Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for SRX Series

 

These release notes accompany Junos OS Release 19.2R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.

New and Changed Features: 19.2R3

There are no new features in Junos OS Release 19.2R3 for the SRX Series devices.

New and Changed Features: 19.2R2

Intrusion Detection and Prevention (IDP)

  • HTTP X-Forwarded-For header support in IDP (SRX Series)—Starting in Junos OS Release 19.2R2, we've introduced the log-xff-header option to record the x-forward-for header (xff-header) information. When this option is enabled. During the traffic flow, IDP saves the source IP addresses (IPv4 or IPv6) from the contexts for HTTP and SMTP traffics and displays in attack logs.

    The xff-header is not processed unless it’s enabled through sensor-configuration.

    • To enable the xff-header, use the set security idp sensor-configuration global log-xff-header command.

    • To disable the xff-header, use the delete security idp sensor-configuration global log-xff-header command.

    In previous releases, when you accessed the internet, to lessen the external bandwidth the servers used transparent proxies. It was difficult to identify the originating source IP address because the proxy server converted it into an anonymous source IP address.

    [See Understanding Multiple IDP Detector Support.]

New and Changed Features: 19.2R1-S1

Routing Protocols

  • Decouple RSVP for IGP-TE (MX Series, PTX Series, ACX Series, QFX Series, SRX Series, and EX Series)—Starting in Junos OS Release 19.2R1-S1, device can advertise selective traffic-engineering attributes such as admin-color and maximum-bandwidth, without enabling RSVP, for segment routing and interior gateway protocol (IGP) deployments.

New and Changed Features: 19.2R1

Application Security

  • Application-based multipath support (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 19.2R1, application-based multipath routing is supported on SRX Series devices.

    Multipath routing allows the sending device to create copies of packets and to send each copy through two or more WAN links. On the other end, multipath calculates the jitter and packet loss for the combined links and estimates the jitter and packet loss for the same traffic on individual links. You can compare the reduction in packet loss when combined links instead of individual links are used. Sending multiple copies of traffic ensures timely delivery of the sensitive application traffic.

    Multipath support in SD-WAN use cases enhances application experience.

    [See Application Quality of Experience.]

  • Application-level logging for AppQoE (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 19.2R1, SRX Series devices support application-level logging for AppQoE. This feature reduces the impact on the CSO or log collector device while processing a large number of system log messages generated at the session-level. The SRX Series device maintains session-level information and provides system log messages for the session level. Replacing session-level logging with application-level logging decreases the overhead on the SRX Series device and increases AppQoE throughput.

    [See AppQoE.]

  • Secure Web proxy (SRX Series and vSRX)—Starting in Junos OS Release 19.2R1, SRX Series devices support secure Web proxy service.

    The secure Web proxy feature enables you to specify dynamic Web applications for which the system performs proxy service. In this deployment, the SRX Series device receives a request from the client, examines the HTTP header for the application, and redirects the request directly to the webserver based on the application.

    As a result, the SRX Series device performs transparent proxy between the client and the webserver for the specified applications and provides better quality of service for the application traffic.

    [See SSL Proxy.]

  • Application identification of micro-applications (SRX Series, vSRX)—Starting in Junos OS Release 19.2R1, SRX Series devices support micro-applications with the application identification (AppID) feature.

    AppID detects the applications at the subfunction level on your network and the security policy leverages the application identity information determined from the AppID module. After a particular application is identified, an action such as permit, deny, reject, or redirect is applied to the traffic according to the policy configured on the device.

    [See Application Identification.]

  • JDPI-Decoder engine version upgrade (SRX Series)—Starting in Junos OS Release 19.2R1, the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) engine comes with a default application signature package version 999 that includes the protobundle version 1.380.0-64.005 and the JDPI-Decoder engine version 5.3.0-56. You can also upgrade the application signature package when a new signature package version is available.

    [See show services application-identification status.]

Flow-Based and Packet-Based Processing

  • PowerMode IPsec fragment support (SRX4100, SRX4200, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 19.2R1, PowerMode IPsec (PMI) is enhanced to handle the incoming and outgoing fragment packets in first path or fast path processing.

    PMI supports first path and fast path processing both for fragment handling and for unified encryption. You can enable PowerMode IPsec processing by using the set security flow power-mode-ipsec command.

    See [Improving IPsec Performance with PowerMode IPsec.]

  • Multiple J-Flow Server (SRX Series) —On SRX Series devices, the J-Flow version 9 can export flow records to only one collector. Starting from Junos OS Release 19.2R1, the J-Flow version 9 can configure up to 4 collectors under a family.

    Packet Forwarding Engine exports flow record, flow record template, option data, and option data template packet to up to four collectors under a family. The template that is mapped, and the export version across the collectors under a family should be same.

  • Per-flow CoS support for GTP-U in PMI mode (SRX5000 line of devices with SPC3)— Starting in Junos OS Release 19.2R1, Junos OS supports per-flow CoS functions for GTP-U traffic in PowerMode IPsec (PMI) mode. This feature introduces tunnel endpoint identifier (TEID)-based hash distribution for creating GTP-U sessions to multiple cores on the anchor PIC when both PMI and IPsec session affinity are enabled. TEID-based hash distribution helps split a fat GTP session into multiple slim GTP sessions and process them on multiple cores in parallel. With this enhancement, per-flow CoS for GTP-U traffic is enabled even when the traffic carries multiple streams with different DSCP code within one GTP tunnel.

    [See PMI Flow Based CoS functions for GTP-U.]

Intrusion Detection and Prevention (IDP)

  • Support for IDP intelligent inspection (SRX Series and vSRX)—Starting in Junos OS Release 19.2R1, you can enable IDP intelligent inspection and tune it dynamically to reduce IDP inspection load. IDP intelligent inspection helps the device to recover from overload state when the configured CPU and memory threshold values exceed the resource limits. Prior to Junos OS Release 19.2R1, when the device exceeds the configured CPU and memory threshold limit, IDP either rejects or ignores new sessions.

    [See IDP Intelligent Inspection.]

Juniper Sky ATP

  • Juniper Sky ATP Support for Encrypted Traffic Inspection and Server Name Identification—Starting in Junos OS 19.2, SRX Series devices support inspection of encrypted traffic (HTTPS) in security-intelligence policies. Server name identification (SNI) checks are also supported. Note that these changes do not introduce any new CLI commands. All existing commands and configurations can make use of this expanded functionality.

Junos Telemetry Interface

  • Support for JTI (SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 19.2R1, you can stream statistics through junos telemetry interface (JTI) to an outside collector using remote procedure call (gRPC) services. gRPC is a protocol for configuration and retrieval of state information.

    JTI supports the following sensors:

    • Log messages (resource path /junos/events)

    • Border Gateway Protocol (BGP) peer information (resource path /network-instances/network-instance/protocols/protocol/bgp/)

    • Memory utilization for a routing protocol task (resource path /junos/task-memory-information/)

    • Operational state of hardware components (resource path /components/)

    • Operational state of the AE interface (resource path /lacp/)

    • Operational state of Ethernet interfaces enabled with Link Layer Discovery Protocol (LLDP) (resource path /lldp/)

    • Address Resolution Protocol (ARP) statistics (resource path /arp-information/)

    • Routing Engine internal interfaces, such as fxp0, em0, and em1 (resource path /interfaces/interface[name=' interface-name ‘]/)

    • Network Discovery Protocol (NDP) table state (resource path /nd6-information/)

    • NDP router advertisement statistics (resource path /ipv6-ra/)

    • Intermediate System to Intermediate System (IS-IS) protocol statistics (resource path /network-instances/network-instance/protocols/protocol/isis/levels/level/)

    • IS-IS protocol (resource path /network-instances/network-instance/protocols/protocol/interfaces/interface isis/levels/level/)

    [See Guidelines for gRPC Sensors (Junos Telemetry Interface).]

J-Web

  • Threats Map (Live) (SRX Series except SRX5000 line of devices and vSRX)—Starting in Junos OS Release 19.2R1, you can monitor Threat Maps (Live). You can view blocked and allowed threat events based on feeds from intrusion prevention systems (IPSs), antivirus, antispam engines, Juniper Sky ATP, and screen options. You can also choose a country and view the total threat events for that country since midnight, followed by the number of inbound and outbound threat events, and see the top five IP addresses, either inbound or outbound. With View Details, you can see the additional details of the selected country.

