Juniper SRX Upgrade - Options

The document discusses different upgrade methods for SRX devices including ISSU, ICU, simultaneous node upgrade and node isolation. It provides detailed steps and prerequisites for each method.

The different upgrade methods discussed are ISSU, ICU, simultaneous node upgrade and node isolation. ISSU is supported for most devices starting from JunOS version 12.1X46. ICU and simultaneous node upgrade are also options depending on the device model.

The steps to perform ISSU upgrade are: 1) Load the JunOS software, 2) Verify cluster health, 3) Create backup, 4) Start the upgrade, 5) Use hidden commands, 6) Backup current installation

I. In-Service Software Upgrade (ISSU)


ISSU is not supported for Branch SRX Series according to Juniper KB20959 at the
following link http://kb.juniper.net/InfoCenter/index?page=content&id=KB20959&smlogin=true&actp=search.
FWLFGW (VPN concentrator) is a Branch Series model (srx240h) and hence the
upgrade is not possible through ISSU. It is however possible through ICU.
According to information presented in Juniper KB17946 at the following link
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17946&actp=search
and considering the JunOS version on all 3 SRX clusters (FWLFGW, FWLFTE &
FWLBKE) there are no limitations for the upgrade through ISSU/ICU method
beginning with version 12.1.X46 and newer.
JunOS version on all 3 ASP SRX clusters is 12.1X46-D35.1:
Overview:
ISSU White Paper available at
https://www.juniper.net/kr/kr/local/pdf/whitepapers/2000280-en.pdf presents
detailed insight into JunOS design and processes used by ISSU.

Caveats and recommended Knowledge Base articles to read before proceeding:


- Process to follow, in the event of the ISSU process stalling in the middle of the
upgrade - KB19500
- KB17627 - [SRX] ISSU (In-Service Software Upgrade) issue
- KB15389 - What Logs to collect when a Problem occurs while performing ISSU
(In Service Software Upgrade)
- If you run into issues, collect the logs on your device as specified in KB21781
- [SRX] Data Collection Reference Checklist - Logs/data to collect for
troubleshooting and open a case with your technical support representative.

Procedure steps:
1. Load the JunOS Software package on the device - KB20955
2. Verify the Health of the Cluster (This is an important step and the cluster
needs to be certified healthy before proceeding with In-Service Software
Upgrade) - KB20956
3. Create backup of the current configuration and set the rescue config -
KB20957
4. Start the In-Service Software Upgrade - KB20958
5. KB15376 - ISSU Hidden commands that can be used during ISSU testing
Step 1. Load the JunOS Software package on the device - KB20955

- Download JunOS software image to which we will perform the upgrade


JTAC recommends using version 12.1.X46-D40.2 for all three firewalls:
http://www.juniper.net/support/downloads/?p=srx240#sw

http://www.juniper.net/support/downloads/?p=srx1400#sw

http://www.juniper.net/support/downloads/?p=srx3400#sw
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&actp=search
- Check for available space on devices in order to be able to load the new
image
In cases where not enough space is available refer to the following:
o Step 6 of the Software Installation Preparation section of KB16652 -
SRX Getting Started - JunOS Software Installation has tips on checking
the flash size and purging unused files
o KB17365 - Freeing Up Space in Dual Root Partitions on SRX Branch
Devices
o If you cannot free up enough space, then refer to KB19466 - Common
and safest files to remove in order to increase the system storage OR
use CLI Installation Method 2 or 3 below (basically using the no-copy
option when image is stored remotely on FTP/USB)
For Branch devices (FWLFGW here) look for /cf/var partition usage.
For High-End devices (FWLFTE & FWLBKE here) look for /var/ partition
usage.
Additionally look for the location of JunOS images loaded on device used in
previous upgrades (if not cleaned-up) by using file list detail <path> | match
junos-srx.*domestic.tgz$ where path is usually /cf/var/tmp for Branch and
/var/tmp for High-End devices

o FWLFGW (srx240h)

o FWLFTE (srx1400)

o FWLBKE (srx3400)
- Once enough free space is available, load the image on devices (copy image
with WinSCP from rebound CEP to node0 of each cluster then copy it from
node0 to node1 with command file copy /<local-path>/<imagexyz.tgz>
node1:/<remote-path>) and perform an MD5 checksum (KB19931
Using the MD5 checksum to Verify the Integrity of the JUNOS OS been pushed
into the Juniper Device) to ensure the transferred image is not truncated or
corrupted
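
The checksum comparison described above, as an added Python example that is not part of the original document or of the Juniper KB: it reads the logged output of file checksum md5 from each node and compares it with the MD5 published on the download page. It assumes the CLI prints "MD5 (<path>) = <digest>"; the function names, image name and digests are hypothetical and constructed for illustration.

```python
import re

# Junos "file checksum md5 <path>" prints one line per file:
#   MD5 (<path>) = <32 hex digits>
MD5_LINE = re.compile(
    r"^MD5 \((?P<path>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})\s*$", re.M)


def parse_md5(cli_output):
    """Map image file name -> lowercase digest for each MD5 line in a session log."""
    return {m["path"].rsplit("/", 1)[-1]: m["digest"].lower()
            for m in MD5_LINE.finditer(cli_output)}


def verify_image(image, published_md5, output_by_node):
    """Return a list of problems; an empty list means every node matches."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", published_md5):
        raise ValueError("published MD5 must be 32 hex digits")
    problems = []
    for node, output in sorted(output_by_node.items()):
        digest = parse_md5(output).get(image)
        if digest is None:
            # Covers a failed copy as well as a checksum that was never run.
            problems.append(f"{node}: no checksum logged for {image}")
        elif digest != published_md5.lower():
            problems.append(f"{node}: digest {digest} differs from published value")
    return problems


# Constructed sample data: hypothetical image name and digests, not real values.
IMAGE = "junos-srx-EXAMPLE-domestic.tgz"
PUBLISHED = "0123456789abcdef0123456789abcdef"
SESSIONS = {
    "node0": f"user@fw> file checksum md5 /var/tmp/{IMAGE}\n"
             f"MD5 (/var/tmp/{IMAGE}) = 0123456789ABCDEF0123456789ABCDEF\n",
    # node1 holds a copy whose digest differs, e.g. a truncated transfer.
    "node1": f"user@fw> file checksum md5 /var/tmp/{IMAGE}\n"
             f"MD5 (/var/tmp/{IMAGE}) = fedcba9876543210fedcba9876543210\n",
}

if __name__ == "__main__":
    for line in verify_image(IMAGE, PUBLISHED, SESSIONS) or ["all nodes match"]:
        print(line)
```

An MD5 match shows the image was not truncated or corrupted in transit, which is the purpose stated above; it is not evidence against deliberate modification of the file.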

Example for FWLFTE:


Step 2. Verify the Health of the Cluster (This is an important step and the cluster
needs to be certified healthy before proceeding with In-Service Software Upgrade) -
KB20956

- Confirm the Chassis Cluster is in the Primary/Secondary state with a proper
priority. Follow the steps here: KB20673 - How to verify that Chassis Cluster
in Primary/Secondary State has proper priority
Basically the state should look like this (node0 is primary for all RG and node1
secondary; priorities for RGs should be between 1 and 254):
- As a complementary verification step we should check that all VLANs configured
on interconnects between FW nodes and SW are the same on both sites
(primary-Clichy and backup-Collegien) as well as being properly propagated on
the aggregate between the two sites (ae7 in this case)

o FWLFGW
o FWLFTE
o FWLBKE

- Additionally perform some checks with regard to normal operational behavior
of the cluster prior to upgrade like:
o Check numbers of VPNs that are UP
o Check interface traffic counters
o Check number of overall active sessions; check number of NAT
sessions
o Check Nagios and Cacti status of the firewalls and any other devices
hosted behind them
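
The Primary/Secondary and priority check from the first bullet of this step, as an added Python example that is not part of the original document or of the Juniper KB: it parses logged show chassis cluster status output and lists every redundancy group that deviates from the expected state (node0 primary, node1 secondary, priorities between 1 and 254). The column layout of the output is an assumption, the function names are hypothetical, and the sample output is constructed.

```python
import re

RG_HEADER = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_ROW = re.compile(r"^\s*(node[01])\s+(\d+)\s+(\S+)")
EXPECTED_ROLE = {"node0": "primary", "node1": "secondary"}

def parse_cluster_status(text):
    """Return {rg: {node: (priority, status)}} from 'show chassis cluster status'."""
    groups, current = {}, None
    for line in text.splitlines():
        if m := RG_HEADER.match(line):
            current = groups.setdefault(int(m.group(1)), {})
        elif current is not None and (m := NODE_ROW.match(line)):
            current[m.group(1)] = (int(m.group(2)), m.group(3))
    return groups

def health_problems(text):
    """List every deviation from the pre-upgrade state the procedure requires."""
    groups = parse_cluster_status(text)
    if not groups:
        return ["no redundancy groups found in output"]
    problems = []
    for rg, nodes in sorted(groups.items()):
        for node, role in EXPECTED_ROLE.items():
            if node not in nodes:
                problems.append(f"RG{rg}: {node} missing")
                continue
            priority, status = nodes[node]
            if status != role:
                problems.append(f"RG{rg}: {node} is {status}, expected {role}")
            if not 1 <= priority <= 254:
                problems.append(f"RG{rg}: {node} priority {priority} outside 1-254")
    return problems

# Constructed sample output (not captured from FWLFGW, FWLFTE or FWLBKE).
SAMPLE = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 3
    node0                   100         primary        no       no
    node1                   0           secondary      no       no
"""

if __name__ == "__main__":
    print(health_problems(SAMPLE))
```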
Step 3. Create backup of the current configuration and set the rescue config -
KB20957

- There are several ways of making sure to have a backup of the active
configuration
o Make sure to log your ssh terminal session and then issue these
commands:
show configuration | display set | no-more
show configuration | no-more
o Create a rescue configuration

For Branch SRX Series it's possible to load the Rescue config using the reset
button as well: http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/task/operational/reset-config-button-srx240-using.html
o Retrieve available configurations from the local default location

Step 4. Verify accounts of last resort are functional


- JunOS Authentication Order for RADIUS, TACACS+, and Password
Authentication
Example for FWLFTE
Step 5. Start the In-Service Software Upgrade - KB20958
Step 6. KB15376 - ISSU Hidden commands that can be used during ISSU testing
Step 7. Backup JunOS Installation
- Boot Media and Boot Partition on the SRX Series Devices
- [SRX/J-series] In what order are the storage media booted during the boot
sequence of SRX and J-Series devices?
- Understanding How the Primary JunOS Image with Dual-Root Partitioning
Recovers on Branch SRX Series Devices

- Backing Up the Current Installation on SRX Series Devices

Step 8. Returning to previous image and configuration
Step 9. Resetting to Factory default and load configuration from Console

II. In-band cluster upgrade (ICU)


According to Juniper's TechLibrary for SRX devices with JunOS version
12.1X46 available at the following link
http://www.juniper.net/documentation/en_US/junos12.1x46/topics/task/operational/chassis-cluster-upgrading-both-device-with-icu.html
upgrade through ICU is possible for FWLFGW (srx240h):

The procedure starts from node0 and consists of only one command (assuming
prerequisites are met) as stated at the following Juniper TechLibrary link
http://www.juniper.net/documentation/en_US/junos12.1x46/topics/task/operational/chassis-cluster-upgrading-from-local-build-with-icu.html :

III. Simultaneous node upgrade


This method basically consists of uploading the JunOS image locally to both
nodes and rebooting them both at once.

IV. Node isolation (non-ISSU/ICU)


For situations where upgrade through ISSU/ICU is not supported or not
recommended/desirable Juniper KB17947 available at the following link
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17947&actp=search
provides a solution with minimal downtime which basically consists of controlled
individual chassis cluster members upgrade through node isolation.
It is worth mentioning that this solution is supported for both Branch and
High-End Series SRX devices so this would apply to all 3 ASP SRX clusters:
FWLFGW, FWLFTE & FWLBKE.
Upgrade procedure at a glance:

An example of the more detailed procedure is available at the following link
http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/BK17947/LICU_v0.7.pdf .
