Juniper NETWORKS Paragon Active Assurance Software User Guide
- June 16, 2024
- JUNIPER NETWORKS
Table of Contents
- General
- Special Upgrade Procedures
- Upgrade Procedure
- Compute checksums for the repositories and verify that they match the
- SHA256 checksums provided on the download page
- Start the installation
- Troubleshooting
- References
- Read User Manual Online (PDF format)
- Download This Manual (PDF format)
- Compute the checksum for the tar file and verify that it is equal to the
- checksum provided on the download page export CC_VERSION=4.2.0.54
Paragon Active Assurance Upgrade Guide
Published
2023-07-07
RELEASE 4.2
General
Upgrade Paths
If you are upgrading from an old Netrounds version, the following steps are
essential:
- Upgrading from version 2.34 to replace Ubuntu 16.04 with Ubuntu 18.04.
- Upgrading to version 4.0 to start using a Juniper license.
The following upgrade paths are recommended:
Source version | Target version | Note |
---|---|---|
< 2.28.99 | 2.28.99 | For these upgrades, please contact Juniper support (see |
below).
2.28.99| 2.29.2|
2.29.2| 2.34.4
2.30.x| 2.34.4
2.31.x| 2.34.4
2.32.0| 2.34.4
2.33.x| 2.34.4
2.34.x| 2.35.6| See Upgrading Control Center from Version 2.34.
(Continued)
Source version | Target version | Note |
---|---|---|
2.35.x | 4.2.0 | See “Special Procedures for Upgrade to 3.0 or Later” on age |
- 2.36.x| 4.2.0
3.0.x| 4.2.0
3.1.x| 4.2.0
3.2.x| 4.2.0
3.3.x| 4.2.0
3.4.x| 4.2.0
4.0.x| 4.2.0
4.1.x| 4.2.0
To contact Juniper technical support, file a ticket at
support.juniper.net/support/requesting-
support.
Please also contact technical support whenever you want to upgrade from a
version or between versions that are EoS.
Release Notes
Before starting the upgrade, please always read the Release Notes for the
version you are upgrading to.
These notes describe new features and also inform you of important under-the-
hood changes such as new configuration files.
If you are upgrading across multiple versions, please read the Release Notes
for all intermediate versions.
Special Upgrade Procedures
Special Procedures for Upgrade to 4.2
When upgrading to version 4.2, you need to follow the document Upgrading
Control Center to 4.2 rather than the present generic upgrade guide.
Special Procedures for Upgrade to 3.0 or Later
Obtaining a License
On upgrading to version 3.0 or later, you need a new license from Juniper
Networks to be able to use the product.
To prevent Control Center downtime in connection with the upgrade, we
recommend that you obtain the new license before doing the upgrade. To get the
license from the Juniper EMS Portal, you need to provide the UUID of the
system where Control Center is installed.
-
Run this command on the Control Center machine: ncc license license-request
The output includes a UUID in plain-text format. -
Log in to the Juniper EMS Portal at license.juniper.net/licensemanage/ with the credentials you have received from Juniper.
-
In the My Product Licenses view, click the Activate button for the relevant license.
-
In the dialog that appears, under SW Version, leave the default choice 3.0 and Above.
-
Under Universal Unique ID (UUID), enter the UUID string you generated with the ncc license licenserequest command.
-
Click the Activate button at the bottom of the screen.
-
A license key will now be generated. Download it and save it as a plain-text file cc_license.txt.
-
Perform the Paragon Active Assurance upgrade according to the present document.
-
Finally, activate the license in Control Center using the command ncc license activate cc_license.txt
Plugin Configuration File
This version introduces a new configuration file /etc/netrounds/plugin.yaml.
During installation, this file needs to be updated with the correct database
connection details if the latter have been changed from the default.
Special Procedure for Upgrade from 2.34
The upgrade from 2.34 to a later version involves an Ubuntu upgrade from
version 16.04 to version 18.04. It is covered in the document Upgrading
Control Center from Version 2.34.
Finding Out Your Paragon Active Assurance
Software Version
To find out what version of Paragon Active Assurance you currently have
installed, you can use this command:
Upgrade Procedure
WARNING: If you are upgrading from 2.34, please make sure you use the
special upgrade procedure described in the document Upgrading Netrounds
Control Center from Version 2.34.