    [See Monitor Threats Map (Live).]

  • Quick Setup wizard enhancement (SRX Series except SRX5000 line of devices)—Starting in Junos OS Release 19.2R1 after the configuration is completed, you see a notification message when you access J-Web again through a new browser tab or window with the configured IPv4 or IPv6 address.

    [See Understanding the J-Web CLI Terminal.]

  • Getting Started panel (SRX Series)—Starting in Junos OS Release 19.2R1, you have quick access to the important configurations using a Getting Started panel on the J-Web UI. For logical systems users and tenant users, this option is available only in SRX1500, SRX4100, SRX4200, SRX4600, and SRX5000 line of devices.

    By default, this panel appears when you log in. If you choose Don’t show this again, then you can access this panel using the help (?) icon.

    [See Security J-Web Getting Started.]

  • HA Mode wizard (SRX Series)—Starting in Junos Release 19.2R1, you can configure chassis cluster using a new HA Mode wizard when the devices are in factory default. You can create HA using the same wizard from Configure > Device Settings > Cluster (HA) Setup when the devices are already in the network.

    [See Configuring Cluster (HA) Setup.]

  • IPS Sensor enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, you can configure IP Sensor using the following settings:

    • Basic—Supports protection mode, IDP intelligent inspection, and basic IDP flow configuration.

    • Advanced—Supports IDP flow, global, IPS, log, reassembler, and packet log configuration.

    • Detectors settings—Supports the configuration for a specific service. You can also add or edit the configuration inline.

    [See Sensor Configuration Page Options.]

  • Active Directory enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, for SRX4200, SRX1500, SRX550M, and vSRX, and for the SRX5000 and SRX300 lines of devices, you can configure the integrated user firewall in a maximum of two domains. For the other SRX Series devices, you can create only one domain.

    [See Configuring Active Directory.]

  • Certificate management enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, you can now configure device certificates, trusted certificate authorities (CAs), and CA groups. You can view information about the local certificate, trusted CA profiles, and CA groups that are configured on the device. You can manually generate self-signed certificate. You can enroll online, export, import, manually load, and delete the local certificate or certificate signing request (CSR).

    [See Managing Device Certificates.]

  • Forwarding mode enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, flow mode is the default mode for processing traffic. You can now configure an SRX Series devices as a border router by changing the flow-based processing to packet-based processing.

    [See Forwarding Configuration Page Options.]

  • Dashboard enhancement (SRX Series except SRX5000 line of devices)—Starting in Junos OS 19.2R1, you can view the Web filtering, Antispam, Content filtering, Application & Users, and Threat monitoring widgets in the J-Web dashboard for root, logical systems, and tenant users.

    [See Monitoring the Dashboard.]

  • Security policy rules enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, when you create rules for the destination traffic, you can:

    • Add an application or application group for a dynamic application using the Add New Application/Group button.

    • Add a service for Service(s) using the Add New Service button.

    [See Configuring Firewall Security Policy Rules.]

  • Monitoring firewall events enhancement (SRX Series except SRX5000 line of devices)—Starting in Junos OS Release 19.2R1, you can now see that an application displays the same value as a nested application (if the application supports nested applications).

    [See Monitoring Firewall Events.]

  • Monitoring events enhancement (SRX Series except SRX5000 line of devices)—Starting in Junos OS Release 19.2R1, you can monitor the following new events:

    • ATP—Top Malware Source Countries, Infected File Categories, and Malwares Identified widgets are shown in the chart view and detailed advanced anti-malware (AAMW) logs are shown in the grid view.

    • Security Intelligence—Top Infected Hosts and C&C Servers widgets are shown in the chart view and detailed secintel logs are shown in the grid view.

    • Screens—Top Screen Attacks, Screen Victims, and Screen Hits widgets are shown in the chart view and detailed screen logs are shown in the grid view.

    [See Monitoring ATP Events, Monitoring Security Intelligence Events, and Monitoring Screen Events.]

  • Juniper Sky ATP enrollment enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, you can view the detailed enrollment steps on the SKY ATP Enrollment page.

    [See Sky ATP Enrollment.]

  • Link aggregation enhancement (Standalone SRX Series)—Starting in Junos OS Release 19.2R1, VLAN tagging is enabled by default when you add an AE interface.

    [See Link Aggregation Configuration Page Options.]

  • OSPF enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, you can configure OSPF area in two ways:

    • Basic—You can add new routing instances.

    • Advanced—You can group a policy and trace options.

    [See OSPF Configuration Page Options.]

  • VLAN enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, Bridge domain is the new name for VLANs in Layer 2 transparent mode. You can assign an interface for the created VLANs. You can view all the available VLANs with their IDs, interfaces assigned, and status.

    [See VLAN Configuration Page Options.]

Logical Systems and Tenant Systems

  • Starting in Junos OS Release 19.2R1, the following features that are supported on the logical systems are now extended to tenant systems:

    • Default routing-instance support for tenant systems (SRX Series)—Starting in Junos OS Release 19.2R1, you can use the ping, telnet, ssh, traceroute, show arp, clear arp, show ipv6 neighbors, and clear ipv6 neighbors commands to pass the virtual router configured in a tenant system as a default routing instance.

      [See Tenant Systems Overview.]

    • UTM support for tenant systems (SRX Series)—Starting in Junos OS Release 19.2R1, SRX Series devices support unified threat management (UTM) on tenant systems. Use the set utm default-configuration command under the [edit security] hierarchy level to create a default UTM profile for tenant systems. Configure policies, profiles, and custom objects for each tenant system in the UTM profile.

      [See UTM for Tenant Systems.]

    • On-box logging support for tenant systems (SRX Series)—Starting in Junos OS Release 19.2R1, SRX Series devices support on-box logging configurations for each tenant system, and handle logs based on these configurations. Configure the set log mode event and set log mode stream commands under the [edit security] hierarchy level to enable on-box logging. Tenant systems also support binary format log in event mode.

      [See Security Log for Tenant Systems.]

    • IDP for tenant systems (SRX Series and vSRX)—Starting in Junos OS Release 19.2R1, tenant systems support intrusion detection and prevention (IDP). The IDP policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a tenant system.

      [See IDP for Tenant Systems.]

Network Management and Monitoring

  • Support for displaying valid user input in the CLI for command options and configuration statements in custom YANG data models (SRX Series)—Starting in Junos OS Release 19.2R1, the CLI displays the set of possible values for a given command option or configuration statement in a custom YANG data model when you include the action-expand extension statement in the option or statement definition and reference a script that handles the logic. The action-expand statement must include the script child statement, which defines the Python action script that is invoked when a user requests context-sensitive help in the CLI for the value of that option or statement.

    [See Displaying Valid Command Option and Configuration Statement Values in the CLI for Custom YANG Modules.]

Security

  • Support to configure micro-applications in a unified policy (SRX Series and vSRX)—Starting in Junos OS Release 19.2R1, you can configure micro-applications in a unified policy. Micro-applications are subfunctions of a particular application.

    You can configure micro-applications at the same hierarchy as predefined dynamic applications in a security policy and take the action based on the policy rules.

    [See Configuring Micro-Applications in Unified Policies.]

Unified Threat Management (UTM)

  • SRX5K-SPC3 support Avira scan engine on antivirus module (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 19.2R1, SRX Series devices support an on-device antivirus Avira scan engine. The on-device antivirus Avira scan engine scans the data by accessing the virus pattern database. The antivirus scan engine is provided as a unified threat management (UTM) module that you can download and install on an SRX Series device either manually or by using the Internet to connect to a Juniper Networks-hosted URL or a user-hosted URL.

    Note

    The SRX5000 line of devices with SRX5K-SPC-4-15-320 or SRX5K-SPC-2-10-40 cards do not support the on-device antivirus Avira scan engine.

    [See On-Device Antivirus Scan Engine.]

VPN

  • PIM using point-to-multipoint mode support for AutoVPN and Auto Discovery VPN (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, and vSRX)—Starting in Junos OS Release 19.2R1, Protocol Independent Multicast (PIM) using point-to-multipoint (P2MP) mode supports AutoVPN and Auto Discovery VPN in which a new p2mp interface type is introduced for PIM. The p2mp interface tracks all PIM joins per neighbor to ensure that multicast forwarding or replication happens only to those neighbors that are in joined state. In addition, the PIM using point-to-multipoint mode supports chassis cluster mode.

