[Archive] How to upgrade two ScreenOS devices to ScreenOS 5.x or ScreenOS 6.x in an Active/Active NSRP configuration

  [KB4232]


Summary:
This article provides information on how to upgrade two ScreenOS devices to ScreenOS 5.x or 6.x in an Active/Active NSRP configuration.
Symptoms:
How to upgrade two ScreenOS devices to ScreenOS 5.x or 6.x in an Active/Active NSRP configuration. On an SSG device, Active/Active can be configured only on ScreenOS 6.0 or later.
Solution:
Note:
  • This article is applicable to ScreenOS 5.x and 6.x.

  • This article refers to an NSRP configuration in which two ScreenOS devices are paired into two Virtual Security Device (VSD) groups, with each physical device being the master in one group and the backup in the other. To upgrade, you first have to fail over one of the devices, so that only one physical device is the master of both VSD groups. You can upgrade the backup device first and then the master device.

  • In a typical NSRP Active/Active configuration, 'NetScreen 1' is the master of 'VSD 0' and backup for 'VSD 1', and 'NetScreen 2' is the master of 'VSD 1' and backup for 'VSD 0'.
     

 

Warning: Do not power off the NetScreen device while it is being upgraded to new firmware. Doing so could result in permanent damage to the device.

You can download firmware updates from the web. For more information, refer to KB7860 - Download NetScreen Firmware Updates from the Web.

To upgrade the ScreenOS version for two NetScreens in an Active/Active NSRP configuration, perform the following procedure:

Step one: Open the CLI and connect to the master NetScreen 2 in VSD group 1. For more information, refer to KB4082 - Accessing the Command Line Interface Using Telnet.

Step two: From the CLI, type exec nsrp vsd-group 1 mode ineligible, and then press Enter.

Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 1 mode backup' and then press 'Enter'.


 

Step three: Open the WebUI. For more information, refer to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

Step four: Save a copy of your configuration to a TFTP server. For more information, refer to KB4758 - Saving a Configuration from Web Management.

Step five: Upgrade ScreenOS via web management. For more information, refer to KB13672 - How to upgrade ScreenOS either via the WebUI or CLI.

Note: NetScreen 2 has now been upgraded. It is now time to manually fail over NetScreen 1 and then upgrade it.

Step six: Open the CLI for NetScreen 1 and type exec nsrp vsd-group 0 mode ineligible.

Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 0 mode backup'.


Step seven: Repeat Step 6. Type exec nsrp vsd-group 1 mode ineligible.

Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 1 mode backup'.

Note: At this point, NetScreen 1 is now the backup for both groups and ready to be upgraded.

Step eight: Repeat Steps 3 through 5. However, this time, connect to NetScreen 1.

Note: After both of the NetScreen devices are upgraded to the new ScreenOS version, you will have to manually synchronize the RTOs between the two devices.

Step nine: Open the CLI for NetScreen 1, and enter exec nsrp sync rto all from peer.


Note: Finally, you will have to reinstate the two NetScreen devices in an NSRP Active/Active configuration.

Step ten: Open the CLI for NetScreen 2 and type exec nsrp vsd-group 1 mode ineligible.

Note: If the pre-empt option is not enabled on the master device, type 'exec nsrp vsd-group 1 mode backup'.
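
The upgrade part of the procedure (steps two through eight) depends on one rule: a device is upgraded only while it is master of no VSD group. The following is an added example, not part of the original article or any Juniper tool, that checks a change plan against that rule before it is run on the devices. It assumes that a device stepping down (mode ineligible or mode backup) hands mastership to its peer at once and that the upgrade reboot does not change mastership; the function and action names are hypothetical.

```python
# Added example: pre-flight check of an NSRP Active/Active upgrade plan.
# Assumptions (not from the article): step-down takes effect immediately and
# the upgrade reboot leaves mastership unchanged.

PEER = {"NetScreen 1": "NetScreen 2", "NetScreen 2": "NetScreen 1"}

def initial_state():
    # Starting layout from the article: each device is master of one VSD group.
    return {0: "NetScreen 1", 1: "NetScreen 2"}

def run_plan(plan, masters=None):
    """Apply (device, action, vsd_group) steps and return (masters, log).

    Raises RuntimeError if an upgrade targets a device that is still the
    master of any VSD group.
    """
    masters = dict(masters or initial_state())
    log = []
    for device, action, group in plan:
        if action == "step-down":
            # Models 'exec nsrp vsd-group <n> mode ineligible' (or 'mode backup').
            # A device that is already backup for the group stays backup.
            if masters[group] == device:
                masters[group] = PEER[device]
        elif action == "upgrade":
            held = sorted(g for g, m in masters.items() if m == device)
            if held:
                raise RuntimeError(f"{device} is still master of VSD {held}; fail over first")
        else:
            raise ValueError(f"unknown action: {action}")
        log.append((device, action, group, dict(masters)))
    return masters, log

# The article's sequence, steps two through eight.
ARTICLE_PLAN = [
    ("NetScreen 2", "step-down", 1),   # step two
    ("NetScreen 2", "upgrade", None),  # steps three to five
    ("NetScreen 1", "step-down", 0),   # step six
    ("NetScreen 1", "step-down", 1),   # step seven
    ("NetScreen 1", "upgrade", None),  # step eight
]

if __name__ == "__main__":
    final, log = run_plan(ARTICLE_PLAN)
    for device, action, group, state in log:
        print(f"{device:12} {action:10} vsd={group}  masters={state}")
```
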
