[Archive] How to upgrade two ScreenOS devices to ScreenOS 5.x or ScreenOS 6.x in an Active/Active NSRP configuration


Article ID: KB4232 KB Last Updated: 03 Aug 2017 Version: 7.0
Summary:
This article provides information on how to upgrade two ScreenOS devices to ScreenOS 5.x or 6.x in an Active/Active NSRP configuration.
Symptoms:
How to upgrade two ScreenOS devices to ScreenOS 5.x or 6.x in an Active/Active NSRP configuration. On an SSG device, Active/Active can be configured only on ScreenOS 6.0 or later.
Solution:
Note:
  • This article is applicable to ScreenOS 5.x and 6.x.

  • This article refers to an NSRP configuration in which two ScreenOS devices are paired into two Virtual Security Device (VSD) groups, with each physical device being the master in one group and the backup in the other. To upgrade, you first have to fail over one of the devices, so that only one physical device is the master of both VSD groups. You can upgrade the backup device first and then the master device.

  • The following image illustrates a typical NSRP Active/Active configuration, in which 'NetScreen 1' is the master of 'VSD 0' and backup for 'VSD 1', and 'NetScreen 2' is the master of 'VSD 1' and backup for 'VSD 0':

Warning: Do not power off the NetScreen device while it is being upgraded to new firmware. Doing so could result in permanent damage to the device.

You can download firmware updates from the web. For more information, refer to KB7860 - Download NetScreen Firmware Updates from the Web.

To upgrade the ScreenOS version for two NetScreens in an Active/Active NSRP configuration, perform the following procedure:

Step one: Open the CLI and connect to the master NetScreen 2 in VSD group 1. For more information, refer to KB4082 - Accessing the Command Line Interface Using Telnet.

Step two: From the CLI, type exec nsrp vsd-group 1 mode ineligible, and then press Enter.

Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 1 mode backup' and then press 'Enter'.


 

Step three: Open the WebUI. For more information, refer to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

Step four: Save a copy of your configuration to a TFTP server. For more information, refer to KB4758 - Saving a Configuration from Web Management.

Step five: Upgrade ScreenOS via web management. For more information, refer to KB13672 - How to upgrade ScreenOS either via the WebUI or CLI.

Note: NetScreen 2 has now been upgraded. It is now time to manually fail over NetScreen 1 and then upgrade it.

Step six: Open the CLI for NetScreen 1 and type exec nsrp vsd-group 0 mode ineligible.

Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 0 mode backup'.


Step seven: Repeat Step 6. Type exec nsrp vsd-group 1 mode ineligible.

Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 1 mode backup'.

Note: At this point, NetScreen 1 is now the backup for both groups and ready to be upgraded.

Step eight: Repeat Steps 3 through 5. However, this time, connect to NetScreen 1.
Note: After both of the NetScreen devices are upgraded to the new ScreenOS version, you will have to manually synchronize the RTOs between the two devices.

Step nine: Open the CLI for NetScreen 1, and enter exec nsrp sync rto all from peer.


Note: Finally, you will have to reinstate the two NetScreen devices in an NSRP Active/Active configuration.

Step ten: Open the CLI for NetScreen 2 and type exec nsrp vsd-group 1 mode ineligible.

Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 1 mode backup'.
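
The ordering constraint behind steps two to eight, checked as code. This is an added example, not part of the Juniper article: validate_runbook, the step tuples and the failover model are hypothetical, and it assumes that a device giving up a VSD group hands mastership to its peer and that the upgrade reboot clears modes set with exec.

```python
# Added example: simplified model of NSRP mastership during the upgrade runbook.
# Assumptions (not from the KB): stepping down from a VSD group makes the peer
# master, and rebooting for the upgrade clears modes set earlier with exec.

PEER = {"NetScreen 1": "NetScreen 2", "NetScreen 2": "NetScreen 1"}

def validate_runbook(steps):
    """Return a list of problems found; an empty list means the order is safe."""
    master = {0: "NetScreen 1", 1: "NetScreen 2"}    # Active/Active start state
    stepped_down = set()                              # (device, vsd) pairs
    upgraded, problems = set(), []
    for n, (device, action, vsd) in enumerate(steps, start=1):
        if action == "step_down":                     # mode ineligible / mode backup
            peer = PEER[device]
            if (peer, vsd) in stepped_down:
                problems.append(f"entry {n}: VSD {vsd} would have no eligible master")
                continue
            stepped_down.add((device, vsd))
            master[vsd] = peer
        elif action == "upgrade":
            owned = sorted(v for v, m in master.items() if m == device)
            if owned:
                problems.append(f"entry {n}: {device} is still master of VSD {owned}")
            upgraded.add(device)
            # Assumed: the reboot clears this device's exec-set modes.
            stepped_down = {(d, v) for d, v in stepped_down if d != device}
    missing = sorted(set(PEER) - upgraded)
    if missing:
        problems.append(f"never upgraded: {missing}")
    return problems

# Order taken from steps two to eight of the procedure above.
KB_ORDER = [
    ("NetScreen 2", "step_down", 1),
    ("NetScreen 2", "upgrade", None),
    ("NetScreen 1", "step_down", 0),
    ("NetScreen 1", "step_down", 1),
    ("NetScreen 1", "upgrade", None),
]
# Constructed faulty variant: step seven is skipped.
SKIPS_STEP_SEVEN = [s for s in KB_ORDER if s != ("NetScreen 1", "step_down", 1)]

if __name__ == "__main__":
    print(validate_runbook(KB_ORDER))
    print(validate_runbook(SKIPS_STEP_SEVEN))
```
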