    [See Multicast Overview, Understanding AutoVPN, Understanding Auto Discovery VPN, and Understanding Multicast Routing on a Chassis Cluster.]

  • PowerMode IPsec for NAT-T (SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 19.2R1, SRX Series devices equipped with SRX5K-SPC3 Services Processing Cards (SPCs) support PowerMode IPsec (PMI) for Network Address Translation-Traversal (NAT-T).

    [See Understanding PowerMode IPsec.]

  • IPsec Distribution Profile (SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 19.2R1, you can manage the tunnel distribution through the configuration. You can create a profile for a VPN object to handle the distribution of tunnels. In a profile, mention the slot and thread-id where the tunnels from the VPN object should be distributed. The same profiles can be used for different VPN objects.

    To add profiles for distributing IPsec SAs, use the new distribution-profile profile-name statement.

    [See IPsec Distribution Profile and distribution-profile.]

  • Anti-replay window (SRX Series 5000 line of devices with SPC3 cards)—Starting from Junos OS Release 19.2R1, you can configure the anti-replay window size within the range of 64 to 8192 (power of 2). If you do not configure the anti-replay window size, the default window size remains as 64.

    To configure the window size, use the new anti-replay-window-size option.

    [See Replay Protection.]

What's Changed

Learn about what changed in Junos OS main and maintenance releases for SRX Series.

Release 19.2R3 Changes in Behavior and Syntax

Network Management and Monitoring

  • Packet Forwarding Engine data display command (SRX Series)— Starting in Junos OS Release 19.2R3, you can now view the Packet Forwarding Engine data using the usp flow config and usp flow stats options for the show pfe data command.

Juniper Sky ATP

  • Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 19.2R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).

Release 19.2R2 Changes in Behavior and Syntax

Authentication and Access Control

  • Enhanced user firewall support—In Junos OS Release 19.2R2, for SRX300 devices with eUSB (SRX300, SRX320, SRX340, and SRX345), the SRX Series user firewall (UserFW) module tries to synchronize user entries from the domain controller or Juniper Identity Management Service (JIMS) after booting up. If the historical login events expired on the domain controller, then the SRX Series UserFW module is unable to retrieve those user entries after the UserFW module boots up.

    [See User Authentication Entries in the ClearPass Authentication Table.]

  • SSH protocol version v1 option deprecated from CLI (SRX Series)—Starting in Junos OS Release 19.2R2, we’ve removed the nonsecure SSH protocol version 1 (v1) option from the [edit system services ssh protocol-version] hierarchy level. You can use the SSH protocol version 2 (v2) as the default option to remotely manage systems and applications. With the v1 option deprecated, Junos OS is compatible with OpenSSH 7.4 and later versions.

    Junos OS releases earlier than Release 19.2R2, continue to support the v1 option to remotely manage systems and applications.

    [See protocol-version.]

  • Enabling and disabling SSH login password or challenge-response authentication (SRX Series)—Starting in Junos OS Release 19.2R2, you can disable either the SSH login password or challenge-response authentication at the [set system services ssh] hierarchy level.

    In Junos OS releases earlier than 19.2R2, you can enable or disable both SSH login password and challenge-response authentication simultaneously at the [set system services ssh] hierarchy level.

    [See Configuring SSH Service for Remote Access to the Router or Switch.]

Security

  • Disable the do not fragment flag from packet IP header (SRX Series and vSRX)—Starting in Junos OS Release 19.2R2, we’ve introduced the clear-dont-frag-bit option at the [edit security alg alg-manager] hierarchy level to disable the do not fragment flag from the packet IP header, which allows the packet to be split after NAT is performed.

    In Junos OS releases earlier than Release 19.2R2, when the ALG performs payload-NAT, sometimes the size of the packet becomes bigger than the outgoing interface maximum transmission unit (MTU). If the packet IP header has the do not fragment flag, this packet cannot be sent out.

    [See alg-manager.]

Release 19.2R1 Changes in Behavior and Syntax

Application Security

  • Starting in Junos OS Release 19.2R1, the SSL decryption mirroring feature is supported on redundant Ethernet (reth) interface on SRX Series devices operating in a chassis cluster.

Ethernet Switching and Bridging

  • Support for double tagged VLANs being pushed out the egress interface (SRX300, SRX320, SRX340, SRX345, SRX550, and SRX1500)—Starting in Junos OS Release 19.2R1, in a Q-in-Q scenario, double tagged VLANs are pushed out the egress interface. In previous releases, when two VLANs were added at the ingress interface, with the native-vlan-id vlan-id assigned to the user-to-network interface (UNI) interface and the vlan-id vlan-id-list assigned to the network-to-network interface (NNI) interface, the VLAN with the native-vlan-id tag did not exit from the egress interface. Now both VLAN tags exit from the egress interface.

Flow-Based and Packet-Based Processing

  • Power Mode IPsec (SRX Series)—On SRX Series devices, when Power Mode IPSec is enabled, the show security flow statistics and show security flow session tunnel summary commands does not count, or display the number of packets that are processed within the Power Mode IPsec as these packets do not go through the regular flow path.

    [See show security flow statistics]

Network Management and Monitoring

  • The show system schema command and <get-yang-schema> RPC require specifying an output directory (SRX Series)—Starting in Junos OS Release 19.2R1, when you issue the show system schema operational mode command in the CLI or execute the <get-yang-schema> RPC in a remote session to retrieve schema files, you must specify the directory in which to generate the output files by including the output-directory command option in the CLI or the <output-directory> element in the RPC. In earlier releases, you can omit the output-directory argument when requesting a single module to display the module in standard output.

  • Custom YANG RPC support for input parameters of type empty (SRX Series)—Starting in Junos OS Release 19.2R1, custom YANG RPCs support input parameters of type empty when executing the RPC’s command in the Junos OS CLI, and the value passed to the action script is the parameter name. In earlier releases, input parameters of type empty are only supported when executing the RPC in a NETCONF or Junos XML protocol session, and the value passed to the action script is the string 'none'.

    [See Creating Action Scripts for YANG RPCs on Devices Running Junos OS.]

  • NSD Restart Failure Alarm (SRX Series)—Starting in Junos OS Release 19.2R1, a system alarm is triggered when the Network Security Process (NSD) is unable to restart due to the failure of one or more NSD subcomponents. The alarm logs about the NSD are saved in the messages log. The alarm is automatically cleared when NSD restarts successfully.

    The show chassis alarms and show system alarms commands are updated to display the following output when NSD is unable to restart - NSD fails to restart because subcomponents fail.

    [See Alarm Overview.]

VPNs

Known Limitations

Learn about known limitations in this release for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

J-Web

  • CLI terminal is not working in Java version 1.8 because of a security restriction in the running applet. PR1341956

  • After you generate the Default Trusted CA profile group under Certificate Management>Trusted Certificate Authority in J-Web, J-Web does not display the CA profile group local under Certificate Management>Certificate Authority Group page. PR1424131

  • The CA profile group imported using J-Web does not populate the group on the Certificate Authority Group initial landing page grid, but all the CA profiles of a group are populated on the Trusted Certificate Authorities landing page. PR1426682

  • Country logo is not displaying in Threats Map page and Events page for some countries. Time slider is not displayed properly in Screen/ATP/Security Intelligence events pages. PR1435124

VPNs

  • In the HA design for SRX Series devices, the antireplay window is synchronized to the backup only when the total incoming packet count is an odd multiple of 128 packets. When a failover occurs, the antireplay bitmap is not synchronized. Again, when the node comes back online, the SA is installed but the antireplay bitmap is reset to 0 along with the in and out sequence number. PR1420521

  • In a chassis cluster, ESP or AH packet sequence number is not synchronized to the backup node after the backup node is rebooted. PR1433424

  • On the SRX5000 line of devices with SPC3 installed, the IPsec VPN antireplay sequence number might be reset to zero after the crash of the SPC3 card or the flowd process. Traffic drop is seen due to the mismatch of the sequence number. PR1433568

  • Per tunnel debugging configuration is not synchronized to backup node. It needs to be configured again after RG0 failover. PR1450393

Open Issues

Learn about open issues in this release for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Chassis Clustering

