctl disable apache2 sudo systemctl disable netrounds-callexecuter

• Stop all Paragon cঞv; Assurance services: sudo systemctl stop “netrounds-*” apache2 openvpn@netrounds

• Make backups according to the r;r-ঞons Guide, chapter Backing Up Product Data, s|-rঞn] with the s;cঞon “Backing Up the PostgreSQL Database”.

• Verify the integrity of the tarball containing the new Control Center version:

• Compute the checksum for the tar file and verify that it is equal to the SHA256

• checksum provided on the download page

• export CC_BUILD=4.3.0.15

• sha256sum paa-control-center_${CC_BUILD}.tar.gz

• Unpack the Control Center tarball:
  tar -xzf paa-control-center_${CC_BUILD}.tar.gz

• Install new Control Center packages.
  In the CѴ; /etc/netrounds/netrounds.conf you can orঞon-ѴѴy conC]†r; the SPEEDTEST_ADDRESS s;মn] (if you are going to use Speedtest). This can either point to the same IP address that SITE_URL resolves to, or it can have a hostname of its own.

WARNING: You will now be prompted about overwriting existing configuration files. Before proceeding, please read all the information about settings below.

NOTE:

• We highly recommend that you Crs| inspect the 7b@;r;nc; between your old conC]†r-ঞon and the new one using the “D” choice. In most cases you will then want to keep your old s;মn]s by pressing “N” (do not overwrite).
• New orঞon-Ѵ and updated s;মn]s may be available in the example conC]†r-ঞon CѴ;s provided in the packages. We recommend that you review these and add new orঞons as appropriate for your bns|-ѴѴ-ঞonĺ

WARNING: For the Apache conC]†r-ঞon CѴ;s found in /etc/apache2/sites- available/ you need to press “Y”, which is the “package maintainer’s version”.

If you have installed proper SSL c;rঞCc-|;s (as recommended) instead of the default snakeoil ones, you will have to modify the CѴ; again to point to the correct path in the SSLCertificateFile and SSLCertificateKeyFile s;মn]s -[;r the Debian package bns|-ѴѴ-ঞon has completed. See the ns|-ѴѴ-ঞon Guide, chapter Service onC]†r-ঞon, s;cঞon “SSL ;rঞCc-|; onC]†r-ঞonŞĺ

sudo apt-get update
sudo apt-get install ./paa-control-center_${CC_BUILD}/*.deb

Run the database mb]r-ঞonĹ

WARNING: If you have changed the database password from the default, make sure you also change this in the db-password s;মn] in the /etc/netrounds/plugin.yaml CѴ; before running ncc migrate. Otherwise, the command wil

NOTE:

• This is a s;nsbঞv; command, and care should be taken when ;x;c†ঞn] it on a remote machine. In such a scenario it is strongly recommended that you use a program like screen (generally installed by default on popular Linux 7bs|rbb†ঞonső or tmux (run sudo apt-get install tmux to install) so that the migrate command will conঞn†; running even if the ssh session breaks.
• This command takes considerable ঞm; to execute.

sudo ncc migrate

• Restart all Paragon cঞv; Assurance services:
  sudo ncc services restart

• Install the new Test Agent repository and plugins.
  The plugins are used by Test Agent rrѴbc-ঞonsĺ
  TA_APPLIANCE_BUILD=4.3.0.16
  TA_APPLICATION_BUILD=4.3.0.16
  PLUGIN_BUILD=4.3.0.24

  Compute checksums for the repositories and verify that they match the

  SHA256 checksums provided on the download page sha256sum paa-test- agent_${TA_APPLIANCE_BUILD}all.deb sha256sum paa-test-agent- application${TA_APPLICATION_BUILD}all.deb sha256sum paa-test-agent- plugins${PLUGIN_BUILD}all.deb
  # Start the installation
  sudo apt-get install ./paa-test-agent${TA_APPLIANCE_BUILD}all.deb sudo apt-get install ./paa-test-agent-application${TA_APPLICATION_BUILD}all.deb sudo apt-get install ./paa-test-agent-plugins${PLUGIN_BUILD}_all.deb

• Enable services as follows:
  sudo ncc services enable apache2
  sudo ncc services enable kafka
  sudo ncc services enable callexecuter

• Restart all Paragon cঞv; Assurance services:
  NOTE: You must do this to get the services up and running again -[;r the upgrade.
  sudo ncc services restart

• To -cঞv-|; the new conC]†r-ঞonķ you also need to run:
  sudo systemctl reload apache2

• Check that the system is up and running with the commands

• ncc status
  sudo systemctl status “netrounds-*”

• Run the following script to enable the latest version of all plugins in all accounts: xport PORT=49900 while true; do
  if netstat -lnt | grep “:$PORT ” > /dev/null; then echo “$(date): Plugin service is listening on port $PORT” echo “Enabling latest plugins for all accounts” sudo ncc plugins edit enabled-version –all-plugins –latest-version –all-accounts — exit-on-failure=false –verbose break
  fi echo “Waiting for plugin service listening on $PORT” sleep 3 done
  If you encounter the following error -[;r you run the script, create a support case by -‚-c_bn] the script output in order to troubleshoot the error. 2023-11-17T09:22:46Z ERR ../../app/api/handlers/update_plugin.go:246 > Failed to change enabled plugin version error=”unknown account shortname account_name” host=ip-10-0-0-11 service=plugin-service short_name=account_name src=core
  For more bn=orm-ঞon on how to manage plugins using the Control Center CLI, see the in-app help under “Plugins”.

