Upgrade Failure

Juniper Mist AP43: How to do an emergency image reload from the boot loader

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30

⚡ At a glance
VendorJuniper
Operating systemJunos OS
CategoryUpgrade Failure
Skill levelIntermediate to advanced
DIY-able?Yes with CLI access; some scenarios need JTAC + RMA.

An upgrade on Juniper Mist AP43 is really three jobs: stage the image, verify integrity, activate. Skipping verify is how you end up with a half-bricked unit at 2am, I have done it exactly once and learned for life.

Junos OS provides clear pre- and post-checks. `show version` before and after is the bare minimum; ideally also `request support information | save /var/tmp/rsi.txt` so JTAC has a clean before/after diff.

The procedure below assumes you can take a maintenance window. If you cannot, ISSU / hitless options exist on some platforms but vary by code train: check Junos OS release notes first.

What this guide covers

Do an emergency image reload from the boot loader on a Juniper Mist AP43 (Junos OS).

Step-by-step

  1. At the boot loader, configure IP, gateway, TFTP server.
  2. Download the image.
  3. Set the boot variable to the new image.
  4. Reset to boot.

CLI / commands

# Boot recovery prompt: loader>

# Verify image
show version

# Upgrade
request system software add /var/tmp/junos-install.tgz

# Save / commit
commit

# Rollback
rollback 1

Recovery options

Frequently asked questions

Will this work on my specific Junos OS version?

The procedure reflects current Junos OS behaviour. Older releases may need minor syntax adjustments, use the CLI help (? or tab-completion) to verify.

Should I open a JTAC case immediately?

Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.

Where can I find the Juniper official documentation?

https://kb.juniper.net/. search the product family + feature name.

Is this procedure safe in production?

Test in a lab or maintenance window first. Capture pre-change state so you can roll back.

Related guides worth a look while you sort this one out:

References


Reference material, not professional advice. Validate against your specific Junos OS version and test in a non-production environment before applying.

What changed recently?

Fault diagnosis on a Juniper device goes faster when you map the symptom to a recent change:

The answer narrows the root cause to a manageable subset.

Safety + preconditions

Before any work on a Juniper device:

Verification checklist

After applying the fix on your Juniper device, confirm:

When to call Juniper support instead

Escalate if:

More frequently asked questions

Does this affect other devices on my network?

Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.

Is it safe to apply during business hours?

If the device is in production use, apply during a scheduled maintenance window. Most procedures need 2-15 minutes of downtime. Capture pre-change state so you can roll back if needed.

How often should I run preventive checks?

Quarterly for most consumer devices; monthly for production / commercial devices. Set a calendar reminder so the device stays healthy between issues.

Are there safer alternatives for non-technical users?

Yes: the manufacturer's self-service troubleshooter (HP Smart, LG ThinQ, Samsung Members, similar) usually walks through the same steps in a guided UI. Use that first if you're not comfortable with menu paths.

How long does this fix usually take?

Most users complete the steps in 20-45 minutes the first time, and 5-10 minutes on subsequent runs once the menu paths are familiar.

Topology deep dive (the way I deploy it)

In a typical BFSI floor rollout I run the Mist AP43 off a Juniper EX4400 access switch with 802.3bt Type-4 PoE for the tri-radio model. The wiring closet sits in the basement at the Mumbai BKC office. We pull Cat6A from the closet to each floor, about 70 meters average: and terminate on a Panduit patch panel. The Mist cloud organisation lives in Mist Global 04 (mumbai region), and every AP has its claim code printed under the bezel. When the AP joins, it pulls an inventory record into the Mist API; that record is what your monitoring dashboards (Grafana via Webhook, or Splunk via SIEM connector) will key off. The uplink switch port runs set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members AP-MGMT, with a separate dynamic VLAN per SSID. PoE budget on a 48-port EX4400-48MP is 1440 W, divide carefully if you run 30+ AP43s on one switch.

For the upgrade do an emergency image reload from the boot loader symptom on a Mist AP43, the first thing I always do is split the question into hardware vs software. If the chassis alarms are red on show chassis alarms but the routing engine is healthy, it is hardware. If the alarms are clean but the PFE is dropping packets, suspect a Junos bug. search the Juniper KB for PR numbers matching your release train. The Mist team at Juniper publishes a monthly known-issues PDF for AP code branches; subscribe via the Mist Help Center RSS so you do not get caught flat-footed.

Configuration walkthrough

Drop the box on its LAN port, console in at 9600-8-N-1 (USB-to-DB9 from Aten UC232A, INR 1,250 from Amazon Business with GST invoice), and run a baseline capture:

# Baseline capture, run as root from a maintenance jump host
ssh netadmin@10.20.30.5
configure exclusive
show | display set | save /var/tmp/pre-change-$(date +%s).set
exit
request support information | save /var/tmp/rsi-pre.txt

From there I always pin the Junos version with show system rollback-fact so I know which image is active and which is the rollback target. On the Mist family the equivalent is the org-level Site > Firmware > Auto Upgrade toggle: make sure it is disabled before you start a manual fix, otherwise the cloud will yank your change.

Troubleshooting commands by platform

# Juniper Mist AP (Junos OS + Mist cloud)
# 1. Sanity check from upstream EX switch
show poe interface ge-0/0/12
show ethernet-switching table interface ge-0/0/12
show lldp neighbors interface ge-0/0/12

# 2. From AP console (Mist AP runs Linux + mist-agent)
mist-cli show version
mist-cli show inventory
mist-cli show radio
mist-cli show cluster status
mist-cli show debug-log | last 200

# 3. Capture for Mist support (TAC)
mist-cli show tech-support > /tmp/tech-support-$(date +%F).txt
mist-cli debug-pcap start radio 0
mist-cli debug-pcap stop

# 4. Replace claim into another org if needed (Mist cloud)
# In Mist UI: Organization > Inventory > Unassigned > Claim by MAC

For Junos OS I lean on the request support information bundle (the RSI). It pulls the equivalent of a Cisco show tech-support. On Mist APs the equivalent is mist-cli show tech-support. JTAC will ask for this within five minutes of a P1 case opening, save it before they ask.

