Knowledge Search


×
 

[SRX] ISSU/ICU upgrade limitations on SRX firewalls

  [KB17946] Show Article Properties


Summary:

In-Service Software Upgrade (ISSU) allows software upgrades from one Junos OS version to a higher Junos OS version, with little or no down time.

This article provides information about ISSU limitations for SRX 1400, 1500, 3x00, 4x00, and SRX 5x00 series firewalls. The same limitations apply for In-band cluster upgrade (ICU) for SRX Branch Series. Currently ISSU/ICU is not supported on vSRX platforms.

In service software upgrade MUST NOT be performed on any systems that have any ISSU unsupported services enabled.

If an upgrade is necessary and you are impacted by these limitations, an alternative method of upgrading is outlined in KB17947 - How to upgrade SRX cluster with minimal downtime.

 

Symptoms:

These limitations apply to the installed Junos release you will be upgrading FROM

 

From Junos Version

Configured Services Not Supported in ISSU / ICU

Release Specific Limitations
12.1X46

NAT1

 
12.3X48 None Refer Solution Section
15.1X49+

VPN2
 

Refer Solution Section
17.3

None

Refer Solution Section
LACP*3
17.4 through 18.2 None LACP*3
18.3 and 18.4 None SX4600 (Refer Solution Section)
LACP*3
19.1 through 19.2 None LACP*3
19.3 through current None  

1 = THIS LIMITATION APPLIES ONLY IF upgrading from 12.1X46-D40 to any higher version. All other 12.1X46 versions DO NOT have this limitation. Refer to TSB16905.

2 = THIS LIMITATION APPLIES ONLY IF upgrading from a Junos release prior to 15.1X49-D75 to Junos Release 15.1X49-D75 and later releases.

  • You may use ISSU with VPN configuration when upgrading from Junos OS Release 15.1X49-D75 to later releases.

  • You may also use ISSU with VPN configuration to upgrade from Junos OS Release 15.1X49-D10 up to Junos Release 15.1X49-D70.

3 = LACP may be impacted during ISSU upgrade for devices using Junos versions running LACP in centralized mode during busy RE conditions.
     Refer to below Solutions section for Device and Version impact
 

Solution:

Device Specific Limitations

SRX5000 devices

  • ISSU is not supported for following upgrades:
    • Upgrading from earlier Junos releases to Junos Release 15.1X49
    • Upgrading from earlier Junos releases to Junos releases 17.3 or later versions
       
  • ISSU is supported when upgrading to successive Junos OS Release 15.1X49 releases, and for successive 17.3 release or higher versions
    • Examples:
      • 12.3X48-Dxx -> 15.1X49-Dxx   NOT Supported
      • 15.1X49-Dxx -> 15.1X49-Dxx   Supported
      • 15.1X49-Dxx -> 17.3Rx            NOT Supported
      • 17.3Rx -> 17.3Rx                     Supported
      • 17.3Rx -> 17.4Rx                     Supported
      • 17.RRx -> 18.1Rx                     Supported
     
  • SRX5K-SPC3: When running in centralized mode, LACP may flap if the RE is too busy during the ISSU process.
    • LACP is not affected by RE CPU usage when running in distributed mode, which is introduced starting from 18.2R3, 18.3R2, 18.4R1-S4, 18.4R2-S2, 18.4R3, 19.1R1, and 19.2R1.

SRX1500 devices

  • ICU is supported when upgrading from 15.1X49-D50 or later versions
     
  • ISSU is supported when upgrading from 15.1X49-D80 or later versions
    • Upgrades from 15.1X49-D50 or 15.1X49-D60 first require using ICU to 15.1X49-D80 or later release, then ISSU may be used to target release.
       
  • ISSU is not supported for the following upgrades:
    • Upgrading from Junos 15.1X49 releases to 17.3 or later versions
    • Upgrading from Junos 17.3 releases to 17.4 or later versions
       
  • When running in centralized mode, LACP may flap if the RE is too busy during the ISSU process.
    • LACP is not affected by RE CPU usage when running in distributed mode, which is introduced starting from 18.2R3-S1, 18.3R3, 18.4R3, 19.1R2, 19.2R1-S1, 19.2R2, and 19.3R1.

SRX4100 and SRX4200 devices

  • ISSU support is available when upgrading from 15.1X49-D80+.

  • ISSU is not supported for the following upgrades:
    • Upgrading from Junos 15.1X49 releases to 17.3 or later versions
    • Upgrading from Junos 17.3 releases to 17.4 or later versions
       
  • When running in centralized mode, LACP may flap if the RE is too busy during the ISSU process.
    • LACP is not affected by RE CPU usage when running in distributed mode, which is introduced starting from 15.1X49-D190, 17.4R3, 18.1R4, 18.2R3-S1, 18.3R3, 18.4R2-S1, 18.4R3, 19.1R2, 19.2R1-S1, 19.2R2, 19.3R1.

SRX4600 devices

  • When running in centralized mode, LACP may flap if the RE is too busy during the ISSU process.
    • LACP is not affected by RE CPU usage when running in distributed mode, which is introduced starting from 17.4R3, 18.1R4, 18.2R3-S1, 18.3R3, 18.4R2-S1, 18.4R3, 19.1R2, 19.2R1-S1, 19.2R2, 19.3R1, 19.4R1.

vSRX devices

  • ISSU/ICU is currently not supported for vSRXs.

Critical ISSU limitations

  • PR-1405556 ISSU upgrade fails for SRX4600 devices when upgrading from 18.3R1 or 18.4R1

  • PR-1305471 ISSU upgrade fails for SRX1500, SRX4100, SRX4200 when LACP and interface montoring are both in use

  • PR-1189403 Upgrades attempted to Junos version 12.3X48 with event scripts or commit scripts enabled, will fail with an error "validation failed"

For additional information on known issues and limitations for ISSU, refer to PR Search and the release notes for both the FROM and TO versions that are planned for ISSU.

Modification History:

2019-10-18: Added LACP centralized mode caution for TVP-based platform
                     Trim X44 & X45 table to Internal notes for historical
2019-10-05: Changed supported OS version for D70 to D80
2019-08-02: Added clarity on SRX5000 supported ISSU paths
2019-07-30: Refreshed article, removed older details, and cleaned up outputs
2019-07-01: Added notes regarding ISSU from 15.1X49 to higher Junos release trains not being supported.
2019-06-27: Added note regarding vSRXs
2019-01-18: Added note for ISSU failure on SRX TVP platforms with LACP and interface monitoring. Refer to PR1305471. As per developer #369, this is a day one issue.
2017-11-09: Corrected note on 15.1X49 to reflect VPN not NAT.
2017-11-02: Added note for SRX1500 that ICU to ISSU is NOT supported.
2017-09-27: Add clarifying note for introduction of ISSU support on 1500/4100/4200. Also added in 17.3 upgrade limitation for 5k devices.
2017-09-13: Removed 15.1X49 from the table.
2017-04-04: Added note from 15.1X49 that ISSU is NOT supported for upgrade on Junos releases before 15.1X49.

 

Related Links: