Junos OS Release Notes for SRX Series
These release notes accompany Junos OS Release 18.1R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.
New and Changed Features
This section describes the new features and enhancements to existing features in Junos OS Release 18.1R3 for the SRX Series devices.
Release 18.1R3 New and Changed Features
There are no new features in Junos OS Release 18.1R3 for the SRX Series devices.
Junos OS Release 18.1R3 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D120. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D120 are not available in 18.1 releases.
Release 18.1R2 New and Changed Features
There are no new features in Junos OS Release 18.1R2 for the SRX Series devices.
Junos OS Release 18.1R2 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D120. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D120 are not available in 18.1 releases.
Release 18.1R1 New and Changed Features
Junos OS Release 18.1R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D120. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D120 are not available in 18.1 releases.
Application Security
Data Loss Prevention (SRX Series)—Starting in Junos OS Release 18.1, SRX Series devices support Data Loss Prevention (DLP), which redirects HTTP or HTTPS traffic to any server through the Internet Content Adaptation Protocol (ICAP).
ICAP is a lightweight protocol for executing a remote procedure call on HTTP messages. It uses REQMOD, which encapsulates HTTP request messages, and RESPMOD, which encapsulates HTTP response messages.
[See SSL Proxy.]
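The REQMOD and RESPMOD encapsulation described above, as an added example that is not part of the release notes or Juniper's code: it builds the two ICAP message types the way RFC 3507 specifies them (Encapsulated offsets, chunked body) and parses them back. The DLP server URI, host name and HTTP messages are constructed sample values.

```python
# Constructed sample values: a hypothetical DLP server and a client upload.
ICAP_REQMOD_URI = "icap://dlp.example.test:1344/reqmod"
ICAP_RESPMOD_URI = "icap://dlp.example.test:1344/respmod"
SAMPLE_REQ_HDR = (b"POST /upload HTTP/1.1\r\n"
                  b"Host: www.example.test\r\n"
                  b"Content-Type: text/plain\r\n\r\n")
SAMPLE_REQ_BODY = b"customer-record=CONFIDENTIAL-0001"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
SAMPLE_RES_BODY = b"download of internal report"

HDR_SECTIONS = ("req-hdr", "res-hdr")
BODY_SECTIONS = ("req-body", "res-body", "null-body")


def chunked(body):
    """ICAP carries encapsulated bodies with HTTP chunked transfer coding."""
    if not body:
        return b"0\r\n\r\n"
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def dechunk(data):
    """Reverse chunked(): handles any number of chunks, ignores chunk extensions."""
    out, pos = b"", 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2


def build_icap_message(method, uri, sections, host="dlp.example.test"):
    """Assemble an ICAP request: start line, Host, Encapsulated, then the HTTP
    sections in order.  The Encapsulated header records the byte offset of each
    section relative to the start of the payload; exactly one body entry (or
    null-body) is required and must come last (RFC 3507)."""
    offsets, payload, body_seen = [], b"", False
    for name, data in sections:
        if body_seen:
            raise ValueError("a body entry must be the last section")
        offsets.append("%s=%d" % (name, len(payload)))
        if name in HDR_SECTIONS:
            if not data.endswith(b"\r\n\r\n"):
                raise ValueError("%s must be a complete header block" % name)
            payload += data
        elif name in BODY_SECTIONS:
            body_seen = True
            if name != "null-body":
                payload += chunked(data)
        else:
            raise ValueError("unknown section %r" % name)
    if not body_seen:
        raise ValueError("ICAP requires a body or null-body entry")
    head = ("%s %s ICAP/1.0\r\nHost: %s\r\nEncapsulated: %s\r\n\r\n"
            % (method, uri, host, ", ".join(offsets)))
    return head.encode("ascii") + payload


def reqmod_message(req_hdr=SAMPLE_REQ_HDR, req_body=SAMPLE_REQ_BODY):
    """REQMOD: the client's HTTP request, before it reaches the origin server."""
    return build_icap_message("REQMOD", ICAP_REQMOD_URI,
                              [("req-hdr", req_hdr), ("req-body", req_body)])


def respmod_message(req_hdr=SAMPLE_REQ_HDR, res_hdr=SAMPLE_RES_HDR,
                    res_body=SAMPLE_RES_BODY):
    """RESPMOD: the origin server's HTTP response, together with the request
    headers that produced it, before it is returned to the client."""
    return build_icap_message("RESPMOD", ICAP_RESPMOD_URI,
                              [("req-hdr", req_hdr), ("res-hdr", res_hdr),
                               ("res-body", res_body)])


def parse_icap_message(message):
    """Split an ICAP message back into its sections using the Encapsulated
    offsets; body sections are returned de-chunked."""
    head, _, payload = message.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    entries = [e.strip().split("=") for e in headers["encapsulated"].split(",")]
    result = {"start-line": lines[0]}
    for i, (name, off) in enumerate(entries):
        start = int(off)
        end = int(entries[i + 1][1]) if i + 1 < len(entries) else len(payload)
        part = payload[start:end]
        result[name] = dechunk(part) if name in ("req-body", "res-body") else part
    return result
```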
Optimizing SSL/TLS performance for HTTPS traffic (SRX Series, vSRX)—Starting in Junos OS Release 18.1R1, SSL/TLS performance is optimized by minimizing the time required for decryption, using the following methods:
Using optimized cipher suites
Maintaining the certificate cache
Enhanced SSL/TLS performance for HTTPS traffic results in improved website performance without compromising security, and maximizes user experience.
[See SSL Proxy.]
SSL proxy support (SRX300, SRX320)—Starting in Junos OS Release 18.1R1, SSL proxy support is available on SRX300 and SRX320 devices. SSL proxy acts as an intermediary, performing SSL encryption and decryption between the client and the server. SSL relies on digital certificates and private-public key exchange pairs for client and server authentication to ensure secure communication.
[See SSL Proxy.]
Authentication and Access
IPv6 support for network access control (NAC) (SRX Series, vSRX)—Starting with Junos OS Release 18.1R1, SRX Series devices support IPv6 for the network access control (NAC) system. You can configure a Web API client address with an IPv6 address and Web API supports IPv6 user or device entries obtained from Juniper Identity Management Service (JIMS). An SRX Series device can query JIMS periodically for batches of newly generated IPv6 users or devices for identity information. The SRX Series can query JIMS for identity information for an individual user or device based on the IPv6 address when the IPv6 traffic hits the SRX Series device. The SRX Series device firewall authentication can push IPv6 IP-user mapping information to JIMS.
Chassis Cluster
VRRP and VRRPv3 support on redundant Ethernet interface to provide redundancy (SRX Series, vSRX)—Starting with Junos OS Release 18.1R1, SRX Series devices in a chassis cluster support the Virtual Router Redundancy Protocol (VRRP) and VRRPv3 on reth interfaces to provide redundancy, route advertising, and load sharing. Using VRRP, a secondary node can take over a failed primary node within a few seconds with minimum VRRP traffic and without any interaction with the hosts.
Class of Service (CoS)
Support for rewrite rules for both inner and outer VLAN tags on IEEE802.1 packets (SRX Series)—Starting with Junos OS Release 18.1R1, SRX Series devices support applying rewrite rules to both inner and outer VLAN tags on IEEE802.1 packets. To apply rewrite rules to both inner and outer VLAN tags, set the vlan-tag outer-and-inner option at the [edit class-of-service interfaces interface-name unit unit-number rewrite-rules ieee-802.1 rewrite-name] hierarchy level.
Flow-Based and Packet-Based Processing
Enhancement for show security flow statistics operational command (SRX Series, vSRX instances)—Starting in Junos OS Release 18.1R1, the output of the show security flow statistics command has been modified. The Packets forwarded field has been split into the Packets received and Packets transmitted fields. The Packets received field displays the actual number of packets received, including those dropped by the system. The Packets transmitted field displays the number of packets returned to jexec for transmission. The Packets forwarded/queued field displays the actual number of packets forwarded, excluding the dropped packets.
Additionally, a new field, Packets copied, has been added to provide information about packets copied by other modules, including fragmentation and TCP proxy.
Interfaces and Chassis
Support for 4x10-Gigabit Ethernet Optical Breakouts (SRX4600)—Starting in Junos OS Release 18.1R1, you can use an optical breakout cable to configure four 10-Gigabit Ethernet interfaces on each 40-Gigabit Ethernet port on an SRX4600. By default, FPC 1 PIC 0 comes up with the default setting of four 40-Gigabit Ethernet ports. This new feature allows a 40-Gigabit Ethernet port to be configured in 4x10-Gigabit Ethernet mode by plugging in QSFPP-4X10-Gigabit Ethernet optics connected to 4x10-Gigabit Ethernet breakout cables. You use QSFP+ transceivers to connect the 40-Gbps (default speed) port to the breakout cable, which connects to four SFP+ transceivers at the other end, thus converting that port into four 10-Gbps interfaces.
For example, on FPC 1 PIC 0, to configure each 40-Gbps port as four 10-Gbps interfaces, execute the set chassis fpc 1 pic 0 pic-mode 10G command.
After you commit the configuration, for the new configuration to take effect, you must reboot the device or chassis cluster. [See SRX4600 Gateway Rate-Selectability Overview.]
Support for default 10-Gbps ports to operate at 1-Gbps speed (SRX4600)—Starting in Junos OS Release 18.1R1, SRX4600 supports 1-Gbps port speed on the default 10-Gbps ports on its 8-port PICs and on two dedicated chassis cluster control ports on the 4-port chassis cluster PICs. The SRX4600 supports three different PIC types—8-port 10-Gigabit Ethernet PIC, 4-port 40-Gigabit or 100-Gigabit Ethernet PIC, and 4-port 10-Gigabit Ethernet PIC (in a chassis cluster). Out of the four ports on the 10-Gigabit Ethernet PIC in a chassis cluster, two ports are fabric ports and the other two ports are chassis cluster control ports. The two fabric ports do not support 1-Gbps speed. Only the two control ports of the chassis cluster support a port speed of 1 Gbps.
Note: The interface name prefix must be xe.
You can configure a combination of 1-Gbps and 10-Gbps speed only on the 8-port 10-Gigabit Ethernet PIC. The chassis cluster control interfaces (that is, on the 4-port 10-Gigabit Ethernet PIC) do not support multiple speeds.
Multicast
Layer 2 IGMP and MLD Snooping feature support (SRX1500)—Starting with Junos OS Release 18.1R1, the SRX1500 supports the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) snooping feature in Layer 2 switching mode.
The snooping feature snoops the IGMP or MLD packets received by the switch interfaces and builds a multicast database. The SRX Series device uses the multicast database and forwards the multicast traffic only to the downstream interfaces of interested receivers. Using the multicast database to forward multicast packets helps ensure efficient use of network bandwidth.
[See IGMP Snooping Overview and Understanding MLD Snooping.]
Network Management and Monitoring
Two-Way Active Measurement Protocol (TWAMP) support (SRX4100, SRX4200 and vSRX)—Starting in Junos OS Release 18.1R1, the Two-Way Active Measurement Protocol (TWAMP) is supported on SRX4100 and SRX4200 devices and on vSRX instances in addition to the existing support on SRX Series devices such as SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500. TWAMP is a standard protocol framework that defines control and test session separation based on the client/server architecture. The TWAMP-Control protocol is used to set up performance measurement sessions between a TWAMP client and a TWAMP server, and the TWAMP-Test protocol is used to send and receive performance measurement probes.
User Interface and Configuration
Ephemeral configuration database support for load replace and load override operations (SRX Series)—Starting in Junos OS Release 18.1R1, NETCONF and Junos XML protocol client applications can configure the ephemeral configuration database using load replace and load override operations, in addition to the previously supported load merge and load set operations. To perform a load replace or load override operation, set the <load-configuration> action attribute to replace or override, respectively.
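The client side of the exchange described above, as an added example that is neither part of the release notes nor Juniper's code: it builds the Junos XML RPC sequence that opens the ephemeral database, loads with the chosen action, commits and closes, and it interprets the load reply. The interface snippet, the use of the replace: marker in text-format configuration, and the two sample replies are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The four load-configuration actions the ephemeral database accepts from 18.1R1.
LOAD_ACTIONS = ("merge", "replace", "override", "set")

# Constructed sample: text-format configuration carrying a "replace:" marker,
# which is what a load replace operation acts on (statement is illustrative).
SAMPLE_REPLACE_TEXT = (
    "interfaces {\n"
    "    replace: ge-0/0/1 {\n"
    "        description \"ephemeral-demo\";\n"
    "    }\n"
    "}\n")
SAMPLE_SET_TEXT = "set interfaces ge-0/0/1 description ephemeral-demo"

# Constructed sample replies in the shape Junos returns for <load-configuration>.
SAMPLE_OK_REPLY = (
    '<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">'
    "<load-configuration-results><load-success/></load-configuration-results>"
    "</rpc-reply>")
SAMPLE_ERROR_REPLY = (
    '<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
    'xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">'
    "<load-configuration-results>"
    "<xnm:error><message>syntax error</message></xnm:error>"
    "<load-error-count>1</load-error-count>"
    "</load-configuration-results></rpc-reply>")


def open_ephemeral_rpc(instance=None):
    """Open the default ephemeral instance, or a named one, for editing."""
    target = "<ephemeral/>" if instance is None else (
        "<ephemeral-instance>%s</ephemeral-instance>" % escape(instance))
    return "<rpc><open-configuration>%s</open-configuration></rpc>" % target


def load_configuration_rpc(config_text, action):
    """Build <load-configuration> with the requested action.  merge, replace and
    override carry the configuration as <configuration-text>; set carries
    set-style commands in <configuration-set>."""
    if action not in LOAD_ACTIONS:
        raise ValueError("unsupported load action %r" % action)
    wrapper = "configuration-set" if action == "set" else "configuration-text"
    return ('<rpc><load-configuration action="%s" format="text">'
            "<%s>%s</%s></load-configuration></rpc>"
            % (action, wrapper, escape(config_text), wrapper))


def ephemeral_load_sequence(config_text, action, instance=None):
    """The RPCs a client sends, in order, to load into the ephemeral database,
    commit it, and release it again."""
    return [
        open_ephemeral_rpc(instance),
        load_configuration_rpc(config_text, action),
        "<rpc><commit-configuration/></rpc>",
        "<rpc><close-configuration/></rpc>",
    ]


def load_action_of(rpc_xml):
    """Return the load-configuration action of an outgoing RPC, or None."""
    node = ET.fromstring(rpc_xml).find("load-configuration")
    return None if node is None else node.get("action")


def _local(tag):
    """Strip the XML namespace so replies match regardless of prefix."""
    return tag.rsplit("}", 1)[-1]


def load_result(reply_xml):
    """Interpret an <rpc-reply> to <load-configuration> as (ok, error_count).
    Junos reports <load-success/> on success and <load-error-count> otherwise;
    a reply without load results at all is treated as a failure."""
    elements = {_local(el.tag): el for el in ET.fromstring(reply_xml).iter()}
    if "load-configuration-results" not in elements:
        return (False, -1)
    if "load-success" in elements:
        return (True, 0)
    count = elements.get("load-error-count")
    return (False, int(count.text) if count is not None and count.text else -1)
```

A real client must check load_result() before sending commit-configuration; committing after a failed load leaves the ephemeral instance in whatever partial state the load produced.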
VPN
Binding trusted CAs or a trusted CA group to an IKE policy (SRX Series and vSRX instances)—Starting in Junos OS Release 18.1R1, you can group CA profiles (trusted CAs) in a trusted CA group, or bind a specific CA profile to an IKE policy. When a remote peer establishes a connection that matches this IKE policy, the specified CA profile or trusted CA group is used to validate the remote peer.
A group of trusted CA servers can be created with the trusted CA group configuration statement at the [edit security pki] hierarchy level; one or multiple CA profiles can be specified. The trusted CA server is bound to the IKE policy configuration for the peer at [edit security ike policy policy certificate] hierarchy level.
[See Understanding Certificates and PKI and Understanding Certificate Authority Profiles.]
IPv6 support for AutoVPN and ADVPN with dynamic routing protocol (SRX Series and vSRX instances)—Starting with Junos OS Release 18.1R1, IPv6 is supported on AutoVPN and Auto Discovery VPN (ADVPN) with point-to-multipoint secure tunnel mode. ADVPN can run with OSPFv3 routing protocol and AutoVPN can run with OSPFv3 and iBGP (internal BGP) routing protocols.
The ospf3 option is introduced at the edit protocol hierarchy level to support IPv6 for AutoVPN and ADVPN with point-to-multipoint secure tunnel mode. In addition, the show security ipsec next-hop-tunnels command, which displays the IPsec VPN tunnels bound to a specific tunnel interface, is updated to add family and tunnel ID filters.
[See Understanding AutoVPN and Understanding Auto Discovery VPN.]
IPv6 support for PKI (SRX Series and vSRX instances)—Starting in Junos OS Release 18.1, the public key infrastructure (PKI) supports IPv6 address format for the Certificate Authority (CA) server and source addresses in a CA profile. The PKI provides an infrastructure for digital certificate management. In PKI, a CA is a trusted third party agency responsible for issuing and revoking certificates. The certificates are used to create secure connections between two or more entities.
SSL remote access VPN support by bypassing an application-based firewall (SRX Series and vSRX instances)—Starting with Junos OS Release 18.1R1, remote access VPN uses SSL to pass through an application-level firewall using the third-party NCP Exclusive Remote Access Client on Windows, macOS, Apple iOS, and Android devices.
Most intermediate Internet-facing devices allow users to establish a session over SSL (HTTPS) to any Internet-based device. This solution allows users to establish a secure communication using a full SSL session when an intermediate device blocks IPsec or UDP traffic.
[See Understanding SSL Remote Access VPNs with NCP Exclusive Remote Access Client.]
Changes in Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 18.1R3 for the SRX Series.
Chassis Cluster
The SRX5400, SRX5600, and SRX5800 devices operating in a chassis cluster might encounter an em0 or em1 interface link failure on either of the nodes, which results in a split-brain condition, that is, both devices are unable to detect each other. If the failure occurs on the secondary node, the secondary node is moved to the disabled state.
This solution does not cover the following cases:
em0 or em1 failure on primary node
HA process restart
Preempt conditions
Control link recovery
Juniper Sky ATP
Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 18.1R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).
VPN
Default encryption algorithm for PKI certificates (SRX Series and vSRX)—Starting in Junos OS Release 18.1R3, the default encryption algorithm that is used for validating automatically and manually generated self-signed PKI certificates is Secure Hash Algorithm 256 (SHA-256).
Prior to Junos OS Release 18.1R3, the default encryption algorithm was SHA-1.
[See Understanding Certificates and PKI and request security pki local-certificate generate-self-signed (Security).]
Known Behavior
This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 18.1R3 for the SRX Series.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Chassis Clustering
If you enable IP monitoring on the redundancy group when the reth interface has more than one physical interface configured, then IP monitoring may not work properly on the secondary node. This issue occurs because the backup node may send traffic using the MAC address of the lowest port in the bundle. If the reply does not come back on the same physical port, then the internal switch may drop the traffic. PR1344173
J-Web
On SRX4100 and SRX4200 devices, as part of the JDHCP changes, the DHCP relay configuration under the Configure > Services > DHCP > DHCP Relay page is removed from J-Web in Junos OS Release 15.1X49-D60. The same DHCP relay can be configured using the CLI. PR1205911
On SRX4100 and SRX4200 devices, as part of the JDHCP changes, DHCP client bindings under Monitor are removed in Junos OS Release 15.1X49-D60. The same bindings can be seen in the CLI using the show dhcp client binding command. PR1205915
On SRX Series devices, adding 2,000 or more global addresses at a time to the SSL proxy profile exempted addresses can cause the web page to become unresponsive. PR1278087
On SRX Series devices, you cannot view the custom log files created for event logging in J-Web. PR1280857
On SRX Series devices, validation is not checked when the UTM policy is detached from the firewall policy rule after an SSL proxy profile is selected. PR1285543
On SRX Series devices, uploading a certificate using the browse button stores the certificate on the device at /jail/var/tmp/uploads/, which is deleted when you execute the request system storage cleanup command. PR1312529
On SRX Series devices, the values of address and address-range are not displayed in the inline address-set creation pop-up window of JIMS. PR1312900
The application signature install or uninstall status above the grid remains in the loading state when the device's connectivity to the cloud server or the application signature database is not present or not responding. This in turn affects the status that is displayed in J-Web. PR1332768
Platform and Infrastructure
On SRX4600 devices, the USB flash drive is not available to Junos OS. However, the USB flash drive is available for the host OS (Linux) with full access. The USB flash drive is still used in the booting process (install and recovery functions). PR1283618
When a USB device is under initialization, removing the USB device may cause the USB to stop working. PR1332360
Software Installation and Upgrade
When you upgrade from Junos OS Release 15.1X49, the signature version is automatically refreshed to version 534. Hence, you need to download and install a new signature version; if not, some features such as SKYATP IMAP may be missing. PR1324848
User Interface and Configuration
On SRX1500 devices, committing a configuration with a very large number of logical systems takes more time. This issue occurs because backing up the previous configurations may take longer to finish. PR1339862
VPNs
On SRX5400, SRX5600, and SRX5800 devices, when CoS is enabled on the st0 interface and the incoming traffic rate destined for the st0 interface is higher than 300,000 packets per second (pps) per SPU, the device may drop some of the high-priority packets internally and shaping of outgoing traffic may be impacted. We recommend that you configure an appropriate policer on the ingress interface to limit the traffic to below 300,000 pps per SPU. PR1239021
On SRX Series devices, IPsec traffic statistics counters return 32-bit values, which may quickly overflow. PR1301688
Known Issues
This section lists the known issues in hardware and software in Junos OS Release 18.1R3 for SRX Series devices.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Application Layer Gateways (ALGs)
On all SRX Series devices with NAT configured, a memory overwrite issue occurs when scaled RAS or H.323 traffic passes through the device and the device fails to perform NAT for the RAS or H.323 traffic. As a result, the flowd process may stop. PR1084549
On SRX Series devices with chassis cluster enabled and logical systems configured, when any ALG (except DNS ALG) is enabled and NAT is configured for the ALG sessions, the flowd process on the secondary node may stop. PR1343552
When using the IPsec ALG, the IPsec tunnel payload is dropped after the IKE or IPsec tunnel reestablishment due to a session conflict. PR1372232
If the SIP ALG is disabled, the SIP active sessions are affected. PR1373420
Chassis Clustering
On SRX550M devices, the SFP transceiver does not work after the chassis reboots. PR1347874
Class of Service (CoS)
On all SRX Series devices, if the action of forwarding-class is configured in the output direction on a firewall filter, the host outbound traffic matching the same term of this firewall filter is blocked. PR1272286
When the host-outbound-traffic command is configured in class of service (CoS), the device stops working when a corrupted packet arrives on the Packet Forwarding Engine. PR1359767
Flow-based and Packet-based Processing
SRX1500 devices may power off unexpectedly because of an incorrect device temperature reading that reports an excessively high temperature, which triggers an immediate proactive power-off to protect the device from overheating. When this condition occurs, the following log message is shown in the file /var/log/hostlogs/lcmd.log: Jan 25 13:09:44 localhost lcmd[3561]: srx_shutdown:214: called with FRU TmpSensor. PR1241061
On SRX1500 devices, the message /kernel: kern.maxfiles limit exceeded by uid 0, please see tuning(7) is displayed when the kdm_savekcore process consumes the maximum number of open files allowed. As a workaround, use the savecore -C command to stop the file processing and clear the kernel crash flag, and then reboot the device. PR1277664
On SRX4600 device, when the next-hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725
On all SRX Series devices, filter-based forwarding (FBF) does not work when applied on IPsec tunnel interface (st0.*). PR1290834
On SRX320, SRX340, SRX340, and SRX550 devices, the RPD process stops when you configure the auto-bandwidth option under the label-switched path (LSP) in the multiprotocol label switching (MPLS). PR1331164
On SRX Series devices, when you run the clear nhdb statistics command on an SPU PIC, the SPC may reset. PR1346320
The IPsec replay error for Z-mode traffic is observed. PR1349724
On SRX Series devices in a chassis cluster, if an IPv6 session is being closed and at the same time the related data-plane Redundancy Group (RG1+) failover occurs, this IPv6 session on the backup node may hang and cannot be cleared. PR1354448
The application layer protocol negotiation (ALPN) fails because the SSL proxy removes the ALPN extensions in the TLS packets. PR1360820
In chassis cluster mode with the IPsec tunnel configured, packet loss is observed when the clear text packets are processed. PR1373161
The Windows security log may rewrite a username that contains null to N/A. This issue causes the access privileges granted to that IP address to be lost. PR1375514
Interfaces and Routing
Incorrect ingress packet per second is observed on the MPLS enabled interface. PR1328161
On the SRX1500, when LACP is configured with interfaces ae0 and ae1, the MAC address is displayed as 00:00:00:00:00:00 and 00:00:00:00:00:01 for interfaces ae0 and ae1 respectively. PR1352908
Intrusion Detection and Prevention (IDP)
On SRX Series devices, the output of show security idp status command does not accurately reflect the number of decrypted SSL or TLS sessions being inspected by IDP. PR1304666
After an IDP signature automatic update is scheduled, the secondary node may not update the signatures. PR1358489
Platform and Infrastructure
On SRX5400, SRX5600, and SRX5600 devices, when the control link is down, the secondary node becomes ineligible and then goes to disabled state. But the FPCs restart continuously after going to disabled state when the FPCs should remain offline until rebooted. PR1170024
On SRX5600 and SRX5800 devices in a chassis cluster, when a secondary Routing Engine is installed to enable dual control links, the show chassis hardware command may display the same serial number for both the Routing Engines on both the nodes. PR1321502
On SRX Series devices, the forwarding plane may failover from node 0 to node 1 when an SPC stops unexpectedly. PR1331809
On SRX5600 and SRX5800 devices in a chassis cluster, when a secondary Routing Engine is installed to enable dual control links, the show chassis hardware command may display the same serial number for both the Routing Engines on both the nodes. PR1342362
SSH to the device fails if the phone-home: kern.maxfiles limit is exceeded. PR1357076
On SRX4100 and SRX4200 devices, the SRX Network Time Protocol (NTP) client may not stay synchronized to the NTP server and as a result the device clock often switches from NTP to local time. PR1357843
When the secure copy protocol (SCP) fails to transfer the active configuration to an archive site, the archive site also fails. PR1359424
Routing Policy and Firewall Filters
On SRX Series devices, DNS name entries in policies may not be resolved if the routing instance is configured under a system name server. PR1347006
Routing Protocols
On SRX Series devices, RIP is supported in packet-to-packet DC mode on st0 interfaces. PR1141817
A new CLI command is required to prevent traffic loss during a disaster recovery failover scenario. PR1352589
Software Installation and Upgrade
On SRX1500 devices, the fan speed often fluctuates. PR1335523
VPNs
IPsec uses ESP as the default protocol, if the user does not explicitly configure the protocol. PR1061838
When an SRX Series device acts as an initiator behind NAT, disabling NAT on the router in between causes an immediate new negotiation failure because of an attempt to negotiate on port 4500 after NAT is disabled. The next attempt succeeds by using port 500. Disabling NAT, bringing down all the existing tunnels, and re-establishing the tunnels on port 500 is the expected behavior. PR1273213
On SRX Series devices, in case multiple traffic-selectors are configured for a peer with IKEv2 reauthentication, only one traffic-selector will rekey at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors will be cleared without immediate rekey. New negotiation of those traffic-selectors may trigger through other mechanisms such as traffic or by peer. PR1287168
IPsec traffic statistic counters return 32-bit values. PR1301688
During an RG0 failover in ISSU, when rekeys occur, the iked process generates core files. PR1340973
When NCP profile is changed on an existing IKE gateway, the SSL session corresponding to the existing tunnel is not affected. PR1323425
If a period (.) is present in the CA profile name, the PKID may face issues if the PKID is restarted at any point. PR1351727
On SRX Series devices in a chassis cluster, configuration commit may succeed even though the external logical interface configuration (reth) associated with the Internet Key Exchange (IKE) VPN gateway configuration is deleted. This may lead to configuration load failure during the next device boot-up. PR1352559
Resolved Issues
This section lists the issues fixed in the Junos OS main release and the maintenance releases.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Resolved Issues: 18.1R3
Chassis Clustering
On SRX Series devices in a chassis cluster, a minor "Potential slow peers are: FWDD0 XDPC1 XDPC8 FWDD1" alarm is observed; it can be ignored. PR1371222
Flow-based and Packet-based Processing
When you use CFLOW, the source address for flow packets is not displayed. PR1328565
SSH to the loopback interface of SRX Series devices does not work properly when AppTrack is configured. PR1343736
SNMP MIB walk provides incorrect data counters for total current flow sessions. PR1344352
On SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when CoS is configured on an interface, LACP communication stops due to failure of the fabric port, and the connections between the SRX device and other devices break. PR1350731
The flowd process generates a core file when the SIP ALG is enabled. PR1352416
When the routing instance is configured, the UTM Anti-Spam:DUT process does not send the DNS query. PR1352906
The IPsec VPN traffic may be dropped on pass-through SRX Series device after an IKE rekey. PR1353779
On SRX Series devices, when AppTrack is configured, the flowd process stops. PR1354671
On SRX Series devices, the error message error: Policy is out of sync between RE (Routing Engine) and PFE (Packet Forwarding Engine) node0.fpc0. Please resync before commit is displayed if too many policies and addresses are configured. PR1355528
The PIM register may stop the message from the source First Hop Router (FHR). PR1356241
On SRX5000 devices, when the IPsec performance acceleration feature is enabled, packets going in or out of a VPN tunnel are dropped. PR1357616
On SRX Series devices, if you disable one of the four reth interfaces, the traffic flow stops. PR1360399
On the secondary control plane, a multicast session leak is observed for the PIM register. PR1360373
On SRX5400, SRX5600, and SRX5800 devices, the MIB walk tool is not working when screens are applied to the security zones. PR1364210
When RG0 failover occurs, the flowd process core files are generated. PR1366122
On SRX300, SRX320, SRX340, and SRX345 devices, with LTE mini-PIM the DHCP relay packets are not forwarded. PR1357137
General Routing
The Pred Fail Fan Tray chassis alarm is renamed to Predicted Fail. PR1202724
On SRX Series devices, if the memory buffer is accessed without checking the mbuf and the associated external storage, the flowd process may stop. PR1353184
Interfaces and Routing
On SRX Series devices, when the VPLS interface receives a broadcast frame, the device sends this frame back to the sender. PR1350857
The set protocols rstp interface all command does not enable RSTP on all interfaces. PR1355586
Intrusion Detection and Prevention (IDP)
The file descriptor may leak during a security package auto update. PR1318727
J-Web
In J-Web when you click the SKIP TO JWEB OPTIONS, the Google Chrome browser automatically redirects. PR1284341
When the J-Web fails to get resource information, the Routing Engine CPU usage is displayed as 100 percent. PR1351416
The J-Web setup does not propagate the DHCP attributes from ISP to LAN. PR1370700
Layer 2 Features
The DCPFE/FXPC process might stop and generate a core file. PR1362332
Layer 2 Ethernet Services
The subnet mask address is not sent as a reply to the DHCPINFORM request. PR1357291
Platform and Infrastructure
When you perform commits with apply-groups, VPN may flap. PR1242757
On SRX5400, SRX5600, and SRX5800 devices, log messages are seen often when an IOC card has the same identifier as the SPC PIC card. PR1357913
On SRX4100 devices, interfaces are shown as half-duplex, but there is no impact on the traffic. PR1358066
Routing Policy and Firewall Filters
The TCP protocol ports 5800 and 5900 are added to junos-defaults to support VNC application. PR1333206
On SRX Series devices, a large-scale commit (for example, a 70,000-line security policy) may stop the NSD process on the Packet Forwarding Engine. PR1354576
The timeout value of junos-http is not accurate. PR1371041
Routing Protocols
On SRX Series devices, dedicated BFD does not work. PR1347662
Unified Threat Management (UTM)
The default actions under Web filtering profile do not work as expected. PR1365389
VLAN Infrastructure
On SRX Series devices in transparent mode, the flowd process may stop when matching the destination MAC. PR1355381
VPNs
On SRX5400, SRX5600, and SRX5800 devices, the chassis cluster control link encryption does not work. PR1347380
S2S tunnels are not redistributed after IKE or IPsec are reactivated in a configuration. PR1354440
On SRX5600 and SRX5800 devices, during migration from a VPN to an AutoVPN configuration, traffic loss is observed. PR1362317
Resolved Issues: 18.1R2
API
On SRX320-POE devices, the REST API does not work when the relevant configuration is added under the system services rest hierarchy. PR1347539
Application Layer Gateways (ALGs)
On SRX5400, SRX5600, and SRX5800 devices, when you use the SIP ALG and have multiple local SIP servers with consecutive IP addresses, the SIP session distribution over the SPUs might not be optimal. PR1337549
Authentication and Access Control
The uacd process is not stable after upgrading to Junos OS Release 12.3X48. PR1336356
On SRX Series devices, the show version detail command displays the following error message: Unrecognized command (user-ad-authentication) when configuring the USERIDD. PR1337740
New configuration is available to configure the web-authentication timeout. PR1339627
Chassis Clustering
The FPC module is offline at the secondary node, after the primary node or the secondary node is restarted. PR1340116
On SRX5400, SRX5600, and SRX5800 devices with a DC PEM installed, the output of the show chassis environment pem and show chassis power commands does not accurately reflect the actual values. PR1323256
IP monitoring is not working as expected when one node is in secondary-hold and the primary node priority becomes 0. PR1330821
On SRX Series devices, the integrated routing and bridging (IRB) interface on high availability does not send the ARP request after clearing ARP. PR1338445
When a PPPoE interface is configured over an aggregated Ethernet (AE) or redundant Ethernet (reth) interface, the cluster nodes might reboot in some cases. PR1341968
Class of Service (CoS)
Packets are out of order on SRX5K-SPC-4-15-320 (SPC2) cards with IOC1 or FIOC cards. PR1339551
Flow-Based and Packet-Based Processing
The forwarding plane drops packets when the J-Flow version 9 configuration is removed. PR1351102
On SRX Series devices, packet reorder might occur in traffic when using Point-to-Point protocol (PPP). PR1340417
The flowd process might stop when the SYN-proxy function is configured. PR1343920
File download halts over a period of time when the TCP proxy is activated through antivirus or Sky ATP. PR1349351
On SRX1500, SRX4100, and SRX4200 devices, when the Sky ATP cloud feed updates, the Packet Forwarding Engine might stop, causing intermittent traffic loss. PR1315642
Intrusion Detection and Prevention (IDP)
On SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices, if IDP and SSL forward proxy whitelist are used together, the device might generate a core file. PR1314282
Unable to load the IDP policy because of insufficient available heap memory. PR1347821
J-Web
Unable to delete the dynamic VPN user configuration using J-Web. PR1348705
Platform and Infrastructure
On SRX5400, SRX5600, and SRX5800 devices, the message No Port is enabled for FPC# on node0 is observed in the chassis process (chassisd) log every 5 seconds. PR1335486
SRX1500 devices might encounter a failure while accessing the SSD drive. PR1345275
On SRX300 devices, the show system firmware command displays the old firmware image. PR1345314
On SRX Series devices, a mandatory argument is missing for the show usp policy counters command in the RSI. PR1341042
Simultaneous commit triggers the configuration integrity check failure and halts the SRX. PR1332605
Routing Policy and Firewall Filters
On SRX Series devices, if you configure a huge number of custom applications in the policies, the flowd process might stop. PR1347822
The log message L2ALM Trying peer/master connection, status 26 is displayed on all SRX Series devices. PR1317011
The flowd process stops when AppQoS is configured on the device. PR1319051
Routing Protocols
When BGP traceoptions are configured and enabled, the traces specific to the messages sent to the BGP peer (BGP SEND traces) are not logged, but the traces specific to the received messages (BGP RECV traces) are logged correctly. PR1318830
OpenSSL security advisory; refer to https://kb.juniper.net/JSA10851 for more information. PR1328891
Software Installation and Upgrade
On SRX Series devices, if power loss occurs a few seconds after a commit and the Trusted Platform Module is enabled, the configuration integrity check fails. PR1351256
VPNs
For FIPS conformance, the PKID syslog message for key-pair deletion is required. PR1308364
The kmd process might generate a core file when all the VPNs are down. PR1336368
Resolved Issues: 18.1R1
Application Layer Gateways (ALGs)
On SRX Series devices, SIP packets might drop when SIP traffic performs destination NAT. PR1268767
H323 ALG does not work correctly with static NAT and VR. PR1303575
H323 ALG decode Q931 packet error is observed even after H323 ALG is disabled. PR1305598
HTTP ALG is listed within show security match-policies, when the HTTP ALG does not exist. PR1308717
On SRX Series devices with the SIP ALG enabled, the SIP ALG might drop SIP packets whose referred-by or referred-to header field contains multiple header parameters. PR1328266
When the SIP ALG is enabled and NAT is used, core files might be generated, after which the device might reboot. PR1330254
Authentication and Access Control
The Packet Forwarding Engine might stop working, resulting in the generation of a huge number of core files in a short period of time. PR1326677
JIMS server stops responding to requests from SRX Series devices. PR1311446
On SRX Series devices, incomplete RSI might be seen. PR1329967
On SRX Series devices, sessions might be closed because of the idle timeout of junos-fwauth-adapter. PR1330926
Chassis Clustering
The ISSU or ICU operation might fail if the upgrade is initiated from Junos Space on multiple SRX clusters. PR1279916
Warning messages are wrongly tagged with the error tag in the RPC response from an SRX Series device when you configure a change through NETCONF. PR1286903
On SRX Series devices, if you are running the User Firewall feature, under some conditions core files are seen with the flow process or the user identification process. The Packet Forwarding Engine is restarted, and RG1+ failover occurs. PR1299494
Flowd process core files are generated after adding 65536 VPN tunnels using traffic selector with the same remote IP. PR1301928
ISSU might be unsuccessful if the control link recovery is configured. PR1303948
On SRX1500, SRX4100 and SRX4200 devices, ISSU might fail if LACP and interface monitoring are configured. PR1305471
File Descriptor might leak on SRX Series chassis clusters with Sky ATP enabled. PR1306218
After the device is rebooted, IP monitoring on secondary node shows unknown status. PR1307749
In an active/active cluster, the route change timeout does not work as expected. PR1314162
When ISSU is performed from a Junos OS Release prior to 15.1X49-D60 to a Junos OS Release 15.1X49-D60 or later, flowd process generates core files. PR1320030
When RG0 failover or primary node reboot happens, some of the logical interfaces might not be synchronized to the other node if the system has around 2000 logical interfaces and 40,000 security policies. PR1331070
When an interface in the chassis cluster is configured as a DHCP client, the default-gateway route received through DHCP is lost about 3 minutes after RG0 failover. PR1334016
Flow-Based and Packet-Based Processing
On SRX4100 and SRX4200 devices, packet loss is observed when the value of packet per second (pps) through the device is very high. This occurs due to the update of the application interval statistics statement, which has a default timer value of 1 minute. You can avoid this issue by setting the interval to maximum using the set services application-identification statistics interval 1440 command. PR1290945
If SDNS proxy is configured on SRX Series devices, the naming process might stop. PR1307435
When executing operations for creating a rescue configuration, some errors are reported, but the rescue configuration is created. PR1280976
RPM packets are not accounted through the LT interface under certain configurations. PR1303445
Packet capture does not work after the value of the maximum-capture-size option is modified. PR1304723
The show host server name-server host CLI command fails when the source address is specified under the name-server configuration. PR1307128
Clear session takes 9 minutes to clear 57 million sessions. PR1308901
On SRX Series devices, if destination NAT and session affinity are configured with multiple traffic selectors in IPsec VPN, the traffic selector match might fail. PR1309565
The flow process might stop and generate a core file during failover between node 0 and node 1. PR1311412
On SRX Series devices, the IPsec tunnel might fail to be established if the datapath debug configuration includes the options preserve-trace-order, record-pic-history, or both. PR1311454
The SRX Series device drops packets citing the reason "Drop pak on auth policy, not authed". PR1312676
When you commit configuration changes involving deletion of a routing instance with application-tracking and session-close logging enabled for the zone, a PFE core file is generated. PR1312757
The flow process might stop if the SSL-FP profile is configured with whitelist. PR1313451
On SRX550M devices, phone-home.core is generated after the zeroization procedure. PR1315367
On SRX Series devices, the PIM register stop comes before the PIM register packet. The out-of-sequence packet causes the flow session build error. PR1316428
On SRX Series devices, the fin-invalidate-session command does not work when the Express Path feature is enabled on the device. PR1316833
Return traffic through the routing instance might drop intermittently after changing the zone and routing-instance configuration on the st0.x interface. PR1316839
On SRX300 devices, the DHCP client cannot obtain IP addresses. PR1317197
Default route is lost after system zero. PR1317630
SSL firewall proxy does not work if root-ca has fewer than four characters. PR1319755
Software next-hop table is full with log messages RT_PFE: NH IPC op 1 (ADD NEXTHOP) failed, err 6 (No Memory) peer_class 0, peer_index 0 peer_type 10. PR1326475
The FPC is dropped or gets stuck in present state when intermittent control link heartbeats are seen. PR1329745
The OSPF peers are unable to establish neighbors between the LT interfaces of the logical systems. PR1319859
Flow process generates core files on both nodes causing an outage. PR1324476
On the SRX5000 line of devices with an SRX5K-MPC3-40G10G (IOC3) or an SRX5K-MPC3-100G10G, the IPv6 traffic might be dropped if the IOC3 with the service-offload (npcache) feature is applied. PR1331401
Inaccurate Jflow records might be seen for output interface and next hop. PR1332666
The whitelist function in syn-flood does not work. PR1332902
Interfaces and Chassis
LLDP protocol is not supported on a reth interface but it can be configured. PR1127960
Traffic is looped with MSTP for untagged traffic from IxNetwork ports. PR1259099
Unable to add IRB and aggregated Ethernet interfaces. PR1310791
On SRX1500 devices, pp0.0 interface link status is not up. PR1315416
An error is not seen at each commit or commit check if autonegotiation is disabled but the speed and duplex configurations are not configured on the interface. PR1316965
RSI uses incorrect show vlans syntax. PR1336267
Intrusion Detection and Prevention (IDP)
On SRX4600 devices, the maximum SSLRP session count is observed to be approaching 100,000. In the CLI, configuring a maximum of 100,000 sessions is allowed, whereas in SSLFP, 600,000 sessions are allowed. Thus, the set security idp sensor-configuration ssl-inspection sessions command is now modified to allow a maximum of 600,000 sessions. However, for other devices the original session limit value of 100,000 is retained. PR1329827
IDP policy compilation can be triggered even if changes that are not related to IDP are performed. PR1283379
IDP signatures might not get pushed to the Packet Forwarding Engine if there is a policy in logical systems. PR1298530
On SRX Series devices, the IDP PCAP feature underwent the following improvements:
The first valid packet-log-id is no longer generated as 0, because this was not compatible with third-party tools.
The algorithm for assigning packet-log-ids is improved to reduce the likelihood of duplicate entries and id-rollover events, particularly on devices with multiple SPUs.
J-Web
J-Web system snapshot throws error. PR1204587
J-Web does not display all global address book entries. PR1302307
J-Web removes backslash character on source identity object when committing changes. PR1304608
In J-Web, the zone drop-down does not list the available zones while creating the zone address book or sets with Internet Explorer IE 10 or 11. PR1308684
J-Web authentication fails when a password includes the backslash. PR1316915
J-Web dashboard displays wrong last updated time. PR1318006
J-Web display problems for security policies are observed. PR1318118
J-Web does not display wizards on the dashboard. PR1330283
Layer 2 Ethernet Services
Duplicate hops or more than expected hop count is seen in Layer 2 traceroute. PR1243213
Ping to the VRRP virtual IP (VIP) address fails when VRRP is configured on a VLAN-tagged interface. This only affects Trio-based IOC2 and IOC3 cards in the SRX5000 line of devices. Other devices are not affected. PR1293808
DHCPv6 prefix delegation does not start with the first available subnet. PR1295178
In DHCP relay configuration, the option VPN has been renamed to source-ip-change. PR1318487
DHCP rebind and renew packets are not calculated in BOOTREQUEST. PR1325872
Network Address Translation (NAT)
SCTP packet has incorrect SCTP checksum after the SRX Series device implements NAT on the payload. PR1310141
Active source NAT causes an NSD error and the session closes. PR1313144
On SRX340 and SRX345 devices, configuring the source NAT pool larger than 1024 fails. PR1321480
Arena utilization on an FPC spikes and then returns to a normal value. PR1336228
Network Security
On SRX Series devices, the Sky ATP connection leak causes the service plane to be disconnected from the Sky ATP cloud. PR1329238
Network Management and Monitoring
DHCP packets are dropped by the dot1x module, if the port is a multiple-supplicant port. PR1296734
On SRX Series devices, the Routing Engine does not reply to an SNMP request. PR1240178
SRX1500 devices might power off unexpectedly because of incorrect device temperature readings that report a very high temperature, leading to an immediate proactive power-off of the device to protect it from overheating. However, in these cases the temperature was not actually too high and a power-off would not have been required. When this occurs, the following log message is shown in the file /var/log/hostlogs/lcmd.log: Jan 25 13:09:44 localhost lcmd[3561]: srx_shutdown:214: called with FRU TmpSensor. PR1241061
On SRX Series devices, when J-flow is enabled for multicast traffic, extern nexthop is installed during the multicast composite next hop. However, when you uninstall the composite next hop, it does not free the extern nexthop, which results in the jtree memory leak. PR1276133
SRX300 device is unresponsive as a result of cf/var: filesystem full error. PR1289489
CLI options are available to manage the packet forwarding engine handling the ARP throttling for NHDB resolutions. PR1302384
Platform and Infrastructure
SRX Series devices do not process traffic because of a burst of IPv6 NDP packets. PR1293673
Inconsistent flow-control status on reth interfaces is observed. PR1302293
On SRX5400, SRX5600, and SRX5800 devices, the SPC2 XLP stops processing packets in the ingress direction after repeated RSI collections. PR1326584
On SRX5400, SRX5600, and SRX5800 devices, the packet captured by datapath-debug on an IOC2 card might be truncated. PR1300351
When Security Intelligence (SecIntel) is configured, IPFD CPU utilization might be higher than expected. PR1326644
Routing Policy and Firewall Filters
BGP traceoption logs are written even when it is deactivated. PR1307690
The nsd process might stop responding when the name of a logical system is replaced. PR1307876
The number of address objects per policy for SRX5400, SRX5600, and SRX5800 devices is increased from 4096 to 16,000. PR1315625
Routing Protocols
On SRX1500 devices, the IS-IS adjacency remains down when using an IRB interface. PR1300743
Dedicated BFD does not work on SRX Series devices. PR1312298
In a chassis cluster device with BMP configured, the rpd process might stop responding when the rpd process gracefully terminates. PR1315798
Software Installation and Upgrade
The request system reboot node in/at command results in an immediate reboot instead of rebooting at the allotted time. PR1303686
Unified Threat Management (UTM)
On SRX Series devices, if the Sophos antispam or Sophos antivirus interfaces are in a routing instance, the feature might not work as expected. PR1311694
The ISSU upgrade might fail because of the generation of Packet Forwarding Engine core files. PR1328665
VPNs
The IRB interface does not support VPN. PR1166714
Output hangs while checking pki ca-certificate ca-profile-group details. PR1276619
Next hop tunnel binding (NHTB) is not installed occasionally during rekey for VPN using IKEv1. PR1281833
On SRX1500 devices, traffic through the tunnel fails without configuring the authentication algorithm under the IPsec proposal. On SRX5600 devices it works correctly. PR1285284
ADVPN tunnels flap with the spoke error no response ready yet; this issue leads to an IKEv2 timeout. PR1305451
On SRX Series devices, core files are observed under certain conditions with VPN and when NAT-T is enabled. PR1308072
SNMP for jnxIpSecTunMonVpnName does not work. PR1330365
The kmd process core files might be seen when all the VPNs are down. PR1336368
On SRX Series devices, ESP packet drops in IPsec VPN tunnels with NULL encryption algorithm configuration are observed. PR1329368
Documentation Updates
This section lists the errata and changes in Junos OS Release 18.1R1 for the SRX Series device documentation.
New Simplified Documentation Architecture
With the release of Junos OS Release 18.1, Juniper is simplifying its technical documentation to make it easier for you to find information and know that you can rely on it when you find it. In the past, we organized documentation about Junos OS software features into platform-specific documents. In many cases, features are supported on multiple platforms, so you might not easily find the document you want for your platform.
With Junos OS Release 18.1, we have eliminated the platform-specific software feature documents. For example, if you want to find documentation on OSPF, there is only one document regardless of which platform you have. Here are some of the benefits of our new simplified architecture:
Over time, you will see better search results when looking for Juniper documentation. You will be able to find what you want faster and be assured that it is the right document.
If a software feature is supported on multiple platforms, you can find information about all the platforms in one place.
Because we have eliminated many documents that covered similar topics, you will now find one document with all the information.
You can know that you are always getting the most current and accurate information.
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.
Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases
Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 12.3X48, 15.1X49, 17.3, and 17.4 are EEOL releases. You can upgrade from Junos OS Release 15.1X49 to Release 17.3 or from Junos OS Release 15.1X49 to Release 17.4.
You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.
For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.
For information about ISSU, see the Chassis Cluster User Guide for Security Devices.
Product Compatibility
Hardware Compatibility
To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product.
To determine the features supported on SRX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: https://pathfinder.juniper.net/feature-explorer/