
Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 15.1X49-D90.

Authentication, Authorization and Accounting (AAA)

  • Starting with Junos OS 15.1X49-D80, the wins-server option at the [edit access profile profile-name] hierarchy level allows you to configure the IPv4 address of a Windows Internet Name Service (WINS) server.

CLI

  • Starting with Junos OS Release 15.1X49-D60, the modem1 option has been added to the show wireless-wan adapter <adapter-name> modem command. The modem1 option displays details of the integrated modems on the CBA850 3G/4G/LTE Wireless WAN Bridge.

Dynamic Host Configuration Protocol (DHCP)

  • Starting with Junos OS Release 15.1X49-D90, the factory-default configuration of SRX300, SRX320, SRX340, SRX345, and SRX550M devices has changed to allow small form-factor pluggable (SFP) ports to be configured as DHCP clients.

    See the following for configuration changes:

    SRX300 / SRX320 / SRX320-POE
    -----------------------------
    ge-0/0/0 and ge-0/0/7 (UNTRUST) - routed interfaces with DHCP client enabled
    ge-0/0/1 - ge-0/0/6 - Ethernet Switching part of VLAN TRUST
    
    SRX340 / SRX345
    -----------------------------
    ge-0/0/0 and ge-0/0/15 (UNTRUST) - routed interfaces with DHCP client enabled
    ge-0/0/1 - ge-0/0/14 - Ethernet Switching part of VLAN TRUST
    
    SRX550M
    -----------------------------
    ge-0/0/0 and ge-0/0/9 (UNTRUST) - Routed interface with DHCP client enabled
    ge-0/0/1-5 (TRUST) - Routed interfaces with DHCP server enabled
    
    RSTP is also enabled by default (set protocols rstp)
    
  • Starting with Junos OS Release 15.1X49-D80, a new command, force-discover, is introduced to the DHCP client to force the DHCP client to send a DHCP discover packet after one to three failed dhcp-request attempts. The force-discover option ensures that the DHCP server will assign the same or a new IP address to the client. To ensure that this process does not fail in the event of a DHCP server outage, the retransmission-attempt value has been extended from a maximum of 6 to 50,000 attempts. No changes are made to the current default values.

    To start the new DHCP process, include the force-discover option at the [edit interfaces] hierarchy level. For example:

    set interfaces ge-0/0/0 unit 0 family inet dhcp-client force-discover

  • Starting with Junos OS Release 15.1X49-D60, the legacy DHCPD (DHCP daemon) configuration on all SRX Series devices is being deprecated and only the new JDHCP CLI will be supported. When you upgrade to Junos OS Release 15.1X49-D60 and later releases on a device that already has the DHCPD configuration, the following warning messages are displayed:

    WARNING: The DHCP configuration command used will be deprecated in future Junos releases.

    WARNING: Please see documentation for updated commands.

    To ensure uninterrupted service for existing DHCP relay deployments, the following configuration items have been identified as missing between the old DHCPD and the new JDHCPD configurations, first at the edit hierarchy:

    set forwarding-options helpers bootp description
    set forwarding-options helpers bootp client-response-ttl
    set forwarding-options helpers bootp maximum-hop-count
    set forwarding-options helpers bootp minimum-wait-time
    set forwarding-options helpers bootp vpn
    set forwarding-options helpers bootp relay-agent-option
    set forwarding-options helpers bootp dhcp-option82

    and the interface hierarchy:

    set forwarding-options helpers bootp interface interface-name description
    set forwarding-options helpers bootp interface interface-name client-response-ttl
    set forwarding-options helpers bootp interface interface-name maximum-hop-count
    set forwarding-options helpers bootp interface interface-name minimum-wait-time
    set forwarding-options helpers bootp interface interface-name vpn
    set forwarding-options helpers bootp interface interface-name relay-agent-option
    set forwarding-options helpers bootp interface interface-name dhcp-option82

Flow-based and Packet-based Processing

  • Flow-based processing for IPv6 Traffic—Starting with Junos OS Release 15.1X49-D70, on the SRX1500, SRX4100, and SRX4200 devices, flow-based processing for IPv6 traffic is enabled by default. Also, you do not need to reboot the device when you are switching modes between flow mode, packet mode, and drop mode.

    When IPv6 is configured on SRX300 Series devices, drop mode remains the default behavior because of memory constraints. In this case, you must reboot the device after changing the processing mode from the default drop mode to flow mode, and whenever you switch between modes.

    Flow-based processing for IPv4 Traffic—The SRX Series device is enabled for flow-based forwarding for IPv4 traffic on all devices by default. For SRX1500, SRX4100, and SRX4200 devices and vSRX instances, you do not need to reboot the device when you are switching modes between flow mode, packet mode, and drop mode. For SRX300 Series devices, you must reboot the device when switching between flow mode, packet mode, and drop mode.

  • Source address for SRX5400, SRX5600, and SRX5800 devices and vSRX instances—Starting with Junos OS 15.1X49-D60, management traffic can originate from a specific source address for Domain Name System (DNS) names.

    Consider the following when you configure the source address for DNS:

    • Only one source address can be configured as the source address for each DNS server name.
    • IPv6 source addresses are supported for IPv6 DNS servers, and only IPv4 addresses are supported for IPv4 DNS servers. You cannot configure an IPv4 address for an IPv6 DNS server or an IPv6 address for an IPv4 DNS server.

    To have all management traffic originate from a specific source address, configure the system name server and the source address. For example:

    user@host# set system name-server 5.0.0.1 source-address 4.0.0.3

Installation and Upgrade

  • Starting with Junos OS Release 15.1X49-D80, on SRX5400, SRX5600, and SRX5800 devices, if the software image is installed from a USB device, a fips-error core is generated during bootup of the device. This core dump is harmless and does not affect any other functionality. To avoid this issue, after installing the software image using a USB, install the software image again using the Junos CLI.

Network Address Translation (NAT)

  • Starting with Junos OS Release 15.1X49-D90, the number of addresses in NAT source pools with IPv6 prefixes is represented as zero (0). This change ensures that when a configuration that includes a NAT source pool with IPv6 prefixes is committed, the capacity check is not exceeded and the commit succeeds. This change is reflected in the output of the following commands when they are used on NAT source pools with IPv6 prefixes:
    • show security nat resource-usage source-pool—The Avail and Total fields are zero (0).
    • show security nat source pool—The Total Addresses field is 0.
    • show security nat source summary—The Total Address field is 0.
  • Starting with Junos OS Release 15.1X49-D60, when you delete or modify a NAT rule, a NAT pool, or an interface address, the related NAT bindings might not be deleted immediately. In addition, the related session scan for the NAT rule and NAT pool might not be deleted as quickly as in previous releases.

Public Key Infrastructure

  • Generating a public key infrastructure (PKI) signature of 512 bits for a digital certificate with Digital Signature Algorithm (DSA) or RSA encryption is being deprecated on SRX Series devices and vSRX instances:
    • Starting with Junos OS Release 15.1X49-D75, the size 512 option is not supported in the CLI command request security pki generate-key-pair certificate-id certificate-id-name type dsa. Instead, the size must be 1024 (the default value), 2048, or 4096.
    • The size 512 option is being deprecated in the CLI command request security pki generate-key-pair certificate-id certificate-id-name type rsa and will no longer be supported in a future release. Instead, the size must be 1024, 2048 (the default value), or 4096.
  • The request security pki local-certificate enroll command now includes the cmpv2 and scep keywords for CMPv2 and SCEP certificate enrollment. Each keyword has configurable options. In previous releases, SCEP enrollment parameters were entered after the enroll keyword. Starting with this release, SCEP enrollment parameters should be entered after the scep keyword. In a future release, SCEP enrollment parameters after the enroll keyword will be deprecated.

    The auto-re-enrollment configuration statement at the [edit security pki] hierarchy level now includes the cmpv2 and scep keywords for automatic reenrollment of local certificates using CMPv2 or SCEP. Each keyword has configurable options. In previous releases, SCEP enrollment parameters were entered after the set security pki auto-re-enrollment certificate-id certificate-id-name statement. Starting with this release, SCEP reenrollment parameters should be entered after the scep keyword. In a future release, SCEP enrollment parameters after the set security pki auto-re-enrollment certificate-id certificate-id-name statement will be deprecated.

Routing Protocols

  • Starting in Junos OS Release 15.1X49-D80, authentication-key-chain configuration is not supported on SRX devices.

System Logs

  • Starting with Junos OS Release 15.1X49-D80, two new system log messages have been added to indicate memory-related problems on the interfaces to the DDR3 memory:
    • XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MINOR
    • XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MAJOR

    These error messages indicate that the XMCHIP on a Flexible PIC Concentrator (FPC) has detected a checksum error, which is causing packet drops.

    The following error threshold values classify the error as a minor error or a major error:

    • Minor error: 5 errors per second
    • Major error: 255 errors per second (maximum count)
  • Starting in Junos OS Release 15.1X49-D70, new parameters are added to the structured log fields of the antivirus, antispam, content, and apppxy system log messages.

    The following example shows the structured log fields of AV_VIRUS_DETECTED_MT, ANTISPAM_SPAM_DETECTED_MT, CONTENT_FILTERING_BLOCKED_MT, APPPXY_RESOURCE_OVERUSED_MT, and APPPXY_SESSION_ABORT_MT messages before Junos OS Release 15.1X49-D70:

    AntiVirus: Virus detected: from <source-address>:<source-port> to <destination-address>:<destination-port> source-zone <source-zone-name> <filename> file <temporary-filename> virus <name> URL:<url> username <username> roles <roles>

    AntiSpam: SPAM detected: <source-name> (<source-address>) <action> reason: <reason> username <username> roles <roles>

    Content Filtering: <argument> (<profile-name> from <source-address> is <action> due to <reason> username <username> roles <roles>

    ApplicationProxy: Suspicious client <source-address>:<source-port>->(<destination-address>:<destination-port>) used <percentage-value> connections, which exceeded the maximum allowed <maximum-value> connections username <username> roles <roles>

    ApplicationProxy: session from <source-address>:<source-port> to <destination-address>:<destination-port> aborted due to <error-message> (code <error-code>)

    The following example shows AV_VIRUS_DETECTED_MT, ANTISPAM_SPAM_DETECTED_MT, CONTENT_FILTERING_BLOCKED_MT, APPPXY_RESOURCE_OVERUSED_MT, and APPPXY_SESSION_ABORT_MT messages in Junos OS Release 15.1X49-D70, indicating the newly added parameters in the structured log fields:

    AntiVirus: Virus detected: <source-address>:<source-port>-><destination-address>:<destination-port> source-zone="<source-zone-name>" profile-name="<profile-name>" file="<filename>" temp_file="<temporary-filename>" virus="<name>" URL="<url>" username="<username>" roles="<roles>"

    AntiSpam: SPAM detected: name="<source-name>" source-ip=(<source-address>) profile-name="<profile-name>" action="<action>" reason="<reason>" username="<username>" roles="<roles>"

    Content Filtering: protocol="<argument>" <source-address>:<source-port>-><destination-address>:<destination-port> profile-name="<profile-name>" action="<action>" reason="<reason>" username="<username>" roles="<roles>"

    ApplicationProxy: Suspicious client <source-address>:<source-port>->(<destination-address>:<destination-port>) used <current-connections> connections, which exceeded the maximum allowed <maximum-value> connections. policy-name <policy-name> username <username> roles <roles>

    ApplicationProxy: session from <source-address>:<source-port> to <destination-address>:<destination-port> aborted due to <error-message> (code <error-code>), policy-name <policy-name>
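
    As an added example (not part of these release notes), the following Python parser extracts the key="value" fields introduced in Release 15.1X49-D70 and returns None for a line still in the pre-D70 positional layout, so a log pipeline can route each line to the right parser. The sample lines are constructed, and the src:port->dst:port match assumes IPv4 addresses.

```python
import re
from typing import Dict, Optional

# "<module>: [<event>: ]<body>"; the event part is absent in the D70
# Content Filtering message, which goes straight to protocol="...".
_PREFIX_RE = re.compile(r'^(?P<module>[A-Za-z ]+): (?:(?P<event>[^:"]+): )?(?P<body>.*)$')
# D70 fields: key="value", plus the key=(value) form of AntiSpam's source-ip.
_FIELD_RE = re.compile(r'(?P<key>[A-Za-z_-]+)=(?:"(?P<q>[^"]*)"|\((?P<p>[^)]*)\))')
# The src:port->dst:port tuple in the D70 AntiVirus and Content Filtering
# messages. IPv4 only (an assumption of this example, not of Junos).
_TUPLE_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_utm_message(msg: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the D70 structured fields as a flat dict, or None when the line
    has no key="value" fields: the pre-D70 layout, and also the APPPXY
    messages, which keep the space-separated 'policy-name <name> username <user>'."""
    m = _PREFIX_RE.match(msg)
    if not m:
        return None
    fields = list(_FIELD_RE.finditer(m["body"]))
    if not fields:
        return None
    rec: Dict[str, Optional[str]] = {"module": m["module"], "event": m["event"]}
    for f in fields:
        rec[f["key"]] = f["q"] if f["q"] is not None else f["p"]
    # Search for the tuple only outside quoted values, so a URL="..." that
    # happens to contain "->" cannot be mistaken for it.
    t = _TUPLE_RE.search(_FIELD_RE.sub("", m["body"]))
    if t:
        rec.update(t.groupdict())
    return rec


# Constructed sample lines (not real captures): three in the D70 layout, one pre-D70.
SAMPLES = [
    'AntiVirus: Virus detected: 10.1.1.5:40122->203.0.113.10:80 source-zone="trust" '
    'profile-name="junos-av-defaults" file="setup.exe" temp_file="/var/tmp/av_000123" '
    'virus="EICAR-Test-File" URL="http://203.0.113.10/setup.exe" username="alice" roles="eng"',
    'AntiSpam: SPAM detected: name="mail.example.net" source-ip=(198.51.100.7) '
    'profile-name="junos-as-defaults" action="tag" reason="blacklisted" username="bob" roles="eng"',
    'Content Filtering: protocol="HTTP" 10.1.1.5:40122->203.0.113.10:80 profile-name="junos-cf-defaults" '
    'action="blocked" reason="extension-block-list" username="alice" roles="eng"',
    'AntiVirus: Virus detected: from 10.1.1.5:40122 to 203.0.113.10:80 source-zone trust setup.exe '
    'file /var/tmp/av_000123 virus EICAR-Test-File URL:http://203.0.113.10/setup.exe username alice roles eng',
]
```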

VPN

  • Starting with Junos OS Release 15.1X49-D90, if VPN session affinity is enabled on SRX5400, SRX5600, and SRX5800 devices, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU). If the configured encryption or authentication changes, the tunnel overhead is updated on the anchor SPU when a new IPsec security association is established.
  • Starting with Junos OS Release 15.1X49-D80, the xauth access-profile option is being deprecated at the [edit security ike gateway gateway-name] hierarchy level and will no longer be supported in a future release. A new configuration option, aaa access-profile, is added at the [edit security ike gateway gateway-name] hierarchy level for Extended Authentication (XAuth) and Extensible Authentication Protocol (EAP) authentication. Also, AAA replaces the XAuth field names in the output of the show security ike active-peer, show security ike active-peer detail, show security ike security-association detail, and show security ipsec next-hop-tunnels commands.
  • The show security dynamic-vpn client version command is not supported for dynamic VPN.
  • Starting with Junos OS Release 15.1X49-D70, a warning message is displayed if you configure the establish-tunnels immediately option at the [edit security ipsec vpn vpn-name] hierarchy level on AutoVPN hubs with point-to-point tunnel interfaces. Committing the configuration succeeds; however, the establish-tunnels immediately configuration is ignored. The state of the point-to-point tunnel interface is always up.

    The establish-tunnels immediately option is not appropriate for AutoVPN hubs with point-to-point tunnel interfaces because multiple VPN tunnels may be associated with a single AutoVPN configuration.

Modified: 2017-11-28