We recently purchased two Juniper SRX 650s to replace our aging Nortel VPN Routers (formerly Contivity Extranet Switches). We finally have both gateways/routers/firewalls racked and connected to the network and we started working our way through the JUNOS configuration and command line interface. The SRX650 we received from our reseller came with 10.0R8 so we decided to upgrade them to 10.1R1.8 based on some feedback we had received from Juniper concerning the slow response from the Web GUI while evaluating the SRX platform a few months ago.
You can find the release notes for JUNOS 10.1 on the Juniper website.
We started by placing the software (junos-srxsme-10.1R1.8-domestic.tgz) on an internal web server (10.1.20.1).
The upgrade itself took at least 5 minutes and the reboot took at least another 5 minutes, so you definitely need to be patient when upgrading the SRX. It took a really long time compared to anything else I’ve upgraded in the past.
root> request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot
/var/tmp/incoming-package.1145          1500 kB 1500 kBps
Package contains junos-10.1R1.8.tgz ; renaming ...
NOTICE: Validating configuration against junos-10.1R1.8.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 631.0MB (1292236 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 157.75MB, 10096 blks, 20224 inodes.
super-block backups (for fsck -b #) at:
 32, 323104, 646176, 969248
** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 317928 free (24 frags, 39738 blocks, 0.0% fragmentation)
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R1.8-domestic signed by PackageProduction_10_0_0
Using junos-10.1R1.8-domestic from /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic
Copying package ...
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/etc/voip/musiconhold.conf: No such file or directory
Verified manifest signed by PackageProduction_10_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 84,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR IDL IDR Decode Error -1(Garbled Message)
Link Layer Discovery Protocol: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic' ...
Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0
Verified junos-srxsme-10.1R1.8-domestic signed by PackageProduction_10_1_0
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
JUNOS 10.1R1.8 will become active at next reboot
Saving package file in /var/sw/pkg/junos-10.1R1.8 ...
cp: /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic is a directory (not copied).
Saving state for rollback ...
Rebooting ...
shutdown: [pid 1888]
Shutdown NOW!
*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY
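The lines worth reading in that transcript before trusting the reboot are the "Verified ... signed by ..." package signature checks, "Validation succeeded", and the "will become active at next reboot" version. Below is an added example (my own code, not anything from the post or from Juniper) that parses a captured upgrade transcript and turns those lines into a go/no-go summary; the embedded log is a constructed excerpt of the output above, and the rtslib ERROR/WARNING counts are reported but, as in the real run, do not by themselves mark the upgrade as failed.

```python
import re
from collections import Counter

# Constructed excerpt of the 'request system software add' output quoted above.
SAMPLE_LOG = """\
Package contains junos-10.1R1.8.tgz ; renaming ...
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R1.8-domestic signed by PackageProduction_10_0_0
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol: rtslib: ERROR IDL IDR Decode Error -1(Garbled Message)
mgd: commit complete
Validation succeeded
Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0
Verified junos-srxsme-10.1R1.8-domestic signed by PackageProduction_10_1_0
JUNOS 10.1R1.8 will become active at next reboot
Rebooting ...
"""

VERIFIED_RE = re.compile(r"^Verified (\S+) signed by (\S+)$")
ACTIVE_RE = re.compile(r"^JUNOS (\S+) will become active at next reboot$")
RTSLIB_RE = re.compile(r"rtslib: (ERROR|WARNING) ")


def summarize_upgrade(log_text):
    """Collect signature checks, validation result, next-boot version and rtslib noise."""
    summary = {"verified": [], "validation_succeeded": False,
               "next_boot_version": None, "rtslib": Counter(), "rebooting": False}
    for line in log_text.splitlines():
        line = line.rstrip()
        m = VERIFIED_RE.match(line)
        if m:
            summary["verified"].append((m.group(1), m.group(2)))  # (package, signer)
            continue
        m = ACTIVE_RE.match(line)
        if m:
            summary["next_boot_version"] = m.group(1)
            continue
        m = RTSLIB_RE.search(line)
        if m:
            summary["rtslib"][m.group(1)] += 1
        elif line == "Validation succeeded":
            summary["validation_succeeded"] = True
        elif line.startswith("Rebooting"):
            summary["rebooting"] = True
    return summary


def upgrade_ok(summary, expected_version):
    """True only if the target package was signature-verified, the config validated,
    and the version that will boot next is the one we intended to install."""
    target_verified = any(pkg.startswith("junos-srxsme-" + expected_version)
                          for pkg, _signer in summary["verified"])
    return (target_verified and summary["validation_succeeded"]
            and summary["next_boot_version"] == expected_version)
```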
I hope to post some additional information as we move forward with the Juniper SRX platform.
Cheers!
will says
In the future, to speed up upgrades I highly, highly suggest using the no-validate option when you initiate the upgrade, especially if it’s a new box with the default config on it. It will speed up the upgrade time significantly.
Will
Michael McNamara says
Thanks for the tip Will!
It took an incredibly long time to upgrade the SRX650… at one point I thought I might have bricked the security gateway.
Cheers!
Tom says
So, any news with your SRX for the last 8 months? :-)
What version are you on now?
Michael McNamara says
Hi Tom,
I just actually started working with the Juniper SRX again… I upgraded a few units to 10.2R3.10 and was going to document that process and some of the clean-up that I needed to undertake before I could upgrade the units (issue with free disk space).
I have an SRX210 running in my testlab connected to an SRX650 at another location over the Internet and it’s been very stable. I’m currently working on setting up another tunnel to a secondary SRX650 and then configuring OSPF routing for redundancy between the branch and main office sites. I’ve been reading about Juniper’s Multipoint VPN Configuration with Next-Hop Tunnel Binding and I’m wondering if I should be using that. In short I have around 25 branch offices (could probably grow no higher than 50) with two geographically dispersed (different ISP even) main office sites for redundancy. I need to configure OSPF so there can be a dynamic recovery in the event that one of the main office sites fails.
I will say that I’m impressed with the performance of the SRX650. I had an issue not too long ago with a set of Check Point IP560 appliances that forced me to take them offline. I was quickly able to configure a rule base on the SRX650 and it was able to take the load as a firewall for approximately 50Mbps of Internet traffic.
The learning curve can be a little steep, especially if you’re like me and don’t have the occasion to work with the equipment (or check it) every day. I essentially get up to speed for a few weeks and then some other project and/or issue pulls me away, and then it takes me a little bit to get back up to speed again, although I will say that taking notes helps greatly. You could say that’s a compliment to Juniper really… you configure the equipment and it just works non-stop so there’s no need to go messing around with it daily.
I’ll let you know how I make out now that I know someone’s interested.
Cheers!
Tom says
Got a decent setup at a customer with 10.2 on the HighEnd series.
But another customer seems to find most of Juniper’s bugs in SRX :-)
Currently on 10.4R4 and found some bugs; suppose R5 should fix those.
So 10.4R5 might be the release to go with :-)