  • When GTP profile with the same name is deleted and then added, the profile ID will be changed. So, if this profile is being used by policy, you need to reconfigure the policy application bounding; otherwise, the GTP will not work as you expect. PR1409213

Flow-Based and Packet-Based Processing

  • On an SRX4600 device, when the next hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, it is possible that when multiple core files are generated in quick succession, the cold-sync-monitored status is displayed and cannot be removed even though cold-sync has finished. You must reboot the affected node to recover. PR1403000

  • Automatic completion is not working on proxy terminator profile name. PR1424822

  • Syslog severity level of msg subtype is end of policy is set to error although this message can be ignored. PR1435233

  • Some packets are dropped due to the FPGA issue. PR1443600

  • SSL-based AppID simplification effort (removal of HTTPS, POP3S, IMAPS, SMTPS). PR1444767

  • TCP session cannot time out properly upon receiving the TCP RESET packet, and the session timeout does not change to two seconds. PR1467654

Intrusion Detection and Prevention (IDP)

  • On SRX Series devices, commit or show command for IDP might not work if SNMP queries are run when large-scale IDP is used. PR1444043

J-Web

  • Due to set chassis auto-image-upgrade in factory configuration, from phone home page you are not able to skip to J-Web and get the error Bootstrap is in progress, Can't Skip!!. PR1420888

  • SECINTEL_ACTION_LOG events with subcategories such as Infected-Hosts and C are not shown on Juniper Sky ATP threat count on Monitor>Threats Map page in J-Web. PR1425795

  • On SRX Series devices, until Junos OS Release 19.2, phone home UI portal is displayed by default. The J-Web UI should be the default page to be launched when the device is in factory default. PR1428717

  • Country logo is not displaying in Threats Map page and Events page for some countries. Time slider is not displayed properly in Screen/ATP/Security Intelligence events pages. PR1435124

Platform and Infrastructure

  • Under certain heavy traffic conditions srxpfe process might crash and result in a denial-of-service (DoS) condition for the SRX1500 device. Repeated crashes of the srxpfe can result in an extended DOS condition. The SRX Sereis device might fail to forward traffic when this condition occurs. PR1277363

  • CDN-based dynamic application classification has been deprecated in this release. To restore previous behavior, you can configure set services application-identification enable-cdn-application-detection. PR1375442

Routing Policy and Firewall Filters

  • If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907

VPNs

  • On SRX Series devices, if multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector is rekeyed at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. New negotiation of these traffic selectors is triggered through other mechanisms such as traffic or by peer. PR1287168

  • VPN tunnels flap after a group is added or deleted in edit private mode in a clustered setup. PR1390831

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • On the SRX5000 line of devices with SPC3 cards, sometimes IKE SA is not seen on the device when st0 binding on VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411

  • In IPsec VPN scenario on SRX5400, SRX5600, and SRX5800 platforms, the IKED treats retransmission of IKE_INIT request packets as new connections when SRX Series device acts as responder of IKE negotiation. This causes IKE tunnel negotiation to fail and IPsec VPN traffic might be impacted. PR1460907

  • The SRX5000 line of devices with SPC3 was not supporting simultaneous IKE negotiation in Junos OS Release 19.2, Junos OS Release 19.3, Junos OS Release 19.4, and Junos OS Release 20.1. PR1497297

Resolved Issues

Learn which issues were resolved in Junos OS main and maintenance releases for SRX Series devices. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 19.2R3

Chassis Clustering

  • If a cluster ID of 16 or multiples of 16 is used, the chassis cluster might not come up. PR1487951

Flow-Based and Packet-Based Processing

  • The show security group-vpn server statistics |display xml is not in expected format. PR1349959

  • ECMP load balancing does not happen when RG1 node 0 is secondary. PR1475853

  • The flowd or srxpfe process might stop when deleting user firewall local authentication table entry. PR1477627

  • MPCs might stop when there is bulk route update failure in a corner case. PR1478392

  • On Web proxy, memory leak occurs in association hash table and DNS hash table. PR1480760

  • GRE or IPsec tunnel might not come up when set security flow no-local-favor-ecmp command is configured. PR1489276

  • Outbound SSH connection flap or memory leak issue might be observed during pushing configuration to ephemeral database with high rate. PR1497575

  • Traffic interruption happens due to MAC address duplication between two Junos OS devices. PR1497956

  • Don’t use capital characters for source-identity when using show security match-policies command. PR1499090

  • J-Flow v9 does not display correct outgoing interface for APBR traffic. PR1502432

Interfaces and Chassis

  • All interfaces remain in the down status after the SRX300 line of devices power up or reboot. PR1488348

  • Continuous drops seen in control traffic, when high data queues in one SPC2 PIC. PR1490216

Intrusion Detection and Prevention (IDP)

  • IDP's custom-attack time-binding interval command was mistakenly hidden within the CLI. PR1506765

J-Web

  • The J-Web users might not be able to configure PPPoE using PPPoE wizard. PR1502657

Multiprotocol Label Switching (MPLS)

  • BGP session might keep flapping between two directly connected BGP peers because of the incorrect use of the TCP-MSS. PR1493431

Platform and Infrastructure

  • Packets get dropped when next hop is IRB over LT interface. PR1494594

Routing Policy and Firewall Filters

  • TCP proxy was mistakenly engaged in unified policies when Web filtering was configured in potential match policies. PR1492436

  • Traffic fails to hit the policies with match source-end-user-profile. PR1505002

Routing Protocols

  • The BGP route-target family might prevent RR from reflecting Layer 2 VPN and Layer 3 VPN routes. PR1492743

VPNs

  • With NCP remote access solution, in a PathFinder case (for example, where IPsec traffic has to be encapsulated as TCP packets), TCP encapsulation for transit traffic is failing. PR1442145

  • On SRX Series devices with SPC3, when overlapping taffic-selectors are configured, multiple IPsec SAs get negotiated with peer device. PR1482446

Resolved Issues: 19.2R2

Application Layer Gateways (ALGs)

  • Sometimes unexpected forwarding sessions appear for tenant ALG SIP traffic in cross tenant. PR1409748

  • The H.323 connection might not be established when the H.323 packet passes SRX Series devices twice through different virtual routers. PR1436449

  • On the SRX5000 line of devices, the H323 call with NAT64 could not be established. PR1462984

  • The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942

  • SIP messages that need to be fragmented might be dropped by SIP ALG. PR1475031

Application Security

  • The AAMW diagnostic script generates incorrect error: Error: Platform does not support SkyATP: srx300. PR1423378

  • Automatic application-identification download stops after going over the year and reboot. PR1436265

  • The flowd or srxpfe process might crash when advanced anti-malware service is used. PR1437270

  • The applications that get declassified in the middle of a session are not identified properly. PR1437816

  • Unable to get more than 60 Gbps of AppQoS throughput. PR1439575

  • The flowd process core files might be seen when the traffic hits an AppQoS policy. PR1446080

Authentication and Access Control

  • The CPU utilization of the uacd is high, about 100 percent, in the output of show chassis routing-engine. PR1424971

  • The srxpfe or flowd process might stop if a UAC policy is removed. PR1437892

  • Same-source IP sessions are cleared when the IP entry is removed from the UAC table. PR1457570

Chassis Clustering

  • IP monitoring might fail on the secondary node. PR1468441

  • The chassis cluster failover to a secondary node does not happen after Packet Forwarding Engine stops on the primary node PR1451091

  • Hardware failure is seen on both nodes in show chassis cluster status. PR1452137

  • On SRX Series devices with chassis cluster, the control link remains up even though the control link is actually down. PR1452488

  • An unhealthy node might become primary in SRX4600 devices with chassis cluster scenario. PR1474233

Class of Service (CoS)

  • Frequent issuance of the show class-of-service spu statistics command causes the rtlogd process to be busy. PR1438747

  • The CoS rewrite rule does not work for st0 interface. PR1439401

Flow-Based and Packet-Based Processing

  • Throughput or latency performance of all traffic drops when TCP traffic is passing through the device. PR1403727

  • Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093

  • Blacklist compilation failures are reported. PR1418980

  • Group VPN IKE security associations cannot be established before RG0 failover. PR1419341

  • SSL proxy did not correctly warn users about unsupported certificates. PR1419485

