Juniper SRX Upgrade Process

Example Task: Upgrade a HA pair of Juniper SRX240 firewalls (currently 10.4R9.2)

First step – grab two 8GB USB drives, plug one into each cluster member and back up the current software to them:

>request system snapshot media usb

Note: I would reboot each chassis to confirm the current software boots first before taking a copy with USB

I used these versions and performed stepped upgrades – finishing with the current Juniper recommended version for the platform required (in this case an SRX240).

  • junos-srxsme-11.4R3.7-domestic.tgz
  • junos-srxsme-12.1X44-D55.3-domestic.tgz
  • junos-srxsme-12.1X46-D35.1-domestic.tgz

Juniper Support (JTAC) supports and recommends upgrading with 2 versions in between, meaning the new software is 3 versions away from the current one.

However, JTAC also states: you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases. For example, Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4.

Further info here

Juniper don’t provide earlier versions on their download site – so I normally go with the 11.4R3.7 as I have not had any issues with it before and it’s one I had to hand
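The stepping rule quoted from JTAC above can be checked before any package is copied to a firewall, which matters here because the install later runs with no-validate. The following Python is an added example, not code from the original post or from Juniper; the ordered RELEASES table is an assumption made for illustration (only the EEOL releases and the 12.1X44 to 12.1X47 names appear in the post) and the function names are hypothetical.

```python
import re

# Assumption for this example: release trains in upgrade order. Only the EEOL
# set and the 12.1X44..12.1X47 names come from the post; replace this table
# with the ordering from Juniper's release notes before relying on it.
RELEASES = ["10.0", "10.1", "10.2", "10.3", "10.4", "11.1", "11.2", "11.3",
            "11.4", "12.1", "12.1X44", "12.1X45", "12.1X46", "12.1X47"]
EEOL = {"10.0", "10.4", "11.4"}   # EEOL releases named in the JTAC statement
MAX_STEP = 3                      # "3 versions away from the current"

_VERSION = re.compile(r"(\d+\.\d+(?:X\d+)?)(?:R|-D)\d")

def release_of(name):
    """Extract the release train from a version string or package file name,
    e.g. '10.4R9.2' -> '10.4', 'junos-srxsme-12.1X44-D55.3-...' -> '12.1X44'."""
    m = _VERSION.search(name)
    if not m or m.group(1) not in RELEASES:
        raise ValueError(f"unrecognised release in {name!r}")
    return m.group(1)

def hop_allowed(src, dst):
    """True if src -> dst is within MAX_STEP releases, or is EEOL to EEOL."""
    i, j = RELEASES.index(src), RELEASES.index(dst)
    if j <= i:
        return False              # same release or a downgrade
    return (j - i) <= MAX_STEP or (src in EEOL and dst in EEOL)

def check_path(current, packages):
    """Return (src, dst, ok) for every hop of a stepped upgrade plan."""
    hops, src = [], release_of(current)
    for pkg in packages:
        dst = release_of(pkg)
        hops.append((src, dst, hop_allowed(src, dst)))
        src = dst
    return hops

if __name__ == "__main__":
    # Running version and package names as given in the post.
    plan = ["junos-srxsme-11.4R3.7-domestic.tgz",
            "junos-srxsme-12.1X44-D55.3-domestic.tgz",
            "junos-srxsme-12.1X46-D35.1-domestic.tgz"]
    for src, dst, ok in check_path("10.4R9.2", plan):
        print(f"{src} -> {dst}: {'ok' if ok else 'add an intermediate release'}")
```

With the post's three packages every hop passes; a single jump from 10.4 straight to 12.1X46 is reported as needing an intermediate release.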

The approach I use is to:

  • Separate the model you are upgrading from the cluster by removing all the cables
  • Do 1 firewall at a time
  • Use WinSCP for the file transfer into the /tmp directory, and
  • Run the following command:

>request system software add /tmp/junos-srxsme-11.4R3.7-domestic.tgz no-copy no-validate unlink

  • no-copy — Installs the software package but does not save copies of the package files
  • no-validate — Does not check the compatibility with the current configuration before installation starts
  • unlink — Removes the software package after successful installation

The no-validate option is referenced in some of the release notes, because validation sometimes flags an issue between certain versions when there isn’t actually an issue.

This method also removes the installation package as soon as possible, to make sure that there is enough disk space available for the install.

I had issues because the software we were running “request system software” from was corrupted, so you need to confirm that the software you are running is generally healthy – if not, boot from the other partition and copy that over

Why – no-validate?

The Junos 12.1X44 release notes state: “On the SRX240B2 and SRX240H2 models, when you try to upgrade from Junos OS Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade fails when attempting to validate the configuration. To resolve this, use the no-validate option.”

Confirm software on dual partitions with:

>show system snapshot media internal

Copy to Backup Partition

>request system snapshot slice alternate

It will take a while; then you can check the version of the backup software by executing the following command:

>show system software backup

If it fails:

  1. >request system software rollback
  2. Excellent article from Thorsten on Recover Juniper SRX from failed boot

https://yorickdowne.wordpress.com/2013/11/13/recover-juniper-srx-from-failed-boot/

  3. Also see Tech Notes / RtooDtoo.net

http://rtoodtoo.net/recovering-primary-junos-image/