Junos OS Release Notes for SRX Series

These release notes accompany Junos OS Release 17.4R2 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 17.4R2 for the SRX Series devices.

Release 17.4R2 New and Changed Features

Junos OS Release 17.4R2 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 15.1X49-D80 through 15.1X49-D100. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D100 are not available in 17.4 releases.

Chassis Cluster

  • Nonstop active routing (NSR) (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 17.4R2, SRX5000 Series devices support NSR. NSR uses the same infrastructure as graceful Routing Engine switchover (GRES) to preserve interface and kernel information. NSR saves routing protocol information by running the routing protocol process (rpd) on the backup Routing Engine.

    To configure NSR, include the nonstop-routing statement at the [edit routing-options] hierarchy level.

    Use the show task replication and show bgp replication commands to check the NSR configuration status.

    [See Nonstop Active Routing Concepts and Configuring Nonstop Active Routing.]

Release 17.4R1-S1 New and Changed Features

Junos OS Release 17.4R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/SRX4200, SRX5400, SRX5600, and SRX5800.

Junos OS Release 17.4R1-S1 supports the SRX4600 device.

Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 15.1X49-D80 through 15.1X49-D100. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D100 are not available in 17.4 releases.

Note

Junos OS for SRX Series Software documentation includes information about the SRX4600 Services Gateway.

New features for security platforms in Junos OS Release 17.4R1 and Junos OS Release 17.4R1-S1 include:

Chassis Cluster

  • Media Access Control Security (MACsec) (SRX4600)—Starting in Junos OS Release 17.4R1-S1, Media Access Control Security (MACsec) is supported on the HA control and fabric ports of SRX4600 devices in chassis cluster mode to secure the point-to-point Ethernet links between the two nodes in a cluster.

    In the SRX chassis cluster implementation, the control and fabric links carry security-sensitive traffic between the two nodes in clear text, so it is important to encrypt the data between the two nodes. MACsec is an industry-standard security technology that provides secure communication and identifies and prevents most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec can be used in combination with other security protocols to provide end-to-end network security.

    [See Understanding Media Access Control Security (MACsec).]

Hardware

  • SRX4600 Services Gateway—Starting with Junos OS Release 17.4R1-S1, SRX4600 Services Gateways are available as next-generation, high-performance, and scalable security services devices. The services gateway supports 75-Gbps Internet mix (IMIX) throughput and is suited for large enterprises and small to medium data centers. The SRX4600 Services Gateway provides industry-leading next-generation firewall capabilities (AppID, UserFW, IPS, UTM, and so on) and advanced threat detection and mitigation features such as SecIntel and Sky ATP. The services gateway features two high-performance Intel Xeon processors with 14 cores per processor.

Platforms and Infrastructure

  • Software support for SRX4600 devices—Starting in Junos OS Release 17.4R1-S1, Junos OS supports the SRX4600 Services Gateway. The SRX4600 device is a high-end dynamic services gateway that consolidates security functionality, networking services, and uncompromised performance for medium to large enterprises. With advanced security and threat mitigation capabilities, the SRX4600 device can be used as a campus edge integrated firewall, data center edge firewall, data center core firewall, LTE security gateway, and Gi/SGi firewall.

    The SRX4600 device supports Juniper’s Software-Defined Secure Network (SDSN) framework, including Sky Advanced Threat Prevention (Sky ATP), which is built around automated and actionable intelligence that can be shared quickly to recognize and mitigate threats.

    The SRX4600 device supports the following software features:

    • Stateful firewall

    • Application security suite

    • UTM (Sophos AV, Web filtering, content filtering, and antispam)

    • IDP

    • Advanced anti-malware

    • High availability (Chassis cluster)

      • Dual HA control ports (10G)

      • MACsec support for HA ports

    • Ethernet interfaces through QSFP28 (100G modes), QSFP+ (40G/4x10G modes) and SFP+ (10G mode)

    • IPsec VPN, including AutoVPN and Group VPNv2

    • QoS and network services

    • J-Web

    • Routing policies with multicast

    The SRX4600 dedicates an individual thread to each session; that thread manages the session and its flow. As a result, the out-of-order packet problems that can occur with concurrent processing are eliminated.

    The installation packages available for SRX4600 devices are Preboot Execution Environment (PXE), the USB install media package, and CLI upgrade.

    You can use the show chassis hardware command to display the part number and the model number of the SRX4600 device.

    You can use the show security ipsec tunnel-distribution command to display the number of VPN tunnels anchored in each thread ID.

    [See Understanding Flow Processing on the SRX4600 Device.]

Security

  • Secure Boot (SRX4600)—Starting in Junos OS Release 17.4R1-S1, a significant system security enhancement, Secure Boot, has been introduced. The Secure Boot implementation is based on the UEFI 2.4 standard. The BIOS has been hardened and serves as a core root of trust. The BIOS updates, the bootloader, and the kernel are cryptographically protected. Secure boot is enabled by default on supported platforms.

    [See Feature Explorer and enter Secure Boot.]

System Logging

  • On-box reporting enhancements (SRX Series, vSRX instances)—Starting in Junos OS Release 17.4R1, SRX4600 devices support the on-box reporting feature, which is already supported on SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200 devices and vSRX instances. Also, the on-box reports are now enhanced to provide comprehensive and detailed reports.

    The on-box reporting feature now provides the following enhancements:

    • AppTrack API gets information on application category, subcategory, and risk level. An RTLOG module uses this API to get and send information to the local log management process (daemon).

    • Reports for applications, categories, subcategories, risk levels, and botnet threats are now by count and volume.

    • Application information is generated in UTM log reports.

    • Logs can now be listed from latest to oldest. Previously, logs were sorted only from oldest to latest.

    • SRX4600 devices now have a hard disk partition available to save traffic logs.

    [See Understanding On-Box Logging and Reporting.]

Release 17.4R1 New and Changed Features

Junos OS Release 17.4R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/SRX4200, SRX5400, SRX5600, and SRX5800.

Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 15.1X49-D80 through 15.1X49-D100. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D100 are not available in 17.4 releases.

ALG

  • H.323 gateway-to-gateway support (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, the gateway-to-gateway call feature is supported on the H.323 ALG. This feature introduces one-to-many mapping between an H.225 control session and H.323 calls as multiple H.323 calls go through a single control session.

    [See Understanding H.323 ALG.]

  • NAT64 support for H.323 ALG (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, the H.323 ALG supports NAT64 rules in an IPv6 network.

    [See Understanding H.323 ALG.]

Application Security

  • Advanced policy-based routing (APBR) with midstream support (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, SRX Series Services Gateways support advanced policy-based routing (APBR) with an additional enhancement to apply the APBR in the middle of a session (midstream support). With this enhancement, you can apply APBR for a non-cacheable application and also for the first session of the cacheable application.

    You can fine-tune the outbound traffic with APBR configuration (for example, limiting route changes and terminating sessions) to avoid issues such as excessive transitions due to frequent route changes.

    The enhancement provides more flexible traffic-handling capabilities that offer granular control for forwarding packets.

    [See Understanding Advanced Policy-Based Routing.]

  • Application tracking enhancements to support category and subcategory (SRX Series, vSRX instances)—Starting from Junos OS Release 17.4R1, AppTrack session create, session close, and volume update logs include the new fields category and subcategory. AppTrack syslog messages provide general information about the application type; including the category and subcategory of the application in the message helps in categorizing the applications.

    [See Understanding AppTrack.]

Authentication and Access

  • User firewall support for IPv6 (SRX Series, vSRX instances)—Starting in Junos OS Release 17.4R1, SRX Series devices support IPv6 addresses for user firewall (UserFW) authentication. This feature allows IPv6 traffic to match any security policy configured for source identity. Previously, if a security policy was configured for source identity and “any” was specified for its IP address, the UserFW module ignored the IPv6 traffic. IPv6 addresses are supported for the following authentication sources:

    • Active directory authentication table

    • Device identity with active directory authentication

    • Local authentication table

    • Firewall authentication table

    [See Overview of Integrated User Firewall.]

Chassis Cluster

  • Preemptive delay timer (SRX Series)—Starting with Junos OS Release 17.4R1, a failover delay timer is introduced on SRX Series devices in a chassis cluster to limit the flapping of redundancy group state between the secondary and the primary nodes in a preemptive failover.

    Back-to-back failovers of a redundancy group in a short interval can cause the cluster to exhibit unpredictable behavior because of flapping of the active and backup systems.

    To prevent this, a delay timer can be configured to delay the immediate failover for a configured period of time, between 1 and 21,600 seconds. In addition, you can configure the preemptive limit to restrict the number of failovers (1 to 50) in a given time period (1 to 1440 seconds) when preemption is enabled for a redundancy group.

    This enhancement enables the administrator to introduce a failover delay, which can reduce the number of failovers and result in a more stable network state due to the reduction in active / backup flapping within the redundancy group.

    [See Understanding Chassis Cluster Redundancy Group Failover.]
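    A small model of the delay timer and preempt limit described above, as an added example that is not Juniper code or the device's implementation. The class, its method names and the sample timestamps are constructed; the accepted value ranges are the ones the note states.

```python
"""Model of a preemptive failover guarded by a delay timer and a preempt
limit, as described above. Added example, not Juniper code; class name,
methods and sample timestamps are constructed. The accepted ranges are
those the release note states."""
from collections import deque
from typing import Deque, Optional

DELAY_RANGE = (1, 21_600)   # preempt delay, seconds
LIMIT_RANGE = (1, 50)       # preempt limit, failovers per period
PERIOD_RANGE = (1, 1_440)   # preempt period, seconds


def _check_range(name: str, value: int, lo: int, hi: int) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}..{hi}")


class PreemptGuard:
    """Tracks one redundancy group with preemption enabled."""

    def __init__(self, delay: int, limit: int, period: int) -> None:
        _check_range("delay", delay, *DELAY_RANGE)
        _check_range("limit", limit, *LIMIT_RANGE)
        _check_range("period", period, *PERIOD_RANGE)
        self.delay, self.limit, self.period = delay, limit, period
        self.pending_at: Optional[float] = None   # earliest time the failover may run
        self.history: Deque[float] = deque()      # times of completed failovers

    def preempt_condition(self, now: float) -> float:
        """A higher-priority node became eligible: arm the delay timer
        (re-arming while it already runs does not extend it)."""
        if self.pending_at is None:
            self.pending_at = now + self.delay
        return self.pending_at

    def condition_cleared(self) -> None:
        """Eligibility vanished before the timer expired: cancel, so a short
        blip produces no failover at all."""
        self.pending_at = None

    def tick(self, now: float) -> str:
        """Advance the clock. Returns 'idle', 'waiting', 'failover' or
        'limited' (the limit was already reached inside the current period)."""
        if self.pending_at is None:
            return "idle"
        if now < self.pending_at:
            return "waiting"
        self.pending_at = None
        # Sliding window: forget failovers older than the preempt period.
        while self.history and now - self.history[0] >= self.period:
            self.history.popleft()
        if len(self.history) >= self.limit:
            return "limited"
        self.history.append(now)
        return "failover"


if __name__ == "__main__":
    guard = PreemptGuard(delay=10, limit=2, period=60)
    guard.preempt_condition(0)
    for t in (5, 10):
        print(t, guard.tick(t))   # waiting at t=5, failover at t=10
```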

Class of Service (CoS)

  • Support for CoS on dl0 Interface on SRX320, SRX340, SRX345, and SRX550M devices—Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can configure the following class of service (CoS) features on the dl0 interface for 4G wireless modems: behavior aggregate classifiers, multifield classifiers, policers, shapers, schedulers, and rewrite rules. The dialer interface, dl0, is a logical interface for configuring properties for modem connections.

    [See LTE Mini-PIM Overview.]

  • Support for CoS on Logical Tunnel Interfaces in a Chassis Cluster on SRX300, SRX320, SRX340, SRX345, and SRX550M devices—Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, queuing is supported on logical tunnel (lt) interfaces to allow CoS configuration.

    [See CoS Queuing for Tunnels Overview.]

  • Support for port-based egress traffic shaping and policing on SRX Series devices—Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can configure egress traffic shaping and policing at the physical port level, which limits the egress traffic rate of all logical interfaces on the port.

    [See shaping-rate (CoS Interfaces).]

Flow-based and Packet-based Processing

  • Hash-based session distribution (SRX5400, SRX5600, SRX5800)—Starting with Junos OS Release 17.4R1, traffic is hashed and distributed to different SPUs by the IOC, based on a hash-based session distribution algorithm. This enhancement provides an even hash distribution among all SPUs by using a larger fixed-length hash table. In earlier Junos OS releases, the traffic distribution was uneven among all SPUs in some cases due to a smaller fixed-length hash table.

    [See Understanding Load Distribution in SRX5800, SRX5600, and SRX5400 Devices and vSRX.]

GPRS

  • Support for GTP handover group (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 devices and vSRX instances)—Starting with Junos OS Release 17.4R1, GTP handover group configuration is supported on GTP profiles. An administrator can configure a GTP profile and associate a GTP handover group to a GTP profile.

    A GTP handover group is a set of SGSNs or serving gateways (SGWs) that share a common address book. When a GTP handover group name is referenced by a GTP profile, the device checks whether the current SGSN/SGW address and the proposed SGSN/SGW address are contained within the same GTP handover group. If both the current and proposed SGSN/SGW addresses are contained within the same GTP handover group, the handover is allowed. If the current and proposed SGSN/SGW addresses are not within the same GTP handover group, the profile for the default handover group is used.

    This feature enables the administrator to define policies that determine whether handover can happen between individual SGSNs/SGW and/or groups of SGSNs/SGW for roaming.

    [See GTP Handover Group Overview.]
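    The handover-group decision described above, modeled as an added example that is not Juniper code or the device's implementation. The group names, prefixes and SGSN/SGW addresses are constructed for illustration.

```python
"""Model of the GTP handover-group check described above: a handover is
allowed when the current and proposed SGSN/SGW addresses fall in the same
group; otherwise the profile's default handover group decides.
Added example, not Juniper code; group names, prefixes and addresses are
constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_groups(spec: Dict[str, List[str]]) -> Dict[str, List[IPNetwork]]:
    """Parse 'group name -> SGSN/SGW prefixes'. A bare host address is
    accepted and becomes a /32 or /128, since the note allows a single
    address as well as a subnet in the address book."""
    return {
        name: [ipaddress.ip_network(p, strict=False) for p in prefixes]
        for name, prefixes in spec.items()
    }


def groups_containing(groups: Dict[str, List[IPNetwork]], addr: str) -> Set[str]:
    """Names of every handover group whose address book covers addr."""
    ip = ipaddress.ip_address(addr)
    return {
        name
        for name, nets in groups.items()
        if any(n.version == ip.version and ip in n for n in nets)
    }


def evaluate_handover(
    groups: Dict[str, List[IPNetwork]], current: str, proposed: str
) -> Tuple[str, Optional[str]]:
    """Return ('allow', group) when both addresses share a handover group,
    otherwise ('default-group', None), meaning the profile's default
    handover group is consulted instead."""
    shared = groups_containing(groups, current) & groups_containing(groups, proposed)
    if shared:
        # An address may sit in several groups; report one deterministically.
        return "allow", sorted(shared)[0]
    return "default-group", None


# Constructed sample handover groups (documentation address ranges only).
HANDOVER_GROUPS = build_groups({
    "roaming-partner-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "home-sgw": ["198.51.100.10", "198.51.100.11"],
})


if __name__ == "__main__":
    for cur, prop in [("192.0.2.5", "192.0.2.200"),
                      ("192.0.2.5", "198.51.100.10"),
                      ("2001:db8:a::1", "2001:db8:a:ffff::1"),
                      ("203.0.113.1", "192.0.2.5")]:
        print(cur, "->", prop, evaluate_handover(HANDOVER_GROUPS, cur, prop))
```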

Hardware

  • SRX345 Services Gateway (DC power supply model)—The SRX345 Services Gateway now includes a DC model. The DC model has a single internal power supply, which is not field-replaceable. The DC model supports the same features as those supported on the existing SRX345 Services Gateways. The minimum Junos OS release supported on the DC model is 17.4R1. The services gateway can be managed using the CLI, Junos Space, and J-Web.

    [See SRX345 Services Gateway Description.]

Interface and Chassis

  • MACsec support (SRX300, SRX320, SRX340 and SRX345)—Starting in Junos OS Release 17.4R1, Media Access Control Security (MACsec) is supported on all MACsec-capable ports of SRX300, SRX320, SRX340 and SRX345 devices.

    On SRX300 line devices, MACsec is supported on the following ports:

    • SRX300 and SRX320: 2 ports (on two fixed SFP interfaces)

    • SRX340 and SRX345: 16 ports (on eight fixed SFP interfaces + eight fixed Ethernet ports)

    [See Understanding Media Access Control Security (MACsec).]

  • PPPoE support on SRX Series and vSRX devices—Starting in Junos OS Release 17.4R1, SRX Series devices and vSRX support Point-to-Point Protocol over Ethernet (PPPoE). You can connect multiple hosts on an Ethernet LAN to a remote site through a single customer premises equipment (CPE) device. The hosts share a common digital subscriber line (DSL), a cable modem, or a wireless connection to the Internet.

    [See Understanding PPPoE Interfaces.]

  • RFC 4638 support for SRX300, SRX320, SRX340, SRX345, and SRX550M devices—Starting in Junos OS Release 17.4R1, you can use the PPP-Max-Payload option to override the default behavior of the PPPoE client by providing a maximum size that the PPP payload can support in both sending and receiving directions. The PPPoE server might allow the negotiation of an MRU larger than 1492 and the use of an MTU larger than 1492.

    [See Understanding MTU and MRU Configuration for PPP Subscribers.]

Installation and Upgrade

  • Upgraded FreeBSD support (SRX1500, SRX4100, SRX4200, and vSRX instances)—Starting with Junos OS Release 17.4R1, the Junos Control Plane (JCP) virtual machine (VM) in SRX Series devices is upgraded to support FreeBSD 11. Two virtual CPUs (vCPUs) are allocated to the JCP VM in the Linux host to improve Routing Engine performance for SRX4100 and SRX4200 devices and vSRX instances. For vSRX, additional vCPUs are allocated if you allocate more CPUs than the minimum required. For SRX1500 devices, no additional CPUs are available to allocate to the JCP VM.

    [See Understanding Junos OS with Upgraded FreeBSD for SRX Series Devices.]

Logical System

  • Logical system (LSYS) support (SRX1500)—Starting in Junos OS Release 17.4R1, the logical system feature is supported on SRX1500 devices in addition to the existing support on SRX Series devices such as SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800. A logical system provides virtualization on a device that is partitioned into multiple logical administrative segments. Each segment can have its own security, routing, and bridging attributes.

    [See Understanding Logical Systems for SRX Series Services Gateways.]

Management

  • Support for multiple, smaller configuration YANG modules (SRX Series)—Starting in Junos OS Release 17.4R1, the YANG module for the Junos OS configuration schema is split into a root configuration module that is augmented by multiple, smaller modules. The root configuration module comprises the top-level configuration node and any nodes that are not emitted as separate modules. Separate, smaller modules augment the root configuration module for the different configuration statement hierarchies. Smaller configuration modules enable YANG tools and utilities to more quickly and efficiently compile and work with the modules, because they only need to import the modules required for the current operation.

    [See Understanding the YANG Modules That Define the Junos OS Configuration.]

NAT

  • Source NAT resource allocation improved (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 17.4R1, source NAT resources handled by the central point architecture are offloaded to the SPUs when more than four SPCs are installed, resulting in more efficient resource allocation.

    [See Understanding Central Point Architecture Enhancements for NAT.]

Routing Policy and Firewall Filters

  • Maximum number of addresses per security policy increased (SRX550M)—Starting in Junos OS Release 17.4R1, the maximum number of addresses per policy has been increased from 1024 to 2048 for SRX550M. SRX300, SRX320, SRX340 and SRX345 devices already support 2048 source and 2048 destination addresses per policy.

Routing Protocols

  • Support for EBGP route server (SRX Series)—Starting in Junos OS Release 17.4R1, the BGP feature is enhanced to support EBGP route server functionality. A BGP route server is the external BGP (EBGP) equivalent of an internal BGP (IBGP) route reflector and reduces the number of direct point-to-point EBGP sessions required in a network. An EBGP route server propagates unmodified BGP routing information between external BGP peers to facilitate high-scale exchange of routes at peering points such as Internet Exchange Points (IXPs). When BGP is configured as a route server, EBGP routes are propagated between peers unmodified, with full attribute transparency (NEXT_HOP, AS_PATH, MULTI_EXIT_DISC, AIGP, and Communities).

    The BGP JET bgp_route_service.proto API has been enhanced to support route server functionality as follows:

    • Program the EBGP route server.

    • Inject routes to the specific route server RIB for selectively advertising it to the client groups in client-specific RIBs.

    The BGP JET bgp_route_service.proto API includes a peer-type object that identifies individual routes as either EBGP or IBGP (default).

    [See BGP Route Server Overview.]

System Logging

  • Support for log warning messages on throughput overuse (SRX4100)—Starting with Junos OS Release 17.4R1, when Internet mix (IMIX) throughput exceeds the limit for an SRX4100 device, new log warning messages are logged. These log warning messages remind you that there is throughput overuse.

    [See Log File Sample Content.]

Screens

  • UDP flood screen whitelist (SRX300, SRX320, SRX340, SRX345, SRX1400, SRX4100, and SRX4200 devices, and vSRX instances)—Starting with Junos OS Release 17.4, a UDP flood whitelist mechanism is implemented on SRX300, SRX320, SRX340, SRX345, SRX1400, SRX4100, and SRX4200 devices, and vSRX instances.

    When the UDP flood screen is enabled in a zone, all UDP traffic is subject to UDP flood attack detection, and UDP packets above the threshold level are dropped. To let selected packets bypass UDP flood detection instead of being dropped, the UDP flood screen whitelist is provided: traffic from the addresses in the whitelist groups bypasses the UDP flood check. Both IPv4 and IPv6 whitelists are supported and can be configured using a single address or a subnet address. The UDP flood whitelist supports a maximum of 32 whitelist groups, and each group holds 32 or fewer IPv4 or IPv6 addresses.

    [See Understanding Whitelists for UDP Flood Screens.]

UTM

  • Custom URL category support for SSL forward proxy (SRX Series)—Starting with Junos OS Release 17.4R1, the whitelisting feature is extended to include custom URL categories supported by UTM in the whitelist configuration of SSL forward proxy. In this implementation, the Server Name Indication (SNI) field is extracted by the UTM module from client hello messages to determine the URL category. SNI is an extension of the SSL/TLS protocol. Each URL category has a unique ID. The list of URL categories in the whitelist is parsed and the corresponding category IDs are pushed to the Packet Forwarding Engine for each SSL forward proxy profile. The SSL forward proxy then determines through APIs whether to accept the proxy or to ignore the session.

    [See SSL Proxy Overview.]

  • Enhanced Web Filtering (EWF) reputation and categorization behavior support for EWF category (SRX Series)—Starting from Junos OS Release 17.4R1, predefined base filters, defined in a category file, are supported for individual EWF categories. Each EWF category has a default action in a base filter, which is attached to the user profile to act as a backup filter. If the categories are not configured in the user profile, the base filter takes the action. Online upgrade of base filters is also supported. Further, users can apply global reputation values provided by the Websense ThreatSeeker Cloud (TSC). For non-category URLs, the global reputation value is used to perform filtering, and from this release onward, the reputation base scores are configurable.

    [See Understanding Enhanced Web Filtering Process.]

  • Local Web filtering enhancement to support custom category configuration (SRX Series)—Starting from Junos OS Release 17.4R1, support for custom category configuration is available for EWF, local, and Websense redirect profiles. The custom-message option is also supported in a category for local Web filtering and Websense redirect profiles. You can create multiple URL lists (custom categories) and apply them to a UTM Web filtering profile with actions such as permit, permit and log, block, and quarantine.

    To create a global whitelist or blacklist, apply a local Web filtering profile to a UTM policy and attach it to a global rule.

    [See Understanding Local Web Filtering.]

  • Support for new Websense EWF categories (SRX Series)—Starting from Junos OS Release 17.4R1, you can download and dynamically load new Enhanced Web Filtering (EWF) categories. The downloading and dynamic loading of the new EWF categories do not require a software upgrade. Websense occasionally releases new EWF categories. EWF classifies websites into categories according to host, URL, or IP address and performs filtering based on the categories.

    [See Understanding Redirect Web Filtering.]

VPN

  • Increased number of IKE security associations supported (SRX5600, SRX5800)—Starting from Junos OS Release 17.4R1, an SRX5600 with 5 SPC2 cards and an SRX5800 with 10 SPC2 cards can support up to 50,000 IKE security associations (SAs) for AutoVPN networks in point-to-point secure tunnel mode with multiple traffic selectors (each SPC2 card supports up to 20,000 IKE SAs, that is, 5,000 IKE SAs per SPU). There are no configuration changes.

    [See Understanding AutoVPN.]

  • IPv6 address support for point-to-point AutoVPN networks that use traffic selectors (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, AutoVPN networks that use secure tunnel interfaces in point-to-point mode support IPv6 addresses for traffic selectors and for IKE peers.

    Note

    IPv6 addresses are not supported for AutoVPN networks in point-to-multipoint secure tunnel mode.

    [See Understanding AutoVPN and Understanding AutoVPN with Traffic Selectors.]

  • IPsec VPN performance optimization (SRX5400, SRX5600, SRX5800)—Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled. Session affinity is enabled with the set security flow load-distribution session-affinity ipsec command, while performance acceleration is enabled with the set security flow ipsec-performance-acceleration command.

    [See Accelerating the IPsec VPN Traffic Performance and Understanding VPN Session Affinity.]

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 17.4R2.

Chassis Cluster

  • IP Monitoring—Starting with Junos OS Release 17.4R2, on all SRX Series devices, if the reth interface is in bundled state, IP monitoring for redundancy groups is not supported on the secondary node. This is because the secondary node sends its reply using the lowest port in the bundle, which has a different physical MAC address, so the reply is not received on the same physical port from which the request was sent. If the reply arrives on the other interface of the bundle, the internal switch drops it.

  • Power Entry Module—Starting with Junos OS Release 17.4R2, when you use a DC PEM on SRX Series devices operating in chassis cluster mode, the output of the show chassis power command shows DC input: 48.0 V input (57000 mV). The value 48.0 V input is a fixed string and can be interpreted as a measured input voltage. The acceptable range of DC input voltage accepted by the DC PEM is 40 to 72 V. The (57500 mV) is a measured value, but it is not related to the input; it is the actual output value of the PEM, and the value is variable. The DC input: field from show chassis power and the Voltage: information from the show chassis environment pem command output are removed for each PEM.

  • SRX5400, SRX5600, and SRX5800 devices operating in a chassis cluster might encounter an em0 or em1 interface link failure on either of the nodes, which results in a split-brain condition in which the two nodes are unable to detect each other. If the failure occurs on the secondary node, the secondary node is moved to the disabled state.

    This solution does not cover the following cases:

    • em0 or em1 failure on primary node

    • HA process restart

    • Preempt conditions

    • Control link recovery

IDP

  • Custom Attack (SRX Series)—Starting with Junos OS Release 17.4R2, the maximum number of characters allowed for a custom attack object name is 60. You can validate the statement using the CLI set security idp custom-attack command.

Forwarding and Sampling

  • Support for Address Resolution Protocol (ARP) throttle and ARP detect (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 17.4R2, an ARP throttling mechanism is introduced for SRX Series devices.

    Excessive ARP processing results in high utilization of Routing Engine CPU resources, depriving other Routing Engine processes of CPU. To protect against excessive ARP processing, you can now use the following configuration statements:

    • edit forwarding-options next-hop arp-throttle seconds

    • edit forwarding-options next-hop arp-detect milliseconds

    Caution

    We recommend that only advanced Junos OS users attempt to configure the ARP throttle and ARP detect feature. An improper configuration could result in high CPU utilization of the Routing Engine, which could affect other processes on your device.

    [See arp-throttle and arp-detect.]

System Logging

  • System log host support (SRX300, SRX320, SRX340, SRX345 Series devices)—Starting in Junos OS Release 17.4R2, when the device is configured in stream mode, you can configure a maximum of eight system log hosts.

    In Junos OS Release 17.4R1 and earlier releases, you can configure only three system log hosts in stream mode. If you configure more than three system log hosts, the following error message is displayed: error: configuration check-out failed.

User Interface and Configuration

  • Junos OS prohibits configuring ephemeral configuration database instances that use the name default (SRX Series)—Starting in Junos OS Release 17.4R2, user-defined instances of the ephemeral configuration database, which are configured using the instance instance-name statement at the [edit system configuration-database ephemeral] hierarchy level, do not support configuring the name default.

Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 17.4R2 for the SRX Series.

Authentication and Access

  • On SRX Series devices with 256K user firewall authentication entries, in case of a failover or when a PFE restart occurs, the show services user-identification command generates a response timeout. This timeout lasts for at least 10 minutes. PR1302269

  • On SRX Series devices, the traffic that is sourced-from or destined-to the SRX Series device itself is classified as UNKNOWN in AppTrack log messages. PR1340338

Chassis Clustering

  • On SRX4600 devices, the dedicated Chassis Cluster fabric ports are not available. Instead, any 40G or 10G traffic ports can be used as chassis cluster fabric ports.

  • IP monitoring for redundancy groups does not work on the secondary node if the reth interface has more than one physical interface configured. This is because the backup node sends traffic using the MAC address of the lowest port. If the reply does not come back on the same physical port, the internal switch drops the traffic. PR1344173

Install and Upgrade

  • On SRX Series devices, when you perform a downgrade from Junos OS Release 17.4R1-S2 or 17.4R2 to Junos OS Release 15.1X49-D125 using the request system software add command, the downgrade fails. An error message is displayed stating that you need to force the downgrade using the force CLI option. Use the force CLI option to force the downgrade. There is no need to use the force option when you downgrade from Junos OS Release 15.1 to any other release. PR1350558

Interfaces and Chassis

  • On SRX4600 devices, the 10-Gigabit Ethernet and chassis cluster ports cannot be configured to operate as 1-Gigabit Ethernet ports.

  • SRX4600 device interfaces only support the following two traffic port modes:

    • 4x40G (all four QSFP28+ ports) + 8x10G (all eight SFP+ ports) by default.

    • 2x100G (first two QSFP28+ ports) + 4x10G (first four SFP+ ports) by configuration as shown below:

      • set chassis fpc 1 pic 0 pic-mode 100G

      • set chassis fpc 1 pic 0 number-of-ports 2

      • set chassis fpc 1 pic 1 number-of-ports 4

      Note: The system requires a reboot after committing the above configuration.

  • On SRX4600 devices, the RAID-1 mirror feature is not available. The second SSD is not available for use, although it is present.

  • On SRX4600 devices, the Precision Time Protocol (PTP) feature is not available.

  • On SRX4600 devices, the USB disk is not available to Junos OS. However, the USB disk is available with full access to the host OS (Linux), and USB is still used in the boot process (install and recovery functions). PR1283618

  • On SRX1500 devices, pp0.0 interface link status is not up. PR1315416

  • USB stops working if the USB device is removed while it is in the initialization state. To avoid this issue, wait a few seconds before removing the USB device. PR1332360

J-Web

  • On SRX550M and SRX1500 devices, there is no option to configure Layer 2 firewall filters from J-Web, irrespective of the device mode. PR1138333

  • On SRX Series devices in a chassis cluster, if you want to use J-Web to configure and commit the configuration, you must ensure that all other user sessions, including any CLI sessions, are logged out. Otherwise, the commit might fail. PR1140019

  • On SRX1500 devices in J-Web, the snapshot functionality under Maintain > Snapshot > Target Media > Disk > Snap Shot is not supported. PR1204587

  • On SRX Series devices, the DHCP relay configuration page under Configure > Services > DHCP > DHCP Relay was removed from J-Web in Junos OS Release 15.1X49-D60. DHCP relay can still be configured using the CLI. PR1205911

  • On SRX Series devices, DHCP client bindings under Monitor are removed. The same bindings can be viewed in the CLI using the show dhcp client binding command. PR1205915

  • On SRX Series devices, if the configuration is larger than 5000 bytes, J-Web responds slowly and navigating between pages might take more time. PR1222010

  • On SRX Series devices, you cannot view the custom log files created for event logging in J-Web. PR1280857

  • On SRX Series devices, report generation works in the Internet Explorer and Chrome browsers. To generate a report in Firefox, delete the existing Firefox profile and relaunch Firefox with a new profile. PR1303722

  • Uploading a certificate using the browse button stores the certificate on the device at /jail/var/tmp/uploads/, which is deleted when you execute the request system storage cleanup CLI command. PR1312529

  • The values of address and address-range are not displayed in the inline address-set creation pop-up window of Juniper Identity Management Service (JIMS). PR1312900

Layer 2 Ethernet Services

  • PPPoE together with DHCPv6 does not work on any SRX Series platform running Junos OS Release 15.1X49 or later. PR1229836

User Interface and Configuration

  • On SRX1500 devices, committing a configuration with a very large number of logical systems takes more time. This occurs because backing up the previous configuration might take longer to finish. PR1339862

VPNs

  • On SRX5400, SRX5600, and SRX5800 devices, when CoS is enabled on the st0 interface and the incoming traffic rate destined for the st0 interface is higher than 300,000 packets per second (pps) per SPU, the device might drop some of the high-priority packets internally and shaping of outgoing traffic might be impacted. We recommend that you configure an appropriate policer on the ingress interface to limit the traffic to below 300,000 pps per SPU. PR1239021

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 17.4R2.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Outstanding Issues

Application Layer Gateways (ALGs)

  • In a chassis cluster with logical systems configured, any ALG (except the DNS ALG) enabled, and NAT configured for the ALG sessions, the flowd process on the secondary node might not work. PR1343552

Chassis Cluster

  • On SRX5600 and SRX5800 devices in chassis cluster mode, when the secondary Routing Engine is installed to enable dual control links, the show chassis hardware command might display the same serial number for both Routing Engines on both nodes. PR1321502

  • On SRX Series devices, the forwarding plane might failover from node 0 to node 1 when an SPC stops unexpectedly. PR1331809

  • On SRX4600 devices with chassis cluster enabled, the dedicated fabric link goes down when a failover occurs. PR1365969

Class of Service (CoS)

  • On SRX Series devices, if the action of forwarding-class is configured in the output direction on a firewall filter, the host outbound traffic matching the same term of this firewall filter will be blocked. PR1272286

Flow-based and Packet-based Processing

  • On SRX Series devices, the time range slider sometimes does not work for all events, or for individual events, in the Google Chrome or Firefox browser. PR1283536

  • On SRX4600 devices, when the next hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725

  • On all SRX Series devices, filter-based forwarding (FBF) does not work when applied on an IPsec tunnel interface (st0.*). PR1290834

  • On SRX Series devices with chassis cluster enabled, consider the case where the ingress interface of the multicast session in the first logical system is reth2.0, which belongs to redundancy group 2, and redundancy group 2 is active on node 1. The ingress interface of the multicast session in the second logical system is the PLT interface, which belongs to redundancy group 1, and redundancy group 1 is active on node 0. The multicast session in the second logical system is therefore active on node 0, so the multicast session's active/backup state is not aligned with the forwarding traffic. This issue occurs when multicast traffic crosses logical systems. As a workaround, make RG-1 and RG-2 active on the same node. PR1295893

  • On SRX300, SRX320, SRX340, and SRX345 devices, if power outages occur many times in a short period, the device might end up stuck at the loader prompt. PR1292962

  • On SRX Series devices, packet capture does not work after you change, delete, or add the maximum capture size. PR1304723

  • On SRX Series devices, when you run the command clear nhdb statistics on the SPU PIC, the SPC might reset. PR1346320

  • The IPsec replay error for Z-mode traffic is observed. PR1349724

  • The IPsec VPN traffic might be dropped on pass-through SRX Series device after an IKE rekey. PR1353779

  • On the secondary control plane, a multicast session leak is observed for the PIM register. PR1360373

Intrusion Detection and Prevention (IDP)

  • After an IDP signature automatic update is scheduled, the secondary node might not update the signatures. PR1358489

Interfaces and Routing

  • An incorrect ingress packets-per-second value is observed on the MPLS-enabled interface. PR1328161

Interfaces and Chassis

  • On SRX1500 devices, if Junos OS Release 15.1X49-D70 or later is installed and you have a single PEM in slot 0, an alarm is raised stating that PEM 1 is not present. PR1265795

  • On SRX4600 devices, the 1GE interface is not supported in Junos OS Release 17.4R2. PR1315073

Platform and Infrastructure

  • Secure Shell (SSH) access to the SRX Series device fails when the kern.maxfiles limit is exceeded by the phone-home process. PR1357076

  • On SRX4100 and SRX4200 devices, the Network Time Protocol (NTP) server might not synchronize because the device clock often switches from NTP to local time. PR1357843

Routing Policy and Firewall Filters

  • On SRX Series devices, DNS name entries in policies might not be resolved if the routing instance is configured under a system name server. PR1347006

Routing Protocols

  • On SRX Series devices, RIP is supported in packet to packet DC mode on st0 interfaces. PR1141817

  • A new CLI command stickydr is required to prevent traffic loss during the disaster recovery. PR1352589

VPNs

  • IPsec uses ESP as the default protocol if the user does not explicitly configure the protocol. PR1061838

  • When an SRX Series device acts as an initiator behind NAT, disabling NAT on the router in between causes the first new negotiation to fail immediately, because it attempts to negotiate without NAT using port 4500. The next attempt succeeds using port 500. Disabling NAT, bringing down all existing tunnels, and re-establishing the tunnels on port 500 is the expected behavior. PR1273213

  • On SRX Series devices, if multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector rekeys at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without an immediate rekey. Renegotiation of those traffic selectors might be triggered through other mechanisms, such as traffic or by the peer. PR1287168

  • On SRX Series devices, when the VPN monitoring feature is enabled, the st interfaces go down immediately. PR1295896

  • If a period (.) is present in the CA profile name, the PKID process might have problems if it is restarted at any point. PR1351727

  • On SRX5600 and SRX5800 devices, traffic loss is observed during migration from a VPN to an AutoVPN configuration. PR1362317

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases for the SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 17.4R2

Application Layer Gateways (ALGs)

  • On SRX1400 device, the NFS traffic to port 2049 might drop. PR1307763

  • Configuring the download URL displays a warning message that the appid-sig license is required. PR1324858

  • On SRX Series devices with SIP ALG enabled, the SIP ALG might drop SIP packets which have a referred-by or referred-to header field containing multiple header parameters. PR1328266

  • SIP calls drop when the limit per SPU exceeds 10,000 calls. PR1337549

Authentication and Access Control

  • On SRX Series devices, the PFE might crash and a huge number of core files might be generated within a short period of time. PR1326677

  • On SRX Series devices, incomplete Request Support Information (RSI) might be seen. PR1329967

  • On SRX Series devices, the sessions might close because of the idle Timeout junos-fwauth-adapter logs. PR1330926

  • The uacd process is unstable after upgrading to Junos OS Release 12.3X48 and later releases. PR1336356

  • On SRX Series devices, the show version detail command returns an error message: Unrecognized command (user-ad-authentication) while configuring the useridd settings. PR1337740

  • A new configuration is available to configure the web-authentication timeout. PR1339627

Chassis Clustering

  • The route information might not be synchronized between node0 and node1 when configuring the firewall filter or APBR to use the non-default routing-instance. PR1292235

  • Flowd process core files are generated after adding 65536 VPN tunnels using traffic selector with the same remote IP. PR1301928

  • On devices enabled with chassis cluster, the ISSU upgrade might fail and display an error message ISSU aborted and exiting ISSU window. PR1306194

  • On SRX1500, SRX4100, and SRX4200 devices, ISSU might fail if LACP and interface monitoring are configured. PR1305471

  • File Descriptor might leak on SRX Series chassis clusters with Sky ATP enabled. PR1306218

  • When the services offloading feature is enabled, the device changes the TCP checksum value to 0x0000. PR1317650

  • When ISSU is performed from a Junos OS release prior to 15.1X49-D60 to Junos OS Release 15.1X49-D60 or later, the flowd process generates core files. PR1320030

  • The device might stop forwarding traffic after RG1 failover from node0 to node1. PR1323024

  • When RG0 failover or primary node reboot happens, some of the logical interfaces might not be synchronized to the other node if the system has around 2,000 logical interfaces and 40,000 security policies. PR1331070

  • After the primary node or the secondary node restarts, the FPC module goes offline on the secondary node. PR1340116

  • In an active/active cluster, the route change timeout does not work as expected. PR1314162

Class of Service (CoS)

  • Packets go out of order on SPC2 cards with IOC1 or FIOC cards. PR1339551

Flow-Based and Packet-Based Processing

General Routing

  • SRX1500 devices might power off unexpectedly because of incorrect device temperature readings that report an excessively high temperature, leading to an immediate proactive power-off to protect the device from overheating. In these cases, however, the temperature is not actually too high and a power-off is not required. When this occurs, the following log message is shown in the file /var/log/hostlogs/lcmd.log: Jan 25 13:09:44 localhost lcmd[3561]: srx_shutdown:214: called with FRU TmpSensor. PR1241061

  • On SRX4100 and SRX4200 devices, packet loss is observed when the packets-per-second (pps) rate through the device is very high. This occurs because of the application statistics interval update, which has a default timer value of 1 minute. You can avoid this issue by setting the interval to its maximum using the set services application-identification statistics interval 1440 command. PR1290945

  • The show host server name-server host CLI command fails when the source address is specified under the name-server configuration. PR1307128

  • A memory leak might occur in the appidd process while updating an application signature package. PR1308863

  • On SRX4600 devices, when you run the clear security flow session command, the time taken to clear the sessions depends on the total number of sessions. For example, clearing 57M sessions takes nine minutes. PR1308901

  • On SRX Series devices, if destination NAT and session affinity are configured with multiple traffic selectors in IPsec VPN, the traffic selector match might fail. PR1309565

  • The flowd process might stop and generate a core file during failover between node 0 and node 1. PR1311412

  • On SRX Series devices, the IPsec tunnel might fail to be established if the datapath debug configuration includes the preserve-trace-order option, the record-pic-history option, or both. PR1311454

  • The SRX Series device drops packets citing the reason "Drop pak on auth policy, not authed". PR1312676

  • The flowd process might stop if the SSL-FP profile is configured with whitelist. PR1313451

  • If IDP and SSL forward proxy whitelist are configured together, the device might generate a core file. PR1314282

  • On SRX550M devices, phone-home.core is generated after the zeroization procedure. PR1315367

  • If the Sky ATP cloud feed updates, the Packet Forwarding Engine might stop causing intermittent traffic loss. PR1315642

  • On SRX Series devices, when an IPsec VPN tunnel with a traffic selector is configured and the packet TTL is set to 1, the flowd process stops and generates a core file on both nodes. PR1316134

  • Periodic PIM register loop is observed during switch failure. PR1316428

  • On SRX Series devices, the fin-invalidate-session command does not work when the Express Path feature is enabled on the device. PR1316833

  • Return traffic through the routing instance might drop intermittently after changing the zone and routing-instance configuration on the st0.x interface. PR1316839

  • On SRX300 devices, the DHCP client cannot obtain IP addresses. PR1317197

  • The default route is lost after a system zeroize. PR1317630

  • SSL forward proxy does not work if the root-ca name has fewer than four characters. PR1319755

  • The OSPF peers are unable to establish neighbors between the LT interfaces of the logical systems. PR1319859

  • On SRX Series devices, after logical systems are configured, about 10 of the logical systems do not work. PR1323839

  • The flowd process generates core files on both nodes causing an outage. PR1324476

  • The MPC cards might drop traffic in the event of high temperatures. PR1325271

  • Software next-hop table is full with log messages RT_PFE: NH IPC op 1 (ADD NEXTHOP) failed, err 6 (No Memory) peer_class 0, peer_index 0 peer_type 10. PR1326475

  • If the serial number of the certificate for the SSL proxy has two consecutive zeros, the certificate authentication fails. PR1328253

  • When you use CFLOW, the source address for flow packets is not displayed. PR1328565

  • On SRX Series devices, the one-way jitter traps are not generated when the TWAMP is configured. PR1328708

  • The FPC goes offline or hangs in the Present state when intermittent control link heartbeats are observed. PR1329745

  • On SRX Series devices with stream logging configured, high CPU load is observed. PR1331011

  • The IPv6 traffic does not work as expected on IOC3 with the services offloading (npcache) feature. PR1331401

  • NTP synchronization fails and switches to a local clock. PR1331444

  • Inaccurate Jflow records might be seen for output interface and next hop. PR1332666

  • The whitelist function in syn-flood does not work. PR1332902

  • The show vlans detail no-forwarding command in the RSI does not display any information, because the no-forwarding option is not supported. PR1336267

  • Two-way active measurement protocol (TWAMP) client, when configured in a routing instance, does not work after a reboot. PR1336647

  • On the front panel LED, the red alarm goes on after an RG0 failover is triggered when the flowd process stops. PR1338396

  • The unfiltered traffic is captured after traceoptions are deactivated. PR1339213

  • SSH to the loopback interface of SRX Series devices does not work properly when AppTrack is configured. PR1343736

  • The flowd process might stop when SYN-proxy function is used. PR1343920

  • SNMP MIB walk provides incorrect data counters for total current flow sessions. PR1344352

  • SRX1500 devices might encounter a failure while accessing the SSD drive. PR1345275

  • The policy and zone configuration are not in synchronization with the Packet Forwarding Engine (PFE). PR1345397

  • The REST API is not working on the SRX320-POE device. PR1347539

  • File download stops over a period of time when TCP proxy is activated through Antivirus or Sky ATP. PR1349351

  • When a J-Flow related configuration is deleted, the forwarding plane begins to drop packets. PR1351102

  • If the Trusted Platform Module (TPM) is enabled, a configuration integrity failure occurs when there is a power loss for a few seconds after the commit. PR1351256

  • On SRX1500 device, after the SSL forward proxy is configured, the system stops and generates a core file. PR1352171

  • The flowd process generates a core file when the SIP ALG is enabled. PR1352416

  • When a routing instance is configured, the UTM Anti-Spam:DUT process does not send the DNS query. PR1352906

  • On SRX Series devices, if the memory buffer is accessed without checking the mbuf and the associated external storage, the flowd process might stop. PR1353184

  • On SRX Series devices in a chassis cluster, if an IPv6 session is being closed and at the same time the related data-plane Redundancy Group (RG1+) failover occurs, this IPv6 session on the backup node might hang and cannot be cleared. PR1354448

  • The PIM register might stop the message from the source First Hop Router (FHR). PR1356241

  • On SRX300, SRX320, SRX340, and SRX345 devices, with LTE mini-PIM the DHCP relay packets are not forwarded. PR1357137

  • On SRX5000 Series devices, when the IPsec performance acceleration feature is enabled, packets going into or out of a VPN tunnel are dropped. PR1357616

  • On SRX5400, SRX5600, and SRX5800 devices, the MIB walk tool is not working when screens are applied to the security zones. PR1364210

Interfaces and Chassis

  • Unable to add IRB and aggregated Ethernet interfaces. PR1310791

  • On SRX1500 devices, pp0.0 interface link status is not up. PR1315416

  • An error is not seen at each commit or commit check if autonegotiation is disabled but the speed and duplex configurations are not configured on the interface. PR1316965

  • If an interface is configured with the Ethernet switching family, we recommend that you do not configure vlan-tagging. PR1317021

  • The interface might be brought down by IP monitoring at the time of committing a configuration because of incorrect interface status computing. PR1328363

Interfaces and Routing

  • JIMS server stops responding to requests from SRX Series devices. PR1311446

  • On SRX Series devices in a chassis cluster, the IRB interface does not send an ARP request after clearing the ARP entries. PR1338445

  • Packet reorder occurs on the traffic received on the PPP interface. PR1340417

  • On SRX Series devices, when the VPLS interface receives a broadcast frame, the device sends this frame back to the sender. PR1350857

  • On SRX1500 devices, when LACP is configured with interfaces ae0 and ae1, the MAC address is displayed as 00:00:00:00:00:00 and 00:00:00:00:00:01 for interfaces ae0 and ae1 respectively. PR1352908

  • The set protocols rstp interface all command does not enable RSTP on all interfaces. PR1355586

Intrusion Detection and Prevention (IDP)

  • The control plane CPU usage is high when using IDP. PR1283379

  • IDP signatures might not get pushed to the Packet Forwarding Engine if there is a policy in logical systems. PR1298530

  • The IDP PCAP feature has been improved. PR1297876

  • The output of show security idp status command does not accurately reflect the number of decrypted SSL or TLS sessions being inspected by the IDP. PR1304666

  • The file descriptor might leak during a security package auto update. PR1318727

  • On SRX4600 devices, the maximum SSLRP session count is observed to approach 100,000. In the CLI, a maximum of 100,000 sessions is allowed, whereas in SSLFP, 600,000 sessions are allowed. The set security idp sensor-configuration ssl-inspection sessions command is therefore modified to allow a maximum of 600,000 sessions. For other devices, the original session limit of 100,000 is retained. PR1329827

  • Loading the IDP policy fails because of insufficient available heap memory. PR1347821

J-Web

  • J-Web system snapshot throws an error. PR1204587

  • In J-Web when you click the SKIP TO JWEB OPTIONS, the Google Chrome browser automatically redirects. PR1284341

  • J-Web does not display all global address book entries. PR1302307

  • On SRX300, SRX320, SRX340, and SRX345 devices, CPU usage is high when generating on-box reporting on the J-Web. PR1310288

  • J-Web authentication fails when a password includes a backslash. PR1316915

  • J-Web dashboard displays wrong last updated time. PR1318006

  • J-Web display problems for security policies are observed. PR1318118

  • J-Web displays the red alarm for temperature value within the threshold. PR1318821

  • J-Web does not display wizards on the dashboard. PR1330283

  • Unable to delete the dynamic VPN user configuration. PR1348705

  • When the J-Web fails to get resource information, the Routing Engine CPU usage is displayed as 100 percent. PR1351416

  • Security policies search button on the J-Web does not work with Internet Explorer version 11. PR1352910

Layer 2 Ethernet Services

  • In DHCP relay configuration, the option VPN has been renamed to source-ip-change. PR1318487

  • On SRX1500 devices, VLAN popping and pushing does not work over Layer 2 circuits. PR1324893

  • DHCP rebind and renew packets are not counted in BOOTREQUEST. PR1325872

  • The default gateway route might be lost after the failover of RG0 in a chassis cluster. PR1334016

  • The subnet mask address is not sent as a reply to the DHCPINFORM request. PR1357291

Network Address Translation (NAT)

  • The default-gateway route received by DHCP when some interface in the chassis cluster has been configured as a DHCP client is lost in about 3 minutes after RG0 failover. PR1321480

  • On SRX Series devices, the Sky ATP connection leak causes the service plane to be disconnected from the Sky ATP cloud. PR1329238

  • Arena utilization on an FPC spikes and then returns to a normal value. PR1336228

Network Management and Monitoring

  • SRX300 devices become unresponsive as a result of a cf/var: filesystem full error. PR1289489

  • CLI options are available to manage the packet forwarding engine handling the ARP throttling for NHDB resolutions. PR1302384

Platform and Infrastructure

  • When you perform commits with apply-groups, VPN might flap. PR1242757

  • The packet captured by datapath-debug on an IOC2 card might be truncated. PR1300351

  • Inconsistent flow-control status on reth interface is observed. PR1302293

  • On SRX5400, SRX5600, and SRX5800 devices, when a DC PEM is used, the output of the show chassis environment pem and show chassis power commands does not show the DC input value correctly. PR1323256

  • On SRX5400, SRX5600, and SRX5800 devices, SPC2 XLP stops processing packets in the ingress direction after repeated RSI collections. PR1326584

  • When SecIntel is configured, IPFD CPU utilization might be higher than expected. PR1326644

  • The log messages file contains node*.fpc*.pic* Status:1000 from if_np for ifl_copnfig op:2 for ifl :104 message. PR1333380

  • Log message No Port is enabled for FPC# on node0 is generated every 5 seconds. PR1335486

  • In the RSI, a mandatory argument is missing for the request pfe execute and show usp policy counters commands. PR1341042

  • On SRX Series devices in a chassis cluster, configuration commit might succeed even though the external logical interface configuration (reth) associated with the Internet Key Exchange (IKE) VPN gateway configuration is deleted. This might lead to configuration load failure during the next device boot-up. PR1352559

  • On SRX4100 devices, interfaces are shown as half-duplex, but there is no impact on the traffic. PR1358066

Routing Policy and Firewall Filters

  • The firewall authentication does not list the correct polices when the NSD process is busy. PR1312697

  • The number of address objects per policy for SRX5400, SRX5600, and SRX5800 devices is increased from 4,096 to 16,000. PR1315625

  • The flowd process stops when AppQoS is configured on the device. PR1319051

  • Flowd process stops after configuring a huge number of custom applications. PR1347822

  • On SRX Series devices, with a large number of firewall authentication entries, the flowd process might stop. PR1349191

  • On SRX Series devices, a large-scale commit, for example a 70,000-line security policy, might stop the NSD process on the Packet Forwarding Engine (PFE). PR1354576

Routing Protocols

  • On SRX1500 devices, the IS-IS adjacency remains down when using an IRB interface. PR1300743

  • Dedicated BFD does not work on SRX Series devices. PR1312298

  • On a chassis with BMP configured, if the rpd termination timeout is happening while the BMP main task has failed to terminate and delete itself (seen when rpd is gracefully terminated), the rpd might stop. PR1315798

  • When BGP traceoptions are configured and enabled, the traces specific to messages sent to the BGP peer (BGP SEND traces) are not logged. The traces specific to received messages (BGP RECV traces) are logged correctly. PR1318830

  • OpenSSL Security Advisory [07 Dec 2017]. Refer to https://kb.juniper.net/JSA10851 for more information. PR1328891

  • The ppmd process might stop, after one node is upgraded and failover completes. PR1347277

  • On SRX Series devices, dedicated BFD does not work. PR1347662

Software Installation and Upgrade

  • The request system reboot node command with the in or at option results in an immediate reboot instead of rebooting at the scheduled time. PR1303686

  • On SRX1500 devices, the fan speed often fluctuates. PR1335523

System Logs

  • A warning syslog message is displayed when the number of security screens installed exceeds the IOC capacity. PR1209565

  • The following log messages are displayed on the device: L2ALM Trying peer/master connection, status 26. PR1317011

User Firewall and Authentication

  • User firewall has a command to fetch the user-group mapping from the active directory server. PR1327633

Unified Threat Management (UTM)

  • The ISSU upgrade might fail because of the Packet Forwarding Engine generating a core file. PR1328665

Upgrade and Downgrade

  • The command show system firmware displays the old firmware image. PR1345314

VLAN Infrastructure

  • On SRX Series devices in transparent mode, the flowd process might stop when matching the destination MAC. PR1355381

VPNs

  • The IRB interface does not support VPN. PR1166714

  • Next hop tunnel binding (NHTB) is not installed occasionally during rekey for VPN using IKEv1. PR1281833

  • IPsec traffic statistic counters return 32-bit values. PR1301688

  • Auto Discovery VPN (ADVPN) tunnels might flap with the spoke error no response ready yet, leading to IKEv2 timeout. PR1305451

  • On SRX Series devices, core files are observed under certain conditions with VPN and when NAT-T is enabled. PR1308072

  • PKID syslog for key-pair deletion is required for conformance. PR1308364

  • On SRX Series devices, ESP packet drops in IPsec VPN tunnels with NULL encryption algorithm configuration are observed. PR1329368

  • SNMP for jnxIpSecTunMonVpnName does not work. PR1330365

  • The kmd process might generate a core file when all the VPNs are down. PR1336368

  • On SRX5400, SRX5600, and SRX5800 devices, the chassis cluster control link encryption does not work. PR1347380

  • The kmd process might stop if multiple IKE gateways use the same IKE policy. PR1337903

  • All IPsec tunnels are in both active and inactive state. PR1348767

  • S2S tunnels are not redistributed after IKE or IPsec are reactivated in a configuration. PR1354440

Resolved Issues: 17.4R1

Application Layer Gateways (ALGs)

  • On SRX Series devices, SIP packets might be dropped when destination NAT is applied to SIP traffic. PR1268767

  • The pfed process stops and generates core files. PR1292992

  • An H323 ALG Q931 packet decode error is observed even after disabling the H323 ALG. PR1305598

  • The HTTP ALG is listed in the show security match-policies output even though the HTTP ALG does not exist. PR1308717

Chassis Cluster

  • Node 0 enters the db prompt after applying a Layer 2 switching configuration and rebooting. PR1228473

  • HA configuration synchronization monitoring does not work if encrypt-configuration-files is enabled. PR1235628

  • The ISSU or ICU operation might fail if upgrade is initiated from Junos Space on multiple SRX clusters. PR1279916

  • ALG traffic and other traffic with tcp-proxy gets stuck after back-to-back RG1 failover when using PPPoE on the reth interface. PR1286547

  • Warning messages are incorrectly tagged as errors in the RPC response from the SRX Series device when you configure a change through NETCONF. PR1286903

  • After software upgrade, the cluster goes into a brief split-brain state when rebooting RG0 on the secondary node. PR1288819

  • In an SRX1500 cluster, if control-link-recovery is configured, ISSU might not complete successfully and the cluster will end up with different software releases. PR1303948

  • IP monitoring on the secondary node shows unknown status after rebooting. PR1307749

  • On SRX Series devices, the traffic logging impact issue after ISSU is fixed. PR1284783

Class of Service (CoS)

  • On SRX Series devices, a self-generated TCP session from the Routing Engine destined to an lt-0/0/0.x next hop is not established. PR1286866

Flow-Based and Packet-Based Processing

  • The software-NH value increases and causes a traffic outage. PR1190301

  • SRX1500 devices might power off unexpectedly because of an incorrect device temperature reading that reports an excessively high temperature, which triggers an immediate proactive power-off to protect the device from overheating. When this condition occurs, the following log message is shown in the file /var/log/hostlogs/lcmd.log: Jan 25 13:09:44 localhost lcmd[3561]: srx_shutdown:214: called with FRU TmpSensor. PR1241061

  • Duplicate hops or a higher than expected hop count is seen in L2 traceroute. PR1243213

  • Configuring DPD (dead peer detection) results in timeouts for TCP encapsulation sessions. PR1254875

  • A down interface in the mirror-filter command might cause a core file in certain situations. PR1270724

  • Core files are seen on SRX1500 when J-Flow is enabled. PR1271466

  • SRX320 with MPIM: IPv6 static route on dl0.0 is not active, so it cannot work for dial-on-demand. PR1273532

  • The destination MAC address of multicast traffic sent to the downstream interface is set to all zeros. PR1276043

  • The output hangs while checking the pki ca-certificate ca-profile-group details. PR1276619

  • SRX1500 randomly stops forwarding traffic. PR1277435

  • When using integrated user firewall, the useridd process might consume high CPU. PR1280783

  • When you run the operational command to create a rescue configuration, some errors are reported, but the rescue configuration is still created. PR1280976

  • User firewall users are not assigned their roles. PR1282744

  • Certain SCTP packets are dropped. PR1285089

  • The pfed process stops and generates core files when a traceoptions configuration is committed. PR1289972

  • More CPU threshold warnings are seen than in the previous releases. PR1291506

  • The CoS scheduler and shaping do not work on an IRB interface. PR1292187

  • A cryptographic weakness exists in the TPM firmware of SRX300 line devices (CVE-2017-10606). PR1293114

  • The APN profile password is displayed in cleartext. PR1295274

  • On SRX Series devices running the user firewall feature, under some conditions, flowd or useridd might generate core files. The Packet Forwarding Engine might get restarted, and RG1+ failover occurs. PR1299494

  • SRX Series devices fail to upgrade the Junos OS image when you use the unlink and partition options at the same time. PR1299859

  • When you run the show interfaces queue rethx command, the output displays ingress queue information. PR1309226

  • On SRX Series devices, the Stream Control Transmission Protocol (SCTP) packet has an incorrect SCTP checksum after the payload is translated by the device. PR1310141

Interfaces and Chassis

  • On SRX1500 devices with SFP+-10G-CU3M DAC, 10-Gigabit Ethernet interface does not work. PR1246725

  • On SRX1500, 10-Gigabit Ethernet interface might not come up between the SRX Series device and another type of device when using SFP+-10G-CU3M DAC. PR1279182

  • Ping to the VRRP virtual IP (VIP) address fails when VRRP is configured on a VLAN-tagged interface. This affects only IOC2 and IOC3 cards in SRX5000 line devices; SRX1500, SRX4100, and SRX4200 devices are not affected. PR1293808

  • RPM packets do not go through the LT interface under certain configurations. PR1303445

J-Web

  • SRX Series devices cannot be upgraded with a Junos OS image using J-Web. PR1297362

  • Configuration upload using J-Web does not work. PR1300766

  • In J-Web, after a custom application is added in a logical system, the application 'any' is missing from Logical System Configure > Security > Security Policy > Add Policy. PR1303260

  • J-Web removes the backslash character from the source identity object when the changes are committed. PR1304608

Layer 2 Ethernet Services

  • ARP issues are seen when using Layer 2 switching with the IRB interface. PR1266450

  • On SRX1500 devices in an Ethernet switching mode, an IRB interface located in a custom routing instance is not reachable. PR1234000

  • The no-dns-propagation statement should be changed to no-dns-install. PR1284852

  • DHCPv6 prefix delegation does not start with the first available subnet. PR1295178

Network Address Translation (NAT)

  • On SRX Series devices, periodic execution of the show security zones detail command causes the NSD process to fail to release unused memory, causing a memory leak. PR1269525

  • The proxy-arp does not work intermittently after RG0 failover. PR1289614

  • Commit check might allow a Source NAT pool without addresses to be committed, leading to flowd core file generation when the misconfigured pool is utilized by traffic. PR1300019

  • Active source NAT causes an NSD error and the session closes. PR1313144

Network Management and Monitoring

  • On the SRX340 device, one Routing Engine does not reply for the SNMP request after power-on or RG0 failover in a cluster. PR1240178

  • On SRX Series devices, when J-Flow is enabled for multicast traffic, an extern next hop is installed as part of the multicast composite next hop. However, when the composite next hop is uninstalled, the extern next hop is not freed, which results in a jtree memory leak. PR1276133

  • The mib2d process might crash when polling the OID ifStackStatus.0 after a logical interface of lo0 is deleted. PR1286351

  • The show arp no-resolve interface X command for nonexistent interface X is showing all unrelated static ARP entries. PR1299619

Platform and Infrastructure

  • SRX300 line devices reboot when Juniper RE-USB-4G-S (yellow or orange) USB is inserted. PR1214125

  • The flowd process might crash during route update. PR1249254

  • Unexpected behavior with IP monitoring is seen. PR1263078

  • The TTL (Time To Live) of some Z-mode packets is incorrectly reduced to zero if an IOC2 or IOC3 interface is configured as the HA fabric port. PR1270770

  • DNS cache does not get populated in multiple virtual router (VR) environments. PR1275792

  • A memory leak occurs in an SRX Series chassis cluster when the em0 or em1 interface is down. PR1277136

  • On SRX5000 line devices, under a heavy flood of IPv6 Neighbor Discovery Protocol (NDP) packets, some incoming IPv6 neighbor advertisements (NA) might be dropped because of a queue being full. This issue has been resolved by using a different queue for IPv6 NA packets. PR1293673

  • XLP lost heartbeat (SPU hang) is not detected in a timely manner by hardware monitoring. PR1300804

Routing Policy and Firewall Filters

  • Secured e-mail application is not available. PR1273725

  • On SRX Series devices, the DNS configured in the address-book fails to resolve the IP address, if the case (uppercase or lowercase) in the DNS query and the DNS response do not match. PR1304706

  • The NSD process might crash when replacing the name of a logical-system. PR1307876

System Logging

  • The logs from syslog RT_FLOW: FLOW_REASSEMBLE_SUCCEED: Packet merged might cause high CPU usage on the Routing Engine. PR1278333

Unified Threat Management (UTM)

  • The Packet Forwarding Engine CPU utilization is high when using the UTM antivirus feature. PR1282719

VPNs

  • The st0 global counter statistics do not increment. PR1171958

  • The second client is disconnected when the assigned IP address is changed in the access profile for the first client. PR1246131

  • IPsec traffic through tunnel fails without configuring the authentication algorithm under the IPsec proposal on the SRX1500; however, it works on the SRX5600. PR1285284

Documentation Updates

There are no errata or changes in Junos OS Release 17.4R2 for the SRX Series documentation.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Scripts for Address Book Configuration

Beginning with Junos OS Release 12.1, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).

You can either define all address books under the [security] hierarchy in a zone-attached configuration format or under the [security zones] hierarchy in a zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both configuration formats on one system.

Juniper Networks provides Junos operation scripts that allow you to work in either of the address book configuration formats (see Figure 1).

About Upgrade and Downgrade Scripts

After downloading Junos OS Release 12.1, you have the following options for configuring the address book feature:

  • Use the default address book configuration—You can configure address books using the zone-defined configuration format, which is available by default. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.

  • Use the upgrade script—You can run the upgrade script available on the Juniper Networks support site to configure address books using the new zone-attached configuration format. When upgrading, the system uses the zone names to create address books. For example, addresses in the trust zone are created in an address book named trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules remain unaffected.

    After upgrading to the zone-attached address book configuration:

    • You cannot configure address books using the zone-defined address book configuration format; the CLI displays an error and fails to commit.

    • You cannot configure address books using the J-Web interface.

    For information on how to configure zone-attached address books, see the Junos OS Release 12.1 documentation.

  • Use the downgrade script—After upgrading to the zone-attached configuration, if you want to revert to the zone-defined configuration, use the downgrade script available on the Juniper Networks support site. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.

    Note

    Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.

Figure 1: Upgrade and Downgrade Scripts for Address Books

Running Upgrade and Downgrade Scripts

The following restrictions apply to the address book upgrade and downgrade scripts:

  • The scripts cannot run unless the configuration on your system has been committed. Thus, if the zone-defined address book and zone-attached address book configurations are present on your system at the same time, the scripts will not run.

  • The scripts cannot run when the global address book exists on your system.

  • If you upgrade your device to Junos OS Release 12.1 and configure logical systems, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert the existing zone-defined configuration to the zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.

    Note

    You cannot run the downgrade script on logical systems.

For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.
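To make the two address book formats and the script preconditions concrete, the following is an added, hypothetical example written for these notes; it is not Juniper's upgrade or downgrade operation script and not code from the product. It converts set-style configuration lines between the zone-defined format ([security zones] hierarchy) and the zone-attached format ([security] hierarchy), names the new books <zone>-address-book as the upgrade description above states, passes policy and NAT statements through untouched, and refuses to run when both formats are present or when a global address book exists, mirroring the restrictions listed under Running Upgrade and Downgrade Scripts. The sample configuration lines, the regular expressions, and the function names are assumptions made for the example.

```python
"""Illustrative converter between the two SRX address-book configuration formats.

Added, hypothetical example for these release notes; it is NOT Juniper's
upgrade or downgrade operation script. It works on "set"-style configuration
lines and mirrors the preconditions the notes state for the real scripts:
it refuses to run when both formats are present or when a global address
book exists. New book names follow the documented "<zone>-address-book" pattern.
"""
import re

# Zone-defined format (Junos OS 11.1 and earlier; still the default in 12.1):
#   set security zones security-zone <zone> address-book <rest>
ZONE_DEFINED = re.compile(r"^set security zones security-zone (\S+) address-book (.+)$")
# Zone-attached format (Junos OS 12.1 and later), including the attach statement:
#   set security address-book <book> <rest>
#   set security address-book <book> attach zone <zone>
ZONE_ATTACHED = re.compile(r"^set security address-book (\S+) (.+)$")
ATTACH = re.compile(r"^set security address-book (\S+) attach zone (\S+)$")

# Constructed sample configuration for the example (not taken from a real device).
SAMPLE_ZONE_DEFINED = [
    "set security zones security-zone trust address-book address web-server 10.1.1.10/32",
    "set security zones security-zone trust address-book address-set web-servers address web-server",
    "set security zones security-zone untrust address-book address partner-net 203.0.113.0/24",
    "set security policies from-zone trust to-zone untrust policy allow-web match source-address web-servers",
    "set security nat source rule-set rs1 rule r1 match source-address 10.1.1.0/24",
]


class AddressBookFormatError(Exception):
    """The configuration does not meet the preconditions for running the scripts."""


def classify(lines):
    """Return (zone_defined_lines, zone_attached_lines, has_global_book)."""
    zone_defined = [l for l in lines if ZONE_DEFINED.match(l)]
    zone_attached = [l for l in lines if ZONE_ATTACHED.match(l)]
    has_global = any(ZONE_ATTACHED.match(l).group(1) == "global" for l in zone_attached)
    return zone_defined, zone_attached, has_global


def scripts_can_run(lines):
    """True when neither restriction applies: no global book, and not both formats at once."""
    zone_defined, zone_attached, has_global = classify(lines)
    return not has_global and not (zone_defined and zone_attached)


def _require_preconditions(lines):
    zone_defined, zone_attached, has_global = classify(lines)
    if has_global:
        raise AddressBookFormatError("a global address book exists; the scripts cannot run")
    if zone_defined and zone_attached:
        raise AddressBookFormatError("both address-book formats are present; the configuration "
                                     "cannot be committed, so the scripts cannot run")
    return zone_defined, zone_attached


def upgrade(lines):
    """Zone-defined -> zone-attached. Each zone's entries move into <zone>-address-book,
    which is then attached to that zone. Policies, NAT rules, etc. pass through unchanged."""
    _require_preconditions(lines)
    out, zones = [], []
    for line in lines:
        m = ZONE_DEFINED.match(line)
        if not m:
            out.append(line)
            continue
        zone, rest = m.groups()
        out.append(f"set security address-book {zone}-address-book {rest}")
        if zone not in zones:
            zones.append(zone)
    out.extend(f"set security address-book {z}-address-book attach zone {z}" for z in zones)
    return out


def downgrade(lines):
    """Zone-attached -> zone-defined. The attach statements say which zone(s) each book
    belongs to; a book attached to several zones is copied into each of them."""
    _, zone_attached = _require_preconditions(lines)
    book_zones = {}
    for line in zone_attached:
        m = ATTACH.match(line)
        if m:
            book_zones.setdefault(m.group(1), []).append(m.group(2))
    out = []
    for line in lines:
        m = ZONE_ATTACHED.match(line)
        if not m:
            out.append(line)
            continue
        if ATTACH.match(line):
            continue  # the attach statement has no zone-defined equivalent
        book, rest = m.groups()
        if book not in book_zones:
            raise AddressBookFormatError(f"address book {book} is not attached to any zone")
        out.extend(f"set security zones security-zone {z} address-book {rest}" for z in book_zones[book])
    return out


if __name__ == "__main__":
    for converted in upgrade(SAMPLE_ZONE_DEFINED):
        print(converted)
```

Run against a committed configuration exported with show configuration | display set; the mixed-format and global-book checks are the same conditions under which the real scripts refuse to run, so the converter fails early rather than emitting a configuration the CLI would reject at commit.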

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after.

For example, Junos OS Releases 12.3X48, 15.1X49, 17.3, and 17.4 are EEOL releases. You can upgrade from Junos OS Release 15.1X49 to Release 17.3 or from Junos OS Release 15.1X49 to Release 17.4. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind.

Upgrading from Junos OS Release 17.4 to the successive Junos OS release is supported.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster Feature Guide for Security Devices.

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product.

To determine the features supported on SRX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: https://pathfinder.juniper.net/feature-explorer/