This section describes how to upgrade a SD-WAN Gateway installation.

Important: This procedure will not work for upgrading a Gateway image version from 3.x to 4.x due to a significant platform changes. Upgrading from a 3.x to 4.x image will require a new Gateway deployment and reactivation. Please refer to Partner Gateway Upgrade and Migration 3.4 to 4.0 for upgrade information.

Note: Currently, VMware does not support downgrading for the VMware SASE Orchestrator and VMware SD-WAN Gateway. So before upgrading the SASE Orchestrator or SD-WAN Gateway, VMware recommends you to back up the system prior to upgrade for easy recovery in the event the upgrade is not successfully completed.

Authenticate Software Update Package Via Digital Signature

The software installer in the SASE Orchestrator version 4.3.0 and higher now has the ability to authenticate the software update package using a digital signature.

Prior to upgrading to a newer version of the software, make sure the public key exists to verify the package. The known public key location to verify signature is as follows, /var/lib/velocloud/software_update/keys/software.key. Alternatively, the key can be provided on the command line using --pubkey parameter.

The current release public key is:

-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEqCuQHDuoVkYG6j6++wBMAnowJr5uUQXE
b/iKcTbCZky4lBlUWkjR/zucLgNdyOuotQAOHwT689WHPOnhuQo13+IQIeCBXRdG
EX50zfkkqXQhFYNORPqCke+cqF0Wd4xD
-----END PUBLIC KEY-----

If the key is missing or the signature cannot be verified, the Operator will be notified that the package is untrusted with an option to proceed or not proceed.

To skip verification, use "--untrusted" parameter.

If running in batch mode or not on the terminal, the installation is aborted unless the "--untrusted" option is specified on the command line.

By default, the installer will run in interactive mode and may issue prompts. For automated scripts, use --batch parameter to suppress prompts.

Upgrade Procedures

To upgrade a SD-WAN Gateway installation:

  1. Download the SD-WAN Gateway update package.
  2. Upload the image to the SD-WAN Gateway system (using, for example, the scp command). Copy the image to the following location on the system:

    /var/lib/velocloud/software_update/vcg_update.tar

  3. Connect to the SD-WAN Gateway console and run:
    sudo /opt/vc/bin/vcg_software_update