Cannot upgrade to new SFOS version!

Question

Hello, 
 We have a XGS3100 with SFOS version 19.0.3 MR3 that we want to upgrade to 20.0.1 MR1. During upgrade, configuration cannot migrated to new version and also backup restore to new version is not working. In control center, we received it shows following alert: 
 
 You can't upgrade to 19.5 MR1 and later versions. Routes configured through the Zebra advanced shell CLI commands in earlier versions become unavailable in these versions. See KB-000044696. 
 
 Also there is following log in applog.log: 
 ul 10 08:47:09Z Migration/Restore from pre19.5 build, Zebra config is present in tblroutinginfo Jul 10 08:47:09Z Migration/Restore is blocked! This appliance has custom Zebra CLI configuration. Jul 10 08:47:09Z Failed to restore. Reverting back to old breakout config if applicable. 
 
 I couldn't find how to remove Zebra config from advanced shell CLI as KB-000044696 suggested but I queried PSQL database table " tblroutinginfo" and here is the result: 
 
 XGS3100_RL01_SFOS 19.0.3 MR-3-Build517# /bin/psql -U nobody -d corporate -Atc "select * from tblroutinginfo;" pim|# This is the configuration file for "pimd", an IP multicast router. 
 cand_bootstrap_router priority 0 group_prefix 224.0.0.0 masklen 4 switch_data_threshold rate 50000 interval 20 # 50kbps (approx.) switch_register_threshold rate 50000 interval 20 # 50kbps (approx.) 
 ospf|! ! OSPFD configuration file ! hostname ospf 
 log stdout 
 line vty no login ! 
 rip|! ! RIPD configuration file ! hostname rip 
 log stdout 
 line vty no login ! 
 bgp|! ! BGPD configuration file ! hostname bgp 
 log stdout 
 line vty no login ! 
 zebra|! ! Zebra configuration saved from vty ! 2024/07/10 07:54:24Z ! hostname router log stdout ! interface Port1 ! interface Port2 ! interface Port3 ! interface Port4 ! interface Port5 ! interface Port6 ! interface Port7 ! interface Port8 ! interface PortF1 ! interface PortF2 ! interface PortF3 ! interface PortF4 ! interface PortMGMT ! interface erspan0 ! interface gre0 ! interface gretap0 ! interface ifb0 ! interface ip6tnl0 ! interface ipsec0 ! interface lo ! interface mvmgmt0 ! interface oct0 ! interface pport_l0 ! interface pport_l0s0p0 ! interface pport_l254 ! interface sit0 ! interface spq ! interface tun0 ! interface tun1 ! ip route 192.168.60.0/24 192.168.80.1 Port61 ip route 192.168.70.0/24 192.168.80.1 Port61 ip route 192.168.80.0/24 192.168.80.1 Port61 ip route 192.168.90.0/24 192.168.80.1 Port61 ! ! ! line vty no login !

All the following records are stale records from previous migrations from CROS and there are no static route in GUI for them. 
 ip route 192.168.60.0/24 192.168.80.1 Port61 ip route 192.168.70.0/24 192.168.80.1 Port61 ip route 192.168.80.0/24 192.168.80.1 Port61 ip route 192.168.90.0/24 192.168.80.1 Port61

Here is result for "route -n" and "ip route" which does not show these routes:

XGS3100_RL01_SFOS 19.0.3 MR-3-Build517# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.139.1.0 0.0.0.0 255.255.255.0 U 0 0 0 Port6
31.130.182.48 0.0.0.0 255.255.255.248 U 0 0 0 Port4
85.185.237.248 0.0.0.0 255.255.255.248 U 0 0 0 Port5
172.30.23.0 0.0.0.0 255.255.255.0 U 0 0 0 Port7
172.172.172.0 0.0.0.0 255.255.255.0 U 0 0 0 PortF3
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 Port1
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 Port1
192.168.6.0 0.0.0.0 255.255.255.0 U 0 0 0 Port3
192.168.9.0 0.0.0.0 255.255.255.0 U 0 0 0 PortF4
192.168.21.0 0.0.0.0 255.255.255.0 U 0 0 0 Port8
192.168.52.0 0.0.0.0 255.255.255.0 U 0 0 0 PortF4
192.168.80.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
192.168.81.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
192.168.82.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
192.168.83.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
192.168.201.0 0.0.0.0 255.255.255.128 U 0 0 0 tun0
192.168.201.128 0.0.0.0 255.255.255.128 U 0 0 0 tun1

XGS3100_RL01_SFOS 19.0.3 MR-3-Build517# ip route 10.139.1.0/24 dev Port6 proto kernel scope link src 10.139.1.3 31.130.182.48/29 dev Port4 proto kernel scope link src 31.130.182.50 85.185.237.248/29 dev Port5 proto kernel scope link src 85.185.237.250 172.30.23.0/24 dev Port7 proto kernel scope link src 172.30.23.2 172.172.172.0/24 dev PortF3 proto kernel scope link src 172.172.172.8 192.168.1.0/24 dev Port1 proto kernel scope link src 192.168.1.8 192.168.3.0/24 dev Port1 proto kernel scope link src 192.168.3.8 192.168.6.0/24 dev Port3 proto kernel scope link src 192.168.6.8 192.168.9.0/24 dev PortF4 proto kernel scope link src 192.168.9.5 192.168.21.0/24 dev Port8 proto kernel scope link src 192.168.21.8 192.168.52.0/24 dev PortF4 proto kernel scope link src 192.168.52.8 192.168.80.0/24 dev Port2 proto kernel scope link src 192.168.80.5 192.168.81.0/24 dev Port2 proto kernel scope link src 192.168.81.5 192.168.82.0/24 dev Port2 proto kernel scope link src 192.168.82.5 192.168.83.0/24 dev Port2 proto kernel scope link src 192.168.83.5 192.168.201.0/25 dev tun0 proto kernel scope link src 192.168.201.1 192.168.201.128/25 dev tun1 proto kernel scope link src 192.168.201.129 
 
 So how should I remove these stale records from DB table directly or by cli command?

Erick Jan · Accepted Answer

Hi Farshid, 
 Thank you for reaching out to Sophos Community. 
 Can you upgrade to V19.5 before going to V20.0 MR1 for testing purposes? I recommend creating a case with Sophos Support to have this checked further and for the workaround stated in 
 https://support.sophos.com/support/s/article/KB-000044696?language=en_US 
 Suggested Workaround 
 Remove the static routes in the backend config from the Zebra advanced shell CLI and add the same configuration on Sophos Firewall web admin under Routing > Static routes in your current version before upgrading to 19.5 and later releases. Contact the support team for assistance in finding those routes

Farshid · Answer

Thanks Erick, I upgraded to 19.5.3 and then to 20.0.1 and it worked!

Cannot upgrade to new SFOS version!

Top Replies