
Junos OS Release Notes for SRX Series


These release notes accompany Junos OS Release 17.4R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 17.4R3 for the SRX Series devices.

Release 17.4R3 New and Changed Features

There are no new features in Junos OS Release 17.4R3 for the SRX Series devices.

Release 17.4R2 New and Changed Features

There are no new features in Junos OS Release 17.4R2 for the SRX Series devices.

Release 17.4R1-S1 New and Changed Features

Junos OS Release 17.4R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/SRX4200, SRX5400, SRX5600, and SRX5800.

Junos OS Release 17.4R1-S1 adds support for the SRX4600 device.

Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 15.1X49-D80 through 15.1X49-D100. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D100 are not available in 17.4 releases.


The Junos OS for SRX Series software documentation includes information about the SRX4600 Services Gateway.

New features for security platforms in Junos OS Release 17.4R1 and Junos OS Release 17.4R1-S1 include:

Chassis Cluster

  • Media Access Control Security (MACsec) (SRX4600)—Starting in Junos OS Release 17.4R1-S1, Media Access Control Security (MACsec) is supported on the HA control and fabric ports of SRX4600 devices in chassis cluster mode to secure the point-to-point Ethernet links between the two nodes of a cluster.

    In the SRX chassis cluster implementation, the control and fabric links carry sensitive traffic between the two nodes (heartbeats, configuration and session state synchronization, and data forwarded between nodes) in clear text, so anyone with access to those links can read or alter it. MACsec is the industry-standard (IEEE 802.1AE) link-layer security protocol: it provides confidentiality, integrity, and replay protection hop by hop on a point-to-point Ethernet link, which defeats passive wiretapping, man-in-the-middle tampering, masquerading, and replay of frames on that link. It protects only the link it is configured on, so it is used in combination with other security protocols to provide end-to-end network security.

    [See Understanding Media Access Control Security (MACsec).]


  • SRX4600 Services Gateway—Starting with Junos OS Release 17.4R1-S1, the SRX4600 Services Gateway is available as a next-generation, high-performance, scalable security services device. The services gateway supports 75-Gbps Internet mix (IMIX) throughput and is suited for large enterprises and small to medium data centers. It provides next-generation firewall capabilities (AppID, UserFW, IPS, UTM, and so on) and advanced threat detection and mitigation capabilities such as SecIntel and Sky ATP. The services gateway has two Intel Xeon processors with 14 cores each.

Platforms and Infrastructure

  • Software support for SRX4600 devices—Starting in Junos OS Release 17.4R1-S1, Junos OS supports the SRX4600 Services Gateway. The SRX4600 device is a high-end dynamic services gateway that consolidates security functionality, networking services, and uncompromised performance for medium to large enterprises. With advanced security and threat mitigation capabilities, the SRX4600 device can be used as a campus edge integrated firewall, data center edge firewall, data center core firewall, LTE security gateway, and Gi/SGi firewall.

    SRX4600 device supports Juniper’s Software-Defined Secure Network (SDSN) framework, including Sky Advanced Threat Prevention (Sky ATP), which is built around automated and actionable intelligence that can be shared quickly to recognize and mitigate threats.

    The SRX4600 device supports the following software features:

    • Stateful firewall

    • Application security suite

    • UTM (Sophos AV, Web filtering, content filtering, and antispam)

    • IDP

    • Advanced anti-malware

    • High availability (Chassis cluster)

      • Dual HA control ports (10G)

      • MACsec support for HA ports

    • Ethernet interfaces through QSFP28 (100G modes), QSFP+ (40G/4x10G modes) and SFP+ (10G mode)

    • IPsec VPN, including AutoVPN and Group VPNv2

    • QoS and network services

    • J-Web

    • Routing policies with multicast

    The SRX4600 dedicates an individual thread to each session, and that thread manages the session and its flow. As a result, the out-of-order packet problems that can occur with concurrent processing are eliminated.

    The installation methods available for SRX4600 devices are Preboot Execution Environment (PXE) boot, a USB install media package, and CLI upgrade.

    You can use the show chassis hardware command to display the part number and the model number of the SRX4600 device.

    You can use the show security ipsec tunnel-distribution command to display the number of VPN tunnels anchored in each thread ID.

    [See Understanding Flow Processing on the SRX4600 Device.]


  • Secure Boot (SRX4600)—Starting in Junos OS Release 17.4R1-S1, Secure Boot, a significant system security enhancement, is introduced. The Secure Boot implementation is based on the UEFI 2.4 standard. The BIOS has been hardened and serves as the core root of trust. BIOS updates, the bootloader, and the kernel are cryptographically protected, so a modified bootloader or kernel is not loaded. Secure Boot is enabled by default on supported platforms.

    [See Feature Explorer and enter Secure Boot.]

Release 17.4R1 New and Changed Features

Junos OS Release 17.4R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/SRX4200, SRX5400, SRX5600, and SRX5800.

Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 15.1X49-D80 through 15.1X49-D100. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D100 are not available in 17.4 releases.


  • H.323 gateway-to-gateway support (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, the gateway-to-gateway call feature is supported on the H.323 ALG. This feature introduces one-to-many mapping between an H.225 control session and H.323 calls as multiple H.323 calls go through a single control session.

    [See Understanding H.323 ALG.]

  • NAT64 support for H.323 ALG (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, the H.323 ALG supports NAT64 rules in an IPv6 network.

    [See Understanding H.323 ALG.]

Application Security

  • Advanced policy-based routing (APBR) with midstream support (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, SRX Series Services Gateways support advanced policy-based routing (APBR) with an additional enhancement to apply the APBR in the middle of a session (midstream support). With this enhancement, you can apply APBR for a non-cacheable application and also for the first session of the cacheable application.

    You can fine-tune the outbound traffic with APBR configuration (for example, limiting route changes and terminating sessions) to avoid issues such as excessive transitions due to frequent route changes.

    The enhancement provides more flexible traffic-handling capabilities that offer granular control for forwarding packets.

    [See Understanding Advanced Policy-Based Routing.]

  • Application tracking enhancements to support category and subcategory (SRX Series, vSRX instances)—Starting in Junos OS Release 17.4R1, AppTrack session create, session close, and volume update logs include two new fields, category and subcategory. AppTrack syslog messages previously identified only the application; carrying the application's category and subcategory in the message lets log consumers group and filter sessions by application class without a separate lookup.

    [See Understanding AppTrack.]

Authentication and Access

  • User firewall support for IPv6 (SRX Series, vSRX instances)—Starting in Junos OS Release 17.4R1, SRX Series devices support IPv6 addresses for user firewall (UserFW) authentication. This feature allows IPv6 traffic to match any security policy configured for source identity. Previously, if a security policy was configured for source identity and “any” was specified for its IP address, the UserFW module ignored the IPv6 traffic. IPv6 addresses are supported for the following authentication sources:

    • Active directory authentication table

    • Device identity with active directory authentication

    • Local authentication table

    • Firewall authentication table

    [See Overview of Integrated User Firewall.]

Chassis Cluster

  • Preemptive delay timer (SRX Series)—Starting with Junos OS Release 17.4R1, a failover delay timer is introduced on SRX Series devices in a chassis cluster to limit the flapping of redundancy group state between the secondary and the primary nodes in a preemptive failover.

    Back-to-back failovers of a redundancy group in a short interval can cause the cluster to exhibit unpredictable behavior because of flapping of the active and backup systems.

    To prevent this, a delay timer can be configured to postpone the preemptive failover for a configured period of between 1 and 21,600 seconds. In addition, you can configure a preempt limit to restrict the number of failovers (1 to 50) in a given period (1 to 1440 seconds) when preemption is enabled for a redundancy group.

    This enhancement enables the administrator to introduce a failover delay, which can reduce the number of failovers and result in a more stable network state due to the reduction in active / backup flapping within the redundancy group.

    [See Understanding Chassis Cluster Redundancy Group Failover.]
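As an added configuration example, not taken from these release notes, the following applies the preempt delay and limit to redundancy group 1 of a two-node cluster. The group number, node priorities, and timer values are illustrative choices within the ranges stated above.

```junos
# Node 0 is the preferred primary for redundancy group 1; with preempt enabled
# it takes the group back after it recovers from a failure.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
# Wait 300 s after the higher-priority node returns before failing back to it,
# and allow at most 3 preemptive failovers in any 900 s window
# (ranges per the 17.4R1 note: delay 1-21600 s, limit 1-50, period 1-1440 s).
set chassis cluster redundancy-group 1 preempt delay 300
set chassis cluster redundancy-group 1 preempt limit 3
set chassis cluster redundancy-group 1 preempt period 900
```

After commit, show chassis cluster status redundancy-group 1 confirms that preempt is enabled and which node is primary, and show chassis cluster information lists the redundancy-group failover history, which is where repeated preemptive failovers show up. Choose the delay to exceed the time a recovering node needs to finish synchronizing state; otherwise preemption moves traffic onto a node that is not yet ready, which is exactly the flapping the timer is meant to prevent.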

Class of Service (CoS)

  • Support for CoS on dl0 interface on SRX320, SRX340, SRX345, and SRX550M devices—Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can configure the following class-of-service (CoS) features on the dl0 interface for 4G wireless modems: behavior aggregate classifiers, multifield classifiers, policers, shapers, schedulers, and rewrite rules. The dialer interface, dl0, is a logical interface for configuring properties for modem connections.

    [See LTE Mini-PIM Overview.]

  • Support for CoS on logical tunnel interfaces in a chassis cluster on SRX300, SRX320, SRX340, SRX345, and SRX550M devices—Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, queuing is supported on logical tunnel (lt) interfaces to allow CoS configuration.

    [See CoS Queuing for Tunnels Overview.]

  • Support for port-based egress traffic shaping and policing on SRX Series devices—Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can configure egress traffic shaping and policing at the physical port level, which limits the egress traffic rate of all logical interfaces on the port.

    [See shaping-rate (CoS Interfaces).]

Flow-based and Packet-based Processing

  • Hash-based session distribution (SRX5400, SRX5600, SRX5800)—Starting with Junos OS Release 17.4R1, traffic is hashed and distributed to different SPUs by the IOC, based on a hash-based session distribution algorithm. This enhancement provides an even hash distribution among all SPUs by using a larger fixed-length hash table. In earlier Junos OS releases, the traffic distribution was uneven among all SPUs in some cases due to a smaller fixed-length hash table.

    [See Understanding Load Distribution in SRX5800, SRX5600, and SRX5400 Devices and vSRX.]


  • Support for GTP handover group (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 devices and vSRX instances)—Starting with Junos OS Release 17.4R1, GTP handover group configuration is supported on GTP profiles. An administrator can configure a GTP profile and associate a GTP handover group to a GTP profile.

    A GTP handover group is a set of SGSNs or serving gateways (SGWs) that share a common address-book library. When a GTP profile references a handover group, the device checks whether the current SGSN/SGW address and the proposed SGSN/SGW address belong to the same handover group. If they do, the handover is allowed; if they do not, the profile for the default handover group is used.

    This feature enables the administrator to define policies that determine whether handover can happen between individual SGSNs/SGW and/or groups of SGSNs/SGW for roaming.

    [See GTP Handover Group Overview.]


  • SRX345 Services Gateway (DC power supply model)—The SRX345 Services Gateway now includes a DC model. The DC model has a single internal power supply, which is not field-replaceable. The DC model supports the same features as those supported on the existing SRX345 Services Gateways. The minimum Junos OS release supported on the DC model is 17.4R1. The services gateway can be managed using the CLI, Junos Space, and J-Web.

    [See SRX345 Services Gateway Description.]

Interface and Chassis

  • MACsec support (SRX300, SRX320, SRX340, and SRX345)—Starting in Junos OS Release 17.4R1, Media Access Control Security (MACsec) is supported on all MACsec-capable ports of SRX300, SRX320, SRX340, and SRX345 devices.

    On SRX300 line devices MACsec is supported on the following ports:

    • SRX300 and SRX320: 2 ports (on two fixed SFP interfaces.)

    • SRX340 and SRX345: 16 ports (on eight fixed SFP interfaces + eight fixed Ethernet ports)

    [See Understanding Media Access Control Security (MACsec).]
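As an added example, not taken from these release notes, the following configures a static-CAK MACsec connectivity association on one fixed port of an SRX340-line device. The association name ca-uplink, the interface ge-0/0/0, and the CKN and CAK values are placeholders chosen for illustration; the keys are not real and must not be reused. The peer at the other end of the link needs the same CKN/CAK pair.

```junos
# Added example: static-CAK MACsec on a fixed SRX340 port (placeholder names and keys).
set security macsec connectivity-association ca-uplink security-mode static-cak
set security macsec connectivity-association ca-uplink cipher-suite gcm-aes-128
# CKN is a 64-hex-digit key name, CAK a 32-hex-digit (128-bit) key.
# Both values below are placeholders for illustration only; generate real ones randomly.
set security macsec connectivity-association ca-uplink pre-shared-key ckn 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
set security macsec connectivity-association ca-uplink pre-shared-key cak 0123456789abcdef0123456789abcdef
# Replay protection with a zero window rejects any frame that arrives out of order.
set security macsec connectivity-association ca-uplink replay-protect replay-window-size 0
# Bind the association to the port; MKA then derives the per-session keys from the CAK.
set security macsec interfaces ge-0/0/0 connectivity-association ca-uplink
```

Verify with show security macsec connections, which should show a secure channel in both directions for ge-0/0/0, and show security macsec statistics interface ge-0/0/0, where the encrypted and protected frame counters should rise with no replay or integrity failures. The CAK is the link's long-term secret: generate it from a strong random source, distribute it out of band, and note that Junos stores it encrypted in the committed configuration. On an SRX4600 chassis cluster the HA port associations use the same statements, but, as the 17.4R3 change later in these notes states, the cluster must be disabled before they are added or changed.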

  • PPPoE support on SRX Series and vSRX devices—Starting in Junos OS Release 17.4R1, SRX series devices and vSRX support Point-to-Point Protocol over Ethernet (PPPoE). You can connect multiple hosts on an Ethernet LAN to a remote site through a single customer premises equipment (CPE) device. The hosts share a common digital subscriber line (DSL), a cable modem, or a wireless connection to the Internet.

    [See Understanding PPPoE Interfaces.]

  • RFC 4638 support for SRX300, SRX320, SRX340, SRX345, and SRX550M devices—Starting in Junos OS Release 17.4R1, you can use the PPP-Max-Payload option to override the default behavior of the PPPoE client by specifying the maximum PPP payload size supported in both the sending and receiving directions. The PPPoE server might then allow the negotiation of an MRU larger than 1492 bytes and the use of an MTU larger than 1492 bytes.

    [See Understanding MTU and MRU Configuration for PPP Subscribers.]

Installation and Upgrade

  • Upgraded FreeBSD support (SRX1500, SRX4100, SRX4200, and vSRX instances)—Starting with Junos OS Release 17.4R1, the Junos Control Plane (JCP) virtual machine (VM) on these SRX Series devices is upgraded to FreeBSD 11. Two virtual CPUs (vCPUs) are allocated to the JCP VM in the Linux host to improve Routing Engine performance on SRX4100 and SRX4200 devices and vSRX instances. For vSRX, additional vCPUs are allocated if you assign more CPUs than the minimum required. For SRX1500 devices, no additional CPUs are available to allocate to the JCP VM.

    [See Understanding Junos OS with Upgraded FreeBSD for SRX Series Devices.]

Logical System

  • Logical system (LSYS) support (SRX1500)—Starting in Junos OS Release 17.4R1, the logical system feature is supported on SRX1500 devices in addition to the existing support on SRX Series devices such as SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800. A logical system provides virtualization on a device that is partitioned into multiple logical administrative segments. Each segment can have its own security, routing, and bridging attributes.

    [See Understanding Logical Systems for SRX Series Services Gateways.]


  • Support for multiple, smaller configuration YANG modules (SRX Series)—Starting in Junos OS Release 17.4R1, the YANG module for the Junos OS configuration schema is split into a root configuration module that is augmented by multiple, smaller modules. The root configuration module comprises the top-level configuration node and any nodes that are not emitted as separate modules. Separate, smaller modules augment the root configuration module for the different configuration statement hierarchies. Smaller configuration modules enable YANG tools and utilities to more quickly and efficiently compile and work with the modules, because they only need to import the modules required for the current operation.

    [See Understanding the YANG Modules That Define the Junos OS Configuration.]


  • Source NAT resource allocation improved (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 17.4R1, source NAT resources handled by the central point architecture have been offloaded to the SPUs when the SPC number is more than four, resulting in more efficient resource allocation.

    [See Understanding Central Point Architecture Enhancements for NAT.]

Routing Policy and Firewall Filters

  • Maximum number of addresses per security policy increased (SRX550M)—Starting in Junos OS Release 17.4R1, the maximum number of addresses per policy has been increased from 1024 to 2048 for SRX550M. SRX300, SRX320, SRX340 and SRX345 devices already support 2048 source and 2048 destination addresses per policy.

Routing Protocols

  • Support for EBGP route server (SRX Series)—Starting in Junos OS Release 17.4R1, BGP is enhanced to support EBGP route server functionality. A BGP route server is the external BGP (EBGP) equivalent of an internal BGP (IBGP) route reflector; it reduces the number of direct point-to-point EBGP sessions required in a network. An EBGP route server propagates unmodified BGP routing information between external BGP peers to facilitate high-scale exchange of routes at peering points such as Internet Exchange Points (IXPs). When BGP is configured as a route server, EBGP routes are propagated between peers unmodified, with full attribute transparency (NEXT_HOP, AS_PATH, MULTI_EXIT_DISC, AIGP, and Communities).

    The BGP JET bgp_route_service.proto API has been enhanced to support route server functionality as follows:

    • Program the EBGP route server.

    • Inject routes to the specific route server RIB for selectively advertising it to the client groups in client-specific RIBs.

    The BGP JET bgp_route_service.proto API includes a peer-type object that identifies individual routes as either EBGP or IBGP (default).

    [See BGP Route Server Overview.]

System Logging

  • Support for log warning messages on throughput overuse (SRX4100)—Starting with Junos OS Release 17.4R1, when Internet mix (IMIX) throughput exceeds the limitation for an SRX4100 device, new log warning messages are logged. These log warning messages remind you that there is throughput overuse.

    [See Log File Sample Content.]

  • On-box reporting enhancements (SRX Series, vSRX instances)—Starting in Junos OS Release 17.4R1, SRX4600 devices support the on-box reporting feature, which is already supported on SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200 devices and vSRX instances. Also, the on-box reports are now enhanced to provide comprehensive and detailed reports.

    The on-box reporting feature now provides the following enhancements:

    • AppTrack API gets information on application category, subcategory, and risk level. An RTLOG module uses this API to get and send information to the local log management process (daemon).

    • Reports for applications, categories, subcategories, risk levels, and botnet threats are now by count and volume.

    • Application information is generated in UTM log reports.

    • Logs can now be listed from latest to oldest. Previously, logs were sorted only from oldest to latest.

    • SRX4600 devices now have a hard disk partition available to save traffic logs.

    [See Understanding On-Box Logging and Reporting.]


  • UDP flood screen whitelist (SRX300, SRX320, SRX340, SRX345, SRX1400, SRX4100, and SRX4200 devices, and vSRX instances)—Starting with Junos OS Release 17.4R1, a UDP flood whitelist mechanism is implemented on SRX300, SRX320, SRX340, SRX345, SRX1400, SRX4100, and SRX4200 devices, and vSRX instances.

    When the UDP flood screen is enabled in a zone, all UDP traffic entering that zone is subject to UDP flood detection, and UDP packets above the configured threshold are dropped. To let trusted sources bypass this detection instead of having their packets dropped, you can configure a UDP flood whitelist: traffic from the addresses in the whitelist groups skips the UDP flood check. Both IPv4 and IPv6 addresses are supported, as single addresses or subnets. A maximum of 32 whitelist groups is supported, with up to 32 IPv4 or IPv6 addresses per group. Because the bypass keys only on the source address, a flood that spoofs a whitelisted source also bypasses the check, so keep the lists to sources whose addresses cannot be spoofed from the untrusted side.

    [See Understanding Whitelists for UDP Flood Screens.]
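As an added example, not from these release notes, the following enables the UDP flood screen on the untrust zone and exempts a group of trusted sources from it. The screen and white-list names, the threshold, and the addresses (taken from documentation ranges) are illustrative; IPv6 addresses are entered with the same address statement.

```junos
# Trusted sources that legitimately send UDP bursts, for example the DNS and
# monitoring hosts reached through the untrust zone (constructed addresses).
set security screen white-list udp-trusted address 192.0.2.53/32
set security screen white-list udp-trusted address 198.51.100.0/24
# UDP flood screen: drop UDP above 2000 packets per second toward a destination,
# except when the source is in the udp-trusted white-list.
set security screen ids-option untrust-screen udp flood threshold 2000
set security screen ids-option untrust-screen udp flood white-list udp-trusted
# The exemption keys only on the source address, so also reject packets whose
# source is not reachable through the ingress interface (IP spoofing check).
set security screen ids-option untrust-screen ip spoofing
# Attach the screen to the zone on which the flood would arrive.
set security zones security-zone untrust screen untrust-screen
```

show security screen ids-option untrust-screen displays the effective settings, and show security screen statistics zone untrust counts UDP flood drops so you can confirm that whitelisted sources are no longer being dropped. Pairing the white-list with the ip spoofing check matters: without it, an attacker who can spoof a whitelisted address gets a free pass through the flood screen. Stay within the limits from the note above (32 groups of at most 32 addresses each) and review the lists when the trusted hosts change.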


  • Custom URL category support for SSL forward proxy (SRX Series)—Starting with Junos OS Release 17.4R1, the whitelisting feature is extended to include custom URL categories supported by UTM in the whitelist configuration of SSL forward proxy. In this implementation, the Server Name Indication (SNI) field is extracted by the UTM module from client hello messages to determine the URL category. SNI is an extension of the SSL/TLS protocol. Each URL category has a unique ID. The list of URL categories in the whitelist is parsed and the corresponding category IDs are pushed to the Packet Forwarding Engine for each SSL forward proxy profile. The SSL forward proxy then determines through APIs whether to accept the proxy or to ignore the session.

    [See SSL Proxy Overview.]

  • Enhanced Web Filtering (EWF) reputation and categorization behavior support for EWF categories (SRX Series)—Starting in Junos OS Release 17.4R1, predefined base filters, defined in a category file, are supported for individual EWF categories. Each EWF category has a default action in a base filter, which is attached to the user profile and acts as a backup filter: if a category is not configured in the user profile, the base filter's action applies. Online upgrade of base filters is also supported. In addition, users can apply global reputation values provided by the Websense ThreatSeeker Cloud (TSC). For URLs that have no category, the global reputation value is used to perform filtering, and from this release onward the reputation base scores are configurable.

    [See Understanding Enhanced Web Filtering Process.]

  • Local Web filtering enhancement to support custom category configuration (SRX Series)—Starting from Junos OS Release 17.4R1, support for custom category configuration is available for EWF, local, and Websense redirect profiles. The custom-message option is also supported in a category for local Web filtering and Websense redirect profiles. You can create multiple URL lists (custom categories) and apply them to a UTM Web filtering profile with actions such as permit, permit and log, block, and quarantine.

    To create a global whitelist or blacklist, apply a local Web filtering profile to a UTM policy and attach it to a global rule.

    [See Understanding Local Web Filtering.]

  • Support for new Websense EWF categories (SRX Series)—Starting from Junos OS Release 17.4R1, you can download and dynamically load new Enhanced Web Filtering (EWF) categories. The downloading and dynamic loading of the new EWF categories do not require a software upgrade. Websense occasionally releases new EWF categories. EWF classifies websites into categories according to host, URL, or IP address and performs filtering based on the categories.

    [See Understanding Redirect Web Filtering.]


  • Increased number of IKE security associations supported (SRX5600, SRX5800)—Starting in Junos OS Release 17.4R1, an SRX5600 with 5 SPC2 cards or an SRX5800 with 10 SPC2 cards can support up to 50,000 IKE security associations (SAs) for AutoVPN networks in point-to-point secure tunnel mode with multiple traffic selectors (each SPC2 card supports up to 20,000 IKE SAs, that is, 5,000 IKE SAs per SPU). There are no configuration changes.

    [See Understanding AutoVPN.]

  • IPv6 address support for point-to-point AutoVPN networks that use traffic selectors (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, AutoVPN networks that use secure tunnel interfaces in point-to-point mode support IPv6 addresses for traffic selectors and for IKE peers.


    IPv6 addresses are not supported for AutoVPN networks in point-to-multipoint secure tunnel mode.

    [See Understanding AutoVPN and Understanding AutoVPN with Traffic Selectors.]

  • IPsec VPN performance optimization (SRX5400, SRX5600, SRX5800)—Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled. Session affinity is enabled with the set security flow load-distribution session-affinity ipsec command, while performance acceleration is enabled with the set security flow ipsec-performance-acceleration command.

    [See Accelerating the IPsec VPN Traffic Performance and Understanding VPN Session Affinity.]

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 17.4R3.

Release 17.4R3 Changes in Behavior and Syntax

Application Security

  • Starting in Junos OS Release 17.4R3, you can configure automatic updates of the application signature package using a new time format. You now use the YYYY-MM-DD.hh:mm format to set the time at which the automatic download of application signatures starts. For example, the following statement sets the start time to 10 AM on June 30, 2019:

    You can configure automatic updates in the new format once you upgrade from an earlier Junos OS release to a release that supports it.

Authentication and Access Control

  • Enhanced output for show security firewall-authentication jims statistics (SRX Series)—Starting in Junos OS Release 17.4R3, the output for the show security firewall-authentication jims statistics operational command is enhanced to display the statistics of both the primary and secondary JIMS servers. For example, the show security firewall-authentication jims statistics operational command displays the following sample output:

    [See show security firewall-authentication jims statistics.]

Chassis Clustering

  • MACsec on chassis cluster (SRX4600)—Starting in Junos OS Release 17.4R3, adding a MACsec configuration to a chassis cluster port, or modifying an existing one, requires the chassis cluster to be disabled first; otherwise the commit displays the warning message Modifying cluster control port CA will break chassis cluster. Once the cluster is disabled, apply the configuration and then enable the chassis cluster again.

    [See Configuration Considerations When Configuring MACsec on Chassis Cluster Setup.]

  • Chassis cluster with SPC (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 17.4R3, an SPC that hosts both the control plane and the control port is treated as the single point of failure it is: if that SPC goes down on the primary node, the node is automatically rebooted to avoid a split-brain condition.

    [See Connecting SRX Series Devices to Create a Chassis Cluster.]

Network Management and Monitoring

  • NSD Restart Failure Alarm (SRX Series)—Starting in Junos OS Release 17.4R3, a system alarm is triggered when the Network Security Process (NSD) is unable to restart due to the failure of one or more NSD subcomponents. The alarm logs about the NSD are saved in the messages log. The alarm is automatically cleared when NSD restarts successfully.

    The show chassis alarms and show system alarms commands are updated to display the following alarm when NSD is unable to restart: NSD fails to restart because subcomponents fail.

    [See Alarm Overview.]

  • The NETCONF server omits warnings in RPC replies when the rfc-compliant statement is configured and the operation returns <ok/> (SRX Series)—Starting in Junos OS Release 17.4R3, when you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level to enforce certain behaviors by the NETCONF server, if the server reply after a successful operation includes both an <ok/> element and one or more <rpc-error> elements with a severity level of warning, the warnings are omitted. In earlier releases, or when the rfc-compliant statement is not configured, the NETCONF server might issue an RPC reply that includes both an <rpc-error> element with a severity level of warning and an <ok/> element.

User Access and Authentication

  • SSH protocol version v1 option deprecated from CLI (SRX Series)—Starting in Junos OS Release 17.4R3, the insecure SSH protocol version v1 option is no longer available at the [edit system services ssh protocol-version] hierarchy level. SSH protocol version v2 is the default option for remotely managing systems and applications. Removing the v1 option keeps Junos OS compatible with OpenSSH 7.4 and later versions, which no longer support protocol version 1.

    Junos OS Release 17.4R2 and earlier releases supported the SSH protocol version v1 option to remotely manage systems and applications.

    [See protocol-version.]

  • Enabling and disabling SSH login password or challenge-response authentication (SRX Series)—Starting in Junos OS Release 17.4R3, you can disable either the SSH login password or challenge-response authentication at the [set system services ssh] hierarchy level.

    In Junos OS releases earlier than Release 17.4R3, you can enable or disable both SSH login password and challenge-response authentication simultaneously at the [set system services ssh] hierarchy level.

    [See Configuring SSH Service for Remote Access to the Router or Switch.]
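As an added example, not from these release notes, the following hardens remote management in line with the two SSH changes above: it pins protocol version 2, denies root login, and disables password authentication while leaving challenge-response enabled for operators whose RADIUS or TACACS+ login uses a keyboard-interactive exchange. The connection and rate limits are illustrative values, and the statement names no-passwords and no-challenge-response are the ones this editor expects under [edit system services ssh]; this page names the hierarchy but not the statements.

```junos
# Version 1 is gone from the CLI in 17.4R3; pin v2 so the intent is explicit in the config.
set system services ssh protocol-version v2
# No direct root logins over SSH; operators log in as named users and escalate.
set system services ssh root-login deny
# Key-based logins only: disable password authentication. Challenge-response stays
# enabled so keyboard-interactive logins through RADIUS/TACACS+ keep working.
set system services ssh no-passwords
# If every login is key-based, disable challenge-response as well (assumed statement name):
# set system services ssh no-challenge-response
# Bound concurrent sessions and the rate of new connections per minute.
set system services ssh connection-limit 10
set system services ssh rate-limit 5
```

Confirm with show configuration system services ssh after commit, and test a fresh login from a second session before closing the one you configured from: with no-passwords set, any account that has no public key under [edit system login user <name> authentication] can no longer log in over SSH (console access is unaffected). In releases before 17.4R3, per the note above, password and challenge-response authentication could only be switched together, so a configuration that disables just one of them will not load on an earlier release.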

Release 17.4R2 Changes in Behavior and Syntax

Chassis Cluster

  • IP monitoring—Starting with Junos OS Release 17.4R2, on all SRX Series devices, if the reth interface is in a bundled state, IP monitoring for redundancy groups is not supported on the secondary node. This is because the secondary node sends its reply from the lowest-numbered port in the bundle, which has a different physical MAC address, so the reply is not received on the physical port from which the request was sent. If the reply arrives on another interface of the bundle, the internal switch drops it.

  • Power Entry Module—When you use a DC PEM on SRX Series devices operating in chassis cluster mode, the output of the show chassis power command showed DC input: 48.0 V input (57000 mV). The value 48.0 V input is a fixed string and must not be read as a measured input voltage; the DC PEM accepts an input voltage in the range of 40 to 72 V. The millivolt value in parentheses is measured, but it is not the input: it is the actual output value of the PEM, and it varies. Starting with Junos OS Release 17.4R2, the DC input: line in show chassis power output and the Voltage: line in show chassis environment pem output are removed for each PEM.

  • SRX5400, SRX5600, and SRX5800 devices operating in a chassis cluster might encounter an em0 or em1 interface link failure on either node, which results in a split-brain condition, that is, the two nodes are unable to detect each other. Starting with Junos OS Release 17.4R2, if the failure occurs on the secondary node, the secondary node is moved to the disabled state.

    This solution does not cover the following cases:

    • em0 or em1 failure on primary node

    • HA process restart

    • Preempt conditions

    • Control link recovery

Intrusion Detection and Prevention (IDP)

  • Custom Attack (SRX Series)—Starting with Junos OS Release 17.4R2, the maximum number of characters allowed for a custom attack object name is 60. You can validate the limit by using the set security idp custom-attack CLI command.

Forwarding and Sampling

  • Support for Address Resolution Protocol (ARP) throttle and ARP detect [SRX5400, SRX5600, and SRX5800]—Starting in Junos OS Release 17.4R2, an ARP throttling mechanism is introduced for SRX Series devices.

    Excessive ARP processing results in high utilization of Routing Engine CPU resources, resulting in deprivation of CPU resources to other Routing Engine processes. To provide protection against excessive ARP processing, you can now use the following configuration statements:

    • edit forwarding-options next-hop arp-throttle seconds

    • edit forwarding-options next-hop arp-detect milliseconds


    We recommend that only advanced Junos OS users attempt to configure the ARP throttle and ARP detect feature. An improper configuration could result in high CPU utilization of the Routing Engine, which could affect other processes on your device.

    [See arp-throttle and arp-detect.]

System Logging

  • System log host support (SRX300, SRX320, SRX340, SRX345 Series devices)—Starting in Junos OS Release 17.4R2, when the device is configured in stream mode, you can configure a maximum of eight system log hosts.

    In Junos OS Release 17.4R1 and earlier releases, you can configure only three system log hosts in stream mode. If you configure more than three system log hosts, the following error message is displayed: error: configuration check-out failed.

User Interface and Configuration

  • Junos OS prohibits configuring ephemeral configuration database instances that use the name default (SRX Series)—Starting in Junos OS Release 17.4R2, user-defined instances of the ephemeral configuration database, which are configured using the instance instance-name statement at the [edit system configuration-database ephemeral] hierarchy level, do not support configuring the name default.


Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 17.4R3 for the SRX Series.

Authentication and Access

  • On SRX Series devices with 256K user firewall authentication entries, in the case of a failover or a Packet Forwarding Engine restart, the show services user-identification command generates a response timeout. This timeout lasts for at least 10 minutes. PR1302269

Chassis Clustering

  • On all SRX Series devices, if you enable IP monitoring for redundancy groups, the feature might not work properly on the secondary node if the reth interface has more than one physical interface configured. This is because the backup node sends traffic using the MAC address of the lowest port in the bundle. If the reply does not come back on the same physical port, the internal switch drops it. PR1344173

  • SRX5400, SRX5600, and SRX5800 devices operating in a chassis cluster might encounter an em0 or em1 interface link failure on either of the nodes, which results in a split-brain condition. That is, both devices are unable to detect each other. If the failure occurs on the secondary node, the secondary node is moved to the disabled state.

    The following cases are not covered:

    • em0 or em1 failure on primary node

    • HA process restart

    • Preempt conditions

    • Control link recovery

J-Web

  • On SRX Series devices, you cannot view the custom log files created for event logging in J-Web. PR1280857

  • On SRX550M and SRX1500 devices, there is no option to configure Layer 2 firewall filters from J-Web, irrespective of the device mode. PR1138333

  • On SRX Series devices in a chassis cluster, if you want to use J-Web to configure and commit the configurations, you must ensure that all other user sessions are logged out including any CLI sessions. Otherwise, the configurations might fail. PR1140019

  • Report generation works in the Internet Explorer and Chrome browsers. To generate a report in Firefox, delete the existing Firefox profile and relaunch Firefox with a new profile. PR1303722

  • Uploading a certificate by using the Browse button stores the certificate on the device at the /jail/var/tmp/uploads/ location. The certificate is deleted when you execute the request system storage cleanup command. PR1312529

  • The values of address and address-range are not displayed in the Inline address-set creation pop-up window of Juniper Identity Management Service (JIMS). PR1312900

Layer 2 Ethernet Services

  • On SRX Series devices, the PPPoE and DHCPv6 cannot work together on the pp0 interface. PR1229836

Platform and Infrastructure

  • On SRX4600 devices, the USB disk is not made available to Junos OS. However, the USB disk is available for host OS (Linux) with full access. USB is still used in the booting process (install and recovery functions). PR1283618

  • On SRX Series devices, when you perform a downgrade from a Junos OS release with upgraded FreeBSD (Junos OS Release 17.3 or later for SRX5000 Series devices, Junos OS Release 17.4 or later for SRX1500, SRX4100, and SRX4200 devices) to Junos OS Release 15.1X49, use the force option with the request system software add command. If you do not use the force option, an error message is displayed indicating that you have not used the option. Note that in such a downgrade, the configuration and other files might be lost from the device because of file system repartitioning. PR1350558

User Interface and Configuration

  • In a few SRX Series setups, committing a configuration that contains a large number of logical system configurations can take longer than usual, because backing up the previous configurations might take longer to finish. PR1339862

VPNs

  • On SRX5400, SRX5600, and SRX5800 devices, when CoS is enabled on the st0 interface and the incoming traffic rate destined for the st0 interface is higher than 300,000 packets per second (pps) per SPU, the device might drop some high-priority packets internally and shaping of outgoing traffic might be affected. We recommend that you configure an appropriate policer on the ingress interface to limit the traffic to below 300,000 pps per SPU. PR1239021

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 17.4R3.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Chassis Clustering

  • On SRX340 and SRX345 devices, the Media Access Control Security (MACsec) on a physical port might not initialize correctly when a new node is joined to chassis cluster, which might lead the chassis cluster to be in a split-brain condition. PR1396020

Flow-Based and Packet-Based Processing

  • On an SRX4600 device, the output of show route forwarding-table displays the next-hop IP address twice if the next hop is an st0 interface. Routing functionality is not affected. PR1290725

  • When both chassis cluster and PIM sparse mode are configured on SRX Series devices, a multicast session leak occurs on the secondary CP when PIM register messages are received. PR1360373

  • On SRX Series devices, when flow traceoptions with a packet filter are enabled, traces of other sessions that do not match the packet filter might be captured in the logs. In addition, after the packet filters are removed, traces continue to be written to the log file for a short time (less than 30 seconds). PR1367124

  • In a multithreaded environment, the services offload counters sometimes show incorrect values. This is a multithreading issue: more than one thread can sometimes decrement the counter. PR1381312

  • On SRX Series devices in a chassis cluster in which Z-mode traffic and local (non-reth) interfaces are configured, when ECMP routing is used between multiple interfaces residing on both node0 and node1, if a session is initiated through one node and the return traffic comes in through the other node, packets might be dropped because of a reroute failure. PR1410233

  • On an SRX4600 device, input and output bytes or bps statistic values might not be identical for the same size of packets. PR1415117

  • On SRX Series devices, the syslog severity level of the message “msg subtype is end of policy” is set to “error”, although this message can be ignored. The severity level of this message is changed to “Info” to mark it as an ignorable message. PR1435233

Intrusion Detection and Prevention (IDP)

  • On SRX Series devices in chassis cluster mode, the IDP signature update might sometimes fail on one node because the AppID process gets stuck while unzipping the downloaded signature file. PR1336145

  • When IDP signature automatic update is scheduled, the secondary node might fail to upgrade the signature pack. PR1358489

J-Web

  • On SRX Series devices, the root password configured at first J-Web access (Skip to J-Web feature) does not work if the password length is shorter than 8 characters. PR1371353

Platform and Infrastructure

  • On SRX300, SRX320, SRX340, and SRX345 devices, if power outages occur too many times in a short period of time, the device might end up stuck at the loader prompt. This is resolved by upgrading the boot loader from a Junos OS Release 15.1X49-D110 or later image by using the request system firmware upgrade re bios command and then rebooting the device. PR1292962

  • On SRX1500, SRX4100, SRX4200, and vSRX platforms with packet-capture configured, packet capture does not work after you change, delete, or add the maximum capture size. PR1304723

  • In Junos OS Release 17.4R1, the 1-Gigabit interface is not supported for an SRX4600 platform. PR1315073

  • On SRX5600 and SRX5800 devices in a chassis cluster, when a second Routing Engine is installed to enable dual control links, the show chassis hardware operational command might show the same serial number for the second Routing Engine on both nodes. PR1321502

  • On SRX5400, SRX5600, and SRX5800 devices, the EM interface is an internal interface. If the EM interface is down, the control link is lost and the device cluster is in an abnormal status. PR1342362

  • On an SRX1500 device, the activity LED (right LED) for the 1-Gigabit Ethernet and 10-Gigabit Ethernet ports (xe-0/0/16 through xe-0/0/19) does not light up when the interface is up and passing traffic correctly. PR1380928

  • In a chassis cluster redundancy group failover scenario, on SRX5600 and SRX5800 devices, if the failover is caused by interface monitoring failure, the failover on the Packet Forwarding Engine side (that is data plane) might be slow (for example, impact on BFD session up to several seconds). This issue might result in protocol and traffic outage. PR1385521

  • On SRX550M devices, when encapsulation flexible-ethernet-services is configured together with LACP protocol on aggregated Ethernet (AE) interfaces, the interface does not come up. PR1448161

VPNs

  • IPsec uses ESP as the default protocol in IPsec proposal, if the administrator does not explicitly configure the protocol. However, this is not indicated as such in the schema for Security Director. PR1061838

  • When an SRX Series device is an IPsec VPN initiator behind a NAT device, disabling NAT on the NAT device causes the next IKE negotiation to fail because UDP port 4500 is still in use. Use the CLI command clear security ike security-associations to recover and successfully establish a new IKE SA on UDP port 500. PR1273213

  • If multiple traffic selectors are configured for a peer with Internet Key Exchange version 2 (IKEv2) reauthentication, only one traffic selector is rekeyed at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors will be cleared without immediate rekeying. A new negotiation of these traffic selectors is triggered through other mechanisms (for example, by traffic or by a peer). PR1287168

  • On SRX Series devices, with NCP as client, sometimes IKE SA might not be displayed in the CLI output after RG1 failover. PR1352457

  • VPN tunnels might flap when adding or deleting a configuration group on SRX Series devices that are part of a chassis cluster. PR1390831

  • On SRX Series devices, if IPsec VPN is configured with Network Address Translation-Traversal (NAT-T) and the size of an IP packet going into the tunnel is larger than 1400 bytes, IPsec Encapsulating Security Payload (ESP) packets might be received as fragments, indicating that post-fragmentation occurred. However, only pre-fragmentation is expected for the large packets, not post-fragmentation. PR1424937

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases for the SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 17.4R3

Application Layer Gateways (ALGs)

  • The active SIP session on port 5060 is affected after the status of the SIP ALG is changed to disabled. PR1373420

  • DNS requests with EDNS options might be dropped by DNS ALG. PR1379433

  • The SUN RPC data traffic might be dropped after interface-related configuration is changed. PR1387895

  • On SRX Series devices, SIP/FTP ALG does not work when SIP traffic with source NAT goes through the SRX Series device. PR1398377

  • H.323 voice packets might be dropped on SRX devices. PR1400630

  • The TCP reset packet is dropped when any TCP proxy-based feature and rst-invalidate-session are enabled simultaneously. PR1430685

  • When an H.323 packet passes through the same SRX Series device twice through different virtual routers (VRs) rather than logical systems (LSYS), the H.323 ALG source NAT connection might fail, although static NAT connections work fine. As a result, the H.323 connection cannot be established successfully. PR1436449

Application Security

  • Application firewall block message and redirect URL do not work for HTTPS websites. PR1356483

  • Future group membership updates are not recognized by integrated user firewall after a user’s sAMAccountName is changed while the distinguished name (DN) remains the same. PR1394049

  • Packet loss might occur on unrelated traffic when AppQoS rate limiter is applied on SRX4600 and SRX5000 devices using SPC3. PR1394085

  • A permit rule in the application firewall rule set might fail to match. PR1404161

  • Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093

  • The ipfd process might crash if security intelligence feature is configured. PR1425366

  • Automatic application identification download stops after the year rolls over and the device is rebooted. PR1436265

  • The flowd or srxpfe process might crash when advanced anti-malware service is used. PR1437270

  • Security logs cannot be sent to external syslog server through TCP. PR1438834

Chassis Clustering

  • On SRX550 and SRX550M platforms, SFP-T based interfaces may fail to move to Link Up state after a chassis reboot. PR1347874

  • Multiple flowd process files are seen on node1 after an RG0 failover. PR1372761

  • Traffic loss occurs when the primary node is rebooting. PR1372862

  • On SRX Series devices in chassis cluster, if reroute occurs on the IPv4 wings of a NAT64 or NAT46 session, the active node sends RTO message to the backup session to update the rerouted interface. PR1379305

  • Packets might be dropped on SRX Series devices in a chassis cluster environment if sampling or packet capture is configured. PR1379734

  • The flowd process might stop during an ISSU. PR1386522

  • On the SRX4600 platform in a chassis cluster scenario, if four 100-Gigabit Ethernet interfaces are configured on PIC 0, all four interfaces might be in the down state after the reboot that is required for the configuration change to take effect. PR1387701

  • Cluster IDs larger than 10 cause FPCs to remain offline on SRX4600 devices in a chassis cluster. PR1390202

  • GTPv2 Modify Bearer Request packets not containing F-TEID IE in bearer context are dropped during GTP inspection. PR1399658

  • In an SRX Series chassis cluster environment, when a large number of domain names are configured inside security policies and these policies are being used by flow sessions, after an RG0 failover, traffic matching domain name addresses might fail for 3 to 5 minutes. PR1401925

  • The flowd process stops when updating or deleting a GTP tunnel. PR1404317

  • The SRX Series devices might be potentially overwritten with an incorrect buffer address when detailed logging is configured under the GTPv2 profile. PR1413718

  • PDP context response messages containing more than 6 Packet Data Network Gateway (PGW) connections cause the response packet to be dropped. PR1422877

  • RG0 failover sometimes causes FPC offline/present status. PR1428312

Class of Service (CoS)

  • Configuring host-outbound-traffic under class of service might cause certain devices to stop. PR1359767

Flow-based and Packet-based Processing

  • The half-duplex mode is not supported on SRX340 and SRX345 devices. PR1149904

  • On all SRX platforms, an IPsec "replay error" might be seen on the IKE peer in cluster Z mode because the IPsec traffic is encapsulated on the wrong node, which leads to out-of-order ESP packets, and the VPN peer reports a replay error. As a result, IPsec packets might be dropped on the peers. PR1349724

  • IPsec VPN traffic loss is observed in an active-active HA mode. PR1373161

  • False log message /kernel: check_configured_tpids: : default tpid (0x8100) not configured. pic allows maximum of 0 tpids is seen on SRX Series branch devices. PR1373668

  • PIM register message might be dropped on SRX Series devices. PR1378295

  • During a reboot of SRX1500, SRX4100, SRX4200, SRX4600, and vSRX platforms, users cannot enter the boot menu to select the option to recover the password. PR1381653

  • On SRX1500 device, the IPv4 multicast packets might not be broadcast from the IRB interface. PR1385934

  • Large file downloads slow down for many seconds. PR1386122

  • Traffic might be processed by the VRRP backup when multiple VRRP groups are configured. PR1386292

  • VDSL is not stable if there are sudden noises after configuring VDSL SOS feature. PR1387133

  • Display issue in show usp memory segment shm data module and show jsf shm module vty fwdd commands on SRX Series branch devices. PR1387711

  • On the SRX4600 platform, when the same UDP source port is used for multiple flows, the traffic using that source port might stop after the session is created. PR1388735

  • The SRX Series devices do not send the messages frag needed and DF set back to the source host during path MTU discovery. PR1389428

  • SRX Series devices might not strip VLAN added by native VLAN ID command. PR1397443

  • The SRX Series device connection to JIMS keeps flapping, causing failover to the secondary JIMS. PR1398140

  • On SRX4600 and SRX5000 line of devices, BGP packets might be dropped under high CPU usage. PR1398407

  • VLAN push might not work on SRX1500. PR1398877

  • Maximum feed number of IPFilter and GeoIP increased to 256. PR1399314

  • The authd process might stop when issuing the show network-access requests pending command during the authd restart. PR1401249

  • SRX Series devices cannot obtain IPv6 address through DHCPv6 when using PPPoE interface with logical unit number greater than zero. PR1402066

  • Unable to access SRX Series devices if the message kern.maxfiles limit exceeded by uid 65534, please see tuning(7) is seen. PR1402242

  • Downloads might stall or completely fail when utilizing services that are reliant on TCP proxy. PR1403412

  • Throughput or latency performance of TCP traffic drops when TCP traffic is passing through from one logical system to another logical system. PR1403727

  • A split-brain condition is experienced if the SPC2 or SPC3 card goes offline in the primary node. PR1403872

  • The flowd process stops and all cards are brought offline. PR1406210

  • The flowd process might stop if enable-session-cache option is configured under the SSL termination profile. PR1407330

  • On SRX1500 devices, traffic is blocked on all interfaces after configuring interface-mac-limit on one interface. PR1409018

  • On all SRX platforms, high memory utilization is observed if the Advanced Anti-Malware service (AAMW) is enabled. This issue might use up all the memory and slow down traffic. PR1409606

  • Traffic might be dropped if SOF is enabled in a chassis cluster in active/active mode. PR1415761

  • The command show security firewall-authentication jims statistics shows output statistics of both primary JIMS server and secondary JIMS server. PR1415987

  • Traffic logging shows service-name junos-dhcp-server for UDP destination port 68. PR1417423

  • Traffic might be lost on the SRX Series device if IPsec session affinity is configured with the ipsec-performance-acceleration command. PR1418135

  • The 4G network connection might not be established if LTE mPIM card is in use. PR1421418

  • The show security flow session session-identifier <sessID> command does not work if the session ID is greater than 10 million on the SRX4600 platform. PR1423818

  • On the SRX300 series and SRX550 series platforms, when an unconnected port is added to the LAG, traffic over updated LAG might be assigned to the unconnected port causing packet loss. PR1423989

  • SRX340 and SRX345 devices report high temperature alarms when operating within expected temperatures. PR1425807

  • PIM neighbors might not come up on SRX Series devices in a chassis cluster. PR1425884

  • When configuring GRE tunnel (GRE over IPsec tunnel) or IPsec tunnel on SRX Series devices, the MTU of the tunnel interface is calculated incorrectly. PR1426607

  • The flowd process might stop on SRX5000 line of devices. PR1430804

  • The second IPsec ESP tunnel might not be able to establish between two IPv6 IKE peers. PR1435687

  • The ipfd process might stop when Security Intelligence (SecIntel) is used. PR1436455

  • SRX4600 devices may encounter a SPMC version mismatch error causing SPM to remain in Present/Offline state after using USB Install method. PR1437065

  • On SRX1500 devices, the membership information for dynamically created VLANs is not displayed in the output of show vlan. PR1438153

  • The flowd process stops on SRX550 or SRX300 platforms when an SFP module is plugged in. PR1440194

  • SRX Series branch devices with RPM probe-server hardware timestamp configured do not respond with the correct timestamp to the RPM client. PR1441743

Interfaces and Chassis

  • The virtual IP of the VRRP on an SRX4600 device might not respond to host-inbound traffic. PR1371516

  • SRX Series: Crafted packets destined to fxp0 management interface on SRX340 and SRX345 devices can lead to DoS (CVE-2019-0038). PR1377152

  • The pkid process might stop after RG0 failover. PR1379348

  • SRX4600 10-Gigabit Ethernet interface optics diagnostic access issue. PR1395806

  • On SRX4600 platform, the 40-Gigabit Ethernet interface might flap continuously due to MAC local fault. PR1397012

  • Midplane FRU model number is not displayed. PR1422185

Interfaces and Routing

  • Incorrect (double) ingress pps rate on MPLS-enabled interface. PR1328161

  • Control traffic loss might be seen on SRX4600 platform. PR1357591

  • Switching interface mode between family ethernet-switching and family inet/inet6 might cause traffic loss. PR1394850

Intrusion Detection and Prevention (IDP)

  • Unable to deploy IDP because the IDP configuration cannot be committed. PR1374079

  • IDP might crash with the custom IDP signature. PR1390205

J-Web

  • The chassis cluster image is not displayed on the J-Web dashboard. PR1382219

  • On the SRX300 and SRX4000 Series devices, the J-Web shows that the CPU is overheating. PR1389981

  • The next-hop IP address is not displayed in the routing table in J-Web. PR1398650

  • On all SRX Series devices, a special character used without quotation marks in the preshared key (security ike policy) is silently removed after a commit operation in J-Web. This causes the VPN connection to go down because of a preshared key mismatch between the peers. PR1399363

  • Configuring by using the CLI editor in J-Web generates an mgd core dump, and the commit does not work. PR1404946

  • The httpd-gk process stops, leading to dynamic VPN failures and high Routing Engine CPU utilization (100 percent). PR1414642

  • J-Web configuration change for an address set using the search function results in a commit error. PR1426321

  • J-Web shows incorrect port-mode under Configure>Interfaces>Link Aggregation. PR1430414

  • IRB interface is not available in zone option of J-Web. PR1431428

  • In SRX chassis cluster setup, node1 is not available for monitoring using J-Web. PR1443819

Layer 2 Ethernet Services

  • DHCPv6 clients might fail to get addresses on SRX Series platforms. PR1392723

  • IPv6 default route might not be installed from the received Router Advertisement message. PR1411921

Multiprotocol Label Switching (MPLS)

  • The rpd might restart unexpectedly when no-cspf is configured and lo0 is not included under RSVP protocol. PR1366575

Network Address Translation (NAT)

  • The SRX Series devices might send the noSuchInstance value to SNMP server in get response during commit. PR1357840

  • NAT64 and traceroute do not work correctly on SRX Series devices. PR1376890

  • The nsd process stops and causes the Web filter to stop working. PR1406248

  • On SRX Series devices, when using NAT64 translation, RTSP uses a wrong string to rewrite the message payload, which might result in the message being dropped in a remote device. PR1443222

Network Management and Monitoring

  • The set system no-redirects setting does not take effect for the reth interface. PR894194

  • On SRX Series devices, after the AGENTX session timeout between master (snmpd) and subagent, the subagent might crash and restart. PR1396967

  • MIB OID dot3StatsDuplexStatus shows wrong status. PR1409979

  • SNMPD might generate core files after restarting NSD process through restart network-security gracefully. PR1443675

Platform and Infrastructure

  • Junos OS: Login credentials are vulnerable to brute force attacks through the REST API (CVE-2019-0039). PR1289313

  • High httpd utilization after reboot failover. PR1352133

  • On SRX4200 devices, show chassis commands might not display any output. PR1363645

  • SRX1500 devices continue to raise the fan alarm Fan Tray 0 Fan 0 Spinning Degraded. PR1367334

  • Packet capture feature does not work after removing the sampling configuration. PR1370779

  • IP monitoring failure results in multiple interfaces disappearing from the forwarding table. PR1371500

  • Slowness in cold sync when there are many Packet Forwarding Engines installed in the SRX Series devices in a chassis cluster. PR1376172

  • Useridd CPU is higher than 100 percent for more than 1 hour. PR1377684

  • On SRX5000 or SRX3000 platforms, some uspipc failed messages might be seen while running show interface extensive command from CLI or Junos Space. PR1380439

  • On SRX Series devices, when doing an ISSU upgrade, the reth interface might flap and cause traffic loss in rare occasions. PR1381475

  • Traffic loss seen in Layer 2 VPN with GRE tunnel. PR1381740

  • Junos upgrade might fail with validate option after the /cf/var/sw directory is accidentally deleted. PR1384319

  • Login class with allowed days and specific access-start and access-end does not work as expected. PR1389633

  • Memory leak might occur on the data plane during composite next-hop installation failure. PR1391074

  • The flowd process stops if it goes into a dead loop. PR1403276

  • Complete device outage might be seen when an SPU VM core file is generated. PR1417252

  • Some applications might not be installed during an upgrade from an earlier version that does not support FreeBSD 10 to a FreeBSD 10-based system. PR1417321

  • On SRX Series devices, the flowd process might stop. PR1417658

  • Routing Engine CPU utilization is high and eventd process is consuming a lot of resources. PR1418444

  • REST API does not work on SRX550HM. PR1430187

  • On SRX Series devices with any licensed feature enabled, a false license alarm might be generated. This issue is not feature or license specific; it is random and can happen for any licensed feature. This issue only generates a false alarm, and has no functionality impact. PR1431609

  • On SRX platforms with a large number of IPsec VPN tunnels configured (for example, 6700 IPsec VPN tunnels configured on an SRX5400), after system bootup, the kmd and iked processes repeatedly generate ipc_pipe_write:353 num_sent=-1 errno=35 Resource temporarily unavailable, with IPsec VPN tunnels temporarily being down. PR1434137

  • On SRX4100 and SRX4200 devices, when LACP is configured on the reth interface, the interface flaps when Routing Engine is busy. PR1435955

Routing Policy and Firewall Filters

  • The timeout value of junos-http is incorrect. PR1371041

  • Application firewall action is not correct in the output of CLI show security policies application-firewall. PR1378993

  • The nsd process stops and generates a core file. PR1388719

  • Memory leak in nsd prevents change from taking effect. PR1414319

  • The flowd process (responsible for traffic forwarding in SRX Series devices) stops on SRX Series devices while deleting a lot of policies from Junos Space. PR1419704

  • If restarting NSD fails, there is no indication or symptom, and users are not notified. So a new alarm is added to indicate this failure. PR1422738

  • DNS cache entry does not time out from device even after TTL=0. PR1426186

  • The Packet Forwarding Engine might stop on the SRX1500 platform. PR1431380

  • SRX550M running Junos OS Release 18.4R1 shows PEM 1 output failure message, whereas with Junos OS Release 15.1X49 or Junos OS Release 18.1R3.3 it does not show any alarms. PR1433577

  • SRX1500 device only allows a maximum of 256 policies with counting enabled. PR1435231

Unified Threat Management (UTM)

  • The EWF server status shows UP when port 443 is specified as the server port. PR1383695

  • Whitelist/blacklist does not work for HTTPS traffic going through Web proxy. PR1401996

  • SRX Series: srxpfe process crash while JSF/UTM module parses specific HTTP packets (CVE-2019-0052). PR1406403

  • The device might not look up the blacklist first in a local Web filtering environment. PR1417330

VPNs

  • The kmd process might stop when configuring IPsec VPN and BGP on SRX1500 platform. PR1336235

  • Dot (.) usage in CA profile name causes issues when the pkid process is restarted. PR1351727

  • Tunnel flap is seen after doing RG0 failover. PR1357402

  • IPsec tunnel might flap when there are concurrent IKEv2 Phase 1 SA rekeys. PR1360968

  • The IPsec traffic might be blocked by SRX5000 line of devices if they are acting as IPsec transit devices. PR1372232

  • In a rare situation, VPN tunnels might not be configured successfully and the VPN tunnels might not come up. PR1376134

  • Packet loss is seen in IPsec Z-mode scenario. PR1377266

  • The kmd process might stop and cause VPN traffic outage after executing show security ipsec next-hop-tunnels. PR1381868

  • Adding or deleting site-to-site manual NHTB VPN tunnels to an existing st0 unit causes existing manual NHTB VPN tunnels under the same st0 unit to flap. PR1382694

  • A few VPN tunnels do not forward traffic after RG1 failover. PR1394427

  • The kmd process might stop when SNMP polls for the IKE SA. PR1397897

  • VPN tunnels flap after adding or deleting a configuration group in edit private mode on a clustered setup. PR1400712

  • The kmd process stops and generates a core file after running the show security ipsec traffic-selector command. PR1428029

Resolved Issues: 17.4R2

Application Layer Gateways (ALGs)

  • On SRX1400 device, the NFS traffic to port 2049 might drop. PR1307763

  • The configure download URL displays warning message requires appid-sig license. PR1324858

  • On SRX Series devices with SIP ALG enabled, the SIP ALG might drop SIP packets which have a referred-by or referred-to header field containing multiple header parameters. PR1328266

  • SIP calls drop, when the limit per SPU crosses 10,000 calls. PR1337549

Authentication and Access Control

  • On SRX Series devices, PFE might crash and huge number of core files might be generated within a short period of time. PR1326677

  • On SRX Series devices, incomplete Request Support Information (RSI) might be seen. PR1329967

  • On SRX Series devices, the sessions might close because of the idle Timeout junos-fwauth-adapter logs. PR1330926

  • The uacd process is unstable after upgrading to Junos OS Release 12.3X48 and later releases. PR1336356

  • On SRX Series devices, the show version detail command returns an error message: Unrecognized command (user-ad-authentication) while configuring the useridd settings. PR1337740

  • A new configuration is available to configure the web-authentication timeout. PR1339627

Chassis Clustering

  • The route information might not be synchronized between node0 and node1 when configuring the firewall filter or APBR to use the non-default routing-instance. PR1292235

  • Flowd process core files are generated after adding 65536 VPN tunnels using traffic selector with the same remote IP. PR1301928

  • On devices enabled with chassis cluster, the ISSU upgrade might fail and display an error message ISSU aborted and exiting ISSU window. PR1306194

  • On SRX1500, SRX4100 and SRX4200 devices, ISSU might fail if LACP and interface monitoring are configured. PR1305471

  • File Descriptor might leak on SRX Series chassis clusters with Sky ATP enabled. PR1306218

  • When the services offloading feature is enabled, the device changes the TCP checksum value to 0x0000. PR1317650

  • When ISSU is performed from a Junos OS Release prior to 15.1X49-D60 to a Junos OS Release 15.1X49-D60 or later, flowd process generates core files. PR1320030

  • The device might stop forwarding traffic after RG1 failover from node0 to node1. PR1323024

  • When RG0 failover or primary node reboot happens, some of the logical interfaces might not be synchronized to the other node if the system has around 2,000 logical interfaces and 40,000 security policies. PR1331070

  • After the primary node or the secondary node restarts, the FPC module goes offline on the secondary node. PR1340116

  • In an active/active cluster, the route change timeout does not work as expected. PR1314162

Class of Service (CoS)

  • Packets go out of order on SPC2 cards with IOC1 or FIOC cards. PR1339551

Flow-Based and Packet-Based Processing

General Routing

  • SRX1500 devices might power off unexpectedly because of incorrect device temperature readings that reported a temperature that was too high, leading to an immediate proactive power-off to protect the device from overheating. However, in these cases the temperature was not actually too high and a power-off was not required. When this occurs, the following log message is shown in the file /var/log/hostlogs/lcmd.log: Jan 25 13:09:44 localhost lcmd[3561]: srx_shutdown:214: called with FRU TmpSensor. PR1241061

  • On SRX4100 and SRX4200 devices, packet loss is observed when the value of packet per second (pps) through the device is very high. This occurs because of the update of the application interval statistics statement, which has a default timer value of 1 minute. You can avoid this issue by setting the interval to maximum using the set services application-identification statistics interval 1440 command. PR1290945

  • The show host server name-server host CLI command fails when the source address is specified under the name-server configuration. PR1307128

  • A memory leak might occur in the appidd process while updating an application signature package. PR1308863

  • On SRX4600 devices, when you run the clear security flow session command, time taken to clear the session depends on the total session number. For example, the clear session takes nine minutes to clear 57M session. PR1308901

  • On SRX Series devices, if destination NAT and session affinity are configured with multiple traffic selectors in IPsec VPN, the traffic selector match might fail. PR1309565

  • The flowd process might stop and generate a core file during failover between node 0 and node 1. PR1311412

  • On SRX Series devices, the IPsec tunnel might fail to be established if datapath debug configuration include the options preserve-trace-order, record-pic-history, or both. PR1311454

  • The SRX Series device drops packets citing the reason "Drop pak on auth policy, not authed". PR1312676

  • The flowd process might stop if the SSL-FP profile is configured with whitelist. PR1313451

  • If IDP and SSL forward proxy whitelist are configured together, the device might generate a core file. PR1314282

  • On SRX550M devices, phone-home.core is generated after the zeroization procedure. PR1315367

  • If the Sky ATP cloud feed updates, the Packet Forwarding Engine might stop causing intermittent traffic loss. PR1315642

  • On SRX Series devices, when an IPsec VPN tunnel with a traffic selector is configured and the packet TTL is set to 1, the flowd process stops and generates a core file on both nodes. PR1316134

  • Periodic PIM register loop is observed during switch failure. PR1316428

  • On SRX Series devices, the fin-invalidate-session command does not work when the Express Path feature is enabled on the device. PR1316833

  • Return traffic through the routing instance might drop intermittently after changing the zone and routing-instance configuration on the st0.x interface. PR1316839

  • SRX300 devices DHCP client cannot obtain IP addresses. PR1317197

  • Default route is lost after system zero. PR1317630

  • SSL firewall proxy does not work if root-ca has fewer than four characters. PR1319755

  • The OSPF peers are unable to establish neighbors between the LT interfaces of the logical systems. PR1319859

  • On SRX Series devices, after logical system is configured, about 10 logical systems are not working. PR1323839

  • The flowd process generates core files on both nodes causing an outage. PR1324476

  • The MPC cards might drop traffic in the event of high temperatures. PR1325271

  • Software next-hop table is full with log messages RT_PFE: NH IPC op 1 (ADD NEXTHOP) failed, err 6 (No Memory) peer_class 0, peer_index 0 peer_type 10. PR1326475

  • If the serial number of the certificate for the SSL proxy has two consecutive zeros, the certificate authentication fails. PR1328253

  • When you use CFLOW, the source address for flow packets is not displayed. PR1328565

  • On SRX Series devices, the one-way jitter traps are not generated when the TWAMP is configured. PR1328708

  • The FPC is dropped or hangs in the present state when the intermittent control link heartbeat is observed. PR1329745

  • On SRX Series devices with stream logging configured, high CPU load is observed. PR1331011

  • The IPv6 traffic does not work as expected on IOC3 with the services offloading (npcache) feature. PR1331401

  • NTP synchronization fails and switches to a local clock. PR1331444

  • Inaccurate Jflow records might be seen for output interface and next hop. PR1332666

  • The whitelist function in syn-flood does not work. PR1332902

  • The show vlans detail no-forwarding command in the RSI does not display any information, because the no-forwarding option is not supported. PR1336267

  • Two-way active measurement protocol (TWAMP) client, when configured in a routing instance, does not work after a reboot. PR1336647

  • On the front panel LED, the red alarm goes on after an RG0 failover is triggered when the flowd process stops. PR1338396

  • The unfiltered traffic is captured after traceoptions are deactivated. PR1339213

  • SSH to the loopback interface of SRX Series devices does not work properly when AppTrack is configured. PR1343736

  • The flowd process might stop when SYN-proxy function is used. PR1343920

  • SNMP MIB walk provides incorrect data counters for total current flow sessions. PR1344352

  • SRX1500 devices might encounter a failure while accessing the SSD drive. PR1345275

  • On SRX Series devices, when you upgrade to a Junos OS Release with "no-validate" option and if there are unsupported configurations with the new version, then configuration push fails and the ksyncd process stops. PR1345397

  • The REST API is not working on the SRX320-POE device. PR1347539

  • File download stops over a period of time when TCP proxy is activated through Antivirus or Sky ATP. PR1349351

  • When a J-Flow related configuration is deleted, the forwarding plane begins to drop packets. PR1351102

  • If the Trusted Platform Module (TPM) is enabled, the configuration integrity failure occurs when there is a power loss for few seconds after the commit. PR1351256

  • On SRX1500 device, after the SSL forward proxy is configured, the system stops and generates a core file. PR1352171

  • The flowd process generates a core file when the SIP ALG is enabled. PR1352416

  • When a routing instance is configured, the UTM Anti-Spam:DUT process does not send the DNS query. PR1352906

  • On SRX Series devices, if the memory buffer is accessed without checking the mbuf and the associated external storage, the flowd process might stop. PR1353184

  • On SRX Series devices in a chassis cluster, if an IPv6 session is being closed and at the same time the related data-plane Redundancy Group (RG1+) failover occurs, this IPv6 session on the backup node might hang and cannot be cleared. PR1354448

  • The PIM register might stop the message from the source First Hop Router (FHR). PR1356241

  • On SRX300, SRX320, SRX340, and SRX345 devices, with LTE mini-PIM the DHCP relay packets are not forwarded. PR1357137

  • On SRX5000 series devices, when the IPsec performance acceleration feature is enabled, packets going in or out of a VPN tunnel are dropped. PR1357616

  • On SRX5400, SRX5600, and SRX5800 devices, the MIB walk tool is not working when screens are applied to the security zones. PR1364210

Interfaces and Chassis

  • Unable to add IRB and aggregated Ethernet interfaces. PR1310791

  • On SRX1500 devices, pp0.0 interface link status is not up. PR1315416

  • An error is not seen at each commit or commit check if autonegotiation is disabled but the speed and duplex configurations are not configured on the interface. PR1316965

  • If an interface is configured with the Ethernet switching family, we recommend that you do not configure vlan-tagging. PR1317021

  • The interface might be brought down by IP monitoring at the time of committing a configuration because of incorrect interface status computing. PR1328363

Interfaces and Routing

  • JIMS server stops responding to requests from SRX Series devices. PR1311446

  • On SRX Series devices in a chassis cluster, the IRB interface does not send an ARP request after clearing the ARP entries. PR1338445

  • Packet reorder occurs on the traffic received on the PPP interface. PR1340417

  • On SRX Series devices, when the VPLS interface receives a broadcast frame, the device sends this frame back to the sender. PR1350857

  • On the SRX1500, when the LACP is configured with interfaces ae0 and ae1, the mac address is displayed as 00:00:00:00:00:00 and 00:00:00:00:00:01 for interfaces ae0 and ae1 respectively. PR1352908

  • The set protocols rstp interface all command does not enable RSTP on all interfaces. PR1355586

Intrusion Detection and Prevention (IDP)

  • The control plane CPU usage is high when using IDP. PR1283379

  • IDP signatures might not get pushed to the Packet Forwarding Engine if there is a policy in logical systems. PR1298530

  • The IDP PCAP feature has been improved. PR1297876

  • The output of show security idp status command does not accurately reflect the number of decrypted SSL or TLS sessions being inspected by the IDP. PR1304666

  • The file descriptor might leak during a security package auto update. PR1318727

  • On SRX4600 devices, the maximum SSLRP session count is observed to approach 100,000. In the CLI, a maximum of 100,000 sessions is allowed, whereas in SSLFP, 600,000 sessions are allowed. Thus, the set security idp sensor-configuration ssl-inspection sessions command is now modified to allow a maximum of 600,000 sessions. For other devices, the original session limit of 100,000 is retained. PR1329827

  • Loading IDP policy fails because of less available heap memory. PR1347821

J-Web

  • J-Web system snapshot throws error. PR1204587

  • In J-Web when you click the SKIP TO JWEB OPTIONS, the Google Chrome browser automatically redirects. PR1284341

  • J-Web does not display all global address book entries. PR1302307

  • On SRX300, SRX320, SRX340, and SRX345 devices, CPU usage is high when generating on-box reporting on the J-Web. PR1310288

  • J-Web authentication fails when a password includes the backslash. PR1316915

  • J-Web dashboard displays wrong last updated time. PR1318006

  • J-Web display problems for security policies are observed. PR1318118

  • J-Web displays the red alarm for temperature value within the threshold. PR1318821

  • J-Web does not display wizards on the dashboard. PR1330283

  • Unable to delete the dynamic VPN user configuration. PR1348705

  • When the J-Web fails to get resource information, the Routing Engine CPU usage is displayed as 100 percent. PR1351416

  • Security policies search button on the J-Web does not work with Internet Explorer version 11. PR1352910

Layer 2 Ethernet Services

  • In DHCP relay configuration, the option VPN has been renamed to source-ip-change. PR1318487

  • On SRX1500 devices, VLAN popping and pushing does not work over Layer 2 circuits. PR1324893

  • DHCP rebind and renew packets are not counted in BOOTREQUEST. PR1325872

  • The default gateway route might be lost after the failover of RG0 in a chassis cluster. PR1334016

  • The subnet mask address is not sent as a reply to the DHCPINFORM request. PR1357291

Network Address Translation (NAT)

  • The default-gateway route received by DHCP when some interface in the chassis cluster has been configured as a DHCP client is lost in about 3 minutes after RG0 failover. PR1321480

  • On SRX Series devices, the Sky ATP connection leak causes the service plane to be disconnected from the Sky ATP cloud. PR1329238

  • Arena utilization on a FPC spikes and then resumes to a normal value. PR1336228

Network Management and Monitoring

  • SRX300 device is unresponsive as a result of cf/var: filesystem full error. PR1289489

  • CLI options are available to manage the packet forwarding engine handling the ARP throttling for NHDB resolutions. PR1302384

Platform and Infrastructure

  • When you perform commits with apply-groups, VPN might flap. PR1242757

  • The packet captured by datapath-debug on an IOC2 card might be truncated. PR1300351

  • Inconsistent flow-control status on reth interface is observed. PR1302293

  • On SRX5400, SRX5600, and SRX5800 devices, when a DC PEM is used in the chassis, the output of the show chassis environment pem and show chassis power commands does not show the DC input value correctly. PR1323256

  • On SRX5400, SRX5600, and SRX5800 devices, SPC2 XLP stops processing packets in the ingress direction after repeated RSI collections. PR1326584

  • When SecIntel is configured, IPFD CPU utilization might be higher than expected. PR1326644

  • The log messages file contains node*.fpc*.pic* Status:1000 from if_np for ifl_copnfig op:2 for ifl :104 message. PR1333380

  • Log message No Port is enabled for FPC# on node0 is generated every 5 seconds. PR1335486

  • In RSI, a mandatory argument is missing for the request pfe execute and the show usp policy counters commands. PR1341042

  • On SRX Series devices in a chassis cluster, configuration commit might succeed even though the external logical interface configuration (reth) associated with the Internet Key Exchange (IKE) VPN gateway configuration is deleted. This might lead to configuration load failure during the next device boot-up. PR1352559

  • On SRX4100 devices, interfaces are shown as half-duplex, but there is no impact on the traffic. PR1358066

Routing Policy and Firewall Filters

  • The firewall authentication does not list the correct policies when the NSD process is busy. PR1312697

  • The number of address objects per policy for SRX5400, SRX5600, SRX5800 devices is increased from 4,096 to 16,000. PR1315625

  • The flowd process stops when AppQoS is configured on the device. PR1319051

  • Flowd process stops after configuring a huge number of custom applications. PR1347822

  • On SRX Series devices, with a large number of firewall authentication entries, the flowd process might stop. PR1349191

  • On SRX Series devices, a large scale commit, for example, 70,000 lines security policy might stop the NSD process on the Packet Forwarding Engine (PFE). PR1354576

Routing Protocols

  • On SRX1500 devices, the IS-IS adjacency remains down when using an IRB interface. PR1300743

  • Dedicated BFD does not work on SRX Series devices. PR1312298

  • On a chassis with BMP configured, if the rpd termination timeout is happening while the BMP main task has failed to terminate and delete itself (seen when rpd is gracefully terminated), the rpd might stop. PR1315798

  • When BGP traceoptions are configured and enabled, the traces specific to messages sent to the BGP peer (BGP SEND traces) are not logged. The traces specific to received messages (BGP RECV traces) are logged correctly. PR1318830

  • OpenSSL Security Advisory [07 Dec 2017]. Refer to for more information. PR1328891

  • The ppmd process might stop, after one node is upgraded and failover completes. PR1347277

  • On SRX Series devices, dedicated BFD does not work. PR1347662

Software Installation and Upgrade

  • The request system reboot node in/at command results in an immediate reboot instead of rebooting at the allotted time. PR1303686

  • On SRX1500 devices, the fan speed often fluctuates. PR1335523

System Logs

  • A warning syslog message is displayed when the number of security screens installed exceeds the IOC capacity. PR1209565

  • The following log messages are displayed on the device: L2ALM Trying peer/master connection, status 26. PR1317011

User Firewall and Authentication

  • User firewall has a command to fetch the user-group mapping from the active directory server. PR1327633

Unified Threat Management (UTM)

  • The ISSU upgrade might fail because of the Packet Forwarding Engine generating a core file. PR1328665

Upgrade and Downgrade

  • The command show system firmware displays the old firmware image. PR1345314

VLAN Infrastructure

  • On SRX Series devices in transparent mode, the flowd process might stop when matching the destination MAC. PR1355381

VPNs

  • The IRB interface does not support VPN. PR1166714

  • Next hop tunnel binding (NHTB) is not installed occasionally during rekey for VPN using IKEv1. PR1281833

  • IPsec traffic statistic counters return 32-bit values. PR1301688

  • Auto Discovery VPN (ADVPN) tunnels might flap with the spoke error no response ready yet, leading to IKEv2 timeout. PR1305451

  • On SRX Series devices, core files are observed under certain conditions with VPN and when NAT-T is enabled. PR1308072

  • PKID syslog for key-pair deletion is required for conformance. PR1308364

  • On SRX Series devices, ESP packet drops in IPsec VPN tunnels with NULL encryption algorithm configuration are observed. PR1329368

  • SNMP for jnxIpSecTunMonVpnName does not work. PR1330365

  • The kmd process might generate a core file when all the VPNs are down. PR1336368

  • On SRX5400, SRX5600, and SRX5800 devices, the chassis cluster control link encryption does not work. PR1347380

  • The kmd process might stop if multiple IKE gateways use the same IKE policy. PR1337903

  • All IPsec tunnels are in both active and inactive state. PR1348767

  • S2S tunnels are not redistributed after IKE or IPsec are reactivated in a configuration. PR1354440

Resolved Issues: 17.4R1

Application Layer Gateways (ALGs)

  • On SRX Series devices SIP packet might drop when SIP traffic performs destination NAT. PR1268767

  • The pfed process stops and generates core files. PR1292992

  • H323 ALG decode Q931 packet error was observed even after disabling H323 ALG. PR1305598

  • HTTP ALG is listed within show security match-policies, when the HTTP ALG does not exist. PR1308717

Chassis Cluster

  • Node 0 goes into the db prompt after a Layer 2 switching configuration is applied and the node is rebooted. PR1228473

  • HA configuration synchronization monitoring does not work if encrypt-configuration-files is enabled. PR1235628

  • The ISSU or ICU operation might fail if upgrade is initiated from Junos Space on multiple SRX clusters. PR1279916

  • ALG traffic and other traffic with tcp-proxy gets stuck after back-to-back RG1 failover when using PPPoE on the reth interface. PR1286547

  • Warning messages are incorrectly tagged as errors in the RPC response from the SRX Series device when you configure a change through NETCONF. PR1286903

  • After software upgrade, the cluster goes into a brief split-brain state when rebooting RG0 on the secondary node. PR1288819

  • In an SRX1500 cluster, if control-link-recovery is configured, ISSU might not complete successfully and the cluster will end up with different software releases. PR1303948

  • IP monitoring on the secondary node shows unknown status after rebooting. PR1307749

  • On SRX Series devices, the traffic logging impact issue after ISSU is fixed. PR1284783

Class of Service (CoS)

  • On SRX Series devices, a self-generated TCP session from the Routing Engine destined to an lt-0/0/0.x next hop is not established. PR1286866

Flow-Based and Packet-Based Processing

  • The software-NH value increases and causes a traffic outage. PR1190301

  • SRX1500 devices might power off unexpectedly because of incorrect device temperature readings that reported a temperature that was too high, leading to an immediate proactive power-off to protect the device from overheating. When this condition occurs, the following log message is shown in the file /var/log/hostlogs/lcmd.log: Jan 25 13:09:44 localhost lcmd[3561]: srx_shutdown:214: called with FRU TmpSensor. PR1241061

  • Duplicate hops or a higher than expected hop count is seen in L2 traceroute. PR1243213

  • Configuring dpd results in timeouts for TCP encapsulation sessions. PR1254875

  • A down interface in the mirror-filter command might cause a core file in certain situations. PR1270724

  • Core files are seen on SRX1500 when J-Flow is enabled. PR1271466

  • SRX320 with MPIM: IPv6 static route on dl0.0 is not active, so it cannot work for dial-on-demand. PR1273532

  • In multicast traffic sent to the downstream interface, the destination MAC address is set to all zeros. PR1276043

  • Output hangs while checking pki ca-certificate ca-profile-group details. PR1276619

  • SRX1500 randomly stops forwarding traffic. PR1277435

  • When using integrated user firewall, the useridd process might consume high CPU. PR1280783

  • When executing operational commands for creating rescue configuration, some errors will be reported but the rescue configuration will still be created. PR1280976

  • User firewall users are not assigned their roles. PR1282744

  • Certain SCTP packets are dropped. PR1285089

  • The pfed process stops and generates core files when a traceoptions configuration is committed. PR1289972

  • More CPU threshold warnings are seen than in the previous releases. PR1291506

  • CoS scheduler and shaping does not work on IRB interface. PR1292187

  • Cryptographic weakness is seen in the SRX300 line devices TPM firmware (CVE-2017-10606). PR1293114

  • The APN profile password is displayed in cleartext. PR1295274

  • On SRX Series devices running the user firewall feature, under some conditions, flowd or useridd might generate core files. The Packet Forwarding Engine might get restarted, and RG1+ failover occurs. PR1299494

  • SRX Series devices fail to upgrade the Junos image when you use the unlink and partition options at the same time. PR1299859

  • When you run the show interfaces queue rethx command, the output displays ingress queue information. PR1309226

  • On SRX Series devices, the Stream Control Transmission Protocol (SCTP) packet has an incorrect SCTP checksum after the payload is translated by the device. PR1310141

Interfaces and Chassis

  • On SRX1500 devices with SFP+-10G-CU3M DAC, 10-Gigabit Ethernet interface does not work. PR1246725

  • On SRX1500, 10-Gigabit Ethernet interface might not come up between the SRX Series device and another type of device when using SFP+-10G-CU3M DAC. PR1279182

  • Ping to the VRRP virtual IP (VIP) address fails when VRRP is configured on a vlan-tagging interface. This only affects IOC2 and IOC3 cards in SRX5000 line devices. SRX1500, SRX4100, and SRX4200 devices are not impacted. PR1293808

  • RPM packets do not go through the LT interface under certain configurations. PR1303445

J-Web

  • SRX Series devices cannot be upgraded with Junos image using J-Web. PR1297362

  • Configuration upload using J-Web does not work. PR1300766

  • In J-Web, when a logical system adds a custom application, the 'any' application is not present in Logical System Configure > Security > Security Policy > Add Policy. PR1303260

  • J-Web removes the backslash character from the source identity object when changes are committed. PR1304608

Layer 2 Ethernet Services

  • ARP issues are seen when using Layer 2 switching with the IRB interface. PR1266450

  • On SRX1500 devices in an Ethernet switching mode, an IRB interface located in a custom routing instance is not reachable. PR1234000

  • The no-dns-propagation option should be changed to no-dns-install. PR1284852

  • DHCPv6 prefix delegation does not start with the first available subnet. PR1295178

Network Address Translation (NAT)

  • On SRX Series devices, the periodic execution of the show security zones detail command causes the NSD process to fail in releasing unused memory, causing memory leak. PR1269525

  • The proxy-arp does not work intermittently after RG0 failover. PR1289614

  • Commit check might allow a Source NAT pool without addresses to be committed, leading to flowd core file generation when the misconfigured pool is utilized by traffic. PR1300019

  • Active source NAT causes an NSD error and the session closes. PR1313144

Network Management and Monitoring

  • On the SRX340 device, one Routing Engine does not reply for the SNMP request after power-on or RG0 failover in a cluster. PR1240178

  • On SRX Series devices, when J-Flow is enabled for multicast traffic, an extern next hop is installed along with the multicast composite next hop. However, when the composite next hop is uninstalled, the extern next hop is not freed, which results in a jtree memory leak. PR1276133

  • The mib2d process might crash when polling the OID ifStackStatus.0 after a logical interface of lo0 is deleted. PR1286351

  • The show arp no-resolve interface X command for nonexistent interface X is showing all unrelated static ARP entries. PR1299619

Platform and Infrastructure

  • SRX300 line devices reboot when Juniper RE-USB-4G-S (yellow or orange) USB is inserted. PR1214125

  • The flowd process might crash during route update. PR1249254

  • Unexpected behavior with IP monitoring is seen. PR1263078

  • The TTL (Time To Live) of some Z-mode packets is reduced to zero incorrectly, if IOC2 or IOC3 interface is configured as HA fabric port. PR1270770

  • DNS cache does not get populated in multiple virtual router (VR) environments. PR1275792

  • Memory leak occurs on SRX Series devices chassis cluster when em0 or em1 interface is down. PR1277136

  • On SRX5000 line devices, under a heavy flood of IPv6 Neighbor Discovery Protocol (NDP) packets, some incoming IPv6 neighbor advertisements (NA) might be dropped because of a queue being full. This issue has been resolved by using a different queue for IPv6 NA packets. PR1293673

  • XLP lost heartbeat (SPU hang) is not detected in a timely manner by hardware monitoring. PR1300804

Routing Policy and Firewall Filters

  • Secured e-mail application is not available. PR1273725

  • On SRX Series devices, the DNS configured in the address-book fails to resolve the IP address, if the case (uppercase or lowercase) in the DNS query and the DNS response do not match. PR1304706

  • The NSD process might crash when replacing the name of a logical-system. PR1307876

System Logging

  • The logs from syslog RT_FLOW: FLOW_REASSEMBLE_SUCCEED: Packet merged might cause high CPU usage on the Routing Engine. PR1278333

Unified Threat Management (UTM)

  • The Packet Forwarding Engine CPU utilization is high when using the UTM antivirus feature. PR1282719

VPNs

  • The st0 global counter statistics do not increment. PR1171958

  • The second client is disconnected when the assigned IP address is changed in the access profile for the first client. PR1246131

  • IPsec traffic through tunnel fails without configuring the authentication algorithm under the IPsec proposal on the SRX1500; however, it works on the SRX5600. PR1285284

Documentation Updates

There are no errata or changes in Junos OS Release 17.4R3 for the SRX Series documentation.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Scripts for Address Book Configuration

Beginning with Junos OS Release 12.1, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).

You can either define all address books under the [security] hierarchy in a zone-attached configuration format or under the [security zones] hierarchy in a zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both configuration formats on one system.

Juniper Networks provides Junos operation scripts that allow you to work in either of the address book configuration formats (see Figure 1).

About Upgrade and Downgrade Scripts

After downloading Junos OS Release 12.1, you have the following options for configuring the address book feature:

  • Use the default address book configuration—You can configure address books using the zone-defined configuration format, which is available by default. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.

  • Use the upgrade script—You can run the upgrade script available on the Juniper Networks support site to configure address books using the new zone-attached configuration format. When upgrading, the system uses the zone names to create address books. For example, addresses in the trust zone are created in an address book named trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules remain unaffected.

    After upgrading to the zone-attached address book configuration:

    • You cannot configure address books using the zone-defined address book configuration format; the CLI displays an error and fails to commit.

    • You cannot configure address books using the J-Web interface.

    For information on how to configure zone-attached address books, see the Junos OS Release 12.1 documentation.

  • Use the downgrade script—After upgrading to the zone-attached configuration, if you want to revert to the zone-defined configuration, use the downgrade script available on the Juniper Networks support site. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.


    Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.

Figure 1: Upgrade and Downgrade Scripts for Address Books

Running Upgrade and Downgrade Scripts

The following restrictions apply to the address book upgrade and downgrade scripts:

  • The scripts cannot run unless the configuration on your system has been committed. Because a configuration that contains both zone-defined and zone-attached address books cannot be committed, the scripts will not run if both formats are present on your system at the same time.

  • The scripts cannot run when the global address book exists on your system.

  • If you upgrade your device to Junos OS Release 12.1 and configure logical systems, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert the existing zone-defined configuration to the zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.


    You cannot run the downgrade script on logical systems.

For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.
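The conversion rule described above (addresses in zone X go into a book named X-address-book, which is then attached to zone X, while NAT rules are untouched) and the two restrictions on running the scripts (mixed formats, global address book) are modelled below in Python. This is an added example written for these notes, not Juniper's operation script; it works on Junos `set` commands as text. The zones, address names and prefixes in the sample are constructed, and how the downgrade direction treats a book attached to no zone is this example's own choice, since the notes do not say.

```python
import re

# Junos 11.1-style zone-defined entries:
#   set security zones security-zone <zone> address-book address|address-set ...
ZONE_DEFINED = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) address-book "
    r"(?P<kind>address|address-set) (?P<rest>.+)$")
# Junos 12.1-style zone-attached entries and the attach statement itself.
BOOK_ENTRY = re.compile(
    r"^set security address-book (?P<book>\S+) (?P<kind>address|address-set) (?P<rest>.+)$")
BOOK_ATTACH = re.compile(r"^set security address-book (?P<book>\S+) attach zone (?P<zone>\S+)$")
ANY_BOOK = re.compile(r"^set security address-book (?P<book>\S+) ")

# Constructed sample in the zone-defined format (hypothetical zones, names and prefixes).
SAMPLE_ZONE_DEFINED = """\
set security zones security-zone trust address-book address web-server 10.1.1.10/32
set security zones security-zone trust address-book address db-server 10.1.1.20/32
set security zones security-zone trust address-book address-set servers address web-server
set security zones security-zone trust address-book address-set servers address db-server
set security zones security-zone untrust address-book address partner-net 203.0.113.0/24
set security policies from-zone trust to-zone untrust policy allow-out match source-address servers
set security nat source rule-set trust-to-untrust rule r1 match source-address 10.1.1.0/24
"""


class AddressBookScriptError(Exception):
    """The conversion must not run; the message mirrors the restrictions in the notes."""


def _lines(config_text):
    return [line.strip() for line in config_text.splitlines() if line.strip()]


def script_blocker(config_text):
    """Return the reason the scripts could not run on this configuration, or None."""
    lines = _lines(config_text)
    zone_defined = any(ZONE_DEFINED.match(l) for l in lines)
    books = {m.group("book") for m in map(ANY_BOOK.match, lines) if m}
    if "global" in books:
        return "global address book exists: the scripts cannot run"
    if zone_defined and books:
        return "zone-defined and zone-attached address books both present: configuration cannot be committed"
    return None


def upgrade_to_zone_attached(config_text):
    """Zone-defined -> zone-attached: each zone's entries go into <zone>-address-book, attached to that zone."""
    blocker = script_blocker(config_text)
    if blocker:
        raise AddressBookScriptError(blocker)
    out, zones = [], []
    for line in _lines(config_text):
        m = ZONE_DEFINED.match(line)
        if not m:
            out.append(line)  # policies, NAT rules and everything else pass through untouched
            continue
        zone = m.group("zone")
        out.append(f"set security address-book {zone}-address-book {m.group('kind')} {m.group('rest')}")
        if zone not in zones:
            zones.append(zone)
    out.extend(f"set security address-book {z}-address-book attach zone {z}" for z in zones)
    return out


def downgrade_to_zone_defined(config_text):
    """Zone-attached -> zone-defined: each book's entries move back under the zone it is attached to."""
    blocker = script_blocker(config_text)
    if blocker:
        raise AddressBookScriptError(blocker)
    lines = _lines(config_text)
    book_to_zone = {m.group("book"): m.group("zone") for m in map(BOOK_ATTACH.match, lines) if m}
    out = []
    for line in lines:
        if BOOK_ATTACH.match(line):
            continue  # the attach statement has no zone-defined equivalent
        m = BOOK_ENTRY.match(line)
        if not m:
            out.append(line)
            continue
        zone = book_to_zone.get(m.group("book"))
        if zone is None:
            # Assumption of this example: a book attached to no zone has no place in the
            # zone-defined format, so stop rather than silently drop its addresses.
            raise AddressBookScriptError(f"address book {m.group('book')} is not attached to a zone")
        out.append(f"set security zones security-zone {zone} address-book {m.group('kind')} {m.group('rest')}")
    return out


if __name__ == "__main__":
    for line in upgrade_to_zone_attached(SAMPLE_ZONE_DEFINED):
        print(line)
```

Running the module prints the converted configuration; the trust entries land in trust-address-book and the untrust entry in untrust-address-book, each followed by its attach statement, while the policy and NAT lines are unchanged. Appending a `set security address-book global ...` line to the sample makes `script_blocker` report the global address book, and appending an unrelated zone-attached book makes it report the mixed-format condition. A book attached to several zones is outside what the notes describe; this model simply keeps the last attach statement seen.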

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after.

For example, Junos OS Releases 12.3X48, 15.1X49, 17.3, and 17.4 are EEOL releases. You can upgrade from Junos OS Release 15.1X49 to Release 17.3 or from Junos OS Release 15.1X49 to Release 17.4.

Upgrading from Junos OS Release 17.4 to later Junos OS releases is supported. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.