Flashes (Alerts)
Abstract
QRadar® SIEM development has identified a known issue when patching a QRadar deployment with High Availability on physical hardware appliances (types listed below) that can cause the secondary high availability host to fail to patch. An unscheduled reboot of the secondary appliance occurs, which in turn causes the upgrade to fail.
The impacted hardware appliance types are: 1400, 1628, 1629, 1648, 1728, 1729, 1748, 1828, 1829, 1848, 3128, 3129 and 3148.
Content
Technical note updates
- 12 March 2025 12:00 PM EDT: Technote created for SIM Generic log events issue.
- 17 March 2025 10:00 AM EDT: Updated resolution of new SFS bundle on Fix Central.
- 17 March 2025 10:08 AM EDT: Updated workaround to list the updated SFS package posted to Fix Central to resolve this issue.
Urgency
Important: QRadar® SIEM development has identified a known issue where patching a QRadar deployment with High Availability on the physical hardware appliance types listed below can cause the secondary high availability host to fail to upgrade, due to an install script that is executed during the 7.5.0 Update Pack 11 upgrade.
Resolution
On March 17th, 2025, new 7.5.0 Update Pack 11 SFS bundles with the corrected changes were made available on IBM Fix Central. The updated sha256sum for the QRadar SFS file is:
d0b01ad23b9a281883589cc90e0d88f83730e2892a5b8869266bf54137443656
The updated sha256sum for the QRadar Incident Forensics SFS file is:
4a0264f9a56ad262e40a148275d30c2c9f9befc775ac98961e44b63dd7c77b68
Please verify that you are using the correct SFS files before you start your upgrade.
QRadar Incident Forensics https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Security+QRadar+Incident+Forensics&fixids=7.5.0-QRADAR-QIFSFS-20250122185136&source=SAR&function=fixId&parent=IBM%20Security
Affected products
Hardware appliance types impacted are as follows:
appliance_types=("1400" "1628" "1629" "1648" "1728" "1729" "1748" "1828" "1829" "1848" "3128" "3129" "3148")
Am I affected?
Procedure
- Use SSH to log in to the QRadar Primary Active Console host in your deployment as the root user.
- Type the following command:
/opt/qradar/support/all_servers.sh -C "cat /etc/.appliance_name"
The output should resemble the following example:
xx.xx.xx.xx -> qradar_console.com
Appliance Type: 3148 Product Version: <Build number>
------------------------------------------------------------------------
3148
xx.xx.xx.xx -> qradar_ep.com
Appliance Type: 1629 Product Version: <Build number>
------------------------------------------------------------------------
1629
xx.xx.xx.xx -> qradar_dn.com
Appliance Type: 1400 Product Version: <Build number>
------------------------------------------------------------------------
1400
- Review the output to determine if you are impacted:
- If your output contains one of the impacted appliance types in High Availability, you should not continue the upgrade to 7.5.0 Update Pack 11.
- If you started the upgrade to 7.5.0 Update Pack 11 and it failed, you can open a support case for further assistance.
Please reference in your case the known issue - DT425543
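As an added example (not IBM-supplied code), the following shell functions automate the review step above: they read the `all_servers.sh` output on standard input and print each host whose appliance type is on the impacted list. The function names and the sample hostnames and addresses are assumptions; the script does not determine whether a host is part of a High Availability pair, so confirm that separately.

```bash
#!/usr/bin/env bash
# Added example, not part of the technote. After sourcing this file, run:
#   /opt/qradar/support/all_servers.sh -C "cat /etc/.appliance_name" | impacted_hosts

# Impacted appliance types, same values as the technote's list
# (kept as a space-separated string so the functions also run under POSIX sh).
appliance_types="1400 1628 1629 1648 1728 1729 1748 1828 1829 1848 3128 3129 3148"

# is_impacted TYPE: returns 0 if TYPE is on the impacted list, 1 otherwise.
is_impacted() {
    case " $appliance_types " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# impacted_hosts: parses all_servers.sh output from stdin.
# Prints "hostname<TAB>type" for every impacted host.
# Returns 1 if at least one impacted host was found, 0 if none.
impacted_hosts() {
    local line host="" type found=0
    while IFS= read -r line; do
        case "$line" in
            *" -> "*)
                host="${line##* -> }"          # text after "IP -> "
                ;;
            "Appliance Type: "*)
                type="${line#Appliance Type: }"
                type="${type%% *}"              # keep only the type number
                if is_impacted "$type"; then
                    printf '%s\t%s\n' "${host:-unknown}" "$type"
                    found=1
                fi
                ;;
        esac
    done
    return "$found"
}

# Constructed sample in the output format shown above (hosts and types invented).
sample_output() {
    cat <<'EOF'
10.0.0.1 -> console.example.test
Appliance Type: 3148 Product Version: <Build number>
------------------------------------------------------------------------
3148
10.0.0.2 -> ep.example.test
Appliance Type: 1699 Product Version: <Build number>
------------------------------------------------------------------------
1699
EOF
}
```

A non-zero return from `impacted_hosts` means at least one listed host needs its High Availability status checked before the upgrade to 7.5.0 Update Pack 11 proceeds.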
- QRadar Support
Document Information
Modified date:
17 March 2025
UID
ibm17185609