Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for SRX Series

 

These release notes accompany Junos OS Release 19.3R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.

What’s New in Release 19.3R3

There are no new features in Junos OS Release 19.3R3 for the SRX Series devices.

What’s New in Release 19.3R2

There are no new features in Junos OS Release 19.3R2 for the SRX Series devices.

What’s New in Release 19.3R1

Application Security

  • Operational commands for SSL sessions (SRX Series and vSRX)—In Junos OS Release 19.3R1, we’ve introduced new operational mode CLI commands to monitor and troubleshoot SSL-related issues.

    You can use the new show commands to display information and statistics related to SSL configurations, sessions, counters, and logs. You can also use the output of the CLI commands to understand the issue and plan the required next steps accordingly.

    [See Troubleshooting SSL Proxy.]

  • DSCP support in APBR rule (SRX Series and vSRX)—Starting in Junos OS Release 19.3R1, you can use a differentiated services Code Point (DSCP) value in an APBR rule as a match criteria to perform advanced policy-based routing. You can configure the DSCP value in addition to the other matching criteria of the APBR rule such as dynamic application and dynamic application group.

    By configuring the DSCP value in an APBR rule, you can extend the APBR service to the encrypted traffic or to the traffic with the DSCP markings.

    [See Advanced Policy-Based Routing.]

  • User-defined ICAP request header extension (SRX Series)—Starting in Junos OS Release 19.3R1, Internet Content Adaptation Protocol (ICAP) redirect adds X-Client-IP, X-Server-IP, X-Authenticated-User, and X-Authenticated-Groups header extensions in an ICAP message to provide information about the source of the encapsulated HTTP message.

    [See ICAP Service Redirect.]

Chassis Clustering

Flow-Based and Packet-Based Processing

  • Express Path (SRX4600)—Starting in Junos OS Release 19.3R1, SRX4600 devices support Express Path (formerly known as services offloading) functionality. The Express path support is already available on SRX5000 line devices.

    Express Path considerably reduces packet-processing latency.

    [See Express Path]

General Packet Radio Switching (GPRS)

  • Validate IP address in GTP messages to prevent security threats (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—In Junos OS Release 19.3R1, we’ve aligned with the GSMA FS.20 standards, which enables you to configure IP addresses in an IP group list. You can prevent a variety of attacks by validating the IP addresses of incoming and outgoing packets in GTP messages against the IP addresses configured in the IP group list.

    [See Understand Validation of IP Address in GTP Messages.]

Hardware

  • Starting with Junos OS Release 19.3R1, the following hardware is available to enhance the performance and scalability of the SRX5000 line of devices:

    • SRX5K-IOC4-10G (IOC4): SRX5K-IOC4-10G is a fourth-generation fixed-configuration I/O card with two Packet Forwarding Engines that provide 400 Gbps line rate with 40x10GbE interfaces.

    • SRX5K-IOC4-MRAT (IOC4): SRX5K-IOC4-MRAT is a fourth-generation fixed-configuration I/O card with two Packet Forwarding Engines that provide 480 Gbps (240 Gbps per PFE) line rate with 48x10GbE, 12x40GbE, or 4x100GbE interface options.

    • SRX5K-SCB4 (SCB4): The SCB4 is an enhanced Switch Control Board that provides improved fabric performance and bandwidth capabilities for high-capacity line cards using the ZF-based switch fabric. The SCB4 enables 480 Gbps throughput per SCB and can be configured with intra chassis and inter chassis redundancy.

    • SRX5K-RE3-128G (RE3): The RE3 for the SRX5000 line is, based on the Intel Haswell-EP CPU with six core processors running at 2.0 GHz and 128 GB of DDR4 memory. It provides increased control plane performance and scalability along with virtualization features in SRX5000 line chassis.

    For more information about the new hardware support and interoperability, see Cards Supported on SRX5400, SRX5600, and SRX5800 Services Gateways.

J-Web

  • Support for line cards (SRX5000 line of devices)—Starting in Junos OS Release 19.3R1, J-Web supports IOC4 and RE3 line cards for the SRX5000 line of devices and SCB4 line cards for SRX5600 and SRX5800 devices.

    [See Dashboard Overview, Monitor Ports, and About the Ports Page.]

  • New J-Web Launch Pad (SRX Series)—Starting in Junos OS Release 19.3R1, after you successfully log in to the J-Web user interface, the J-Web launch pad appears. The launch pad provides a quick view of system identification details, active users, and interface status.

    [See Explore J-Web.]

  • Improved Setup wizard (SRX Series)—Starting in Junos OS Release 19.3R1, you can configure device and users, time and DNS servers, management interface, zones and interfaces, and security policies using the Setup wizard in the factory default settings to get a fully functional device. If you do not want to perform the initial configuration, you can click Skip in the Setup wizard. You can then select Configure > Setup Wizard on the J-Web menu and perform the initial configuration.

    [See Start J-Web and Configure Setup Wizard.]

  • Simplified Juniper Sky ATP enrollment process (SRX Series)—Starting in Junos OS Release 19.3R1, you can enroll your device to Juniper Sky ATP directly through J-Web. You no longer need to switch between the Juniper Sky ATP portal and J-Web to fetch the enrollment URL and new registrations.

    [See Enroll Your Device with Juniper Sky ATP.]

  • Improved Dashboard widget categories (SRX Series)—Starting in Junos OS Release 19.3R1, you can choose any one of the following categories in the J-Web dashboard to view supported widgets on your device:

    • All Widgets

    • Applications

    • Devices

    • Security

    The dashlet data is refreshed every minute by default. You cannot manually configure the refresh interval of the dashlet. If the data is not aged in the cache, data loads from the cache during the dashlet refresh. If the data is aged, it is retrieved from the device during the next refresh interval cycle.

    [See Dashboard Overview.]

  • UTM enhancements (SRX Series)—Starting in Junos OS Release 19.3R1, the following UTM (Configure > Security Services > UTM) pages are refreshed for a seamless experience:

    • Web Filtering

    • Category Update

    • Antispam Profiles

    • Custom Objects

    [See About the Web Filtering Page, About the Category Update Page, About the Antispam Page, and About the Custom Objects Page.]

Logical Systems and Tenant Systems

  • Secure wire support for user logical system (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Junos OS Release 19.3R1 extends support for secure wire (on root logical systems) to user logical systems. You can forward traffic that arrives on a specific interface to another interface without modifying any received frames on the user logical systems.

    [See Secure Wire for Logical Systems.]

  • User firewall support in customized mode for logical systems and tenant systems (SRX Series)—Starting in Junos OS Release 19.3R1, a customized model through integrated Juniper Identity Management Service (JIMS) with active mode improves the user firewall authentication process. In this model, the logical system and tenant system extract the authentication entries from JIMS servers configured at the root level based on the logical system and tenant system names.

    [See Understanding Integrated User Firewall support in a Logical System, and Firewall Authentication for Tenant Systems.]

  • Application quality of services support for logical systems and tenant systems (SRX Series)—Starting in Junos OS Release 19.3R1, logical systems and tenant systems support application quality of services (AppQoS). You can configure a default AppQoS rule set to manage conflicts in the logical systems or tenant systems if multiple security policies match the traffic.

    [See AppQoS for Logical Systems, and AppQoS for Tenant Systems.]

Network Address Translation (NAT)

  • Support for NAT features in PMI mode (SRX5000 devices with SRX5K-SPC3 card, SRX4200, SRX4100, and vSRX)—Starting in Junos OS Release 19.3R1, you can configure all NAT features in PowerMode IPsec (PMI) mode. Configuration and operational commands for NAT remain the same for both PMI and regular mode. You can configure source NAT, destination NAT, and static NAT for both IPv4 and IPv6 traffic in PMI mode. NAT64 is not supported in PMI mode. However, NAT64 works properly in normal mode, when PMI is enabled.

    See [Introduction to NAT and Improving IPsec Performance with PowerMode IPsec.]

Network Management and Monitoring

  • Improved on-box reporting performance (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX4600, and vSRX)—Starting in Release 19.3R1, Junos OS stores logs in multiple tables instead of a single table in a database file. Each table contains the timestamp of the oldest and latest logs. When you initiate a query based on the start and end time, the local log management daemon (llmd process) finds the latest table to generate reports.

    [See Understanding On-Box Logging and Reporting.]

  • Packet capture from operational mode (SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 19.3R1, you can capture packets from operational mode without committing the configurations. You can define the packet filter to trace only a certain type of traffic, such as logical interface, protocol, source IP address prefix, source port, destination IP address prefix, and destination port. In addition, you can modify the filename, file type, file size, and capture size of the packet capture output.

    [See Packet Capture from Operational Mode.]

Platform and Infrastructure

  • New SCB, IOC, and Routing Engine improve performance and scalability (SRX5400, SRX5600, SRX5800)—In Junos OS Release 19.3R1, we’ve introduced the following new hardware to enhance the performance and scalability of our SRX5000 line of devices:

    • Switch Control Board SCB4 (model number: SRX5K-SCB4)—Supports high traffic capacity, and provides greater link speeds, fabric capacity, and improved services. The SCB4 is supported only on SRX5600 and SRX5800 devices.

    • I/O card IOC4 (model numbers: SRX5K-IOC4-MRAT and SRX5K-IOC4-10G)—Enhances processing speed, provides line rates of up to 480 Gbps per slot, and supports Media Access Control Security (MACsec).

    • Routing Engine (model number: SRX5K-RE3-128G)—Supports higher CPU speed, 128-GB RAM, a trusted platform module (TPM), and increased processing capacity.

    The IOC4 can interoperate with the SCB3, SCB4, SPC2, SPC3, IOC2, IOC3, IOC4, and the Routing Engines SRX5K-RE-1800X4 and SRX5K-RE3-128G. However:

    • The SCB4 can interoperate with all of these components except the SCB3.

    • The Routing Engine SRX5K-RE3-128G can interoperate with all of these components except the SRX5K-RE-1800X4.

    You cannot use any of these components in a chassis that has the Switch Control Board SCB2 installed. For more information about the new hardware interoperability, see Cards Supported on SRX5400, SRX5600, and SRX5800 Services Gateways.

    With the new hardware installed, the SRX5000 line of devices support the firewall and advanced security services—such as application security, unified threat management (UTM), intrusion prevention system (IPS)—and all other software features that they supported before this release, except the following:

    • Layer 2 Ethernet switching mode

    • Port mirroring

    For the complete list of features supported on the SRX5000 line of devices, see Feature Explorer.

    [See Chassis Cluster Control Plane Interfaces and show chassis hardware (View).]

Routing Protocols

  • Support for nondefault routing instance for outbound SSH (MX Series and SRX Series)—Starting in Junos OS Release 19.3R1, you can specify the name of the routing instance on which the outbound SSH connectivity needs to be established using the routing-instance statement at the [edit system services outbound-ssh] hierarchy level. If you do not specify a routing instance, your device will establish the outbound SSH connection using the default routing table.

    [See outbound-ssh, Configuring Outbound SSH Service.]

Security

  • High Availability (HA) synchronization of address name resolving cache (SRX Series and vSRX)—Starting in Junos OS Release 19.3R1, the policy DNS cache memory is synchronized into a single local DNS cache file on the HA active node and is copied to the HA backup node. This process suppresses Domain Name System (DNS) queries and responses during Network Security Process (NSD) restart. In releases before Junos OS Release 19.3R1, a few system resources become a bottleneck when a large number of DNS queries and responses are sent and received at the same time. During this period, security policies use empty source and destination addresses. Therefore, the new pass-through traffic is blocked as no policy can be matched, and flow sessions cannot be established.

    [See High Availability (HA) Synchronization of Address Name Resolving Cache.]

  • Support for bundle feeds in dynamic address groups (SRX Series and vSRX)—Starting in Junos OS Release 19.3R1, you can configure bundle feeds for dynamic address groups in a security policy. You can download a single .tgz file from the server and extract it into multiple child feed files. Each individual file corresponds to one feed. Individual dynamic-addresses reference the feed inside the bundle file.

    You can update IP addresses, IP prefixes, or IP ranges contained in a dynamic address entry periodically by downloading an external feed. SRX Series devices periodically initiate a connection to the feed server to download and update the IP lists that contain the updated dynamic addresses.

    You can configure the url option for the feed server by using the set security dynamic-address feed-server feed-server-name at the [edit] hierarchy level.

    [See Dynamic Address Groups in Security Policies.]

Juniper Sky ATP

  • Juniper Sky ATP block files with unknown verdict and send user notification—Starting in Junos OS Release 19.3, for advanced anti-malware policies, you can block a file when the verdict is unknown. You can also send a user notification when a file is blocked. We’ve introduced the following new commands: set services advanced-anti-malware policy p1 http file-verdict-unknown (block|permit) and set services advanced-anti-malware policy p1 http client-notify (message|file|redirect-URL).

    See set services anti-malware policy and request services advanced-anti-malware redirect-file.

  • Juniper Sky ATP onboarding changes—Starting in Junos OS Release 19.3, you can use an alternative onboarding procedure to perform all enrollment steps using the CLI on the SRX Series device without having to access the Sky ATP Web Portal. Run the request services advanced-anti-malware enroll command on the SRX Series device to begin the process. Both the original enrollment process that obtains an op script from the Web Portal and the new CLI-only enroll process are valid procedures. Use either one.

    See Enroll the SRX Series Device using the Enroll Command.

Subscriber Management and Services

  • Diameter S6a authentication (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 19.3R1, you can configure the diameter-based authentication S6a application on SRX series devices at [edit access] hierarchy. The MME uses S6a application to retrieve authentication information from Home Subscriber Server (HSS).

    [See Configuring S6a and s6a.]

Virtual Routing

  • VRF-Group in L3VPN traffic (SRX Series and vSRX)—Starting in Junos OS Release 19.3R1, to support mid-stream routing, VRF undergoes changes for processing a session among a group of MPLS VRF instances in an L3VPN MPLS network. These VRF instances which are logically part of a given L3VPN traffic are grouped and this is a VRF-Group. The VRF-Groups allows the session to switch from one MPLS VRF to another MPLS VRF

    VRF-Group supports the following features:

    • Overlapping in VPN session

    • VRF-Group Policy

    • VRF-Group NAT

    • VRF-Group ALG

    [See Security Policy for Controlling Traffic for VRF Routing-Instance

What's Changed

Learn about what changed in Junos OS main and maintenance releases for SRX Series.

What's Changed in Release 19.3R3

Application Layer Gateways (ALGs)

  • Disable the do not fragment flag from packet IP header (SRX Series and vSRX)—Starting in Junos OS Release 19.3R3, we’ve introduced the clear-dont-frag-bit statement at the [edit security alg alg-manager] hierarchy level to disable the do not fragment flag from the packet IP header. This configuration allows the packet to be split after NAT is performed.

    In Junos OS releases earlier than Release 19.3R3, when the ALG performs payload-NAT, sometimes the size of the packet becomes bigger than the maximum transmission unit (MTU) of the outgoing interface. If the packet IP header has the do not fragment flag, this packet cannot be sent out.

    [See alg-manager.]

Authentication and Access Control

  • Enabling and disabling SSH login password or challenge-response authentication (SRX Series)—Starting in Junos OS Release 19.3R3, you can disable either the SSH login password or the challenge-response authentication at the [edit system services ssh] hierarchy level.

    In Junos OS releases earlier than Release 19.3R3, you can enable and disable both SSH login password and the challenge-response authentication simultaneously at the [edit system services ssh] hierarchy level.

    [See Configuring SSH Service for Remote Access to the Router or Switch.]

Flow-based and Packet-based Processing

  • Self-generated IKE packets chooses outgoing interface matching source IP Address (SRX Series) — A self-generated Internet Key Exchange (IKE) packet always select the ECMP outgoing interface that matches source IP address. Note that filter-based forwarding for self-generated traffic with rerouting is not supported.

J-Web

  • Deactivated policy rules are not visible in the J-Web UI (SRX Series)—Starting in Junos OS 19.4R1 Release, J-Web does not support disabling or enabling the security firewall or global policy rules. The policy rules that are deactivated through the CLI are also not visible in the J-Web UI. As a workaround, use the CLI to disable or enable the policy rules on the device.

Juniper Sky ATP

  • Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 19.3R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).

Network Management and Monitoring

  • Packet Forwarding Engine data display command (SRX Series)—Starting in Junos OS Release 19.3R3, you can now view the Packet Forwarding Engine data by using the usp flow config and usp flow stats options for the show pfe data command.

What's Changed in Release 19.3R2

Interfaces and Chassis

  • Change in output of show interfaces (SRX300, SRX320, SRX340, SRX345, SRX550M)—Starting in Junos OS Release 19.3R2, the output of the show interfaces command on the SRX300 line of devices and on the SRX550M, no longer displays vlan as the value of the Physical interface field. On these devices, the value of the Physical interface field in the command output appears as irb instead of vlan.

Network Management and Monitoring

  • Change in jnxJsFlowMIB statistics display (SRX Series)—Starting in Junos OS Release 19.3R2, in a chassis cluster, you can see the statistics on all SPUs of both nodes using the show snmp mib walk jnxJsFlowMIB command. In earlier releases, you can see the statistics only on local SPUs.

    [See SNMP MIB Explorer.]

What's Changed in Release 19.3R1

Application Security

  • Starting in Junos OS Release 19.3R1, you can schedule automatic download of the application signature package in a new format. Use the YYYY-MM-DD.hh:mm format to configure the time to automatic download for application signatures. For example, the following statement sets the start time as 10 AM on June 30, 2019:

    You can configure the automatic updates using the new format once you upgrade your previous Junos OS version to any of the above supported Junos OS version.

Authentication and Access Control

  • SSH protocol version v1 option deprecated from CLI (SRX Series)—Starting in Junos OS Release 19.3R1, we’ve removed the nonsecure SSH protocol version 1 (v1) option from the [edit system services ssh protocol-version] hierarchy level. You can use the SSH protocol version 2 (v2) as the default option to remotely manage systems and applications. With the v1 option deprecated, Junos OS is compatible with OpenSSH 7.4 and later versions.

    Junos OS releases earlier than Release 19.3R1, continue to support the v1 option to remotely manage systems and applications.

    [See protocol-version.]

Junos OS XML API and Scripting

  • Range defined for confirm-timeout value in NETCONF and Junos XML protocol sessions (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 19.3R1, the value for the <confirm-timeout> element in the Junos XML protocol <commit-configuration> operation must be in the range 1 through 65,535 minutes, and the value for the <confirm-timeout> element in the NETCONF <commit> operation must be in the range 1 through 4,294,967,295 seconds. In earlier releases, the range is determined by the minimum and maximum value of its unsigned integer data type.

Licensing

  • Starting in Junos OS Release 19.3R1, the SNMP OID jnxLicenseKeys is deprecated.

    [See Licensing Guide.]

Network Management and Monitoring

System Logging

  • Preventing system instability during core file generation (SRX Series)—Starting with Release 19.3R1 onward, Junos OS checks for available storage space on the Routing Engine before generating core files either on request or because of an assertion condition. This check ensures that your device does not become unstable because of shortage of storage space on the Routing Engine. If the available space is not sufficient, core files are not generated. Instead, Junos OS either displays the Insufficient Disk space !!! Core generation skipped message as an output or issues the syslog message core generation is skipped due to disk full.

Unified Threat Management (UTM)

  • Support to adjust core allocation ratio of UTM onbox-AV— Starting in Junos OS Release 19.3R1, to improve the throughput of low scan cost file such as doc file and big exe file, the on-box AV load flavor light ratio is changed from 1/3 to 1/4, and the onbox AV load flavor heavy ratio is changed from 2/3 to 1/2.

    [See Example: Configuring On-Device Antivirus Feature Profile.]

VPN

  • Power Mode IPsec (SRX Series)—Starting in Junos OS Release 19.3R1, when you enable the Power Mode IPsec, the show security flow statistic and show security flow session tunnel summary commands does not count, or display the number of packets that are processed within the Power Mode IPsec.

    show security flow statistics

Known Limitations

Learn about known limitations in this release for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • Enhanced user firewall support—In Junos OS Release 19.3R3, for SRX300 devices with eUSB (SRX300, SRX320, SRX340, and SRX345), the SRX Series user firewall (UserFW) module tries to synchronize user entries from the domain controller or Juniper Identity Management Service (JIMS) after booting up. If the historical login events expired on the domain controller, then the SRX Series UserFW module is unable to retrieve those user entries after the UserFW module boots up.

    [See User Authentication Entries in the ClearPass Authentication Table.]

J-Web

  • After you generate the Default Trusted CA profile group under Certificate Management>Trusted Certificate Authority in J-Web, J-Web does not display the CA profile group local on the Certificate Management>Certificate Authority Group page. PR1424131

  • The CA profile group imported using J-Web does not populate the group on the Certificate Authority Group initial landing page grid, but all the CA profiles of a group are populated on the Trusted Certificate Authorities landing page. PR1426682

  • When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is automatically refreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214

Logical Systems and Tenant Systems

  • In case of logical systems, secure wire cannot work with the user firewall AD integrated solution, because secure wire cannot support forwarding traffic between different logical systems. The user firewall AD integrated solution cannot probe client PCs, which are located at non-root logical systems. PR1436546

Platform and Infrastructure

  • When an NTP server is newly added to the Junos configuration using a domain name, a DNS server IP address needs to have been already configured and committed in a previous commit. Otherwise the commit will fail due to the NTP server domain name failing to be resolved to an IP address. As a workaround, use an IP address for the NTP server configuration. PR1411396

VPNs

  • In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported in Junos OS Release 18.2R2 and later. PR1383329

  • In the HA design for SRX Series devices, the anti-replay window is synchronized to the backup only when the total incoming packet count is an odd multiple of 128 packets. When a failover occurs, the anti-replay bitmap is not synchronized. Again, when the node comes back online, the SA is installed but the anti-replay bitmap is reset to 0 along with the in and out sequence number. PR1420521

  • The IPsec VPN tunnel does not come up, and the gateway lookup failed error is seen, after the configurations are changed from IPv4 to IPv6 tunnels in the script. PR1431265

  • On the SRX5000 line of devices with SPC3 cards, sometimes IKE SA is not seen on the device when the st0 binding on the VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411

  • Per-tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393

Open Issues

Learn about open issues in this release for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • On an SRX4600 device, when the next hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, it is possible that when multiple core files are generated in quick succession, the cold-sync-monitored status is displayed and cannot be removed even though cold-sync has finished. You must reboot the affected node to recover. PR1403000

  • The dynamic applications that relied on SSL proxy for matching have been deprecated. These dynamic applications are HTTPS, SMTPS, POP3S, and IMAPS. Use SSL, SMTP, POP3, and IMAP in all policies moving forward as they will now match for both encrypted and decrypted streams. PR1444767

  • TCP session cannot time out properly upon receiving the TCP RESET packet, and the session timeout does not change to 2 seconds. PR1467654

Intrusion Detection and Prevention (IDP)

  • On the SRX Series devices, the commit or show command for IDP might not work if you keep running SNMP queries when large-scale IDP is used. PR1444043

  • When intelligent inspection status changes, syslog is not generated on SRX300 and SRX500 line of devices. PR1448365

J-Web

  • Due to set chassis auto-image-upgrade in the factory configuration, from phone home page you are not able to skip to J-Web and get the error Bootstrap is in progress, Can't Skip!!. PR1420888

  • On the SRX5000 line of devices, J-Web might not be responsive sometimes when you commit configuration changes after adding a new dynamic application while creating a new firewall rule. J-Web displays a warning while validating the configuration due to dynamic application or any other configuration changes. As a workaround, refresh the J-Web page. PR1460001

  • When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is automatically refreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214

Routing Policy and Firewall Filters

  • The SSL reverse proxy feature must be used instead of the SSL inspection feature. SSL inspection on IDP level is being deprecated in favor of SSL reverse proxy. PR1450900

  • If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907

VPNs

  • On SRX Series devices, if multiple traffic selectors are configured for a peer with Internet Key Exchange version 2 (IKEv2) reauthentication, only one traffic selector is rekeyed at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. A new negotiation of these traffic selectors is triggered through other mechanisms—for example, by traffic or by a peer. PR1287168

  • When multiple traffic selectors are configured on a particular VPN, the iked process checks for a maximum of one DPD probe that is sent to the peer for the configured DPD interval. The DPD probe is sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX Series device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE IDs. PR1407356

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • On the SRX5000 line of devices with SPC3 cards, sometimes IKE SA is not seen on the device when the st0 binding on the VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411

  • Per-tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393

  • In an IPsec VPN scenario on SRX5400, SRX5600, and SRX5800 platforms, the iked process treats retransmission of IKE_INIT request packets as new connections when the SRX Series device acts as a responder of IKE negotiation. This causes IKE tunnel negotiation to fail, and IPsec VPN traffic might be impacted. PR1460907

  • The SRX5000 line of devices with SPC3 does not support simultaneous IKE negotiation in Junos OS Releases 19.2, 19.3, 19.4, and 20.1. PR1497297

Resolved Issues

Learn which issues were resolved in Junos OS main and maintenance releases for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: Release 19.3R3

Application Layer Gateways (ALGs)

  • On the SRX5000 line of devices, the H323 call with NAT64 could not be established. PR1462984

  • The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942

  • SIP messages that need to be fragmented might be dropped by the SIP ALG. PR1475031

  • FTPS traffic might be dropped on SRX Series or MX Series devices if FTP ALG is used. PR1483834

Authentication and Access Control

  • SRX Series: Unified Access Control (UAC) bypass vulnerability (CVE-2020-1637). PR1475435

Chassis Clustering

  • IP monitoring might fail on the secondary node. PR1468441

  • An unhealthy node might become primary in SRX4600 devices in a chassis cluster scenario. PR1474233

Flow-Based and Packet-Based Processing

  • The show security group-vpn server statistics |display xml is not in expected format. PR1349959

  • The show security pki local-certificate logical-system all command is not showing any output. PR1414628

  • The trusted-ca and root-ca names or IDs should not be the same within an SSL proxy configuration. PR1420859

  • The control logical interface is not created by default for LLDP. PR1436327

  • The SPC card might stop on the SRX5000 line of devices. PR1439744

  • With NCP remote access solution, in a PathFinder case (for example, where IPsec traffic has to be encapsulated as TCP packets), TCP encapsulation for transit traffic is failing. PR1442145

  • In the BERT test for E1 interface, bits count is not within the range. PR1445041

  • Introduction of default inspection limits for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180

  • The SRX Series devices stop and generate several core files. PR1455169

  • The srxpfe or flowd process might stop if the sampling configuration is changed. PR1462610

  • The tunnel packets might be dropped because the gr0.0 or st0.0 interface is wrongly calculated after a GRE or VPN route change. PR1462825

  • The flowd or srxpfe process might crash if the tunnel information-related show command is issued during the tunnel deleting process. PR1469123

  • On the SRX300 line of devices, you might encounter Authentication-Table loading slowly while using user identification. PR1462922

  • A core file might be generated when you perform an ISSU on SRX Series devices. PR1463159

  • The PKI daemon keeps leaking memory on SRX Series devices. PR1465614

  • The jbuf process usage might increase up to 99 percent after Junos OS upgrade. PR1467351

  • The rpd process might stop after several changes to the flowspec routes. PR1467838

  • The Packet Forwarding Engine might generate core files because SSL proxy is enabled on NFX Series and SRX Series devices. PR1467856

  • Server unreachable is detected; ensure that port 443 is reachable. PR1468114

  • Tail drop on all ports is observed when any switch-side egress port gets congested. PR1468430

  • FTP data connection might be dropped if SRX Series devices send the FTP connection traffic through the dl interface. PR1468570

  • RPM test probe fails to show that round-trip time has been exceeded. PR1471606

  • 19.3R2: pkid crash at bn_i2c (pval=0x1d, cont=0x0, putype=0xffffcce8, it=0xc8c848b8 < BIGNUM_it>) at ../../../../../../../src/crypto/openssl/crypto/asn1/x_bignum.c:127. PR1471878

  • Look-up failure for expected e-mail address in DUT. PR1472748

  • Packet drop might be observed on the SRX300 line of devices when adding or removing an interface from MACsec. PR1474674

  • Stateful firewall rule configuration deletion might lead to memory leak. PR1475220

  • ECMP load balancing does not happen when the RG1 node 0 is secondary. PR1475853

  • The flowd or srxpfe process might stop when deleting user firewall local authentication table entry. PR1477627

  • MPCs might stop when there is bulk route update failure in a corner case. PR1478392

  • Recent changes to JDPI's classification mechanism caused a considerable performance regression (more than 30 percent). PR1479684

  • The flowd or srxpfe process might stop when advanced anti-malware service is used. PR1480005

  • On Web proxy, memory leak in association hash table and DNS hash table. PR1480760

  • The jsqlsyncd process synchronizes its databases every second even there is no change. PR1482428

  • IMAP curl sessions get stuck in the active state if AAMW IMAP block mode is configured. PR1484692

  • The show chassis temperature-thresholds command displays extensive FPC 0 output. PR1485224

  • The flowd process might stop and impact services if J-Flow version 9 is configured. PR1486528

  • Commit does not work after the installation through boot loader. PR1487831

  • If a cluster ID of 16 or multiples of 16 is used, the chassis cluster might not come up. PR1487951

  • CPU board inlet increases after OS upgrade from Junos OS Release 15.1X49 to Junos OS Release 18.x. PR1488203

  • All interfaces remain in the down state after the SRX300 line of devices power up or reboot. PR1488348

  • There is a risk of service interruption on all SRX Series devices with a dual-stacked CA server. PR1489249

  • Continuous drops seen in control traffic, with high data queues in one SPC2 PIC. PR1490216

  • Phone client stop seen while doing SRX345 device ZTP with CSO. PR1496650

  • Outbound SSH connection flap or memory leak issue might be observed when pushing configuration to ephemeral database with high rate. PR1497575

  • Traffic interruption happens due to MAC address duplication between two Junos OS devices. PR1497956

  • Don’t use capital characters for source-identity when using the show security match-policies command. PR1499090

  • J-Flow version 9 does not display the correct outgoing interface for APBR traffic. PR1502432

  • Fabric interface might be monitored down after chassis cluster reboot. PR1503075

  • SOF asymmetric scenario not working phase-1 solution. PR1507865

  • VRRP does not work on the reth interface with a VLAN ID greater than 1023. PR1515046

  • A logic issue was corrected in SSL proxy that could lead to an srxpfe or flowd core file under load. PR1516903

  • The PPPoE session does not come up after zeroization on SRX Series devices. PR1518709

Interfaces and Chassis

  • Static route through the dl0.0 interface is not active. PR1465199

  • MAC limiting on Layer 3 routing interfaces does not work. PR1465366

Intrusion Detection and Prevention (IDP)

  • On SRX Series devices, updating the IDP security package offline might fail. PR1466283

  • The IDP attack detection might not work in a specific situation. PR1497340

  • IDP's custom-attack time-binding interval command was mistakenly hidden within the CLI. PR1506765

J-Web

  • The Policy Rules grid will not populate the deactivated security firewall or global policy rules on the Rules page. PR1460161

  • IPv6 address objects containing a,b,c,d,e cannot be configured through J-Web. PR1464110

  • J-Web security resources dashboard widget was not being populated correctly. PR1464769

  • The J-Web users might not be able to configure PPPoE using the PPPoE wizard. PR1502657

Layer 2 Ethernet Services

  • Member links state might be asychronized on a connection between PE and CE devices in EVPN active/active mode. PR1463791

MPLS

  • BGP session might keep flapping between two directly connected BGP peers because of the incorrect use of the TCP-MSS. PR1493431

Network Address Translation (NAT)

  • The flowd or srxpfe process might stop when traffic is processed by both ALGs and NAT. PR1471932

  • Issuing the show security nat source paired-address command might return an error. PR1479824

Network Management and Monitoring

  • The flowd or srxpfe process might stop immediately after committing the J-Flow version 9 configuration or after upgrading to affected releases. PR1471524

  • SNMP trap coldStart agent-address becomes 0.0.0.0. PR1473288

Platform and Infrastructure

  • On certain MPC line cards, cm errors need to be reclassified. PR1449427

  • Modifying the REST configuration might cause the system to become unresponsive. PR1461021

  • On SRX1500 and the SRX4000 line of devices, physically disconnecting the cable from the fxp0 interface causes hardware monitor failure and redundancy group failover, when the device is the primary node in a chassis cluster. PR1467376

  • On SRX Series devices, Packet Forwarding Engine memory might be used up if the security intelligence feature is configured. PR1472926

  • Support LLDP protocol on reth interface. PR1473456

  • Certificate error while configuration validation during Junos OS upgrade. PR1474225

  • The RGx might fail over after RG0 failover in a rare case. PR1479255

  • Packets get dropped when the next hop is IRB over lt interface. PR1494594

  • On the SRX1500 device, the factory-default configuration for ge-0/0/0 and ge-0/0/15 should be set with family inet DHCP. PR1503636

Routing Policy and Firewall Filters

  • Security policies cannot synchronize between Routing Engine and Packet Forwarding Engine on SRX Series devices. PR1453852

  • Traffic log shows an incorrect custom-application name when the alg ignore option is used in application configuration. PR1457029

  • Some domains are not resolved by the SRX Series devices when using DNS address book. PR1471408

  • The count option in the security policy does not take effect even if the policy count is enabled. PR1471621

  • Support for dynamic tunnels on SRX Series devices was mistakenly removed. PR1476530

  • TCP proxy was mistakenly engaged in unified policies when Web filtering was configured in potential match policies. PR1492436

  • The srxpfe or flowd process might crash due to memory corruption within JDPI. PR1500938

  • Traffic fails to hit the policies with matching source-end-user-profiles. PR1505002

Routing Protocols

  • SSH login might fail if a user account exists in both local database and RADIUS or TACACS+. PR1454177

  • The rpd might stop when both instance-import and instance-export policies contain the as-path-prepend action. PR1471968

  • The BGP route-target family might prevent the route reflector from reflecting Layer 2 VPN and Layer 3 VPN routes. PR1492743

Unified Threat Management (UTM)

  • Increase the scale number of UTM profile or policy for the SRX1500 device, and the SRX4000 and SRX5000 lines of devices. PR1455321

  • The utmd process might pause after deactivating a UTM configuration with predefined category upgrading used. PR1478825

  • UTM websense redirect supports IPv6 messages. PR1481290

VLAN Infrastructure

  • ISSU failed from Junos OS Release 18.4R2.7 to Junos OS Release 19.4, with secondary node PICs in present state after upgrading to Junos OS Release 19.4. PR1468609

VPNs

  • After RG1 failover, IKE phase 1 SA is getting cleared. PR1352457

  • IPsec VPN missing half of the IKE SA and IPsec SA showing incorrect port number when scaling to 1000 IKEv1 AutoVPN tunnels. PR1399147

  • The established tunnels might remain unchanged when an IKE gateway is changed from AutoVPN to Site-to-Site VPN. PR1413619

  • The show security ipsec statistics command output displays buffer overflow and wraps around 4,---,---,--- count. PR1424558

  • IKE SA does not get cleared and is showing a very long lifetime. PR1439338

  • Some IPsec tunnels flap after RGs failover on the SRX5000 line of devices. PR1450217

  • IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951

  • IPsec tunnels might lose connectivity on SRX Series devices after chassis cluster failover when using AutoVPN point-to-multipoint mode. PR1469172

  • The kmd process might crash continually after chassis cluster failover in an IPsec ADVPN scenario. PR1479738

  • On SRX Series devices with SPC3, when overlapping traffic selectors are configured, multiple IPsec SAs get negotiated with the peer device. PR1482446

Resolved Issues: Release 19.3R2

Application Layer Gateways (ALGs)

  • Sometimes unexpected forwarding sessions appear for tenant ALG SIP traffic in cross tenant. PR1409748

  • After Layer 3 HA enable, ALG H.323 group or resource cannot be synchronized to the peer node correctly. PR1456709

Authentication and Access Control

  • The same source IP sessions are cleared when the IP entry is removed from UAC table. PR1457570

Application Security

  • The AAMW diagnostic script gives incorrect error Error: Platform does not support SkyATP: srx300. PR1423378

  • Unable to get more than 60 Gbps of AppQoS throughput. PR1439575

Chassis Clustering

  • Hardware failure is seen on both nodes in show chassis cluster status. PR1452137

  • On SRX Series devices with chassis cluster, the control link remains up even though the control link is actually down. PR1452488

Flow-Based and Packet-Based Processing

  • Packet loss is caused by FPGA back pressure on SPC3. PR1429899

  • VPN traffic fails after primary node reboot or power off. PR1433336

  • On SRX4600 device, core file might be observed and SPM might be in present state. PR1436421

  • While checking the flow session XML for source NAT under tenant, there is no value identifier for tenant-name ( < tenant>< /tenant> ). PR1440652

  • J-Flow version 5 stops working after changing input rate value. PR1446996

  • AAWM policy rules for IMAP traffic sometimes might not get applied when passed through SRX Series device. PR1450904

  • FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122

  • Traffic forwarding on Q-in-Q port and VLAN tagging is not observed properly on R0. PR1451474

  • The rpd process might stop and restart and an rpd core file is generated when committing the configuration. PR1451860

  • The peers and peers-synchronize commands are removed from SRX Series devices. PR1456661

  • Added some JP APN settings to default list in LTE mPIM. PR1457838

  • Changing the RESET configuration button behavior on the SRX1500 does not work. PR1458323

  • The security flow traceoptions fills in with RTSP ALG related information. PR1458578

  • The security-intelligence CC feed does not block HTTPS traffic based on SNI. PR1460384

  • The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619

  • Fragmented traffic might get looped between the fab interface in Z mode. PR1465100

  • HTTP block message stops working after SNI check for HTTPS session. PR1465626

Interfaces and Chassis

  • SCB4 or SCB3 ZF or XF2 fabric plane retraining is needed after switching the fabric redundancy mode. PR1427119

  • The fxp0 interface might redirect packet not destined to itself. PR1453154

J-Web

  • J-Web fails to display the traffic log in event mode when stream mode host is configured. PR1448541

  • Editing destination NAT rule in J-Web introduces a non-configured routing instance field. PR1461599

Network Address Translation (NAT)

  • There is port endian issue in SPU messages between SPC3 and SPC2, which results in one redundant NAT binding being created in CP when one binding is allocated in SPC2 SPC. PR1450929

Network Management and Monitoring

  • Control links are logically down on SRX Series device chassis cluster running Junos OS Release 12.3X48. PR1458314

Platform and Infrastructure

  • The node0 stayed in secondary hold status for a long time but cannot change back to secondary status after manual failover in RG0. PR1421242

  • On the SRX300 line of devices, interface LED does not work properly. PR1446035

  • REST API process will get non-responsive when a number of requests come at a high rate. PR1449987

Routing Policy and Firewall Filters

  • The NSD process might stop due to a memory corruption issue. PR1419983

  • The NSD process might get stuck and cause problems. PR1458639

Services Applications

  • On SRX Series devices, the lcore-slave core files are seen. PR1460035

Unified Threat Management (UTM)

  • Blacklist compilation failures are reported. PR1418980

  • The command show security utm web-filtering status now provides additional context when the status of EWF is down. PR1426748

VPNs

  • The IKE and IPsec configuration under groups is not supported. PR1405840

  • Old tunnel entries are also seen when new tunnel negotiation happens from peer device after change in IKE gateway configuration at peer side. PR1423821

  • The P1 configuration delete message is not sent on loading baseline configuration if there has been a prior change in VPN configuration. PR1432434

  • The P1 or P2 SAs are deleted after RG0 failover. PR1433355

  • IPsec SA in and out key sequence number update missing with cold-sync (secondary node reboot). PR1433424

  • Sequence number is reset to zero while recovering SA after SPC3 or flowd stop or reboot. PR1433568

  • The IKED stops on the SRX5000 line of devices with SPC3 when IPsec VPN or IKE is configured. PR1443560

  • Sometimes old SAs are not deleted after rekey and the number of IPsec tunnels shows up more than the configured tunnels. PR1449296

  • Traffic is not sent out through IPsec VPN after update to Junos OS Release 18.2 or later. PR1461793

Resolved Issues: Release 19.3R1

Application Layer Gateways (ALGs)

  • The TCP reset packet is dropped when any TCP proxy-based feature and the rst-invalidate-session command are enabled simultaneously. PR1430685

  • The H.323 connection might not be established when the H.323 packet passes SRX devices twice through different virtual routers. PR1436449

  • Packet loss happens during cold synchronization from secondary node after rebooting. PR1448252

Application Security

  • Automatic application-identification download stops after going over the year and reboot. PR1436265

  • The flowd or srxpfe process might crash when advanced anti-malware service is used. PR1437270

  • The applications that get declassified in the middle of a session are not identified properly. PR1437816

  • The flowd process core files might be seen when the traffic hits AppQoS policy. PR1446080

Authentication and Access Control

  • Support redirecting HTTP or HTTPS request to firewall Web authentication server with the server's domain name. PR1421725

  • The CPU utilization of the uacd is high, about 100 percent, in the output of show chassis routing-engine. PR1424971

Chassis Clustering

  • Mixed mode (SPC3 coexisting with SPC2 cards) high availability (HA) IP monitoring fails on the secondary node with secondary arp entry not found error. PR1407056

  • Memory leaks might be seen on the jsqlsyncd process on SRX Series chassis clusters. PR1424884

  • The flowd or srxpfe process might stop when SCCP or MGCP ALG works on SRX Series chassis clusters. PR1426722

  • RG0 failover sometimes causes FPC offline/present status. PR1428312

Class of Service (CoS)

  • Frequent issuance of the show class-of-service spu statistics command cause rtlogd busy. PR1438747

Flow-Based and Packet-Based Processing

  • Password recovery menu does not appear on SRX Series device. PR1381653

  • Invalid sessions timeout over 48 hours with stress TCP traffics in the backup node. PR1383139

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when PowerMode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands do not count or display the number of packets processed within PowerMode IPsec, because these packets do not go through the regular flow path. PR1403037

  • CPU is hitting 100 percent with fragmented traffic. PR1402471

  • Throughput or latency performance of TCP traffic is dropped when TCP traffic is passing through from one logical system to another logical system. PR1403727

  • While PMI is on, IPsec-encrypted statistics on the Routing Engine show security ipsec statistics are not working anymore for fragment packets. PR1411486

  • The input and output bytes or bps statistic values might not be identical for the same size of packets. PR1415117

  • None of the operational web-proxy command have clear support. PR1415753

  • Force clearing client session from flow does not clean up proxy session. PR1415756

  • Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093

  • The TCP session might not get cleared even after it reaches the timeout value. PR1416385

  • TCP segmented client-side session fails to create transparent proxied relay session, and session stays idle. PR1417389

  • The show security flow session session-identifier <sessID> command is not working if the session ID is bigger than 10M on SRX4600 platform. PR1423818

  • The tunnel ID information is displayed in the flow session. PR1423889

  • PIM neighbors might not come up on SRX Series chassis cluster. PR1425884

  • When configuring a GRE tunnel (GRE-over-IPsec-tunnel) or an IPsec tunnel on an SRX Series device, the MTU of the tunnel interface is calculated incorrectly. PR1426607

  • The IPsec traffic going through the SRX5000 line of devices with SPC2 cards installed causes high SPU CPU utilization. PR1427912

  • The flowd process might stop on the SRX5000 line of devices. PR1430804

  • SRX550M running Junos OS Release 18.4R1 shows PEM 1 output failure message, whereas with Junos OS Release 15.1X49 or Junos OS Release 18.1R3.3 it does not show any alarms. PR1433577

  • Currently PMI doesn't support mirror-filter functionality. If there are any mirror filters configured, PMI flaps all of the traffic to the regular flow path. PR1434583

  • Intermittent packets drop might be observed if IPsec is configured. PR1434757

  • On SRX series, syslog severity level of msg subtype is end of policy is set to error although this message can be ignored. PR1435233

  • The rtlogd process on the two Routing Engine HA nodes go into deadlock state when rtlogd on both nodes are busy with sending data to each other in the single thread context. PR1435352

  • The second IPsec ESP tunnel might not be able to establish between two IPv6 IKE peers. PR1435687

  • On an SRX4600 device, core file generation might be observed and SPM might be in present state. PR1436421

  • The ipfd process might crash when SecIntel is used. PR1436455

  • Packet reorder does not work when sending traffic over IPsec tunnel with session-affinity. PR1436720

  • Member of dynamically created VLANs information is not displaying on show VLANs. PR1438153

  • Security logs cannot be sent to the external syslog server through TCP. PR1438834

  • Decryption traffic doesn’t take PMI path after IPsec rekey (initiated by peer) when loopback interface is configured as external interface. PR1438847

  • The wmic process might stop and restart when using user firewall with Active Directory. PR1439538

  • The IKE pass-through packet might be dropped after source NATed. PR1440605

  • Performance improvements were made to Screens, which benefit multi-socket systems. PR1440677

  • SPC2 wrongly forwarded packet to SPC3 core0 and core14. PR1441234

  • The configured RPM probe server hardware timestamp does not respond with correct timestamp to the RPM client. PR1441743

  • New CLI option to show only userful group infotmations for an Active Directrory user. PR1442567

  • The flowd or srxpfe process might crash when processing fragmented packets. PR1443868

  • Packet loss happens during cold sync from secondary node after rebooting. PR1447122

  • LACP cannot work with the encapsulation flexible-ethernet-services configuration. PR1448161

  • SPC3 talus FPGA stuck on 0x3D or 0x69 golden version. PR1448722

  • FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122

  • Traffic forwarding on Q-in-Q port and VLAN tagging is not observed properly on R0. PR1451474

Infrastructure

  • Increase in Junos OS image size for Junos OS Release 19.1R1. PR1423139

Interfaces and Routing

  • The fxp0 interface might redirect packet not destined itself. PR1453154

Installation and Upgrade

  • SRX Series devices go into DB mode after USB installation. PR1390577

  • SPMC version mismatch errors after Junos OS install using USB method. PR1437065

Interfaces and Chassis

  • Both nodes in the SRX Series chassis cluster go into DB mode after downgrading to Junos OS Release 18.1. PR1407295

  • The reth interfaces are now supported when configuring SSL decryption mirroring (mirror-decrypt-traffic interface). PR1415352

  • Disabling the interface on the primary node causes traffic to get silently dropped through the secondary. PR1424705

  • SCB4 or SCB3 ZF or XF2 fabric plane retraining is needed after switching the fabric redundancy mode. PR1427119

  • MTU change after a CFM session is up can impact L2 Ethernet ping (loopback messages). If the new change is less than the value in the initial incarnation then L2 Ethernet ping would fail. PR1427589

  • LFM remote loopback is not working as expected. PR1428780

  • The LACP interface might flap if performing a failover. PR1429712

Intrusion Detection and Prevention (IDP)

  • NSD fails to push security zone to the Packet Forwarding Engine after reboot, if there is an active IDP rule configured with FQDN. PR1420787

J-Web

  • J-Web configuration change for an address set using the search function results in a commit error. PR1426321

  • User unable to view GUI when logged in as read-only user. The user is presented with an empty page after login. PR1428520

  • IRB interface is not available in the zone option of J-Web. PR1431428

  • Launch pad is not loading in the foreground and not showing details for any widgets. PR1446802

  • The idle-timeout for J-Web access doesn't work properly. PR1446990

  • J-Web fails to display the traffic log in event mode when stream mode host is configured. PR1448541

Network Address Translation (NAT)

  • RTSP resource session is not found during NAT64 static mapping. PR1443222

Network Management and Monitoring

  • MIB OID dot3StatsDuplexStatus shows wrong status. PR1409979

  • Partial traffic might get dropped on an existing LAG. PR1423989

  • SNMPD might generate core files after restarting NSD process by restart network-security gracefully. PR1443675

Platform and Infrastructure

  • Memory leak might occur on the data plane during composite next-hop installation failure. PR1391074

  • On SRX4600 device, the 40-Gigabit Ethernet interface might flap continuously by MAC local fault. PR1397012

  • The show security flow session command fails with error messages when SRX4600 has over a million routing entries. PR1408172

  • On PEM 0 or PEM 1 or fan, I2C failure major alarm might be set and cleared multiple times. PR1413758

  • Complete device outage might be seen when an SPU VM core file is generated. PR1417252

  • Some applications might not be installed during upgrade from an earlier version that does not support FreeBSD 10 to FreeBSD 10 (based system). PR1417321

  • On SRX Series device, the flowd process might stop. PR1417658

  • On SRX4600 devices, commit failed while configuring 2047 VLAN IDs on the reth interface. PR1420685

  • SPC in slot1 of node0 remained in offline state for more than 1 hour after the cluster was upgraded from Junos OS Release 18.2R2-S1.3 to Junos OS Release 18.2X41.1. PR1423169

  • Screen sync cookie causes 100 percent CPU utilization across all SPC3 cards of SRX5800, when packet rate is high. PR1425332

  • The ipfd process might crash if the security intelligence feature is configured. PR1425366

  • Alarms triggered due to high temperature when operating within expected temperatures. PR1425807

  • The PICs might go offline and split-brain might be seen when interrupt storm happens on internal Ethernet interface em0 or em1. PR1429181

  • REST API does not work properly. PR1430187

  • Uneven distribution of CPU with high PPS on device. PR1430721

  • Packet Forwarding Engine crashes might be seen on SRX1500 platform. PR1431380

  • The false license alarm may be seen even if there is a valid license. PR1431609

  • The kmd log shows resource temporarily unavailable repeatedly and VPNs might be down. PR1434137

  • The interface using LACP flaps when the Routing Engine is busy. PR1435955

  • CLI giving error as usp_ipc_client_open: failed to connect to the server after 1 retries(61) when SRX4100 or SRX4200 has large entries on RIB or FIB. PR1445791

  • On the SRX300 line of devices, interface LED does not work properly. PR1446035

  • IS-IS adjacencies between the GE link is not up. PR1446533

Routing Policy and Firewall Filters

  • Memory leak in nsd causes configuration change to not take effect after a commit. PR1414319

  • The flowd process stops on SRX Series devices while deleting a lot of policies from Junos Space. PR1419704

  • A commit warning is now presented to the user when a traditional policy is placed below a unified policy. PR1420471

  • The dynamic-address summary's IP entry count does not include IP entries in the root logical system. PR1422525

  • After a new alarm is created, the NSD process fails to restart because subcomponents fail. PR1422738

  • DNS cache entry does not time out from device even after TTL=0. PR1426186

  • The ipfd generates a core file while scaling. PR1431861

  • An SRX1500 device allows only a maximum of 256 policies with counting enabled. PR1435231

  • Two ipfd processes appear in ps command and the process pauses. PR1444472

Unified Threat Management (UTM)

  • Unable to achieve better Avira antivirus TP on SRX4600 as mbuf high watermark is reached. PR1419064

  • When using unified policies, the base filter for certain UTM profiles might not be applied correctly. PR1424633

  • The custom-url-categories configuration is now pushed correctly to the Packet Forwarding Engine under all circumstances. PR1426189

  • Memory issue due to SSL proxy whitelist or whitelist URL category. PR1430277

  • Replace the bypass-on-dns-cache-miss command with the drop_on_dns_error command in the Web proxy profile. If the drop_on_dns_error command is not set and DNS failure occurs for a session, that session passes through bypass mode. If the drop_on_dns_error command is set and DNS failure occurs for a session, that session is dropped by the Web proxy plug-in. PR1430425

  • Adjust core allocation ratio for on-box antivirus. PR1431780

User Interface and Configuration

  • Tenant system administrator cannot view its configuration with empty database message when using groups. PR1422036

VPNs

  • Tunnel flapping is seen after doing RG0 failover. PR1357402

  • With a large number of IPsec tunnels established, a few tunnels may fail during rekey negotiation if the SRX Series device initiates the rekey. PR1389607

  • VPN tunnels may flap upon commiting changes in configuration groups on SRX Series devices. PR1390831

  • Idle IPsec VPN tunnels without traffic and with ongoing DPD probes can be affected during RG0 failover. PR1405515

  • On SRX5400, SRX5600, and SRX5800 devices with SPC3, when the SRX Series device is configured to initiate IKEv2 reauthentication when NAT traversal is active, occasionally reauthentication might fail. PR1414193

  • The iked process does not handle cases and core files might be generated when a remote gateway address is configured as an IPv6 address while the local interface where the tunnel is anchored has an IPv4 address. PR1416081

  • Group VPN IKE security associations cannot be established before RG0 failover. PR1419341

  • SSL proxy did not correctly warn users about unsupported certificates. PR1419485

  • The iked process might stop when IKE and IPsec SA rekey happens simultaneously. PR1420762

  • The 4G network connection might not be established if LTE mPIM card is in use. PR1421418

  • Tenant system administrator can change VLAN assignment beyond the allocated tenant system. PR1422058

  • The show security ike sa detail command shows incorrect values in the IPsec security associations column. PR1423249

  • IPsec packet throughput might be impacted if NAT-T is configured and the fragmentation operation of post fragment happens. PR1424937

  • On SRX Series devices with SPC3, the device does not send IKE delete notification to the peer if the traffic selector configuration is changed. PR1426714

  • The kmd process stops and generates a core file after running the show security ipsec traffic-selector command. PR1428029

  • In SPC3 and SPC2 mixed mode, IPsec SA is not getting cleared by executing the clear security ipsec sa command. PR1428082

  • On the SRX5000 line of devices with SPC3, with P2MP and IKEv1 configured, if negotiation fails on the peer device, then multiple IPsec SA entries are created on the device if the peer keeps triggering a new negotiation. PR1432852

  • IPsec rekey triggers for when sequence number in AH and ESP packet is about to exhaust is not working. PR1433343

  • On SRX Series devices, fragments exit VPN traffic earlier than required by ingress packet sizes. PR1435700

  • The IPsec VPN traffic drop might be seen on SRX Series platforms with NAT-T scenario. PR1444730

Documentation Updates

There are no errata or changes in Junos OS Release 19.3R3 documentation for the SRX Series.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one Junos OS Release to the next release or one release after the next release. For example you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3 and so on.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.