SRX Services Gateway
Visitor andys (Posts: 3, Registered: 01-15-2011)

Upgrading branch SRX cluster

We're planning to refresh some firewall hardware soon and so far I've got my shortlist down to:

SRX 210H / 220
ASA 5510
Fortigate

We'll be putting in an Active/Standby pair to replace an existing A/S pair of PIX515Es. The PIXs have been very reliable in the time we've had them but the budget for the upgrades is quite limited so I'm looking at alternatives to the ASAs.

Reading through here, it seems that running the SRXs as a cluster might cause a few issues? Is it possible to do a zero-downtime JUNOS update of an HA pair of branch SRXs?

Super Contributor colemtb (Posts: 313, Registered: 09-30-2009)

Re: Upgrading branch SRX cluster

Zero...  NO.  Close to Zero, yes.

Trusted Contributor mawr (Posts: 236, Registered: 06-11-2010)

Re: Upgrading branch SRX cluster

Is it possible to upgrade a pair now without taking them both offline?

mawr

Super Contributor colemtb (Posts: 313, Registered: 09-30-2009)

Re: Upgrading branch SRX cluster

I don't believe complete ISSU is out, but you can minimize downtime with physical access to revenue ports.  ...  On a 210 or 220 this wouldn't be a gigantic task.

Distinguished Expert muttbarker (Posts: 2,352, Registered: 01-29-2008)

Re: Upgrading branch SRX cluster

As Cole stated, you can do this with some minimal downtime. The original Juniper recommendation was to upgrade the code on both units and do a concurrent reboot (KB article # KB17235). Since then Juniper published KB17947, which shows how to accomplish this:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17947&actp=search&viewlocale=en_US&searchid...

Note that there WILL be session loss - read carefully to understand the impact. I have done this on production boxes, but there will be an impact as it is not ISSU.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Visitor andys (Posts: 3, Registered: 01-15-2011)

Re: Upgrading branch SRX cluster

Thanks for the replies. At first I thought the only option was rebooting both at the same time and praying they come back up, but I'll look into the newer KB article.

It's been a while since I worked with SSGs, but I was sure it was possible to do this on an NSRP cluster, so I was surprised that upgrades seem to have taken such a step back.

Regular Visitor mcable (Posts: 3, Registered: 05-13-2010)

Re: Upgrading branch SRX cluster

Per that KB article, you're supposed to disable all ports on node1.  When I attempt to commit a config that does that, I get:

  'ge-9/0/1'
     HA control port cannot be configured
error: configuration check-out failed

Am I not supposed to disable the control plane ports?  That would seem to be the one we'd most want to disable!

Contributor thwack (Posts: 12, Registered: 10-12-2010)

Re: Upgrading branch SRX cluster

Just did an upgrade from 10.0R3.10 to 10.2R3.10 on an Active/Passive SRX 650 cluster the other day with absolutely no problems.  I simply followed this KB: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17235

Rebooting both SRX clusters at the same time is necessary, but they are only down for 5 or so minutes tops. If you follow the KB, there is no downtime for the first step, the initial install of the software.

Please note that you should check your firmware after the upgrade, depending on what SRX you have. Run 'show system firmware', as there may be a new one available. For our SRX, we had to manually upgrade the firmware after the software upgrade, and that required another reboot.

Visitor andys (Posts: 3, Registered: 01-15-2011)

Re: Upgrading branch SRX cluster

mcable wrote:

Am I not supposed to disable the control plane ports?  That would seem to be the one we'd most want to disable!

I haven't had a chance to try the steps yet, but how did you disable the ports? When I read the guide I assumed that the control plane link either needed unplugging or moving to a port that isn't in use?

Super Contributor tbehrens (Posts: 348, Registered: 04-30-2010)

Re: Upgrading branch SRX cluster

On branch and 3k, you have to physically remove the control port. 5k, it can be disabled from config.

For that reason, I like the cable swapping method better. If you are already physically present, you may as well leave the config alone.

There was a post in these forums that detailed how to do a minimal downtime upgrade while juggling cables around.
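Added example, not taken from the thread, from KB17235/KB17947 or from Juniper: the node1 port shutdown that mcable's commit error above is about, written so that it passes commit. Only node1's revenue ports are disabled; the HA control port is left out of the configuration entirely and, on a branch SRX, is unplugged as tbehrens describes. ge-9/0/1 as the node1 control port is taken from mcable's error output; the port names ge-9/0/3 to ge-9/0/5 and their reth membership are assumptions for illustration.

```junos
## Added example (not from the thread or Juniper's KB articles).
## Take node1 out of the forwarding path before upgrading it by
## disabling its revenue ports only. ge-9/0/1 (node1 control port,
## per mcable's error) is deliberately absent: on branch SRX the
## control link is not manageable from configuration, so it is
## handled by pulling the cable, not by a "disable" statement.
## ge-9/0/3 to ge-9/0/5 as node1 reth members are assumptions.

## 1. Record which node is primary and which ports carry the
##    control/fabric links before touching anything.
show chassis cluster status
show chassis cluster interfaces

## 2. Disable only node1's revenue (assumed reth member) ports.
configure
set interfaces ge-9/0/3 disable
set interfaces ge-9/0/4 disable
set interfaces ge-9/0/5 disable

## 3. Validate without applying. If a control port had slipped into
##    the list above, this is where "HA control port cannot be
##    configured" would be raised, before anything hits the data plane.
commit check

## 4. Apply with a comment so the change is easy to find and undo
##    ("rollback 1" followed by "commit" restores the ports once node1
##    is back on the new code).
commit comment "node1 revenue ports down for Junos upgrade"
exit

## 5. Confirm node0 is still carrying the reth interfaces.
show chassis cluster status
show interfaces terse | match reth
```

The point of step 3 is that "commit check" performs the same validation as "commit" without activating the configuration, so the control-port restriction is caught on the CLI rather than mid-change; step 5 is the check worth repeating after node1 is reloaded and its ports re-enabled, since session loss is expected when the roles swing back (as muttbarker notes above).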

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.