SRX

Hello people,

Be honest. What's your thoughts on ISSU process from your experience? Is it solid and works pretty well? Recently we've seen several problems with it: intermittent accesses, some sessions were lost between the switchover process and the most noticeable and recent one is a completely cluster down due to NSD process failure in the beginning of the upgrade process (node1), which couldn't bring NSD process up and ironically node0 switchover all traffic to node1 anyway. Problem PR1724777 shows this scenario.

https://prsearch.juniper.net/problemreport/PR1724777

 Do you guys are comfortable using ISSU? Is it minimal downtime process more safe?

------------------------------
Tierre Amaral
------------------------------

ISSU has been a mixed experience for me from the beginning in 2009.  When it works the process is great but the failures tend to be much worse than scheduled outages.

A few years back we made the decision to do scheduled outages with reboots instead of ISSU.  We found that downtime is minimized with the following process.

• Upgrade the backup node
• Manually switch to the backup (There is a brief outage but not as long as a reboot as interfaces all drop and come up affecting all traffic).
• Upgrade the old primary node
• Reform and sync the pair and confirm all state is back in sync
• Perform the lossless fail back to primary manually

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------

Original Message:
Sent: 03-10-2025 20:47
From: Tierre Amaral
Subject: Thoughts on ISSU process

Hello people,

Be honest. What's your thoughts on ISSU process from your experience? Is it solid and works pretty well? Recently we've seen several problems with it: intermittent accesses, some sessions were lost between the switchover process and the most noticeable and recent one is a completely cluster down due to NSD process failure in the beginning of the upgrade process (node1), which couldn't bring NSD process up and ironically node0 switchover all traffic to node1 anyway. Problem PR1724777 shows this scenario.

https://prsearch.juniper.net/problemreport/PR1724777

 Do you guys are comfortable using ISSU? Is it minimal downtime process more safe?

------------------------------
Tierre Amaral
------------------------------

I'm with Steve on this one. It's nice to issue a single command and just sit back and let it do its thing, upgrading a whole stack.

It seems that the validation whether a cluster can perform the operation are insufficient, so if your cluster isn't in a condition that's just right for the upgrade from and to the versions that are just right, your cluster can end up in an inconsistent state that's tedious and time-consuming to recover from. Add to that the variety of terminology (ISSU, ISU, etc.) and the nuances from model to model and version and to version, and the occasional bug that prevents the process from completing normally, and at some point ISSU becomes more trouble than it's worth.

Unfortunately, Juniper's minimal downtime process requires someone be physically present.

------------------------------
Nikolay Semov
------------------------------

Original Message:
Sent: 03-10-2025 20:47
From: Tierre Amaral
Subject: Thoughts on ISSU process

Hello people,

Be honest. What's your thoughts on ISSU process from your experience? Is it solid and works pretty well? Recently we've seen several problems with it: intermittent accesses, some sessions were lost between the switchover process and the most noticeable and recent one is a completely cluster down due to NSD process failure in the beginning of the upgrade process (node1), which couldn't bring NSD process up and ironically node0 switchover all traffic to node1 anyway. Problem PR1724777 shows this scenario.

https://prsearch.juniper.net/problemreport/PR1724777

 Do you guys are comfortable using ISSU? Is it minimal downtime process more safe?

------------------------------
Tierre Amaral
------------------------------