F5

v9.X To 10.2.4 Upgrade Guide: F5 LTM Load Balancing Methods

Chris Spillane urges the upgrade of your version 9.x of F5 and provides a concise guide for the upgrade to version 10.2.4. Chris is a Senior Security Analyst at NTT Com Security and has been working with F5 Load Balancers for more than seven years.

Last updated: September 15, 2025

An avatar of the author
Matt Faraclas
Table listing F5 hardware models with corresponding blade or slot codes for v9.x to 10.2.4 upgrade planning

Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.

The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog

Key Takeaways
  • F5 BIG-IP version 9.x is obsolete, unsupported, and lacks access to iHealth, so systems should be upgraded to at least 10.x, with 10.2.4 recommended for the 10.x branch in this guide.
  • Before upgrading to 10.2.4, administrators must verify hardware support, reactivate the unit license, and take comprehensive off-box backups (UCS, SCF, key config files, and ASM policies where applicable).
  • The upgrade to 10.2.4 supports direct migration only from 9.3.x or 9.4.x; earlier 9.x versions require an intermediate upgrade to one of these releases first.
  • Installation uses the image2disk utility with different formatting options (volumes vs partitions) depending on whether only 10.x or both 9.x and 10.x need to coexist, with special care around the –nomoveconfig flag and ASM deployments.
  • Post-installation steps include booting from the new partition, applying hotfixes, restoring configuration via UCS or individual config files, and validating traffic handling and HA failover behavior.
  • From 10.0.0 onward, HA configurations require explicit failover peer management addresses; rolling forward a 9.x configuration without these will generate periodic log reminders until the addresses are configured.

F5 LTM Load Balancing Methods: Guide on How to Upgrade to 10.2.4

Unfortunately there are still a lot of F5 ® version 9.x installations out there, and there shouldn’t be. Not only is version 9 a long way out of support, it’s really not secure in this day and age. You’re also missing out on using iHealth® which can only be used from version 10.x onwards.

Please note that you may need AskF5™ login credentials to access some of the links within this article. If you do not have an AskF5 login you can request one here.

This guide assumes an upgrade to version 10.2.4 unless otherwise stated, although the same process applies to earlier 10.x versions. Note that 10.0.x releases are no longer supported. 10.2.4 is the recommended version for this branch and is supported to 31st December 2016 (see AskF5 SOL5903).

Prerequisites:
Before considering upgrading, ensure your hardware platform will support 10.2.4 code. The following platforms support it, as confirmed by AskF5 SOL9412:

You can only upgrade directly to 10.2.4 code from 9.3.x or 9.4.x releases.  If you are running an earlier 9.x release, you must upgrade to 9.3.x or 9.4.x before continuing.

Before you begin

Assuming you meet the prerequisite requirements, consider the following:

  • YOU MUST re-activate the unit license before upgrading.  See AskF5 SOL7727 for reasoning.
  • Backup EVERYTHING: /config/bigip.conf, bigip_base.conf, bigip.license, bigip_sys.conf (if it exists), wideip.conf (if it exists), take an SCF* (recommended, but only backs up LTM configuration), take a UCS (note that UCS also saves admin/root passwords and the license, so take this after license reactivation). Save these off box.  Also save the UCS file to /shared/ (you might need to create this directory) and to /var/local/ucs.  An extra 10 minutes spent here can save agony later on! If you are running ASM, also take a backup of the policy.

*to take an SCF, use the command:

# bigpipe export <filename.scf>

for example:

# bigpipe export mybackup.scf
  • You should still read the release notes for the version you are installing.
  • If you have a HA pair, you will, of course, be working on your standby unit.
  • It is recommended to disconnect any unnecessary cables from a unit whilst upgrading (only leave connected the cables you need, such as the management cable). This will prevent any issues with the unit attempting to process traffic whilst upgrading.

