IOS XR Upgrade Changes: Certificate Expiration (Abraxas), Corrupt Pie File (SWIMS), and RPM Signage (eXR 64-bit)

Available Languages

Download Options

  • PDF     (44.5 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (82.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (79.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 3, 2018
Document ID:213745

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    When going to upgrade IOS XR, either 32-bit or 64-bit there have been some changes to how our certificates and signage for pacakages are done which will gate an upgrade.

    Upgrade Documentation

    Documentation, PDFs, for upgrading to a certain release used to be contained here:

    http://www.cisco.com/web/Cisco_IOS_XR_Software/index.html

    However, due to the deprecation of this webpage we now store IOS XR upgrade documentation in a few different formats under the software download page for a particular release for a particular product..

    • For products that only support 32-bit or 64-bit as docs.tar.
    • For ASR9K as px-docs.tar for 32-bit and x64-docs.tar for 64-bit.

    32-bit IOS XR Certificate Expiry (Abraxas)

    Affected Releases

    • Pre-5.3.1 does not contain the new Abraxas code or certificate and XR code needed to install SMUs after Oct 17 2015
    • 5.3.0 contains the workaround but not the integration of the CSS server

    Error Message

    When trying to install or add a SMU/PIE post October 17 2015, you will run into the below error due to the expiration of the CSS certificate on Oct 17, 2015.

    Error: Cannot proceed with the add operation because the code signing
    Error: certificate has expired.
    Error: Suggested steps to resolve this:
    Error: - check the system clock using 'show clock' (correct with 'clock set' if necessary).
    Error: - check the pie file was built within the last 5 years using '(admin) show install pie-info

    Workaround

    There are SMUs and new certificates in some releases which will allow installing of packages post Oct 17 2015.

    For older releases you will need to turboboot the router.

    Field Notice

    Upgrade MOP

    32-bit IOS XR Corrupt Pie File (SWIMS)

    Affected Releases

    • Pre-5.3.2 does not contain the SWIMS signing and only supports Abraxas or the legacy Code Signing Server (CSS) software which is now completly deprecated
    • 5.3.2 to 6.3.1 support both Abraxas and SWIMS
    • 6.3.2 and above supports only SWIMS signing
    • Some latest SMU created after Abraxas server decommission (after 5.3.4 SP9) are also signed with SWIMS only

    Since 5.3.1 and prior releases supports only Abraxas (after Oct 17 2015) and 6.3.2 and above supports only SWIMS signing, routers cannot be upgraded from one to the other. If you are running 5.3.1 or prior then you must upgrade to 5.3.2-6.3.1 first and then to 6.3.2 or higher.

    Examples

    Question: I am running 5.3.1 and wish to upgrade to 6.4.2. Will this work?

    Answer: No, you must first upgrade to an intermediary release that supports SWIMS.

    Question: I am running 5.3.4 and wish to upgrade to 6.4.2. Will this work?

    Answer: Yes, as 5.3.4 supports both Abraxas and SWIMS.

    Question: I am running 5.3.1 and wish to upgrade to 5.3.4 plus latest SMU. Will this work?

    Answer: Upgrade to 5.3.4 first and then installing SMU on top will work. However activating both 5.3.4 + latest SMU at once will fail as 5.3.1 won't understand SMU signage.

    Error Message

        Error:    Cannot proceed with the add operation because the pie file
        Error:    '/tmp/install/tar/instdir/8918452_223000000/asr9k-video-px.pie-6.
        Error:    3.3' is corrupt.

    Workaround

    • Upgrade to 5.3.x first and then to a version of code which needs SWIMS
    • Turboboot

    64-bit IOS XR RPM Signage

    Affected Releases

    Pre-6.3.2 does not use signed RPMs and will therefore be affected

    Error Message

    2017-07-25 10:33:16:: Traceback (most recent call last):
     File "/pkg/bin/install", line 2202, in <module>
     main(options,args)
     File "/pkg/bin/install", line 1440, in main
     upgrade_packages(options, pkglist)
     File "/pkg/bin/install", line 1758, in upgrade_packages
     upgrade(options,pkgs,cur_version)
     File "/pkg/bin/install", line 1919, in upgrade
     more_package = pkgstate.checkcompat()
     File "/opt/cisco/XR/packages/ncs5500-infra-5.0.0.0-r622/rp/bin/package.py", line 1218, in checkcompat
     version,pkg_name,release = result.split()
    ValueError: too many values to unpack

    2017-07-25 10:33:16::
     Error: An exception is hit while executing the install operation.
     If you hit same error on retries, please collect "show tech install"
     and contact cisco-support.

    Workaround

    Install XR and sysadmin bridge SMU, both can be installed at the same time

    TAC Authored

    Contributed by Cisco Engineers

    • Syed Zaidi
      Cisco Escalation Engineer
    • Sam Milstead
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products