
Junos OS Release Notes for SRX Series

 

These release notes accompany Junos OS Release 18.4R1 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

Note

The SRX5K-SPC3 Services Processing Card was introduced in Junos OS Service Release 18.2R1-S1 and is supported in all subsequent Junos OS Releases. The features and functionalities of the SRX5K-SPC3 card are supported in Junos OS Release 18.4R1. Going forward, future improvements for SRX5K-SPC3 will be included in upcoming Junos OS Maintenance Releases.

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 18.4R1 for the SRX Series devices.

Application Security

  • CLI enhancements to support J-Web (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, the show service application-identification command is enhanced to display applications and application group details in J-Web.

    The show service application-identification command used with the new entries option provides the following functionality:

    • Alphabetical list of application and application group details.

    • Pagination support to limit the number of entries in output.

    • Display of details in a sorted order.

    • Using filters on output columns to search applications easily.

    [See show services application-identification entries.]

  • SSL decryption port mirroring (SRX Series and vSRX)—Junos OS Release 18.4R1 introduces SSL decryption mirroring for SSL forward and reverse proxy. SSL decryption mirroring enables you to forward a copy of SSL decrypted traffic to a configured mirror port on a server that is acting as a traffic collection tool.

    To use the decryption mirroring feature, configure the mirror interface and the MAC address of the port in the SSL proxy profile, and apply the SSL proxy profile as the application service in the security policy. Traffic matching the policy rule is decrypted, and a copy of SSL-decrypted traffic is forwarded to the configured mirror port.

    [See SSL Proxy.]

  • Application path selection based on link preference and priority (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 18.4R1, you can configure Application Quality of Experience (AppQoE) to select an application path based on the link priority and the link type when multiple links are available.

    For application path selection, a list of paths to a specific destination, which meets SLA requirements, is made available. From the list, AppQoE selects a path that matches the configured link preference. Paths are WAN links used for forwarding application traffic. You can select an MPLS or Internet link as the preferred path, and assign a priority from the range 1-255 (value of 1 indicates highest priority).

    [See Application Quality of Experience.]

  • Schedulers support for APBR (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, support for configuring policy schedulers for an advanced policy-based routing (APBR) policy is available. Using a policy scheduler, you can schedule APBR policy execution at a specified time and enforce the policy for a specified duration.

    To use a scheduler for an APBR policy, you must create a scheduler and refer to the scheduler in your APBR policy configuration. The policy scheduler activates and deactivates a policy according to the scheduled time. When the scheduler times out, the associated policy is deactivated.

    [See Advanced Policy-Based Routing.]
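The AppQoE path selection described above (SLA-compliant paths, a preferred link type, and a 1-255 priority where 1 wins) can be modelled in a few lines. This is an added example, not Junos code or Juniper's implementation; the path names, SLA results and the fall-back rule (use any SLA-compliant path when none of the preferred type qualifies) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Junos code): a simplified model of AppQoE path selection.
# Path names, SLA results and the fallback rule are constructed assumptions.


@dataclass
class WanPath:
    name: str
    link_type: str      # "mpls" or "internet"
    priority: int       # 1..255, where 1 is the highest priority
    meets_sla: bool     # outcome of SLA probing (constructed input)


def validate_priority(priority: int) -> int:
    """Enforce the 1-255 priority range stated in the release notes."""
    if not 1 <= priority <= 255:
        raise ValueError(f"priority {priority} is outside the range 1-255")
    return priority


def select_path(paths: List[WanPath], preferred_link: str) -> Optional[WanPath]:
    """Pick the forwarding path for an application.

    1. Keep only paths that currently meet the SLA.
    2. Prefer paths whose link type matches the configured preference.
    3. Among those, take the lowest priority number (1 beats 255).

    Assumption: if no SLA-compliant path of the preferred type exists, fall
    back to any SLA-compliant path rather than dropping the traffic.
    """
    compliant = [p for p in paths if p.meets_sla]
    if not compliant:
        return None
    preferred = [p for p in compliant if p.link_type == preferred_link]
    pool = preferred or compliant
    # Tie-break on name so the choice is deterministic.
    return min(pool, key=lambda p: (validate_priority(p.priority), p.name))


# Constructed sample paths.
SAMPLE_PATHS = [
    WanPath("mpls-a", "mpls", priority=10, meets_sla=True),
    WanPath("mpls-b", "mpls", priority=5, meets_sla=False),   # currently failing SLA
    WanPath("inet-a", "internet", priority=1, meets_sla=True),
    WanPath("inet-b", "internet", priority=3, meets_sla=True),
]


def chosen_name(preferred_link: str, paths: List[WanPath] = SAMPLE_PATHS) -> Optional[str]:
    """Name of the selected path, or None when nothing meets the SLA."""
    chosen = select_path(paths, preferred_link)
    return chosen.name if chosen else None


if __name__ == "__main__":
    for link in ("mpls", "internet"):
        print(f"preferred={link}: {chosen_name(link)}")
```

Note that the higher-priority MPLS path (mpls-b, priority 5) is never chosen while it fails its SLA; priority only orders paths that already meet the SLA.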

Chassis Cluster

  • Chassis cluster resiliency (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, a three-layered model is introduced to detect software and hardware failures that impact chassis cluster performance. Flapping of em0 and control path software or hardware failures are detected and state transitions and failovers are triggered using this model. Following are the three layers:

    • Layer 1: Identifies and detects the components that are causing the failures.

    • Layer 2: Detects the failures that are not detected by Layer 1.

    • Layer 3: Shares the health information of the system between the two nodes over control and fabric links.

    The set chassis cluster health-monitoring command is introduced to enable monitoring the health of the chassis cluster.

    [See Chassis Cluster Resiliency.]

Flow-Based and Packet-Based Processing

  • SRX5K-SPC3 card with flow support in chassis cluster mode (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, the SRX5K-SPC3 and SRX5K-SPC-4-15-320 (SPC2) cards can operate together in a mixed-mode configuration on the SRX5000 line of devices using the same slot number in both nodes. If you are adding the SPC3 SPCs to the SRX5000 devices, you must install the new SPCs in the lowest-numbered slot of any SPC that provides central point functionality. SPC3 interoperates with the SRX5000 I/O cards (IOC2, IOC3), Switch Control Boards (SCB2, SCB3), Routing Engines, and SPC2 cards.

    [See Understanding Flow support on SRX5K-SPC3 Platforms.]

General Packet Radio Service (GPRS)

  • IPv6 support on GTP (SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 18.4R1, GPRS tunneling protocol (GTP) traffic security inspection is supported on IPv6 addresses along with existing IPv4 support. With this enhancement, a GTP tunnel using either IPv4 or IPv6 addresses is established for individual user endpoints (UEs) between a Serving GPRS Support Node (SGSN) in 3G or a Service Gateway (S-GW) and a Gateway GPRS Support Node (GGSN) in 3G or a PDN Gateway (P-GW) in 4G.

    [See GPRS Overview.]

  • Enhancements to GTP-C Tunnel (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, the GTP-C tunnel is enhanced to support tunnel-based session distribution to speed up the tunnel setup process and load-balance the sessions between the SPUs. The GTP-C tunnels and the GTP-C tunnel sessions are distributed by the SGSN tunnel endpoint identifier (TEID) of the tunnel. Use the set security forwarding-process application-services enable-gtpu-distribution command to enable the tunnel-based session distribution where the GTP-C traffic of different tunnels is spread across different SPUs.

    [See GPRS Overview.]

Interfaces and Chassis

  • Support for up and down delay timers on reth interfaces (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, you can configure up and down delay timers for redundant Ethernet (reth) interfaces. The delay timers keep the reth interfaces up or down, respectively, to prevent the routing protocols from reconverging and to avoid loss of traffic during a crash or when links flap.

    On SRX series devices, the default delay timer for down hold-time is 11 seconds, and the default delay timer for up hold-time is 0 seconds. To configure the timers, include the reth 1 hold-time down timer and reth 1 hold-time up timer statements at the [edit interfaces] hierarchy level.

    [See hold-time (Redundant Ethernet Interfaces).]

  • Half-duplex link support (SRX340 and SRX345)—Starting in Junos OS Release 18.4R1, half-duplex mode is supported on SRX340 and SRX345 devices. Half duplex enables bidirectional communication, but signals can flow in only one direction at a time. Full-duplex communication means that both ends of the communication can send and receive signals at the same time. By default, half duplex is configured. If the link partner is set to autonegotiate the link, then the link is autonegotiated to full duplex or half duplex. If the link is not set to autonegotiation, then the link defaults to half duplex unless the interface is explicitly configured for full duplex.

    [See link-mode.]

Intrusion Detection and Protection (IDP)

  • Support for custom time bindings in a time-binding custom attack (SRX Series)—Starting in Junos OS Release 18.4R1, you can configure the maximum time interval between any two instances of a time-binding custom attack. The range for the maximum time interval is 0 minutes and 0 seconds through 60 minutes and 0 seconds. In Junos OS releases before 18.4R1, the maximum time interval between any two instances of a time-binding attack is 60 seconds.

    The interval time-interval statement is introduced at the [edit security idp custom-attack attack-name time-binding] hierarchy to configure a custom time-binding.

    [See Understanding Custom Attack Objects and time-binding.]

  • User visibility improvements for IDP attacks within an IDP Policy (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, you can view and validate the complete set of attacks that are configured for an IDP policy (predefined, dynamic, and custom attacks).

    Use the show security idp attack attack-list policy policy-name command to view the attacks that are configured for an IDP policy.

    [See show security idp attack attack-list policy.]

  • IDP policy rematch (SRX Series)—Starting in Junos OS Release 18.4R1, when a new IDP policy is loaded, the existing sessions are inspected using the newly loaded policy and are not ignored for IDP processing.

    [See IDP Policies Overview.]
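The custom time-binding interval introduced above changes how instances of a time-binding custom attack are grouped: before 18.4R1 the gap between two instances could be at most 60 seconds, now it is configurable from 0m0s to 60m0s. The following added example (not Junos code or Juniper's IDP implementation) models that counting rule so the effect of the interval can be seen on a constructed sequence of signature hits. The per-key run counter, the reset-after-match behaviour and the sample hits are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Added example (not Junos code): a simplified model of the time-binding
# interval check. The counting rule and reset behaviour are assumptions.

MAX_INTERVAL_SECONDS = 60 * 60   # upper end of the range: 60 minutes 0 seconds
LEGACY_INTERVAL_SECONDS = 60     # fixed interval in releases before 18.4R1


def validate_interval(minutes: int, seconds: int) -> int:
    """Convert a minutes/seconds interval to seconds, enforcing 0m0s-60m0s."""
    if minutes < 0 or not 0 <= seconds < 60:
        raise ValueError("minutes must be >= 0 and seconds in 0-59")
    total = minutes * 60 + seconds
    if total > MAX_INTERVAL_SECONDS:
        raise ValueError(f"interval {minutes}m{seconds}s exceeds 60 minutes")
    return total


class TimeBindingMatcher:
    """Track instances of a custom attack per scope key (e.g. source address).

    Assumption: an instance extends the current run only if it arrives within
    `interval_seconds` of the previous instance; otherwise a new run starts.
    The attack matches when a run reaches `count` instances, after which the
    run counter resets.
    """

    def __init__(self, count: int, interval_seconds: int) -> None:
        if count < 1:
            raise ValueError("count must be at least 1")
        self.count = count
        self.interval = interval_seconds
        self._runs: Dict[str, Tuple[Optional[float], int]] = {}  # key -> (last_ts, run_length)

    def observe(self, key: str, ts: float) -> bool:
        last_ts, run = self._runs.get(key, (None, 0))
        run = run + 1 if last_ts is not None and ts - last_ts <= self.interval else 1
        if run >= self.count:
            self._runs[key] = (ts, 0)   # fire and start over
            return True
        self._runs[key] = (ts, run)
        return False


# Constructed sample: three signature hits from one source, 100 s apart.
SAMPLE_HITS: List[Tuple[str, float]] = [("10.0.0.7", 0.0), ("10.0.0.7", 100.0), ("10.0.0.7", 200.0)]


def matches(count: int, interval_seconds: int, hits=SAMPLE_HITS) -> int:
    """Number of time-binding matches the hits produce under the given binding."""
    matcher = TimeBindingMatcher(count, interval_seconds)
    return sum(matcher.observe(key, ts) for key, ts in hits)


if __name__ == "__main__":
    print("legacy 60 s interval :", matches(3, LEGACY_INTERVAL_SECONDS))    # 0
    print("10 m interval        :", matches(3, validate_interval(10, 0)))   # 1
```

With the fixed 60-second gap of earlier releases, hits spaced 100 seconds apart never accumulate; with a 10-minute interval the same three hits produce one match, which is the slow-rate behaviour the wider range is meant to catch.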

Logical Systems and Tenant Systems

  • Starting in Junos OS Release 18.4R1, the following features that are supported on the logical systems are now extended to tenant systems:

    • Dynamic address support for tenant systems (SRX Series)—Starting in Junos OS Release 18.4R1, the tenant system user can create dynamic address entries within a tenant system. A dynamic address entry contains IP ranges extracted from external sources. The security policies use the dynamic address in the source-address or destination-address field. The tenant system administrator can view the dynamic address information, including name, feeds, properties, and number of IPv4 and IPv6 entries for tenant systems, by using the show security dynamic-address command.

      [See Security Policies for Tenant Systems.]

    • DHCP support for tenant systems (SRX Series)—Starting in Junos OS Release 18.4R1, DHCP provides support for DHCP clients, DHCP relay agents, and IPv6 dynamic servers for prefix delegation for tenant systems. The DHCP relay agent operates as the interface between DHCP clients and IPv6 dynamic server for tenant systems, and also relays DHCP messages between DHCP clients and DHCP servers on different IP address networks.

      [See DHCP for Tenant Systems.]

    • SRX5K-SPC3 card support for tenant systems (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, support for the SRX5K-SPC3 services processing card is introduced for tenant systems.

      [See Tenant Systems Overview.]

    • Application firewall support on tenant systems (SRX Series)—Starting in Junos OS Release 18.4R1, the tenant system administrator can configure the application firewall profile, trace options, and resources appfw-rule-set and appfw-rule in a tenant system. The application firewall rules can be reordered using the command insert tenants tenant-id security application-firewall rule-sets ruleset-name rule rule-name1 after rule rule-name2.

      Application firewall is a group of fine-grained application control policies to allow or deny the traffic based on the dynamic application name or the group names. It enhances security policy creation and enforcement based on the applications rather than traditional port and protocol analysis.

      [See Application Firewall Services for Tenant Systems.]

    • Interfaces support enhancement on tenant systems (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, support for interfaces is enhanced on tenant systems with the following changes:

      • You can configure an interface in the tenant system similar to how you configure an interface in a logical system.

      • All types of interfaces that can be configured in a logical system can also be configured in a tenant system.

      • All the interfaces that are configured in a tenant system are associated with the routing instance configured for that tenant system.

      [See Tenant Systems Overview.]

Network Management and Monitoring

  • RPM probe enhancement (SRX Series)—Starting in Junos OS Release 18.4R1, if the result of a probe or test exceeds the packet loss threshold, the real-time performance monitoring (RPM) test probe is marked as failed. The test probe also fails when the round-trip time (RTT) exceeds the configured threshold (range: 0 through 60000000 ms). As a result, the device generates an SNMP notification (trap) and marks the RPM test as failed.

    RPM allows you to perform service-level monitoring. When RPM is configured on a device, the device calculates network performance based on packet response time, jitter, and packet loss.

    [See RPM Overview.]

  • SNMP support for monitoring the 4G LTE Mini-Physical Interface Module (Mini-PIM) status (SRX300, SRX320, SRX340, SRX345, and SRX550M)—Starting in Junos OS Release 18.4R1, you can monitor 4G LTE Mini-PIM status by using SNMP remote network management.

    You can use the following commands to monitor the 4G LTE Mini-PIM status:

    show snmp mib walk ascii jnxWirelessWANNetworkInfoTable

    show snmp mib walk ascii jnxWirelessWANFirmwareInfoTable

    In previous releases, the show modem wireless network interface interface-name and show modem wireless firmware interface interface-name commands were used to check the 4G LTE Mini-PIM status.

    [See Enterprise-Specific SNMP MIBs Supported by Junos OS.]
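The RPM probe enhancement above marks a test as failed on either of two conditions: the packet-loss threshold is exceeded, or a probe RTT exceeds the configured RTT threshold (0 through 60000000 ms). The following added example (not Junos code or the device's RPM implementation) evaluates constructed probe results against both thresholds and renders a notification line for failed tests; the notification text layout and the per-test jitter calculation are assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Added example (not Junos code): a model of RPM test evaluation. Probe
# results are constructed; the notification text format is an assumption.

RTT_THRESHOLD_MIN_MS = 0
RTT_THRESHOLD_MAX_MS = 60_000_000   # range stated in the release notes


@dataclass
class RpmThresholds:
    packet_loss_percent: float
    rtt_ms: int

    def __post_init__(self) -> None:
        if not RTT_THRESHOLD_MIN_MS <= self.rtt_ms <= RTT_THRESHOLD_MAX_MS:
            raise ValueError(f"rtt threshold {self.rtt_ms} ms outside 0-60000000 ms")
        if not 0 <= self.packet_loss_percent <= 100:
            raise ValueError("packet loss threshold must be a percentage")


def evaluate_test(probe_rtts_ms: List[Optional[float]], thresholds: RpmThresholds) -> Dict:
    """Evaluate one RPM test; None in the list means the probe got no response."""
    sent = len(probe_rtts_ms)
    if sent == 0:
        raise ValueError("a test needs at least one probe")
    received = [r for r in probe_rtts_ms if r is not None]
    lost = sent - len(received)
    loss_percent = 100.0 * lost / sent
    reasons = []
    if loss_percent > thresholds.packet_loss_percent:
        reasons.append("packet-loss-threshold")
    if any(r > thresholds.rtt_ms for r in received):
        reasons.append("rtt-threshold")
    # Jitter here is simplified to the RTT spread within the test.
    jitter_ms = max(received) - min(received) if len(received) >= 2 else 0.0
    return {
        "sent": sent, "lost": lost, "loss_percent": loss_percent,
        "avg_rtt_ms": mean(received) if received else None,
        "jitter_ms": jitter_ms, "failed": bool(reasons), "reasons": reasons,
    }


def trap_for(result: Dict, owner: str, test: str) -> Optional[str]:
    """Render the notification a monitoring pipeline would emit for a failed
    test. The text layout is constructed for this example, not the real trap."""
    if not result["failed"]:
        return None
    return f"RPM test failed owner={owner} test={test} reasons={','.join(result['reasons'])}"


# Constructed probe results (RTT in ms, None = lost) for two tests.
LOSSY_TEST = [10.0, 12.0, None, 11.0, 14.0]
SLOW_TEST = [10.0, 12.0, 11.0, 90.0]
DEFAULT_THRESHOLDS = RpmThresholds(packet_loss_percent=10.0, rtt_ms=50)

if __name__ == "__main__":
    for name, probes in (("lossy", LOSSY_TEST), ("slow", SLOW_TEST)):
        result = evaluate_test(probes, DEFAULT_THRESHOLDS)
        print(name, result["failed"], result["reasons"], trap_for(result, "ops", name))
```

The two sample tests fail for different reasons: the first loses one probe in five (20 percent, above the 10 percent threshold) while every RTT is fine, the second loses nothing but one probe exceeds the 50 ms RTT threshold.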

Routing Protocols

  • ARP policer support to protect Routing Engine (SRX Series)—Starting in Junos OS Release 18.4R1, you can apply policers on Address Resolution Protocol (ARP) traffic on SRX Series devices. You can configure rate limiting for the policer by specifying the bandwidth and the burst-size limit. Packets exceeding the policer limits are discarded.

    The traffic to the Routing Engine is controlled by applying the policer on ARP traffic. Using policers helps prevent network congestion caused by broadcast storms.

    [See ARP Policer Overview.]
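The ARP policer above is a classic token-bucket rate limit: bandwidth sets the sustained rate, burst-size sets the bucket depth, and frames that do not fit are discarded before they reach the Routing Engine. The following added example (not Junos code or the device's policer implementation) applies such a bucket to ARP frames only and reports what a constructed broadcast storm does to it; the 8000 bps / 200-byte numbers, frame sizes and timestamps are constructed for illustration.

```python
from typing import Dict, Iterable, Optional, Tuple

# Added example (not Junos code): a token-bucket policer applied only to ARP
# frames. The rate, burst size, frame sizes and timestamps are constructed.

ETHERTYPE_ARP = 0x0806


class TokenBucketPolicer:
    """bandwidth in bits per second, burst_size in bytes (bucket depth)."""

    def __init__(self, bandwidth_bps: int, burst_size_bytes: int) -> None:
        if bandwidth_bps <= 0 or burst_size_bytes <= 0:
            raise ValueError("bandwidth and burst size must be positive")
        self.bytes_per_second = bandwidth_bps / 8.0
        self.burst = float(burst_size_bytes)
        self.tokens = self.burst          # bucket starts full
        self.last_ts: Optional[float] = None

    def admit(self, length: int, now: float) -> bool:
        """Return True if the frame fits the budget, False if it must be discarded."""
        if self.last_ts is not None:
            if now < self.last_ts:
                raise ValueError("timestamps must be non-decreasing")
            refill = (now - self.last_ts) * self.bytes_per_second
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_ts = now
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False


def police_frames(frames: Iterable[Tuple[float, int, int]], policer: TokenBucketPolicer) -> Dict[str, int]:
    """frames: (timestamp_s, ethertype, length_bytes). Only ARP is policed;
    other traffic destined to the Routing Engine is passed untouched here."""
    stats = {"arp_accepted": 0, "arp_discarded": 0, "other_passed": 0}
    for ts, ethertype, length in frames:
        if ethertype != ETHERTYPE_ARP:
            stats["other_passed"] += 1
        elif policer.admit(length, ts):
            stats["arp_accepted"] += 1
        else:
            stats["arp_discarded"] += 1
    return stats


# Constructed burst: ten 60-byte ARP frames at t=0 (a broadcast storm), one
# IPv4 frame, then three more ARP frames 100 ms later.
SAMPLE_FRAMES = (
    [(0.0, ETHERTYPE_ARP, 60)] * 10
    + [(0.05, 0x0800, 1500)]
    + [(0.1, ETHERTYPE_ARP, 60)] * 3
)


def run_sample() -> Dict[str, int]:
    # 8000 bps = 1000 bytes/s sustained with a 200-byte burst: three frames
    # fit at t=0, 100 ms refills 100 bytes, so two more fit at t=0.1.
    policer = TokenBucketPolicer(bandwidth_bps=8000, burst_size_bytes=200)
    return police_frames(SAMPLE_FRAMES, policer)


if __name__ == "__main__":
    print(run_sample())
```

The storm at t=0 is cut to the burst allowance, and afterwards only the refill rate gets through, which is exactly the bounded load the feature is meant to impose on the Routing Engine.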

Security

  • New operational commands for security policy configuration (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, the following operational commands are introduced:

    • show security policies information

    • show security policies checksum

    • request security policies check

    • request security policies resync

    The show security policies information command provides detailed information about the policies configured on SRX Series devices and on vSRX. The show security policies checksum, request security policies check, and request security policies resync commands are used to synchronize security policies between the Routing Engine and the Packet Forwarding Engine.

    [See show security policies information, show security policies checksum, request security policies check, and request security policies resync.]

  • URL category-based security with unified policies (SRX Series)—Starting from Junos OS Release 18.4R1, the unified policies feature is enhanced to include URL categories as match criteria for traffic flowing through the firewall. The URL category for Web filtering enables redirecting the traffic based on configured URL Category policy for further processing on the SRX Series devices. URL categories can be configured for unified policies with or without dynamic-application applied.

    A URL category can be configured as url-category any and url-category none. If url-category is not configured, the functionality is similar to url-category none.

    [See Configuring Unified Security Policies.]

Software Licensing

  • Support to stop log messages on throughput overuse (SRX4100)—Starting with Junos OS Release 18.4R1, the enhanced performance upgrade license is required to stop the log messages that are generated if the Internet mix (IMIX) throughput exceeds 20 Gbps and 7 Mpps on the SRX4100 device.

    [See Log File Sample Content.]

UTM

  • Avira scan engine support on antivirus module (SRX1500, SRX4100, SRX4200, and SRX4600)—Starting in Junos OS Release 18.4R1, SRX Series devices support an on-device antivirus scan engine. The on-device scan engine Avira scans the data by accessing the virus pattern database. The antivirus scan engine is provided as a UTM module that you can download and install on your SRX Series device either manually (using the request security utm anti-virus avira-engine command) or by using the Internet to connect to a Juniper Networks-hosted URL or a user-hosted URL.

    [See On-Device Antivirus Scan Engine.]

VPN

  • Port-mirrored traffic support on an IPsec interface (SRX Series)—Starting in Junos OS Release 18.4R1, if the output X2 interface of a mirror filter is configured for an st0 interface to filter traffic that you want to analyze, the packet is duplicated and encrypted by the IPsec tunnel bound to the st0 interface. This enhancement supports SRX Series devices in sending traffic mirrored from a port on an IPsec tunnel.

    [See Monitoring X2 Traffic.]

  • PowerMode IPsec (SRX4100 and SRX4200)—Starting in Junos OS Release 18.4R1, PowerMode IPsec (PMI) is a new mode of operation that provides IPsec performance improvements using Vector Packet Processing (VPP) and Intel AES-NI instructions. PMI utilizes a small software block inside the Packet Forwarding Engine that bypasses flow processing and utilizes the AES-NI instruction set for optimized performance of IPsec processing.

    You can enable PMI processing by using the set security flow power-mode-ipsec command.

    The following features are supported with PMI:

    • Auto Discovery VPN (ADVPN)

    • Internet Key Exchange (IKE) functionality

    • AutoVPN

    • High availability

    • IPv6

    • Stateful firewall

    • st0 interface

    • Traffic selectors

    [See Understanding PowerMode IPsec.]

  • SRX5K-SPC-4-15-320 (SPC2) and SRX5K-SPC3 (SPC3) support for IPsec VPN (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, all IPsec VPN features that were previously supported only on SPC3 (model number: SRX5K-SPC3) are now supported on both SPC2 (model number: SRX5K-SPC-4-15-320) and SPC3 installed in the SRX5000 line of devices operating in chassis cluster mode or in standalone mode.

    [See Understanding VPN Support for Inserting Services Processing Cards.]

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 18.4R1 for the SRX Series.

Application Security

  • Changes to show security advance-policy-based-routing statistics command—Starting from Junos OS Release 18.4R1, the AppID Requested, Rule matches, and AppID cache hits options are deprecated in the show security advance-policy-based-routing statistics command.

    The new options App rule hit on cache hit, URL cat rule hit on cache hit, App rule hit midstream, and URL cat rule hit midstream are included to provide the details shown in Table 4:

    Table 4: show security advance-policy-based-routing statistics

    Field Name                      Field Description
    App rule hit on cache hit       The number of times a rule with a matching entry in the application system cache (ASC) is found.
    URL cat rule hit on cache hit   The number of times a rule with defined URL categories is matched.
    App rule hit midstream          The number of times a route is changed in the middle of a session because a rule with a defined application is matched.
    URL cat rule hit midstream      The number of times a route is changed in the middle of a session because a rule with defined URL categories is matched.

    The modified show security advance-policy-based-routing statistics command provides the output as shown in the following sample:

    user@host> show security advance-policy-based-routing statistics

Chassis Cluster

  • Chassis cluster information detail operational command (SRX Series)—Starting in Junos OS Release 18.4R1, use the show chassis cluster information detail command to view the chassis cluster information details for each node.

    [See show chassis cluster information.]

Flow-Based and Packet-Based Processing

  • New configuration options for flow configuration—Starting from Junos OS Release 18.4R1, the log dropped-illegal-packet and log dropped-icmp-packet options are introduced under the [edit security flow] hierarchy level.

    [See flow (Security Flow).]

  • Multiple collector support for J-Flow version 9 (SRX Series)—Starting in Junos OS Release 18.4R1, for J-Flow version 9, up to four collectors can be configured under family inet, and the PFE exports the flow record, flow record template, option data, and option data template packets to all configured collectors. Before this release, only one collector could be configured under family inet and inet6.

Installation and Upgrade

  • Autoinstallation support (SRX1500)—Starting in Junos OS Release 18.4R1, SRX1500 devices support autoinstallation to automate the configuration process for loading configuration files onto new or existing devices automatically over the network. Use the CLI Editor in configuration mode to configure the device for autoinstallation. The factory-default setting has been changed to support autoinstallation.

    [See Configuring Autoinstallation on an SRX1500 Device.]

Network Management and Monitoring

  • The NETCONF server omits warnings in RPC replies when the rfc-compliant statement is configured and the operation returns <ok/> (SRX Series)—Starting in Junos OS Release 18.4R1, when you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level to enforce certain behaviors by the NETCONF server, the server must not return an RPC reply that encloses both an <rpc-error> element and an <ok/> element. If the operation is successful, but the server reply would enclose one or more <rpc-error> elements of severity warning in addition to the <ok/> element, then the warnings are omitted. In earlier releases, or when the rfc-compliant statement is not configured, the NETCONF server might issue an RPC reply that encloses both an <rpc-error> element of severity warning and an <ok/> element.

  • SSHD process authentication logs timestamp (SRX Series)—Starting in Junos OS Release 18.4R1, the SSHD process authentication logs use only the time zone defined in the system time zone. In the earlier releases, the SSHD process authentication logs sometimes used the system time zone and the UTC time zone.

    [See Overview of Junos OS System Log Messages.]
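The NETCONF change above is easy to check from the client side: RFC 6241 allows a reply to carry either <ok/> or <rpc-error> elements, never both, and with rfc-compliant configured the 18.4R1 server drops warning-severity errors from a successful reply so that rule holds. The following added example (not Junos code or the Junos NETCONF server) classifies a reply, flags the non-compliant combination, and applies the documented normalization to a constructed legacy-style reply; the reply text and its warning message are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Added example (not Junos code): inspecting a NETCONF <rpc-reply> for an
# <rpc-error> alongside <ok/> and applying the documented rfc-compliant
# normalization. The reply below is constructed.

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
ET.register_namespace("", NC)


def _q(tag: str) -> str:
    """Qualify a tag with the NETCONF base namespace."""
    return f"{{{NC}}}{tag}"


def classify_reply(xml_text: str) -> Tuple[bool, List[str]]:
    """Return (has_ok, [severity of each rpc-error])."""
    root = ET.fromstring(xml_text)
    has_ok = root.find(_q("ok")) is not None
    severities = [err.findtext(_q("error-severity"), "").strip()
                  for err in root.findall(_q("rpc-error"))]
    return has_ok, severities


def is_rfc_compliant_reply(xml_text: str) -> bool:
    """RFC 6241 replies carry either <ok/> or <rpc-error>, never both."""
    has_ok, severities = classify_reply(xml_text)
    return not (has_ok and severities)


def normalize_reply(xml_text: str, rfc_compliant: bool) -> str:
    """Model the 18.4R1 behaviour: with rfc-compliant set and a successful
    operation, warnings are dropped so <ok/> is returned alone. Without the
    statement, the reply is passed through unchanged. Errors of severity
    'error' are never dropped."""
    if not rfc_compliant:
        return xml_text
    root = ET.fromstring(xml_text)
    if root.find(_q("ok")) is None:
        return xml_text
    for err in list(root.findall(_q("rpc-error"))):
        if err.findtext(_q("error-severity"), "").strip() == "warning":
            root.remove(err)
    return ET.tostring(root, encoding="unicode")


# Constructed legacy-style reply: a warning plus <ok/> in the same message.
LEGACY_REPLY = f"""<rpc-reply xmlns="{NC}" message-id="101">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>warning</error-severity>
    <error-message>constructed warning: statement has no effect</error-message>
  </rpc-error>
  <ok/>
</rpc-reply>"""

if __name__ == "__main__":
    print("legacy reply compliant?    ", is_rfc_compliant_reply(LEGACY_REPLY))
    fixed = normalize_reply(LEGACY_REPLY, rfc_compliant=True)
    print("normalized reply compliant?", is_rfc_compliant_reply(fixed))
```

A client that strictly parses replies (for example one that treats any <rpc-error> as failure) is exactly the consumer this behaviour change helps; the check above is a quick way to confirm which behaviour a given server is exhibiting.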

UTM

  • Security log message enhancement (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, the security log information is enhanced to include the source zone and destination zone for the Web filtering, content filtering, antispam filtering, and antivirus features of UTM.

    [See Understanding Unified Policies [Unified Threat Management (UTM)].]

  • UTM default policy enhancement (SRX1500 and vSRX)—Starting with Junos OS Release 18.4R1, on SRX1500 Services Gateways and vSRX instances, the maximum number of UTM policies, profiles, MIME patterns, filename extensions, custom messages, and protocol commands is increased from 500 to 1500. The maximum number of custom URL patterns and custom URL categories is increased from 1000 to 3000.

    [See UTM Overview.]

  • Antivirus profiles enhancement (SRX Series)—Starting in Junos OS Release 18.4R1, you can create a common antivirus profile for different antivirus types. While you are creating a UTM policy for an antivirus profile, the UTM policy configuration page provides common antivirus profile selection fields for each supported protocol.

    In Junos OS Release 18.3R1 and earlier releases, separate antivirus profiles are created for every antivirus protocol. While you are creating a UTM policy for an antivirus profile, the UTM policy configuration page provides separate antivirus profile selection fields for every supported protocol.

    [See Full Antivirus Protection.]

Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 18.4R1 for the SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Firewall

  • On SRX1500 devices, the application firewall HTTP Cyber Physical System (CPS) traffic drop is observed and the sessions are bypassed. PR1339131

Chassis Clustering

  • On SRX4600 devices, the dedicated Chassis Cluster fabric ports are not available. Instead, any 40G or 10G traffic ports can be used as chassis cluster fabric ports.

Interfaces and Chassis

  • On SRX4600 devices, a USB flash drive is not available to Junos OS. However, the USB flash drive is available with full access to the host OS (Linux), and the USB flash drive is still used in the booting process (install and recovery functions). PR1283618

  • The USB flash drive stops working if it is removed while it is in the initialization state. To avoid this issue, wait a few seconds before removing it. PR1332360

J-Web

  • The CLI Terminal does not work in Java version 1.8 because of a security restriction in running the applet. PR1341956

Unified Threat Management (UTM)

  • From Junos OS Release 18.3 onward, categories in the APBR module based on destination IP address are supported. Category classification occurs and the APBR action takes place. UTM Web filtering provides information about the category to the APBR module for the matched and received destination IP addresses. But currently, there is a Web filtering limitation: category classification is inaccurate for IP addresses and leads to a non-APBR route. PR1365931

  • To make the APBR custom category work, execute the set security utm feature-profile web-filtering juniper-local profile h1 category custom action permit CLI command. PR1366528

VPN

  • On an existing tunnel, if the DPD values are changed, then they are not applied until rekeying for that tunnel happens. PR1375963

  • When multiple traffic selectors are configured on a particular VPN, the iked process checks for a maximum of 1 DPD probe that is sent to the peer for the configured DPD interval. The DPD probe will be sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 18.4R1 for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • On SRX Series devices, when the SSL forward proxy is configured for HTTPS websites, the application firewall fails to block the message and redirect it to the URL. PR1356483

  • The authorization request does not trigger the router to send RADIUS REQUEST messages. PR1366002

Chassis Clustering

  • On an SRX4600 device in a chassis cluster, if four 100-Gigabit Ethernet interfaces are configured on PIC 0, all four interfaces are down after a reboot. PR1387701

  • On an SRX4600 device in a chassis cluster, rebooting the backup node might cause the flowd process to generate core files on the primary node. PR1392580

Flow-Based and Packet-Based Processing

  • On SRX Series devices, packet-forwarding traffic is stopped when a transient memory parity error is observed on an MPC Endpoint Mapper (EPM) port-group wedge. PR1220019

  • On an SRX4600 device, when the next hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725

  • On SRX Series devices, the flowd process generates core files when the SSL RTLOG logs are transferred through the secure channel. PR1345578

  • On an SRX1500 device, the Virtual Router Redundancy Protocol (VRRP) on the physical interface might stop working if the switching mode is configured at the global level. PR1351755

  • The flowd process generates a core file when the SIP ALG is enabled. PR1352416

  • On SRX Series devices, the encrypted HTTP, SMTP, IMAP, and POP3 applications over SSL are identified as HTTPS, SMTPS, IMAPS, and POP3S, respectively. You need to configure a policy each for junos:HTTPS, junos:SMTPS, junos:IMAPS, and junos:POP3S to allow the encrypted traffic. PR1365810

  • When the flow traceoptions with filters are enabled, you can see the logs of other sessions although they are not configured. PR1367124

  • On SRX Series devices, traffic identification might fail and unidentified traffic might pass through the device when the AppID feature is used. PR1357093

  • If the interface is configured to a root system or zone under a tenant, the interfaces that are configured by other tenants are listed with a question mark. PR1370255

  • On SRX Series devices, the Security Log Event Details window size is increased to display all the relevant information about the event. PR1373357

  • Under stress TCP traffic, sessions that have been invalid for more than 48 hours expire. PR1383139

  • On SRX1500 devices, the IPv4 multicast packets might not be able to broadcast from the IRB interface. PR1385934

  • On SRX Series devices, the srxpfe process crashes and generates core files when SSL proxy is used. PR1383655

  • The SRX320 device might trigger traffic flow while acting as the VRRP backup device, with the Layer 2 link between the devices forwarding the VRRP protocol message. PR1386292

  • On SRX Series devices with the integrated user firewall, the group membership changes are not processed correctly after the user changes the value of the sAMAccountName attribute. PR1394049

  • On SRX4600, SRX5400, SRX5600, and SRX5800 devices using the SPC3, when the AppQoS rate limiter is configured to specific traffic, packet loss occurs on unrelated traffic until reboot. PR1394085

  • On SRX5400, SRX5600, and SRX5800 devices using the SPC3, IPsec tunnels passing through the SRX device do not work, because IKE packets with certain source and destination IP address combinations are dropped. PR1403517

J-Web

  • On SRX Series devices, DHCP relay configuration under the Configure > Services > DHCP > DHCP Relay page is removed from J-Web. The same DHCP relay can be configured using the CLI. PR1205911

  • On SRX Series devices, DHCP client bindings under Monitor are removed. The same bindings can be seen in the CLI by using the show dhcp client binding command. PR1205915

Platform and Infrastructure

  • On SRX5400, SRX5600, and SRX5800 devices, when the control link is down, the secondary node becomes ineligible and then goes into the disabled state. But the FPCs restart continuously after the node goes to the disabled state although the FPCs should remain offline until they are rebooted. PR1170024

  • On the SRX5000 line of devices, the em interface goes down, the control link connection is lost, and the SRX Series chassis cluster goes into abnormal state. PR1342362

  • On SRX Series devices, when the software upgrade is executed from Junos OS Release 15.1X49-D125 to Junos OS Release 17.4X1, multiple flowd process core files are generated. PR1363314

  • On SRX4600 devices, the show chassis fan and show chassis environment commands do not display any output. PR1363645

  • The show interface extensive command displays the uspipc server fail message ifext_uspipc_connect_and_send_to_pfe: send to pfe xxxxxxxx failed. PR1380439

  • On SRX Series devices, the login class with allowed days and specific access start and end date might not work correctly. PR1389633

Routing Policy and Firewall Filters

  • When the SSL forward proxy is configured in the unified policy with the Reject+Redirect action, a block of the Web page is not presented for HTTPS sites. PR1375823

Routing Protocols

  • On SRX Series devices, RIP is supported in packet-to-packet DC mode on st0 interfaces. PR1141817

Unified Threat Management (UTM)

  • UTM logs include source and destination zone information. PR1326271

  • A warning message is displayed if the Juniper enhanced server port is configured as non-80. PR1383695

VPNs

  • On SRX Series devices, in case multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector rekeys at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. New negotiation of those traffic selectors might be triggered through other mechanisms such as traffic or peer. PR1287168

  • On SRX1500 devices, when the IPsec VPN and BGP are configured simultaneously, the kmd process might crash and all the VPN tunnels are disconnected. PR1336235

  • During an RG0 failover in ISSU, when you use the rekeys, the iked process generates core files. PR1340973

  • If a period (.) is present in the CA profile name, the pkid process might have issues if it is restarted at any point. PR1351727

  • The kmd process might stop when SNMP polls for Internet Key Exchange (IKE). PR1397897

Resolved Issues

This section lists the issues fixed in hardware and software in Junos OS Release 18.4R1 for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues

Application Layer Gateways (ALGs)

  • When the IPsec ALG is used, the IPsec tunnel payload is dropped after the IKE or IPsec tunnel reestablishment because of a session conflict. PR1372232

  • If the SIP ALG is disabled, the SIP active sessions are affected. PR1373420

  • Sun RPC data traffic for previously established ALG sessions might be dropped because it matches the gate that contains old interface information. PR1387895

  • A flowd process might generate core files when cross-tenant ALG traffic is sent. PR1388658

  • DNS requests with the EDNS (extension mechanisms for DNS) option might be dropped by the DNS ALG. PR1379433

Chassis Cluster

  • On SRX340 and SRX345 devices, half-duplex mode is not supported because the BCM53426 SoC does not support it: in the BCM5342X SoC port configurations, the BCM53426 has no QSGMII interface, and only QSGMII ports support half-duplex mode. PR1149904

  • On an SRX4600 device with chassis cluster enabled, when a failover occurs the dedicated fabric link is down. PR1365969

  • The device in chassis cluster might be unresponsive if IP monitoring is enabled. PR1366958

  • The show chassis environment fpc # command, which is used to display the FPC voltage, is enhanced to show the current and power consumption for an SPC3. PR1368507

  • On SRX Series devices in chassis cluster, the minor alarm Potential slow peers are: FWDD0 XDPC1 XDPC8 FWDD1 is observed, which can be ignored. PR1371222

  • Multiple flowd process core files are seen on node 1 after an RG0 failover. PR1372761

  • Traffic loss occurs when the primary node is rebooting. PR1372862

  • On SRX Series devices in chassis cluster, if reroute occurs on the IPv4 wings of a NAT64 or NAT46 session, the active node sends RTO message to the backup session to update the rerouted interface. PR1379305

  • On SRX4600 devices in a chassis cluster, the FPCs go offline if the chassis cluster IDs are more than 10. PR1390202

Class of Service (CoS)

  • When the host-outbound-traffic statement is configured in class of service (CoS), the device stops working when a corrupted packet arrives on the Packet Forwarding Engine. PR1359767

Command-Line Interface (CLI)

  • The following CLI command outputs are not displayed correctly: show usp memory segment shm data module and show jsf shm module. PR1387711

Flow-Based and Packet-Based Processing

  • On SRX320, SRX340, and SRX550 devices, the rpd process stops when you configure the auto-bandwidth option under the MPLS label-switched path (LSP). PR1331164

  • The security logs for unified policies are improved to reflect the reason for a denied or rejected session. PR1338310

  • The IPsec replay error for Z-mode traffic is observed. PR1349724

  • When the output interface configured in the X2 mirrored filter is down, the flowd process might stop. PR1357347

  • On SRX4200 and SRX4600 devices, when the device is being rebooted or powered on, control traffic loss is observed. PR1357591

  • IDP inline-tap mode is not supported and configuration for SPC3 must be disabled. PR1359591

  • Use of syslog is deprecated; use ERRMSG for the relevant messages. PR1360274

  • On the secondary control plane, a multicast session leak is observed for the PIM register. PR1360373

  • The application layer protocol negotiation (ALPN) fails because the SSL proxy removes the ALPN extensions from the TLS packets. PR1360820

  • On the SRX550M device, traffic might be duplicated and forwarded to the wrong interface. PR1362514

  • The show services application-identification statistics applications command displays the application-system-cache error message. PR1363033

  • On SRX Series devices, application identification (AppID) is supported for HTTP, SMTPS, POP3S, and IMAPS protocols. PR1365810

  • When RG0 failover occurs, the flowd process generates core files. PR1366122

  • The request services user-identification authentication-table delete authentication-source command output displays incorrect results. PR1366767

  • On SRX Series devices, when AppQoE is enabled and the traffic starts flowing, the flowd process might stop. PR1367599

  • On an SRX1500 device with Junos OS Release 15.1X49-D140, the srxpfe process might not work. PR1370900

  • The device under test (DUT) sends incorrect rejection code when the destination device is not reachable. PR1371115

  • The SPC3 core file size is larger than the SPC1 and SPC2 core files. PR1371447

  • On SRX4100 and SRX4200 devices, the UDP IMIX throughput is decreased. PR1373019

  • In chassis cluster mode with the IPsec tunnel configured, packet loss is observed when the clear-text packets are processed. PR1373161

  • Using the SPC3 improves the performance of the unified policies. PR1374231

  • A summary option for the show system security-profile assignment command is added to provide summary of security profile assignment for the entire device. PR1376990

  • The SPC3 card can be installed in any slot except slot 0, slot 1, and slot 11. PR1378178

  • On SRX Series devices working in a PIM sparse mode, and located between a first-hop router and a rendezvous point (RP), if a PIM control session is created through the PIM register stop message, only the next PIM register message can be forwarded, and after this first message, the subsequent PIM register messages (also matching the PIM control session above) are wrongly dropped. PR1378295

  • When the datapath-debug capture is stopped, incorrect error message is displayed. PR1381703

  • On an SRX5600 device in a chassis cluster, if respmod is enabled for ICAP, the connection with the ICAP server might reset automatically. PR1382376

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, during path MTU discovery, the control engine does not receive the frag needed and DF set message. PR1389428

  • The set security flow log dropped-illegal-packet and set security flow log dropped-icmp-packet CLI commands are unhidden. PR1394720

  • On SRX Series devices, the active flow monitoring does not work for multiple collectors. PR1396482

Interfaces and Chassis

  • The virtual IP address of the Virtual Router Redundancy Protocol (VRRP) might not respond to the host-inbound traffic. PR1371516

Intrusion Detection and Prevention (IDP)

  • The IDP might not be deployed because the IDP configuration cannot be committed. PR1374079

  • The unified policies configured with IDP might not inspect the arbitrary sessions, and are marked as Not Interested within the show security idp counters flow command. PR1385094

J-Web

  • The PPPoE interface pp0 is not displayed on the J-Web's Interfaces > Port page. PR1316328

  • The dynamic application configuration page in J-Web does not display application signatures in the result if the signatures are searched by category field. PR1344165

  • The J-Web setup does not populate the DHCP attributes. PR1370700

  • The chassis cluster image is not displayed on the J-Web dashboard. PR1382219

Logical Systems

  • The logical system licenses fail to bind to the tenants or logical systems after the device is rebooted. PR1380144

  • The logical system license limit is increased to three. One license is for root-logical-system traffic and the other two licenses are for the logical system and the tenant to transfer the traffic. PR1384659

  • Tenant installation for a logical system fails on node 1 after an ISSU upgrade. PR1388336

Network Address Translation (NAT)

  • Source NAT sessions might fail to be created when the port-overloading or the port-overloading-factor statement is configured. PR1370279

Network Management and Monitoring

  • The show snmp mib walk etherStatsTable command displays incorrect results. PR1335808

  • The eventd process generates a core file when the incoming system log message length is at or beyond the maximum supported size. PR1366120

Platform and Infrastructure

  • On SRX1500 devices, when the power supply fails, the trap sent might contain incorrect information. PR1315937

  • On SRX300, SRX320, SRX340, and SRX345 devices, you are unable to lock the USB port. PR1352104

  • On SRX4100 and SRX4200 devices, the SRX Network Time Protocol (NTP) client might not stay synchronized to the NTP server and as a result the device clock often switches from NTP to local time. PR1357843

  • On SRX5400, SRX5600, and SRX5800 devices, log messages are seen often when an IOC card has the same identifier as the SPC card. PR1357913

  • When the secure copy protocol (SCP) fails to transfer the active configuration to an archive site, the archive site also fails. PR1359424

  • On SRX4600 devices, the show chassis fan and show chassis environment commands do not display any output. PR1363645

  • Packet capture feature does not work after the sampling configuration is deleted. PR1370779

  • On SRX Series devices in a chassis cluster, the cold synchronization process might slow down when there are many Packet Forwarding Engines installed on the device. PR1376172

  • Junos OS upgrade might fail when you use the validate option after the /cf/var/sw directory is erroneously deleted. PR1384319

Routing Policy and Firewall Filters

  • The TCP protocol ports 5800 and 5900 are added to junos-defaults to support the VNC application. PR1333206

  • The show security policies detail command output is modified to improve readability, particularly for unified policies. PR1338307

  • The timeout value of junos-http is not accurate. PR1371041

  • When a dynamic address is referenced in the dynamic-address field and the destination IP address of the traffic matches that dynamic address, the policy fails to match the traffic. PR1372921

Routing Protocols

  • If family iso is enabled through the GRE over IPSec tunnel, the vFPC stops working. PR1364624

Services Applications

  • When the ICAP configuration and the traffic passing through are modified, core files might be generated. PR1389600

  • Clearing the TCP session might not clear the redirect objects. PR1390835

System Logs

  • On SRX Series devices, the following false log message is observed: /kernel: check_configured_tpids: < interfaces > : default tpid (0x8100) not configured. pic allows maximum of 0 tpids. PR1373668

Unified Threat Management (UTM)

  • The default actions under a Web filtering profile might not work properly. PR1365389

  • When the server port is configured as 443, the displayed EWF server status is UP. PR1383695

VPNs

  • IPsec tunnel might not work when there are concurrent IKEv2 Phase 1 SA rekeys. PR1360968

  • On SRX5600 and SRX5800 devices, during a migration from VPN to AutoVPN configuration, traffic loss is observed. PR1362317

  • On SRX Series devices in a chassis cluster, when the VPN configuration size reaches an internal configuration processing chunk size, the VPN tunnels might not be configured successfully and the VPN tunnels might not come up after rebooting, upgrading, or restarting ipsec-key-management. PR1376134

  • Packet loss is observed in IPsec Z-mode scenario. PR1377266

  • The kmd process might stop and cause VPN traffic outage after the show security ipsec next-hop-tunnels command is run. PR1381868

  • Adding or deleting site-to-site manual NHTB VPN tunnels to an existing st0 unit causes the existing manual NHTB VPN tunnels under the same st0 unit to flap. PR1382694

Documentation Updates

There are no errata or changes in Junos OS Release 18.4R1 for the SRX Series documentation.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one Junos OS Release to the next release or one release after the next release. For example, you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3 and so on.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster Feature Guide for Security Devices.

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product.

To determine the features supported on SRX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: https://pathfinder.juniper.net/feature-explorer/