Junos OS Release Notes for SRX Series

These release notes accompany Junos OS Release 18.1R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 18.1R3 for the SRX Series devices.

Release 18.1R3 New and Changed Features

There are no new features in Junos OS Release 18.1R3 for the SRX Series devices.

Junos OS Release 18.1R3 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D120. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D120 are not available in 18.1 releases.

Release 18.1R2 New and Changed Features

There are no new features in Junos OS Release 18.1R2 for the SRX Series devices.

Junos OS Release 18.1R2 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D120. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D120 are not available in 18.1 releases.

Release 18.1R1 New and Changed Features

Junos OS Release 18.1R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D120. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D120 are not available in 18.1 releases.

Application Security

  • Data Loss Prevention (SRX Series)—Starting in Junos OS Release 18.1, SRX Series devices support Data Loss Prevention (DLP) to redirect HTTP or HTTPS traffic to any server through Internet Content Adaptation Protocol (ICAP).

    ICAP is a lightweight protocol for executing a remote procedure call on HTTP messages. It uses REQMOD, which encapsulates HTTP request messages, and RESPMOD, which encapsulates HTTP response messages.

    [See SSL Proxy.]

  • Optimizing SSL/TLS performance for HTTPS traffic (SRX Series, vSRX)—Starting from Junos OS Release 18.1R1, SSL/TLS performance is optimized by minimizing the time required for performing the decryption by using the following methods:

    • Using optimized cipher suites

    • Maintaining the certificate cache

    Enhanced SSL/TLS performance for HTTPS traffic results in improved website performance without compromising security, and maximizes user experience.

    [See SSL Proxy.]

  • SSL proxy support (SRX300, SRX320)—Starting in Junos OS Release 18.1R1, SSL proxy support is available on SRX300 and SRX320 devices. SSL proxy acts as an intermediary, performing SSL encryption and decryption between the client and the server. SSL relies on digital certificates and private-public key exchange pairs for client and server authentication to ensure secure communication.

    [See SSL Proxy.]

Authentication and Access

  • IPv6 support for network access control (NAC) (SRX Series, vSRX)—Starting with Junos OS Release 18.1R1, SRX Series devices support IPv6 for the network access control (NAC) system. You can configure a Web API client address with an IPv6 address and Web API supports IPv6 user or device entries obtained from Juniper Identity Management Service (JIMS). An SRX Series device can query JIMS periodically for batches of newly generated IPv6 users or devices for identity information. The SRX Series can query JIMS for identity information for an individual user or device based on the IPv6 address when the IPv6 traffic hits the SRX Series device. The SRX Series device firewall authentication can push IPv6 IP-user mapping information to JIMS.

    [See Understanding the SRX Series Advanced Query Feature for Obtaining User Identity Information from JIMS.]

Chassis Cluster

  • VRRP and VRRPv3 support on redundant Ethernet interface to provide redundancy (SRX Series, vSRX)—Starting with Junos OS Release 18.1R1, SRX Series devices in a chassis cluster support the Virtual Router Redundancy Protocol (VRRP) and VRRPv3 on reth interfaces to provide redundancy, route advertising, and load sharing. Using VRRP, a secondary node can take over a failed primary node within a few seconds with minimum VRRP traffic and without any interaction with the hosts.

    [See Understanding VRRP on SRX Series Devices.]

Class of Service (CoS)

  • Support for rewrite rules for both inner and outer VLAN tags on IEEE802.1 packets (SRX Series)—Starting with Junos OS Release 18.1R1, SRX Series devices support applying rewrite rules to both inner and outer VLAN tags on IEEE802.1 packets. To apply rewrite rules to both inner and outer VLAN tags, set the vlan-tag outer-and-inner option at the [edit class-of-service interfaces interface-name unit unit-number rewrite-rules ieee-802.1 rewrite-name] hierarchy level.

    [See rewrite-rules (CoS Interfaces).]

Flow-Based and Packet-Based Processing

  • Enhancement for show security flow statistics operational command (SRX Series, vSRX instances)—Starting in Junos OS Release 18.1R1, the output of the show security flow statistics command has been modified. The Packets forwarded field has been split into the Packets received and Packets transmitted fields. The Packets received field displays the actual number of packets received, including those dropped by the system. The Packets transmitted field displays the number of packets returned to jexec for transmission. The Packets forwarded/queued field displays the actual number of packets forwarded, excluding the dropped packets.

    Additionally, a new field, Packets copied has been created to provide information about packets copied by other modules including fragmentation and TCP proxy.

    [See show security flow statistics.]

Interfaces and Chassis

  • Support for 4x10-Gigabit Ethernet Optical Breakouts (SRX4600)—Starting in Junos OS Release 18.1R1, you can use an optical breakout cable to configure four 10-Gigabit Ethernet interfaces on each 40-Gigabit Ethernet port on an SRX4600. By default, FPC 1 PIC 0 comes up with the default setting of four 40-Gigabit Ethernet ports. This new feature allows a 40-Gigabit Ethernet port to be configured in 4x10-Gigabit Ethernet mode by plugging in QSFPP 4x10-Gigabit Ethernet optics connected to 4x10-Gigabit Ethernet breakout cables. You use QSFP+ transceivers to connect the 40-Gbps (default speed) port to the breakout cable, which connects to four SFP+ transceivers at the other end, thus converting that port into four 10-Gbps interfaces.

    For example, on FPC 1 PIC 0, to configure each 40-Gbps port as four 10-Gbps interfaces, execute the set chassis fpc 1 pic 0 pic-mode 10G command.

    After you commit the configuration, for the new configuration to take effect, you must reboot the device or chassis cluster. [See SRX4600 Gateway Rate-Selectability Overview.]

  • Support for default 10-Gbps ports to operate at 1-Gbps speed (SRX4600)—Starting in Junos OS Release 18.1R1, SRX4600 supports 1-Gbps port speed on the default 10-Gbps ports on its 8-port PICs and on two dedicated chassis cluster control ports on the 4-port chassis cluster PICs. The SRX4600 supports three different PIC types—8-port 10-Gigabit Ethernet PIC, 4-port 40-Gigabit or 100-Gigabit Ethernet PIC, and 4-port 10-Gigabit Ethernet PIC (in a chassis cluster). Out of the four ports on the 10-Gigabit Ethernet PIC in a chassis cluster, two ports are fabric ports and the other two ports are chassis cluster control ports. The two fabric ports do not support 1-Gbps speed. Only the two control ports of the chassis cluster support a port speed of 1 Gbps.

    Note:

    • The interface name prefix must be xe.

    • You can configure a combination of 1-Gbps and 10-Gbps speed only on the 8-port 10-Gigabit Ethernet PIC. The chassis cluster control interfaces (that is, on the 4-port 10-Gigabit Ethernet PIC) do not support multiple speeds.

    [See SRX4600 Gateway Rate-Selectability Overview.]

Multicast

  • Layer 2 IGMP and MLD Snooping feature support (SRX1500)—Starting with Junos OS Release 18.1R1, the SRX1500 supports the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) snooping feature in Layer 2 switching mode.

    The snooping feature snoops the IGMP or MLD packets received by the switch interfaces and builds a multicast database. The SRX Series device uses the multicast database and forwards the multicast traffic only to the downstream interfaces of interested receivers. Using the multicast database to forward multicast packets helps ensure efficient use of network bandwidth.

    [See IGMP Snooping Overview and Understanding MLD Snooping.]

Network Management and Monitoring

  • Two-Way Active Measurement Protocol (TWAMP) support (SRX4100, SRX4200 and vSRX)—Starting in Junos OS Release 18.1R1, the Two-Way Active Measurement Protocol (TWAMP) is supported on SRX4100 and SRX4200 devices and on vSRX instances in addition to the existing support on SRX Series devices such as SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500. TWAMP is a standard protocol framework that defines control and test session separation based on the client/server architecture. The TWAMP-Control protocol is used to set up performance measurement sessions between a TWAMP client and a TWAMP server, and the TWAMP-Test protocol is used to send and receive performance measurement probes.

    [See Two-Way Active Measurement Protocol (TWAMP) Overview.]

User Interface and Configuration

  • Ephemeral configuration database support for load replace and load override operations (SRX Series)—Starting in Junos OS Release 18.1R1, NETCONF and Junos XML protocol client applications can configure the ephemeral configuration database using load replace and load override operations, in addition to the previously supported load merge and load set operations. To perform a load replace or load override operation, set the <load-configuration> action attribute to replace or override, respectively.

    [See Configuring Ephemeral Database Instances.]

VPN

  • Binding trusted CAs or trusted CA group to an IKE policy (SRX Series and vSRX instances)—Starting in Junos OS Release 18.1R1, you can group CA profiles (trusted CAs) in a trusted CA group and bind either the group or a specific CA profile to an IKE policy. When a remote peer establishes a connection that matches this IKE policy, the specified CA profile or trusted CA group is used to validate the remote peer.

    A group of trusted CA servers can be created with the trusted CA group configuration statement at the [edit security pki] hierarchy level; one or multiple CA profiles can be specified. The trusted CA server is bound to the IKE policy configuration for the peer at the [edit security ike policy policy certificate] hierarchy level.

    [See Understanding Certificates and PKI and Understanding Certificate Authority Profiles.]

  • IPv6 support for AutoVPN and ADVPN with dynamic routing protocol (SRX Series and vSRX instances)—Starting with Junos OS Release 18.1R1, IPv6 is supported on AutoVPN and Auto Discovery VPN (ADVPN) with point-to-multipoint secure tunnel mode. ADVPN can run with OSPFv3 routing protocol and AutoVPN can run with OSPFv3 and iBGP (internal BGP) routing protocols.

    The ospf3 option is introduced at the [edit protocols] hierarchy level to support IPv6 for AutoVPN and ADVPN with point-to-multipoint secure tunnel mode. In addition, the show security ipsec next-hop-tunnels command, which displays the IPsec VPN tunnels bound to a specific tunnel interface, is updated to add family and tunnel ID filters.

    [See Understanding AutoVPN and Understanding Auto Discovery VPN.]

  • IPv6 support for PKI (SRX Series and vSRX instances)—Starting in Junos OS Release 18.1, the public key infrastructure (PKI) supports IPv6 address format for the Certificate Authority (CA) server and source addresses in a CA profile. The PKI provides an infrastructure for digital certificate management. In PKI, a CA is a trusted third party agency responsible for issuing and revoking certificates. The certificates are used to create secure connections between two or more entities.

    [See Understanding Certificate Authority Profiles.]

  • SSL remote access VPN support by bypassing an application-based firewall (SRX Series and vSRX instances)—Starting with Junos OS Release 18.1R1, remote access VPN uses SSL to pass through an application-level firewall using the third-party NCP Exclusive Remote Access Client on Windows, macOS, Apple iOS, and Android devices.

    Most intermediate Internet-facing devices allow users to establish a session over SSL (HTTPS) to any Internet-based device. This solution allows users to establish a secure communication using a full SSL session when an intermediate device blocks IPsec or UDP traffic.

    [See Understanding SSL Remote Access VPNs with NCP Exclusive Remote Access Client.]

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 18.1R3 for the SRX Series.

Chassis Cluster

  • The SRX5400, SRX5600, and SRX5800 devices operating in a chassis cluster might encounter an em0 or em1 interface link failure on either of the nodes, which results in a split-brain condition; that is, both devices are unable to detect each other. Starting in this release, if the failure occurs on the secondary node, the secondary node is moved to the disabled state.

    This solution does not cover the following cases:

    • em0 or em1 failure on primary node

    • HA process restart

    • Preempt conditions

    • Control link recovery

Juniper Sky ATP

  • Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 18.1R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).

Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 18.1R3 for the SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Chassis Clustering

  • If you enable IP monitoring on the redundancy group when the reth interface has more than one physical interface configured, then IP monitoring may not work properly on the secondary node. This issue occurs because the backup node may send traffic using the MAC address of the lowest port in the bundle. If the reply does not come back on the same physical port, then the internal switch may drop the traffic. PR1344173

J-Web

  • On SRX4100 and SRX4200 devices, as part of the JDHCP changes, the DHCP relay configuration under the Configure > Services > DHCP > DHCP Relay page is removed from J-Web in Junos OS Release 15.1X49-D60. The same DHCP relay can be configured by using the CLI. PR1205911

  • On SRX4100 and SRX4200 devices, as part of the JDHCP changes, the DHCP client bindings under Monitor are removed in Junos OS Release 15.1X49-D60. The same bindings can be seen in the CLI by using the show dhcp client binding command. PR1205915

  • On SRX Series devices, adding 2,000 or more global addresses at a time to the SSL proxy profile's exempted addresses can cause the web page to become unresponsive. PR1278087

  • On SRX Series devices, you cannot view the custom log files created for event logging in J-Web. PR1280857

  • On SRX Series devices, validation is not checked when the UTM policy is detached from the firewall policy rule after an SSL proxy profile is selected. PR1285543

  • On SRX Series devices, uploading a certificate by using the browse button stores the certificate on the device at /jail/var/tmp/uploads/, which is deleted when you execute the request system storage cleanup command. PR1312529

  • On SRX Series devices, the values of address and address-range are not displayed in the inline address-set creation pop-up window of JIMS. PR1312900

  • The application signature install or uninstall status above the grid remains in the loading state when the device loses connectivity to the cloud server, or when the application signature database is not present or not responding. This in turn affects the status that is displayed in J-Web. PR1332768

Platform and Infrastructure

  • On SRX4600 devices, the USB flash drive is not available to Junos OS. However, the USB flash drive is available for the host OS (Linux) with full access. The USB flash drive is still used in the booting process (install and recovery functions). PR1283618

  • When a USB device is under initialization, removing the USB device may cause the USB to stop working. PR1332360

Software Installation and Upgrade

  • When you upgrade from Junos OS Release 15.1X49, the signature version is automatically refreshed to version 534. Hence, you need to download and install a new signature version; otherwise, some features such as SKYATP IMAP might be missing. PR1324848

User Interface and Configuration

  • On SRX1500 devices, committing a configuration with a very large number of logical systems takes more time. This issue occurs because backing up the previous configurations can take longer to finish. PR1339862

VPNs

  • On SRX5400, SRX5600, and SRX5800 devices, when CoS is enabled on the st0 interface and the incoming traffic rate destined for the st0 interface is higher than 300,000 packets per second (pps) per SPU, the device may drop some of the high-priority packets internally and shaping of outgoing traffic may be impacted. We recommend that you configure an appropriate policer on the ingress interface to limit the traffic to below 300,000 pps per SPU. PR1239021

  • On SRX Series devices, IPsec traffic statistics counters return 32-bit values, which may quickly overflow. PR1301688

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 18.1R3 for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Layer Gateways (ALGs)

  • On all SRX Series devices with NAT configured, a memory overwrite issue occurs when scaled RAS or H.323 traffic passes through the device and the device fails to perform NAT for the RAS or H.323 traffic. As a result, the flowd process may stop. PR1084549

  • On SRX Series devices with chassis cluster enabled and logical systems configured, when any ALG (except DNS ALG) is enabled and NAT is configured for the ALG sessions, the flowd process on the secondary node may stop. PR1343552

  • When using the IPsec ALG, the IPsec tunnel payload is dropped after the IKE or IPsec tunnel reestablishment due to a session conflict. PR1372232

  • If the SIP ALG is disabled, the SIP active sessions are affected. PR1373420

Chassis Clustering

  • On SRX550M devices, the SFP transceiver does not work after the chassis reboots. PR1347874

Class of Service (CoS)

  • On all SRX Series devices, if the action of forwarding-class is configured in the output direction on a firewall filter, the host outbound traffic matching the same term of this firewall filter is blocked. PR1272286

  • When the host-outbound-traffic command is configured in class of service (CoS), the device stops working when a corrupted packet arrives on the Packet Forwarding Engine. PR1359767

Flow-based and Packet-based Processing

  • SRX1500 devices may power off unexpectedly because of incorrect device temperature readings that report an excessively high temperature, leading to an immediate proactive power-off to protect the device from overheating. When this condition occurs, the following log message is shown in the file /var/log/hostlogs/lcmd.log: Jan 25 13:09:44 localhost lcmd[3561]: srx_shutdown:214: called with FRU TmpSensor. PR1241061

  • On SRX1500 devices, the message /kernel: kern.maxfiles limit exceeded by uid 0, please see tuning(7) is displayed when the kdm_savekcore process consumes the maximum open files allowed. As a workaround, use the savecore -C command to stop the file processing and clear the kernel crash flag, and reboot the device. PR1277664

  • On SRX4600 devices, when the next hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725

  • On all SRX Series devices, filter-based forwarding (FBF) does not work when applied on IPsec tunnel interface (st0.*). PR1290834

  • On SRX320, SRX340, and SRX550 devices, the RPD process stops when you configure the auto-bandwidth option under a label-switched path (LSP) in MPLS. PR1331164

  • On SRX Series devices, when you run the clear nhdb statistics command on an SPU PIC, the SPC may reset. PR1346320

  • The IPsec replay error for Z-mode traffic is observed. PR1349724

  • On SRX Series devices in a chassis cluster, if an IPv6 session is being closed and at the same time the related data-plane Redundancy Group (RG1+) failover occurs, this IPv6 session on the backup node may hang and cannot be cleared. PR1354448

  • The application layer protocol negotiation (ALPN) fails because the SSL proxy removes the ALPN extensions in the TLS packets. PR1360820

  • In chassis cluster mode with the IPsec tunnel configured, packet loss is observed when the clear text packets are processed. PR1373161

  • The Windows security log can overwrite a username that contains null with N/A. This issue causes the access privileges granted to that IP address to be lost. PR1375514

Interfaces and Routing

  • An incorrect ingress packets-per-second value is observed on MPLS-enabled interfaces. PR1328161

  • On the SRX1500, when LACP is configured with interfaces ae0 and ae1, the MAC address is displayed as 00:00:00:00:00:00 and 00:00:00:00:00:01 for interfaces ae0 and ae1, respectively. PR1352908

Intrusion Detection and Prevention (IDP)

  • On SRX Series devices, the output of the show security idp status command does not accurately reflect the number of decrypted SSL or TLS sessions being inspected by IDP. PR1304666

  • After an IDP signature automatic update is scheduled, the secondary node may not update the signatures. PR1358489

Platform and Infrastructure

  • On SRX5400, SRX5600, and SRX5800 devices, when the control link is down, the secondary node becomes ineligible and then goes to the disabled state. However, the FPCs restart continuously after going to the disabled state, when they should remain offline until rebooted. PR1170024

  • On SRX5600 and SRX5800 devices in a chassis cluster, when a secondary Routing Engine is installed to enable dual control links, the show chassis hardware command may display the same serial number for both the Routing Engines on both the nodes. PR1321502

  • On SRX Series devices, the forwarding plane may failover from node 0 to node 1 when an SPC stops unexpectedly. PR1331809

  • On SRX5600 and SRX5800 devices in a chassis cluster, when a secondary Routing Engine is installed to enable dual control links, the show chassis hardware command may display the same serial number for both the Routing Engines on both the nodes. PR1342362

  • SSH to the device fails if the phone-home: kern.maxfiles limit is exceeded. PR1357076

  • On SRX4100 and SRX4200 devices, the SRX Network Time Protocol (NTP) client may not stay synchronized to the NTP server and as a result the device clock often switches from NTP to local time. PR1357843

  • When the secure copy protocol (SCP) fails to transfer the active configuration to an archive site, the archive site also fails. PR1359424

Routing Policy and Firewall Filters

  • On SRX Series devices, DNS name entries in policies may not be resolved if the routing instance is configured under a system name server. PR1347006

Routing Protocols

  • On SRX Series devices, RIP is supported in packet-to-packet DC mode on st0 interfaces. PR1141817

  • A new CLI command is required to prevent traffic loss during a disaster recovery failover scenario. PR1352589

Software Installation and Upgrade

  • On SRX1500 devices, the fan speed often fluctuates. PR1335523

VPNs

  • IPsec uses ESP as the default protocol, if the user does not explicitly configure the protocol. PR1061838

  • When an SRX Series device acts as an initiator behind NAT, disabling NAT on the router in between causes an immediate new negotiation failure because of an attempt to negotiate using port 4500. The next attempt succeeds by using port 500. Disabling NAT, bringing down all the existing tunnels, and re-establishing the tunnels with port 500 is the expected behavior. PR1273213

  • On SRX Series devices, if multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector rekeys at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without an immediate rekey. New negotiation of those traffic selectors may be triggered through other mechanisms, such as traffic or the peer. PR1287168

  • IPsec traffic statistic counters return 32-bit values. PR1301688

  • During an RG0 failover in ISSU, when rekeys occur, iked process core files are generated. PR1340973

  • When NCP profile is changed on an existing IKE gateway, the SSL session corresponding to the existing tunnel is not affected. PR1323425

  • If a period (.) is present in the CA profile name, the PKID may face issues if it is restarted at any point. PR1351727

  • On SRX Series devices in a chassis cluster, configuration commit may succeed even though the external logical interface configuration (reth) associated with the Internet Key Exchange (IKE) VPN gateway configuration is deleted. This may lead to configuration load failure during the next device boot-up. PR1352559

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 18.1R3

Chassis Clustering

  • On SRX Series devices in a chassis cluster, a minor alarm Potential slow peers are: FWDD0 XDPC1 XDPC8 FWDD1 is observed, which can be ignored. PR1371222

Flow-based and Packet-based Processing

  • When you use CFLOW, the source address for flow packets is not displayed. PR1328565

  • SSH to the loopback interface of SRX Series devices does not work properly when AppTrack is configured. PR1343736

  • SNMP MIB walk provides incorrect data counters for total current flow sessions. PR1344352

  • On SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when CoS is configured on an interface, LACP communication stops because of a fabric port failure, and the connections between the SRX device and other devices break. PR1350731

  • The flowd process generates a core file when the SIP ALG is enabled. PR1352416

  • When a routing instance is configured, the UTM Anti-Spam:DUT process does not send the DNS query. PR1352906

  • The IPsec VPN traffic may be dropped on pass-through SRX Series device after an IKE rekey. PR1353779

  • On SRX Series devices, when AppTrack is configured, the flowd process stops. PR1354671

  • On SRX Series devices, the error message error: Policy is out of sync between RE (Routing Engine) and PFE (Packet Forwarding Engine) node0.fpc0. Please resync before commit is displayed if too many policies and addresses are configured. PR1355528

  • The PIM register may stop the message from the source First Hop Router (FHR). PR1356241

  • On SRX5000 devices, when the IPsec performance acceleration feature is enabled, packets going in or out of a VPN tunnel are dropped. PR1357616

  • On SRX Series devices, if you disable one of the four reth interfaces, the traffic flow stops. PR1360399

  • On the secondary control plane, a multicast session leak is observed for the PIM register. PR1360373

  • On SRX5400, SRX5600, and SRX5800 devices, the MIB walk tool is not working when screens are applied to the security zones. PR1364210

  • When RG0 failover occurs, the flowd process core files are generated. PR1366122

  • On SRX300, SRX320, SRX340, and SRX345 devices, with LTE mini-PIM the DHCP relay packets are not forwarded. PR1357137

General Routing

  • The Pred Fail Fan Tray chassis alarm is renamed to Predicted Fail. PR1202724

  • On SRX Series devices, if the memory buffer is accessed without checking the mbuf and the associated external storage, the flowd process may stop. PR1353184

Interfaces and Routing

  • On SRX Series devices, when the VPLS interface receives a broadcast frame, the device sends this frame back to the sender. PR1350857

  • The set protocols rstp interface all command does not enable RSTP on all interfaces. PR1355586

Intrusion Detection and Prevention (IDP)

  • The file descriptor may leak during a security package auto update. PR1318727

J-Web

  • In J-Web when you click the SKIP TO JWEB OPTIONS, the Google Chrome browser automatically redirects. PR1284341

  • When the J-Web fails to get resource information, the Routing Engine CPU usage is displayed as 100 percent. PR1351416

  • The J-Web setup does not propagate the DHCP attributes from ISP to LAN. PR1370700

Layer 2 Features

  • The DCPFE/FXPC process might stop and generate a core file. PR1362332

Layer 2 Ethernet Services

  • The subnet mask address is not sent as a reply to the DHCPINFORM request. PR1357291

Platform and Infrastructure

  • When you perform commits with apply-groups, VPN may flap. PR1242757

  • On SRX5400, SRX5600, and SRX5800 devices, log messages are seen often when an IOC card has the same identifier as the SPC PIC card. PR1357913

  • On SRX4100 devices, interfaces are shown as half-duplex, but there is no impact on the traffic. PR1358066

Routing Policy and Firewall Filters

  • The TCP protocol ports 5800 and 5900 are added to junos-defaults to support VNC application. PR1333206

  • On SRX Series devices, a large-scale commit (for example, a 70,000-line security policy) might stop the NSD process on the Packet Forwarding Engine. PR1354576

  • The timeout value of junos-http is not accurate. PR1371041

Routing Protocols

  • On SRX Series devices, dedicated BFD does not work. PR1347662

Unified Threat Management (UTM)

  • The default actions under Web filtering profile do not work as expected. PR1365389

VLAN Infrastructure

  • On SRX Series devices in transparent mode, the flowd process may stop when matching the destination MAC. PR1355381

VPNs

  • On SRX5400, SRX5600, and SRX5800 devices, the chassis cluster control link encryption does not work. PR1347380

  • S2S tunnels are not redistributed after IKE or IPsec are reactivated in a configuration. PR1354440

  • On SRX5600 and SRX5800 devices, traffic loss is observed during migration from a VPN configuration to an AutoVPN configuration. PR1362317

Resolved Issues: 18.1R2

API

  • On SRX320-POE devices, the REST API does not work when the relevant configuration is added under the system services rest hierarchy. PR1347539

Application Layer Gateways (ALGs)

  • On SRX5400, SRX5600, and SRX5800 devices, when you use the SIP ALG and have multiple local SIP servers with consecutive IP addresses, the SIP session distribution over the SPUs might not be optimal. PR1337549

Authentication and Access Control

  • The uacd process is not stable after upgrading to Junos OS Release 12.3X48. PR1336356

  • On SRX Series devices, the show version detail command displays the error message Unrecognized command (user-ad-authentication) when USERIDD is configured. PR1337740

  • New configuration is available to configure the web-authentication timeout. PR1339627

Chassis Clustering

  • The FPC module is offline at the secondary node, after the primary node or the secondary node is restarted. PR1340116

  • On SRX5400, SRX5600, and SRX5800 devices with a DC PEM installed, the output of the show chassis environment pem and show chassis power commands does not accurately reflect the actual values. PR1323256

  • IP monitoring is not working as expected when one node is in secondary-hold and the primary node priority becomes 0. PR1330821

  • On SRX Series devices, the integrated routing and bridging (IRB) interface on high availability does not send the ARP request after clearing ARP. PR1338445

  • When a PPPoE interface is configured over an aggregated Ethernet (AE) or redundant Ethernet (reth) interface, the cluster nodes might reboot in some cases. PR1341968

Class of Service (CoS)

  • Packets are out of order on SRX5K-SPC-4-15-320 (SPC2) cards used with IOC1 or FIOC cards. PR1339551

Flow-Based and Packet-Based Processing

  • The forwarding plane drops packets when the J-Flow version 9 configuration is removed. PR1351102

  • On SRX Series devices, packet reordering might occur in traffic that uses the Point-to-Point Protocol (PPP). PR1340417

  • The flowd process might stop when the SYN-proxy function is configured. PR1343920

  • File download halts over a period of time when the TCP proxy is activated through antivirus or Sky ATP. PR1349351

  • On SRX1500, SRX4100, and SRX4200 devices, when the Sky ATP cloud feeds are updated, the Packet Forwarding Engine might stop, causing intermittent traffic loss. PR1315642

Intrusion Detection and Prevention (IDP)

  • On SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices, if IDP and SSL forward proxy whitelist are used together, the device might generate a core file. PR1314282

  • The IDP policy cannot be loaded because of insufficient available heap memory. PR1347821

J-Web

  • Unable to delete the dynamic VPN user configuration using J-Web. PR1348705

Platform and Infrastructure

  • On SRX5400, SRX5600, and SRX5800 devices, the message No Port is enabled for FPC# on node0 is written to the chassis process (chassisd) log every 5 seconds. PR1335486

  • SRX1500 devices might encounter a failure while accessing the SSD drive. PR1345275

  • On SRX300 devices, the show system firmware command displays old firmware image. PR1345314

  • On SRX Series devices, a mandatory argument is missing from the show usp policy counters command in the RSI. PR1341042

  • Simultaneous commits trigger a configuration integrity check failure and halt the SRX Series device. PR1332605

Routing Policy and Firewall Filters

  • On SRX Series devices, if you configure a huge number of custom applications in the policies, the flowd process might stop. PR1347822

  • The log message L2ALM Trying peer/master connection, status 26 is displayed on all SRX Series devices. PR1317011

  • The flowd process stops when AppQoS is configured on the device. PR1319051

Routing Protocols

  • When BGP traceoptions are configured and enabled, the traces for messages sent to the BGP peer (BGP SEND traces) are not logged, but the traces for received messages (BGP RECV traces) are logged correctly. PR1318830

  • OpenSSL Security Advisory; see https://kb.juniper.net/JSA10851 for more information. PR1328891

Software Installation and Upgrade

  • On SRX Series devices, if a power loss occurs a few seconds after a commit and the Trusted Platform Module is enabled, the configuration integrity check fails. PR1351256

VPNs

  • For FIPS: PKID, the syslog for key-pair deletion is required for conformance. PR1308364

  • The kmd process might generate a core file when all the VPNs are down. PR1336368

Resolved Issues: 18.1R1

Application Layer Gateways (ALGs)

  • On SRX Series devices, SIP packets might drop when SIP traffic performs destination NAT. PR1268767

  • H323 ALG does not work correctly with static NAT and VR. PR1303575

  • The H323 ALG decode Q931 packet error is observed even after the H323 ALG is disabled. PR1305598

  • The HTTP ALG is listed in the show security match-policies output even though the HTTP ALG does not exist. PR1308717

  • On SRX Series devices with the SIP ALG enabled, the SIP ALG might drop SIP packets whose "referred-by" or "referred-to" header field contains multiple header parameters. PR1328266

  • When the SIP ALG is enabled and NAT is used, core files might be generated, and the device might reboot afterward. PR1330254

Authentication and Access Control

  • The Packet Forwarding Engine might stop working, resulting in the generation of a large number of core files in a short period of time. PR1326677

  • JIMS server stops responding to requests from SRX Series devices. PR1311446

  • On SRX Series devices, incomplete RSI might be seen. PR1329967

  • On SRX Series devices, sessions might be closed because of the idle timeout of junos-fwauth-adapter. PR1330926

Chassis Clustering

  • The ISSU or ICU operation might fail if the upgrade is initiated from Junos Space on multiple SRX clusters. PR1279916

  • Warning messages are incorrectly tagged with the error tag in the RPC response from an SRX Series device when you configure a change through NETCONF. PR1286903

  • On SRX Series devices, if you are running the user firewall feature, under some conditions core files are generated by the flow process or the user identification process. The Packet Forwarding Engine restarts, and an RG1+ failover occurs. PR1299494

  • Flowd process core files are generated after adding 65536 VPN tunnels using traffic selector with the same remote IP. PR1301928

  • ISSU might be unsuccessful if the control link recovery is configured. PR1303948

  • On SRX1500, SRX4100, and SRX4200 devices, ISSU might fail if LACP and interface monitoring are configured. PR1305471

  • A file descriptor might leak on SRX Series chassis clusters with Sky ATP enabled. PR1306218

  • After the device is rebooted, IP monitoring on secondary node shows unknown status. PR1307749

  • In an active/active cluster, the route change timeout does not work as expected. PR1314162

  • When ISSU is performed from a Junos OS Release prior to 15.1X49-D60 to a Junos OS Release 15.1X49-D60 or later, flowd process generates core files. PR1320030

  • When RG0 failover or primary node reboot happens, some of the logical interfaces might not be synchronized to the other node if the system has around 2000 logical interfaces and 40,000 security policies. PR1331070

  • When an interface in the chassis cluster is configured as a DHCP client, the default-gateway route received through DHCP is lost about 3 minutes after an RG0 failover. PR1334016

Flow-Based and Packet-Based Processing

  • On SRX4100 and SRX4200 devices, packet loss is observed when the packets-per-second (pps) rate through the device is very high. This occurs because of the update of the application-identification statistics interval statement, which has a default timer value of 1 minute. You can avoid this issue by setting the interval to the maximum using the set services application-identification statistics interval 1440 command. PR1290945

  • If SDNS proxy is configured on SRX Series devices, the naming process might stop. PR1307435

  • When you create a rescue configuration, some errors are reported, but the rescue configuration is created. PR1280976

  • RPM packets are not accounted for through the LT interface under certain configurations. PR1303445

  • Packet capture does not work after the value of the maximum-capture-size option is modified. PR1304723

  • The show host server name-server host CLI command fails when a source address is specified under the name-server configuration. PR1307128

  • Clear session takes 9 minutes to clear 57 million sessions. PR1308901

  • On SRX Series devices, if destination NAT and session affinity are configured with multiple traffic selectors in IPsec VPN, the traffic selector match might fail. PR1309565

  • The flow process might stop and generate a core file during failover between node 0 and node 1. PR1311412

  • On SRX Series devices, the IPsec tunnel might fail to be established if the datapath-debug configuration includes the preserve-trace-order option, the record-pic-history option, or both. PR1311454

  • The SRX Series device drops packets citing the reason "Drop pak on auth policy, not authed". PR1312676

  • When you commit configuration changes that delete a routing instance in which application tracking and session-close logging are enabled for the zone, a Packet Forwarding Engine core file is generated. PR1312757

  • The flow process might stop if the SSL-FP profile is configured with whitelist. PR1313451

  • On SRX550M devices, phone-home.core is generated after the zeroization procedure. PR1315367

  • On SRX Series devices, the PIM register stop comes before the PIM register packet. The out-of-sequence packet causes the flow session build error. PR1316428

  • On SRX Series devices, the fin-invalidate-session command does not work when the Express Path feature is enabled on the device. PR1316833

  • Return traffic through the routing instance might drop intermittently after changing the zone and routing-instance configuration on the st0.x interface. PR1316839

  • On SRX300 devices, the DHCP client cannot obtain IP addresses. PR1317197

  • The default route is lost after the system is zeroized. PR1317630

  • The SSL firewall proxy does not work if the root-ca value has fewer than four characters. PR1319755

  • Software next-hop table is full with log messages RT_PFE: NH IPC op 1 (ADD NEXTHOP) failed, err 6 (No Memory) peer_class 0, peer_index 0 peer_type 10. PR1326475

  • The FPC is dropped or gets stuck in the Present state when intermittent control link heartbeats are seen. PR1329745

  • The OSPF peers are unable to establish neighbors between the LT interfaces of the logical systems. PR1319859

  • Flow process generates core files on both nodes causing an outage. PR1324476

  • On the SRX5000 line of devices with an SRX5K-MPC3-40G10G (IOC3) or an SRX5K-MPC3-100G10G, the IPv6 traffic might be dropped if the IOC3 with the service-offload (npcache) feature is applied. PR1331401

  • Inaccurate Jflow records might be seen for output interface and next hop. PR1332666

  • The whitelist function in syn-flood does not work. PR1332902

Interfaces and Chassis

  • LLDP is not supported on a reth interface, but it can still be configured there. PR1127960

  • Traffic is looped with MSTP for untagged traffic from IxNetwork ports. PR1259099

  • Unable to add IRB and aggregated Ethernet interfaces. PR1310791

  • On SRX1500 devices, pp0.0 interface link status is not up. PR1315416

  • No error is reported at commit or commit check when autonegotiation is disabled but speed and duplex are not configured on the interface. PR1316965

  • RSI uses incorrect show vlans syntax. PR1336267

Intrusion Detection and Prevention (IDP)

  • On SRX4600 devices, the maximum SSLRP session count is observed to approach 100,000. In the CLI, configuring a maximum of 100,000 sessions is allowed, whereas SSLFP allows 600,000 sessions. Therefore, the set security idp sensor-configuration ssl-inspection sessions command is now modified to allow a maximum of 600,000 sessions. For other devices, the original session limit of 100,000 is retained. PR1329827

  • IDP policy compilation can be triggered even if changes that are not related to IDP are performed. PR1283379

  • IDP signatures might not get pushed to the Packet Forwarding Engine if there is a policy in logical systems. PR1298530

  • On SRX Series devices, the IDP PCAP feature underwent the following improvements:

    • The first valid packet-log-id is no longer generated as '0', because this was not compatible with third-party tools.

    • The algorithm for assigning packet-log-ids is improved to reduce the likelihood of duplicate entries and id-rollover events, particularly on devices with multiple SPUs.

    PR1297876

J-Web

  • The J-Web system snapshot throws an error. PR1204587

  • J-Web does not display all global address book entries. PR1302307

  • J-Web removes backslash character on source identity object when committing changes. PR1304608

  • In J-Web, the zone drop-down does not list the available zones while creating the zone address book or sets with Internet Explorer IE 10 or 11. PR1308684

  • J-Web authentication fails when a password includes the backslash. PR1316915

  • J-Web dashboard displays wrong last updated time. PR1318006

  • J-Web display problems for security policies are observed. PR1318118

  • J-Web does not display wizards on the dashboard. PR1330283

Layer 2 Ethernet Services

  • Duplicate hops or a higher-than-expected hop count are seen in Layer 2 traceroute. PR1243213

  • Ping to the VRRP virtual IP (VIP) address fails when VRRP is configured with VLAN tagging. This affects only Trio-based IOC2 and IOC3 cards in the SRX5000 line of devices; other devices are not affected. PR1293808

  • DHCPv6 prefix delegation does not start with the first available subnet. PR1295178

  • In DHCP relay configuration, the option VPN has been renamed to source-ip-change. PR1318487

  • DHCP rebind and renew packets are not counted in BOOTREQUEST. PR1325872

Network Address Translation (NAT)

  • An SCTP packet has an incorrect SCTP checksum after the SRX Series device performs NAT on the payload. PR1310141

  • Active source NAT causes an NSD error and the session closes. PR1313144

  • On SRX340 and SRX345 devices, configuring the source NAT pool larger than 1024 fails. PR1321480

  • Arena utilization on an FPC spikes and then returns to a normal value. PR1336228

Network Security

  • On SRX Series devices, the Sky ATP connection leak causes the service plane to be disconnected from the Sky ATP cloud. PR1329238

Network Management and Monitoring

  • DHCP packets are dropped by the dot1x module, if the port is a multiple-supplicant port. PR1296734

  • On SRX Series devices, the Routing Engine does not reply to an SNMP request. PR1240178

  • SRX1500 devices might power off unexpectedly because of incorrect device temperature readings that reported a very high temperature, leading to an immediate proactive power-off of the device to protect it from overheating. In these cases the temperature was not actually too high, and a power-off was not required. When this occurs, the following log message is shown in the file /var/log/hostlogs/lcmd.log: Jan 25 13:09:44 localhost lcmd[3561]: srx_shutdown:214: called with FRU TmpSensor. PR1241061

  • On SRX Series devices, when J-Flow is enabled for multicast traffic, an extern next hop is installed as part of the multicast composite next hop. However, uninstalling the composite next hop does not free the extern next hop, which results in a jtree memory leak. PR1276133

  • An SRX300 device becomes unresponsive as a result of a cf/var: filesystem full error. PR1289489

  • CLI options are available to manage the packet forwarding engine handling the ARP throttling for NHDB resolutions. PR1302384

Platform and Infrastructure

  • SRX Series devices do not process traffic because of a burst of IPv6 NDP packets. PR1293673

  • Inconsistent flow-control status on reth interfaces is observed. PR1302293

  • On SRX5400, SRX5600, and SRX5800 devices, the SPC2 XLP stops processing packets in the ingress direction after repeated RSI collections. PR1326584

  • On SRX5400, SRX5600, and SRX5800 devices, the packet captured by datapath-debug on an IOC2 card might be truncated. PR1300351

  • When Security Intelligence (SecIntel) is configured, IPFD CPU utilization might be higher than expected. PR1326644

Routing Policy and Firewall Filters

  • BGP traceoption logs are written even when traceoptions are deactivated. PR1307690

  • The nsd process might stop responding when the name of a logical system is replaced. PR1307876

  • The number of address objects per policy for SRX5400, SRX5600, and SRX5800 devices is increased from 4096 to 16,000. PR1315625

Routing Protocols

  • On SRX1500 devices, the IS-IS adjacency remains down when using an IRB interface. PR1300743

  • Dedicated BFD does not work on SRX Series devices. PR1312298

  • In a chassis cluster device with BMP configured, the rpd process might stop responding when the rpd process gracefully terminates. PR1315798

Software Installation and Upgrade

  • The request system reboot node in/at command results in an immediate reboot instead of rebooting at the allotted time. PR1303686

Unified Threat Management (UTM)

  • On SRX Series devices, if the Sophos antispam or Sophos antivirus interfaces are in a routing instance, the feature might not work as expected. PR1311694

  • The ISSU upgrade might fail because of the generation of Packet Forwarding Engine core files. PR1328665

VPNs

  • The IRB interface does not support VPN. PR1166714

  • The output hangs when you check the pki ca-certificate ca-profile-group details. PR1276619

  • Next hop tunnel binding (NHTB) is not installed occasionally during rekey for VPN using IKEv1. PR1281833

  • On SRX1500 devices, traffic through the tunnel fails if the authentication algorithm is not configured under the IPsec proposal. On SRX5600 devices, it works correctly. PR1285284

  • ADVPN tunnels flap with the spoke error no response ready yet, which leads to an IKEv2 timeout. PR1305451

  • On SRX Series devices, core files are observed under certain conditions with VPN and when NAT-T is enabled. PR1308072

  • SNMP for jnxIpSecTunMonVpnName does not work. PR1330365

  • The kmd process core files might be seen when all the VPNs are down. PR1336368

  • On SRX Series devices, ESP packet drops in IPsec VPN tunnels with NULL encryption algorithm configuration are observed. PR1329368

Documentation Updates

This section lists the errata and changes in Junos OS Release 18.1R1 for the SRX Series device documentation.

New Simplified Documentation Architecture

  • With the release of Junos OS Release 18.1, Juniper is simplifying its technical documentation to make it easier for you to find information and know that you can rely on it when you find it. In the past, we organized documentation about Junos OS software features into platform-specific documents. In many cases, features are supported on multiple platforms, so you might not easily find the document you want for your platform.

    With Junos OS Release 18.1, we have eliminated the platform-specific software feature documents. For example, if you want to find documentation on OSPF, there is only one document regardless of which platform you have. Here are some of the benefits of our new simplified architecture:

    • Over time, you will see better search results when looking for Juniper documentation. You will be able to find what you want faster and be assured that is the right document.

    • If a software feature is supported on multiple platforms, you can find information about all the platforms in one place.

    • Because we have eliminated many documents that covered similar topics, you will now find one document with all the information.

    • You can know that you are always getting the most current and accurate information.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 12.3X48, 15.1X49, 17.3, and 17.4 are EEOL releases. You can upgrade from Junos OS Release 15.1X49 to Release 17.3 or from Junos OS Release 15.1X49 to Release 17.4.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
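The hop rules above are easy to get wrong when planning a fleet upgrade across several releases, so the following added example (not Juniper's code or tooling) models them as a small path planner. The release ordering it uses is constructed for illustration: only 12.3X48, 15.1X49, 17.3 and 17.4 (the EEOL releases named above) and 18.1 come from these notes, and the releases between them are assumed. It also assumes one reading of "span more than three releases": two releases more than three positions apart in the ordered train. Check the real release list at the EOL page before relying on any path.

```python
"""Planner for the Junos OS upgrade/downgrade support policy.

Added example, not Juniper's code. RELEASES is a constructed ordering; the
in-between releases are assumed for illustration only.
"""
from collections import deque
from typing import Dict, List, Optional

# Constructed ordered release train, oldest first (ASSUMPTION: illustrative only).
RELEASES: List[str] = [
    "12.3X48", "15.1X49", "16.1", "16.2", "17.1", "17.2", "17.3", "17.4", "18.1",
]
# EEOL releases named in the policy text above.
EEOL = {"12.3X48", "15.1X49", "17.3", "17.4"}

MAX_SPAN = 3       # policy: a single hop may not span more than three releases
MAX_EEOL_SPAN = 2  # policy: from an EEOL release you may jump one or two EEOL releases

_INDEX: Dict[str, int] = {r: i for i, r in enumerate(RELEASES)}
_EEOL_ORDER: List[str] = [r for r in RELEASES if r in EEOL]
_EEOL_INDEX: Dict[str, int] = {r: i for i, r in enumerate(_EEOL_ORDER)}


def _check_known(*releases: str) -> None:
    for r in releases:
        if r not in _INDEX:
            raise ValueError(f"unknown release: {r}")


def direct_hop_allowed(src: str, dst: str) -> bool:
    """True if a single upgrade or downgrade from src to dst is supported.

    ASSUMPTION: "spanning more than three releases" is read as being more than
    MAX_SPAN positions apart in RELEASES. The EEOL shortcut applies only when
    both ends are EEOL releases.
    """
    _check_known(src, dst)
    if src in EEOL and dst in EEOL:
        if abs(_EEOL_INDEX[src] - _EEOL_INDEX[dst]) <= MAX_EEOL_SPAN:
            return True
    return abs(_INDEX[src] - _INDEX[dst]) <= MAX_SPAN


def plan_path(src: str, dst: str) -> Optional[List[str]]:
    """Shortest sequence of supported hops from src to dst, inclusive, or None.

    Breadth-first search over the release train finds the fewest hops; because
    of the EEOL rule, long jumps are naturally routed through EEOL releases,
    which is exactly the procedure the policy text recommends.
    """
    _check_known(src, dst)
    if src == dst:
        return [src]
    parent: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in RELEASES:
            if nxt in parent or not direct_hop_allowed(cur, nxt):
                continue
            parent[nxt] = cur
            if nxt == dst:
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    for a, b in [("15.1X49", "17.4"), ("12.3X48", "17.4"), ("16.1", "18.1"), ("18.1", "15.1X49")]:
        print(f"{a} -> {b}: direct={direct_hop_allowed(a, b)} path={plan_path(a, b)}")
```

Both examples from the policy text (15.1X49 to 17.3 and 15.1X49 to 17.4) come out as single supported hops, while 12.3X48 to 17.4 is rejected as a direct hop and planned via 15.1X49, and a downgrade from 18.1 to 15.1X49 is routed through the EEOL release 17.3.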

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product.

To determine the features supported on SRX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: https://pathfinder.juniper.net/feature-explorer/