  • The trusted-ca and root-ca names or IDs should not be the same within an SSL proxy configuration. PR1420859

  • Failed to clear sessions on SPC2 with error message error: usp_ipc_client_recv_:ipc_pipe_read() failed read timed out after 5 second(s). PR1426090

  • When configuring a GRE tunnel (GRE-over-IPsec-tunnel) or an IPsec tunnel on an SRX Series device, the MTU of the tunnel interface is calculated incorrectly. PR1426607

  • Junos OS: SRX1500: Denial of service due to crash of srxpfe process under heavy traffic conditions. (CVE-2019-0050) PR1428657

  • The X2 traffic cannot be encrypted after the traffic is decrypted when PMI is enabled. PR1429473

  • The flowd process might stop on the SRX5000 line of devices. PR1430804

  • VPN traffic fails after primary node reboot or power off. PR1433336

  • Intermittent packet drop might be observed if IPsec is configured. PR1434757

  • Traffic drop when session key rolls over between primary and fallback for more than 10 times. PR1435277

  • The second IPsec ESP tunnel might not be able to establish between two IPv6 IKE peers. PR1435687

  • Control logical interface is not created by default for LLDP. PR1436327

  • On an SRX4600 device, core file generation might be observed and SPM might be in present state. PR1436421

  • The ipfd process might crash when SecIntel is used. PR1436455

  • Some webpages cannot be fully rendered. PR1436813

  • When running SSL proxy on the firewall, the locally generated certificate is not validated by OpenSSL client. PR1436831

  • Packet reorder does not work when sending traffic over IPsec tunnel with session-affinity. PR1436720

  • Decryption traffic doesn’t take PMI path after IPsec rekey (initiated by peer) when loopback interface is configured as external interface. PR1438847

  • The flowd process stops and generates a core file when processing SSL proxy traffic. PR1437783

  • Member of dynamically created VLANs information is not displaying on show VLANs. PR1438153

  • The probe of Ethernet switching always shows down in a chassis cluster scenario. PR1438277

  • The flowd process stops and generates core files. PR1438445

  • Security logs cannot be sent to the external syslog server through TCP. PR1438834

  • When llmd is rotating database, there is a possibility of reading a NULL db at the same time, which generates core files. PR1439186

  • LACP MUX state stuck in "Attached" after disabling peer active members when link protection is enabled on local along with force-up. PR1439268

  • The IKE pass-through packet might be dropped after the source address has been changed. PR1440605

  • While checking the flow session XML for source NAT under tenant, there is no value identifier for tenant-name ( < tenant>< /tenant> ). PR1440652

  • Performance improvements were made to Screens, which benefit multisocket systems. PR1440677

  • Support inspection for pass-through IP-IP tunnel traffic on TAP mode. PR1441226

  • SPC2 wrongly forwarded packet to SPC3 core0 and core14. PR1441234

  • New CLI option to show only useful group information for an Active Directory user. PR1442567

  • The SRX300 line of devices does not have MIB that can retrieve the fan status. PR1443649

  • In the BERT test for E1 interface, bits counts number is not within the range. PR1445041

  • Junos OS: SRX5000 Series: flowd process crash due to receipt of specific TCP packet (CVE-2019-0064) PR1445480

  • There is no active connection with Juniper Sky ATP server. PR1446481

  • The flowd process might stop on SRX Series devices when chassis cluster and IRB interface are configured. PR1446833

  • J-Flow version 5 stops working after changing the input rate value. PR1446996

  • Packet loss happens during cold synchronization from secondary node after rebooting. PR1447122

  • SPC3 talus FPGA stuck on 0x3D or 0x69 golden version. PR1448722

  • Host inbound or host outbound traffic on VR does not work when the SRX5000 line of devices works in SPC3 mixed mode. PR1449059

  • SPU priority does not work when PMI is enabled on the SRX5000 line of devices with an SPC3 card. PR1449587

  • All ingress packets are dropped if the traffic transit network is also the same network for LTE mPIM internal management. PR1450046

  • On SRX Series devices with SSL proxy service used, a memory leak issue might occur, which results in the flowd or srxpfe process stopping. PR1450829

  • AAWM policy rules for IMAP traffic sometimes might not get applied when passed through an SRX Series device. PR1450904

  • FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122

  • Traffic forwarding on Q-in-Q port and VLAN tagging is not observed properly on R0. PR1451474

  • The rpd process might stop and restart and an rpd core file is generated when committing the configuration. PR1451860

  • Update SRX300 traffic default logging to stream mode. PR1453074

  • The fxp0 interface might redirect packets not destined to itself. PR1453154

  • Introduction of default inspection limits for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180

  • The SRX Series devices stop and generate several core files. PR1455169

  • When you try to reset the system configuration on an SRX1500 device using the reset config button, it does not work properly. PR1458323

  • The security flow traceoptions fills in with RTSP ALG related information. PR1458578

  • Optimizations were made to improve the connections-per-second performance of SPC3. PR1458727

  • SRX Series device might not be reachable when initiating offline command for PIC. PR1459037

  • The security-intelligence CC feed does not block HTTPS traffic based on SNI. PR1460384

  • The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619

  • The srxpfe or flowd process might stop if the sampling configuration is changed. PR1462610

  • The tunnel packets might be dropped because the gr0.0 or st0.0 interface is wrongly calculated after a GRE or VPN route change. PR1462825

  • A core file might be generated when you perform an ISSU on SRX Series devices. PR1463159

  • Fragmented traffic might get looped between the fab interface in a rare case. PR1465100

  • The PKI daemon keeps leaking memory on SRX Series devices. PR1465614

  • HTTP block message stops working after SNI check for HTTPS session. PR1465626

  • Loading CA certificate causes PKI daemon core file to be generated. PR1465966

  • The jbuf process usage might increase up to 99 percent after Junos OS upgrade. PR1467351

  • The rpd process might stop after several changes to the flow-spec routes. PR1467838

  • Packet Forwarding Engine might generate core files because SSL proxy is enabled on NFX Series and SRX Series devices. PR1467856

  • Server unreachable is detected; ensure that port 443 is reachable. PR1468114

  • Tail drop on all ports is observed when any switch-side egress port gets congested. PR1468430

  • FTP data connection might be dropped if SRX Series devices send the FTP connection traffic through the dl interface. PR1468570

  • RPM test probe fails to show that round-trip time has been exceeded. PR1471606

  • On SRX Series devices, Packet Forwarding Engine memory might be used up if the security intelligence feature is configured. PR1472926

  • Support LLDP protocol on reth interface. PR1473456

  • Certificate error while configuration validation during Junos OS upgrade. PR1474225

  • Packet drop might be observed on the SRX300 line of devices when adding or removing an interface from MACsec. PR1474674

  • Stateful firewall rule configuration deletion might lead to memory leak. PR1475220

  • Recent changes to JDPI's classification mechanism caused a considerable performance regression (more than 30 percent). PR1479684

  • The flowd or srxpfe process might crash when advanced anti-malware services are used. PR1480005

  • IMAP curl sessions stuck in the active state if AAMW IMAP block mode is configured. PR1484692

  • The show chassis temperature-thresholds command displays a lot of FPC 0 output. PR1485224

  • After installation through boot loader at cluster setup, primary node cannot proceed commit. PR1487831

  • If a cluster-id of 16 or multiples of 16 is used, the cluster might not come up. PR1487951

  • On SRX1500, CPU board inlet increases after Junos OS upgrade from Junos OS Release 15.1X49 to Junos OS Release 18.x. PR1488203

  • Risk of service interruption on SRX Series devices with a dual-stacked CA server. PR1489249

Installation and Upgrade

  • SPMC version mismatch errors after Junos OS install using USB method. PR1437065

  • Junos OS upgrade fails when partition option is used on SRX Series devices. PR1449728

Interfaces and Chassis

  • Both nodes in the SRX Series chassis cluster go into DB mode after downgrading to Junos OS Release 18.1. PR1407295

  • MTU change after a CFM session is up can impact Layer 2 Ethernet ping (loopback messages). If the new change is less than the value in the initial incarnation, then Layer 2 Ethernet ping fails. PR1427589

  • LFM remote loopback is not working as expected. PR1428780

  • The LACP interface might flap if performing a failover. PR1429712

  • Certain interfaces might drop all unicast traffic when LTE PIM is used. PR1430403

  • Static route through dl0.0 interface is not active. PR1465199

  • MAC limiting on Layer 3 routing interfaces does not work. PR1465366

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process stops and generates core files when processing IDP packets. PR1416275

  • NSD fails to push security zone to the Packet Forwarding Engine after reboot, if there is an active IDP rule configured with FQDN. PR1420787

  • The flowd or srxpfe process stops and generates core files. PR1437569

  • Updating the IDP security package offline might fail in SRX Series devices. PR1466283

J-Web

  • Some error messages might be seen when using J-Web. PR1446081

  • The idle-timeout for J-Web access does not work properly. PR1446990

  • J-Web fails to display the traffic log in event mode when stream mode host is configured. PR1448541

  • Editing destination NAT rule in J-Web introduces a nonconfigured routing-instance field. PR1461599

Layer 2 Ethernet Services

  • DHCP requests might get dropped in a DHCP relay scenario. PR1435039

  • The metric is not changing when configured under the DHCP. PR1461571

Network Address Translation (NAT)

  • The nsd process might stop when SNMP queries deterministic NAT pool information. PR1436775

  • Core files are generated while using NAT PBA in AA mode. PR1443148

  • RTSP resource session is not found during NAT64 static mapping. PR1443222

  • On SRX5000 line of devices with SPC3 card, when using source NAT, under high traffic load, a small fraction of TCP-SYN packets might be dropped due to the source NAT port failing to be allocated. Also, the NAT pool resources might leak over time. PR1443345

  • Packet loss happens during cold synchronization from the secondary node after rebooting. PR1448252

  • A port endian issue in SPU messages between SPC3 and SPC2 results in one redundant NAT binding being created in central point when one binding is allocated in SPC2 SPC. PR1450929

  • Packet loss is observed when multiple source NAT pools and rules are configured. PR1457904

  • The flowd or srxpfe process might stop when traffic is processed by both ALGs and NAT. PR1471932

  • Issuing the show security nat source paired-address command might return an error. PR1479824

Network Management and Monitoring

  • MIB OID dot3StatsDuplexStatus shows wrong status. PR1409979

  • Snmpd process might generate core files after restarting NSD process by using the restart network-security gracefully command. PR1443675

  • Control links are logically down on SRX Series devices with chassis cluster running Junos OS Release 12.3X48. PR1458314

  • The flowd or srxpfe process might stop immediately after committing the jflowv9 configuration or after upgrading to affected releases. PR1471524

  • SNMP trap coldStart agent-address becomes 0.0.0.0. PR1473288

Platform and Infrastructure

  • Memory leak might occur on the data plane during composite next-hop installation failure. PR1391074

  • The show security flow session command fails with error messages when SRX4600 has over a million routing entries. PR1408172

  • On SRX4600 platform, when manual RG0 failover is performed, sometimes node0 (the original primary node) stays in secondary-hold status for a long time and cannot change back to secondary status. PR1421242

  • SPC in slot1 of node0 remained in offline state for more than 1 hour after the cluster was upgraded from Junos OS Release 18.2R2-S1.3 to Junos OS Release 18.2X41.1. PR1423169

  • Packet drops, replication failure, or ksyncd stops might be seen on the logical system of a Junos OS device after Routing Engine switchover. PR1427842

  • The PICs might go offline and split brain might be seen when interrupt storm happens on internal Ethernet interface em0 or em1. PR1429181

  • Packet loss is caused by FPGA back pressure on SPC3. PR1429899

  • REST API does not work properly. PR1430187

  • Packet Forwarding Engine pause might be seen on the SRX1500 device. PR1431380

  • The false license alarm might be seen even if there is a valid license. PR1431609

  • When changing the decrypt mirror interface in the SSL proxy service configuration, it does not reflect properly in the Packet Forwarding Engine. PR1434595

  • On SRX4100 and SRX4200 devices, when LACP is configured on the reth interface, the interface flaps when Routing Engine is busy. PR1435955

  • LACP traffic is distributed evenly on ingress child links but not on egress links. PR1437098

  • The ksyncd process might crash and restart on SRX Series devices. PR1440576

  • The chassis cluster might stuck at CS FL state after rebooting. PR1440938

  • The configured RPM probe server hardware timestamp does not respond with correct timestamp to the RPM client. PR1441743

  • The RPM udp-ping probe does not work in a multiple routing instance scenario. PR1442157

  • ARP resolution might fail after ARP HOLD NHs are added and deleted continuously. PR1442815

  • On the SRX300 line of devices, the interface LED does not work properly. PR1446035

  • The show security flow session command fails with error messages when SRX4100 or SRX4200 has around 1 million routing entries in FIB. PR1445791

  • LACP cannot work with the encapsulation flexible-ethernet-services configuration. PR1448161

  • On certain MPC line cards, cm errors need to be reclassified. PR1449427

  • REST API process will become unresponsive when a number of requests come at a high rate. PR1449987

  • Traffic loss might occur when there are around 80,000 routes in FIB. PR1450545

  • Modifying the REST configuration might cause the system to become unresponsive. PR1461021

  • VM core files might be generated if the configured sampling rate is more than 65,535. PR1461487

  • On the SRX300 line of devices, you might encounter Authentication-Table loading slowly while using user-identification. PR1462922

  • The AE interface cannot be configured on an SRX4600 device. PR1465159

  • On SRX1500 and the SRX4000 line of devices, physically disconnecting the cable from fxp0 interface causes hardware monitor failure and redundancy group failover, when the device is the primary node in a chassis cluster. PR1467376

  • The RGx might fail over after RG0 failover in a rare case. PR1479255

Routing Policy and Firewall Filters

  • The NSD process might stop due to a memory corruption issue. PR1419983

  • The ipfd generates a core file while scaling cases 6-1. PR1431861

  • An SRX1500 device allows only a maximum of 256 policies with counting enabled. PR1435231

  • Two ipfd processes appear in ps command and the process pauses. PR1444472

  • During commit, the nsd_vrf_group_config_lsys log messages are displayed. PR1446303

  • Security policies cannot synchronize between Routing Engine and Packet Forwarding Engine on SRX Series devices. PR1453852

  • Traffic log shows wrong custom-application name when the alg ignore option is used in application configuration. PR1457029

  • The NSD process might get stuck and cause problems. PR1458639

  • Some domains are not resolved by the SRX Series devices when using DNS address book. PR1471408

  • The count option in security policy does not take effect even if the policy count is enabled. PR1471621

  • Support for dynamic tunnels on SRX Series devices was mistakenly removed. PR1476530

Routing Protocols

  • SSH login might fail if a user account exists in both local database and RADIUS or TACACS+. PR1454177

  • The rpd might stop when both instance-import and instance-export policies contain as-path-prepend action. PR1471968

  • The routing protocol process (rpd) crashes while processing a specific BGP update information. PR1448425

  • Receipt of certain genuine BGP packets from any BGP speaker causes rpd to crash. PR1497721

Services Applications

  • The flowd process stops when SRX5800 devices work at SPC3 mix mode with 1 SPC3 card and 7 SPC2 cards. PR1448395

Unified Threat Management (UTM)

  • The command show security utm web-filtering status now provides additional context when the status of EWF is down. PR1426748

  • Memory issue due to SSL proxy whitelist or whitelist URL category. PR1430277

  • Adjust core allocation ratio for on-box antivirus. PR1431780

  • On SRX Series devices, memory might leak if Websense Redirect Web Filtering is configured. PR1445222

  • Increase the scale number of UTM profile or policy for the SRX1500 device, and the SRX4000 and SRX5000 lines of devices. PR1455321

  • The utmd process might pause after deactivating UTM configuration with predefined category upgrading used. PR1478825

VPNs

  • IPsec SA inconsistent on SPCs of node0 and node1 in SRX Series devices with chassis cluster. PR1351646

  • After RG1 failover, IKE phase 1 SA is getting cleared. PR1352457

  • With a large number of IPsec tunnels established, a few tunnels might fail during rekey negotiation if the SRX Series device initiates the rekey. PR1389607

  • IPsec VPN is missing half of the IKE SA and IPsec SA is showing incorrect port number when scaling to 1000 IKEv1 AutoVPN tunnels. PR1399147

  • The IKE and IPsec configuration under groups is not supported. PR1405840

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when the SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, the IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds. PR1409855

  • The established tunnels might remain unchanged when an IKE gateway is changed from AutoVPN to Site-to-Site VPN. PR1413619

  • The iked process might crash due to misconfiguration in IPsec VPN network PR1416081

  • The IKED process might stop when IKE and IPsec SA rekey happen simultaneously. PR1420762

  • The VPN tunnel might flap when IKE and IPsec rekey happen simultaneously. PR1421905

  • Old tunnel entries might be observed in the output of show security, IPsec or IKE SA. PR1423821

  • The show security ipsec statistics command output displays buffer overflow and wraps around 4,---,---,--- count. PR1424558

  • IPsec packet throughput might be impacted if NAT-T is configured and the fragmentation operation of post fragment happens PR1424937

  • Tunnel does not come up after changing configurations from IPv4 to IPv6 tunnels in the script with gateway lookup failed error. PR1431265

  • P1 configuration delete message is not sent on loading baseline configuration if there has been a prior change in VPN configuration. PR1432434

  • On the SRX5000 line of devices with SPC3, with P2MP and IKEv1 configured, if negotiation fails on the peer device, then multiple IPSec SA entries are created on the device if the peer keeps triggering new negotiation. PR1432852

  • IPsec rekey trigger is not working for when sequence number in AH and ESP packet is about to exhaust . PR1433343

  • P1 or P2 SAs are deleted after RG0 failover. PR1433355

  • IPsec SA in and out key sequence number update missing after cold synchronization. PR1433424

  • Sequence number reset to zero while recovering SA after SPC3 or flowd stops or reboots. PR1433568

  • The kmd log shows resource temporarily unavailable repeatedly and VPNs might be down. PR1434137

  • On SRX Series devices, fragments exit VPN traffic earlier than required by ingress packet sizes. PR1435700

  • The IKED stops on the SRX5000 line of devices with SPC3 when IPsec VPN or IKE is configured. PR1443560

  • IPsec VPN traffic drop might be seen on SRX Series platforms with NAT-T scenario. PR1444730

  • After a long time (a few hours) of traffic during a mini PDT test, the number of IPsec tunnels is much higher than expected. PR1449296

  • Some IPsec tunnels flap after RGs fail over on the SRX5000 line of devices. PR1450217

  • The VPN flaps on the primary node after a reboot of the secondary node. PR1455389

  • IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951

  • IPsec VPN tunnels are losing routes for the traffic selector randomly while the tunnel is still up, causing complete outage. PR1456301

  • Traffic is not sent out through an IPsec VPN after update to Junos OS Release 18.2 or later. PR1461793

  • The IPsec VPN tunnels cannot be established if overlapped subnets are configured in traffic selectors. PR1463880

  • IPsec tunnels might lose connectivity on SRX Series devices after chassis cluster failover when using AutoVPN point-to-multipoint mode. PR1469172

  • The kmd process might crash continually after the chassis cluster failover in the IPsec ADVPN scenario. PR1479738

Resolved Issues: 19.2R1

Application Firewall

  • Fail to match permit rule in Application Firewall (AppFW) rule set. PR1404161

Application Identification

  • IDP install failing on secondary node due to AI installation failure. PR1336145

Application Layer Gateways (ALGs)

  • DNS requests with the EDNS option might be dropped by the DNS ALG. PR1379433

  • On all SRX Series platforms, SIP/FTP ALG does not work when SIP traffic with source NAT goes through the SRX Series devices. PR1398377

  • The TCP rst packet is dropped when any TCP proxy-based feature and rst-invalidate-session are enabled simultaneously. PR1430685

Chassis Clustering

  • The SNMP trap sends wrong info with Manual failover. PR1378903

  • Traffic with domain name address might fail for 3-5 minutes after RG0 failover on SRX Series platforms. PR1401925

  • The flowd process stops when updating or deleting a GTP tunnel. PR1404317

  • Mixed mode (SPC3 coexisting with SPC2 cards) high availability (HA) IP-Monitoring fails on secondary node with secondary arp entry not found error PR1407056

  • The SRX Series devices might be potentially overwritten with an incorrect buffer address when detailed logging is configured under the GTPv2 profile. PR1413718

  • Starting with Junos OS Release 18.4, at most, 6 pdn connects can be contained in a pdp context response; otherwise, the response will be dropped. PR1422877

  • Memory leaks might be seen on the jsqlsyncd process on SRX chassis clusters PR1424884

  • RG0 failover sometimes causes FPC offline/present status. PR1428312

Flow-Based and Packet-Based Processing

  • Control traffic loss might be seen on SRX4600 platform. PR1357591

  • On SRX1500 devices, the activity LED (right LED) for 1-Gigabit Ethernet/10-Gigabit Ethernet port is not on although traffic is passing through that interface. PR1380928

  • Password recovery menu is not shown up on SRX device. PR1381653

  • Large file downloads slow down for many seconds. PR1386122

  • On the SRX300 line of devices default configuration changed. PR1393683

  • Switching interface mode between family ethernet-switching and family inet/inet6 might cause traffic loss. PR1394850

  • SRX to not strip vlan added by native vlan id command. PR1397443

  • Increase DAG feed scale number to 256 from 63. PR1399314

  • CPU is hitting 100 percent with fragmented traffic. PR1402471

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when PowerMode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands will not count or display the number of packets processed within PowerMode IPsec, because these packets do not go through regular flow path. PR1403037

  • Downloads might stall and/or completely fail when utilizing services that are reliant on TCP proxy. PR1403412

  • The flowd process stops and all cards are brought offline. PR1406210

  • The RG1 failover does not happen immediately when the SPC3 card crashes. PR1407064

  • The flowd process might crash if enable-session-cache knob is configured under the SSL termination profile. PR1407330

  • Support for LAG interface with PowerMode IPsec. PR1407231

  • The kernel might stop on the secondary node when committing set system management-instance command. PR1407938

  • On SRX1500 platform, traffic is blocked on all interfaces after configuring interface-mac-limit on one interface. PR1409018

  • Memory leak if AAMW is enabled. PR1409606

  • Packets might get dropped in chassis cluster Z mode with local interface configured. PR1410233

  • Session capacity of SRX340 does not match SRX345. PR1410801

  • While PMI is ON, IPsec encrypted statistics on the Routing Engine show security ipsec statistics are not working anymore for fragment packets. PR1411486

  • PEM 0 or PEM 1 or FAN, I2C failure major alarm might be set and cleared multiple times. PR1413758

  • HA packets might be dropped on SRX5000 line of devices with IOC3 or IOC2 cards. PR1414460

  • On SRX1500, SRX4100, SRX4200, SRX4600, and SRX5000 line of devices with SPC3 card, if SSL proxy is configured, the firewall FPC CPU might spike above 80 percent and traffic might be lost. PR1414467

  • Any traffic originated from the device itself might be dropped in the IPsec tunnel. PR1414509

  • The input and output bytes or bps statistic values might not be identical for the same size of packets. PR1415117

  • The reth interfaces are now supported when configuring SSL decryption mirroring (mirror-decrypt-traffic interface) PR1415352

  • Force clearing Client Session from flow does not clean up Proxy session. PR1415756

  • Traffic would be dropped if SOF is enabled in a chassis cluster in active/active mode. PR1415761

  • Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093

  • The flowd process stops on the SRX5000 Series or SRX4000 lines of devices when large-size packets go through IPsec tunnel with the post-fragment check. PR1417219

  • TCP segmented client side session fails to create transparent proxied relay session, and session stays idle. PR1417389

  • Best path selected keeps changing at regular intervals even when no violation is reported. PR1417926

  • Traffic might be lost on the SRX Series device if IPsec session affinity is configured with ipsec-performance-acceleration command. PR1418135

  • Group VPN IKE security-associations can not establish before RG0 failover. PR1419341

  • On all SRX Series devices firewalls, if the traffic-log feature is configured, logs might incorrectly display IPv4 addresses in an IPv6 format PR1421255

  • The show security flow session session-identifier < sessID> is not working if the session ID is bigger than 10M on SRX4600 platform. PR1423818

  • The tunnel-id information is displayed in the flow session. PR1423889

  • Replace bypass-on-dns-cache-miss command with drop_on_dns_error command in Web proxy profile. If drop_on_dns_error command is not set and DNS failure occurs for a session, that session passes through bypass mode. If drop_on_dns_error command is set and DNS failure occurs for a session, that session is dropped by Web proxy plug-in. PR1430425

  • Support IPv6 session through Web proxy. PR1433088

  • The applications which get declassified in the middle of session will not be identified properly. PR1437816

  • Partial traffic might get dropped on an existing LAG. PR1423989

  • Alarms due to high temperature when operating with expected temperatures. PR1425807

  • PIM neighbors might not come up on SRX Series chassis cluster PR1425884

  • The IPsec traffic going through SRX5000 line of devices with SPC2 cards installed causes SPU CPU utilization to be high. PR1427912

  • Uneven distribution of CPU with high PPS on device. PR1430721

  • SRX550M running Junos OS Release 18.4R1 shows PEM 1 output failure message where as with Junos OS Release 15.1X49 or Junos OS Release 18.1R3.3 it does not show any alarms. PR1433577

  • Some webpages cannot be fully rendered. PR1436813

Infrastructure

  • Increase in Junos OS image size for Junos OS Release 19.1R1. PR1423139

Interfaces and Routing

  • On SRX4600 platform, the 40-Gigabit Ethernet might flap continuously by MAC local fault. PR1397012

  • SRX Series devices cannot obtain IPv6 address through DHCPv6 when using a PPPoE interface with a logical unit number greater than 0. PR1402066

Intrusion Detection and Prevention (IDP)

  • IDP might crash with the custom IDP signature. PR1390205

  • Unable to configure dynamic-attack-group command. PR1418754

Installation and Upgrade

  • ISSU failed from Junos OS Release 18.3R1.9 to Junos OS Release 18.4R1.4. PR1405556

  • SRX1500 devices running Junos OS Release 15.1X49-D160 are unable to be upgraded or downgraded successfully to all releases built before 17 February 2019 PR1407556

J-Web

  • In the J-Web dashboard, the Security Resources widget did not display absolute values. PR1372826

  • J-Web now supports defining SSL-Proxy and redirect (block page) profiles when a policy contains dynamic applications. PR1376117

  • Configuring using the CLI editor in J-Web generates an mgd core file. PR1404946

  • The httpd-gk process stops, leading to dynamic VPN failures and high Routing Engine CPU utilization (100 percent). PR1414642

  • Risk report, when generated in IE browser, appears completely out of alignment and XML tags are displayed. PR1415767

  • J-Web configuration change for an address set using the search function results in a commit error. PR1426321

  • J-Web not working when logged in as read-only user. PR1428520

  • IRB interface is not available in zone option of J-Web. PR1431428

Logical Systems and Tenant Systems

  • Tenant system administrator can change vlan assignment beyond the allocated tenant system. PR1422058

Multiprotocol Label Switching (MPLS)

  • RPD might restart unexpectedly when no-cspf is configured and lo0 is not included under protocol rsvp. PR1366575

Network Address Translation (NAT)

  • SRX SPC3 mix mode, NAT SPC3 core files are generated at ../sysdeps/unix/sysv/linux/raise.c:55. PR1403583

Network Management and Monitoring

  • The set system no-redirects setting does not take effect for the reth interface. PR894194

  • The chassisd might crash and restart after the AGENTX session timeout between master(snmpd) and sub-agent. PR1396967

Platform and Infrastructure

  • In chassis cluster redundancy group failover scenario, on SRX5600 and 5800 platforms, if the failover is caused by interface monitoring failure, the failover on Packet Forwarding Engine side (that is, data plane) might be slow (for example, impact on BFD session up to several seconds). This issue might result in protocol and traffic outage. PR1385521

  • The flowd process might crash if there are too many IPsec tunnels PR1392580

  • Complete device outage might be seen when an SPU VM core file is generated. PR1417252

  • Some applications might not be installed during upgrade from lower version which does not support FreeBSD 10 to FreeBSD 10(based system). PR1417321

  • On SRX Series devices, flowd process stops might be seen. PR1417658

  • Routing Engine CPU utilization is high and eventd process is consuming a lot of resources. PR1418444

  • On SRX4600 device, commit failed while configuring 2047 VLAN IDs on the reth interface. PR1420685

Routing Policy and Firewall Filters

  • Memory leak in nsd prevents change from taking effect. PR1414319

  • The flowd process (responsible for traffic forwarding in SRX Series devices) stops on SRX Series devices while deleting a lot of policies from Junos Space. PR1419704

  • A commit warning will now be presented to the user when a traditional policy is placed below a unified policy. PR1420471

  • The dynamic-address summary's IP entry count does not include IP entries in root logical system. PR1422525

  • If restarting NSD fails, there is no any indication or symptom, and users don’t know it. So a new alarm is added to indicate this failure. PR1422738

  • The ipfd generates a core file while scaling cases 6-1. PR1431861

Unified Threat Management (UTM)

  • Whitelist/blacklist does not work for HTTPS traffic going through Web proxy. PR1401996

  • On SRX Series devices, when configuring Enhanced Web Filtering on the CLI, the autocomplete function did not properly handle or suggest custom categories. PR1406512

  • On SRX Series devices, when using Unified Policies and Web filtering (EWF) without SSL proxy, the Server Name Indication (SNI) might not be identified correctly and the RT_UTM logs were recording incomplete information. PR1410981

  • Unable to achieve better Avira AV TP on SRX4600 due to reaching mbuf high watermark. PR1419064

  • UTM Web filtering status shows down when using Hostname [routing-instance synchronization failure]. PR1421398

  • When using Unified Policies, the base-filter for certain UTM profiles might not be applied correctly. PR1424633

  • The custom-url-categories are now pushed correctly to the Packet Forwarding Engine under all circumstances. PR1426189

User Interface and Configuration

  • Tenant system administrator cannot view the configuration with Empty Database message when configuring tenant system using groups. PR1422036

VPNs

  • On SRX1500 device, when configuring IPsec VPN and BGP simultaneously, the kmd process might stop and generate a core file if BGP peers reach approximately 350. All of the VPN tunnels will be disconnected during the pause. PR1336235

  • SPC3 IKE SA detail output is not showing proper traffic statistics. PR1371638

  • The pkid process might stop after RG0 failover. PR1379348

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, the show security ike security-association detail command does not display local IKE-ID field correctly. PR1388979

  • A few VPN tunnels do not forward traffic after RG1 failover. PR1394427

  • The kmd process might stop when SNMP polls for the IKE SA. PR1397897

  • VPN tunnels flap after adding or deleting a configuration group in edit private mode on a clustered setup. PR1400712

  • Syslog is not generated when IKE gateway rejects duplicate IKE ID connection. PR1404985

  • Idle IPsec VPN tunnels without traffic and with ongoing DPD probes can be affected during RG0 failover. PR1405515

  • Not all the tunnels are deleted when authentication algorithm in IPsec proposal is changed. PR1406020

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, the incoming packet's flow context information is not reset correctly when the packet is dropped in IPsec acceleration module. This will cause subsequent packets to be incorrectly processed as IPsec packets and results in the crash. To address this issue, SRX Series device now resets the flow context before dropping the packet in all relevant modules including IPsec acceleration module. PR1407910

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds. PR1409855

  • Traffic drops on peer due to bad SPI after first reauthentication. PR1412316

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when SRX Series device is configured to initiate IKEv2 reauthentication when NAT traversal is active, occasionally reauthentication might fail. PR1414193

  • The flowd/srxpfe process might stop when traffic selector is used for IPsec VPN PR1418984

  • The show security ike sa detail command shows incorrect value in IPSec security associations column. PR1423249

  • On the SRX5000 line of devices with SPC3, with P2MP and IKEv1 configured, if negotiation fails on the peer device, then multiple IPSec SA entries are created on the device if the peer keeps triggering new negotiation. PR1432852

  • On SRX Series devices with SPC3, should send IKE delete notification to peer when traffic selector configuration is changed for a specific AutoVPN. PR1426714

  • The kmd process stops and generates a core file after running the show security ipsec traffic-selector command. PR1428029

  • IPsec rekey triggers for when sequence number in AH and ESP packet is about to exhaust is not working. PR1433343

Documentation Updates

There are no errata or changes in Junos OS Release 19.2R3 documentation for the SRX Series.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one Junos OS Release to the next release or one release after the next release. For example you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3 and so on.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.