Let’s upgrade

1)    Download the 10.2.4 ISO and copy* to /shared/images (create this folder if it does not already exist).
*SCP is the recommended method to copy files to/from the BigIP system. For a Windows client, check out WinSCP 

2)    Install the image2disk utility:

# im /shared/images/<filename.iso>

for example:

# im /shared/images/BIGIP-10.2.4.577.0.iso

3)    Begin the install. The full command syntax is

# image2disk --instslot=HD<slot_number> --format=<format_style> <downloaded_filename.iso>

BUT WAIT! Observe the following options first:

  • Assuming you only want version 10.x and above from now on (highly recommended!), we need to format for volumes, so use:
# image2disk --instslot=<slot_number> --format=volumes /shared/images/>filename.iso>
  • Assuming we wish to run version 10 and version 9 (not recommended, version 9.x is not supported), use:
# image2disk --instslot=<slot_number> --format=partitions /shared/images/>filename.iso>

Note that since we repartition, we will need to reinstall version 9 to a free partition after the version 10 installation completes.

  • To preserve your existing configuration, use
# image2disk --instslot=<slot_number> --nomoveconfig--format=volumes /shared/images/<filename.iso>

DO NOT use the ‘–nomoveconfig’ flag if you are running ASM. Use a backup UCS instead. Using ‘–nomoveconfig’ means: “The configuration of the target boot location (if any is present) is re-installed on the target boot location after re-imaging is complete.”

The ‘slot_number’ variable will be HD1.1 or HD1.2 for example (the inactive partition, NOT the one you are currently running in*)
* If you are not sure which partition you are currently running on, use 

# switchboot -l
  • If installing 10.2.x the flag “–instslot=<slot_number>” is NOT permitted so should be absent from the command to install software.  Reasoning: 10.2.x will always install to HD1.1 after the disk is formatted.

4)    The unit should reboot and install the new software.

5)    Once finished, you may need to do

# switchboot

and select the newly upgraded partition, then

# full_box_reboot

This depends on the specific upgrade version so may not be applicable. Install hotfixes at this point if necessary. It’s always recommended to be running the latest available hotfix.

6)    Wait for the filesystem to build and the installation to finish. This first boot after upgrade can take a while!

7)    Once the unit is up and running, load on any necessary config files.  These can either be a UCS (User Configuration Set, aka ‘Archive’) uploaded via System > Archives, or can be individual bigip.conf, bigip_base.conf, bigip.license (etc) files, which should be uploaded to the /config directory using SCP.  If you upload the individual configuration files, you’ll need to reboot again.  Check the configuration is present and correct via the GUI.  Cable the unit back up and you should be good to go.  If you are running a HA pair, you should failover during a change window and check the newly upgraded unit processes traffic correctly.  Assuming it does, repeat the upgrade process on your second unit.

8)    Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up correctly, but the system logs a message every ten minutes reminding you to configure the peer management addresses. To configure the failover peer management addresses, navigate to System > High Availability > Network Failover, then specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the configuration. Once you specify both IP addresses, the system should operate as expected. For more information, see AskF5 SOL9947.

You’re all done!

Chris Spillane is a Senior Security Analyst at NTT Com Security. He has been working with F5 Load Balancers for more than seven years. If you want to contribute as well, click here.

Find more tip on how to manage your F5 load balancers with indeni.

Published in:

F5

Published on: July 21, 2015

An avatar of the author

Related content

Three armored figures walking toward a futuristic Las Vegas skyline with pyramids, glowing orb, and "Welcome to Fabulous Las
Blog

Your journey to intelligent NetOps begins at Cisco Live

Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.

Read more
Stacked colorful wooden directional arrows on a post by a calm seaside with distant hills and blue sky
Blog

Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)

Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.

Read more
Row of orange industrial robotic arms positioned along an automated conveyor belt in a factory setting
Blog

Automate it all in Integrity with REST v2 API-first DDI management

Discover API-first DDI with Integrity X by using REST v2 to automate DNS, DHCP, and IPAM for scalable, secure network operations.

Read more
Three colleagues at monitors collaborating, overlaid with network, analytics, cloud, and gear icons.
Blog

Agentic AI adoption in network observability propels NetOps teams

Network observability is crucial for today’s networks and even more capable with agentic AI, according to new Omdia and BlueCat research.

Read more

⏳ Cisco Live is almost here. Put BlueCat on your agenda for smarter, more secure networks.

Get the details