Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos OS Chassis Cluster User Guide for SRX Series Devices Upgrading or Disabling a Chassis Cluster

Chassis Cluster User Guide for SRX Series Devices

keyboard_arrow_up
close
keyboard_arrow_left
Chassis Cluster User Guide for SRX Series Devices
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Upgrading Devices in a Chassis Cluster Using ICU

date_range 19-Nov-24
arrow_backward
arrow_forward

The chassis cluster ICU method allows both devices in a cluster to be upgraded from supported Junos OS versions using a single command. For more information, see the following topics:

Note:

For SRX300, SRX320, SRX340, SRX345, and SRX380 Firewalls, if you are upgrading to Junos OS Release 24.4R1, you cannot use the ICU method. You must use either the procedures outlined in KB 85650 or the minimal downtime procedure documented in KB17947 (Minimal_Downtime_Upgrade_Branch_Mid PDF file). Once you have upgraded to Junos OS Release 24.4R1, you can use the ICU method to upgrade to any later releases or downgrade from one of those later releases to either Junos OS Release 23.4R2-S3 or to Release 24.2R2.

Upgrading Both Devices in a Chassis Cluster Using ICU

Before you begin, note the following:

SRX Series Firewalls in a chassis cluster can be upgraded with a minimal service disruption using In-Band Cluster Upgrade (ICU). The chassis cluster ICU feature allows both devices in a cluster to be upgraded from supported Junos OS versions using a single command. You can enable this feature by executing the request system software in-service-upgrade image_name command on the primary node. This command upgrades the Junos OS and reboots both the secondary node and the primary node in turn. During the ICU process, traffic outage is minimal; however, cold synchronization is not provided between the two nodes.

For SRX300, SRX320, SRX340, SRX345, and SRX380 devices, the devices in a chassis cluster can be upgraded with a minimal service disruption of approximately 30 seconds using ICU with the no-sync option. The chassis cluster ICU feature allows both devices in a cluster to be upgraded from supported Junos OS versions.

You must use the in-band cluster upgrade (ICU) commands on SRX1500 device to upgrade following Junos OS Releases:

  • Junos OS Release 15.1X49-D50 to Junos OS Release 15.1X49-D100

  • Junos OS Release 15.1X49-D60 to Junos OS Release 15.1X49-D110

  • Junos OS Release 15.1X49-D50 to Junos OS Release 15.1X49-D120

You must use the in-band cluster upgrade (ICU) commands on SRX1600 device to upgrade from Junos OS Release 23.3R1 to later release.

You can use the in-band cluster upgrade (ICU) commands on SRX2300,SRX4100 and SRX4200 devices to upgrade following Junos OS Releases:

  • Junos OS Release 15.1X49-D65 to Junos OS Release 15.1X49-D70

  • Junos OS Release 15.1X49-D70 to Junos OS Release 15.1X49-D80.

For SRX300, SRX320, SRX340, SRX345 and SRX380 devices, the impact on traffic is as follows:

  • Drop in traffic (30 seconds approximately)

  • Loss of security flow sessions

The upgrade is initiated with the Junos OS build locally available on the primary node of the device or on an FTP server.

  • The primary node, RG0, changes to the secondary node after an ICU upgrade.

  • During ICU, the chassis cluster redundancy groups are failed over to the primary node to change the cluster to active/passive mode.

  • ICU states can be checked from the syslog or with the console/terminal logs.

  • ICU requires that both nodes be running a dual-root partitioning scheme with one exception being the SRX1500 and SRX1600. ICU will not continue if it fails to detect dual-root partitioning on either of the nodes. Requirement of the dual-root partitioning is applicable only for SRX300, SRX320, SRX340, SRX345, and SRX380 devices.

    Dual-root partitioning is not supported on SRX1500 and SRX1600 devices. SRX1500 and SRX1600 use solid-state drive (SSD) as secondary storage.

Upgrading ICU Using a Build Available Locally on a Primary Node in a Chassis Cluster

Ensure that sufficient disk space is available for the Junos OS package in the /var/tmp location in the secondary node of the cluster.

