I am reading different posts over internet and confusion reigns over the exact sequence of rebooting srx cluster for updating srx software and if "no validate" should be used.
please help to clear confusion, should the srx cluster be rebooted at once when updating srx software or the primary be rebooted first.
Will using "no validate" cause any issues or should it be allowed to validate.
As per my knowledge, since you are upgrading a chassis cluster, you should add the image onto both the nodes and then issue the reboot command simultaneously on both nodes. The major requirement for the setup to be in cluster mode is having the same junos version, so issue the command simultaneously on both nodes.
Refer the KB for understanding this better: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17235&actp=METADATA
Secondly, the no-validate would fasten your upgrade process but it does skip some basic checks which include the validation of software against the device and the current configuration on the box. If you have done this previously and are sure that there are no discrepencies with the s/w version and the device config then you could proceed with the no-validate option.
Hope this helps 🙂
Mark this as Accepted Solution if this answers your queries.
Does the request system software add "software image" no-copy unlink command need to be run on both firewall in a cluster or only on the active firewall?
Yes, as per my understanding you must run the same command on both the nodes, this no-copy is basically to avoid storing the image on the internal storage location /var/sw/pkg after the image is added to save some storage .
I am not sure of the unlink command - seems to be used on legacy junos, do try the command on both nodes and confirm to help wider community.