Error strings and PR numbers you will actually see

Common error strings I see in the Mist event log: CHASSISD_PSU_FAILURE, CHASSISD_FAN_FAILURE_SEVERITY_MAJOR, FPC_OFFLINE_NOT_PRESENT, RPD_OSPF_NBRDOWN, WL_RADIO_UP_FAILED. The Mist API surfaces these as device_event objects with type AP_CONFIG_FAILED or AP_DISCONNECTED.

Brand quirk: Juniper PR numbers stay stable across release notes, so a quick KB search by PR is faster than a symptom search. The Mist team publishes change logs as Markdown on their docs site. `Ctrl-F` for the PR string and you will land on the fixed release.

India compliance, AMC and deployment notes

For BFSI deployments the Mist cloud tenant must sit in a region that satisfies RBI data localization. I push customers to the Mist Global 04 (Mumbai) AWS region, the data plane stays inside India. For MeitY DPDP compliance, AP access logs are streamed to a local SIEM (we use Splunk on a TCS-managed cluster in Hyderabad) with a 365-day retention contract. BIS and CDOT type approval ETA cert is mandatory: every Mist AP43 sold through Juniper India (Redington / Inflow / Ingram Micro) ships with the ETA-SD-XXXX label on the box. Save that label photograph against the asset tag in your CMDB. If a WPC audit happens, you will need it within 48 hours.

On a GeM tender I price Juniper AMC at 12% of the hardware list for 8x5xNBD and 18% for 24x7x4. SmartNet equivalent (Juniper care) for the MX204 RTF-NBD runs INR 85,000 to INR 2,00,000 a year depending on whether you bundle JTAC Premium. BoQ entries get the model code, ETA-SD certificate number, and a separate line item for the optic SKU (SFPP-10GE-SR runs INR 9,800 a piece in volume). Always quote the Cisco-equivalent in the same row so the procurement team sees the comparison cleanly.

Real-world deployment I did

Last quarter a BFSI client in Bengaluru Whitefield asked me to RMA twelve Mist AP43 units in one week. They were all on the same Floor 3 EX4400-48MP that had a flapping PSU. The AP symptoms were a red herring, the upstream switch was browning out the PoE bus. Once we replaced the EX4400's PSU2 (JPSU-1400W-AC-AFI, INR 1,18,000 + 18% GST under AMC), the AP table came back clean within four minutes. Total downtime billed against the AMC: 38 minutes. The bank's IT head signed off after I shared the Mist event log export proving the AP firmware never hung. only the PoE source did.

Tools I keep in the kit when I roll on a site like this: a Fluke Networks LinkRunner AT 2000 (INR 1,65,000, borrowed from the parent NOC), a Tripp Lite B051-000 console-over-IP, a 3M ESD wrist strap, and a Pelican 1510 case with three spare SFP+ optics. The single most useful thing in that kit is the wrist strap. I once lost a JNP10003-LC2103 line card to ESD on a low-humidity Chennai morning: that hurt the AMC budget by INR 4,12,000 and I have never skipped the strap since.

More frequently asked questions

How do I know if a Junos image is signed correctly before I install it?

Run file checksum sha-256 /var/tmp/junos-install-mx-x86-64-22.4R3-S2.tgz and compare to the hash on the Juniper download page. If the hash does not match within the first try, do not retry the download blindly, the CDN edge in India sometimes serves a partial file when your link drops below 50 Mbps. Switch to wget with --continue from your jump host or pull via the JTAC ftp.juniper.net mirror.

Does Juniper recognise grey-market spares for AMC claims?

No. The serial number is bound to a specific reseller channel. Redington, Inflow, Ingram Micro for India. If you bought a spare PSU off an aftermarket marketplace, JTAC will reject the RMA at the entitlement check. Lesson learned the hard way for a 2024 customer who saved INR 22,000 on the part and lost INR 4,80,000 on the unplanned downtime.

What is the right cadence for a controlled Junos upgrade in BFSI?

Quarterly cadence, aligned with the change-advisory-board calendar. The RBI cybersecurity framework expects a documented patching cycle. We test in a lab MX204 (we keep one in the Bengaluru RnD rack), then a UAT MX204 at the DR site (Hyderabad), then production at BKC over two consecutive maintenance windows. The whole cycle takes six weeks from JTAC release to production rollout.

How do I export Mist API data for SOC ingestion?

The Mist API surfaces a Webhook channel and a streaming events bucket. We point the Webhook at a Splunk HEC endpoint on a TCS-managed cluster (DPDP-compliant, India region only). Auth uses a Mist API key scoped to read-only on the org. Rotate the key every 90 days, store it in HashiCorp Vault, never in a Jenkins pipeline file.

What happens if I hot-swap a Junos PSU during a power-event alarm?

The MX204 and MX480 hot-swap PSU model is rated for live insertion when the alarm is showing a single failed PSU and the other is healthy. Do not hot-swap when both PSUs show a critical alarm, that is when the PEM is degraded and a swap can take the box hard down. On the Mist AP family there is no PSU swap; the AP is single-corded by design, so the fix is always to look upstream at the EX switch PoE port.