To upgrade ICU using a build locally available on the primary node of a cluster:

  1. Copy the Junos OS package build to the primary node at any location, or mount a network file server folder containing the Junos OS build.
  2. Start ICU by entering the following command:

    user@host> request system software in-service-upgrade image_name no-sync (for SRX300, SRX320, SRX340, SRX345, and SRX380 devices)

    user@host> request system software in-service-upgrade image_name (for SRX1500 devices prior to Junos OS Release 15.1X49-D70)

    user@host> request vmhost software in-service-upgrade image_name (for SRX1600 and SRX2300 devices)

Upgrading ICU Using a Build Available on an FTP Server

Ensure that sufficient disk space is available for the Junos OS package in the /var/tmp location in both the primary and the secondary nodes of the cluster.

To upgrade ICU using a build available on an FTP server:

  1. Place the Junos OS build on an FTP server.
  2. (SRX300, SRX320, SRX340, SRX345 and SRX380 only) Start ICU by entering the following command:

    user@root> request system software in-service-upgrade <ftp url for junos image> no-sync

    Sample Command

    content_copy zoom_out_map
    user@root> request system software in-service-upgrade ftp://<user>:<password>@<server>:/<path> no-sync

    This command upgrades the Junos OS and reboots both nodes in turn.

  3. (SRX1500 only prior to Junos OS Release 15.1X49-D70) Start ICU by entering the following command:

    user@root> request system software in-service-upgrade <ftp url for junos image>

    Sample Command

    content_copy zoom_out_map
    user@root> request system software in-service-upgrade ftp://<user>:<password>@<server>:/<path>

    This command upgrades the Junos OS and reboots both nodes in turn.

    For SRX1600 and SRX2300 devices, start ICU by entering the following command:

    content_copy zoom_out_map
    user@root> request vmhost software in-service-upgrade ftp://<user>:<password>@<server>:/<path>

The upgrade process displays the following warning message to reboot the system:

WARNING: A reboot is required to load this software correctly. Use the request system reboot command when software installation is complete.

This warning message can be ignored because the ICU process automatically reboots both the nodes.

Terminating an Upgrade in a Chassis Cluster During an ICU

You can terminate an ICU at any time by issuing the following command on the primary node:

request system software abort in-service-upgrade

Issuing an abort command during or after the secondary node reboots puts the cluster in an inconsistent state. The secondary node boots up running the new Junos OS build, while the primary continues to run the older Junos OS build.

To recover from the chassis cluster inconsistent state, perform the following actions sequentially on the secondary node:

  1. Issue an abort command:

    request system software abort in-service-upgrade

  2. Roll back the Junos OS build by entering the following command:

    request system software rollback node < node-id >

  3. Reboot the secondary node immediately by using the following command:

    request system reboot

You must execute the above steps sequentially to complete the recovery process and avoid cluster instability.

Table 1 lists the options and their descriptions for the request system software in-service-upgrade command.

Table 1: request system software in-service-upgrade Output Fields

Options

Description

no-sync

Disables the flow state from syncing up when the old secondary node has booted with a new Junos OS image.

This option is not available on SRX1500 and SRX1600 devices.

no-tcp-syn-check

Creates a window wherein the TCP SYN check for the incoming packets will be disabled. The default value for the window is 7200 seconds (2 hours).

This option is not available on SRX1500 and SRX1600 devices.

no-validate

Disables the validation of the configuration at the time of the installation. The system behavior is similar to software add.

unlink

Removes the package from the local media after installation.

  • During ICU, if a termination command is executed, ICU will terminate only after the current operation finishes. This is required to avoid any inconsistency with the devices.

    For example, if formatting and upgrade of a node is in progress, ICU terminates after this operation finishes.

  • After a termination, ICU will try to roll back the build on the nodes if the upgrading nodes step was completed.

Related Documentation

arrow_backward PREVIOUS Upgrading Individual Devices in a Chassis Cluster Separately
NEXT arrow_forward Upgrading a Chassis Cluster Using In-Service Software Upgrade
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top