This article provides information on how to upgrade two ScreenOS devices to ScreenOS 5.x or 6.x in an Active/Active NSRP configuration.
Active/Active can be configured on an SSG device only with ScreenOS 6.0 or later.
Note:
- This article is applicable to ScreenOS 5.x and 6.x.
- This article refers to an NSRP configuration in which two ScreenOS devices are paired into two Virtual Security Device (VSD) groups, with each physical device being the master in one group and the backup in the other. To upgrade, you first have to fail over one of the devices, so that only one physical device is the master of both VSD groups. You can upgrade the backup device first and then the master device.
- The following image illustrates a typical NSRP Active/Active configuration, in which 'NetScreen 1' is the master of 'VSD 0' and backup for 'VSD 1', and 'NetScreen 2' is the master of 'VSD 1' and backup for 'VSD 0':

Warning: Do not power off the NetScreen device while it is being upgraded to new firmware. Doing so could result in permanent damage to the device.
You can download firmware updates from the web. For more information, refer to KB7860 - Download NetScreen Firmware Updates from the Web.
To upgrade the ScreenOS version for two NetScreens in an Active/Active NSRP configuration, perform the following procedure:
1. Open the CLI and connect to the master NetScreen 2 in VSD group 1. For more information, refer to KB4082 - Accessing the Command Line Interface Using Telnet.
2. From the CLI, type 'exec nsrp vsd-group 1 mode ineligible', and then press Enter.
Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 1 mode backup' and then press Enter.

3. Open the WebUI. For more information, refer to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.
4. Save a copy of your configuration to a TFTP server. For more information, refer to KB4758 - Saving a Configuration from Web Management.
5. Upgrade ScreenOS via web management. For more information, refer to KB13672 - How to upgrade ScreenOS either via the WebUI or CLI.
Note: NetScreen 2 has now been upgraded. It is now time to manually fail over NetScreen 1 and then upgrade it.
6. Open the CLI for NetScreen 1 and type 'exec nsrp vsd-group 0 mode ineligible'.
Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 0 mode backup'.

7. Repeat Step 6. Type 'exec nsrp vsd-group 1 mode ineligible'.
Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 1 mode backup'.
Note: At this point, NetScreen 1 is now the backup for both groups and ready to be upgraded.
8. Repeat Step 3 through 5. However, this time, connect to NetScreen 1.
Note: After both of the NetScreen devices are upgraded to the new ScreenOS version, you will have to manually synchronize the RTOs between the two devices.
9. Open the CLI for NetScreen 1, and enter 'exec nsrp sync rto all from peer'.

Note: Finally, you will have to reinstate the two NetScreen devices in an NSRP Active/Active configuration.
10. Open the CLI for NetScreen 2 and type 'exec nsrp vsd-group 1 mode ineligible'.
Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 1 mode backup'.
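
The failover-before-upgrade ordering in this procedure can be enforced by a small pre-flight gate. The following is an added example, not part of the original article and not Juniper code. The names UpgradeGate, failover_cmd and run_article_order are hypothetical, and the model assumes a manual failover hands the VSD group to the peer and that mastership does not move again on its own.

```python
# Added example: ordering gate for the NSRP Active/Active upgrade runbook.
# Simplified model (assumption): a manual failover on one unit hands that VSD
# group to its peer, and mastership does not move again on its own.

PEER = {"NetScreen 1": "NetScreen 2", "NetScreen 2": "NetScreen 1"}


def failover_cmd(group, preempt_enabled):
    """CLI line from the article: 'ineligible' with pre-empt, else 'backup'."""
    mode = "ineligible" if preempt_enabled else "backup"
    return f"exec nsrp vsd-group {group} mode {mode}"


class UpgradeGate:
    def __init__(self):
        # Starting state described in the article's note on the topology.
        self.master = {0: "NetScreen 1", 1: "NetScreen 2"}
        self.upgraded = []
        self.log = []  # (device, command) pairs an operator would type

    def fail_over(self, device, group, preempt_enabled=True):
        """Record a manual failover of `group` away from `device`."""
        if self.master[group] != device:
            raise RuntimeError(f"{device} is not master of VSD {group}")
        self.log.append((device, failover_cmd(group, preempt_enabled)))
        self.master[group] = PEER[device]

    def upgrade(self, device):
        """Allow the firmware upgrade only if `device` masters no VSD group."""
        held = sorted(g for g, m in self.master.items() if m == device)
        if held:
            raise RuntimeError(f"{device} still master of VSD {held}; fail over first")
        self.upgraded.append(device)


def run_article_order(preempt_enabled=True):
    """Replay the article's sequence up to the second firmware upgrade."""
    gate = UpgradeGate()
    gate.fail_over("NetScreen 2", 1, preempt_enabled)  # NetScreen 2 gives up VSD 1
    gate.upgrade("NetScreen 2")                        # backup unit upgraded first
    gate.fail_over("NetScreen 1", 0, preempt_enabled)  # NetScreen 1 gives up VSD 0
    gate.fail_over("NetScreen 1", 1, preempt_enabled)  # NetScreen 1 gives up VSD 1
    gate.upgrade("NetScreen 1")                        # now backup for both groups
    return gate


if __name__ == "__main__":
    for device, cmd in run_article_order().log:
        print(f"{device}: {cmd}")
```

Skipping the second failover on NetScreen 1 makes `upgrade("NetScreen 1")` raise, which is the case where a unit would be rebooted while still carrying traffic for a VSD group.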