If you have previously upgraded from 2.34 and are now going to upgrade to 3.0
or later, you must begin by undoing a step performed in the 2.34 upgrade. Run
this command: sudo apt-mark unhold python-django python-django-common You can
then follow the instructions below.
Below are general instructions for upgrading Control Center. Note that for
specific releases, additional actions may be required; separate instructions
are then given in each case in what follows.
Be sure to refer to the current Installation Guide.
-
Disable the apache2 and netrounds-callexecuter services completely:
sudo systemctl disable apache2
sudo systemctl disable netrounds-callexecuter -
Stop all Paragon Active Assurance services:
sudo systemctl stop “netrounds-*” apache2 openvpn@netrounds -
Make backups according to the Operations Guide, chapter Backing Up Product Data, starting with the section “Backing Up the PostgreSQL Database”.
-
Verify the integrity of the tarball containing the new Control Center version:
Compute the checksum for the tar file and verify that it is equal to the
SHA256
checksum provided on the download page export CC_VERSION=4.2.0.54
sha256sum paa-control-center_${CC_VERSION}.tar.gz
-
Unpack the Control Center tarball: tar -xzf paa-control-center_${CC_VERSION}.tar.gz
-
Install new Control Center packages.
In the file /etc/netrounds/netrounds.conf you can optionally configure the SPEEDTEST_ADDRESS setting (if you are going to use Speedtest). This can either point to the same IP address that SITE_URL resolves to, or it can have a hostname of its own.
WARNING: You will now be prompted about overwriting existing
configuration files.
Before proceeding, please read all the information about settings below.
NOTE:
- We highly recommend that you first inspect the difference between your old configuration and the new one using the “D” choice. In most cases you will then want to keep your old settings by pressing “N” (do not overwrite).
- New optional and updated settings may be available in the example configuration files provided in the packages. We recommend that you review these and add new options as appropriate for your installation.
WARNING: For the Apache configuration files found in /etc/apache2/sites-
available/ you need to press “Y”, which is the “package maintainer’s version”.
If you have installed proper SSL certificates (as recommended) instead of the
default snakeoil ones, you will have to modify the file again to point to the
correct path in the SSLCertificateFile and SSLCertificateKeyFile settings
after the Debian package installation
has completed. See the Installation Guide, chapter Service Configuration,
section “SSL Certificate Configuration”.
sudo apt-get update
sudo apt-get install ./paa-control-center_${CC_VERSION}/*.deb
- Run the database migration:
WARNING: If you have changed the database password from the default, make sure you also change this in the db-password setting in the /etc/netrounds/plugin.yaml file before running ncc migrate. Otherwise, the command will fail.
NOTE:
-
This is a sensitive command, and care should be taken when executing it on a remote machine. In such a scenario it is strongly recommended that you use a program like screen (generally installed by default on popular Linux distributions) or tmux (run sudo apt-get install tmux to install) so that the migrate command will continue running even if the ssh session breaks.
-
This command takes considerable time to execute.
sudo ncc migrate -
Restart all Paragon Active Assurance services: sudo ncc services restart
-
Install the new Test Agent repository and plugins.
The plugins are used by Test Agent Applications.
TA_APPLIANCE_BUILD=4.2.0.34
TA_APPLICATION_BUILD=4.2.0.20
PLUGIN_BUILD=4.2.0.29
Compute checksums for the repositories and verify that they match the
SHA256 checksums provided on the download page
sha256sum paa-test-agent_${TA_APPLIANCE_BUILD}all.deb
sha256sum paa-test-agent-application${TA_APPLICATION_BUILD}all.deb
sha256sum paa-test-agent-plugins${PLUGIN_BUILD}_all.deb
Start the installation
sudo apt-get install ./paa-test-agent_${TA_APPLIANCE_BUILD}all.deb
sudo apt-get install ./paa-test-agent-
application${TA_APPLICATION_BUILD}all.deb
sudo apt-get install ./paa-test-agent-plugins${PLUGIN_BUILD}_all.deb
-
Enable services as follows:
sudo ncc services enable apache2
sudo ncc services enable kafka
sudo ncc services enable callexecuter -
Restart all Paragon Active Assurance services:
NOTE: You must do this to get the services up and running again after the upgrade.