• Log in to the Control Center GUI and go to the Test Agents view. Next to each Test Agent for which an upgrade is available, an up-arrow icon appears. Click that icon to go ahead wi

Troubleshooting

Password †|_;mঞc-ঞom Failed For User

If the ncc migrate command fails with an error message

Failed to connect to database error=”pq: password authentication failed for user \”netrounds\”” db-host=localhost db-name=paa-plugins db-port=5432 …

you must update the variable db-password in the /etc/netrounds/plugin.yaml CѴ; as explained in the “warning above” on page 7. Edit this CѴ; and then rerun ncc migrate.

Target WSGI Script Not Found

If you accidentally selected “N” for the Apache conC]†r-ঞon CѴ;s (see “this step above” on page 6) and got an error message like the one below

[wsgi:error] [pid 29401:tid 140567451211520] [client 127.0.0.1:37172] Target WSGI script not found or unable to stat: /usr/lib/python2.7/dist- packages/netrounds/wsgi.py

run the following commands to get back on track:

• export CC_BUILD=4.3.0.15
• dpkg-deb –fsys-tarfile paa-webapp_${CC_BUILD}_all.deb | tar -x –wildcards
• ./etc/apache2/sitesavailable/*.conf –strip-components 4
• sudo mv netrounds*.conf /etc/apache2/sites-available/
• sudo chown -R root:root /etc/apache2/sites-available/
• sudo systemctl reload apache2

This overwrites the old conC]†r-ঞon with the new one in the updated package.

Again, if you have installed proper SSL c;rঞCc-|;s (as recommended) instead of the default snakeoil ones, you will have to modify the CѴ; again to point to the correct path in the SSLCertificateFile and SSLCertificateKeyFile s;মn]s -[;r the Debian package bns|-ѴѴ-ঞon has completed. See the ns|-ѴѴ ঞon Guide, chapter Service onC]†r-ঞon, s;cঞon “SSL ;rঞCc-|; onC]†r-ঞonŞĺ

Same Origin Policy Disallows Reading the Remote Resource

This or some similar error may occur if you have set SITE_URL and SPEEDTEST_ADDRESS to 7b@;r;n| values in /etc/netrounds/netrounds.conf. You then need to change ALLOWED_ORIGINS in /etc/netrounds/restol.conf to allow both of these values in the restol.conf CѴ;ĺ The simplest way to achieve this is to delete any value previously assigned to ALLOWED_ORIGINS. That s;মn] will then get a default value which allows SITE_URL and SPEEDTEST_ADDRESS as found in /etc/netrounds/netrounds.conf.

Test Agent Appliance Does Not Come Online [;r Control Center Upgrade

If you upgrade Control Center 3.1 or 3.2 to version 3.3 or later and you are using Test Agent Appliance 3.3, it may happen that a Test Agent Appliance on which a Test Agent rrѴbc-ঞon is run (this is supported from version 3.3.1 onward) will not come online but remain gray in Control Center. This is because |r-Lc on port 6800 is CѴ|;r;7 by a DROP rule.

Resolve this issue by running the following command on the Control Center m

sudo iptables -I INPUT -i tun0 -p tcp –dport 6800 -j ACCEPT

Rollback in Case of Failed Upgrade

If a Control Center upgrade fails, here is how to return the system to its state immediately before the upgrade:

• Make a clean Ubuntu bns|-ѴѴ-ঞon according to the ns|-ѴѴ-ঞon Guide, chapter Installing Required OS and “o[w-r;.
• Install the version of Control Center that you were using before the upgrade. Again, follow the ns|-ѴѴ-ঞon Guide, chapter Installing Control Center and Related Tasks.
• Recover your data from backup as explained in the r;r-ঞons Guide, chapter Restoring Product Data from Backup.

Applying Ubuntu Updates

NOTE: If you want to apply updates to Ubuntu 22.04, you Crs| need to hold rrd packages with the command.

sudo apt-mark hold librrd8 python3-rrdtool rrdtool

Then you can apply the updates with

sudo apt dist-upgrade

The hold command is necessary because the or;r-ঞn] system will by default remove Paragon cঞv; Assurance packages:

(output from sudo apt dist-upgrade below)

The following packages will be REMOVED:
paa-callexecuter paa-common paa-license-daemon paa-test-agent-compat paa-test- agent-login paawebapp The following packages will be upgraded: librrd8 python3-rrdtool rrdtool 3 upgraded, 0 newly installed, 6 to remove and 0 not up

Note on Control Center YANG Models

Upgrading Control Center, and sr;cbCc-ѴѴy the netrounds-confd_all.deb package, may replace the Control Center YANG model with a newer version. This is relevant for orc;s|r-ঞon soѴ†ঞons which rely on that YANG model and on the NETCONF & YANG API. The Control Center YANG model netroundsncc.yang is found under /opt/netrou

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their r;sr;cঞv; owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this r †bѴbc-ঞon without noঞc;ĺ Copyright © 2023 Juniper Networks, Inc. All rights reserved.

References

• Example Domain
• Hosted by one.com
• license.juniper.net/licensemanage/
• Downloads
• ubuntu.com/server/docs/mail-postfix
• license.juniper.net/licensemanage/
• Downloads
• How To Use Journalctl to View and Manipulate Systemd Logs | DigitalOcean

Read User Manual Online (PDF format)

Read User Manual Online (PDF format)  >>

Download This Manual (PDF format)

Download this manual  >>