SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX340 Cluster upgrade

    Posted 11-01-2022 14:35
    Hello all,

    I will be upgrading our SRX340 active-passive cluster for the first time since installation. I found the link below with the embedded PDF on upgrading with minimal downtime. The entire process doesn't look hard, but seems kind of long. I also read that downtime could be around 30 seconds. Is that correct? I guess I'm just used to Palo Alto firewall HA upgrades where you click a button and it fails over immediately with no downtime. Does that mean if node 0 dies suddenly that it will take 30 seconds for node 1 to come up in a production environment?

    Is this the best method for updating that's out there? Any method that is zero downtime?

    https://supportportal.juniper.net/s/article/SRX-How-to-upgrade-an-SRX-cluster-with-minimal-down-time?language=en_US


  • 2.  RE: SRX340 Cluster upgrade

    Posted 11-02-2022 06:48
    The method for no downtime is ISSU (in-service software upgrade), but unfortunately there are a lot of restrictions for this method on SRX platforms. You can see the details here to see if your version and configuration settings would qualify.

    https://supportportal.juniper.net/s/article/SRX-ISSU-ICU-upgrade-limitations-on-SRX-firewalls?language=en_US

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX340 Cluster upgrade

    Posted 11-02-2022 09:56
    Hi,

    I don't think it's 30 seconds. It's not more than 10 seconds, depending on how fast you connect the cable back and how fast ARP learning comes back.


    Thanks


  • 4.  RE: SRX340 Cluster upgrade
    Best Answer

     
    Posted 11-02-2022 10:13
    Hello, 

    As kronicklez said, it totally depends on how fast the interfaces on the non-upgraded node are disabled and those on the upgraded node are enabled.
    If you are disabling interfaces on a switch, as per the PDF in the link you shared, instead of removing it manually, then it would be a matter of a few seconds.
    Once the interfaces of the upgraded node are enabled, it would send the GARP to the switch and the switch would start to send the traffic to that node.

    Also, in case of a node0 failure in production, the traffic transition would be seamless. 

    For zero downtime you can opt for ICU upgrade:
    https://www.juniper.net/documentation/us/en/software/junos/chassis-cluster-security-devices/topics/task/chassis-cluster-upgrading-and-aborting-backup-and-primary-device-with-icu.html

    Please go through the doc below before you proceed with the ICU upgrade.
    https://supportportal.juniper.net/s/article/SRX-ISSU-ICU-upgrade-limitations-on-SRX-firewalls?language=en_US


    ------------------------------
    Brijil R
    ------------------------------



  • 5.  RE: SRX340 Cluster upgrade

    Posted 11-02-2022 12:14
    There are no zero downtime upgrade options with the SRX340.  To get zero downtime upgrade you need ISSU capabilities which are on the SRX1500 and above.  The SRX300 series just don't have that ability.

    ------------------------------
    KRISTIAN DURVIN
    ------------------------------