
Junos OS Release Notes for SRX Series

 

These release notes accompany Junos OS Release 18.3R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

Note

The SRX5K-SPC3 Services Processing Card was introduced in Junos OS Service Release 18.2R1-S1 and is supported in all subsequent Junos OS Releases. The features and functionalities of the SRX5K-SPC3 card are supported in Junos OS Release 18.3R1. Going forward, future improvements for SRX5K-SPC3 will be included in upcoming Junos OS Maintenance Releases.

New and Changed Features

Release 18.3R3 New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 18.3R3 for the SRX Series devices.

Chassis Clustering

Release 18.3R2 New and Changed Features

There are no new features in Junos OS Release 18.3R2 for the SRX Series devices.

Release 18.3R1 New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 18.3R1 for the SRX Series devices.

Junos OS Release 18.3R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550M, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D150. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D150 are not available in 18.3 releases.

Application Security

  • Downloading the Junos OS application signature package from a proxy server (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, you can download the Junos OS application signature package through a proxy server. This lets you download and install an application signature package hosted on an external server when outbound Web access from the device must go through an already deployed Web proxy.

    To download the signature package by using a proxy server, configure a profile with host and port details of the proxy server, and use the set services application-identification download proxy-profile profile-name command to connect to the external server through a specified proxy server.

    The download retrieves the application signature package from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.

    [See Predefined Application Signatures for Application Identification.]

  • Elliptic Curve Digital Signature Algorithm (ECDSA) cipher support (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, ECDSA cipher suites are supported in SSL proxy for digital signing. ECDSA is based on elliptic curve cryptography (ECC); ECDSA cipher suites provide security comparable to RSA with much smaller keys and faster signature operations.

    SSL proxy supports only ECC certificates on the 256-bit prime curve (NIST P-256).

    [See SSL Proxy Overview.]

  • URL category-based routing (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, the advanced policy-based routing (APBR) feature is enhanced to accept URL categories as match criteria in an APBR profile, which enables URL category-based routing. URL categories are derived from the destination IP address, and the category identification comes from the Enhanced Web Filtering and local Web filtering results of UTM. APBR uses that category to match traffic and route the matching traffic to a specified next-hop device.

    URL category-based routing enables redirecting the traffic based on a specific website or a URL category to ensure that the Web traffic arrives at the appropriate destination.

    [See Advanced Policy-Based Routing.]

Authentication and Access

  • IPv6 support for configuring the JIMS server and filtering IP addresses (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, IPv6 addresses are supported to connect the Juniper Identity Management Service (JIMS) primary server and secondary server, in addition to existing IPv4 address support. Also, IPv6 addresses are supported to configure a filter based on IP addresses for the advanced query feature, in addition to existing IPv4 address support.

    [See Understanding the SRX Series Advanced Query Feature for Obtaining User Identity Information from JIMS.]

Authentication, Authorization, and Accounting

  • Support for password change policy enhancement (SRX Series)—Starting in Junos OS Release 18.3R1, the Junos password change policy for local user accounts is enhanced to comply with certain additional password policies. As part of the policy improvement, you can configure the following:

    • minimum-character-changes—The number of characters by which the new password must differ from the existing password.

    • minimum-reuse—The number of previous passwords that the new password must not match.

    [See password.]
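    The following configuration is an added example, not taken from the release notes; it shows the two new statements alongside the other local password policy knobs at the same hierarchy level. The numeric values are illustrative, not recommendations from Juniper.

```junos
# Local password policy at [edit system login password]. Values are illustrative.
set system login password minimum-length 14
# Require a mix of character classes and at least three changes of class in the password.
set system login password change-type character-sets
set system login password minimum-changes 3
# New in 18.3R1: the new password must differ from the old one in at least 4 characters,
# and must not match any of the last 5 passwords.
set system login password minimum-character-changes 4
set system login password minimum-reuse 5

# Verify what is committed.
show configuration system login password
```

    These statements govern local user accounts only; users authenticated through RADIUS or TACACS+ are subject to the password policy of that external server, not to this one.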

Flow-Based and Packet-Based Processing

  • Selective stateless packet forwarding (SRX1500, SRX4100, SRX4200, and SRX4600)—Starting in Junos OS Release 18.3R1, selective stateless packet forwarding services are supported on SRX1500, SRX4100, SRX4200, and SRX4600 devices in addition to the existing support on SRX300, SRX320, SRX340, SRX345, and SRX550M devices. Using selective stateless packet forwarding, you configure the device to provide packet-based processing for selected traffic, matched by the input terms of a firewall filter. All other traffic is processed by flow-based forwarding.

    Selective stateless packet forwarding is supported on the following protocols:

    • IPv4

    • MPLS

    • CCC-Ethernet switching cross-connects

    [See Understanding Selective Stateless Packet-Based Services and Example: Configuring Selective Stateless Packet-Based Services for Packet-Based to Flow-Based Forwarding.]
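    An added example of the firewall filter that selects traffic for packet-based processing (not from the release notes; the filter name, interfaces, and prefixes are illustrative). The packet-mode action modifier is what diverts a term's matches away from the flow module.

```junos
# Terms whose action includes 'packet-mode' are forwarded statelessly.
# Filter name, interfaces, and prefixes are illustrative.
set firewall family inet filter bypass-flow term core-transit from source-address 10.100.0.0/16
set firewall family inet filter bypass-flow term core-transit from destination-address 10.200.0.0/16
set firewall family inet filter bypass-flow term core-transit then packet-mode
set firewall family inet filter bypass-flow term core-transit then accept
# Everything else falls through to the flow module (stateful, policy-enforced).
set firewall family inet filter bypass-flow term flow-rest then accept

# Apply as an input filter on the ingress interface of BOTH directions of the traffic,
# so that neither direction of a packet-mode conversation lands in the flow module.
set interfaces ge-0/0/1 unit 0 family inet filter input bypass-flow
set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow
```

    Traffic that matches a packet-mode term bypasses everything the flow module provides: security policies, NAT, screens, IDP, ALGs, and IPsec. It also does not appear in show security flow session. Keep the match as narrow as possible and treat the filter as part of the security policy review.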

GPRS

  • GTP tunnel enhancements (SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 18.3R1, GPRS tunneling protocol (GTP) handling is enhanced so that GTP-U traffic refreshes the GTP tunnel and session lifetime, which prevents tunnels that carry only user-plane traffic from timing out. The refresh takes place even if GTP-U validation is disabled. Only GTPv1 and GTPv2 tunnels are refreshed by GTP-U traffic; GTPv0 tunnels are not. GTP-U distribution must be enabled for the refresh to take place.

    Note

    On SRX5400, SRX5600, and SRX5800 devices, the number of GTP tunnels supported per SPU is increased from 200,000 tunnels to 600,000 tunnels, for a total of 2,400,000 tunnels per SPC2 card.

    [See Monitoring GTP Traffic.]

Intrusion Detection and Protection (IDP)

  • Downloading the IDP security package through an explicit proxy server (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, you can download the IDP security package through an explicit Web proxy server.

    To download the IDP security package that hosts on an external server, you need to configure a proxy profile and use the proxy host and port details that are configured in the proxy profile.

    This feature lets you use a Web proxy server already deployed in your network for access to, and authentication of, the outbound HTTP and HTTPS sessions used for the download.

    [See Downloading the Junos OS IDP Signature Package through an Explicit Proxy Server.]

  • Support for multiple IDP policies (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, with unified policies configured on an SRX Series device, you can configure multiple IDP policies and set one of them as the default IDP policy. If more than one IDP policy could apply to a session (a policy conflict), the device applies the default IDP policy to that session, which resolves the conflict.

    If you have configured two or more IDP policies in a unified security policy, then you must configure the default IDP policy.

    [See IDP Policies Overview.]
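    An added example (not from the release notes) of two IDP policies attached through unified security policies, with one of them declared as the default. Zone, address, and policy names are illustrative, and the predefined attack group name is assumed to exist in the installed IDP security package.

```junos
# Two IDP policies. The attack group name is assumed to exist in the installed package.
set security idp idp-policy web-servers rulebase-ips rule r1 match attacks predefined-attack-groups "HTTP - Critical"
set security idp idp-policy web-servers rulebase-ips rule r1 then action recommended
set security idp idp-policy general rulebase-ips rule r1 match attacks predefined-attack-groups "Critical - TCP"
set security idp idp-policy general rulebase-ips rule r1 then action recommended

set security address-book global address web-servers 10.20.0.0/24

# Unified policy: HTTP to the web servers gets the tighter policy.
set security policies from-zone untrust to-zone dmz policy to-web match source-address any
set security policies from-zone untrust to-zone dmz policy to-web match destination-address web-servers
set security policies from-zone untrust to-zone dmz policy to-web match application any
set security policies from-zone untrust to-zone dmz policy to-web match dynamic-application junos:HTTP
set security policies from-zone untrust to-zone dmz policy to-web then permit application-services idp-policy web-servers

# Everything else permitted into the DMZ gets the general policy.
set security policies from-zone untrust to-zone dmz policy catch-all match source-address any
set security policies from-zone untrust to-zone dmz policy catch-all match destination-address any
set security policies from-zone untrust to-zone dmz policy catch-all match application any
set security policies from-zone untrust to-zone dmz policy catch-all match dynamic-application any
set security policies from-zone untrust to-zone dmz policy catch-all then permit application-services idp-policy general

# Mandatory once two or more IDP policies are referenced: the policy applied
# when a session's policy match is still ambiguous.
set security idp default-policy general

# Confirm the policies compiled and loaded.
show security idp status
```

    Choose the default deliberately: because unified policy matching on dynamic applications is only final once the application has been identified, the default IDP policy is the one a session is inspected with whenever the device cannot yet settle on a single security policy, so the default should not be the most permissive of the set.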

  • User visibility improvements for IDP attacks (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, you can view the attack objects that are available in an attack object group (predefined, dynamic, and custom attack groups) and the group to which a predefined attack object belongs.

    You can use the following new commands to view the details of attack objects in a group and the group to which a predefined attack belongs:

    • show security idp attack attack-list attack-group attack-group-name

    • show security idp attack group-list attack-name

    [See show security idp attack attack-list and show security idp attack group-list.]

Interfaces and Chassis

  • Management Ethernet interface (fxp0) is confined in a non-default virtual routing and forwarding table (SRX Series)—Starting in Junos OS Release 18.3R1, you can confine the management interface in a dedicated management instance by setting the new management-instance configuration statement at the [edit system] hierarchy level. Management traffic then no longer shares a routing table (inet.0) with the control and protocol traffic of the system; instead it uses the new mgmt_junos routing instance that is introduced for management traffic.

    [See Management Interface in a Non-Default Instance and management-instance.]
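    An added example (not from the release notes) of moving fxp0 into the dedicated management instance; the addresses are illustrative. The point of the change is that the data plane and the management network no longer share a routing table, so a default route in inet.0 cannot be used to reach management hosts and vice versa.

```junos
# Put fxp0 into the reserved mgmt_junos routing instance. Addresses are illustrative.
set system management-instance
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24

# Management reachability now lives in mgmt_junos, not in inet.0.
# The instance is created by the statement above; only its routing options are configured here.
set routing-instances mgmt_junos routing-options static route 0.0.0.0/0 next-hop 192.0.2.1

# Verify: fxp0 routes are in the management table and the gateway answers from it.
show route table mgmt_junos.inet.0
ping 192.0.2.1 routing-instance mgmt_junos count 3
```

    After the move, delete any static route in inet.0 that existed only for management, so that transit traffic cannot reach the management network. Services that originate from the Routing Engine (syslog, RADIUS or TACACS+, NTP, SNMP traps) do not automatically follow fxp0 into mgmt_junos; check the routing-instance option of each of those services in the configuration, or their traffic will still be looked up in inet.0.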

Logical Systems and Tenant Systems

  • Application identification support enhancement for logical systems (SRX Series)—Starting in Junos OS Release 18.3R1, the application identification (AppID) support for logical systems includes two new options to display and clear logical system statistics and counters. A user logical system administrator can view the AppID signature package status and version by using the show services application-identification status and show services application-identification version commands. Custom signatures configured by the master logical system administrator can be referenced in user logical system security policies.

    [See Understanding Logical System Application Identification Services.]

  • ICAP redirect profile support for logical systems (SRX Series)—Starting in Junos OS Release 18.3R1, SRX Series devices support the Internet Content Adaptation Protocol (ICAP) service redirect when the device is configured for logical systems.

    ICAP is a lightweight protocol used to extend transparent proxy servers, thereby freeing up resources. An ICAP redirect profile can be attached only to a policy that belongs to the same logical system.

    [See ICAP Redirects for Logical Systems.]

  • IDP support for logical systems (SRX Series)—Starting in Junos OS Release 18.3R1, the intrusion detection and prevention (IDP) support is extended to logical systems.

    IDP support allows the following actions for logical systems:

    • Configure individual IDP policies.

    • Verify the IDP policy load and compilation status.

    • View the attacks detected and service statistics.

    A single IDP security package is installed at the master logical system that is shared by all other logical systems. Only the master logical system administrator can configure the sensor-configuration statement and this is used by other logical systems.

    [See IDP for Logical Systems.]

  • Logical systems support (SRX4600)—Starting in Junos OS Release 18.3R1, SRX4600 devices support logical systems in route mode only.

    [See Understanding Logical Systems for SRX Series Services Gateways.]

  • New context-oid option for the trap-options configuration statement to distinguish traps that come from a non-default routing instance or a non-default logical system (SRX Series)—In Junos OS Release 18.3R1, the new context-oid option of the trap-options statement allows you to carry prefixes such as <routing-instance name>@<trap-group> or <logical-system name>/<routing-instance name>@<trap-group> as an additional varbind.

    [See trap-options.]

  • Tenant systems support (SRX Series)—Starting in Junos OS Release 18.3R1, tenant systems are supported. A tenant system provides logical partitioning of the SRX Series device into multiple domains similar to logical systems and provides high scalability. A tenant system supports routing, services and security features. A tenant system is created by the master administrator. The tenant system supports independent provisioning and administration. The master administrator uses the resource profiles to specify resource allocation for a tenant system. The tenant system administrator can configure and view the security features for the tenant systems.

    [See Tenant Systems Overview and Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Devices.]

    The following features that are supported on the logical systems are now extended to tenant systems:

  • UTM support for logical systems (SRX Series)—Starting in Junos OS Release 18.3R1, unified threat management (UTM) is supported on logical systems. Use the set security utm default-configuration command to create a default UTM profile at the master logical system level. You can configure policies, profiles, and custom objects for UTM for each logical system. For a user logical system, parameters such as mime-whitelist and url-whitelist in an antivirus profile and address-blacklist and address-whitelist in an antispam profile can be configured at the following hierarchy levels, respectively:

    • [edit security utm feature-profile anti-virus sophos-engine profile]

    • [edit security utm feature-profile anti-spam sbl profile]

    [See Unified Threat Management Overview.]

  • User firewall support in logical systems (SRX Series)—Starting in Junos OS Release 18.3R1, user logical systems share user firewall authentication entries such as authentication entry timeout and invalid authentication entry timeout attributes with the master logical system.

    The support for authentication sources is extended to local authentication, Active Directory authentication, and firewall authentication, in addition to the existing supported authentication sources such as Juniper Identity Management Service (JIMS) and Clear Pass authentication.

    [See Overview of Integrated User Firewall.]

NAT

  • NAT configuration check on egress interfaces after reroute (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, an existing session and its Network Address Translation (NAT) rule can be retained when the egress interface changes because of rerouting.

    If the new and previous egress interfaces are in the same security zone and the matched NAT rule does not change (or no rule applies both before and after rerouting), the session is retained with the existing NAT rule. Otherwise, the session expires and a new session is created when retransmitted or subsequent traffic is received.

    [See Understanding NAT Configuration Check on Egress Interfaces after Reroute.]

  • Session persistence after NAT configuration change (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, SRX Series devices support Network Address Translation (NAT) session persistence. With NAT session persistence enabled on your device, if there are any changes in the NAT configuration, then the device retains the existing NAT sessions instead of clearing them.

    NAT session persistence is supported only for source NAT in the following scenarios:

    • Source pool—Change in an address range in a Port Address Translation (PAT) pool.

    • Source rule—Change in match conditions for the address book, application, destination IP address, destination port, and source IP address fields.

    [See Understanding NAT Session Persistence.]

Platform and Infrastructure

Routing Protocols

  • Support to disable graceful restart helper mode during an interface failure (SRX Series)—Starting in Junos OS Release 18.3R1, you can prevent SRX Series devices from entering graceful restart helper mode when the device runs single-hop external BGP (EBGP) with BFD.

    To disable the graceful restart helper mode capability, include the dont-help-shared-fate-bfd-down statement at the [edit protocols bgp graceful-restart] hierarchy level. With helper mode disabled, the device does not keep forwarding to the failed peer, and data traffic is forwarded over an alternate path when the interface fails.

    [See dont-help-shared-fate-bfd-down.]

UTM

  • Explicit proxy support for Enhanced Web Filtering and Sophos antivirus (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, SRX Series devices support the use of an explicit proxy for the cloud connectivity of Enhanced Web Filtering (EWF) and Sophos antivirus (SAV). The proxy hides the identity of the source device and establishes the connection to the destination on its behalf.

    To use the explicit proxy, create one or more proxy profiles and refer to those profiles:

    • In EWF, to establish connection with the Websense Threatseeker Cloud (TSC) server and dynamically load new EWF categories without any software upgrade.

    • In SAV, to connect to the pattern update server using the proxy host IP address.

    [See Understanding Explicit Proxy.]
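    The proxy profile mechanism is the same for the application signature download, the IDP security package download, and the UTM cloud connections described above. The following is an added example (not from the release notes) of one proxy profile shared by the first two; the proxy host and port are illustrative. The UTM (EWF and SAV) attachment points are not shown here.

```junos
# One proxy profile for outbound downloads from the Routing Engine. Host and port are illustrative.
set services proxy profile corp-proxy protocol http host 10.10.10.5
set services proxy profile corp-proxy protocol http port 3128

# Application signature package downloads go through the profile.
set services application-identification download proxy-profile corp-proxy

# IDP security package downloads use the same profile.
set security idp security-package proxy-profile corp-proxy

# Trigger the downloads and confirm the installed versions.
request services application-identification download
show services application-identification version
request security idp security-package download
show security idp security-package-version
```

    Because the signature site is reached over HTTPS, the proxy must permit CONNECT to signatures.juniper.net on port 443 from the device's management address; an HTTP-only proxy ACL is the usual reason the download still fails after the profile is in place.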

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 18.3 for the SRX Series.

Changes in Behavior and Syntax: Release 18.3R3

Authentication and Access Control

  • SSH protocol version v1 option deprecated from CLI (SRX Series)—Starting in Junos OS Release 18.3R3, the nonsecure SSH protocol version v1 option is not available at the [edit system services ssh protocol-version] hierarchy level. The SSH protocol version v2 is the default option to remotely manage systems and applications. The SSH protocol version v1 deprecation enables Junos OS to be compatible with OpenSSH 7.4 and later versions.

    Junos OS Release 18.3R2 and earlier releases supported the SSH protocol version v1 option to remotely manage systems and applications.

    [See protocol-version.]
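    An added example (not from the release notes) of the SSH service configuration a reviewer expects on 18.3R3, where only version 2 remains. The protocol-version statement is shown explicitly even though v2 is the default, and the remaining lines are the usual companion hardening; the connection and rate limits are illustrative values.

```junos
# SSH hardening at [edit system services ssh]. Limits are illustrative.
set system services ssh protocol-version v2
set system services ssh root-login deny
# Restrict algorithms to CTR ciphers, SHA-2 MACs, and ECDH key exchange.
set system services ssh ciphers [ aes256-ctr aes192-ctr aes128-ctr ]
set system services ssh macs [ hmac-sha2-512 hmac-sha2-256 ]
set system services ssh key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ]
# Cap concurrent sessions and the connection rate per minute.
set system services ssh connection-limit 10
set system services ssh rate-limit 5

# Verify the result.
show configuration system services ssh
```

    Before carrying a configuration forward from 18.3R2 or earlier, check it for protocol-version v1 (or [ v1 v2 ]): the option no longer exists at that hierarchy level in 18.3R3, so it must be removed rather than left for the upgrade to reject.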

Juniper Sky ATP

  • Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 18.3R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).

Network Management and Monitoring

Changes in Behavior and Syntax: Release 18.3R2

Authentication and Access Control

  • Enhanced output for show security firewall-authentication jims statistics (SRX Series)—Starting in Junos OS Release 18.3R2, the output of the show security firewall-authentication jims statistics operational command is enhanced to display the statistics of both the primary and the secondary JIMS server. For example, the show security firewall-authentication jims statistics command displays the following sample output:

    [See show security firewall-authentication jims statistics.]

Chassis Clustering

  • MACsec on chassis cluster (SRX4600)—Starting in Junos OS Release 18.3R2, adding a MACsec configuration to a chassis cluster port, or modifying an existing one, requires the chassis cluster to be disabled first; the commit displays the warning Modifying cluster control port CA will break chassis cluster. Once the cluster is disabled, you can apply the configuration and then enable the chassis cluster again.

    [See Configuration Considerations When Configuring MACsec on Chassis Cluster Setup.]

Network Management and Monitoring

  • The NETCONF server omits warnings in RPC replies when the rfc-compliant statement is configured and the operation returns <ok/> (SRX Series)—Starting in Junos OS Release 18.3R2, when you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level to enforce certain behaviors by the NETCONF server, if the server reply after a successful operation includes both an <ok/> element and one or more <rpc-error> elements with a severity level of warning, the warnings are omitted. In earlier releases, or when the rfc-compliant statement is not configured, the NETCONF server might issue an RPC reply that includes both an <rpc-error> element with a severity level of warning and an <ok/> element.

Platform and Infrastructure

  • Chassis cluster with SPC card (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.3R2, when an SPC hosts both the control plane and the control port, it is a single point of failure. If that SPC goes down on the primary node, the node is automatically rebooted to avoid split brain.

    [See Connecting SRX Series Devices to Create a Chassis Cluster.]

VPN

  • Certificate revocation list (SRX Series)—In earlier releases, local certificates were validated against the certificate revocation list (CRL) even when the CRL check was disabled. Starting in Junos OS Release 18.3R2, disabling the CRL check in the Public Key Infrastructure (PKI) configuration also stops this validation: when the CRL check is disabled, PKI does not validate the local certificate against the CRL.

    [See revocation-check (Security PKI) and Understanding Online Certificate Status Protocol and Certificate Revocation Lists.]

  • Encryption algorithm (SRX Series)—Starting in Junos OS Release 18.3R2, when AES-GCM 128-bit or AES-GCM 256-bit encryption algorithms are configured in the IPsec proposal, it is not mandatory to configure AES-GCM encryption algorithm in the corresponding IKE proposal.

    [See IPsec VPN Configuration Overview and encryption-algorithm (Security IKE).]

  • Encryption algorithm support for high availability—Starting in Junos OS Release 18.3R2, on SRX5000 line devices, you can configure the aes-128-cbc option at the set security ipsec internal security-association manual encryption algorithm hierarchy level. You configure this option to encrypt the high availability link.

    [See internal (Security IPsec).]

Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 18.3R3 for the SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Security

  • On SRX1500 devices with AppFW configured, the expected HTTP connections per second (CPS) is 60,000, a 14 percent drop from the 70,000 expected without AppFW. PR1339131

  • User firewall authentication entries might not match when you execute the request services user-identification authentication-table delete authentication-source command frequently. PR1366767

Chassis Clustering

  • On all SRX Series branch devices, if you enable IP monitoring for redundancy groups, the feature might not work properly on the secondary node if the reth interface has more than one physical interface configured. The backup node sends the monitoring traffic using the MAC address of the lowest-numbered port in the bundle; if the reply does not come back on that same physical port, the internal switch drops it. PR1344173

Flow-Based and Packet-Based Processing

  • When you configure an interface to a zone under a tenant or under a root system, interfaces that are rented by other tenants are listed with a question mark. PR1370255

Interfaces and Chassis

  • On SRX4600 devices, the USB storage device is available only for the host OS (Linux) with full access and for the boot process (install and recovery functions). PR1283618

J-Web

  • The PPPoE interface pp0 is not displayed on the J-Web's Interfaces> Port page. PR1316328

  • When there are no SPC3 or SPC2 cards in the SRX5000 line of devices, the Configure>Multi tenancy>Logical systems and Resource Profile pages do not populate the resource profiles. PR1362106

Unified Threat Management (UTM)

  • UTM feature profiles work at the logical system level. If mail notification for UTM content filtering is configured in a logical system's feature profile, the device does not send the mail to the specified mail server, because the system SMTP server does not support logical systems. The SMTP server is accessible only from the root system feature profile. PR1364783

  • From Junos OS Release 18.3 onward, the APBR module supports categories based on the destination IP address: UTM Web filtering reports the category of the matched destination IP address to the APBR module, the category is classified, and the APBR action takes place. Currently, however, Web filtering's category classification by IP address is inaccurate, which can lead to traffic taking the non-APBR route. PR1365931

  • To make APBR custom category work, you need to create a local UTM profile. As a workaround, create one local UTM profile using the set security utm feature-profile web-filtering juniper-local profile h1 category custom action permit command. PR1366528

User Interface and Configuration

  • On SRX Series devices, committing a configuration that contains a considerable number of logical system configurations takes longer than usual. Backing up previous configurations might also take longer. PR1339862

VPNs

  • When multiple traffic selectors are configured on a particular VPN, the iked process sends at most one DPD probe to the peer per configured DPD interval. The DPD probe is sent if traffic flows over even one of the tunnels for the given VPN object. PR1366585

  • Use the file created in the set security ike traceoptions file location to check the logs. PR1381328

  • In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported. PR1383329

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 18.3R3 for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Identification

  • IDP installation fails on one node because the AppID process gets stuck. PR1336145

Chassis Clustering

  • VPN tunnels flap after adding or deleting a group in edit private mode on a clustered setup. PR1390831

Flow-Based and Packet-Based Processing

  • On SRX4600 platform, the output of the show route forwarding-table command displays the next-hop IP address twice if the next-hop is the st0 interface. The routing functionality is not impacted. PR1290725

  • The device sends incorrect rejection code when the destination device is not reachable. PR1371115

  • Support for intelligent CLI-based autocomplete is added to secure-wire. PR1372825

  • With stress TCP traffic, some invalid sessions time out over 48 hours. PR1383139

  • On all SRX Series platforms in a chassis cluster with Z-mode traffic and local (non-reth) interfaces configured, when ECMP routing is used between interfaces residing on both node0 and node1, and a session is initiated through one node while the return traffic arrives through the other node, packets might be dropped because the reroute fails. As a workaround, do not use ECMP between interfaces residing on different cluster nodes; make sure that both directions of a flow session pass through the same cluster node. PR1410233

J-Web

  • CLI terminal is not working in Java version 1.8 due to security restriction in running applet. PR1341956

  • On SRX Series platforms, the root password configured at first J-Web access (Skip to J-Web) does not work if password length is shorter than eight characters. PR1371353

Network Management and Monitoring

  • The show snmp mib walk etherStatsTable command displays incorrect results. PR1335808

Platform and Infrastructure

  • On SRX5600 and SRX5800 devices in a chassis cluster, when a second Routing Engine is installed to enable dual control links, the show chassis hardware command shows the same serial number for the second Routing Engine on both nodes. PR1321502

  • On SRX5000 line devices, the EM interface is an internal interface. If the EM interface goes down, the control link is lost and the SRX Series cluster enters an abnormal status. PR1342362

  • On SRX4600 devices, the Packet Forwarding Engine might stop because of a segmentation problem. PR1422466

VPNs

  • When SRX Series device is an IPsec VPN initiator behind a NAT device, disabling NAT on the NAT device causes the next IKE negotiation to fail due to UDP port 4500 still being used. Use the CLI command clear security ike security-associations to recover and successfully establish a new IKE SA on UDP port 500. PR1273213

  • On SRX Series devices, in case multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector is rekeyed at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. New negotiation of these traffic selectors is triggered through other mechanisms such as traffic or by peer. PR1287168

  • On SRX Series devices, with NCP as client, sometimes IKE SA might not be displayed in CLI output after RG1 failover. PR1352457

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • IKE SAs are not displayed in CLI output after failover happens on a cluster node when tunnels are established in aggressive mode. PR1424077

Resolved Issues

This section lists the issues fixed in hardware and software in Junos OS Release 18.3R3 for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 18.3R3

Application Layer Gateways (ALGs)

  • The TCP reset packet is dropped when any TCP proxy based feature and the rst-invalidate-session command are enabled simultaneously. PR1430685

  • The H.323 connection might not be established when the H.323 packet passes SRX Series devices twice through different virtual routers. PR1436449

  • Packet loss happens during cold sync from secondary node after rebooting. PR1448252

Application Security

  • Automatic application-identification download stops after the year rolls over and the device is rebooted. PR1436265

  • The flowd or srxpfe process might crash when advanced anti-malware service is used. PR1437270

Authentication and Access Control

  • The uacd process consumes about 100 percent CPU (as seen in the output of show chassis routing-engine). PR1424971

Chassis Clustering

  • The SNMP trap sends wrong information with manual failover. PR1378903

  • In mixed mode (SPC3 coexisting with SPC2 cards), high availability (HA) IP monitoring fails on the secondary node with a secondary arp entry not found error. PR1407056

  • At most, six Packet Data Network Gateway (PGW) connections can be contained in a PDP context response; otherwise, the response will be dropped. PR1422877

  • Memory leaks might be seen on the jsqlsyncd process on SRX Series chassis clusters. PR1424884

  • RG0 failover sometimes causes an FPC to show Offline or Present status. PR1428312

Flow-Based and Packet-Based Processing

  • Control traffic loss might be seen on SRX4600 platform. PR1357591

  • When activating security flow traceoptions, the unfiltered traffic is captured. PR1367124

  • Password recovery menu is not shown on SRX Series devices. PR1381653

  • On SRX4600 platform, the 40-Gigabit Ethernet interface might flap continuously by MAC local fault. PR1397012

  • SRX Series devices might not strip VLAN added by native VLAN ID command. PR1397443

  • CPU is hitting 100 percent with fragmented traffic. PR1402471

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when PowerMode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands will not count or display the number of packets processed within PowerMode IPsec, because these packets do not go through regular flow path. PR1403037

  • TCP throughput drops and latency increases when TCP traffic passes from one logical system to another logical system. PR1403727

  • On SRX1500, SRX4100, SRX4200, SRX4600, and SRX5000 line of devices with SPC3 card, if SSL proxy is configured, the firewall FPC CPU might spike above 80 percent and traffic might be lost. PR1414467

  • The input and output bytes or bps statistic values might not be identical for the same size of packets. PR1415117

  • Traffic would be dropped if SOF is enabled in a chassis cluster in active/active mode. PR1415761

  • Juniper Sky ATP does not escape the backslash (\) in the username before the metadata is sent to the cloud. PR1416093

  • Traffic might be lost on the SRX Series device if IPsec session affinity is configured with ipsec-performance-acceleration command. PR1418135

  • Tenant system administrator can change VLAN assignment beyond the allocated tenant system. PR1422058

  • The show security flow session session-identifier <sessID> command does not work if the session ID is larger than 10 million on the SRX4600 platform. PR1423818

  • PIM neighbors might not come up on SRX Series chassis cluster. PR1425884

  • When configuring GRE tunnel (GRE over IPsec tunnel) or IPsec tunnel on SRX Series device, the MTU of the tunnel interface is calculated incorrectly. PR1426607

  • The IPsec traffic going through SRX5000 line of devices with SPC2 cards installed causes high SPU CPU utilization. PR1427912

  • The flowd process might stop on SRX5000 line of devices. PR1430804

  • VPN traffic fails after primary node reboot or power off. PR1433336

  • SRX550M running Junos OS Release 18.4R1 shows PEM 1 output failure message, whereas with Junos OS Release 15.1X49 or Junos OS Release 18.1R3.3 it does not show any alarms. PR1433577

  • Intermittent packets drop might be observed if IPsec is configured. PR1434757

  • The syslog message with subtype "end of policy" is logged at severity error, although this message can be ignored. PR1435233

  • The second IPsec ESP tunnel might not be able to establish between two IPv6 IKE peers. PR1435687

  • On SRX4600 devices, a core file might be generated and the SPM might remain in the Present state. PR1436421

  • The ipfd process might crash when SecIntel is used. PR1436455

  • Some Web pages cannot be fully rendered. PR1436813

  • Membership information for dynamically created VLANs is not displayed in the output of the show vlans command. PR1438153

  • Security logs cannot be sent to external syslog server through TCP. PR1438834

  • The wmic process might stop and restart when using user firewall with Active Directory. PR1439538

  • The flowd process stops on SRX550 or SRX300 line of devices when SFP module is plugged in. PR1440194

  • The IKE pass-through packet might be dropped after source NAT is applied. PR1440605

  • Performance improvements were made to Screens which benefit multi-socket systems. PR1440677

  • When packets are forwarded from SPC2 to SPC3, under some conditions packets might be wrongly forwarded to SPC3 core 0 and core 14, causing packet drops. PR1441234

  • An RPM probe server configured for hardware timestamps does not respond with the correct timestamp to the RPM client. PR1441743

  • The flowd or srxpfe process might stop when processing fragmented packets. PR1443868

  • The jflow version 5 stops working after changing input rate value. PR1446996

  • Packet loss happens during cold sync from secondary node after rebooting. PR1447122

  • LACP cannot work with encapsulation flexible-ethernet-services configuration. PR1448161

  • The SPC3 Talus FPGA is stuck on golden version 0x3D or 0x69. PR1448722

  • FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122

  • When traffic is forwarded on a QinQ port, VLAN tagging is not applied properly on R0. PR1451474

  • Update SRX300 traffic logging to stream mode. PR1453074

Installation and Upgrade

  • SPMC version mismatch errors are seen after Junos OS is installed from USB. PR1437065

  • Junos OS upgrade fails when partition option is used. PR1449728

Interfaces and Chassis

  • Both nodes in the SRX Series cluster go into db mode after downgrading to Junos OS Release 18.1. PR1407295

  • Disabling the interface on the primary node causes traffic to get silently dropped through the secondary node. PR1424705

  • Changing the MTU after a CFM session is up can affect Layer 2 Ethernet ping (loopback messages). If the new MTU is smaller than the initial one, the Layer 2 Ethernet ping fails. PR1427589

  • LFM remote loopback is not working as expected. PR1428780

  • The LACP interface might flap if performing a failover. PR1429712

Intrusion Detection and Prevention (IDP)

  • IDP might crash with the custom IDP signature. PR1390205

  • NSD fails to push the security zone to the Packet Forwarding Engine after a reboot if there is an active IDP rule configured with an FQDN. PR1420787

J-Web

  • J-Web configuration change for an address set using the search function results in a commit error. PR1426321

  • On SRX Series devices, J-Web incorrectly displays port mode access for the link aggregation interfaces despite them being configured with multiple VLAN IDs and port mode trunk. PR1430414

  • IRB interface is not available in zone option of J-Web. PR1431428

  • The idle-timeout for J-Web access doesn't work properly. PR1446990

  • J-Web fails to display traffic log in event mode when stream mode host is configured. PR1448541

Network Address Translation (NAT)

  • RTSP resource session is not found during NAT64 static mapping. PR1443222

Network Management and Monitoring

  • The set system no-redirects setting does not take effect for the reth interface. PR894194

  • MIB OID dot3StatsDuplexStatus shows wrong status. PR1409979

  • Partial traffic might get dropped on an existing LAG. PR1423989

  • SNMPD might generate a core file after the NSD process is restarted with the restart network-security gracefully command. PR1443675

Platform and Infrastructure

  • Memory leak might occur on the data plane during composite next-hop installation failure. PR1391074

  • The kernel might stop on the secondary node when committing set system management-instance command. PR1407938

  • The show security flow session command fails with error messages when SRX4600 has over 1 million routing entries. PR1408172

  • On SRX1500 platform, traffic is blocked on all interfaces after configuring the interface-mac-limit command on one interface. PR1409018

  • PEM 0 or PEM 1 or FAN, I2C failure major alarm might be set and cleared multiple times. PR1413758

  • Complete device outage might be seen when an SPU vmcore is generated. PR1417252

  • Some packages might be omitted during upgrade from legacy with packages. PR1417321

  • Flowd process might stop on SRX Series devices. PR1417658

  • On SRX4600 device, commit failed while configuring 2047 VLAN IDs on reth interface. PR1420685

  • The 4G network connection might not be established if LTE mPIM card is in use. PR1421418

  • FRU model number is not displayed. PR1422185

  • The SPC in slot 1 of node0 remains offline for more than 1 hour after the cluster is upgraded from Junos OS Release 18.2R2-S1.3 to Junos OS Release 18.2X41.1. PR1423169

  • Screen sync cookie causes 100 percent CPU utilization across all SPC3 of SRX5800, when packet rate is high. PR1425332

  • The ipfd process might crash if the security intelligence feature is configured. PR1425366

  • High-temperature alarms are triggered while the device is operating within the expected temperature range. PR1425807

  • The PICs might go offline and split brain might be seen when interrupt storm happens on internal Ethernet interface em0 or em1. PR1429181

  • REST API does not work properly. PR1430187

  • CPU load is distributed unevenly across cores under high packets-per-second rates. PR1430721

  • Packet Forwarding Engine crashes might be seen on SRX1500 platform. PR1431380

  • The false license alarm might be seen even if there is a valid license. PR1431609

  • The kmd log shows resource temporarily unavailable repeatedly and VPNs might be down. PR1434137

  • The interface using LACP flaps when Routing Engine is busy. PR1435955

  • The show security flow session command fails with error messages when SRX4100 or SRX4200 has around 1 million routing entries in FIB. PR1445791

Routing Policy and Firewall Filters

  • Memory leak in nsd causes configuration change to not take effect after a commit. PR1414319

  • The flowd process (responsible for traffic forwarding in SRX Series devices) stops on SRX Series devices while deleting a lot of policies from Junos Space. PR1419704

  • The NSD process might stop due to a memory corruption issue. PR1419983

  • A commit warning will now be presented to the user when a traditional policy is placed below a unified policy. PR1420471

  • A new alarm is raised when NSD fails to restart because its subcomponents fail. PR1422738

  • A DNS cache entry does not time out from the device even after its TTL reaches 0. PR1426186

  • SRX1500 device only allows a maximum of 256 policies with counting enabled. PR1435231

Unified Threat Management (UTM)

  • On SRX Series devices, when configuring Enhanced Web Filtering on the CLI, the autocomplete function did not properly handle or suggest custom categories. PR1406512

  • The device might not look up the blacklist first in a local Web filtering environment. PR1417330

  • UTM Web filtering status shows Down when the server is specified by hostname (routing-instance synchronization failure). PR1421398

  • When using unified policies, the base filter for certain UTM profiles might not be applied correctly. PR1424633

  • The custom-url-categories are now pushed correctly to the Packet Forwarding Engine under all circumstances. PR1426189

  • A memory issue occurs with the SSL proxy whitelist or whitelist URL category. PR1430277

VPNs

  • Tunnel flap is seen after doing RG0 failover. PR1357402

  • With a large number of IPsec tunnels established, a few tunnels might fail during rekey negotiation if SRX Series device initiates the rekey. PR1389607

  • Idle IPsec VPN tunnels without traffic and with ongoing DPD probes can be affected during RG0 failover. PR1405515

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds. PR1409855

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when the SRX Series device is configured to initiate IKEv2 reauthentication when NAT traversal is active, occasionally reauthentication might fail. PR1414193

  • The iked process might generate core files when the remote gateway address is configured as an IPv6 address while the local interface anchoring the tunnel has an IPv4 address. PR1416081

  • Group VPN IKE security associations cannot be established before RG0 failover. PR1419341

  • SSL proxy did not correctly warn users about unsupported certificates. PR1419485

  • The iked process might stop when IKE and IPsec SA rekey happens simultaneously. PR1420762

  • The show security ike sa detail command shows incorrect value in the IPsec security associations column. PR1423249

  • IPsec packet throughput might be impacted if NAT-T is configured and the fragmentation operation of post fragment happens. PR1424937

  • On SRX Series devices with SPC3, SRX Series device does not send IKE delete notification to the peer if the traffic selector configuration is changed. PR1426714

  • The kmd process stops and generates a core file after running the show security ipsec traffic-selector command. PR1428029

  • With SPC3 and SPC2 mixed mode, IPsec SA is not getting cleared by executing the CLI command clear security ipsec sa. PR1428082

  • On SRX5000 line of devices with SPC3, with P2MP and IKEv1 configured, if negotiation fails on the peer device, then multiple IPsec SA entries are created on the device if the peer keeps triggering new negotiation. PR1432852

  • IPsec rekey is not triggered when the sequence number in AH or ESP packets is about to be exhausted. PR1433343

  • SRX Series devices fragment egress VPN traffic earlier than the ingress packet sizes require. PR1435700

  • The IPsec VPN traffic drop might be seen on SRX Series devices with NAT-T scenario. PR1444730

Resolved Issues: 18.3R2

Application Layer Gateways (ALGs)

  • On all SRX Series platforms, the SIP/FTP ALG does not work when SIP traffic with source NAT goes through the SRX Series device. PR1398377

  • DNS requests with EDNS options might be dropped by the DNS ALG. PR1379433

  • SUN-RPC data traffic might be dropped after interface-related configuration is changed. PR1387895

  • H.323 voice packets might be dropped on SRX Series devices. PR1400630

Application Security

  • Traffic fails to match a permit rule in the application firewall ruleset. PR1404161

Chassis Clustering

  • Half-duplex mode is not supported on SRX340 and SRX345 devices. PR1149904

  • Multiple flowd process files are seen on node1 after an RG0 failover. PR1372761

  • Traffic loss occurs when the primary node is rebooting. PR1372862

  • The packet might be dropped in an SRX chassis cluster environment if the sampling or packet capture is configured. PR1379734

  • The flowd process might stop during an ISSU. PR1386522

  • VDSL is not stable if there are sudden noises after configuring VDSL SOS feature. PR1387133

  • In an SRX Series chassis cluster with four 100-Gigabit Ethernet interfaces configured on PIC 0, all four interfaces might be down. PR1387701

  • ISSU from Junos OS Release 18.2R1-S1 or 18.2R1-S2 to Release 18.2R1-S3 reports an error status. PR1387947

  • Cluster IDs larger than 10 cause FPCs to remain offline on an SRX4600 chassis cluster. PR1390202

  • The MACsec on a physical port may not initialize properly when a new node is joined to chassis cluster. PR1396020

  • Traffic with domain name address might fail for 3-5 minutes after RG0 failover on SRX platforms. PR1401925

Command-Line Interface (CLI)

  • Display issue in the show usp memory segment shm data module and show jsf shm module vty fwdd commands on branch SRX Series devices. PR1387711

Flow-based and Packet-based Processing

  • Security Logs for unified policies have been improved to correctly reflect the reason for a denied or rejected session. PR1338310

  • A crash occurs when the output interface configured in the X2 mirror filter is down. PR1357347

  • Control traffic loss may be seen on SRX4600 platform. PR1357591

  • Application identification support for HTTP, SMTPS, POP3S, and IMAPS applications. PR1365810

  • SRX1500 devices continuously raise the alarm "FAN Fan Tray 0 Fan 0 Spinning Degraded". PR1367334

  • A 40 percent drop in basic firewall UDP IMIX throughput is observed (20 percent is expected). PR1373019

  • PIM register message might be dropped on SRX Series devices. PR1378295

  • The pkid process might stop after RG0 failover. PR1379348

  • On SRX1500, activity LED (right LED) for 1G/10G port is not on although traffic is passing through that interface. PR1380928

  • An improper message is displayed when the data path debug capture is stopped. PR1381703

  • SRX5600 HA ICAP redirect status flapping on few SPU PICs. PR1382376

  • The flowd/srxpfe process might crash when SSL proxy is used. PR1383655

  • Large file downloads slow down for many seconds. PR1386122

  • Traffic might be processed by the VRRP backup when multiple VRRP groups are configured. PR1386292

  • Traffic might be stopped after session created on SRX4600 platform. PR1388735

  • The SRX Series device does not send "fragmentation needed and DF set" messages back to the source host during path MTU discovery. PR1389428

  • Future group membership updates are not recognized by IUFW after a user's sAMAccountName is changed while its DN remains the same. PR1394049

  • Packet loss might occur on unrelated traffic when AppQoS rate limiter is applied on SRX4600 and SRX5000 Series platform using SPC3. PR1394085

  • The messages "/kernel: tcp_timer_keep:Local(0x80000004:54652) Foreign(0x80000004:33160)" are seen. PR1396584

  • Request to unhide dropped-illegal-packet and dropped-icmp-packet configuration options. PR1394720

  • Switching interface mode between family ethernet-switching and family inet/inet6 might cause traffic loss. PR1394850

  • SRX connection to JIMS keeps flapping causes failover to secondary JIMS. PR1398140

  • On SRX4600 and SRX5000 Series devices, BGP packets might be dropped under high CPU usage. PR1398407

  • VLAN push might not work on SRX1500. PR1398877

  • Increase DAG feed scale number to 256 from 63. PR1399314

  • SRX Series devices cannot be accessed when the message "kern.maxfiles limit exceeded by uid 65534, please see tuning(7)" is seen. PR1402242

  • Downloads may stall and/or completely fail when utilizing services that are reliant on TCP proxy. PR1403412

  • Transit UDP 500/4500 traffic might not pass across SRX5000 series devices when using SPC3/SPC2. PR1403517

  • ISSU failed from 18.3R1.9 to 18.4R1.4. PR1405556

  • The flowd process stops and all cards go offline. PR1406210

  • The RG1 failover does not happen immediately when the SPC3 card crashes. PR1407064

  • IDP signature update fails at RG0 primary node. PR1407603

  • Memory leak if AAMW is enabled. PR1409606

  • The session capacity of the SRX340 does not match that of the SRX345. PR1410801

  • Any traffic originated from the device itself might be dropped in the IPsec tunnel. PR1414509

  • The show security firewall-authentication jims statistics command now outputs statistics for both the primary and the secondary JIMS server. PR1415987

  • Traffic logging shows service-name junos-dhcp-server for UDP destination port 68. PR1417423

General Routing

  • High jsd or na-grpcd CPU usage might be seen even when JET or JTI is not used. PR1398398

  • The authd process might stop when the show network-access requests pending command is issued while authd is restarting. PR1401249

Intrusion Detection and Prevention (IDP)

  • IDP cannot be deployed because the IDP configuration cannot be committed. PR1374079

  • When utilizing unified policies with IDP, under certain circumstances IDP would not inspect arbitrary sessions, marking them as Not Interested within show security idp counters flow. PR1385094

  • Performance drops are seen in SRX345/SRX340 platforms for IDP C2S policy. PR1395592

  • Unable to configure dynamic-attack-group. PR1418754

Interfaces and Routing

  • SRX1500 IPv4 multicast packets might not be broadcasted from the IRB interface. PR1385934

  • On SRX4600 devices, optics diagnostics for 10-Gigabit Ethernet interfaces cannot be accessed. PR1395806

  • 40G/100G ports may take a long time (about 30 seconds) to link up on SRX4600 platform. PR1397210

  • The SRX Series device cannot obtain an IPv6 address through DHCPv6 when using a PPPoE interface with a logical unit number greater than zero. PR1402066

Installation and Upgrade

  • Junos OS Release 18.3R1 cannot be installed through TFTP from the boot loader on SRX300 line devices. PR1390858

J-Web

  • In the J-Web Dashboard, the Security Resources widget did not display absolute values. PR1372826

  • Excluded addresses within J-Web security policy editor were not sufficiently differentiated versus normal addresses. They are now highlighted red for ease of identification. PR1376112

  • In this release, J-Web now supports defining SSL-Proxy and redirect (block page) profiles when a policy contains dynamic applications. PR1376117

  • The chassis image is not shown on the J-Web dashboard. PR1382219

  • J-Web pages do not load after login with a logical-system-specific user. PR1396879

  • The next-hop IP address is not displayed in the routing table in the J-Web. PR1398650

  • Special character used in the pre-shared-key is removed silently after a commit operation on J-Web. PR1399363

  • Configuring using the CLI editor in the J-Web generates an mgd core file. PR1404946

  • The httpd-gk process stops, causing dynamic VPN failures and 100 percent Routing Engine CPU utilization. PR1414642

Layer 2 Ethernet Services

  • DHCPv6 clients might fail to get addresses on SRX platforms. PR1392723

Logical Systems and Tenant Systems

  • Logical system licenses fail to bind to the tenant or logical systems after the device reboots. PR1380144

  • Logical system license. PR1384659

  • Logical system configuration installation fails on node 1 after ISSU from Junos OS Release 18.2R1.9 to Release 18.3R1.8. PR1388336

Network Address Translation (NAT)

  • The SRX might send the noSuchInstance value to SNMP server in get response during commit. PR1357840

  • NAT64 and traceroute do not work correctly on an SRX. PR1376890

  • In SPC3 mixed mode with NAT, the SPC3 generates a core file at ../sysdeps/unix/sysv/linux/raise.c:55. PR1403583

Platform and Infrastructure

  • High httpd utilization after reboot failover. PR1352133

  • Many chassis commands are missing. PR1363645

  • Packet capture feature does not work after removing the sampling configuration. PR1370779

  • IP monitoring failure results in multiple interfaces disappearing from the forwarding table. PR1371500

  • Some error messages could be seen when running show interface extensive command from CLI or Junos Space. PR1380439

  • Traffic loss seen in Layer 2 VPN with GRE tunnel. PR1381740

  • Junos OS upgrade might fail with the validate option after the /cf/var/sw directory is accidentally deleted. PR1384319

  • Login class with allowed days and specific access-start/access-end does not work as expected. PR1389633

  • GW lcore and srxpfe core files are generated at ../src/pfe/usp/rt/applications/ipsec/ipsec_rt_forge_util.c:59 when the Junos OS Release 18.4 image is loaded. PR1392580

  • The flowd process stops if it enters an infinite loop. PR1403276

  • RE CPU utilization is high and eventd is consuming a lot of resources. PR1418444

Routing Policy and Firewall Filters

  • The output of show security policies detail has been modified to improve readability, particularly for unified policies. PR1338307

  • The timeout value of junos-http is incorrect. PR1371041

  • When SSL forward proxy is configured in a unified policy along with the action Reject+Redirect, a block page is not presented to the user for HTTPS sites. PR1375823

  • show security flow session now fully supports the dynamic-application construct. PR1387449

  • The nsd process stops and generates a core file. PR1388719

Services Applications

  • The flowd process stops in icap_redirect_release_profile_server at ../../../../../../../../src/pfe/usp/rt/applications/icap-redirect/icap_redirect_server.c:1513. PR1389600

  • On an SRX5600 chassis cluster with SPC2 cards, ICAP redirect objects remain in use even after TCP sessions are cleared. PR1390835

Unified Threat Management (UTM)

  • The Enhanced Web Filtering server status shows Up when port 443 is specified as the server port. PR1383695

  • Whitelist/Blacklist does not work for HTTPS traffic going through Web proxy. PR1401996

  • UTM Web filtering status shows Down when the server is specified by hostname (routing-instance synchronization failure). PR1421398

VPNs

  • The kmd process might stop when configuring IPsec VPN and BGP on SRX1500 platform. PR1336235

  • Dot usage in CA profile name causes issues when the pkid process is restarted. PR1351727

  • On SPC3, the show security ike sa detail output does not show correct traffic statistics. PR1371638

  • In a rare situation, VPN tunnels may not be configured successfully and the VPN tunnels will not come up. PR1376134

  • Packet loss was seen in IPsec Z-mode scenario. PR1377266

  • The kmd daemon might stop and cause VPN traffic outage after executing show security ipsec next-hop-tunnels. PR1381868

  • Adding or deleting site-to-site manual NHTB VPN tunnels on an existing st0 unit causes the existing manual NHTB VPN tunnels under the same st0 unit to flap. PR1382694

  • After repeated HA failovers, the flowd process might stop if IPsec VPN is configured. PR1386229

  • On SRX5400, SRX5600, SRX5800 devices with SPC3, show security ike security-association detail command does not display local IKE-ID field correctly. PR1388979

  • A few VPN tunnels do not forward traffic after RG1 failover. PR1394427

  • The kmd process might stop when SNMP polls for the IKE SA. PR1397897

  • No syslog message is generated when the IKE gateway rejects a connection with a duplicate IKE ID. PR1404985

  • Not all the tunnels are deleted when authentication algorithm in ipsec proposal is changed. PR1406020

  • Multiple flowd process files are observed with IPsec acceleration with fragmentation traffic. PR1407910

  • Traffic drops on the peer because of a bad SPI after the first reauthentication. PR1412316

Resolved Issues: 18.3R1

Application Layer Gateways (ALGs)

  • On SRX5800 devices, when the IPsec ALG is used, the IPsec tunnel payload is dropped after IKE/IPsec tunnel reestablishment because of a session conflict. PR1372232

  • When the SIP ALG is disabled, existing SIP sessions that were created on the standard port 5060 are affected. PR1373420

  • DNS requests with additional EDNS records might be dropped by the DNS ALG. PR1379433

Class of Service (CoS)

  • Packets go out of order on SPC2 cards when IOC1 or FIOC cards are used. PR1339551

Flow-Based and Packet-Based Processing

  • Using SSH to connect to the loopback interface of the SRX Series device does not work properly when AppTrack is configured. PR1343736

  • SNMP MIB walk provides wrong data counters for total current flow sessions. PR1344352

  • File download stops over a period of time when TCP proxy is activated through antivirus or Juniper Sky ATP. PR1349351

  • When the routing instance is configured, the UTM Anti-Spam:DUT process does not send the DNS query. PR1352906

  • IPsec VPN traffic might drop when passing through the SRX Series device after an IKE rekey. PR1353779

  • IPv6 backup sessions might hang and cannot be cleared after data-plane redundancy groups fail over. PR1354448

  • The PIM register message might stop from the source first-hop router. PR1356241

  • On the SRX5000 line of devices, when the IPsec performance acceleration feature is enabled, packets going in to or out of a VPN tunnel are dropped. PR1357616

  • On the secondary control plane, a multicast session leak is observed when the PIM is registered. PR1360373

Interfaces and Chassis

  • On SRX4600 device, the virtual IP address of the VRRP might not respond to host-inbound traffic. PR1371516

Intrusion Detection and Prevention (IDP)

  • The IDP policy cannot be loaded because of insufficient available heap memory. PR1347821

  • IDP signature update fails on secondary node. PR1358489

J-Web

  • The Dynamic-Application configuration page does not display application signatures properly when you search using the category filter. PR1344165

  • In J-Web you cannot delete dynamic VPN user configuration. PR1348705

  • When J-Web fails to get resource information, the Routing Engine CPU usage shows 100% resource utilization on the J-Web dashboard. PR1351416

  • When you use Internet Explorer version 11, the security policies search button in J-Web does not work. PR1352910

  • J-Web setup wizard does not propagate DHCP attributes from ISP to LAN. PR1370700

Layer 2 Features

  • The dcpfe and fxpc processes might stop on Packet Forwarding Engines with low memory. PR1362332

Layer 2 Ethernet Services

  • The subnet mask is not sent as the reply to a DHCPINFORM message. PR1357291

Network Management and Monitoring

  • With user firewall enabled, eventd core files are generated when an RG0 failover is performed. PR1366120

Platform and Infrastructure

  • VPN is not stable when you perform commits with apply-groups. PR1242757

  • The show chassis environment pem and show chassis power commands show incorrect input voltage. PR1323256

  • On SRX Series devices, the log message "No Port is enabled for FPC# on node0" is generated every 5 seconds. PR1335486

  • On the SRX5000 line of devices, frequent logs are seen when the IOC has the same identifier as the SPC PIC. PR1357913

  • On SRX4100 devices, the interface shows up as half-duplex. PR1358066

  • SCP configuration backup fails even though /var/etc/ssh_known_hosts has the correct fingerprint. PR1359424

Routing Policy and Firewall Filters

  • The flowd process stops after a large number of custom applications are configured. PR1347822

  • On SRX Series devices, the nsd process might stop on the Packet Forwarding Engine with large-scale security policy configuration. PR1354576

  • Dynamic application autocomplete support is not functional within the CLI for the show security match-policies command. PR1363908

  • The timeout value of junos-http is incorrect. PR1371041

  • When a policy references dynamic addresses in the destination-address field and the destination IP address of the traffic is within this dynamic-address pool, the policy does not match this traffic. The issue occurs only for destination address and not for the source address. PR1372921

Routing Protocols

  • When BGP traceoptions are configured and enabled, the traces specific to messages sent to the BGP peer (BGP SEND traces) are not logged, but the traces specific to received messages (BGP RECV traces) are logged correctly. PR1318830

  • The ppmd process might stop during ISSU. PR1347277

  • On SRX1500 devices, dedicated BFD does not work. PR1347662

Unified Threat Management (UTM)

  • The default action of Web filtering does not work as expected. PR1365389

VLAN Infrastructure

  • On SRX Series devices in transparent mode, the flowd process might stop when matching the destination MAC address. PR1355381

VPNs

  • IPsec traffic statistics counters are 32-bit values, which wrap too quickly and might overflow. PR1301688

  • The kmd process might stop if multiple IKE gateways use the same IKE policy. PR1337903

  • On the SRX5000 line of devices in a chassis cluster, control link encryption does not work. PR1347380

  • After a chassis cluster failover, all IPsec tunnels that are in active state are shown as inactive. PR1348767

  • On SRX Series devices, the policy-based IPsec VPN does not forward traffic properly when ingress and egress interfaces are in a virtual router. PR1350123

  • On SRX Series devices in a chassis cluster, configuration commit might succeed even when the external logical interface configuration (reth) associated with the IKE VPN gateway configuration is deleted. This might lead to configuration load failure during the next device bootup. PR1352559

  • Site-to-site tunnels are not redistributed after IKE and IPsec are reactivated in the configuration. PR1354440

  • On SRX5000 line of devices, during the migration from site-to-site VPN to AutoVPN configuration, loss of traffic for some sessions might be observed. PR1362317

Documentation Updates

There are no errata or changes in Junos OS Release 18.3R3 for the SRX Series documentation.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one Junos OS Release to the next release or one release after the next release. For example you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3 and so on.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
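The policy above is a small rule set that is easy to misjudge by hand when a target is several releases away. The following Python example is added here and is not part of the release notes or of any Juniper tooling. It encodes the rules as stated: a direct step is supported when it spans at most three releases, or when both endpoints are EEOL releases and the target is the next or the second-next EEOL release; when no direct step is supported, the planner hops through the farthest EEOL release it can reach directly and repeats. The release ordering, and the assumption that releases after 18.2 are not EEOL, are constructed for illustration only; the EEOL releases named are those the notes list as examples, and the authoritative list is on the Juniper EOL page.

```python
# Added example: plan an upgrade or downgrade path under the EEOL support policy
# described in the release notes. The ordered release list and the EEOL status of
# releases after 18.2 are constructed assumptions for illustration, not Juniper data.

RELEASES = ["15.1X49", "17.3", "17.4", "18.1", "18.2", "18.3", "18.4", "19.1", "19.2"]
EEOL = {"15.1X49", "17.3", "17.4", "18.1", "18.2"}  # EEOL releases named in the notes
MAX_SPAN = 3        # "more than three Junos OS releases at a time is not provided"
MAX_EEOL_HOPS = 2   # EEOL to the next EEOL release, or to the one after that


def direct_allowed(current: str, target: str) -> bool:
    """True if a single upgrade or downgrade step is within the stated policy."""
    i, j = RELEASES.index(current), RELEASES.index(target)
    lo, hi = sorted((i, j))
    if hi - lo <= MAX_SPAN:
        return True
    if current in EEOL and target in EEOL:
        # EEOL-to-EEOL: count the EEOL releases strictly between the endpoints;
        # the target may be at most the second EEOL release in that direction.
        between = sum(1 for r in RELEASES[lo + 1:hi] if r in EEOL)
        return between + 1 <= MAX_EEOL_HOPS
    return False


def plan_path(current: str, target: str) -> list:
    """Return the releases to install in order, hopping via EEOL releases as needed.

    Raises ValueError when no EEOL release is directly reachable on the way, which
    the stated policy does not cover.
    """
    path = [current]
    while not direct_allowed(path[-1], target):
        i, j = RELEASES.index(path[-1]), RELEASES.index(target)
        step = 1 if j > i else -1
        # Releases strictly between the current position and the target, in travel order.
        candidates = RELEASES[i + step:j:step]
        # Intermediate hops must be EEOL releases that are directly reachable from here;
        # take the farthest one so the path stays as short as the policy allows.
        hops = [r for r in candidates if r in EEOL and direct_allowed(path[-1], r)]
        if not hops:
            raise ValueError(
                f"no supported path from {path[-1]} to {target} under the stated policy"
            )
        path.append(hops[-1])
    path.append(target)
    return path


if __name__ == "__main__":
    for src, dst in [("15.1X49", "18.4"), ("18.4", "15.1X49"), ("18.1", "18.3")]:
        print(f"{src} -> {dst}: {' -> '.join(plan_path(src, dst))}")
```

With the constructed list, 15.1X49 to 18.4 spans six releases, so the planner first steps to 18.1 (the farthest EEOL release within three of 15.1X49) and then to 18.4; the reverse downgrade uses the same intermediate hop. Replace RELEASES and EEOL with the current list from the EOL page before using this for a real maintenance window.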

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product.

To determine the features supported on SRX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: https://apps.juniper.net/feature-explorer/