[j-nsp] SRX upgrade procedure -ready for enterprise?

Mark Tees marktees at gmail.com
Fri Mar 8 18:05:12 EST 2013


>From  11.2 R2 onwards you have ICU for SRX100, SRX210, SRX220, SRX240, and SRX650

http://www.juniper.net/techpubs/en_US/junos11.4/topics/task/operational/chassis-cluster-upgrading-both-device-with-icu.html

This with the "no-tcp-syn-check" option (thanks Craig) might possibly make life easier. I haven't had a chance to try this yet though.

On 09/03/2013, at 6:49 AM, Andy Litzinger wrote:

> what pieces of the KB do you think contribute to the possibility of major outages?  Not having tested anything it already makes me nervous that failover is initiated solely by shutting down the interfaces on the active node...
> 
>> -----Original Message-----
>> From: Tim Eberhard [mailto:xmin0s at gmail.com]
>> Sent: Friday, March 08, 2013 10:11 AM
>> To: Andy Litzinger
>> Cc: juniper-nsp at puck.nether.net
>> Subject: Re: [j-nsp] SRX upgrade procedure -ready for enterprise?
>> 
>> I would never, ever follow that KB. It's just asking for a major outage..
>> 
>> With that said, you have two options. 1) ISSU and 2) Reboot both close
>> to the same time and take the hit. Depending on your hardware it might
>> be 4 minutes, it might be 8-10 minutes.
>> 
>> If option one is the path you choose to go keep in mind the
>> limitations and I would suggest you test it in a lab well before you
>> ever do it in production. ISSU on the SRX is still *very* new. Here is
>> a list of limitations:
>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB17946&actp=R
>> SS
>> 
>> I've seen ISSU fail more than a couple of times when it was supposed
>> to be fully supported. This caused us to take a hit, then have to
>> reboot both devices anyways. So we ended up expecting a hitless
>> upgrade and got 10 minutes of downtime anyways. If you're up for
>> running bleeding edge code then maybe ISSU will work properly, but if
>> availability is that critical you should have a lab to test this in.
>> 
>> Good luck,
>> -Tim Eberhard
>> 
>> On Fri, Mar 8, 2013 at 9:50 AM, Andy Litzinger
>> <Andy.Litzinger at theplatform.com> wrote:
>>> We're evaluating SRX clusters as replacements for our aging ASAs FO pairs
>> in various places in our network including the Datacenter Edge.  I  was reading
>> the upgrade procedure KB:
>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB17947  and
>> started to have some heart palpitations.  It seems a complicated procedure
>> fraught with peril.  Anyone out there have any thoughts (positive/negative)
>> on their experience on upgrading an SRX cluster with minimal downtime?
>>> 
>>> thanks!
>>> -andy
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp




More information about the juniper-nsp mailing list