ISSU: Performing the In-Service Software Upgrade

This article is the fourth in a series about performing an ISSU (In-Service Software Upgrade).

  1. Load the Junos Software package on the device
  2. Verify the Health of the Cluster (Important step)
  3. Create backup of the current configuration and set the rescue config
  4. Start the In-Service Software Upgrade
  5. Process to follow, in the event of the ISSU process stalling in the middle of the upgrade

This article primarily addresses the actual ISSU process.

It is strongly recommend that the In Service Software Upgrade (ISSU) be performed during a maintenance window or during the lowest possible traffic, as the secondary node is not available at this time, and ISSU might occasionally fail under heavy CPU load.

It is best to perform ISSU under the following conditions:

  • Chassis Cluster Mode
  • During System Maintenance Window
  • Lowest possible traffic period
  • When the Routing Engine CPU is less than 40%

The ISSU Process

JTAC does not currently recommend the ISSU process for a non-traffic disruption SRX software upgrade due to certain limitations with NAT, VPN and ALG. However, as of Junos 11.1, the ISSU upgrade limitations for NAT and ALG are resolved, but VPN configuration still could cause issues. Also, it is necessary to check the release documents of the version from and to which the upgrade is to be done. If your organization still requires following the ISSU upgrade process, for minimal traffic disruption, you can follow this guide.

1. Verify that you have console connectivity to the primary and secondary nodes.

2. Verify that ‘logging’ is enabled on both terminal sessions.

This is necessary to verify and monitor the ISSU process as it upgrades the Junos image.

3. Perform the upgrade with the following command:

Important: Make sure that reboot is specified in the command. If it is not specified, it will upgrade node 1 but not reboot, and the physical reboot of node 1 is needed before the automatic failover happens.

The messages reported on node 0 and node 1 will be on similar lines, as follows. (Messages that are not important have been omitted.)

After this is done, the following is reported on NODE 1:

At this stage, Node 1 has rebooted successfully and is on the Junos version that you upgraded to. Check the output of the command “show version” to verify this. Also, check the output of the following commands:

Now, the automatic failover will occur; after that, the upgrade of Node 0 will take place. The messages reported are similar to those above, but you should still monitor the process to see if there are any problems or warnings that the boot messages are throwing.

Node 0 should come back up in the healthy state.

Also, make sure that the Redundancy Groups are now primary on Node 1. To bring it back to node 0, follow the process below:

As mentioned earlier, the failover of Redundant Groups might take some time. The rest of the Redundancy Groups should failover fast.

The ISSU process is now complete.

About the author


Leave a Comment