Juniper SRX JunOS Upgrade

Juniper JunOS Upgrade instructions⌗

Tested/verified with SRX 340 and 345.

Getting Started⌗

Begin by downloading the recommended version of JunOS per the following KB: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476
It seems to stay consistently up to date with JTAC recommended OS for the specific models.

Once it’s downloaded, move it over to a FAT32 formatted drive. YMMV, but I used Windows 10 Format tool to format a 4GB flash drive to Fat32. Once the file (still zipped) is coppied over to the drive, plug it into the USB port. Alternatively, you can copy the image via SCP/SFTP/Carrier pidgeon to /var/tmp/IMAGE.tgz

The next set of instructions are for if following with a USB drive. If you’re not pick back up a little later on.

First thing we’re going to do is move over to the system shell.

root> start shell user root
root@%

Now we’re ready to plug in the drive. Again, this is assuming you’re connected to the console port, and it’s going to log changes to devices to the console.

Watching the CLI when you plug the drive in, it should tell you the drive path for Example:

root@% umass1: Kingston DataTraveler 3.0, rev 3.00/1.10, addr 2
da1 at umass-sim1 bus 1 target 0 lun 0
da1: <Kingston DataTraveler 3.0 PMAP> Removable Direct Access SCSI-6 device 
da1: 80.000MB/s transfers
da1: 29568MB (60555264 512 byte sectors: 255H 63S/T 3769C)

Great we see that the device is mounted as da1

now we can look at /dev/da1:

root@% ls /dev/da1*
/dev/da1        /dev/da1s1

So we see there’s a partition on there and only one, that’s what we’re going to want to mount. We’ll create a directory in tmp for the drive:

root@% mkdir /var/tmp/usb

Then mount the drive:

root@% mount_msdosfs /dev/da1s1 /var/tmp/usb

we can verify what is there with:

root@% ls /var/tmp/usb
junos-srxsme-18.2R3.4.tgz

Great! There’s the image we want to use. Now we need to get that onto the actual device for consumption. Alternatively, you can install from the USB drive with the no-copy portion. I like to have it on the drive under /var/tmp/ and then use the no-copy so my workflow is:

root@% cp /var/tmp/usb/junos-srxsme-18.2R3.4.tgz /var/tmp/
root@% ls /var/tmp/
junos-srxsme-18.2R3.4.tgz

Now that it’s on the device itself, I can unmount my USB:

root@% umount /var/tmp/usb
##REMOVING DRIVE HERE
(da1:umass-sim1:1:0:0): lost device
(da1:umass-sim1:1:0:0): removing device entry
umass1: detached

Now we’re ready for the actual installation, we’re going to jump back to the CLI at this point.

root@% cli
root>

Next we’ll tell the device to begin installing the package, and to not copy the files again:

root> request system software add /var/tmp/junos-srxsme-18.2R3.4.tgz no-copy

This will take a little while, took about 20 minutes on my bench with nothing else going on. Once it’s done, you’ll wind back up at the cli prompt:

root> ... add /var/tmp/junos-srxsme-18.2R3.4.tgz no-copy                    
NOTICE: Validating configuration against junos-srxsme-18.2R3.4.tgz.0
NOTICE: Use the 'no-validate' option to skip this if desired.   usb1
Formatting alternate root (/dev/da0s2a)...      pass1           veriexec
/dev/da0s2a: 2518.0MB (5156848 sectors) block size 16384, fragment size 2048
cfi1            da0s3e          klog            random          zero
        using 14 cylinder groups of 183.62MB, 11752 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
 32, 376096, 752160, 1128224, 1504288, 1880352, 2256416, 2632480, 3008544,
 3384608, 3760672, 4136736, 4512800, 4888864

Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProductionEc_2016
Using junos-18.2R3.4 from /altroot/cf/packages/install-tmp/junos-18.2R3.4
Copying package ...
veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/php_mod.ini: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libyaml.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libext_db.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory
Verified manifest signed by PackageProductionEc_2019
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-18.2R3.4' ...
Verified junos-boot-srxsme-18.2R3.4.tgz signed by PackageProductionEc_2019

Verified junos-srxsme-18.2R3.4-domestic signed by PackageProductionEc_2019
Verified junos-boot-srxsme-18.2R3.4.tgz signed by PackageProductionRSA_2019
Verified junos-srxsme-18.2R3.4-domestic signed by PackageProductionRSA_2019
JUNOS 18.2R3.4 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete

WARNING:     The DHCP configuration command used will be deprecated in future Junos releases.
WARNING:     Please see documentation for updated commands.


cp: cannot overwrite directory /altroot/cf/etc/ssh with non-directory /cf/etc/ssh
Saving state for rollback ...

root>

Finally, we’re ready for the device to reboot and activate the new version:

root> request system reboot

A few minutes later, and we’re back to the login prompt.

Time for device cleanup! Now that you’ve rebooted and you think you’re good, it’s time to get the two internal media partitions on the same page. Start by verifying that the version you want is on the (primary) using the command show system snapshot media internal

root> show system snapshot media internal 
Information for snapshot on       internal (/dev/da0s1a) (backup)
Creation date: Aug 30 02:31:04 2016
JUNOS version on snapshot:
  junos  : 15.1X49-D45-domestic
Information for snapshot on       internal (/dev/da0s2a) (primary)
Creation date: Oct 15 17:43:12 2019
JUNOS version on snapshot:
  junos  : 18.2R3.4

So we can see, the old version is running on /dev/da0s1a and is the backup. The new version is on /dev/da0s2a and is the primary. Now we want to clear up the warning about about “JUNOS versions running on dual partitions are not same”

We’re going to copy over the new primary onto the backup: request system snapshot slice alternate. This command is going to format the other partition, then copy over the OS to the backup part.

root> request system snapshot slice alternate 
Formatting alternate root (/dev/da0s1a)...
Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes)
The following filesystems were archived: /

root>

It took about five minutes on a device that was just sitting on my workbench. No traffic passing or anything else.

Then verification:

root> show system snapshot media internal        
Information for snapshot on       internal (/dev/da0s1a) (backup)
Creation date: Oct 15 17:55:07 2019
JUNOS version on snapshot:
  junos  : 18.2R3.4
Information for snapshot on       internal (/dev/da0s2a) (primary)
Creation date: Oct 15 17:43:12 2019
JUNOS version on snapshot:
  junos  : 18.2R3.4

All is good!

JTAC KBs referenced: Which version to use Mounting a USB Installing JunOS on SRX Series Devices JTAC KB for copying primary to secondary if primary is corrupt Bonus article on different partitions