Knowledge Search


×
 

[SRX] ISSU/ICU upgrade limitations on SRX firewalls

  [KB17946] Show Article Properties


Summary:

In-Service Software Upgrade (ISSU) allows software upgrades from one Junos OS version to a higher Junos OS version, with little or no down time. This article provides information about ISSU limitations for SRX 1400, 1500, 3000, 4100, 4200, and SRX 5000 firewalls. The same limitations apply for In-band cluster upgrade (ICU) for SRX Branch Series. These limitations apply to the installed Junos OS release you will be upgrading FROM.

For additional information on known issues and limitations for ISSU, refer to PR Search and the release notes for both the FROM and TO versions that are planned for ISSU.

In service software upgrade MUST NOT be performed on any systems that have any ISSU unsupported services enabled.

If an upgrade is necessary and you are impacted by these limitations or upgrading from Junos OS earlier than 10.4R4, an alternative method of upgrading is outlined in KB17947 - How to upgrade SRX cluster with minimal downtime.

 

Symptoms:
 

From Junos OS Version

Services Not Supported in ISSU / ICU

10.4R3 and earlier

Do not use ISSU.

10.4R4+

NAT, SIP, SUNRPC, SQL, FTP, DNS, MSRPC, RSH, TALK, PPTP, RTSP, TFTP, H.323, Low Latency Firewall, MGCP, SCCP, VPN, Logging, IDP, AppSecure, NTP, PCAP, Port Mirroring, GRE/IPIP, Multicast, SNMP, Interface Monitoring, LACP, LAG, JFLOW, GPRS/GTP/SCTP

11.1

SIP, SUNRPC, SQL, FTP, DNS, MSRPC, RSH, TALK, PPTP, RTSP, TFTP, H.323, Low Latency Firewall, MGCP, SCCP, VPN, Logging, IDP, AppSecure, NTP, PCAP, Port Mirroring, GRE/IPIP, Multicast, SNMP, Interface Monitoring, LACP, LAG, JFLOW, GPRS/GTP/SCTP

11.2

SUNRPC, SQL, FTP, DNS, MSRPC, RSH, TALK, PPTP, RTSP, TFTP, H.323, Low Latency Firewall, MGCP, SCCP, VPN, Logging, IDP, AppSecure, NTP, PCAP, Port Mirroring, GRE/IPIP, Multicast, SNMP, Interface Monitoring, LACP, LAG, JFLOW, GPRS/GTP/SCTP

11.4R1 - 11.4R4

MGCP, SCCP, VPN, Logging, IDP, AppSecure, NTP, PCAP, Port Mirroring, GRE/IPIP, Multicast, SNMP, Interface Monitoring, LACP, LAG, JFLOW, GPRS/GTP/SCTP

11.4R5+

VPN, GRE/IPIP, Multicast, JFLOW, GPRS/GTP/SCTP

12.1+

VPN, GRE/IPIP, Multicast, JFLOW, GPRS/GTP/SCTP

12.1X44

JFLOW, GPRS/GTP

12.1X45

GPRS/GTP

12.1X46

NAT1

15.1X49+

VPN2
See Note 3

17.3

See Note 3

1 = THIS LIMITATION APPLIES ONLY IF upgrading from 12.1X46-D40 to any higher version. All other 12.1X46 versions DO NOT have this limitation. Refer to TSB-16905.
2 = THIS LIMITATION APPLIES ONLY IF upgrading from a Junos OS release prior to 15.1X49-D75 to Junos OS Release 15.1X49-D75 and later releases.

You can use ISSU with VPN configuration when upgrading from Junos OS Release 15.1X49-D75 to later releases. You can also use ISSU with VPN configuration to upgrade from Junos OS Release 15.1X49-D10 up to Junos OS Release 15.1X49-D70.

3 =  Refer to SRX5000/1500/4100/4200 notes below.

 

Solution:

ISSU is supported only if the from Junos OS image is 10.4R4 or later. ISSU is also supported only if you are not using the services listed in the above table.

When an upgrade is attempted to version 12.3X48 and event scripts or commit scripts are enabled in configuration, the upgrade might fail with the reason "validation failed". You can proceed with ISSU upgrade after disabling the script. Refer to PR-1189403 .

SRX 5000 devices

  • On SRX5000 Series devices, In-Service Software Upgrade (ISSU) is not supported for following upgrades:

    • Upgrading from earlier Junos OS releases to Junos OS Release 15.1X49

    • Upgrading from Junos OS 15.1X49 releases to 17.3+ versions

  • SRX5000 Series devices may use ISSU for upgrading to successive Junos OS Release 15.1X49 releases, and for successive 17.3 release or higher versions.

  • Examples:

    • 12.3X48-Dxx -> 15.1X49-Dxx   NOT Supported

    • 15.1X49-Dxx -> 15.1X49-Dxx   Supported

    • 15.1X49-Dxx -> 17.3Rx            NOT Supported

    • 17.3Rx -> 17.3Rx                     Supported

SRX 1500 devices

  • ISSU support is available when upgrading from 15.1X49-D70+.

Note: For Junos 15.1X49-D50 and D60, SRX1500 does not support ISSU but supports ICU.
  • Upgrade from ICU supported Junos image to ISSU supported Junos image using in-service-upgrade command is NOT supported except when upgrading from D50/D60 to D70.

  • In-service-upgrade from D50 to release after D70 would require first ICU from D50 to D70, and then an ISSU from D70 to target release.

  • ISSU upgrade fails if LACP and interface monitoring are both configured, when upgrading from any version below the following versions: 15.1X49-D123 15.1X49-D122 15.1X49-D130 17.3R2 17.3R3 17.4R2 18.1R1. Refer to PR1305471.

SRX 4100 and 4200 devices

  • ISSU support is available when upgrading from 15.1X49-D80+.

  • ISSU upgrade fails if LACP and interface monitoring are both configured, when upgrading from any version below the following versions: 15.1X49-D123 15.1X49-D122 15.1X49-D130 17.3R2 17.3R3 17.4R2 18.1R1. Refer to PR1305471.

For other limitations and known issues, refer to the release notes.

If an upgrade is necessary and you are impacted by these limitations or upgrading from Junos OS prior to 10.4R4, an alternative method of upgrading is outlined in KB17947 - How to upgrade SRX cluster with minimal downtime.

 

Modification History:

2019-01-18: Added note for ISSU failure on SRX TVP platforms with LACP and interface monitoring. Refer to PR1305471. As per developer #369, this is a day one issue.

2017-11-09: Corrected note on 15.1X49 to reflect VPN not NAT.

2017-11-02: Added note for SRX1500 that ICU to ISSU is NOT supported.

2017-09-27: Add clarifying note for introduction of ISSU support on 1500/4100/4200. Also added in 17.3 upgrade limitation for 5k devices.

2017-09-13: Removed 15.1X49 from the table.

2017-04-04: Added note from 15.1X49 that ISSU is NOT supported for upgrade on Junos releases before 15.1X49.

 

Related Links: