Junos OS Release Notes for SRX Series
These release notes accompany Junos OS Release 19.2R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.
What’s New
Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.
New and Changed Features: 19.2R3
There are no new features in Junos OS Release 19.2R3 for the SRX Series devices.
New and Changed Features: 19.2R2
Intrusion Detection and Prevention (IDP)
HTTP X-Forwarded-For header support in IDP (SRX Series)—Starting in Junos OS Release 19.2R2, we've introduced the log-xff-header option to record X-Forwarded-For header (xff-header) information. When this option is enabled, IDP saves the source IP addresses (IPv4 or IPv6) carried in the header contexts of HTTP and SMTP traffic during the flow and displays them in attack logs.
The xff-header is not processed unless it’s enabled through sensor-configuration.
To enable the xff-header, use the set security idp sensor-configuration global log-xff-header command.
To disable the xff-header, use the delete security idp sensor-configuration global log-xff-header command.
Previously, the originating source address was hard to identify when clients reached the Internet through a transparent proxy (commonly deployed to reduce external bandwidth use), because the proxy replaced the client's source IP address with its own, so only the proxy address appeared in IDP attack logs. Note that any client can insert an X-Forwarded-For header of its own; the logged address is only as reliable as the proxy that appended it.
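The following is an added example, not Juniper code and not part of these release notes: it shows how a consumer of X-Forwarded-For values (such as the IDP attack logs described above, or a SIEM that ingests them) should decide which address to treat as the originating client. The proxy address ranges and header values are constructed for the example; the rule it implements is that only hops appended by proxies you operate are trustworthy, and everything to their left is an unverified claim.

```python
"""Added example, not Juniper code: deciding which address in an
X-Forwarded-For (XFF) header is worth logging as the originating client.
Any client can send an XFF header, so only the hops appended by proxies you
control are trustworthy; everything to the left of them is an unverified claim.
The proxy ranges and header values below are constructed for the example."""
import ipaddress

# Constructed (assumption): address ranges of the transparent proxies we operate.
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("2001:db8:100::/48"),
)


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def parse_xff(header_value):
    """Split an XFF value into ip_address objects, left (client) to right
    (nearest proxy). The header is attacker-controlled, so malformed entries
    are dropped instead of raising and breaking the log pipeline."""
    hops = []
    for raw in header_value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith("[") and "]" in raw:      # [v6]:port form
            raw = raw[1:raw.index("]")]
        elif raw.count(":") == 1:                   # v4:port form
            raw = raw.split(":", 1)[0]
        try:
            hops.append(ipaddress.ip_address(raw))
        except ValueError:
            continue
    return hops


def originating_client(peer_ip, header_value):
    """Address to record as the originating client for peer_ip's connection.

    Walk the chain from the right: while the current hop is a trusted proxy,
    step to the address it says it received from. The first untrusted address
    is the most reliable claim available; anything further left was inserted
    by a party we do not trust. If the peer itself is untrusted, the header is
    ignored entirely and the peer address is returned.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted_proxy(peer):
        return peer
    candidate = peer
    for hop in reversed(parse_xff(header_value)):
        candidate = hop
        if not is_trusted_proxy(hop):
            break
    return candidate


if __name__ == "__main__":
    # Constructed header whose leftmost entry was spoofed by the client.
    print(originating_client("10.1.1.1", "1.2.3.4, 203.0.113.7, 10.2.2.2"))
```

Run stand-alone, the example prints 203.0.113.7: the spoofed 1.2.3.4 to its left was not written by a trusted proxy and is discarded, and a header arriving from an untrusted peer is ignored altogether.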
New and Changed Features: 19.2R1-S1
Routing Protocols
Decouple RSVP for IGP-TE (MX Series, PTX Series, ACX Series, QFX Series, SRX Series, and EX Series)—Starting in Junos OS Release 19.2R1-S1, devices can advertise selected traffic-engineering attributes, such as admin-color and maximum-bandwidth, without enabling RSVP, for segment routing and interior gateway protocol (IGP) deployments.
New and Changed Features: 19.2R1
Application Security
Application-based multipath support (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 19.2R1, application-based multipath routing is supported on SRX Series devices.
Multipath routing allows the sending device to create copies of packets and to send each copy through two or more WAN links. On the other end, multipath calculates the jitter and packet loss for the combined links and estimates the jitter and packet loss for the same traffic on individual links. You can compare the reduction in packet loss when combined links instead of individual links are used. Sending multiple copies of traffic ensures timely delivery of the sensitive application traffic.
Multipath support in SD-WAN use cases enhances application experience.
Application-level logging for AppQoE (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 19.2R1, SRX Series devices support application-level logging for AppQoE. This feature reduces the impact on the CSO or log collector device while processing a large number of system log messages generated at the session-level. The SRX Series device maintains session-level information and provides system log messages for the session level. Replacing session-level logging with application-level logging decreases the overhead on the SRX Series device and increases AppQoE throughput.
[See AppQoE.]
Secure Web proxy (SRX Series and vSRX)—Starting in Junos OS Release 19.2R1, SRX Series devices support secure Web proxy service.
The secure Web proxy feature enables you to specify dynamic Web applications for which the system performs proxy service. In this deployment, the SRX Series device receives a request from the client, examines the HTTP header for the application, and redirects the request directly to the webserver based on the application.
As a result, the SRX Series device performs transparent proxy between the client and the webserver for the specified applications and provides better quality of service for the application traffic.
[See SSL Proxy.]
Application identification of micro-applications (SRX Series, vSRX)—Starting in Junos OS Release 19.2R1, SRX Series devices support micro-applications with the application identification (AppID) feature.
AppID detects the applications at the subfunction level on your network and the security policy leverages the application identity information determined from the AppID module. After a particular application is identified, an action such as permit, deny, reject, or redirect is applied to the traffic according to the policy configured on the device.
[See Application Identification.]
JDPI-Decoder engine version upgrade (SRX Series)—Starting in Junos OS Release 19.2R1, the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) engine comes with a default application signature package version 999 that includes the protobundle version 1.380.0-64.005 and the JDPI-Decoder engine version 5.3.0-56. You can also upgrade the application signature package when a new signature package version is available.
Flow-Based and Packet-Based Processing
PowerMode IPsec fragment support (SRX4100, SRX4200, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 19.2R1, PowerMode IPsec (PMI) is enhanced to handle the incoming and outgoing fragment packets in first path or fast path processing.
PMI supports first path and fast path processing both for fragment handling and for unified encryption. You can enable PowerMode IPsec processing by using the set security flow power-mode-ipsec command.
Multiple J-Flow servers (SRX Series)—In earlier releases, J-Flow version 9 on SRX Series devices could export flow records to only one collector. Starting in Junos OS Release 19.2R1, you can configure up to four collectors under a family.
The Packet Forwarding Engine exports flow records, flow record templates, option data, and option data templates to up to four collectors under a family. All collectors under a family must use the same mapped template and the same export version.
Per-flow CoS support for GTP-U in PMI mode (SRX5000 line of devices with SPC3)— Starting in Junos OS Release 19.2R1, Junos OS supports per-flow CoS functions for GTP-U traffic in PowerMode IPsec (PMI) mode. This feature introduces tunnel endpoint identifier (TEID)-based hash distribution for creating GTP-U sessions to multiple cores on the anchor PIC when both PMI and IPsec session affinity are enabled. TEID-based hash distribution helps split a fat GTP session into multiple slim GTP sessions and process them on multiple cores in parallel. With this enhancement, per-flow CoS for GTP-U traffic is enabled even when the traffic carries multiple streams with different DSCP code within one GTP tunnel.
Intrusion Detection and Prevention (IDP)
Support for IDP intelligent inspection (SRX Series and vSRX)—Starting in Junos OS Release 19.2R1, you can enable IDP intelligent inspection and tune it dynamically to reduce the IDP inspection load. IDP intelligent inspection helps the device recover from an overload state when CPU and memory usage exceed the configured thresholds. Prior to Junos OS Release 19.2R1, when the device exceeded the configured CPU and memory thresholds, IDP either rejected or ignored new sessions.
[See IDP Intelligent Inspection.]
Juniper Sky ATP
Juniper Sky ATP Support for Encrypted Traffic Inspection and Server Name Identification—Starting in Junos OS 19.2, SRX Series devices support inspection of encrypted traffic (HTTPS) in security-intelligence policies. Server name identification (SNI) checks are also supported. Note that these changes do not introduce any new CLI commands. All existing commands and configurations can make use of this expanded functionality.
Junos Telemetry Interface
Support for JTI (SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 19.2R1, you can stream statistics through the Junos telemetry interface (JTI) to an outside collector using remote procedure call (gRPC) services. gRPC is a protocol for configuration and retrieval of state information.
JTI supports the following sensors:
Log messages (resource path /junos/events)
Border Gateway Protocol (BGP) peer information (resource path /network-instances/network-instance/protocols/protocol/bgp/)
Memory utilization for a routing protocol task (resource path /junos/task-memory-information/)
Operational state of hardware components (resource path /components/)
Operational state of the AE interface (resource path /lacp/)
Operational state of Ethernet interfaces enabled with Link Layer Discovery Protocol (LLDP) (resource path /lldp/)
Address Resolution Protocol (ARP) statistics (resource path /arp-information/)
Routing Engine internal interfaces, such as fxp0, em0, and em1 (resource path /interfaces/interface[name='interface-name']/)
Network Discovery Protocol (NDP) table state (resource path /nd6-information/)
NDP router advertisement statistics (resource path /ipv6-ra/)
Intermediate System to Intermediate System (IS-IS) protocol statistics (resource path /network-instances/network-instance/protocols/protocol/isis/levels/level/)
IS-IS protocol (resource path /network-instances/network-instance/protocols/protocol/interfaces/interface isis/levels/level/)
[See Guidelines for gRPC Sensors (Junos Telemetry Interface).]
J-Web
Threats Map (Live) (SRX Series except SRX5000 line of devices and vSRX)—Starting in Junos OS Release 19.2R1, you can monitor Threat Maps (Live). You can view blocked and allowed threat events based on feeds from intrusion prevention systems (IPSs), antivirus, antispam engines, Juniper Sky ATP, and screen options. You can also choose a country and view the total threat events for that country since midnight, followed by the number of inbound and outbound threat events, and see the top five IP addresses, either inbound or outbound. With View Details, you can see the additional details of the selected country.
[See Monitor Threats Map (Live).]
Quick Setup wizard enhancement (SRX Series except SRX5000 line of devices)—Starting in Junos OS Release 19.2R1, after the Quick Setup configuration is completed, you see a notification message when you access J-Web again through a new browser tab or window using the configured IPv4 or IPv6 address.
Getting Started panel (SRX Series)—Starting in Junos OS Release 19.2R1, you have quick access to the important configurations using a Getting Started panel on the J-Web UI. For logical systems users and tenant users, this option is available only in SRX1500, SRX4100, SRX4200, SRX4600, and SRX5000 line of devices.
By default, this panel appears when you log in. If you choose Don’t show this again, then you can access this panel using the help (?) icon.
HA Mode wizard (SRX Series)—Starting in Junos OS Release 19.2R1, you can configure a chassis cluster using the new HA Mode wizard when the devices are in the factory-default state. When the devices are already in the network, you can create the cluster with the same wizard from Configure > Device Settings > Cluster (HA) Setup.
IPS sensor enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, you can configure the IPS sensor using the following settings:
Basic—Supports protection mode, IDP intelligent inspection, and basic IDP flow configuration.
Advanced—Supports IDP flow, global, IPS, log, reassembler, and packet log configuration.
Detectors settings—Supports the configuration for a specific service. You can also add or edit the configuration inline.
Active Directory enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, for SRX4200, SRX1500, SRX550M, and vSRX, and for the SRX5000 and SRX300 lines of devices, you can configure the integrated user firewall in a maximum of two domains. For the other SRX Series devices, you can create only one domain.
[See Configuring Active Directory.]
Certificate management enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, you can configure device certificates, trusted certificate authorities (CAs), and CA groups. You can view information about the local certificates, trusted CA profiles, and CA groups configured on the device. You can manually generate a self-signed certificate, and you can enroll online, export, import, manually load, and delete a local certificate or certificate signing request (CSR).
[See Managing Device Certificates.]
Forwarding mode enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, flow mode is the default mode for processing traffic. You can now configure an SRX Series device as a border router by changing from flow-based to packet-based processing.
Dashboard enhancement (SRX Series except SRX5000 line of devices)—Starting in Junos OS 19.2R1, you can view the Web filtering, Antispam, Content filtering, Application & Users, and Threat monitoring widgets in the J-Web dashboard for root, logical systems, and tenant users.
[See Monitoring the Dashboard.]
Security policy rules enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, when you create rules for the destination traffic, you can:
Add an application or application group for a dynamic application using the Add New Application/Group button.
Add a service for Service(s) using the Add New Service button.
Monitoring firewall events enhancement (SRX Series except SRX5000 line of devices)—Starting in Junos OS Release 19.2R1, an application is displayed with the same value as its nested application (if the application supports nested applications).
[See Monitoring Firewall Events.]
Monitoring events enhancement (SRX Series except SRX5000 line of devices)—Starting in Junos OS Release 19.2R1, you can monitor the following new events:
ATP—Top Malware Source Countries, Infected File Categories, and Malwares Identified widgets are shown in the chart view and detailed advanced anti-malware (AAMW) logs are shown in the grid view.
Security Intelligence—Top Infected Hosts and C&C Servers widgets are shown in the chart view and detailed secintel logs are shown in the grid view.
Screens—Top Screen Attacks, Screen Victims, and Screen Hits widgets are shown in the chart view and detailed screen logs are shown in the grid view.
[See Monitoring ATP Events, Monitoring Security Intelligence Events, and Monitoring Screen Events.]
Juniper Sky ATP enrollment enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, you can view the detailed enrollment steps on the SKY ATP Enrollment page.
[See Sky ATP Enrollment.]
Link aggregation enhancement (Standalone SRX Series)—Starting in Junos OS Release 19.2R1, VLAN tagging is enabled by default when you add an AE interface.
OSPF enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, you can configure OSPF area in two ways:
Basic—You can add new routing instances.
Advanced—You can group a policy and trace options.
VLAN enhancement (SRX Series)—Starting in Junos OS Release 19.2R1, Bridge domain is the new name for VLANs in Layer 2 transparent mode. You can assign an interface for the created VLANs. You can view all the available VLANs with their IDs, interfaces assigned, and status.
Logical Systems and Tenant Systems
Starting in Junos OS Release 19.2R1, the following features that are supported on the logical systems are now extended to tenant systems:
Default routing-instance support for tenant systems (SRX Series)—Starting in Junos OS Release 19.2R1, you can use the ping, telnet, ssh, traceroute, show arp, clear arp, show ipv6 neighbors, and clear ipv6 neighbors commands to pass the virtual router configured in a tenant system as a default routing instance.
[See Tenant Systems Overview.]
UTM support for tenant systems (SRX Series)—Starting in Junos OS Release 19.2R1, SRX Series devices support unified threat management (UTM) on tenant systems. Use the set utm default-configuration command under the [edit security] hierarchy level to create a default UTM profile for tenant systems. Configure policies, profiles, and custom objects for each tenant system in the UTM profile.
[See UTM for Tenant Systems.]
On-box logging support for tenant systems (SRX Series)—Starting in Junos OS Release 19.2R1, SRX Series devices support on-box logging configurations for each tenant system, and handle logs based on these configurations. Configure the set log mode event and set log mode stream commands under the [edit security] hierarchy level to enable on-box logging. Tenant systems also support binary format log in event mode.
IDP for tenant systems (SRX Series and vSRX)—Starting in Junos OS Release 19.2R1, tenant systems support intrusion detection and prevention (IDP). The IDP policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a tenant system.
[See IDP for Tenant Systems.]
Network Management and Monitoring
Support for displaying valid user input in the CLI for command options and configuration statements in custom YANG data models (SRX Series)—Starting in Junos OS Release 19.2R1, the CLI displays the set of possible values for a given command option or configuration statement in a custom YANG data model when you include the action-expand extension statement in the option or statement definition and reference a script that handles the logic. The action-expand statement must include the script child statement, which defines the Python action script that is invoked when a user requests context-sensitive help in the CLI for the value of that option or statement.
Security
Support to configure micro-applications in a unified policy (SRX Series and vSRX)—Starting in Junos OS Release 19.2R1, you can configure micro-applications in a unified policy. Micro-applications are subfunctions of a particular application.
You can configure micro-applications at the same hierarchy as predefined dynamic applications in a security policy and take the action based on the policy rules.
Unified Threat Management (UTM)
SRX5K-SPC3 support for the Avira scan engine in the antivirus module (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 19.2R1, SRX Series devices support the on-device Avira antivirus scan engine. The on-device Avira scan engine scans data against the virus pattern database. The antivirus scan engine is provided as a unified threat management (UTM) module that you can download and install on an SRX Series device either manually or over the Internet from a Juniper Networks-hosted URL or a user-hosted URL.
Note The SRX5000 line of devices with SRX5K-SPC-4-15-320 or SRX5K-SPC-2-10-40 cards do not support the on-device antivirus Avira scan engine.
VPN
PIM using point-to-multipoint mode support for AutoVPN and Auto Discovery VPN (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, and vSRX)—Starting in Junos OS Release 19.2R1, Protocol Independent Multicast (PIM) using point-to-multipoint (P2MP) mode supports AutoVPN and Auto Discovery VPN in which a new p2mp interface type is introduced for PIM. The p2mp interface tracks all PIM joins per neighbor to ensure that multicast forwarding or replication happens only to those neighbors that are in joined state. In addition, the PIM using point-to-multipoint mode supports chassis cluster mode.
[See Multicast Overview, Understanding AutoVPN, Understanding Auto Discovery VPN, and Understanding Multicast Routing on a Chassis Cluster.]
PowerMode IPsec for NAT-T (SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 19.2R1, SRX Series devices equipped with SRX5K-SPC3 Services Processing Cards (SPCs) support PowerMode IPsec (PMI) for Network Address Translation-Traversal (NAT-T).
IPsec Distribution Profile (SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 19.2R1, you can manage tunnel distribution through the configuration. You create a profile for a VPN object to handle the distribution of its tunnels; in the profile, specify the slot and thread-id to which tunnels from the VPN object should be distributed. The same profile can be used for different VPN objects.
To add profiles for distributing IPsec SAs, use the new distribution-profile profile-name statement.
[See IPsec Distribution Profile and distribution-profile.]
Anti-replay window (SRX5000 line of devices with SPC3 cards)—Starting in Junos OS Release 19.2R1, you can configure the anti-replay window size in the range 64 to 8192 (powers of 2). If you do not configure the anti-replay window size, the default window size remains 64.
To configure the window size, use the new anti-replay-window-size option.
[See Replay Protection.]
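To make the window-size trade-off concrete, here is an added example that is not Juniper code and not part of these release notes: an ESP-style anti-replay sliding window in the spirit of RFC 4303 Appendix A. It shows why a packet that arrives far behind the newest one is dropped with the default 64-entry window but accepted with a larger one (the reason to raise the size on paths where QoS reorders traffic), and what the known-limitation entries for the SPC3 sequence-number reset describe: once the peer's counter restarts from 1, everything it sends falls below the receiver's window and is dropped as too old. The sequence numbers are constructed.

```python
"""Added example, not Juniper code: an ESP-style anti-replay sliding window in
the spirit of RFC 4303 Appendix A. It is here to show concretely why a larger
window matters for reordered traffic and what happens when a peer's sequence
counter restarts from zero. Sequence numbers below are constructed."""


class AntiReplayWindow:
    def __init__(self, size=64):
        # Same constraint the release notes give: a power of two from 64 to 8192.
        if size < 64 or size > 8192 or size & (size - 1):
            raise ValueError("window size must be a power of two in 64..8192")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen
        self.started = False

    def check_and_update(self, seq):
        """Return (accepted, reason). Accepting marks seq as seen, so a
        replayed copy with the same sequence number is rejected afterwards."""
        if seq == 0:
            return (False, "sequence number 0 is never valid")
        if not self.started:
            self.top, self.bitmap, self.started = seq, 1, True
            return (True, "first packet")
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                      # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return (True, "advanced window")
        diff = self.top - seq
        if diff >= self.size:
            return (False, "below window: too old, or peer counter restarted")
        if (self.bitmap >> diff) & 1:
            return (False, "replay")
        self.bitmap |= 1 << diff
        return (True, "inside window")


def late_packet_accepted(size, newest_seq, late_seq):
    """Is a packet `late_seq`, arriving after `newest_seq`, still accepted?"""
    w = AntiReplayWindow(size)
    w.check_and_update(newest_seq)
    return w.check_and_update(late_seq)[0]


def after_peer_counter_reset(size, newest_seq):
    """Receiver has already seen `newest_seq`; the peer's counter restarts at 1
    (the failure mode in PR1433568). Returns the accept result per packet."""
    w = AntiReplayWindow(size)
    w.check_and_update(newest_seq)
    return [w.check_and_update(s)[0] for s in (1, 2, 3)]


if __name__ == "__main__":
    print(late_packet_accepted(64, 5000, 4000))    # False: 1000 behind, window 64
    print(late_packet_accepted(8192, 5000, 4000))  # True
    print(after_peer_counter_reset(64, 5000))      # [False, False, False]
```

A larger window costs only memory (one bit per entry) and does not weaken replay protection, since every sequence number inside the window is still tracked individually; it only widens how far out of order a legitimate packet may arrive.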
What's Changed
Learn about what changed in Junos OS main and maintenance releases for SRX Series.
Release 19.2R3-S2 Changes in Behavior and Syntax
Interfaces and Chassis
Unable to Upgrade a Chassis Cluster Using In-Service Software Upgrade (SRX5400)—In chassis cluster mode, the backup router destination addresses for IPv4 and IPv6, configured with edit system backup-router address destination <destination-address> and edit system inet6-backup-router address destination <destination-address>, must not be the same as an interface address configured with edit interfaces interface-name unit logical-unit-number family inet address ipv4-address or edit interfaces interface-name unit logical-unit-number family inet6 address ipv6-address; otherwise the in-service software upgrade (ISSU) of the cluster fails.
Release 19.2R3 Changes in Behavior and Syntax
General Routing
Advertising /32 secondary loopback addresses to traffic engineering database as prefixes (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—We've made changes to export multiple loopback addresses to the lsdist.0 and lsdist.1 routing tables as prefixes. This eliminates the issue of advertising secondary loopback addresses as router IDs instead of prefixes. In earlier releases, we added multiple secondary loopback addresses in the traffic engineering database to the lsdist.0 and lsdist.1 routing tables as part of node characteristics and advertised them as the router ID.
Repetition of WALinuxAgent logs causing file size increase (vSRX 3.0)—The Azure WALinuxAgent performs the provisioning job for vSRX instances. When a new vSRX instance is deployed, the continually growing waagent log file might cause the vSRX to stop. If the vSRX is still operating, delete /var/log/waagent.log directly or run the clear log waagent.log all command to clear the log file. Alternatively, run the set groups azure-provision system syslog file waagent.log archive size 1m and set groups azure-provision system syslog file waagent.log archive files 10 commands to keep the waagent log from growing. These configurations rotate the waagent log once it exceeds 1 MB and keep at most 10 archived copies.
[See vSRX with Microsoft Azure.]
Juniper Extension Toolkit (JET)
Set the trace log to only show error messages (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series)—You can set the verbosity of the trace log to show only error messages using the error option at the [edit system services extension-service traceoptions] hierarchy level.
Network Management and Monitoring
Packet Forwarding Engine data display command (SRX Series)— Starting in Junos OS Release 19.2R3, you can now view the Packet Forwarding Engine data using the usp flow config and usp flow stats options for the show pfe data command.
Juniper Sky ATP
Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 19.2R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).
Release 19.2R2 Changes in Behavior and Syntax
Authentication and Access Control
Enhanced user firewall support—In Junos OS Release 19.2R2, on SRX300 line devices with eUSB storage (SRX300, SRX320, SRX340, and SRX345), the SRX Series user firewall (UserFW) module tries to synchronize user entries from the domain controller or Juniper Identity Management Service (JIMS) after booting up. If the historical login events have already expired on the domain controller, the UserFW module cannot retrieve those user entries after it boots up.
[See User Authentication Entries in the ClearPass Authentication Table.]
SSH protocol version v1 option deprecated from CLI (SRX Series)—Starting in Junos OS Release 19.2R2, we've removed the insecure SSH protocol version 1 (v1) option from the [edit system services ssh protocol-version] hierarchy level. SSH protocol version 2 (v2) remains the default option for remotely managing systems and applications. With the v1 option removed, Junos OS is compatible with OpenSSH 7.4 and later versions.
Junos OS releases earlier than Release 19.2R2 continue to support the v1 option for remotely managing systems and applications.
[See protocol-version.]
Enabling and disabling SSH login password or challenge-response authentication (SRX Series)—Starting in Junos OS Release 19.2R2, you can disable either the SSH login password or challenge-response authentication at the [set system services ssh] hierarchy level.
In Junos OS releases earlier than 19.2R2, you can enable or disable both SSH login password and challenge-response authentication simultaneously at the [set system services ssh] hierarchy level.
[See Configuring SSH Service for Remote Access to the Router or Switch.]
Security
Clear the Don't Fragment flag in the packet IP header (SRX Series and vSRX)—Starting in Junos OS Release 19.2R2, we've introduced the clear-dont-frag-bit option at the [edit security alg alg-manager] hierarchy level to clear the Don't Fragment (DF) flag in the packet IP header, which allows the packet to be fragmented after NAT is performed.
In Junos OS releases earlier than Release 19.2R2, when an ALG performs payload NAT, the packet sometimes becomes larger than the maximum transmission unit (MTU) of the outgoing interface. If the DF flag is set in the packet IP header, the packet cannot be fragmented and therefore cannot be sent out. Note that clearing DF disables path MTU discovery for that packet, so fragmentation then happens wherever the MTU is exceeded.
[See alg-manager.]
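The following added example is not Juniper code and does not show how the SRX implements clear-dont-frag-bit; it shows, at the packet level, what clearing the DF bit entails: the flag is bit 14 of the IPv4 flags/fragment-offset field, and because the header changes, the header checksum must be recomputed or every downstream hop will discard the packet. The sample packet is constructed for the example.

```python
"""Added example, not Juniper code: clearing the IPv4 Don't Fragment (DF) bit
in a packet header and recomputing the header checksum, which is what must
happen for a post-NAT packet larger than the egress MTU to be fragmentable.
The sample packet is constructed here for the example."""
import struct

DF_FLAG = 0x4000   # bit 14 of the 16-bit flags/fragment-offset field (RFC 791)


def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum over a header whose checksum field
    is zero. Over a header with a valid checksum in place the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def df_set(packet):
    return bool(struct.unpack("!H", packet[6:8])[0] & DF_FLAG)


def checksum_ok(packet):
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(bytes(packet[:ihl])) == 0


def clear_df_bit(packet):
    """Return a copy of `packet` with DF cleared and the checksum fixed up.
    Only the header changes; options and payload are passed through."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    header = bytearray(packet[:ihl])
    flags_frag = struct.unpack("!H", header[6:8])[0]
    if not flags_frag & DF_FLAG:
        return bytes(packet)                       # nothing to do
    struct.pack_into("!H", header, 6, flags_frag & (0xFFFF ^ DF_FLAG))
    struct.pack_into("!H", header, 10, 0)          # zero before recomputing
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + bytes(packet[ihl:])


def build_sample_packet():
    """Constructed sample: minimal 20-byte IPv4/UDP header with DF set and an
    8-byte dummy payload (addresses taken from documentation ranges)."""
    payload = b"\x00" * 8
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, DF_FLAG, 64, 17, 0,
        bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])))
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    out = clear_df_bit(pkt)
    print(df_set(pkt), df_set(out), checksum_ok(out))   # True False True
```

The function is idempotent, leaves the Total Length, Identification, and More Fragments fields untouched, and refuses anything that is not a complete IPv4 header rather than guessing at it.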
Release 19.2R1 Changes in Behavior and Syntax
Application Security
Starting in Junos OS Release 19.2R1, the SSL decryption mirroring feature is supported on redundant Ethernet (reth) interface on SRX Series devices operating in a chassis cluster.
Ethernet Switching and Bridging
Support for double tagged VLANs being pushed out the egress interface (SRX300, SRX320, SRX340, SRX345, SRX550, and SRX1500)—Starting in Junos OS Release 19.2R1, in a Q-in-Q scenario, double tagged VLANs are pushed out the egress interface. In previous releases, when two VLANs were added at the ingress interface, with the native-vlan-id vlan-id assigned to the user-to-network interface (UNI) interface and the vlan-id vlan-id-list assigned to the network-to-network interface (NNI) interface, the VLAN with the native-vlan-id tag did not exit from the egress interface. Now both VLAN tags exit from the egress interface.
Flow-Based and Packet-Based Processing
Power Mode IPsec (SRX Series)—On SRX Series devices, when Power Mode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands do not count or display the packets processed within Power Mode IPsec, because these packets do not traverse the regular flow path.
Network Management and Monitoring
The show system schema command and <get-yang-schema> RPC require specifying an output directory (SRX Series)—Starting in Junos OS Release 19.2R1, when you issue the show system schema operational mode command in the CLI or execute the <get-yang-schema> RPC in a remote session to retrieve schema files, you must specify the directory in which to generate the output files by including the output-directory command option in the CLI or the <output-directory> element in the RPC. In earlier releases, you could omit the output-directory argument when requesting a single module, in which case the module was displayed in standard output.
Custom YANG RPC support for input parameters of type empty (SRX Series)—Starting in Junos OS Release 19.2R1, custom YANG RPCs support input parameters of type empty when executing the RPC's command in the Junos OS CLI, and the value passed to the action script is the parameter name. In earlier releases, input parameters of type empty are only supported when executing the RPC in a NETCONF or Junos XML protocol session, and the value passed to the action script is the string 'none'.
[See Creating Action Scripts for YANG RPCs on Devices Running Junos OS.]
NSD Restart Failure Alarm (SRX Series)—Starting in Junos OS Release 19.2R1, a system alarm is triggered when the Network Security Process (NSD) is unable to restart due to the failure of one or more NSD subcomponents. The alarm logs about the NSD are saved in the messages log. The alarm is automatically cleared when NSD restarts successfully.
The show chassis alarms and show system alarms commands are updated to display the following alarm text when NSD is unable to restart: NSD fails to restart because subcomponents fail.
[See Alarm Overview.]
VPNs
Certificate revocation list (SRX Series)—In earlier releases, local certificates were validated against the certificate revocation list (CRL) even when the CRL check was disabled. Starting in Junos OS Release 19.2R1, disabling the CRL check in the Public Key Infrastructure (PKI) configuration stops this validation: when the CRL check is disabled, PKI no longer validates local certificates against the CRL. Be aware that a revoked local certificate is then no longer detected by PKI, so disable the check only where revocation status is not relied on.
[See revocation-check (Security PKI) and Understanding Online Certificate Status Protocol and Certificate Revocation Lists.]
Known Limitations
Learn about known limitations in this release for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
J-Web
CLI terminal is not working in Java version 1.8 because of a security restriction in the running applet. PR1341956
After you generate the Default Trusted CA profile group under Certificate Management>Trusted Certificate Authority in J-Web, J-Web does not display the CA profile group local under Certificate Management>Certificate Authority Group page. PR1424131
The CA profile group imported using J-Web does not populate the group on the Certificate Authority Group initial landing page grid, but all the CA profiles of a group are populated on the Trusted Certificate Authorities landing page. PR1426682
Country logo is not displaying in Threats Map page and Events page for some countries. Time slider is not displayed properly in Screen/ATP/Security Intelligence events pages. PR1435124
VPNs
In the HA design for SRX Series devices, the antireplay window is synchronized to the backup only when the total incoming packet count is an odd multiple of 128 packets. When a failover occurs, the antireplay bitmap is not synchronized. Again, when the node comes back online, the SA is installed but the antireplay bitmap is reset to 0 along with the in and out sequence number. PR1420521
In a chassis cluster, ESP or AH packet sequence number is not synchronized to the backup node after the backup node is rebooted. PR1433424
On the SRX5000 line of devices with SPC3 installed, the IPsec VPN antireplay sequence number might be reset to zero after the crash of the SPC3 card or the flowd process. Traffic drop is seen due to the mismatch of the sequence number. PR1433568
Per tunnel debugging configuration is not synchronized to backup node. It needs to be configured again after RG0 failover. PR1450393
Open Issues
Learn about open issues in this release for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Chassis Clustering
When a GTP profile with the same name is deleted and then added again, the profile ID changes. If the profile is referenced by a policy, you need to reconfigure the policy's application binding; otherwise, GTP will not work as you expect. PR1409213
Flow-Based and Packet-Based Processing
On an SRX4600 device, when the next hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725
On SRX5400, SRX5600, and SRX5800 devices with SPC3, it is possible that when multiple core files are generated in quick succession, the cold-sync-monitored status is displayed and cannot be removed even though cold-sync has finished. You must reboot the affected node to recover. PR1403000
Automatic completion is not working on proxy terminator profile name. PR1424822
The syslog severity level of the message subtype end of policy is set to error, although this message can be ignored. PR1435233
Some packets are dropped due to the FPGA issue. PR1443600
SSL-based AppID simplification effort (removal of HTTPS, POP3S, IMAPS, SMTPS). PR1444767
A TCP session does not time out properly upon receiving a TCP RESET packet; the session timeout does not change to two seconds. PR1467654
Intrusion Detection and Prevention (IDP)
On SRX Series devices, commit or show command for IDP might not work if SNMP queries are run when large-scale IDP is used. PR1444043
J-Web
Because set chassis auto-image-upgrade is present in the factory configuration, you cannot skip from the phone-home page to J-Web; the error Bootstrap is in progress, Can't Skip!! is displayed. PR1420888
SECINTEL_ACTION_LOG events with subcategories such as Infected-Hosts and C are not shown in the Juniper Sky ATP threat count on the Monitor>Threats Map page in J-Web. PR1425795
On SRX Series devices, until Junos OS Release 19.2, the phone-home UI portal is displayed by default. The J-Web UI should be the default page launched when the device is in the factory-default state. PR1428717
Country logo is not displaying in Threats Map page and Events page for some countries. Time slider is not displayed properly in Screen/ATP/Security Intelligence events pages. PR1435124
Platform and Infrastructure
Under certain heavy traffic conditions, the srxpfe process might crash and result in a denial-of-service (DoS) condition on the SRX1500 device. Repeated crashes of srxpfe can result in an extended DoS condition. The SRX Series device might fail to forward traffic when this condition occurs. PR1277363
CDN-based dynamic application classification has been deprecated in this release. To restore the previous behavior, configure set services application-identification enable-cdn-application-detection. PR1375442
Routing Policy and Firewall Filters
If a very large number of policies is configured on SRX Series devices and some of the policies are changed, traffic that matches the changed policies might be dropped. PR1454907
VPNs
On SRX Series devices, if multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector is rekeyed at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. New negotiation of these traffic selectors is triggered through other mechanisms, such as traffic or the peer. PR1287168
VPN tunnels flap after a group is added or deleted in edit private mode in a clustered setup. PR1390831
On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334
On the SRX5000 line of devices with SPC3 cards, the IKE SA sometimes is not seen on the device when the st0 binding in the VPN configuration object is changed from one interface to another (for example, from st0.x to st0.y). PR1441411
In an IPsec VPN scenario on SRX5400, SRX5600, and SRX5800 platforms, the IKED treats retransmitted IKE_INIT request packets as new connections when the SRX Series device acts as the responder in the IKE negotiation. This causes IKE tunnel negotiation to fail, and IPsec VPN traffic might be impacted. PR1460907
The SRX5000 line of devices with SPC3 did not support simultaneous IKE negotiation in Junos OS Releases 19.2, 19.3, 19.4, and 20.1. PR1497297
Resolved Issues
Learn which issues were resolved in Junos OS main and maintenance releases for SRX Series devices. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Resolved Issues: 19.2R3
Chassis Clustering
If a cluster ID of 16 or multiples of 16 is used, the chassis cluster might not come up. PR1487951
Flow-Based and Packet-Based Processing
The output of show security group-vpn server statistics | display xml is not in the expected format. PR1349959
ECMP load balancing does not happen when RG1 node 0 is secondary. PR1475853
The flowd or srxpfe process might stop when a user firewall local authentication table entry is deleted. PR1477627
MPCs might stop when there is a bulk route update failure in a corner case. PR1478392
In the Web proxy, a memory leak occurs in the association hash table and the DNS hash table. PR1480760
A GRE or IPsec tunnel might not come up when the set security flow no-local-favor-ecmp command is configured. PR1489276
Outbound SSH connection flapping or a memory leak might be observed when configuration is pushed to the ephemeral database at a high rate. PR1497575
Traffic interruption happens due to MAC address duplication between two Junos OS devices. PR1497956
Do not use uppercase characters for source-identity when using the show security match-policies command. PR1499090
J-Flow v9 does not display the correct outgoing interface for APBR traffic. PR1502432
Interfaces and Chassis
All interfaces remain down after the SRX300 line of devices powers up or reboots. PR1488348
Continuous drops are seen in control traffic when data queues are high on one SPC2 PIC. PR1490216
Intrusion Detection and Prevention (IDP)
IDP's custom-attack time-binding interval command was mistakenly hidden within the CLI. PR1506765
J-Web
The J-Web users might not be able to configure PPPoE using PPPoE wizard. PR1502657
Multiprotocol Label Switching (MPLS)
BGP session might keep flapping between two directly connected BGP peers because of the incorrect use of the TCP-MSS. PR1493431
Platform and Infrastructure
Packets get dropped when next hop is IRB over LT interface. PR1494594
Routing Policy and Firewall Filters
TCP proxy was mistakenly engaged in unified policies when Web filtering was configured in potential match policies. PR1492436
Traffic fails to hit the policies with match source-end-user-profile. PR1505002
Routing Protocols
The BGP route-target family might prevent RR from reflecting Layer 2 VPN and Layer 3 VPN routes. PR1492743
VPNs
With the NCP remote access solution, in a PathFinder case (for example, where IPsec traffic has to be encapsulated in TCP packets), TCP encapsulation of transit traffic fails. PR1442145
On SRX Series devices with SPC3, when overlapping traffic selectors are configured, multiple IPsec SAs are negotiated with the peer device. PR1482446
Resolved Issues: 19.2R2
Application Layer Gateways (ALGs)
Unexpected forwarding sessions sometimes appear for tenant SIP ALG traffic across tenants. PR1409748
The H.323 connection might not be established when the H.323 packet passes through SRX Series devices twice through different virtual routers. PR1436449
On the SRX5000 line of devices, an H.323 call with NAT64 cannot be established. PR1462984
The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942
SIP messages that need to be fragmented might be dropped by SIP ALG. PR1475031
Application Security
The AAMW diagnostic script generates an incorrect error: Error: Platform does not support SkyATP: srx300. PR1423378
Automatic application-identification download stops after a year rollover and a reboot. PR1436265
The flowd or srxpfe process might crash when advanced anti-malware service is used. PR1437270
The applications that get declassified in the middle of a session are not identified properly. PR1437816
Unable to get more than 60 Gbps of AppQoS throughput. PR1439575
The flowd process core files might be seen when the traffic hits an AppQoS policy. PR1446080
Authentication and Access Control
The CPU utilization of uacd is high, about 100 percent, in the output of show chassis routing-engine. PR1424971
The srxpfe or flowd process might stop if a UAC policy is removed. PR1437892
Same-source IP sessions are cleared when the IP entry is removed from the UAC table. PR1457570
Chassis Clustering
IP monitoring might fail on the secondary node. PR1468441
The chassis cluster failover to the secondary node does not happen after the Packet Forwarding Engine stops on the primary node. PR1451091
Hardware failure is seen on both nodes in the output of show chassis cluster status. PR1452137
On SRX Series devices with chassis cluster, the control link remains up even though the control link is actually down. PR1452488
An unhealthy node might become primary on SRX4600 devices in a chassis cluster scenario. PR1474233
Class of Service (CoS)
Frequent issuance of the show class-of-service spu statistics command causes the rtlogd process to become busy. PR1438747
The CoS rewrite rule does not work for the st0 interface. PR1439401
Flow-Based and Packet-Based Processing
Throughput or latency performance of all traffic drops when TCP traffic is passing through the device. PR1403727
Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093
Blacklist compilation failures are reported. PR1418980
Group VPN IKE security associations cannot be established before RG0 failover. PR1419341
SSL proxy did not correctly warn users about unsupported certificates. PR1419485
The trusted-ca and root-ca names or IDs should not be the same within an SSL proxy configuration. PR1420859
Sessions fail to clear on SPC2 with the error message error: usp_ipc_client_recv_:ipc_pipe_read() failed read timed out after 5 second(s). PR1426090
When configuring a GRE tunnel (GRE-over-IPsec-tunnel) or an IPsec tunnel on an SRX Series device, the MTU of the tunnel interface is calculated incorrectly. PR1426607
Junos OS: SRX1500: Denial of service due to crash of srxpfe process under heavy traffic conditions. (CVE-2019-0050) PR1428657
The X2 traffic cannot be encrypted after the traffic is decrypted when PMI is enabled. PR1429473
The flowd process might stop on the SRX5000 line of devices. PR1430804
VPN traffic fails after primary node reboot or power off. PR1433336
Intermittent packet drop might be observed if IPsec is configured. PR1434757
Traffic drops when the session key rolls over between primary and fallback more than 10 times. PR1435277
The second IPsec ESP tunnel might not be able to establish between two IPv6 IKE peers. PR1435687
Control logical interface is not created by default for LLDP. PR1436327
On an SRX4600 device, core file generation might be observed and the SPM might be in the present state. PR1436421
The ipfd process might crash when SecIntel is used. PR1436455
Some webpages cannot be fully rendered. PR1436813
When running SSL proxy on the firewall, the locally generated certificate is not validated by OpenSSL client. PR1436831
Packet reordering does not work when traffic is sent over an IPsec tunnel with session affinity. PR1436720
Decryption traffic doesn’t take PMI path after IPsec rekey (initiated by peer) when loopback interface is configured as external interface. PR1438847
The flowd process stops and generates a core file when processing SSL proxy traffic. PR1437783
Member information for dynamically created VLANs is not displayed in the show VLANs output. PR1438153
The probe of Ethernet switching always shows down in a chassis cluster scenario. PR1438277
The flowd process stops and generates core files. PR1438445
Security logs cannot be sent to the external syslog server through TCP. PR1438834
When llmd is rotating the database, there is a possibility of reading a NULL database at the same time, which generates core files. PR1439186
The LACP MUX state is stuck in Attached after disabling peer active members when link protection is enabled locally along with force-up. PR1439268
The IKE pass-through packet might be dropped after the source address has been changed. PR1440605
While checking the flow session XML for source NAT under a tenant, there is no value identifier for tenant-name (<tenant></tenant>). PR1440652
Performance improvements were made to Screens, which benefit multisocket systems. PR1440677
Support inspection for pass-through IP-IP tunnel traffic on TAP mode. PR1441226
SPC2 wrongly forwarded packet to SPC3 core0 and core14. PR1441234
A new CLI option shows only useful group information for an Active Directory user. PR1442567
The SRX300 line of devices does not have a MIB that can retrieve the fan status. PR1443649
In the BERT test for the E1 interface, the bit count is not within range. PR1445041
Junos OS: SRX5000 Series: flowd process crash due to receipt of specific TCP packet (CVE-2019-0064) PR1445480
There is no active connection with Juniper Sky ATP server. PR1446481
The flowd process might stop on SRX Series devices when chassis cluster and IRB interface are configured. PR1446833
J-Flow version 5 stops working after changing the input rate value. PR1446996
Packet loss happens during cold synchronization from secondary node after rebooting. PR1447122
The SPC3 talus FPGA is stuck on the 0x3D or 0x69 golden version. PR1448722
Host-inbound or host-outbound traffic on a VR does not work when the SRX5000 line of devices operates in SPC3 mixed mode. PR1449059
SPU priority does not work when PMI is enabled on the SRX5000 line of devices with an SPC3 card. PR1449587
All ingress packets are dropped if the traffic transit network is also the same network for LTE mPIM internal management. PR1450046
On SRX Series devices with SSL proxy service used, a memory leak issue might occur, which results in the flowd or srxpfe process stopping. PR1450829
AAWM policy rules for IMAP traffic sometimes might not get applied when passed through an SRX Series device. PR1450904
FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122
Traffic forwarding on Q-in-Q port and VLAN tagging is not observed properly on R0. PR1451474
The rpd process might stop and restart and an rpd core file is generated when committing the configuration. PR1451860
Update SRX300 traffic default logging to stream mode. PR1453074
The fxp0 interface might redirect packets not destined to itself. PR1453154
Introduction of default inspection limits for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180
The SRX Series devices stop and generate several core files. PR1455169
When you try to reset the system configuration on an SRX1500 device using the reset config button, it does not work properly. PR1458323
The security flow traceoptions log fills with RTSP ALG-related information. PR1458578
Optimizations were made to improve the connections-per-second performance of SPC3. PR1458727
The SRX Series device might not be reachable when the offline command is initiated for a PIC. PR1459037
The security-intelligence CC feed does not block HTTPS traffic based on SNI. PR1460384
The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619
The srxpfe or flowd process might stop if the sampling configuration is changed. PR1462610
The tunnel packets might be dropped because the gr0.0 or st0.0 interface is wrongly calculated after a GRE or VPN route change. PR1462825
A core file might be generated when you perform an ISSU on SRX Series devices. PR1463159
Fragmented traffic might get looped between the fab interface in a rare case. PR1465100
The PKI daemon keeps leaking memory on SRX Series devices. PR1465614
HTTP block message stops working after SNI check for HTTPS session. PR1465626
Loading CA certificate causes PKI daemon core file to be generated. PR1465966
The jbuf process usage might increase up to 99 percent after Junos OS upgrade. PR1467351
The rpd process might stop after several changes to the flow-spec routes. PR1467838
Packet Forwarding Engine might generate core files because SSL proxy is enabled on NFX Series and SRX Series devices. PR1467856
Server unreachable is detected; ensure that port 443 is reachable. PR1468114
Tail drop on all ports is observed when any switch-side egress port gets congested. PR1468430
FTP data connection might be dropped if SRX Series devices send the FTP connection traffic through the dl interface. PR1468570
RPM test probe fails to show that round-trip time has been exceeded. PR1471606
On SRX Series devices, Packet Forwarding Engine memory might be used up if the security intelligence feature is configured. PR1472926
Support LLDP protocol on reth interface. PR1473456
A certificate error occurs during configuration validation in a Junos OS upgrade. PR1474225
Packet drop might be observed on the SRX300 line of devices when adding or removing an interface from MACsec. PR1474674
Stateful firewall rule configuration deletion might lead to memory leak. PR1475220
Recent changes to JDPI's classification mechanism caused a considerable performance regression (more than 30 percent). PR1479684
The flowd or srxpfe process might crash when advanced anti-malware services are used. PR1480005
IMAP curl sessions stuck in the active state if AAMW IMAP block mode is configured. PR1484692
The show chassis temperature-thresholds command displays a lot of FPC 0 output. PR1485224
After installation through the boot loader in a cluster setup, the primary node cannot proceed with the commit. PR1487831
If a cluster-id of 16 or multiples of 16 is used, the cluster might not come up. PR1487951
On SRX1500, CPU board inlet increases after Junos OS upgrade from Junos OS Release 15.1X49 to Junos OS Release 18.x. PR1488203
Risk of service interruption on SRX Series devices with a dual-stacked CA server. PR1489249
Installation and Upgrade
SPMC version mismatch errors after Junos OS install using USB method. PR1437065
Junos OS upgrade fails when partition option is used on SRX Series devices. PR1449728
Interfaces and Chassis
Both nodes in the SRX Series chassis cluster go into DB mode after downgrading to Junos OS Release 18.1. PR1407295
An MTU change after a CFM session is up can impact Layer 2 Ethernet ping (loopback messages). If the new value is less than the value at the initial incarnation, Layer 2 Ethernet ping fails. PR1427589
LFM remote loopback is not working as expected. PR1428780
The LACP interface might flap if performing a failover. PR1429712
Certain interfaces might drop all unicast traffic when LTE PIM is used. PR1430403
Static route through dl0.0 interface is not active. PR1465199
MAC limiting on Layer 3 routing interfaces does not work. PR1465366
Intrusion Detection and Prevention (IDP)
The flowd or srxpfe process stops and generates core files when processing IDP packets. PR1416275
NSD fails to push the security zone to the Packet Forwarding Engine after a reboot if there is an active IDP rule configured with an FQDN. PR1420787
The flowd or srxpfe process stops and generates core files. PR1437569
Updating the IDP security package offline might fail on SRX Series devices. PR1466283
J-Web
Some error messages might be seen when using J-Web. PR1446081
The idle-timeout for J-Web access does not work properly. PR1446990
J-Web fails to display the traffic log in event mode when stream mode host is configured. PR1448541
Editing destination NAT rule in J-Web introduces a nonconfigured routing-instance field. PR1461599
Layer 2 Ethernet Services
DHCP requests might get dropped in a DHCP relay scenario. PR1435039
The metric does not change when configured under DHCP. PR1461571
Network Address Translation (NAT)
The nsd process might stop when SNMP queries deterministic NAT pool information. PR1436775
Core files are generated when NAT PBA is used in AA mode. PR1443148
RTSP resource session is not found during NAT64 static mapping. PR1443222
On SRX5000 line of devices with SPC3 card, when using source NAT, under high traffic load, a small fraction of TCP-SYN packets might be dropped due to the source NAT port failing to be allocated. Also, the NAT pool resources might leak over time. PR1443345
Packet loss happens during cold synchronization from the secondary node after rebooting. PR1448252
A port endian issue in SPU messages between SPC3 and SPC2 results in one redundant NAT binding being created in central point when one binding is allocated in SPC2 SPC. PR1450929
Packet loss is observed when multiple source NAT pools and rules are configured. PR1457904
The flowd or srxpfe process might stop when traffic is processed by both ALGs and NAT. PR1471932
Issuing the show security nat source paired-address command might return an error. PR1479824
Network Management and Monitoring
MIB OID dot3StatsDuplexStatus shows the wrong status. PR1409979
The snmpd process might generate core files after the NSD process is restarted by using the restart network-security gracefully command. PR1443675
Control links are logically down on SRX Series devices with chassis cluster running Junos OS Release 12.3X48. PR1458314
The flowd or srxpfe process might stop immediately after committing the jflowv9 configuration or after upgrading to affected releases. PR1471524
SNMP trap coldStart agent-address becomes 0.0.0.0. PR1473288
Platform and Infrastructure
Memory leak might occur on the data plane during composite next-hop installation failure. PR1391074
The show security flow session command fails with error messages when SRX4600 has over a million routing entries. PR1408172
On SRX4600 platform, when manual RG0 failover is performed, sometimes node0 (the original primary node) stays in secondary-hold status for a long time and cannot change back to secondary status. PR1421242
SPC in slot1 of node0 remained in offline state for more than 1 hour after the cluster was upgraded from Junos OS Release 18.2R2-S1.3 to Junos OS Release 18.2X41.1. PR1423169
Packet drops, replication failure, or ksyncd stops might be seen on the logical system of a Junos OS device after Routing Engine switchover. PR1427842
The PICs might go offline and split brain might be seen when interrupt storm happens on internal Ethernet interface em0 or em1. PR1429181
Packet loss is caused by FPGA back pressure on SPC3. PR1429899
REST API does not work properly. PR1430187
Packet Forwarding Engine pause might be seen on the SRX1500 device. PR1431380
The false license alarm might be seen even if there is a valid license. PR1431609
When changing the decrypt mirror interface in the SSL proxy service configuration, it does not reflect properly in the Packet Forwarding Engine. PR1434595
On SRX4100 and SRX4200 devices, when LACP is configured on the reth interface, the interface flaps when Routing Engine is busy. PR1435955
LACP traffic is distributed evenly on ingress child links but not on egress links. PR1437098
The ksyncd process might crash and restart on SRX Series devices. PR1440576
The chassis cluster might get stuck in the CS FL state after rebooting. PR1440938
The configured RPM probe server hardware timestamp does not respond with correct timestamp to the RPM client. PR1441743
The RPM udp-ping probe does not work in a multiple routing instance scenario. PR1442157
ARP resolution might fail after ARP HOLD NHs are added and deleted continuously. PR1442815
On the SRX300 line of devices, the interface LED does not work properly. PR1446035
The show security flow session command fails with error messages when SRX4100 or SRX4200 has around 1 million routing entries in FIB. PR1445791
LACP cannot work with the encapsulation flexible-ethernet-services configuration. PR1448161
On certain MPC line cards, cm errors need to be reclassified. PR1449427
The REST API process becomes unresponsive when many requests arrive at a high rate. PR1449987
Traffic loss might occur when there are around 80,000 routes in FIB. PR1450545
Modifying the REST configuration might cause the system to become unresponsive. PR1461021
VM core files might be generated if the configured sampling rate is more than 65,535. PR1461487
On the SRX300 line of devices, the Authentication-Table might load slowly while user identification is in use. PR1462922
The AE interface cannot be configured on an SRX4600 device. PR1465159
On SRX1500 and the SRX4000 line of devices, physically disconnecting the cable from fxp0 interface causes hardware monitor failure and redundancy group failover, when the device is the primary node in a chassis cluster. PR1467376
The RGx might fail over after RG0 failover in a rare case. PR1479255
Routing Policy and Firewall Filters
The NSD process might stop due to a memory corruption issue. PR1419983
The ipfd generates a core file while scaling cases 6-1. PR1431861
An SRX1500 device allows only a maximum of 256 policies with counting enabled. PR1435231
Two ipfd processes appear in the ps command output and the process pauses. PR1444472
During commit, the nsd_vrf_group_config_lsys log messages are displayed. PR1446303
Security policies cannot synchronize between Routing Engine and Packet Forwarding Engine on SRX Series devices. PR1453852
Traffic log shows wrong custom-application name when the alg ignore option is used in application configuration. PR1457029
The NSD process might get stuck and cause problems. PR1458639
Some domains are not resolved by the SRX Series devices when using DNS address book. PR1471408
The count option in security policy does not take effect even if the policy count is enabled. PR1471621
Support for dynamic tunnels on SRX Series devices was mistakenly removed. PR1476530
Routing Protocols
SSH login might fail if a user account exists in both local database and RADIUS or TACACS+. PR1454177
The rpd might stop when both instance-import and instance-export policies contain as-path-prepend action. PR1471968
The routing protocol process (rpd) crashes while processing a specific BGP update information. PR1448425
Receipt of certain genuine BGP packets from any BGP speaker causes rpd to crash. PR1497721
Services Applications
The flowd process stops when SRX5800 devices operate in SPC3 mixed mode with 1 SPC3 card and 7 SPC2 cards. PR1448395
Unified Threat Management (UTM)
The command show security utm web-filtering status now provides additional context when the status of EWF is down. PR1426748
A memory issue occurs due to the SSL proxy whitelist or whitelist URL category. PR1430277
Adjust core allocation ratio for on-box antivirus. PR1431780
On SRX Series devices, memory might leak if Websense Redirect Web Filtering is configured. PR1445222
Increase the scale number of UTM profile or policy for the SRX1500 device, and the SRX4000 and SRX5000 lines of devices. PR1455321
The utmd process might pause after deactivating the UTM configuration when predefined category upgrading is used. PR1478825
VPNs
IPsec SAs are inconsistent on the SPCs of node0 and node1 in SRX Series devices with chassis cluster. PR1351646
After RG1 failover, the IKE phase 1 SA is cleared. PR1352457
With a large number of IPsec tunnels established, a few tunnels might fail during rekey negotiation if the SRX Series device initiates the rekey. PR1389607
IPsec VPN is missing half of the IKE SAs, and the IPsec SA shows an incorrect port number when scaling to 1000 IKEv1 AutoVPN tunnels. PR1399147
The IKE and IPsec configuration under groups is not supported. PR1405840
On SRX5400, SRX5600, and SRX5800 devices with SPC3, when the SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, the IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds. PR1409855
The established tunnels might remain unchanged when an IKE gateway is changed from AutoVPN to Site-to-Site VPN. PR1413619
The iked process might crash due to misconfiguration in the IPsec VPN network. PR1416081
The IKED process might stop when IKE and IPsec SA rekey happen simultaneously. PR1420762
The VPN tunnel might flap when IKE and IPsec rekey happen simultaneously. PR1421905
Old tunnel entries might be observed in the output of the show security IPsec SA or IKE SA commands. PR1423821
The show security ipsec statistics command output displays a buffer overflow and wraps around at the 4,---,---,--- count. PR1424558
IPsec packet throughput might be impacted if NAT-T is configured and post-fragmentation occurs. PR1424937
The tunnel does not come up after changing configurations from IPv4 to IPv6 tunnels in the script, with a gateway lookup failed error. PR1431265
The P1 configuration delete message is not sent when loading a baseline configuration if there has been a prior change in the VPN configuration. PR1432434
On the SRX5000 line of devices with SPC3, with P2MP and IKEv1 configured, if negotiation fails on the peer device, multiple IPsec SA entries are created on the device if the peer keeps triggering new negotiations. PR1432852
IPsec rekey is not triggered when the sequence number in AH and ESP packets is about to be exhausted. PR1433343
P1 or P2 SAs are deleted after RG0 failover. PR1433355
IPsec SA in and out key sequence number updates are missing after cold synchronization. PR1433424
The sequence number resets to zero while recovering the SA after SPC3 or flowd stops or reboots. PR1433568
The kmd log shows resource temporarily unavailable repeatedly and VPNs might be down. PR1434137
On SRX Series devices, fragments exit VPN traffic earlier than required by ingress packet sizes. PR1435700
The IKED stops on the SRX5000 line of devices with SPC3 when IPsec VPN or IKE is configured. PR1443560
IPsec VPN traffic drop might be seen on SRX Series platforms with NAT-T scenario. PR1444730
After a long time (a few hours) of traffic during a mini PDT test, the number of IPsec tunnels is much higher than expected. PR1449296
Some IPsec tunnels flap after RGs fail over on the SRX5000 line of devices. PR1450217
The VPN flaps on the primary node after a reboot of the secondary node. PR1455389
IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951
IPsec VPN tunnels randomly lose routes for the traffic selector while the tunnel is still up, causing a complete outage. PR1456301
Traffic is not sent out through an IPsec VPN after update to Junos OS Release 18.2 or later. PR1461793
The IPsec VPN tunnels cannot be established if overlapped subnets are configured in traffic selectors. PR1463880
IPsec tunnels might lose connectivity on SRX Series devices after chassis cluster failover when using AutoVPN point-to-multipoint mode. PR1469172
The kmd process might crash continually after the chassis cluster failover in the IPsec ADVPN scenario. PR1479738
Resolved Issues: 19.2R1
Application Firewall
Permit rules fail to match in an Application Firewall (AppFW) rule set. PR1404161
Application Identification
IDP installation fails on the secondary node due to an AI installation failure. PR1336145
Application Layer Gateways (ALGs)
DNS requests with the EDNS option might be dropped by the DNS ALG. PR1379433
On all SRX Series platforms, SIP/FTP ALG does not work when SIP traffic with source NAT goes through the SRX Series devices. PR1398377
The TCP rst packet is dropped when any TCP proxy-based feature and rst-invalidate-session are enabled simultaneously. PR1430685
Chassis Clustering
The SNMP trap sends wrong information with manual failover. PR1378903
Traffic with domain name address might fail for 3-5 minutes after RG0 failover on SRX Series platforms. PR1401925
The flowd process stops when updating or deleting a GTP tunnel. PR1404317
In mixed mode (SPC3 coexisting with SPC2 cards), high availability (HA) IP monitoring fails on the secondary node with a secondary arp entry not found error. PR1407056
The SRX Series devices might be potentially overwritten with an incorrect buffer address when detailed logging is configured under the GTPv2 profile. PR1413718
Starting with Junos OS Release 18.4, at most 6 PDN connections can be contained in a PDP context response; otherwise, the response is dropped. PR1422877
Memory leaks might be seen in the jsqlsyncd process on SRX chassis clusters. PR1424884
RG0 failover sometimes causes the FPC status to show offline or present. PR1428312
Flow-Based and Packet-Based Processing
Control traffic loss might be seen on SRX4600 platform. PR1357591
On SRX1500 devices, the activity LED (right LED) for 1-Gigabit Ethernet/10-Gigabit Ethernet port is not on although traffic is passing through that interface. PR1380928
The password recovery menu does not show up on SRX Series devices. PR1381653
Large file downloads slow down for many seconds. PR1386122
On the SRX300 line of devices, the default configuration changed. PR1393683
Switching interface mode between family ethernet-switching and family inet/inet6 might cause traffic loss. PR1394850
SRX Series devices should not strip the VLAN tag added by the native-vlan-id command. PR1397443
Increase DAG feed scale number to 256 from 63. PR1399314
CPU is hitting 100 percent with fragmented traffic. PR1402471
On SRX5400, SRX5600, and SRX5800 devices with SPC3, when PowerMode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands will not count or display the number of packets processed within PowerMode IPsec, because these packets do not go through regular flow path. PR1403037
Downloads might stall and/or completely fail when utilizing services that are reliant on TCP proxy. PR1403412
The flowd process stops and all cards are brought offline. PR1406210
The RG1 failover does not happen immediately when the SPC3 card crashes. PR1407064
The flowd process might crash if enable-session-cache knob is configured under the SSL termination profile. PR1407330
Support for LAG interface with PowerMode IPsec. PR1407231
The kernel might stop on the secondary node when committing the set system management-instance command. PR1407938
On SRX1500 platform, traffic is blocked on all interfaces after configuring interface-mac-limit on one interface. PR1409018
Memory leak might occur if AAMW is enabled. PR1409606
Packets might get dropped in chassis cluster Z mode with local interface configured. PR1410233
Session capacity of SRX340 does not match SRX345. PR1410801
While PMI is on, the IPsec encrypted statistics shown on the Routing Engine by the show security ipsec statistics command no longer work for fragmented packets. PR1411486
PEM 0 or PEM 1 or FAN, I2C failure major alarm might be set and cleared multiple times. PR1413758
HA packets might be dropped on SRX5000 line of devices with IOC3 or IOC2 cards. PR1414460
On SRX1500, SRX4100, SRX4200, SRX4600, and SRX5000 line of devices with SPC3 card, if SSL proxy is configured, the firewall FPC CPU might spike above 80 percent and traffic might be lost. PR1414467
Any traffic originated from the device itself might be dropped in the IPsec tunnel. PR1414509
The input and output bytes or bps statistic values might not be identical for the same size of packets. PR1415117
The reth interfaces are now supported when configuring SSL decryption mirroring (mirror-decrypt-traffic interface). PR1415352
Force clearing Client Session from flow does not clean up Proxy session. PR1415756
Traffic would be dropped if SOF is enabled in a chassis cluster in active/active mode. PR1415761
Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093
The flowd process stops on the SRX5000 Series or SRX4000 lines of devices when large-size packets go through IPsec tunnel with the post-fragment check. PR1417219
TCP segmented client side session fails to create transparent proxied relay session, and session stays idle. PR1417389
Best path selected keeps changing at regular intervals even when no violation is reported. PR1417926
Traffic might be lost on the SRX Series device if IPsec session affinity is configured with ipsec-performance-acceleration command. PR1418135
Group VPN IKE security-associations can not establish before RG0 failover. PR1419341
On all SRX Series devices, if the traffic-log feature is configured, logs might incorrectly display IPv4 addresses in IPv6 format. PR1421255
The show security flow session session-identifier <sessID> command does not work if the session ID is larger than 10M on the SRX4600 platform. PR1423818
The tunnel-id information is displayed in the flow session. PR1423889
The bypass-on-dns-cache-miss command is replaced with the drop_on_dns_error command in the Web proxy profile. If drop_on_dns_error is not set and a DNS failure occurs for a session, that session passes through in bypass mode. If drop_on_dns_error is set and a DNS failure occurs for a session, that session is dropped by the Web proxy plug-in. PR1430425
Support IPv6 session through Web proxy. PR1433088
Applications that get declassified in the middle of a session are not identified properly. PR1437816
Partial traffic might get dropped on an existing LAG. PR1423989
Alarms due to high temperature are raised when operating within expected temperatures. PR1425807
PIM neighbors might not come up on an SRX Series chassis cluster. PR1425884
The IPsec traffic going through SRX5000 line of devices with SPC2 cards installed causes SPU CPU utilization to be high. PR1427912
Uneven distribution of CPU with high PPS on device. PR1430721
SRX550M running Junos OS Release 18.4R1 shows a PEM 1 output failure message, whereas with Junos OS Release 15.1X49 or Junos OS Release 18.1R3.3 it does not show any alarms. PR1433577
Some webpages cannot be fully rendered. PR1436813
Infrastructure
Increase in Junos OS image size for Junos OS Release 19.1R1. PR1423139
Interfaces and Routing
On SRX4600 platform, the 40-Gigabit Ethernet might flap continuously by MAC local fault. PR1397012
SRX Series devices cannot obtain IPv6 address through DHCPv6 when using a PPPoE interface with a logical unit number greater than 0. PR1402066
Intrusion Detection and Prevention (IDP)
IDP might crash with the custom IDP signature. PR1390205
Unable to configure dynamic-attack-group command. PR1418754
Installation and Upgrade
ISSU failed from Junos OS Release 18.3R1.9 to Junos OS Release 18.4R1.4. PR1405556
SRX1500 devices running Junos OS Release 15.1X49-D160 cannot be upgraded or downgraded successfully to any release built before 17 February 2019. PR1407556
J-Web
In the J-Web dashboard, the Security Resources widget did not display absolute values. PR1372826
J-Web now supports defining SSL-Proxy and redirect (block page) profiles when a policy contains dynamic applications. PR1376117
Configuring using the CLI editor in J-Web generates an mgd core file. PR1404946
The httpd-gk process stops, leading to dynamic VPN failures and high Routing Engine CPU utilization (100 percent). PR1414642
Risk report, when generated in IE browser, appears completely out of alignment and XML tags are displayed. PR1415767
J-Web configuration change for an address set using the search function results in a commit error. PR1426321
J-Web does not work when logged in as a read-only user. PR1428520
IRB interface is not available in zone option of J-Web. PR1431428
Logical Systems and Tenant Systems
Tenant system administrator can change vlan assignment beyond the allocated tenant system. PR1422058
Multiprotocol Label Switching (MPLS)
RPD might restart unexpectedly when no-cspf is configured and lo0 is not included under protocol rsvp. PR1366575
Network Address Translation (NAT)
In SRX SPC3 mixed mode, NAT SPC3 core files are generated at ../sysdeps/unix/sysv/linux/raise.c:55. PR1403583
Network Management and Monitoring
The set system no-redirects setting does not take effect for the reth interface. PR894194
The chassisd process might crash and restart after the AgentX session times out between the master (snmpd) and the sub-agent. PR1396967
Platform and Infrastructure
In a chassis cluster redundancy group failover scenario on SRX5600 and SRX5800 platforms, if the failover is caused by an interface monitoring failure, the failover on the Packet Forwarding Engine side (that is, the data plane) might be slow (for example, BFD sessions can be affected for several seconds). This issue might result in protocol and traffic outages. PR1385521
The flowd process might crash if there are too many IPsec tunnels. PR1392580
Complete device outage might be seen when an SPU VM core file is generated. PR1417252
Some applications might not be installed during an upgrade from a lower version that does not support FreeBSD 10 to a FreeBSD 10-based system. PR1417321
On SRX Series devices, the flowd process might stop. PR1417658
Routing Engine CPU utilization is high and eventd process is consuming a lot of resources. PR1418444
On SRX4600 device, commit failed while configuring 2047 VLAN IDs on the reth interface. PR1420685
Routing Policy and Firewall Filters
Memory leak in nsd prevents change from taking effect. PR1414319
The flowd process (responsible for traffic forwarding in SRX Series devices) stops on SRX Series devices while deleting a lot of policies from Junos Space. PR1419704
A commit warning will now be presented to the user when a traditional policy is placed below a unified policy. PR1420471
The dynamic-address summary's IP entry count does not include IP entries in root logical system. PR1422525
If restarting NSD fails, there is no indication or symptom, so users do not know about it. A new alarm is now added to indicate this failure. PR1422738
The ipfd generates a core file while scaling cases 6-1. PR1431861
Unified Threat Management (UTM)
Whitelist/blacklist does not work for HTTPS traffic going through Web proxy. PR1401996
On SRX Series devices, when configuring Enhanced Web Filtering on the CLI, the autocomplete function did not properly handle or suggest custom categories. PR1406512
On SRX Series devices, when using Unified Policies and Web filtering (EWF) without SSL proxy, the Server Name Indication (SNI) might not be identified correctly and the RT_UTM logs were recording incomplete information. PR1410981
Unable to achieve better Avira AV TP on SRX4600 due to reaching mbuf high watermark. PR1419064
UTM Web filtering status shows down when using Hostname [routing-instance synchronization failure]. PR1421398
When using Unified Policies, the base-filter for certain UTM profiles might not be applied correctly. PR1424633
The custom-url-categories are now pushed correctly to the Packet Forwarding Engine under all circumstances. PR1426189
User Interface and Configuration
The tenant system administrator cannot view the configuration and sees an Empty Database message when configuring the tenant system using groups. PR1422036
VPNs
On SRX1500 device, when configuring IPsec VPN and BGP simultaneously, the kmd process might stop and generate a core file if BGP peers reach approximately 350. All of the VPN tunnels will be disconnected during the pause. PR1336235
SPC3 IKE SA detail output is not showing proper traffic statistics. PR1371638
The pkid process might stop after RG0 failover. PR1379348
On SRX5400, SRX5600, and SRX5800 devices with SPC3, the show security ike security-association detail command does not display local IKE-ID field correctly. PR1388979
A few VPN tunnels do not forward traffic after RG1 failover. PR1394427
The kmd process might stop when SNMP polls for the IKE SA. PR1397897
VPN tunnels flap after adding or deleting a configuration group in edit private mode on a clustered setup. PR1400712
Syslog is not generated when IKE gateway rejects duplicate IKE ID connection. PR1404985
Idle IPsec VPN tunnels without traffic and with ongoing DPD probes can be affected during RG0 failover. PR1405515
Not all the tunnels are deleted when authentication algorithm in IPsec proposal is changed. PR1406020
On SRX5400, SRX5600, and SRX5800 devices with SPC3, the incoming packet's flow context information is not reset correctly when the packet is dropped in IPsec acceleration module. This will cause subsequent packets to be incorrectly processed as IPsec packets and results in the crash. To address this issue, SRX Series device now resets the flow context before dropping the packet in all relevant modules including IPsec acceleration module. PR1407910
On SRX5400, SRX5600, and SRX5800 devices with SPC3, when SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds. PR1409855
Traffic drops on peer due to bad SPI after first reauthentication. PR1412316
On SRX5400, SRX5600, and SRX5800 devices with SPC3, when SRX Series device is configured to initiate IKEv2 reauthentication when NAT traversal is active, occasionally reauthentication might fail. PR1414193
The flowd/srxpfe process might stop when a traffic selector is used for IPsec VPN. PR1418984
The show security ike sa detail command shows incorrect value in IPSec security associations column. PR1423249
On the SRX5000 line of devices with SPC3, with P2MP and IKEv1 configured, if negotiation fails on the peer device, then multiple IPSec SA entries are created on the device if the peer keeps triggering new negotiation. PR1432852
On SRX Series devices with SPC3, an IKE delete notification should be sent to the peer when the traffic selector configuration is changed for a specific AutoVPN. PR1426714
The kmd process stops and generates a core file after running the show security ipsec traffic-selector command. PR1428029
The IPsec rekey that should be triggered when the sequence number in AH and ESP packets is about to be exhausted is not working. PR1433343
Documentation Updates
There are no errata or changes in Junos OS Release 19.2R3 documentation for the SRX Series.
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.
Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases
Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one Junos OS Release to the next release or to the one after the next release. For example, you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, from Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3, and so on.
You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
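The path-planning rule described above, as an added example that is not Juniper tooling: the release ordering is constructed from the releases named in these notes with intermediate releases omitted, the thresholds MAX_SPAN and MAX_EEOL_STEPS are this example's reading of the policy text, and the greedy chaining of supported steps is an assumption.

```python
"""Upgrade-path planner for the EEOL upgrade/downgrade policy.

Added example, not Juniper tooling. The release ordering is constructed
from releases named in these notes (intermediate releases omitted), and the
numeric thresholds are this example's reading of the policy text.
"""
from typing import List, Optional

# Constructed ordering, oldest first; only releases named on the page.
RELEASES = ["15.1X49", "17.3", "17.4", "18.1", "18.2",
            "18.3", "18.4", "19.1", "19.2"]
# EEOL releases as listed in the policy text.
EEOL = {"15.1X49", "17.3", "17.4", "18.1", "18.2"}

MAX_SPAN = 3        # any pair: at most three releases apart (assumed reading)
MAX_EEOL_STEPS = 2  # EEOL pair: the next EEOL release or the one after


def direct_ok(src: str, dst: str) -> bool:
    """True if src -> dst is a supported single upgrade or downgrade step."""
    if src not in RELEASES or dst not in RELEASES:
        raise ValueError(f"unknown release: {src!r} or {dst!r}")
    if src in EEOL and dst in EEOL:
        eeol_order = [r for r in RELEASES if r in EEOL]
        if abs(eeol_order.index(src) - eeol_order.index(dst)) <= MAX_EEOL_STEPS:
            return True
    return abs(RELEASES.index(src) - RELEASES.index(dst)) <= MAX_SPAN


def plan_path(src: str, dst: str) -> Optional[List[str]]:
    """Releases to install in order, or None if no supported path exists.

    Greedy: each step jumps to the farthest release toward dst that is a
    supported direct step (assumption: such steps may be chained).
    """
    if src == dst:
        return [src]
    step = 1 if RELEASES.index(dst) > RELEASES.index(src) else -1
    path, cur = [src], src
    while not direct_ok(cur, dst):
        i, j = RELEASES.index(cur), RELEASES.index(dst)
        between = RELEASES[i + step:j:step]      # strictly between, in travel order
        reachable = [r for r in between if direct_ok(cur, r)]
        if not reachable:
            return None
        cur = reachable[-1]                      # farthest supported hop
        path.append(cur)
    path.append(dst)
    return path


if __name__ == "__main__":
    print(plan_path("15.1X49", "19.2"))  # → ['15.1X49', '18.1', '18.4', '19.2']
    print(plan_path("19.2", "15.1X49"))  # → ['19.2', '18.3', '17.4', '15.1X49']
```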
For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.
For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.
For information about ISSU, see the Chassis Cluster User Guide for Security Devices.