Junos OS Release Notes for SRX Series
Junos OS Release 17.3R3 and later Junos OS 17.3 releases are not supported for SRX Series devices and vSRX instances. Junos OS Release 17.3R2 is the last release for the Junos OS 17.3 release train that is supported for SRX Series devices and vSRX instances.
To find the release notes for Junos OS Release 17.3 for releases that are supported for SRX Series devices, go to the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.
New and Changed Features
This section describes the new features and
enhancements to existing features in the Junos OS main release and
the maintenance releases for the SRX Series devices.
Release 17.3R2 New and Changed Features
There are no new features in Junos OS Release 17.3R2 for the SRX Series devices.
Release 17.3R1 New and Changed Features
Junos OS Release 17.3R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D75. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D75 are not available in 17.3R1.
New features for security platforms in Junos OS Release 17.3R1 include:
Flow and Processing
TCP out-of-state packet drop logging (SRX Series)—Starting in Junos OS Release 17.3R1, SRX Series devices support logging of unsynchronized TCP out-of-state packets that are dropped by the flow module.
Within any packet-switched network, when demand exceeds available capacity, packets are queued to hold the excess until the queue fills, after which packets are dropped. When TCP operates across such a network, it takes corrective action to maintain error-free end-to-end communication.
This feature supports recovery by logging the out-of-sync packets that the flow module drops, which helps maintain error-free communication and keeps database servers from going out of sync.
TCP packet drop logging occurs when:
TCP packets that trigger session creation are not synchronized.
TCP three-way handshake in flow fails.
TCP sequence check in flow fails.
TCP SYN packets are received in TCP FIN state.
The unsynchronized TCP out-of-state packet drop log is a packet-based log, not a session-based log.
TCP packets that are dropped by TCP-proxy and IDP are not logged.
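The four drop conditions above can be modelled as a small per-session state machine. The following is an added example, not Juniper code and not the SRX flow module: a toy flow table that tracks the handshake and sequence numbers of each TCP 4-tuple and emits one log record per dropped packet (packet-based, as the notes say). The packet format, window size and the sample packet sequence in demo() are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Standard TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
WINDOW = 65535  # constructed: accept sequence numbers up to this far ahead of the expected value


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0
    payload: int = 0  # payload length in bytes


@dataclass
class Session:
    initiator: Tuple[str, int]                              # (ip, port) of the host that sent the SYN
    state: str = "SYN_SENT"                                 # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED -> FIN
    next_seq: Dict[str, int] = field(default_factory=dict)  # expected next seq per direction


class FlowTable:
    """Minimal session table: accepts in-state TCP packets and logs each dropped packet."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple, Session] = {}
        self.drop_log: List[dict] = []  # one record per dropped packet, not per session

    @staticmethod
    def key(p: Packet) -> Tuple:
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))  # direction-independent 4-tuple

    def _drop(self, p: Packet, reason: str) -> str:
        self.drop_log.append({"src": f"{p.src}:{p.sport}", "dst": f"{p.dst}:{p.dport}",
                              "flags": p.flags, "reason": reason})
        return reason

    def process(self, p: Packet) -> Optional[str]:
        """Return None when the packet is accepted, otherwise the drop reason that was logged."""
        k = self.key(p)
        s = self.sessions.get(k)
        if s is None:
            # Case 1: only a bare SYN may create a session; anything else is unsynchronized
            if p.flags & SYN and not p.flags & ACK:
                self.sessions[k] = Session((p.src, p.sport), next_seq={"fwd": p.seq + 1})
                return None
            return self._drop(p, "session-creating packet not synchronized")
        d = "fwd" if (p.src, p.sport) == s.initiator else "rev"
        if s.state == "SYN_SENT":
            # Case 2a: the responder must answer with SYN/ACK acknowledging the initiator's SYN
            if d == "rev" and p.flags & SYN and p.flags & ACK and p.ack == s.next_seq["fwd"]:
                s.next_seq["rev"], s.state = p.seq + 1, "SYN_RECEIVED"
                return None
            return self._drop(p, "three-way handshake failed")
        if s.state == "SYN_RECEIVED":
            # Case 2b: the initiator's final ACK must match both sides' sequence numbers
            if (d == "fwd" and p.flags & ACK and not p.flags & SYN
                    and p.ack == s.next_seq["rev"] and p.seq == s.next_seq["fwd"]):
                s.next_seq["fwd"], s.state = p.seq + p.payload, "ESTABLISHED"
                return None
            return self._drop(p, "three-way handshake failed")
        # Case 4: a fresh SYN on a session that has already seen FIN
        if s.state == "FIN" and p.flags & SYN:
            return self._drop(p, "SYN received in FIN state")
        # Case 3: sequence number must fall inside the expected window (32-bit wraparound ignored)
        expected = s.next_seq[d]
        if not expected <= p.seq < expected + WINDOW:
            return self._drop(p, "sequence check failed")
        s.next_seq[d] = p.seq + p.payload + (1 if p.flags & FIN else 0)
        if p.flags & FIN:
            s.state = "FIN"
        return None


def demo() -> List[Optional[str]]:
    """Constructed packet sequence: a clean handshake followed by each of the four drop cases."""
    ft = FlowTable()
    c, srv = ("10.1.1.10", 40000), ("192.0.2.80", 443)
    pkts = [
        Packet(*c, *srv, SYN, seq=1000),                              # SYN creates the session
        Packet(*srv, *c, SYN | ACK, seq=5000, ack=1001),              # SYN/ACK accepted
        Packet(*c, *srv, ACK, seq=1001, ack=5001),                    # ACK: established
        Packet(*c, *srv, ACK, seq=1001, ack=5001, payload=100),       # data inside window
        Packet(*c, *srv, ACK, seq=900000, ack=5001),                  # far outside window: drop
        Packet(*c, *srv, FIN | ACK, seq=1101, ack=5001),              # FIN moves session to FIN state
        Packet(*c, *srv, SYN, seq=7000),                              # SYN in FIN state: drop
        Packet("10.1.1.11", 40001, *srv, ACK, seq=42, ack=1),         # no session, not a SYN: drop
        Packet("10.1.1.12", 40002, *srv, SYN, seq=1),                 # new session
        Packet(*srv, "10.1.1.12", 40002, SYN | ACK, seq=9, ack=999),  # wrong ack: handshake fails
    ]
    return [ft.process(p) for p in pkts]
```

Each entry in drop_log corresponds to exactly one packet, which is the distinction the notes draw between a packet-based and a session-based log; a flood of unsynchronized packets therefore produces a proportionally large number of records, something to size log collection for.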
IPS signature package update (SRX Series and vSRX instances)—Starting with Junos OS Release 17.3, when you upgrade from Junos OS Release 12.3X48 or 15.1X49 to Junos OS Release 17.3 or downgrade from Junos OS Release 17.3 to Junos OS Release 12.3X48 or 15.1X49, you must update the IPS signature package to avoid any IDP configuration commit failures. Update the IPS signature package by:
Downloading the IPS signature package.
Installing the IPS signature package update when the download completes.
When you upgrade from Junos OS Release 15.1X49 to Junos OS Release 17.3, the following warning message is displayed:
WARNING: A full install of the security package is required after reboot.
WARNING: Please perform a full update of the security package using
WARNING: "request security idp security-package download full-update"
WARNING: followed by
WARNING: "request security idp security-package install"
Interfaces and Chassis
Promiscuous mode support (SRX5400, SRX5600, SRX5800)—Promiscuous mode function is supported on the SRX5000 line MPC (SRX5K-MPC) on 1-Gigabit, 10-Gigabit, 40-Gigabit, and 100-Gigabit Ethernet interfaces on the MICs.
By default, an interface enables MAC filtering. You can configure promiscuous mode on the interface to disable MAC filtering. When you delete the promiscuous mode configuration, the interface will perform MAC filtering again. You can change the MAC address of the interface even when the interface is operating in promiscuous mode. When the interface is operating in normal mode again, the MAC filtering function on MPC uses the new MAC address to filter packets.
Junos OS XML API and Scripting
Support for Python language for commit, event, op, and SNMP scripts (SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices and vSRX instances)—Starting in Junos OS Release 17.3R1, you can author commit, event, op, and SNMP scripts in Python on devices that include the Python extensions package in the software image. Creating automation scripts in Python enables you to take advantage of Python features and libraries as well as leverage Junos PyEZ APIs supported in Junos PyEZ Release 1.3.1 and earlier releases to perform operational and configuration tasks on devices running Junos OS. To enable execution of Python automation scripts, which must be owned by either root or a user in the Junos OS super-user login class, configure the language python statement at the [edit system scripts] hierarchy level, and configure the filename for the Python script under the hierarchy level appropriate to that script type. Supported Python versions include Python 2.7.
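As an added example of a Python op script of the kind enabled by the language python statement (not Juniper code and not a script shipped with Junos OS), the following counts the configured security policies per zone pair and warns as the count approaches the platform limit (100,000 for SRX5400/5600/5800 in this release, as noted under Security Policies below). On the device it assumes the Junos Python extensions package, the jcs module and Junos PyEZ in on-box mode, and that the file is installed under /var/db/scripts/op, owned by root, and registered with set system scripts op file count-policies.py; those are assumptions about the environment, not facts from these notes. The parsing logic is a pure function, so off-box it falls back to the constructed sample configuration embedded below.

```python
#!/usr/bin/env python
import xml.etree.ElementTree as ET
from typing import Dict

POLICY_LIMIT = 100000   # SRX5400/5600/5800 maximum in Junos OS 17.3R1 (from these notes)
WARN_FRACTION = 0.9     # constructed threshold: warn at 90% of the limit


def count_policies(config_xml: str) -> Dict[str, int]:
    """Count security policies per from-zone->to-zone context (plus global) in a <configuration> XML string."""
    root = ET.fromstring(config_xml)
    counts: Dict[str, int] = {}
    # Junos nests each rule <policy> inside a context <policy> carrying the zone pair
    for ctx in root.iterfind("./security/policies/policy"):
        key = f"{ctx.findtext('from-zone-name')}->{ctx.findtext('to-zone-name')}"
        counts[key] = counts.get(key, 0) + len(ctx.findall("policy"))
    glob = root.find("./security/policies/global")
    if glob is not None:
        counts["global"] = len(glob.findall("policy"))
    return counts


def report(counts: Dict[str, int], limit: int = POLICY_LIMIT) -> str:
    """Render the per-context counts and a warning when the total nears the limit."""
    total = sum(counts.values())
    lines = [f"{k}: {v}" for k, v in sorted(counts.items())]
    lines.append(f"total: {total} of {limit}")
    if total >= limit * WARN_FRACTION:
        lines.append("WARNING: policy count is within 10% of the platform limit")
    return "\n".join(lines)


# Constructed sample in Junos configuration XML layout, used when not running on a device
SAMPLE_CONFIG = """<configuration><security><policies>
  <policy><from-zone-name>trust</from-zone-name><to-zone-name>untrust</to-zone-name>
    <policy><name>allow-web</name></policy><policy><name>allow-dns</name></policy>
  </policy>
  <policy><from-zone-name>untrust</from-zone-name><to-zone-name>trust</to-zone-name>
    <policy><name>deny-all</name></policy>
  </policy>
  <global><policy><name>log-everything</name></policy></global>
</policies></security></configuration>"""


def main() -> None:
    try:
        # On-box path (assumption): these modules exist only in the Junos Python extensions package
        import jcs                      # Junos scripting helpers (jcs.output writes to the CLI)
        from jnpr.junos import Device   # Junos PyEZ; Device() with no host connects on-box
        from lxml import etree
        with Device() as dev:
            cfg = dev.rpc.get_config(filter_xml=etree.XML(
                "<configuration><security><policies/></security></configuration>"))
            text = etree.tostring(cfg).decode()
        jcs.output(report(count_policies(text)))
    except ImportError:
        # Off-box: exercise the same logic against the constructed sample
        print(report(count_policies(SAMPLE_CONFIG)))


if __name__ == "__main__":
    main()
```

Because count_policies and report take plain strings and dictionaries, they can be unit-tested on a workstation before the script is copied to the device; only main() touches device-specific modules.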
Layer 2 Features
LACP support in Layer 2 transparent mode (SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 17.3R1, LACP is supported in Layer 2 transparent mode in addition to existing support in Layer 3 mode.
When the SRX Series device uses LACP to bundle the member links, it creates high-speed connections, also known as a fat pipe, with peer systems. Bandwidth can be increased by adding member links. Increased bandwidth is especially important for redundant Ethernet (reth) and aggregated Ethernet (ae) interfaces. LACP also provides automatic determination, configuration, and monitoring of member links.
LACP is compatible with other peers that run the 802.3ad LACP protocol. It automatically binds member links without manually configuring the LAG, thereby avoiding errors.
Tentative sessions are created for all interfaces in a particular VLAN. If there is a large amount of one-way traffic, numerous tentative sessions are created. When the number of sessions reaches the maximum limit, the vector fails and packet loss might be seen.
Support for adding non-native YANG modules to the Junos OS schema (SRX345, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices and vSRX instances)—Starting in Junos OS Release 17.3R1, you can load custom YANG models on devices running Junos OS to add data models that are not natively supported by Junos OS but can be supported by translation. Doing this enables you to extend the configuration hierarchies and operational commands with data models that are customized for your operations. The ability to add data models to a device is also beneficial when you want to create device-agnostic and vendor-neutral data models that enable the same configuration or RPC to be used on different devices from one or more vendors. You can load custom YANG modules by using the request system yang add operational command.
Maximum number of security policies increased (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 17.3R1, the maximum number of security policies for SRX5400, SRX5600, and SRX5800 devices has increased from 80,000 to 100,000.
Software Installation and Upgrade
Support for FreeBSD version 10 for Junos OS (SRX5800, SRX5600, SRX5400)—Starting with Junos OS Release 17.3R1, on the SRX5000 line of devices, FreeBSD version 10 is the underlying operating system for Junos OS. Junos OS with upgraded FreeBSD is based on an upgraded FreeBSD kernel instead of older versions of FreeBSD. The newer FreeBSD kernel base provides Junos OS with sophisticated processing, efficiency, and security.
On the SRX5000 line of devices, use the no-validate flag (request system software add <filename> no-validate) to upgrade or downgrade between Junos OS Release 17.3 and previous releases.
Along with the upgraded FreeBSD, the System Snapshot feature has been enhanced on the SRX5000 line of devices. For more details, see Junos OS with Upgraded FreeBSD.
User Interface and Configuration
Support for configuring the ephemeral database using the NETCONF and Junos XML protocols (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices and vSRX instances)—Starting in Junos OS Release 17.3R1, NETCONF and Junos XML protocol client applications can configure the ephemeral configuration database, which is an alternate configuration database that enables multiple clients to simultaneously load and commit configuration changes on a device running Junos OS and with significantly greater throughput than when committing data to the candidate configuration database. Junos OS provides a default instance and up to eight user-defined instances of the ephemeral configuration database. The device’s active configuration is a merged view of the committed configuration database and the configuration data in all instances of the ephemeral configuration database. Ephemeral configuration data is volatile and is deleted upon rebooting the device.
This section lists the issues fixed in the Junos OS main release and the maintenance releases.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Resolved Issues: 17.3R2
Application Layer Gateways (ALGs)
The pfed process crashes and generates core files. PR1292992
Authentication and Access Control
SRX Series device assigns IP address 0.0.0.0 to xauth clients. PR1315999
The SRX1500 stops forwarding traffic randomly. PR1277435
Duplicate RFSP IE drops the GTP packet. PR1284311
After software upgrade, the cluster goes to short split-brain when rebooting RG0 secondary, and multiple errors and issues are seen. PR1288819
ISSU can be unsuccessful if control-link-recovery is configured. PR1303948
On SRX1500 devices, CoS scheduler and shaping do not work on IRB interface. PR1292187
Ping to the VRRP virtual IP (VIP) address fails when VRRP is configured on a VLAN-tagged (vlan-tagging) interface. This affects only IOC2 and IOC3 cards in SRX5000 line devices. PR1293808
Flow-Based and Packet-Based Processing
ECMP does not work for traffic with ECN enabled and with IPv6. PR1265576
On SRX1500 devices, core files are generated when J-Flow is enabled. PR1271466
More CPU threshold warnings are seen than in the previous releases. PR1291506
SCTP association capacity cannot reach up to 20K. PR1299186
The name daemon (named) might crash if the SRX Series device is configured for dns-proxy. PR1307435
J-Web removes backslash character on source identity object when committing changes. PR1304608
Network Address Translation (NAT)
The show security zones detail command causes memory leak. PR1269525
Network Management and Monitoring
The mib2d process might crash when polling the OID ifStackStatus.0 after a logical interface (IFL) of lo0 is deleted. PR1286351
The show arp no-resolve interface X command for a nonexistent interface X shows all unrelated static ARP entries. PR1299619
Platform and Infrastructure
The SRX Series device does not process traffic due to a burst of IPv6 NA packets. PR1293673
Resolved Issues: 17.3R1
Interfaces and Chassis
On SRX1500, if Junos OS Release 15.1X49-D70 or later is installed and you have a single PEM in slot 0, you will see an alarm saying PEM 1 is not present. PR1265795
Layer 2 Ethernet Services
On SRX1500 devices, when configuring the devices to switching mode, an IRB interface located in a custom routing-instance is not reachable. PR1234000
Platform and Infrastructure
On SRX Series devices in a chassis cluster, if sampling is used, the flowd process fails and core files are seen on both the nodes, when the route is updated through dynamic protocols such as BGP. PR1249254
Routing Policy and Firewall Filters
Starting in Junos OS Release 15.1X49-D100, a new default application, application junos-smtps, has been added for secured e-mail traffic using port 587 or 465. To view the new default policy, use the show configuration groups junos-defaults applications command. PR1273725
Unified Threat Management (UTM)
Some web-cam traffic that contains a nonstandard HTTP boundary format causes SRX Series UTM/SAV to hold the traffic (mbufs), which later causes a failover. PR1283806
On SRX5400, SRX5600, and SRX5800 devices, the st0 interface global counter statistics do not increment and remain zero, although traffic passes through the tunnel sub-interfaces such as st0.0 and st0.1. PR1171958
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.
Upgrade and Downgrade Scripts for Address Book Configuration
Beginning with Junos OS Release 12.1, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).
You can either define all address books under the [security] hierarchy in a zone-attached configuration format or under the [security zones] hierarchy in a zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both configuration formats on one system.
Juniper Networks provides Junos operation scripts that allow you to work in either of the address book configuration formats (see Figure 1).
About Upgrade and Downgrade Scripts
After downloading Junos OS Release 12.1, you have the following options for configuring the address book feature:
Use the default address book configuration—You can configure address books using the zone-defined configuration format, which is available by default. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.
Use the upgrade script—You can run the upgrade script available on the Juniper Networks support site to configure address books using the new zone-attached configuration format. When upgrading, the system uses the zone names to create address books. For example, addresses in the trust zone are created in an address book named trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules remain unaffected.
After upgrading to the zone-attached address book configuration:
You cannot configure address books using the zone-defined address book configuration format; the CLI displays an error and fails to commit.
You cannot configure address books using the J-Web interface.
For information on how to configure zone-attached address books, see the Junos OS Release 12.1 documentation.
Use the downgrade script—After upgrading to the zone-attached configuration, if you want to revert to the zone-defined configuration, use the downgrade script available on the Juniper Networks support site. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.
Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.
Running Upgrade and Downgrade Scripts
The following restrictions apply to the address book upgrade and downgrade scripts:
The scripts cannot run unless the configuration on your system has been committed. Thus, if the zone-defined address book and zone-attached address book configurations are present on your system at the same time, the scripts will not run.
The scripts cannot run when the global address book exists on your system.
If you upgrade your device to Junos OS Release 12.1 and configure logical systems, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert the existing zone-defined configuration to the zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.
You cannot run the downgrade script on logical systems.
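To make the conversion and its restrictions concrete, here is an added example, not Juniper's upgrade or downgrade op script, that performs the same rewrite on Junos set-style configuration lines: zone-defined address-book statements under security zones security-zone <zone> address-book become entries in an address book named <zone>-address-book that is attached to the zone, and the reverse for a downgrade. It refuses to run when both formats are present or when a global address book exists, as the restrictions above require, and passes NAT and other statements through untouched. The configuration lines in SAMPLE are constructed.

```python
from typing import List

ZONE_DEFINED = "set security zones security-zone "   # pre-12.1 format: address-book under the zone
ZONE_ATTACHED = "set security address-book "         # 12.1+ format: address-book attached to the zone


def classify(lines: List[str]) -> str:
    """Return 'zone-defined', 'zone-attached', 'mixed' or 'none' for the address-book statements present."""
    defined = any(l.startswith(ZONE_DEFINED) and " address-book " in l for l in lines)
    attached = any(l.startswith(ZONE_ATTACHED) for l in lines)
    if defined and attached:
        return "mixed"
    return "zone-defined" if defined else "zone-attached" if attached else "none"


def _check_runnable(lines: List[str]) -> None:
    # Mirrors the two script restrictions: a committed single format, and no global address book
    if classify(lines) == "mixed":
        raise ValueError("both address-book formats present; commit a single format first")
    if any(l.startswith(ZONE_ATTACHED + "global ") for l in lines):
        raise ValueError("global address book exists; the conversion scripts will not run")


def upgrade(lines: List[str]) -> List[str]:
    """Zone-defined -> zone-attached: one address book per zone, named <zone>-address-book."""
    _check_runnable(lines)
    out, attached = [], set()
    for l in lines:
        if l.startswith(ZONE_DEFINED) and " address-book " in l:
            zone, rest = l[len(ZONE_DEFINED):].split(" address-book ", 1)
            book = f"{zone}-address-book"
            out.append(f"{ZONE_ATTACHED}{book} {rest}")
            if book not in attached:
                out.append(f"{ZONE_ATTACHED}{book} attach zone {zone}")
                attached.add(book)
        else:
            out.append(l)  # NAT rules and all other statements are unaffected
    return out


def downgrade(lines: List[str]) -> List[str]:
    """Zone-attached -> zone-defined: fold each book attached to exactly one zone back under that zone."""
    _check_runnable(lines)
    attach = {}  # book name -> list of zones it is attached to
    for l in lines:
        if l.startswith(ZONE_ATTACHED) and " attach zone " in l:
            book, zone = l[len(ZONE_ATTACHED):].split(" attach zone ", 1)
            attach.setdefault(book, []).append(zone)
    out = []
    for l in lines:
        if not l.startswith(ZONE_ATTACHED):
            out.append(l)
            continue
        if " attach zone " in l:
            continue  # the attachment is implied by the zone-defined hierarchy
        book, rest = l[len(ZONE_ATTACHED):].split(" ", 1)
        zones = attach.get(book, [])
        if len(zones) != 1:
            raise ValueError(f"address book {book} is attached to {len(zones)} zones; cannot fold it under one zone")
        out.append(f"{ZONE_DEFINED}{zones[0]} address-book {rest}")
    return out


# Constructed sample configuration in the zone-defined (pre-12.1) format
SAMPLE = [
    "set security zones security-zone trust interfaces ge-0/0/0.0",
    "set security zones security-zone trust address-book address web-server 10.0.1.5/32",
    "set security zones security-zone trust address-book address-set web-servers address web-server",
    "set security zones security-zone untrust address-book address partner-net 198.51.100.0/24",
    "set security nat source pool p1 address 203.0.113.10/32",
]
```

Running downgrade(upgrade(SAMPLE)) returns SAMPLE unchanged, which is the property to check before and after the real scripts are used; the downgrade path additionally refuses a book attached to several zones, since the zone-defined format has no way to express that.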
For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.
Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases
Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Release 12.3X48 is an EEOL release. You can upgrade from Junos OS Release 12.1X46 to Release 12.3X48 or even from Junos OS Release 12.3X48 to Release 15.1X49-D10. For upgrading from Junos OS Release 12.1X47-D15 to Junos OS Release 15.1X49-D10, ISSU is supported. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind.
To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
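The policy above can be checked mechanically. The following is an added example, not a Juniper tool: given an ordered release train with EEOL markers, is_direct() applies the two rules (a hop may span at most three releases, or join two EEOL releases that are at most two EEOL releases apart), and plan() finds a shortest sequence of permitted hops, which generalizes the "go to the next EEOL release first" guidance to any pair of releases. The release names and EEOL flags in RELEASES are constructed for illustration and are not Juniper's EEOL list; use the EEOL page cited below for real planning.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed, ordered release train: (release name, is_EEOL). Not Juniper's real list.
RELEASES: List[Tuple[str, bool]] = [
    ("R1", False), ("R2", True), ("R3", False), ("R4", False), ("R5", False),
    ("R6", True), ("R7", False), ("R8", False), ("R9", True), ("R10", False),
    ("R11", False), ("R12", False), ("R13", True), ("R14", False),
]
NAMES = [r for r, _ in RELEASES]
EEOL = {r for r, flag in RELEASES if flag}
EEOL_ORDER = [r for r in NAMES if r in EEOL]
MAX_SPAN = 3        # a hop between arbitrary releases may span at most three releases
MAX_EEOL_HOPS = 2   # an EEOL release may jump to the EEOL release one or two positions away


def is_direct(cur: str, tgt: str) -> bool:
    """True if the policy permits a single upgrade or downgrade from cur to tgt."""
    if abs(NAMES.index(cur) - NAMES.index(tgt)) <= MAX_SPAN:
        return True
    if cur in EEOL and tgt in EEOL:
        return abs(EEOL_ORDER.index(cur) - EEOL_ORDER.index(tgt)) <= MAX_EEOL_HOPS
    return False


def plan(cur: str, tgt: str) -> Optional[List[str]]:
    """Breadth-first search over permitted hops; returns the release sequence or None if unreachable."""
    parent: Dict[str, Optional[str]] = {cur: None}
    queue = deque([cur])
    while queue:
        node = queue.popleft()
        if node == tgt:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in NAMES:  # ascending order keeps the search deterministic
            if nxt not in parent and is_direct(node, nxt):
                parent[nxt] = node
                queue.append(nxt)
    return None
```

With this train, plan("R1", "R14") returns ["R1", "R2", "R6", "R13", "R14"]: a short hop onto the first EEOL release, two EEOL-to-EEOL jumps, and a final short hop; every adjacent pair satisfies is_direct(). A four-release span between non-EEOL releases, such as R1 to R5, is correctly rejected as a single hop.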
For more information about EEOL releases and to review a list of EEOL releases, see https://support.juniper.net/support/eol/software/junos/.
For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.
For information about ISSU, see the Chassis Cluster User Guide for Security Devices.
To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product.
To determine the features supported on SRX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: https://pathfinder.juniper.net/feature-explorer/