Upgrading from IOS-XE to SD-WAN Code
Recently I was building out a lab to iron out a migration onto the Cisco SD-WAN (Viptela) solution. As part of that process existing ISR 4k routers were going to be used at the edge devices. This process, while fairly straight forward, came with a few “gotchas” and “snags” that I had to work through. In this post I will cover the upgrade of the ISR onto SD-WAN code. In the next post I will cover the bootstrap process as well as a couple of caveats related to vManage and the ISR4k routers.
Naturally the first step involved is going to be to download the appropriate SD-WAN software image for your ISR router. Use your standard discretionary practice for which code to run however, with the ISR platform being a fairly recent addition (In terms of the Viptela product) I would suggest the Gold Star for your ISR model. You will see the download name consists of the 4k series followed by “ucmk9”. This is what indicates to you that it is the SD-WAN image and not the standard IOS-XE image. Here is a sample of the Gold Star file name as of the time of writing (isr4400-ucmk184.108.40.206.SPA.bin)
This brings me to my first “gotcha”/caveat that I want to mention. The software images are getting larger and depending on the version and hardware platform the image may be over 512MB. This is where I pulled my hair out for a bit. It was my own fault as I didn’t watch the boot process once I loaded the image on but I discovered that you need to be over a certain ROMMON version to expand and run a software image over 512MB. Reference BugID CSCur94666 In this case I needed to upgrade the ROMMON to a rev above 16.7(4r). This is documented in the Software Installation and Upgrade for Cisco IOS XE Routers located on the SD-WAN Docs page. To check your ROMMON version you can run the following command. Below outline the errors you will see if you are on an incompatible ROMMON versions as well as the command and output to verify your ROMMON version. I would like to also call out that this would occur upgrading IOS-XE code in the same way, however I am covering here as part of an SD-WAN conversation.
Boot image size = 634173974 (0x25ccba16) bytes Package header rev 1 structure detected Calculating SHA-1 hash...done validate_package: SHA-1 hash: calculated a8e62f09:6afaf802:b6f3471b:763d18bd:2bf8f147 expected a8e62f09:6afaf802:b6f3471b:763d18bd:2bf8f147 Signature verification failed for key# 2 Signature verification failed for key# 3 Failed to validate digital signature Signature verification failed for key# 2 Signature verification failed for key# 3 Failed to validate digital signature RSA Signed REVOCATION Image Signature Verification Failed. Package Load Test Latency : 14381 msec Unsigned package found, aborting ... boot: error executing "boot bootflash:isr4400-ucmk220.127.116.11a.SPA.bin" autoboot: boot failed, restarting...
Router#show rom-monitor R0 System Bootstrap, Version 15.4(3r)S, RELEASE SOFTWARE Copyright (c) 1994-2014 by cisco Systems, Inc.
Seeing as to I was on a version of ROMMON less than 16.7(4r). I needed to upgrade. This is as easy as downloading the appropriate ROMMON image, uploading it to the router, and issuing the following command.
upgrade rom-monitor filename bootflash:isr4400_rommon_169_1r_SPA.pkg R0
The router will upgrade the ROMMON (which takes around 5 minutes of watching the water boil) and then requests a reboot. Allow for the reboot and verify your version has successfully upgraded using the same show rom-monitor R0 command. Once this is confirmed we return to the normal IOS upgrade process.
Upload your desired SD-WAN image into bootflash. Again, remember the SD-WAN image name contains ucmk9 in it’s file name indicating it is for SD-WAN. Once your file is uploaded set your boot marker just like you did in the past by first removing all previous boot marker statements and adding the new SD-WAN image as the first (or only) option.
boot-start-marker boot system flash bootflash:isr4400-ucmk18.104.22.168.SPA.bin boot-end-marker
When all of the above steps have been successful the ISR should boot onto the SD-WAN image. This will be most notable when you first log into the router and realize conf t doesn’t work anymore. It is now config-transaction.
Look for the next post relating to ISR and SD-WAN bootstrap and vManage caveats and need to knows.