Junos OS Release Notes for SRX Series

 

These release notes accompany Junos OS Release 19.1R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.

What’s New in Release 19.1R3

There are no new features in Junos OS Release 19.1R3 for the SRX Series devices.

What’s New in Release 19.1R2

Chassis Clustering

What’s New in Release 19.1R1

Application Security

  • CLI enhancements to support J-Web in application identification (SRX Series and vSRX)—Starting in Junos OS Release 19.1R1, the show services application-identification command is enhanced to display application and application group details in J-Web.

    The show services application-identification application command includes the new risk option and the show services application-identification entries command is enhanced with the new category-list and subcategory-list options. These options support and improve the J-Web search mechanism.

    [See show services application-identification application.]

  • Support for user source identity in APBR policies (SRX Series and vSRX)—Starting in Junos OS Release 19.1R1, you can configure advanced policy-based routing (APBR) policies by defining the user source identity as one of the match criteria along with source addresses, destination addresses, and applications.

    If you specify source identity as a match criteria in a policy, then the user and role information are retrieved before policy lookup can proceed. After a successful match, the APBR profile configured with the APBR policy is used for applying the configured rule.

    [See Advanced Policy-Based Routing.]

  • Application quality of experience (AppQoE) support in high availability (HA) mode (SRX4100, SRX4200)—Starting in Junos OS Release 19.1R1, the SRX4100 and SRX4200 support application quality of experience (AppQoE) when these devices operate in chassis cluster mode.

    You can configure these SRX Series devices to operate in both active/active and active/passive modes and deploy the device as a spoke device in SD-WAN deployments.

    [See Application Quality of Experience.]

  • Application services bypass in APBR (SRX Series and vSRX)—Starting in Junos OS Release 19.1R1, you can bypass the application services on a session by using an advanced policy-based routing (APBR) profile rule. When the APBR profile rule is matched and re-routing is done, you can specify that the traffic matching the rule bypasses the application services that are configured on the SRX Series devices.

    You can use the APBR profile rule to bypass application services such as security policy, application quality of service (AppQoS), Juniper Sky ATP, IDP, Security Intelligence (SecIntel), and UTM.

    [See Advanced Policy-Based Routing.]

  • AppQoE scaling support (SRX4100 and SRX4200)—Starting in Junos OS Release 19.1R1, Application quality of experience (AppQoE) enforces the configuration limit for overlay paths, metric profiles, probe parameters, and SLA rules per profile when you configure application-specific SLA rules and associate the SLA rules to an APBR profile. If you configure more parameters than the allowed limit, an error message is displayed after you commit the configuration.

    [See Application Quality of Experience.]

Authentication Access Control

  • Monitoring DHCP session logs (SRX Series)—Starting in Junos OS Release 19.1R1, you can monitor the Dynamic Host Configuration Protocol (DHCP) session events. Using the session logs generated by the jdhcp process, you can observe the session (subscribe) creation, session deletion, and renew events details. You can configure the DHCP session logs by using the log session and log session dhcpv6 options at the [edit system processes dhcp-service] hierarchy level for IPv4 and IPv6 addresses, respectively. You can use the session logs for monitoring and troubleshooting purposes.

    [See log.]

Intrusion Detection and Prevention (IDP)

  • Covert channels identification and mitigation for IPv6 extension headers (SRX Series and vSRX)—Starting in Junos OS Release 19.1R1, Intrusion Detection and Prevention (IDP) supports the identification and mitigation of covert channels for IPv6 extension headers.

    A covert channel is a type of attack in which information is transferred through existing channels that the configured security policy should not allow to communicate. This kind of communication therefore violates the existing security system.

    The IPv6 covert channel anomalies are part of the IDP signature database package. You can configure the anomalies by using the predefined-attacks statement under the idp-policies hierarchy level.

    [See Attack Objects and Object Groups for IDP Policies.]

  • Deprecation of signatures in IDP (SRX Series and vSRX)—Starting in Junos OS Release 19.1R1, certain signatures are marked as deprecated or excluded from the Intrusion Prevention System (IPS).

    For dynamic attack groups, two filters—Excluded and no-excluded—are introduced at the [edit security idp dynamic-attack-group dynamic-attack-group-name filters] hierarchy level to check the signatures which are part of the database updates.

    The show security idp attack deprecated-list and show security idp policy deprecated attacks commands are introduced to display the list of deprecated attacks in the signature updates.

    [See IDP Signature Database Overview.]

  • Support for Hyperscan extended parameters in IDP signature-based attacks (SRX Series and vSRX)—Starting in Junos OS Release 19.1R1, you can configure signature-based attacks by using Hyperscan extended parameters. By setting optimal values for the Hyperscan extended parameters, you can enhance the attack pattern matching process significantly.

    To configure the extended parameters, include the optional-parameters option at the [edit security idp custom-attack attack-name attack-type signature] hierarchy level. You can configure the following parameters under the optional-parameters option:

    • min-offset

    • max-offset

    • min-length

    [See Understanding IDP Signature-Based Attacks.]

J-Web

  • Threat Assessment report supports new charts (SRX Series)—Starting in Junos OS Release 19.1R1, the Threat Assessment report supports the following charts:

    • Top Web Categories for Security High—Displays only high severities and the top 10 Web categories.

    • Top Web Categories—Displays the top 10 Web categories.

    • Top Users Accessing Risky Websites—Displays the top 10 values.

    • Top URL Categories for Security Risk (High and Medium)—Displays both high and medium severities and the top 10 values.

    • Top URL Categories for Productivity Loss—Displays the top 10 values.

    • Top URL Categories for Legal Liability—Displays the top 10 values.

    [See Reports.]

  • IPsec VPN security services support new authentication algorithm and Diffie-Hellman (DH) group values (SRX Series)—Starting in Junos OS Release 19.1R1, IPsec VPN security services support and display the following new values:

    • IKE (Phase I)—SHA 512-bit authentication algorithm, DH Group 15, 16, and 21

    • IKE (Phase II)—HMAC-SHA-512 authentication algorithm, HMAC-SHA-384 authentication algorithm, DH Group 15, 16, and 21

    Note

    The new authentication algorithms and DH groups are supported on the SRX5000 line of devices with SPC3 only after the junos-ike package is installed. Click Install from Configure>Security Services>IPsec VPN>Global Settings to install the package.

    [See VPN Global Settings Configuration Page Options, IKE (Phase I) Configuration Page Options, and IKE (Phase II) Configuration Page Options.]

  • Certificate management supports new bit length for the Elliptic Curve Digital Signature Algorithm (ECDSA) key (SRX Series)—Starting in Junos OS Release 19.1R1, when you create a certificate, Certificate management supports a 521-bit length for the ECDSA key.

    [See Managing Certificates.]

  • User management supports new password setting range (SRX Series)—Starting in Junos OS Release 19.1R1, the user management configuration supports the password settings range as follows:

    • Minimum Reuse: 1-20 old passwords, but these must not be the same as the new password you set.

    • Maximum Lifetime: 30-365 days

    • Minimum Lifetime: 1-30 days

    Note

    Using J-Web, you cannot configure the minimum number of characters required for a new password.

    [See User Management Configuration Page Options.]

  • In J-Web, device basic settings can be configured on a single page (SRX Series)—Starting in Junos OS Release 19.1R1, you can configure the following basic settings for a device on a single page in J-Web:

    • System Identity Details

    • Date & Time

    • Management Access Configuration

      Note

      If the SRX Series device does not have a dedicated management port (fxp0), then Loopback Address and Subnet are the only options available for configuring management access. For SRX Series devices with the fxp0 port, IPv4 configuration is supported for configuring management access.

    • Security Logging—Supports only stream mode.

    • SNMP

    [See System Identity Configuration Page Options.]

  • Support for monitoring logical system users and tenant users (SRX Series)—Starting in Junos OS Release 19.1R1, the Users option under the Monitor tab is available for both logical system users and tenant users.

    [See Monitoring Users.]

  • Support for events monitoring configuration for logical system users and tenant users (SRX Series)—Starting in Junos OS Release 19.1R1, the following events monitoring configurations are supported for logical system users and tenant users:

    • Firewall events are supported for both logical system users and tenant users.

    • All events, Web filtering, content filtering, antispam, antivirus, and IPS events are supported for logical system users.

    [See Monitoring Firewall Events and Monitoring All Events.]

  • Supported reports for logical system users and tenant users (SRX1500, SRX4100, SRX4200, and SRX4600)—Starting in Junos OS Release 19.1R1:

    • Threat assessment, application and user, talkers, firewall, screen, and source zone reports are supported for logical system users and tenant users.

    • IPS, URL, viruses, antispam, Web applications, roles, botnet, malware, blocked application, and permitted application reports are supported only for logical system users.

    [See Reports.]

  • Report generation status when the context is switched (SRX Series)—Starting in Junos OS Release 19.1R1, you can choose to stop generating a report to switch the context or continue generating the report without switching the context using the confirmation message.

    [See Configuring Multi Tenancy Logical Systems.]

  • Support for traffic logging (SRX Series)—Starting in Junos OS Release 19.1R1, traffic logging is enabled as part of the security logging configuration for logical system users and tenant users. When you enable traffic logging, the existing event mode configuration (if any) is deleted.

    [See Security Logging Configuration Page Options.]

  • Firewall security policy rules support source identity for local authentication users (SRX Series)—Starting in Junos OS Release 19.1R1, a list of local authentication users is available in source identity for logical system users and tenant users.

    [See Configuring Firewall Policy Rules.]

  • Local authentication monitoring for logical system users and tenant users (SRX Series)—Starting in Junos OS Release 19.1R1, the local authentication option (Monitor > Authentication > Local Auth) is enabled for logical system and tenant users.

    The Clear All option is not available for either logical system users or tenant users to clear the authentication information.

    [See Monitoring Local Authentication.]

  • Autocompletion of logical system names or tenant names (SRX Series)—Starting in Junos OS Release 19.1R1, when you type the partial name of the logical system name or tenant name, the user interface automatically completes the name.

    [See Interconnecting Interface Ports Configuration Page Options.]

  • Multitenancy support is provided for logical system users and tenant users (SRX Series)—Starting in Junos OS Release 19.1R1, you can have the following maximum number of logical system users and tenant users for multitenancy:

    Table 1: Maximum Number of Logical System Users and Tenant Users for Multitenancy

    | SRX Series | Number of Logical System Users | Number of Tenant Users |
    |---|---|---|
    | SRX5000 line of devices with SPC2 | 32 | 100 |
    | SRX5000 line of devices with SPC3 | 32 | 500 |
    | SRX5000 line of devices with mixed SPC2 and SPC3 | 32 | 100 |
    | SRX4600 | 32 | 300 |
    | SRX4200 | 32 | 200 |
    | SRX4100 | 32 | 200 |
    | SRX1500 | 32 | 50 |

    [See Configuring Multi Tenancy Logical Systems and Configuring Multi Tenancy Tenants.]

  • User configurations available on a single page (SRX Series)—Starting in Junos OS Release 19.1R1, the following user configurations are available on a single page:

    • User Management

    • Firewall Authentication

    • Access Profiles

    • UAC Settings

    [See User Management Configuration Page Options.]

  • Address Pool available as a separate configuration page (SRX Series)—Starting in Junos OS Release 19.1R1, you can access Address Pool as a separate configuration page from Configure > Security Objects.

    [See Address Pools Configuration Page Options.]

  • App Tracking available under Security Objects (SRX Series)—Starting in Junos OS Release 19.1R1, you can configure application tracking from Configure > Security Objects > App Tracking.

    [See Application Tracking Configuration Page Options.]

  • Changes on the Monitoring Events page (SRX Series)—Starting in Junos OS Release 19.1R1, the Summary View is replaced with the Chart View, and the Detailed View is replaced with the Grid View. These changes are applicable to all the configuration pages (except the System page) under Monitor > Events.

    [See Monitoring All Events.]

  • IKE (Phase II) supports new values for the Establish tunnels option (SRX Series)—Starting in Junos OS Release 19.1R1, the Establish tunnels option supports the responder-only and responder-only-no-rekey values.

    Note
    • The responder-only option is supported on the SRX5000 line of devices with an SPC3 card only if the junos-ike-package is installed. To install this package from J-Web, navigate to Configure>Security Services>IPsec VPN>Global Settings, and click Install.

    • When you configure the responder-only value on multiple VPN objects with a single gateway configuration, ensure that all the VPN objects are configured with this mode.

    • The responder-only option is supported only on a site-to-site VPN. This option is not supported on AutoVPN.

    [See VPN AutoKey Configuration Page Options.]

  • New risk values in application signature (SRX Series)—Starting in Junos OS Release 19.1R1, when the custom application creates an application signature, it supports the following application signature risk levels:

    • Low

    • Moderate

    • Unsafe

    • High

    • Critical

    [See Application Signature Configuration Page Options.]

  • Support for PowerMode IPsec (SRX4100, SRX4200, SRX4600, SRX5000 line with SPC3 card, and vSRX)—Starting in Junos OS Release 19.1R1, you can enable or disable PowerMode IPsec (PMI) in the IPsec VPN Global Settings.

    Note
    • After the PMI configuration is committed, the Packet Forwarding Engine service restarts automatically. The Packet Forwarding Engine service will not be explicitly restarted.

    • You can use the J-Web user interface to enable or disable PMI depending on the configuration required for each of the devices.

    [See VPN Global Settings Configuration Page Options.]

Logical Systems and Tenant Systems

  • SSL proxy support for logical systems (SRX Series)—Starting in Junos OS Release 19.1R1, SRX Series devices that have logical systems configured support the Secure Sockets Layer (SSL) proxy functionality. The logical-system users can configure and view the SSL profiles specific to their own logical systems by using the root certificate. The logical-system users can configure SSL profiles for proxy termination and initiation on logical systems and can also configure the certificate authority (CA), load a CA profile group, and apply an SSL proxy profile to a security policy for logical systems.

    [See SSL Forward Proxy Overview.]

  • Starting in Junos OS Release 19.1R1, the following features that are supported on the logical systems are now extended to tenant systems:

    • Logging support for tenant systems (SRX1500, SRX4100, SRX4200, and SRX4600)—Starting in Junos OS Release 19.1R1, on-box reporting configurations are supported for each tenant system, and logs are handled based on these configurations. Use the set security log report and set security log mode stream commands to enable the on-box reporting. The on-box reporting feature with stream mode is also supported on tenant systems.

      [See Security Log for Tenant Systems.]

    • User firewall enhanced support for tenant systems (SRX Series)—Starting in Junos OS Release 19.1R1, support for user firewall authentication is enhanced using a shared model. In this model, tenant systems share user firewall configuration and authentication entries with the master logical system. The tenant system shares the authentication data collected from the local authentication, Active Directory authentication, firewall authentication, Juniper Identity Management Service (JIMS), and ClearPass authentication with the master logical system.

      [See Firewall Authentication for Tenant Systems.]

Routing Policy and Firewall Filters

  • Optional application configuration in a unified policy (SRX Series and vSRX)—Starting in Junos OS Release 19.1R1, configuring the application statement at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name match] hierarchy level is optional if the dynamic-application statement is configured at the same hierarchy level.

    In releases before Junos OS Release 19.1R1, it is mandatory to configure the application statement even if the dynamic-application statement is configured.

    [See application (Security Policies) and dynamic-application (Security Policies).]

Routing Protocols

  • Support for BGP graceful shutdown (SRX Series)— Starting in Junos OS Release 19.1R1, graceful traffic migration from one BGP next hop to another is supported, without traffic interruption. Also, BGP administrative shutdown communication can be sent to the BGP peer.

    You can configure both graceful-shutdown and shutdown statements at the [edit protocols bgp], [edit protocols bgp group group-name], and [edit protocols bgp group group-name neighbor address] hierarchy levels.

    Note

    Graceful shutdown is disabled by default.

    [See: graceful-shutdown (Protocols BGP), shutdown (Protocols BGP).]

Security

  • Juniper Entropy Beacon (SRX Series)—Starting in Junos OS Release 19.1R1, Juniper Entropy Beacon (JEB) allows authorized devices to request entropy packages from an SRX345 Services Gateway configured as a JEB server. Entropy is a crucial component of all cryptographic security systems because it is used to generate symmetric and asymmetric cryptographic keys. Low entropy leads to predictable keys, which can compromise the security of a system. JEB provides high-quality entropy from a trusted source to entropy-starved clients securely over the network.

    [See Juniper Entropy Beacon Overview.]

Unified Threat Management (UTM)

  • SRX TAP mode support for UTM features (SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600)—Starting in Junos OS Release 19.1R1, the Unified Threat Management (UTM) module supports TAP (Terminal Access Point) mode. When you configure an SRX Series device to operate in TAP mode, the device generates and displays security log information such as threats detected, application usage, and user details. When configured to operate in TAP mode, the SRX Series device receives packets only from the configured TAP interface.

    [See Enhanced Web Filtering.]

VPN

  • PowerMode IPsec with SPC3 (SRX5400, SRX5600, and SRX5800)—Starting in Release 19.1R1, Junos OS on SRX Series devices with SPC3 supports a new mode of IPsec operation called PowerMode IPsec (PMI). PMI uses a small software block inside the Packet Forwarding Engine that bypasses flow processing and utilizes the Intel Advanced Encryption Standard New Instructions (AES-NI) for optimized performance of IPsec processing.

    You can enable PMI processing by using the power-mode-ipsec statement at the [edit security flow] hierarchy level.

    With PMI configured, the device supports the following features:

    • Internet Key Exchange (IKE) functionality

    • AutoVPN with traffic selectors

    • High availability

    • IPv6

    • Stateful firewall

    • st0 interface

    • Traffic selectors

    [See Understanding PowerMode IPsec.]

  • Cryptographic algorithm support for IPsec and IKE on SRX5K-SPC3 card (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 19.1R1, SRX5000 line of devices with SRX5K-SPC3 card support cryptographic algorithms to protect classified information.

    The following algorithms are supported for IPsec:

    • Diffie-Hellman Group 15

    • Diffie-Hellman Group 16

    • Diffie-Hellman Group 21

    • HMAC-SHA-512

    • HMAC-SHA-384

    The following algorithms are supported for IKE:

    • Diffie-Hellman Group 15

    • Diffie-Hellman Group 16

    • Diffie-Hellman Group 21

    • SHA-512

    • ECDSA-521 for X509 signatures

    [See IPsec VPN Overview and Understanding Certificates and PKI.]

  • Support for CoS classifier and rewrite functions in PMI on SPC3 (SRX Series)— Starting in Junos OS Release 19.1R1, class of service (CoS) supports the configuration of behavior aggregate (BA) classifier, multifield (MF) classifier, and rewrite-rule functions in PowerMode IPsec (PMI) on SPC3 cards.

    [See Improving IPsec Performance with PowerMode IPsec.]

  • Support for IKE responder-only mode (SRX Series)—Starting in Junos OS Release 19.1R1, two new options for the establishment of IPSec tunnels are introduced. The responder-only and responder-only-no-rekey options are added to the establish-tunnels statement under the [edit security ipsec vpn vpn-name] hierarchy level.

    When you use these options, the VPN tunnel is established from the remote peer. In the case of the responder-only option, an established tunnel rekeys both Internet Key Exchange (IKE) and IPsec, based on the configured lifetime values. When you use the responder-only-no-rekey option, an established tunnel does not initiate rekeying from the device but relies on the remote peer to initiate rekeying.

    [See IPsec VPN Overview.]
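    The J-Web note above requires that when responder-only is set on several VPN objects that share one gateway, every one of those VPN objects uses that mode. The following Python check is an added example (not Juniper code) that enforces this rule on a configuration exported in "set" format. Assumptions: the VPN and gateway names are constructed, and the `ike gateway` statement and the `immediately` value are standard Junos syntax that this page does not show.

```python
import re
from collections import defaultdict

# Constructed sample configuration in Junos "set" format (not from the release notes).
SAMPLE_CONFIG = """\
set security ipsec vpn branch-a ike gateway gw-hub
set security ipsec vpn branch-a establish-tunnels responder-only
set security ipsec vpn branch-b ike gateway gw-hub
set security ipsec vpn branch-b establish-tunnels immediately
set security ipsec vpn branch-c ike gateway gw-dc
set security ipsec vpn branch-c establish-tunnels responder-only-no-rekey
set security ipsec vpn branch-d ike gateway gw-dc
set security ipsec vpn branch-d establish-tunnels responder-only-no-rekey
set security ipsec vpn branch-e ike gateway gw-lab
"""

# Matches the two statements this check needs under [edit security ipsec vpn vpn-name].
VPN_RE = re.compile(
    r"^set\s+security\s+ipsec\s+vpn\s+(?P<vpn>\S+)\s+"
    r"(?:ike\s+gateway\s+(?P<gw>\S+)|establish-tunnels\s+(?P<mode>\S+))\s*$"
)


def parse_vpns(config_text):
    """Return {vpn_name: {"gateway": str|None, "mode": str|None}}.

    A mode of None means establish-tunnels is not configured for that VPN,
    so the device default applies.
    """
    vpns = defaultdict(lambda: {"gateway": None, "mode": None})
    for line in config_text.splitlines():
        m = VPN_RE.match(line.strip())
        if not m:
            continue  # unrelated statement
        entry = vpns[m["vpn"]]
        if m["gw"]:
            entry["gateway"] = m["gw"]
        else:
            entry["mode"] = m["mode"]
    return dict(vpns)


def find_mixed_responder_only(config_text):
    """Return {gateway: [vpn, ...]} for gateways that mix responder-only with other modes.

    Strict reading of the note: once any VPN on a gateway is responder-only,
    every VPN on that gateway must be responder-only too. A VPN with a
    different value, or with no establish-tunnels statement, is reported.
    """
    by_gateway = defaultdict(dict)
    for name, entry in parse_vpns(config_text).items():
        if entry["gateway"] is not None:
            by_gateway[entry["gateway"]][name] = entry["mode"]

    findings = {}
    for gateway, modes in by_gateway.items():
        if "responder-only" not in modes.values():
            continue  # rule only applies when responder-only is in use
        offenders = sorted(v for v, mode in modes.items() if mode != "responder-only")
        if offenders:
            findings[gateway] = offenders
    return findings


if __name__ == "__main__":
    for gateway, offenders in find_mixed_responder_only(SAMPLE_CONFIG).items():
        print(f"gateway {gateway}: not responder-only -> {', '.join(offenders)}")
```
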

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for SRX Series.

Changes in Behavior and Syntax: Release 19.1R3

Application Layer Gateways (ALG)

  • Disable the do not fragment flag from packet IP header (SRX Series and vSRX)—Starting in Junos OS Release 19.1R3, we’ve introduced the clear-dont-frag-bit option at the [edit security alg alg-manager] hierarchy level to disable the do not fragment flag from the packet IP header, which allows the packet to be split after NAT is performed.

    In Junos OS releases earlier than Release 19.1R3, when the ALG performs payload-NAT, sometimes the size of the packet becomes bigger than the outgoing interface maximum transmission unit (MTU). If the packet IP header has the do not fragment flag, this packet cannot be sent out.

    [See alg-manager.]

Application Security

  • Starting in Junos OS Release 19.1R3, you can configure the maximum memory limit for deep packet inspection (DPI) by using the following configuration statement:

    You can set the memory value from 1 through 200000 MB.

    Once the JDPI memory consumption reaches 90% of the configured value, DPI stops processing new sessions.

  • In Junos OS Release 19.1R3, you have the flexibility to limit the application identification inspection as follows:

    • Inspection Limit for TCP and UDP Sessions

      You can set the byte limit and the packet limit for application identification (AppID) in a UDP or in a TCP session. AppID concludes the classification based on the configured inspection limit. On exceeding the limit, AppID terminates the application classification.

      If AppID does not conclude the final classification within the configured limits, and a pre-matched application is available, AppID concludes the application as the pre-matched application. Otherwise, the application is concluded as junos:UNKNOWN provided the global AppID cache is enabled. The global AppID cache is enabled by default.

      To configure the byte limit and the packet limit, use the following configuration statements from the [edit] hierarchy:

      Table 2 provides the range and default value for configuring the byte limit and the packet limit for TCP and UDP sessions.

      Table 2: Maximum Byte Limit and Packet Byte Limit for TCP and UDP Sessions

      | Session | Limit | Range | Default Value |
      |---|---|---|---|
      | TCP | Byte limit | 0 through 4294967295 | 6000. For Junos OS Release 15.1X49-D200, the default value is 10000. |
      | TCP | Packet limit | 0 through 4294967295 | Zero |
      | UDP | Byte limit | 0 through 4294967295 | Zero |
      | UDP | Packet limit | 0 through 4294967295 | 10. For Junos OS Release 15.1X49-D200, the default value is 20. |

      The byte limit excludes the IP header and the TCP/UDP header lengths.

      If you set both the byte-limit and the packet-limit options, AppID inspects the session until both the limits are reached.

      You can disable the TCP or UDP inspection limit by configuring the corresponding byte-limit and the packet-limit values to zero.

    • Global Offload Byte Limit (Other Sessions)

      You can set the byte limit for the AppID to conclude the classification and identify the application in a session. On exceeding the limit, AppID terminates the application classification.

      If AppID does not conclude the final classification within the configured limits, or the session is not offloaded due to tunneling behavior of some applications, and a pre-matched application is available, AppID concludes the application as the pre-matched application. Otherwise, the application is concluded as junos:UNKNOWN provided the global AppID cache is enabled (the global AppID cache is enabled by default).

      To configure the byte limit, use the following configuration statement from the [edit] hierarchy:

      The default value for the global-offload-byte-limit option is 10000 and the range is 0 through 4294967295.

      You can disable the global offload byte limit by configuring the global-offload-byte-limit value to zero.

      The byte limit excludes the IP header and the TCP/UDP header lengths.

    • Starting in Junos OS Release 19.3R1, the maximum packet threshold for DPI performance mode option set services application-identification enable-performance-mode max-packet-threshold value is deprecated—rather than immediately removed—to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration. This option was used for setting the maximum packet threshold for the DPI performance mode.

      If your configuration includes enabled performance mode option with max-packet-threshold value, AppID concludes the application classification on reaching the lowest value configured in the TCP or UDP inspection limit or in the global offload byte limit, or in the maximum packet threshold for DPI performance mode option.

    [See Application Identification Inspection Limit and application-identification]

Authentication and Access Control

  • Enhanced user firewall support—In Junos OS Release 19.1R3, for SRX300 devices with eUSB (SRX300, SRX320, SRX340, and SRX345), the SRX Series user firewall (UserFW) module tries to synchronize user entries from the domain controller or Juniper Identity Management Service (JIMS) after booting up. If the historical login events expired on the domain controller, then the SRX Series UserFW module is unable to retrieve those user entries after the UserFW module boots up.

    [See User Authentication Entries in the ClearPass Authentication Table.]

Ethernet Switching

  • LLDP support on redundant Ethernet interfaces (SRX Series)—Starting in Junos OS Release 19.1R3, you can configure the Link Layer Discovery Protocol (LLDP) on redundant Ethernet (reth) interfaces. Use the set protocol lldp interface reth-interface command to configure LLDP on a reth interface.

    [See Configuring LLDP and Ethernet Ports Switching Overview for Security Devices.]

Juniper Sky ATP

  • Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 19.1R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).

Unified Threat Management (UTM)

  • Increase in the UTM scale number (SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 19.1R3, on SRX Series devices, UTM policies, profiles, MIME patterns, filename extensions, protocol commands, and custom messages are increased up to 1500. Custom URL patterns and custom URL categories are increased up to 3000.

    [See Unified Threat Management overview.]

VPNs

  • Public key infrastructure warning message (SRX Series)—Junos OS Release 19.1R3 displays the warning message ECDSA Keypair not supported with SCEP for cert_id certificate id when you try to enroll a local certificate using an Elliptic Curve Digital Signature Algorithm (ECDSA) key with Simple Certificate Enrollment Protocol (SCEP). The message appears because the ECDSA key is not supported with SCEP.

    In Junos OS releases before Release 19.1R3, the warning message is not displayed.

    [See Example: Enrolling a Local Certificate Online Using SCEP.]

Changes in Behavior and Syntax: Release 19.1R2

Authentication and Access Control

  • SSH protocol version v1 option deprecated from CLI (SRX Series)—Starting in Junos OS Release 19.1R2, we’ve removed the nonsecure SSH protocol version 1 (v1) option from the [edit system services ssh protocol-version] hierarchy level. You can use the SSH protocol version 2 (v2) as the default option to remotely manage systems and applications. With the v1 option deprecated, Junos OS is compatible with OpenSSH 7.4 and later versions.

    Junos OS releases earlier than Release 19.1R2 continue to support the v1 option to remotely manage systems and applications.

    [See protocol-version.]

Network Management and Monitoring

  • The show system schema command and <get-yang-schema> RPC require specifying an output directory (SRX Series)—Starting in Junos OS Release 19.1R2, when you issue the show system schema operational mode command in the CLI or execute the <get-yang-schema> RPC in a remote session to retrieve schema files, you must specify the directory in which to generate the output files by including the output-directory command option in the CLI or the <output-directory> element in the RPC. In earlier releases, you can omit the output-directory argument when requesting a single module to display the module in standard output.

  • Default system log messages (SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550M)—Starting in Junos OS Release 19.1R2, the default mode for system log messages is changed from event mode to stream mode.

    [See Understanding System Logging for Security Devices and mode (Security Log).]

Changes in Behavior and Syntax: Release 19.1R1

Flow-Based and Packet-Based Processing

  • Change in the maximum number of sessions permitted (SRX340)—Starting in Junos OS Release 19.1R1, the maximum number of sessions permitted on SRX340 devices increases. Table 3 shows the maximum number of sessions permitted on SRX340 devices.

    Table 3: Maximum Number of Sessions Permitted on SRX340 Devices

    Junos OS Release                   Device                              Maximum Number of Sessions
    Junos OS Release 19.1R1 onward     SRX340                              375000
                                       SRX340 configured with a license    256000
    Junos OS Releases before 19.1R1    SRX340                              256000
                                       SRX340 configured with a license    128000

    See Features Requiring a License on SRX340 Devices for more information about licenses for SRX340 Series Devices.

    [See show security flow session.]

Platform and Infrastructure

  • Chassis cluster with SPC card (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 19.1R1, when an SPC is acting as the central point as well as hosting the single control link port, this creates a single point of failure. If the SPC goes down on the primary node, the node is automatically rebooted to avoid a split-brain condition.

    [See Connecting SRX Series Devices to Create a Chassis Cluster.]

User Interface and Configuration

  • Options for monitor traffic interfaces statement added (SRX Series)—Starting in Junos OS Release 19.1R1, the options write-file and read-file under the monitor traffic command are included in the visible CLI.

    [See monitor traffic.]

VPNs

  • Certificate revocation list (SRX Series)—Local certificates are being validated against the certificate revocation list (CRL) even when the CRL check is disabled. Starting in Junos OS Release 19.1R1, this can be stopped by disabling the CRL check through the Public Key Infrastructure (PKI) configuration. When the CRL check is disabled, PKI does not validate local certificates against the CRL.

    [See revocation-check (Security PKI) and Understanding Online Certificate Status Protocol and Certificate Revocation Lists.]

  • Encryption algorithm (SRX Series)—Starting in Junos OS Release 19.1R1, when AES-GCM 128-bit or AES-GCM 256-bit encryption algorithms are configured in the IPsec proposal, it is not mandatory to configure AES-GCM encryption algorithm in the corresponding IKE proposal.

    [See IPsec VPN Configuration Overview and encryption-algorithm (Security IKE).]

  • Local or remote certificates (SRX Series)—Starting in Junos OS Release 19.1R1, a commit check is added to prevent users from adding ., /, %, and space in a certificate identifier while generating a local or remote certificate or a key pair.

    [See certificate-id (Security) and Example: Configuring PKI.]

  • Encryption algorithm support for high availability—Starting in Junos OS Release 19.1R1, on the SRX5000 line of devices, you can configure the aes-128-cbc option at set security ipsec internal security-association manual encryption algorithm. You configure this option for encrypting the high availability link.

    [See internal (Security IPsec).]
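A pre-upgrade audit for three of the behavior changes listed above (SSH v1 removal in 19.1R2, the certificate identifier commit check in 19.1R1, and the security log default mode change on branch devices in 19.1R2). This is an added example, not Juniper code; the sample configuration is constructed, and the certificate-id and security log mode statement paths it matches are assumptions.

```python
import shlex

# Characters the 19.1R1 commit check rejects in a certificate identifier.
FORBIDDEN_CERT_ID_CHARS = {".", "/", "%", " "}

# Constructed sample in "set" format (not from a real device). Statement paths
# other than the ssh protocol-version hierarchy are assumptions.
SAMPLE_CONFIG = """\
set system host-name branch-fw1
set system services ssh protocol-version v1
set system services ssh protocol-version v2
set security pki auto-re-enrollment certificate-id "branch fw1.example" ca-profile-name corp-ca
set security pki auto-re-enrollment certificate-id branch-fw2 ca-profile-name corp-ca
set security ike proposal p1 authentication-method rsa-signatures
"""


def parse_set_lines(config_text):
    """Yield (line_number, tokens) for every 'set' statement, quotes honoured."""
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("set "):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            # Unbalanced quote: fall back to plain whitespace splitting.
            tokens = line.split()
        yield number, tokens[1:]


def forbidden_chars(cert_id):
    """Return the sorted forbidden characters present in a certificate identifier."""
    return sorted(FORBIDDEN_CERT_ID_CHARS & set(cert_id))


def audit(config_text, branch_srx=False):
    """Return a list of (line_number, code, detail) findings.

    branch_srx=True enables the check for the devices whose default security
    log mode changes from event to stream in 19.1R2 (SRX300, SRX320, SRX340,
    SRX345, SRX550, SRX550M).
    """
    findings = []
    log_mode_configured = False

    for number, tokens in parse_set_lines(config_text):
        # 19.1R2: the v1 option is removed from system services ssh protocol-version.
        if tokens[:4] == ["system", "services", "ssh", "protocol-version"]:
            if "v1" in tokens[4:]:
                findings.append((number, "ssh-v1",
                                 "SSH v1 option is removed in 19.1R2; keep only v2"))

        # Assumed path for the security log mode statement.
        if tokens[:3] == ["security", "log", "mode"]:
            log_mode_configured = True

        # 19.1R1: commit check rejects ., /, % and space in certificate identifiers.
        for index, token in enumerate(tokens[:-1]):
            if token == "certificate-id":
                bad = forbidden_chars(tokens[index + 1])
                if bad:
                    findings.append((number, "cert-id-chars",
                                     "identifier %r contains %r" % (tokens[index + 1], bad)))

    # 19.1R2: with no explicit mode, branch devices move from event to stream.
    if branch_srx and not log_mode_configured:
        findings.append((None, "log-mode-default",
                         "no explicit security log mode; default becomes stream"))
    return findings


if __name__ == "__main__":
    for line_number, code, detail in audit(SAMPLE_CONFIG, branch_srx=True):
        where = "line %d" % line_number if line_number else "global"
        print("%-8s %-18s %s" % (where, code, detail))
```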

Known Limitations

Learn about known limitations in this release for SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Security

  • For any web application that is hosted on a content delivery network (CDN) such as AWS, Akamai, Azure, Fastly, Cloudflare, and so on, application identification (AppID) incorrectly classifies the application as the "AMAZON" application instead of the actual application.

Installation and Upgrade

  • The USB storage device stops working if it is removed while it is in initialization state. To avoid this issue, wait for a few seconds before removing the USB storage device. PR1332360

J-Web

  • The CLI terminal does not work in Java version 1.8 because of a security restriction in running the applet. PR1341956

Platform and Infrastructure

  • The gRPC connection with the gRPC collector resets upon RG0 failover. PR1402149

Switching

  • SRX300, SRX320, SRX340, SRX345, and SRX550HM devices do not support CoS features such as classification, scheduling, shaping, policing, PCP, and DSCP rewrite in Ethernet switching mode. PR1476310

VPNs

  • Tunnel debugging configuration is not synchronized to backup node. It needs to be configured again after RG0 failover. PR1450393

Open Issues

Learn about open issues in this release for SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • On an SRX4600 device, the output of the show route forwarding-table command displays the next-hop IP address twice if the next hop is the st0 interface. The routing functionality is not impacted. PR1290725

  • On all SRX Series devices, in a chassis cluster with Z-mode traffic and local (non-reth) interfaces configured, when using ECMP routing between multiple interfaces residing on both node0 and node1, if a session is initiated through one node and the return traffic comes in through the other node, packets might be dropped due to reroute failure. PR1410233

  • Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093

  • Syslog severity level of msg subtype is end of policy is set to error although this message can be ignored. PR1435233

  • The dynamic applications that relied on SSL proxy for matching have been deprecated. These dynamic applications are HTTPS, SMTPS, POP3S, and IMAPS. Use SSL, SMTP, POP3, and IMAP in all policies moving forward as they will now match for both encrypted and decrypted streams. PR1444767

  • The flowd or srxpfe process might stop when SSL proxy service is used. PR1450829

  • TCP session cannot time out properly upon receiving the TCP RESET packet, and the session timeout does not change to two seconds. PR1467654

Intrusion Detection and Prevention (IDP)

  • On the SRX Series devices, the commit or show command for IDP might not work if you keep running SNMP queries when large-scale IDP is used. PR1444043

J-Web

  • Forming a chassis cluster from J-Web by using the HA cluster wizard is not supported from Junos OS Release 12.1X47 onward for SRX5400 only. PR1372518

Platform and Infrastructure

  • Multiple monitor failures are seen on the rg1 interface after ISSU from Junos OS Release 17.4R1-S3 to Junos OS Release 18.1R1.9. PR1354395

  • When SRX5K-SPC3 or MX-SPC3 cards are installed in slots 0 or 1 in an SRX5800 or MX960 chassis, EMI-radiated emissions are observed to be higher than regulatory compliance requirements. PR1479001

Routing Policy and Firewall Filters

  • During commit, the nsd_vrf_group_config_lsys log messages are displayed. PR1446303

  • The SSL reverse proxy feature must be used instead of the SSL inspection feature. SSL inspection on IDP level is being deprecated in favor of SSL reverse proxy. PR1450900

  • If a large number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907

SSL Proxy

  • Within an SSL-proxy configuration, if trusted-ca and root-ca have the same name, then the associated SSL-T and SSL-I profiles are not pushed to the Packet Forwarding Engine, which impacts the SSL-proxy functionality. As a workaround, ensure that trusted-ca and root-ca have different IDs or names. If the device is already in this state, do the following to recover:

    • Configure different names for trusted-ca and root-ca.

    • From the CLI, restart NSD process using command restart network-security.

    PR1420859

VPNs

  • On SRX Series devices, in case multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector rekeys at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. New negotiation of those traffic selectors might be triggered through other mechanisms such as traffic or peer. PR1287168

  • When multiple traffic selectors are configured on a particular VPN, the iked process checks for a maximum of one DPD probe that is sent to the peer for the configured DPD interval. The DPD probe is sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585

  • VPN tunnels flap after a group is added or deleted in edit private mode in a clustered setup. PR1390831

  • On the SRX5000 line of devices with SPC3, sometimes the IPsec tunnel may not come up after the configuration is changed from responder-only to responder-only-no-rekey ikev1. PR1441320

  • With the NCP remote access solution, where IPsec traffic has to be encapsulated as TCP packets, TCP encapsulation for transit traffic is failing. PR1442145

  • On SRX5400, SRX5600, and SRX5800 devices, when a chassis cluster is configured and IPsec tunnels are set up with DPD, after RG failover on the chassis cluster, some IPsec tunnels flap and there is temporary VPN traffic interruption until it is restored automatically. PR1450217

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 19.1R3

Application Layer Gateways (ALGs)

  • The H323 call with NAT64 cannot be established on the SRX5000 line of devices. PR1462984

  • The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942

  • SIP messages that need to be fragmented might be dropped by the SIP ALG. PR1475031

Application Security

  • Introduction of default inspection limits to application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180

Authentication and Access Control

  • The same source IP sessions are cleared when the IP entry is removed from the UAC table. PR1457570

Chassis Clustering

  • The flowd process might stop and restart, with the generation of a flowd core file, while using NAT PBA in a chassis cluster AA mode. PR1443148

  • The flowd process might stop on SRX Series devices with chassis cluster and IRB interface configured. PR1446833

  • IP monitoring might fail on the secondary node. PR1468441

  • An unhealthy node might become primary in an SRX4600 chassis cluster scenario. PR1474233

Class of Service (CoS)

  • The CoS rewrite rule does not work for the st0 interface. PR1439401

Flow-Based and Packet-Based Processing

  • The security flow traceoptions files fill with RTSP ALG-related information. PR1458578

  • Optimizations were made to improve the connections-per-second performance of an SPC3. PR1458727

  • The tunnel packets might be dropped because the gr0.0 or st0.0 interface is wrongly calculated after a GRE or VPN route change. PR1462825

  • AAWM policy rules for IMAP traffic sometimes might not get applied when the IMAP traffic passes through an SRX Series device. PR1450904

  • The SRX Series device stops and generates several core files. PR1455169

  • When you try to reset the system configuration on an SRX1500 device using the reset config button, it does not work properly. PR1458323

  • The SRX Series device might not be reachable when you initiate the offline command for a PIC. PR1459037

  • The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619

  • The srxpfe or flowd process might stop if you change the sampling configuration. PR1462610

  • On the SRX300 line of devices, you might encounter slow loading of Authentication-Table while using user identification. PR1462922

  • The EA WAN SerDes gets into a stuck state, leading to continuous DFE tuning timeout errors and link staying down. PR1463015

  • A core file is generated when you perform an ISSU on SRX Series devices. PR1463159

  • Fragmented traffic might get looped on the fabric interface between the nodes in a rare case. PR1465100

  • The pkid process keeps leaking memory on SRX Series devices. PR1465614

  • The jbuf process usage may increase up to 99 percent after Junos OS upgrade. PR1467351

  • The rpd process might stop after several changes to the flow-spec routes. PR1467838

  • Packet Forwarding Engine core files are generated because SSL proxy is enabled on SRX Series devices and NFX Series routers. PR1467856

  • The AAMW diagnostic script generates incorrect error when there is Internet latency: Error: server unreachable is detected, please make sure port 443 is reachable. PR1468114

  • Tail drop on all ports is observed when any switch-side egress port gets congested. PR1468430

  • FTP data connection might be dropped if the SRX Series device sends the FTP connection traffic through the dialer (dl) interface. PR1468570

  • RPM test probe failure due to exceeded round-trip time is not working. PR1471606

  • SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550HM devices may not retrieve the complete users or groups and user-group-mappings if the DC includes more than 20,000 users or groups. Use JIMS solution on SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550HM devices when there are more than 20,000 users or devices or groups in the AD deployment. PR1472601

  • Supports LLDP on reth interfaces. PR1473456

  • Packet drop might be observed on the SRX300 line of devices when an interface is added to or removed from MACsec. PR1474674

  • The flowd or srxpfe process might stop when advanced anti-malware service is used. PR1480005

Install and Upgrade

  • Certificate error while validating configuration during Junos OS upgrade. PR1474225

Interfaces and Chassis

  • On E1 interface, BERT bits count is not within the range. PR1445041

  • Static route through dl0.0 interface is not active. PR1465199

  • MAC limiting on Layer 3 routing interfaces does not work. PR1465366

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process stops and generates a core file. PR1437569

  • Rogue .gz files in /var/tmp/sec-download/ might cause an offline security package update to fail. PR1466283

J-Web

  • Editing a destination NAT rule in J-Web introduces a nonconfigured routing instance field. PR1461599

Layer 2 Ethernet Services

  • The metric is not changing when configured under DHCP. PR1461571

Network Address Translation (NAT)

  • The flowd and srxpfe process might stop when traffic is processed by both ALGs and NAT. PR1471932

Network Management and Monitoring

  • The flowd and srxpfe process might stop immediately after you commit the jflowv9 configuration or after you upgrade Junos OS to affected releases. PR1471524

  • SNMP trap coldStart agent-address becomes 0.0.0.0. PR1473288

  • All ingress packets are dropped if the traffic transit network is also the same network for LTE mPIM internal management. PR1450046

Platform and Infrastructure

  • The SPC card might stop on SRX5000 line of devices. PR1439744

  • Cm errors on certain MPC line cards are classified as major, which should be minor or non-fatal. PR1449427

  • Traffic loss might occur when there are around 80,000 routes in the FIB. PR1450545

  • Modifying the REST configuration might cause the system to become unresponsive. PR1461021

  • A VM core might be observed if you are configuring a sampling rate of more than 65,535. PR1461487

  • The aggregated Ethernet interface cannot be configured on an SRX4600 device. PR1465159

  • Physically disconnecting the cable from the fxp0 interface causes hardware monitor failure. PR1467376

  • The RGx may fail over after RG0 failover in a rare case. PR1479255

Routing Policy and Firewall Filters

  • Security policies cannot be synchronized between the Routing Engine and the Packet Forwarding Engine on SRX Series devices. PR1453852

  • Traffic log shows a wrong custom-application name when the alg ignore option is used in the application configuration. PR1457029

  • The NSD process might get stuck and cause problems. PR1458639

  • Some domains are not resolved by the SRX Series devices when using the DNS address book. PR1471408

  • The policy detail does not display the policy statistics counter, even when policy count is enabled. PR1471621

  • Support for dynamic tunnels on SRX Series devices was removed. PR1476530

Routing Protocols

  • SSH login might fail if a user account exists in both local database and RADIUS/TACACS+. PR1454177

  • The rpd might stop when both instance-import and instance-export policies contain the as-path-prepend action. PR1471968

Unified Threat Management (UTM)

  • Increase the scale number of a UTM profile or policy for the SRX1500 device, and the SRX4000 and SRX5000 lines of devices. PR1455321

  • The UTMD process pauses after you deactivate UTM configuration with predefined category upgrading used. PR1478825

VPNs

  • After RG1 failover, IKE phase 1 SA is getting cleared. PR1352457

  • Displaying an incorrect port number when scale is 1000 on IKEv1 AutoVPN tunnels. PR1399147

  • The IKE and IPsec configuration under groups is not supported in this release. PR1405840

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, if an existing IKE gateway configuration is changed from AutoVPN to Site-to-Site VPN, the IKE negotiation behavior remains in responder-only mode. PR1413619

  • The VPN tunnel might flap when IKE and IPsec rekey happen simultaneously. PR1421905

  • Old tunnel entries are also seen when a new tunnel negotiation happens from the peer device after a change in the IKE gateway configuration at the peer side. PR1423821

  • The show security ipsec statistics command output of encrypted bytes fields count is not properly displayed.

  • The P1 configuration delete message is not sent on loading the baseline configuration if there has been a prior change in the VPN configuration. PR1432434

  • IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951

  • Traffic is not sent out through an IPsec VPN after upgrade to Junos OS Release 18.2 or later. PR1461793

  • The IPsec VPN tunnels cannot be established if overlapped subnets are configured in traffic selectors. PR1463880

  • IPsec tunnels might lose connectivity after an SRX Series chassis cluster failover when using AutoVPN point-to-multipoint mode. PR1469172

Resolved Issues: 19.1R2

Application Layer Gateways (ALGs)

  • On all SRX Series platforms, SIP/FTP ALG does not work when SIP traffic with source NAT goes through the SRX Series devices. PR1398377

  • Unexpected forwarding sessions appear for tenant ALG SIP traffic in cross tenant case sometimes. PR1409748

  • When both ALG and rst-invalidate-session are enabled, the TCP reset packet will be dropped by the SRX Series devices. This will impact all TCP ALG related traffic. PR1430685

  • The H.323 connection might not be established when the H.323 packet passes SRX Series devices twice through different virtual routers. PR1436449

  • Packet loss happens during cold synchronization from secondary node after rebooting. PR1448252

Application Security

  • Automatic application-identification download stops after going over the year and reboot. PR1436265

  • With a single SPC3 card, AppQoS configured with unified policy can't provide throughput of more than 60 Gbps. PR1439575

  • The flowd process core files might be seen when the traffic hits AppQoS policy. PR1446080

Authentication and Access Control

  • The CPU utilization of the uacd is high, about 100 percent, in the output of show chassis routing-engine. PR1424971

Chassis Clustering

  • The SNMP trap sends wrong information with manual failover. PR1378903

  • Mixed mode (SPC3 coexisting with SPC2 cards) high availability (HA) IP monitoring fails on the secondary node with secondary arp entry not found error. PR1407056

  • Node 0 stayed in secondary-hold status for long time but cannot change back to secondary status after manual failover in RG0. PR1421242

  • Starting in Junos OS Release 18.4, a maximum of six PDN connects can be contained in PDP context response. Otherwise, the response is dropped. PR1422877

  • Memory leaks might be seen on the jsqlsyncd process on SRX Series chassis clusters. PR1424884

  • RG0 failover sometimes causes FPC offline/present status. PR1428312

  • Hardware failure is seen on both nodes in show chassis cluster status. PR1452137

  • Chassis cluster control link will remain up even though control link is actually down. PR1452488

Class of Service (CoS)

  • Frequent issuance of the show class-of-service spu statistics command causes rtlogd to become busy. PR1438747

Flow-Based and Packet-Based Processing

  • Control traffic loss might be seen on SRX4600 platform. PR1357591

  • On SRX1500 devices, the activity LED (right LED) for 1-Gigabit Ethernet/10-Gigabit Ethernet port is not on although traffic is passing through that interface. PR1380928

  • Password recovery menu is not shown on SRX Series devices. PR1381653

  • Invalid sessions time out over 48 hours with stress TCP traffic in the backup node. PR1383139

  • On SRX4600 platform, the 40-Gigabit Ethernet interface might flap continuously by MAC local fault. PR1397012

  • SRX Series devices might not strip VLAN added by native VLAN ID command. PR1397443

  • CPU is hitting 100 percent with fragmented traffic. PR1402471

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when PowerMode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands do not count or display the number of packets processed within PowerMode IPsec, because these packets do not go through the regular flow path. PR1403037

  • Throughput or latency performance of TCP traffic is dropped when TCP traffic is passing through from one logical system to another logical system. PR1403727

  • The kernel might stop on the secondary node when committing set system management-instance command. PR1407938

  • While PMI is on, IPsec-encrypted statistics on the Routing Engine show security ipsec statistics are not working anymore for fragment packets. PR1411486

  • Traffic might be lost on SRX Series devices if IPsec session affinity is configured with ipsec-performance-acceleration. PR1418135

  • If the traffic-log feature is configured, logs might incorrectly display IPv4 addresses in IPv6 format and packets might be dropped. PR1421255

  • On PEM 0 or PEM 1 or fan, I2C failure major alarm might be set and cleared multiple times. PR1413758

  • On SRX1500, SRX4100, SRX4200, SRX4600, and SRX5000 line of devices with SPC3 card, if SSL proxy is configured, the firewall FPC CPU might spike above 80 percent and traffic might be lost. PR1414467

  • The input and output bytes or BPS statistic values might not be identical for the same size of packets. PR1415117

  • The reth interfaces are now supported when configuring SSL decryption mirroring (mirror-decrypt-traffic interface). PR1415352

  • Traffic would be dropped if SOF is enabled in a chassis cluster in active/active mode. PR1415761

  • The command show security firewall-authentication jims statistics will output statistics of both the primary JIMS server and secondary JIMS server. PR1415987

  • Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093

  • The flowd process stops on the SRX5000 or SRX4000 lines of devices when large-size packets go through IPsec tunnel with the post-fragment check. PR1417219

  • Traffic logging shows service-name junos-dhcp-server for UDP destination port 68. PR1417423

  • Best path selected keeps changing at regular intervals even when no violation is reported. PR1417926

  • Blacklist compilation failed syslog message not in later releases. PR1418980

  • Group VPN IKE security associations cannot be established before RG0 failover. PR1419341

  • SSL proxy did not correctly warn users about unsupported certificates. PR1419485

  • AAMW diagnostic script gives incorrect error Error: Platform does not support SkyATP. PR1423378

  • The show security flow session session-identifier <sessID> command is not working if the session ID is bigger than 10 million on SRX4600 platform. PR1423818

  • PIM neighbors might not come up on SRX Series chassis cluster. PR1425884

  • When configuring a GRE tunnel (GRE-over-IPsec-tunnel) or an IPsec tunnel on an SRX Series device, the MTU of the tunnel interface is calculated incorrectly. PR1426607

  • The IPsec traffic going through the SRX5000 line of devices with SPC2 cards installed causes high SPU CPU utilization. PR1427912

  • Packet loss by FPGA backpressure on SPC3. PR1429899

  • The flowd process might stop on the SRX5000 line of devices. PR1430804

  • VPN traffic fails after primary node reboot or power off. PR1433336

  • SRX550M running Junos OS Release 18.4R1 shows PEM 1 output failure message, whereas with Junos OS Release 15.1X49 or Junos OS Release 18.1R3.3 it does not show any alarms. PR1433577

  • Intermittent packet drop might be observed if IPsec is configured. PR1434757

  • The second IPsec ESP tunnel might not be able to establish between two IPv6 IKE peers. PR1435687

  • On an SRX4600 device, core file generation might be observed and SPM might be in present state. PR1436421

  • The ipfd process might crash when SecIntel is used. PR1436455

  • Some webpages cannot be fully rendered. PR1436813

  • SPMC version mismatch errors after Junos OS install using USB method. PR1437065

  • The flowd or srxpfe process might crash when advanced anti-malware service is used. PR1437270

  • Member of dynamically created VLANs information is not displaying on show VLANs. PR1438153

  • Decryption traffic doesn’t take PMI path after IPsec rekey (initiated by peer) when loopback interface is configured as external interface. PR1438847

  • The flowd process stops and generates core files. PR1438445

  • Security logs cannot be sent to external syslog server through TCP. PR1438834

  • When llmd is rotating the database, there is a possibility that a read accesses a NULL db at the same time, which generates core files. PR1439186

  • The wmic process might stop and restart when using user firewall with Active Directory. PR1439538

  • The flowd process stops on SRX550 or SRX300 line of devices when an SFP transceiver is plugged in. PR1440194

  • Performance improvements were made to Screens, which benefit multi-socket systems. PR1440677

  • The IKE pass-through packet might be dropped after source has undergone NAT. PR1440605

  • While checking the flow session XML for source NAT under tenant, there is no value identifier for tenant-name (<tenant></tenant>). PR1440652

  • New CLI option to show only useful group information for an Active Directory user. PR1442567

  • SPC2 wrongly forwarded packet to SPC3 core0 and core14. PR1441234

  • The flowd or srxpfe process might crash when processing fragmented packets. PR1443868

  • The J-Flow version 5 stops working after changing input rate value. PR1446996

  • Packet loss happens during cold sync from secondary node after rebooting. PR1447122

  • SPC3 Talus FPGA stuck on 0x3D or 0x69 golden version. PR1448722

  • FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122

  • Traffic forwarding on Q-in-Q port and VLAN tagging is not observed properly on R0. PR1451474

  • The rpd process might stop and restart with an rpd core file created when committing the configuration. PR1451860

  • Removed commit peers and peers-synchronize command from SRX Series devices. PR1456661

Infrastructure

  • Increase in Junos OS image size for Junos OS Release 19.1R1. PR1423139

Installation and Upgrade

  • Junos OS upgrade fails when partition option is used on SRX Series devices. PR1449728

Interfaces and Chassis

  • Both nodes in the SRX Series chassis cluster go into DB mode after downgrading to Junos OS Release 18.1. PR1407295

  • Disabling the interface on the primary node causes traffic to get silently dropped through the secondary node. PR1424705

  • MTU change after a CFM session is up can impact L2 Ethernet ping (loopback messages). If the new change is less than the value in the initial incarnation then L2 Ethernet ping would fail. PR1427589

  • LFM remote loopback is not working as expected. PR1428780

  • The LACP interface might flap if performing a failover. PR1429712

Interfaces and Routing

  • The fxp0 interface might redirect packet not destined to itself. PR1453154

Intrusion Detection and Prevention (IDP)

  • IDP install fails on one node because AppID process gets stuck. PR1336145

  • IDP might crash with the custom IDP signature. PR1390205

  • Unable to configure dynamic-attack-group command. PR1418754

  • NSD fails to push security zone to the Packet Forwarding Engine after reboot, if there is an active IDP rule configured with FQDN. PR1420787

J-Web

  • J-Web now supports defining SSL proxy and redirect (block page) profiles when a policy contains dynamic applications. PR1376117

  • Risk report, when generated in IE browser, appears completely out of alignment and XML tags are displayed. PR1415767

  • J-Web configuration change for an address set using the search function results in a commit error. PR1426321

  • J-Web not working when logged in as read-only user. PR1428520

  • On SRX Series devices, J-Web incorrectly displays port mode access for the link aggregation interfaces despite them being configured with multiple VLAN IDs and port mode trunk. PR1430414

  • IRB interface is not available in zone option of J-Web. PR1431428

  • When J-Web is used, if you log in to J-Web and navigate to multiple pages frequently, some error messages would be seen. It has no impact to service or traffic. This affects only J-Web UI. PR1446081

  • The idle-timeout for J-Web access doesn't work properly. PR1446990

  • J-Web fails to display the traffic log in event mode when stream mode host is configured. PR1448541

Layer 2 Ethernet Services

  • IPv6 address default route might not be installed from the received router advertisement message. PR1411921

  • DHCP request might get dropped in DHCP relay scenario. PR1435039

Network Address Translation (NAT)

  • The nsd process might crash during SNMP query for deterministic NAT pool information. PR1436775

  • RTSP resource session is not found during NAT64 static mapping. PR1443222

  • A port endian issue in SPU messages between SPC3 and SPC2 results in one redundant NAT binding being created in central point when one binding is allocated in SPC2 SPC. PR1450929

Network Management and Monitoring

  • The set system no-redirects setting does not take effect for the reth interface. PR894194

  • MIB OID dot3StatsDuplexStatus shows wrong status. PR1409979

  • Partial traffic might get dropped on an existing LAG. PR1423989

  • SNMPD might generate core files after restarting NSD process by restart network-security gracefully. PR1443675

  • Control links are logically down on SRX Series chassis cluster when software version is Junos OS Release 12.3X48. PR1458314

Platform and Infrastructure

  • Memory leak might occur on the data plane during composite next-hop installation failure. PR1391074

  • The show security flow session command fails with error messages when SRX4600 has over a million routing entries. PR1408172

  • On SRX1500 platform, traffic is blocked on all interfaces after configuring the interface-mac-limit command on one interface. PR1409018

  • Complete device outage might be seen when an SPU VM core file is generated. PR1417252

  • Some applications might not be installed during upgrade from an earlier version that does not support FreeBSD 10 to a FreeBSD 10-based system. PR1417321

  • On SRX Series device, the flowd process might stop. PR1417658

  • Routing Engine CPU utilization is high and eventd process is consuming a lot of resources. PR1418444

  • On SRX4600 device, commit failed while configuring 2047 VLAN IDs on the reth interface. PR1420685

  • SPC in slot1 of node0 remained in offline state for more than 1 hour after the cluster was upgraded from Junos OS Release 18.2R2-S1.3 to Junos OS Release 18.2X41.1. PR1423169

  • Screen sync cookie causes 100 percent CPU utilization across all SPC3 cards of SRX5800, when packet rate is high. PR1425332

  • The ipfd process might crash if the security intelligence feature is configured. PR1425366

  • Alarms triggered due to high temperature when operating within expected temperatures. PR1425807

  • The PICs might go offline and split-brain might be seen when interrupt storm happens on internal Ethernet interface em0 or em1. PR1429181

  • REST API does not work properly. PR1430187

  • Uneven distribution of CPU with high PPS on device. PR1430721

  • Packet Forwarding Engine crashes might be seen on SRX1500 platform. PR1431380

  • The false license alarm might be seen even if there is a valid license. PR1431609

  • The interface using LACP flaps when the Routing Engine is busy. PR1435955

  • LACP traffic is distributed evenly on ingress child links but not on egress links. PR1437098

  • The ksyncd process might crash and restart on SRX Series devices. PR1440576

  • The configured RPM probe server hardware timestamp does not respond with correct timestamp to the RPM client. PR1441743

  • The show security flow session command fails, generating an error message, when an SRX4100 or SRX4200 has around 1 million routing entries in the FIB. PR1445791

  • LACP cannot work with the encapsulation flexible-ethernet-services configuration. PR1448161

  • The REST API process becomes nonresponsive when a number of requests arrive at a high rate. PR1449987

Routing Policy and Firewall Filters

  • Memory leak in nsd causes configuration change to not take effect after a commit. PR1414319

  • The flowd process stops on SRX Series devices while deleting a lot of policies from Junos Space. PR1419704

  • The NSD process might crash due to a memory corruption issue. PR1419983

  • A commit warning is now presented to the user when a traditional policy is placed below a unified policy. PR1420471

  • The dynamic-address summary's IP entry count does not include IP entries in the root logical system. PR1422525

  • After a new alarm is created, the NSD process fails to restart because subcomponents fail. PR1422738

  • DNS cache entry does not time out from device even after TTL=0. PR1426186

  • The ipfd generates a core file while scaling. PR1431861

  • An SRX1500 device allows only a maximum of 256 policies with counting enabled. PR1435231

  • Two ipfd processes appear in ps command and the process pauses. PR1444472

  • On all SRX Series devices that have a policy counter configured, there is a potential risk that the network security process (NSD) on the Routing Engine cannot communicate with its Packet Forwarding Engine counterpart (NSD-PFE) after a chassis cluster failover, a control link going down, or a Packet Forwarding Engine restart. At that point, it can no longer respond to network-security related commands and cannot complete coldsync for a newly joined node in a chassis cluster environment. PR1458639

Services Applications

  • The flowd process stops when an SRX5800 device works in SPC3 mixed mode with 1 SPC3 card and 7 SPC2 cards. PR1448395

  • In rare conditions, the SRX device Platform and Forwarding Engine might generate a core file because corrupted or malformed long HTTP messages (over 64,000 bytes) hit a security policy that is attached to an ICAP redirect policy. PR1460035

Unified Threat Management (UTM)

  • On SRX Series devices, when using Unified Policies and Web filtering (EWF) without SSL proxy, the Server Name Indication (SNI) might not be identified correctly and the RT_UTM logs record incomplete information. PR1410981

  • The device might not look up the blacklist first in the local Web filtering environment. PR1417330

  • Unable to achieve better Avira antivirus TP on SRX4600 as mbuf high watermark is reached. PR1419064

  • UTM Web filtering status shows down when using Hostname [routing-instance synchronization failure]. PR1421398

  • When using Unified Policies, the base-filter for certain UTM profiles might not be applied correctly. PR1424633

  • The custom-url-categories are now pushed correctly to the Packet Forwarding Engine under all circumstances. PR1426189

  • The command show security utm web-filtering status now provides additional context when the status of EWF is down. PR1426748

  • Memory issue due to SSL proxy whitelist or whitelist URL category. PR1430277

  • Adjust core allocation ratio for on-box antivirus. PR1431780

User Interface and Configuration

  • Tenant system administrator cannot view its configuration with empty database message when using groups. PR1422036

VPNs

  • On SRX1500 device, when configuring IPsec VPN and BGP simultaneously, the kmd process might stop and generate a core file if BGP peers reach approximately 350. All of the VPN tunnels will be disconnected during the pause. PR1336235

  • IPsec SA inconsistent on SPCs of node0 and node1 in chassis cluster. PR1351646

  • Tunnel flapping is seen after doing RG0 failover. PR1357402

  • SPC3 IKE SA detail output is not showing proper traffic statistics. PR1371638

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, the show security ike security-association detail command does not display local IKE-ID field correctly. PR1388979

  • With a large number of IPsec tunnels established, a few tunnels might fail during rekey negotiation if the SRX Series device initiates the rekey. PR1389607

  • Idle IPsec VPN tunnels without traffic and with ongoing DPD probes can be affected during RG0 failover. PR1405515

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds. PR1409855

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when SRX Series device is configured to initiate IKEv2 reauthentication when NAT traversal is active, occasionally reauthentication might fail. PR1414193

  • The iked process does not handle the case in which a remote gateway address is configured as an IPv6 address while the local interface where the tunnel is anchored has an IPv4 address, and core files might be generated. PR1416081

  • The flowd/srxpfe process might stop when traffic selector is used for IPsec VPN. PR1418984

  • The IKED process might stop when IKE and IPsec SA rekey happens simultaneously. PR1420762

  • The 4G network connection might not be established if LTE mPIM card is in use. PR1421418

  • Tenant system administrator can change VLAN assignment beyond the allocated tenant system. PR1422058

  • The show security ike sa detail command shows incorrect values in the IPsec security associations column. PR1423249

  • IPsec packet throughput might be impacted if NAT-T is configured and the fragmentation operation of post fragment happens. PR1424937

  • On SRX Series devices with SPC3, the device does not send IKE delete notification to the peer if the traffic selector configuration is changed. PR1426714

  • The kmd process stops and generates a core file after running the show security ipsec traffic-selector command. PR1428029

  • In SPC3 and SPC2 mixed mode, IPsec SA is not getting cleared by executing the clear security ipsec sa command. PR1428082

  • On the SRX5000 line of devices with SPC3, with P2MP and IKEv1 configured, if negotiation fails on the peer device, then multiple IPsec SA entries are created on the device if the peer keeps triggering a new negotiation. PR1432852

  • The IPsec rekey trigger for when the sequence number in AH and ESP packets is about to be exhausted does not work. PR1433343

  • The kmd log shows resource temporarily unavailable repeatedly and VPNs might be down. PR1434137

  • On SRX Series devices, fragments exit VPN traffic earlier than required by ingress packet sizes. PR1435700

  • The IKED crashes on SRX5000 line of devices with SPC3 when IPsec VPN or IKE is configured. PR1443560

  • The IPsec VPN traffic drop might be seen on SRX Series platforms with NAT-T scenario. PR1444730

  • IPsec tunnels with distribution profile configuration are renegotiated after an RG0 failover is performed on SRX5000 line of devices with SPC3. PR1446078

  • After a long time (a few hours) of traffic during mini PDT test, the number of IPsec tunnels is much higher than expected. PR1449296

  • IPsec VPN tunnels are losing routes for traffic selector randomly while the tunnel is still up, causing complete outage. PR1456301

Resolved Issues: 19.1R1

Application Security

  • Fail to match permit rule in AppFW rule set. PR1404161

Application Layer Gateways (ALGs)

  • DNS requests with the EDNS option might be dropped by the DNS ALG. PR1379433

  • The H.323 protocol voice packets might be dropped. PR1400630

Chassis Clustering

  • Traffic loss occurs when the primary node is rebooting. PR1372862

  • If using SRX Series chassis cluster and configuring four 100-Gigabit Ethernet interfaces on PIC 0, all the four interfaces might be down. PR1387701

  • Traffic cannot pass through cross tenants after ISSU from Junos OS Release 18.3 to Junos OS Release 18.4. PR1382467

  • The flowd process might stop if doing an ISSU upgrade. PR1386522

  • The VDSL is not stable if there are sudden noises after configuring VDSL SOS feature. PR1387133

  • ISSU status with error from Junos OS Release 18.2R1-S1 or Junos OS Release 18.2R1-S2 to Junos OS Release 18.2R1-S3. PR1387947

  • The cluster IDs larger than 10 will cause FPCs to remain in offline on SRX4600 chassis cluster. PR1390202

  • The MACsec on a physical port might not initialize properly when a new node is joined to the chassis cluster. PR1396020

  • The flowd process stops if updating or deleting a GTP tunnel. PR1404317

Flow-Based and Packet-Based Processing

  • AppID classification logic has been improved for NetBIOS and RPC. PR1357093

  • Control traffic loss may be seen on SRX4600 platform. PR1357591

  • The Application identification (AppID) is supported for HTTP, SMTPS, POP3S, and IMAPS protocols. PR1365810

  • When activating security flow traceoptions, the unfiltered traffic is captured. PR1367124

  • Support for intelligent CLI-based autocomplete is added to secure-wire. PR1372825

  • The pkid process might stop after RG0 failover. PR1379348

  • The reth interface flaps after doing an ISSU update. PR1381475

  • Large file downloads slow down for many seconds. PR1386122

  • Traffic might be processed by the VRRP backup when multiple VRRP groups are configured. PR1386292

  • Traffic might be stopped after session created on SRX4600 platform. PR1388735

  • The SRX Series device does not send frag needed and DF set messages back to the source host during path MTU discovery. PR1389428

  • Packet loss might occur on unrelated traffic when AppQoS rate-limiter is applied on SRX4600 and SRX5000 platform using SPC3. PR1394085

  • Request to display dropped-illegal-packet and dropped-icmp-packet configuration options. PR1394720

  • Switching interface mode between family ethernet-switching and family inet/inet6 might cause traffic loss. PR1394850

  • These messages are seen: /kernel: tcp_timer_keep:Local(0x80000004:54652) Foreign(0x80000004:33160). PR1396584

  • The SRX Series device's connection to JIMS keeps flapping, causing failover to the secondary JIMS. PR1398140

  • On SRX4600 and SRX5000 devices, BGP packets might be dropped under high CPU usage. PR1398407

  • VLAN push might not work on SRX1500. PR1398877

  • Increase DAG feed scale number to 256 from 63. PR1399314

  • The authd process might crash when issuing show network-access requests pending command during the authd restarting. PR1401249

  • Unable to access SRX Series platforms if the messages kern.maxfiles limit exceeded by uid 65,534, please see tuning(7) are seen. PR1402242

  • Downloads may stall and/or completely fail when utilizing services that are reliant on TCP proxy. PR1403412

  • Transit UDP 500/4500 traffic might not pass across SRX5000 Series devices when using SPC3/SPC2. PR1403517

  • ISSU failed from Junos OS Release 18.3R1.9 to Junos OS Release 18.4R1.4. PR1405556

  • The flowd process crashes and all cards are brought off. PR1406210

  • The RG1 failover does not happen immediately when the SPC3 card crashes. PR1407064

  • The session capacity of SRX340 does not match that of SRX345. PR1410801

Integrated User Firewall

  • Future group membership updates are not recognized by IUFW after a user’s sAMAccountName is changed while the distinguished name (DN) remained the same. PR1394049

Interfaces and Routing

  • IPv4 multicast packets might not be broadcasted from the IRB interface on SRX1500 device. PR1385934

  • SRX4600 10-gigabit Interface optics diagnostic access issue. PR1395806

  • The 40-Gigabit and 100-Gigabit Ethernet ports may take a long time (about 30 s) to link up on SRX4600 platform. PR1397210

  • High jsd or na-grpcd CPU usage might be seen when JET or JTI is not used. PR1398398

  • SRX Series device cannot obtain IPv6 address through DHCPv6 when using a PPPoE interface with logical unit number greater than 0. PR1402066

Intrusion Detection and Prevention (IDP)

  • Unable to deploy IDP because the IDP configuration cannot be committed. PR1374079

  • Performance drops are seen in SRX345 and SRX340 platforms for IDP C2S policy. PR1395592

Installation and Upgrade

  • Junos OS Release 18.3R1 cannot be installed using TFTP in boot loader on SRX300 platforms. PR1390858

J-Web

  • On SRX Series platforms, the root password configured at first J-Web access (Skip to J-Web) does not work if password length is shorter than eight characters. PR1371353

  • In the J-Web dashboard, the Security Resources widget did not display absolute values. This is now corrected. PR1372826

  • Excluded addresses within J-Web Security Policy editor were not sufficiently differentiated versus normal addresses. They are now highlighted red for ease of identification. PR1376112

  • The next-hop IP address is not displayed in the routing table in the J-Web. PR1398650

  • J-Web pages do not load after login with a logical-system-specific user. PR1396879

  • Special character used in the preshared key is removed silently after a commit operation on J-Web. PR1399363

  • Configuring using the CLI Editor in the J-Web generates an mgd core file. PR1404946

  • The httpd-gk process crashes, leading to dynamic VPN failures and high Routing Engine CPU utilization (100 percent). PR1414642

Layer 2 Ethernet Services

  • DHCPv6 clients might fail to get addresses on SRX Series platforms. PR1392723

Multiprotocol Label Switching (MPLS)

  • BGP and OSPF flapped to cause traffic loss with RPD core on SRX550M cluster. PR1366575

Network Address Translation (NAT)

  • The SRX Series devices might send the noSuchInstance value to the SNMP server in get-response during commit. PR1357840

  • NAT64 and traceroute do not work correctly on an SRX Series device. PR1376890

  • SPC3 mix mode NAT core at ../sysdeps/unix/sysv/linux/raise.c:55. PR1403583

Platform and Infrastructure

  • High httpd utilization after reboot failover. PR1352133

  • Many chassis commands missing. PR1363645

  • IP monitoring failure resulting in multiple interfaces disappearing from forwarding table. PR1371500

  • Some error messages could be seen when running show interface extensive command from CLI or Junos Space. PR1380439

  • Traffic loss seen in Layer 2 VPN with GRE tunnel. PR1381740

  • Redundancy group failover caused by interface monitoring failure is slow to master state at PFE. PR1385521

  • Login class with allowed-days and specific access-start/access-end does not work as expected. PR1389633

  • GW lcores and srxpfe cores at ../src/pfe/usp/rt/applications/ipsec/ipsec_rt_forge_util.c:59 when loading 18.4 image. PR1392580

  • The flowd process crashes if it goes into a dead loop. PR1403276

  • HA failed with the failure code HW after loading the image. PR1406029

Routing Policy and Firewall Filters

  • When SSL-Forward-Proxy is configured in a unified policy along with the action of Reject+Redirect, a block page was not presented to the user for HTTPS sites. PR1375823

  • The show security flow session command now fully supports the dynamic-application construct. PR1387449

  • The nsd process crashes and generates a core file. PR1388719

Routing Protocols

  • vFPC may continuously crash on vMX platform. PR1364624

Services Applications

  • SRX5600 HA SPC2, the ICAP redirect objects are in use even after clearing TCP sessions. PR1390835

Software Installation and Upgrade

  • Fan speed goes up and down continuously on SRX1500. PR1335523

Unified Threat Management (UTM)

  • Source and destination zone information are added in the UTM log. PR1326271

  • EWF server status shows UP when 443 is specified as server port. PR1383695

  • Whitelist/Blacklist does not work for HTTPS traffic going through the Web proxy. PR1401996

  • On SRX Series, when configuring Enhanced Web Filtering on the CLI, the autocomplete function did not properly handle or suggest custom categories. PR1406512

  • On SRX Series, when using Unified Policies and Web filtering (EWF) without SSL-Proxy in Junos OS Release 18.4R1, the Server Name Indication (SNI) may not be identified correctly and the RT_UTM logs record incomplete information. PR1410981

VPNs

  • ISSU from Junos OS Release 15.1X49-D120 to Junos OS Release 15.1X49-D130 results in a KMD core at 0x08228b83 in iked_advpn_timer_cb_delete_inactive_shortcut_tunnel (timer_ctx=0x99d8000) at ../../../../../../src/usp/usr.sbin/iked/core/iked_advpn.c:227. PR1340973

  • Dot usage in CA profile name causes issues when the pkid process is restarted. PR1351727

  • A few VPN tunnels do not forward traffic after RG1 failover. PR1394427

  • The kmd process might crash when SNMP polls for the IKE SA. PR1397897

  • VPN does not recover on the high-end standalone SRX Series device when CLI operation restart ipsec-key-management is done. PR1400712

  • Syslog is not generated when the ike gateway rejects a duplicate IKE ID connection. PR1404985

  • Not all the tunnels are deleted when the authentication algorithm in IPsec proposal is changed. PR1406020

  • Multiple flowd core files are observed with IPsec acceleration with fragmentation traffic. PR1407910

  • Traffic drops on peer due to bad SPI after first re-authentication. PR1412316

Documentation Updates

There are no errata or changes in Junos OS Release 19.1R3 documentation for the SRX Series.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one Junos OS Release to the next release or one release after the next release. For example, you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, from Junos OS Release 17.4 to Release 18.1 or 18.2, from Junos OS Release 18.1 to Release 18.2 or 18.3, and so on.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.