SRX

This is a minimum effort upgrade procedure for an SRX Branch cluster.

It as assumed that the cluster is being managed through a reth interface, thus there is no direct access to node1 via fxp0, and that the cluster is running at least JunOS 10.1r1, thus the ability to login to the backup node from the master node exists.

For a minimum downtime upgrade procedure instead of a minimum effort one, see Juniper KB17947, or use the cable pulling method described in these forums by contributor rahula.

1) Check that the SRX has sufficient space on the flash drive:
    >show system storage | match cf
   If space is too low to transfer the upgrade file, purge some log files:
   >request system storage cleanup
   If space is still too low, follow the instructions in Juniper KB16652
   
2) Transfer upgrade file to SRX using SCP or FTP
   a) Use scp or WinSCP to copy the file to /var/tmp on the SRX cluster
  or
   b)Login to SRX, type 'start shell' (need to be root) if in operational mode
  (denoted by > at cmd prompt)
   Grab software from an FTP server
   user@srx%  ftp <ip address of local ftp server>  (and login)
     ftp>  lcd /var/tmp
     ftp>  bin
     ftp>  get junos-srxsme-10.2R3.10-domestic.tgz
     ftp>  bye
   user@srx% cli

3)  Install software
  >request system software add no-copy /var/tmp/junos-srxsme-10.2R3.10-domestic.tgz

4)  Add a system reboot request for midnight
  >request system reboot at 23:59

5)  Copy file to Node 1
  >file copy /var/tmp/junos-srxsme-10.2R3.10-domestic.tgz node1:/var/tmp/
  or
  % rcp -T /cf/var/tmp/junos-srxsme-10.2R3.10-domestic.tgz node1:/cf/var/tmp

  ***Copying the file takes a bit, ~30 min on SRX240

6)  Log in to the secondary node. Assuming node0 is master and node1 is backup:
  >request routing-engine login node 1

7)  Repeat steps 3) and 4)
 
This will load the upgraded software on both members, and then reboot them at the same time.
The simultaneous reboot is needed to keep the cluster happy.
 
If step 3) fails because of bogus validation errors, try this instead:
  >request system software add no-copy no-validate /var/tmp/junos-srxsme-10.2R3.10-domestic.tgz

One addendum to this:

 

The cluster does not synchronize time between the two members. Which kind of defeats the purpose of scheduling a simultaneous reboot. Therefore:

 

😎 Verify time on both members of the cluster (show uptime), and adjust time on the backup member if it is more than a few seconds off

 

Hi guys,

I'm doing an upgrade remotely right now. I've done it many times sucessfully but this time the copy of the junos from node 0 to node 1 is failing as follows:

 

root@firewall01> file copy /var/tmp/junos-srxsme-10.4R9.2-domestic.tgz node1:/var/tmp/junos-srxsme-10.4R9.2-domestic.tgz
ssh: connect to host node1 port 22: Operation timed out
lost connection
error: put-file failed
error: could not send local copy of file

 

The cluster looks fine:

 

root@oot@firewall01> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   110         primary        no       no  
    node1                   100         secondary      no       no  

Redundancy group: 1 , Failover count: 5
    node0                   110         primary        yes      no  
    node1                   100         secondary      yes      no  

Redundancy group: 2 , Failover count: 5
    node0                   100         primary        no       no  
    node1                   110         secondary      no       no  

Redundancy group: 3 , Failover count: 5
    node0                   110         primary        no       no  
    node1                   100         secondary      no       no  

Redundancy group: 4 , Failover count: 5
    node0                   100         primary        no       no  
    node1                   110         secondary      no       no  

**************************************************************************************

 

root@firewall01> show chassis cluster interfaces
Control link 0 name: fxp1

Redundant-ethernet Information:     
    Name         Status      Redundancy-group
    reth0        Down        Not configured   
    reth1        Up          1                
    reth2        Up          2                
    reth3        Down        Not configured   
    reth4        Up          4                
    reth5        Down        Not configured   
    reth6        Down        Not configured   
    reth7        Down        Not configured   

Interface Monitoring:
    Interface         Weight    Status    Redundancy-group
    ge-5/0/4          255       Up        1   
    ge-0/0/4          255       Up        1   

 

 

Any ideas what might be wrong?

 

Many thanks 🙂

@paulkil: Did you verify you had enough disk space free on both nodes ahead of time (please be aware that the automated clean-up command "request system storage cleanup" might delete the copy of JunOS install package you are trying to copy, so watch for it in the list if you run that command on the node you already copied it to - I found that out the hard way!) I have had good luck using this syntax to copy the install package file: rcp -T /cf/var/tmp/junos-srxsme-10.4R3.4-domestic.tgz node1:/cf/var/tmp

Hi john,

thanks for the reply. Yeah I issued that command prior to copying the junos file to node 0.

 

Should I have also issued the command on node 1?

 

Thanks,

 

PK

Hi again john....it worked using the rcp command 🙂

 

Thanks and kudos to you,

 

Paul

In regards to timesync, perhaps using the fxp0 interface for sync could be useful.

I have not tried it out myself.

 

Here is SCU (not ISSU) for branch procedure which I thought might be worth sharing on back of this thread.

 

Regarding SCU:

 

"This feature introduces a single command-line interface (CLI) command (or management interface) to upgrade/downgrade both cluster nodes with minimal traffic disruption (around 30 seconds)"

 

http://www.juniper.net/us/en/local/pdf/app-notes/3500211-en.pdf

 

ISSU procedure covers hitless upgrades for high-end only SRX platforms.

 

hth,