sudo ncc services restart -
To activate the new configuration, you also need to run: sudo systemctl reload apache2
-
Check that the system is up and running with the commands ncc status sudo systemctl status “netrounds-*”
-
Do the following to enable the latest version of all plugins in all accounts:
ncc plugins edit enabled-version –all-plugins –latest-version –all-accounts
For more information on how to manage plugins using the Control Center CLI, see the in-app help under “Plugins”. -
Log in to the Control Center GUI and go to the Test Agents view. Next to each Test Agent for which an upgrade is available, an up-arrow icon appears. Click that icon to go ahead with the upgrade.
Troubleshooting
Password Authentication Failed For User
If the ncc migrate command fails with an error message
Failed to connect to database error=”pq: password authentication failed for
user \”netrounds\”” db-host=localhost db-name=paa-plugins db-port=5432 … you
must update the variable db-password in the /etc/netrounds/plugin.yaml file as
explained in the “warning above” on page 7. Edit this file and then rerun ncc
migrate.
Target WSGI Script Not Found
If you accidentally selected “N” for the Apache configuration files (see “this
step above” on page 6) and got an error message like the one below
[wsgi:error] [pid 29401:tid 140567451211520] [client 127.0.0.1:37172] Target
WSGI script not found or unable to stat: /usr/lib/python2.7/dist-
packages/netrounds/wsgi.py run the following commands to get back on track:
export CCVERSION=4.2.0.54
dpkg-deb –fsys-tarfile paa-webapp${CC_VERSION}_all.deb | tar -x –wildcards
./etc/apache2/
sites-available/.conf –strip-components 4
sudo mv netrounds.conf /etc/apache2/sites-available/
sudo chown -R root:root /etc/apache2/sites-available/
sudo systemctl reload apache2
This overwrites the old configuration with the new one in the updated package.
Again, if you have installed proper SSL certificates (as recommended) instead
of the default snakeoil ones, you will have to modify the file again to point
to the correct path in the SSLCertificateFile and SSLCertificateKeyFile
settings after the Debian package installation has completed. See the
Installation Guide, chapter Service Configuration, section “SSL Certificate
Configuration”.
Same Origin Policy Disallows Reading the Remote Resource
This or some similar error may occur if you hav e set SITE_URL and
SPEEDTEST_ADDRESS to different valuesin /etc/netrounds/netrounds.conf. You
then need to change ALLOWED_ORIGINS in /etc/netrounds/restol.conf to allow
both of these values in the restol.conf file. The simplest way to achieve this
is to delete any value previously assigned to ALLOWED_ORIGINS. That setting
will then get a default value which allows SITE_URL and
SPEEDTEST_ADDRESS as found in /etc/netrounds/netrounds.conf.
Test Agent Appliance Does Not Come Online After Control Center Upgrade
If you upgrade Control Center 3.1 or 3.2 to version 3.3 or later and you are
using Test Agent Appliance 3.3, it may happen that a Test Agent Appliance on
which a Test Agent Application is run (this is supported from version 3.3.1
onward) will not come online but remain gray in Control Center. This is
because traffic on port 6800 is filtered by a DROP rule.
Resolve this issue by running the following command on the Control Center
machine: sudo iptables -I INPUT -i tun0 -p tcp –dport 6800 -j ACCEPT
Rollback in Case of Failed Upgrade
If a Control Center upgrade fails, here is how to return the system to its
state immediately before the upgrade:
- Make a clean Ubuntu installation according to the Installation Guide, chapter Installing Required OS and Software.
- Install the version of Control Center that you were using before the upgrade. Again, follow the Installation Guide, chapter Installing Control Center and Related Tasks.
- Recover your data from backup as explained in the Operations Guide, chapter Restoring Product Data from Backup.
Note on Control Center YANG Models
Upgrading Control Center, and specifically the netrounds-
confd_
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Copyright © 2023 Juniper Networks, Inc. All rights reserved.
References
Read User Manual Online (PDF format)
Read User Manual Online (PDF format) >>