Junos OS Release Notes for SRX Series
These release notes accompany Junos OS Release 19.3R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.
What’s New
Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.
What’s New in Release 19.3R3
There are no new features in Junos OS Release 19.3R3 for the SRX Series devices.
What’s New in Release 19.3R2
There are no new features in Junos OS Release 19.3R2 for the SRX Series devices.
What’s New in Release 19.3R1
Application Security
Operational commands for SSL sessions (SRX Series and vSRX)—In Junos OS Release 19.3R1, we’ve introduced new operational mode CLI commands to monitor and troubleshoot SSL-related issues.
You can use the new show commands to display information and statistics related to SSL configurations, sessions, counters, and logs. You can also use the output of the CLI commands to understand the issue and plan the required next steps accordingly.
[See Troubleshooting SSL Proxy.]
DSCP support in APBR rule (SRX Series and vSRX)—Starting in Junos OS Release 19.3R1, you can use a Differentiated Services Code Point (DSCP) value in an APBR rule as a match criterion to perform advanced policy-based routing. You can configure the DSCP value in addition to the other match criteria of the APBR rule, such as dynamic application and dynamic application group.
By configuring the DSCP value in an APBR rule, you can extend the APBR service to the encrypted traffic or to the traffic with the DSCP markings.
User-defined ICAP request header extension (SRX Series)—Starting in Junos OS Release 19.3R1, Internet Content Adaptation Protocol (ICAP) redirect adds X-Client-IP, X-Server-IP, X-Authenticated-User, and X-Authenticated-Groups header extensions in an ICAP message to provide information about the source of the encapsulated HTTP message.
[See ICAP Service Redirect.]
Chassis Clustering
Dedicated fabric ports support (SRX4600)—Starting in Junos OS Release 19.3R1, you can use the built-in dedicated fabric ports as fabric link ports in chassis cluster mode.
[See Understanding Chassis Cluster Slot Numbering and Physical Port and Logical Interface Naming, SRX Series Chassis Cluster Configuration Overview, and Chassis Cluster Control Plane Interfaces.]
Flow-Based and Packet-Based Processing
Express Path (SRX4600)—Starting in Junos OS Release 19.3R1, SRX4600 devices support Express Path (formerly known as services offloading). Express Path support is already available on SRX5000 line devices.
Express Path considerably reduces packet-processing latency.
[See Express Path.]
General Packet Radio Switching (GPRS)
Validate IP address in GTP messages to prevent security threats (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—In Junos OS Release 19.3R1, we’ve aligned with the GSMA FS.20 standards, which enables you to configure IP addresses in an IP group list. You can prevent a variety of attacks by validating the IP addresses of incoming and outgoing packets in GTP messages against the IP addresses configured in the IP group list.
Hardware
Starting with Junos OS Release 19.3R1, the following hardware is available to enhance the performance and scalability of the SRX5000 line of devices:
SRX5K-IOC4-10G (IOC4): SRX5K-IOC4-10G is a fourth-generation fixed-configuration I/O card with two Packet Forwarding Engines that provide 400 Gbps line rate with 40x10GbE interfaces.
SRX5K-IOC4-MRAT (IOC4): SRX5K-IOC4-MRAT is a fourth-generation fixed-configuration I/O card with two Packet Forwarding Engines that provide 480 Gbps (240 Gbps per PFE) line rate with 48x10GbE, 12x40GbE, or 4x100GbE interface options.
SRX5K-SCB4 (SCB4): The SCB4 is an enhanced Switch Control Board that provides improved fabric performance and bandwidth capabilities for high-capacity line cards using the ZF-based switch fabric. The SCB4 enables 480 Gbps throughput per SCB and can be configured with intra chassis and inter chassis redundancy.
SRX5K-RE3-128G (RE3): The RE3 for the SRX5000 line is based on the Intel Haswell-EP CPU with six cores running at 2.0 GHz and 128 GB of DDR4 memory. It provides increased control plane performance and scalability along with virtualization features in SRX5000 line chassis.
For more information about the new hardware support and interoperability, see Cards Supported on SRX5400, SRX5600, and SRX5800 Services Gateways.
J-Web
Support for line cards (SRX5000 line of devices)—Starting in Junos OS Release 19.3R1, J-Web supports IOC4 and RE3 line cards for the SRX5000 line of devices and SCB4 line cards for SRX5600 and SRX5800 devices.
[See Dashboard Overview, Monitor Ports, and About the Ports Page.]
New J-Web Launch Pad (SRX Series)—Starting in Junos OS Release 19.3R1, after you successfully log in to the J-Web user interface, the J-Web launch pad appears. The launch pad provides a quick view of system identification details, active users, and interface status.
[See Explore J-Web.]
Improved Setup wizard (SRX Series)—Starting in Junos OS Release 19.3R1, you can configure device and users, time and DNS servers, management interface, zones and interfaces, and security policies using the Setup wizard in the factory default settings to get a fully functional device. If you do not want to perform the initial configuration, you can click Skip in the Setup wizard. You can then select Configure > Setup Wizard on the J-Web menu and perform the initial configuration.
[See Start J-Web and Configure Setup Wizard.]
Simplified Juniper Sky ATP enrollment process (SRX Series)—Starting in Junos OS Release 19.3R1, you can enroll your device to Juniper Sky ATP directly through J-Web. You no longer need to switch between the Juniper Sky ATP portal and J-Web to fetch the enrollment URL and new registrations.
Improved Dashboard widget categories (SRX Series)—Starting in Junos OS Release 19.3R1, you can choose any one of the following categories in the J-Web dashboard to view supported widgets on your device:
All Widgets
Applications
Devices
Security
The dashlet data is refreshed every minute by default. You cannot manually configure the refresh interval of the dashlet. If the data is not aged in the cache, data loads from the cache during the dashlet refresh. If the data is aged, it is retrieved from the device during the next refresh interval cycle.
[See Dashboard Overview.]
UTM enhancements (SRX Series)—Starting in Junos OS Release 19.3R1, the following UTM (Configure > Security Services > UTM) pages are refreshed for a seamless experience:
Web Filtering
Category Update
Antispam Profiles
Custom Objects
[See About the Web Filtering Page, About the Category Update Page, About the Antispam Page, and About the Custom Objects Page.]
Logical Systems and Tenant Systems
Secure wire support for user logical system (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Junos OS Release 19.3R1 extends support for secure wire (on root logical systems) to user logical systems. You can forward traffic that arrives on a specific interface to another interface without modifying any received frames on the user logical systems.
User firewall support in customized mode for logical systems and tenant systems (SRX Series)—Starting in Junos OS Release 19.3R1, a customized model through integrated Juniper Identity Management Service (JIMS) with active mode improves the user firewall authentication process. In this model, the logical system and tenant system extract the authentication entries from JIMS servers configured at the root level based on the logical system and tenant system names.
[See Understanding Integrated User Firewall support in a Logical System, and Firewall Authentication for Tenant Systems.]
Application quality of services support for logical systems and tenant systems (SRX Series)—Starting in Junos OS Release 19.3R1, logical systems and tenant systems support application quality of services (AppQoS). You can configure a default AppQoS rule set to manage conflicts in the logical systems or tenant systems if multiple security policies match the traffic.
[See AppQoS for Logical Systems, and AppQoS for Tenant Systems.]
Network Address Translation (NAT)
Support for NAT features in PMI mode (SRX5000 devices with SRX5K-SPC3 card, SRX4200, SRX4100, and vSRX)—Starting in Junos OS Release 19.3R1, you can configure all NAT features in PowerMode IPsec (PMI) mode. Configuration and operational commands for NAT remain the same for both PMI and regular mode. You can configure source NAT, destination NAT, and static NAT for both IPv4 and IPv6 traffic in PMI mode. NAT64 is not supported in PMI mode. However, NAT64 works properly in normal mode, when PMI is enabled.
[See Introduction to NAT and Improving IPsec Performance with PowerMode IPsec.]
Network Management and Monitoring
Improved on-box reporting performance (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX4600, and vSRX)—Starting in Release 19.3R1, Junos OS stores logs in multiple tables instead of a single table in a database file. Each table contains the timestamp of the oldest and latest logs. When you initiate a query based on the start and end time, the local log management daemon (llmd process) finds the latest table to generate reports.
Packet capture from operational mode (SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 19.3R1, you can capture packets from operational mode without committing the configurations. You can define the packet filter to trace only a certain type of traffic, such as logical interface, protocol, source IP address prefix, source port, destination IP address prefix, and destination port. In addition, you can modify the filename, file type, file size, and capture size of the packet capture output.
Platform and Infrastructure
New SCB, IOC, and Routing Engine improve performance and scalability (SRX5400, SRX5600, SRX5800)—In Junos OS Release 19.3R1, we’ve introduced the following new hardware to enhance the performance and scalability of our SRX5000 line of devices:
Switch Control Board SCB4 (model number: SRX5K-SCB4)—Supports high traffic capacity, and provides greater link speeds, fabric capacity, and improved services. The SCB4 is supported only on SRX5600 and SRX5800 devices.
I/O card IOC4 (model numbers: SRX5K-IOC4-MRAT and SRX5K-IOC4-10G)—Enhances processing speed, provides line rates of up to 480 Gbps per slot, and supports Media Access Control Security (MACsec).
Routing Engine (model number: SRX5K-RE3-128G)—Supports higher CPU speed, 128-GB RAM, a trusted platform module (TPM), and increased processing capacity.
The IOC4 can interoperate with the SCB3, SCB4, SPC2, SPC3, IOC2, IOC3, IOC4, and the Routing Engines SRX5K-RE-1800X4 and SRX5K-RE3-128G. However:
The SCB4 can interoperate with all of these components except the SCB3.
The Routing Engine SRX5K-RE3-128G can interoperate with all of these components except the SRX5K-RE-1800X4.
You cannot use any of these components in a chassis that has the Switch Control Board SCB2 installed. For more information about the new hardware interoperability, see Cards Supported on SRX5400, SRX5600, and SRX5800 Services Gateways.
With the new hardware installed, the SRX5000 line of devices support the firewall and advanced security services—such as application security, unified threat management (UTM), intrusion prevention system (IPS)—and all other software features that they supported before this release, except the following:
Layer 2 Ethernet switching mode
Port mirroring
For the complete list of features supported on the SRX5000 line of devices, see Feature Explorer.
[See Chassis Cluster Control Plane Interfaces and show chassis hardware (View).]
Routing Protocols
Support for nondefault routing instance for outbound SSH (MX Series and SRX Series)—Starting in Junos OS Release 19.3R1, you can specify the name of the routing instance on which the outbound SSH connectivity needs to be established using the routing-instance statement at the [edit system services outbound-ssh] hierarchy level. If you do not specify a routing instance, your device will establish the outbound SSH connection using the default routing table.
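The following set commands are an added example, not configuration from these release notes, showing outbound SSH bound to a nondefault routing instance as the item above describes. The routing instance name MGMT, the interface ge-0/0/0.0, the next hop 192.0.2.1, the client name nms1, the device ID, the management station address 203.0.113.10 and port 7804 are constructed values; the client-level statements (device-id, secret, services netconf, address and port) are assumed from the general outbound-ssh configuration, and only the routing-instance statement is the one this item introduces. Lines beginning with # are annotations, not CLI input.

```junos
# Dedicated management routing instance (constructed name MGMT), so the
# outbound session does not use the default routing table that carries
# transit traffic
set routing-instances MGMT instance-type virtual-router
set routing-instances MGMT interface ge-0/0/0.0
set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 192.0.2.1

# Outbound SSH client: the SRX initiates the TCP connection to the management
# station, so no inbound SSH needs to be permitted from the transit side
set system services outbound-ssh client nms1 device-id srx-branch-01
set system services outbound-ssh client nms1 secret "<shared-secret-placeholder>"
set system services outbound-ssh client nms1 services netconf
set system services outbound-ssh client nms1 203.0.113.10 port 7804

# New in 19.3R1: the outbound connection is established in the MGMT instance.
# Without this statement the device falls back to the default routing table.
set system services outbound-ssh routing-instance MGMT
```

The security value of the last statement is separation: the management session follows the routing and firewall filters of the MGMT instance rather than whatever default route the transit network happens to provide, so a change to the transit routing table cannot silently redirect the device's outbound management connection.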
Security
High Availability (HA) synchronization of address name resolving cache (SRX Series and vSRX)—Starting in Junos OS Release 19.3R1, the policy DNS cache memory is synchronized into a single local DNS cache file on the HA active node and is copied to the HA backup node. This process suppresses Domain Name System (DNS) queries and responses during Network Security Process (NSD) restart. In releases before Junos OS Release 19.3R1, a few system resources become a bottleneck when a large number of DNS queries and responses are sent and received at the same time. During this period, security policies use empty source and destination addresses. Therefore, the new pass-through traffic is blocked as no policy can be matched, and flow sessions cannot be established.
[See High Availability (HA) Synchronization of Address Name Resolving Cache.]
Support for bundle feeds in dynamic address groups (SRX Series and vSRX)—Starting in Junos OS Release 19.3R1, you can configure bundle feeds for dynamic address groups in a security policy. You can download a single .tgz file from the server and extract it into multiple child feed files. Each individual file corresponds to one feed. Individual dynamic addresses reference the feed inside the bundle file. You can update IP addresses, IP prefixes, or IP ranges contained in a dynamic address entry periodically by downloading an external feed. SRX Series devices periodically initiate a connection to the feed server to download and update the IP lists that contain the updated dynamic addresses.
You can configure the url option for the feed server by using the set security dynamic-address feed-server feed-server-name statement at the [edit] hierarchy level.
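As an added example (not configuration from these release notes), the following set commands build the bundle-feed arrangement described above and consume the resulting entries in a deny policy. The feed server name threat-feeds, the URL https://203.0.113.20/feeds/bundle.tgz, the feed and file names, the intervals, the dynamic address names and the zone and policy names are all constructed. The url option is the one the item names; the update-interval, hold-interval, feed-name path and address-name profile statements are assumed from the existing dynamic-address hierarchy. Lines beginning with # are annotations, not CLI input.

```junos
# Feed server (constructed name and URL). The url option points at one bundle
# archive that the device expands into child feed files. Fetch over HTTPS so
# the IP list cannot be tampered with in transit.
set security dynamic-address feed-server threat-feeds url https://203.0.113.20/feeds/bundle.tgz
set security dynamic-address feed-server threat-feeds update-interval 300
set security dynamic-address feed-server threat-feeds hold-interval 1200

# Each child file inside the bundle is one feed (file names are constructed)
set security dynamic-address feed-server threat-feeds feed-name c2-servers path c2-servers.txt
set security dynamic-address feed-server threat-feeds feed-name scanners path scanners.txt

# Dynamic address entries that reference the feeds inside the bundle
set security dynamic-address address-name da-c2 profile feed-name c2-servers
set security dynamic-address address-name da-scanners profile feed-name scanners

# Deny policy placed ahead of the permit rules; log session-init so blocked
# hits from the feed are visible in the security log
set security policies from-zone untrust to-zone trust policy block-feeds match source-address da-c2
set security policies from-zone untrust to-zone trust policy block-feeds match source-address da-scanners
set security policies from-zone untrust to-zone trust policy block-feeds match destination-address any
set security policies from-zone untrust to-zone trust policy block-feeds match application any
set security policies from-zone untrust to-zone trust policy block-feeds then deny
set security policies from-zone untrust to-zone trust policy block-feeds then log session-init
```

After the first download, show security dynamic-address lists the entries and the number of addresses each feed resolved to; an entry that stays empty usually means the bundle did not contain the named child file or the download failed, in which case the deny policy silently matches nothing.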
Juniper Sky ATP
Juniper Sky ATP block files with unknown verdict and send user notification—Starting in Junos OS Release 19.3, for advanced anti-malware policies, you can block a file when the verdict is unknown. You can also send a user notification when a file is blocked. We’ve introduced the following new commands: set services advanced-anti-malware policy p1 http file-verdict-unknown (block|permit) and set services advanced-anti-malware policy p1 http client-notify (message|file|redirect-URL).
See set services anti-malware policy and request services advanced-anti-malware redirect-file.
Juniper Sky ATP onboarding changes—Starting in Junos OS Release 19.3, you can use an alternative onboarding procedure to perform all enrollment steps using the CLI on the SRX Series device without having to access the Sky ATP Web Portal. Run the request services advanced-anti-malware enroll command on the SRX Series device to begin the process. Both the original enrollment process that obtains an op script from the Web Portal and the new CLI-only enroll process are valid procedures. Use either one.
Subscriber Management and Services
Diameter S6a authentication (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 19.3R1, you can configure the Diameter-based S6a authentication application on SRX Series devices at the [edit access] hierarchy level. The MME uses the S6a application to retrieve authentication information from the Home Subscriber Server (HSS).
[See Configuring S6a and s6a.]
Virtual Routing
VRF-Group in L3VPN traffic (SRX Series and vSRX)—Starting in Junos OS Release 19.3R1, to support mid-stream routing, VRF processing is changed so that a session can be processed across a group of MPLS VRF instances in an L3VPN MPLS network. The VRF instances that are logically part of a given L3VPN's traffic are grouped together, and this grouping is a VRF-Group. A VRF-Group allows the session to switch from one MPLS VRF to another MPLS VRF.
VRF-Group supports the following features:
Overlapping in VPN session
VRF-Group Policy
VRF-Group NAT
VRF-Group ALG
[See Security Policy for Controlling Traffic for VRF Routing-Instance.]
What's Changed
Learn about what changed in Junos OS main and maintenance releases for SRX Series.
Release 19.3R3-S2 Changes in Behavior and Syntax
Interfaces and Chassis
Unable to Upgrade a Chassis Cluster Using In-Service Software Upgrade (SRX5400)—In chassis cluster mode, the backup router's destination address for IPv4 and IPv6 routers, configured using the edit system backup-router address destination <destination-address> and edit system inet6-backup-router address destination <destination-address> statements, must not be the same as the interface address configured for IPv4 and IPv6 using the edit interfaces interface-name unit logical-unit-number family inet address ipv4-address and edit interfaces interface-name unit logical-unit-number family inet6 address ipv6-address statements.
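The conflicting and corrected forms of the configuration described above, as an added example that is not taken from these release notes. The interface ge-0/0/0, the addresses 192.0.2.10/24 and 2001:db8::10/64, the backup routers 192.0.2.1 and 2001:db8::1, and the remote prefixes 198.51.100.0/24 and 2001:db8:100::/64 are constructed values. Lines beginning with # are annotations, not CLI input.

```junos
# Interface addresses on the management-facing interface (constructed values)
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.10/24
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::10/64

# Conflicting form: the destination prefix is the interface address itself.
# On an SRX5400 chassis cluster this combination prevents ISSU.
# set system backup-router 192.0.2.1 destination 192.0.2.10/32
# set system inet6-backup-router 2001:db8::1 destination 2001:db8::10/128

# Corrected form: the destination is the remote management prefix reached
# through the backup router, which is distinct from the local interface address
set system backup-router 192.0.2.1 destination 198.51.100.0/24
set system inet6-backup-router 2001:db8::1 destination 2001:db8:100::/64
```

Before starting an ISSU, compare show configuration system backup-router and show configuration system inet6-backup-router against show configuration interfaces on both nodes; any destination that equals a configured interface address is the condition this item describes.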
What's Changed in Release 19.3R3
Application Layer Gateways (ALGs)
Disable the do not fragment flag from packet IP header (SRX Series and vSRX)—Starting in Junos OS Release 19.3R3, we’ve introduced the clear-dont-frag-bit statement at the [edit security alg alg-manager] hierarchy level to disable the do not fragment flag from the packet IP header. This configuration allows the packet to be split after NAT is performed.
In Junos OS releases earlier than Release 19.3R3, when the ALG performs payload-NAT, sometimes the size of the packet becomes bigger than the maximum transmission unit (MTU) of the outgoing interface. If the packet IP header has the do not fragment flag, this packet cannot be sent out.
[See alg-manager.]
Authentication and Access Control
Enabling and disabling SSH login password or challenge-response authentication (SRX Series)—Starting in Junos OS Release 19.3R3, you can disable either the SSH login password or the challenge-response authentication at the [edit system services ssh] hierarchy level.
In Junos OS releases earlier than Release 19.3R3, you can enable and disable both SSH login password and the challenge-response authentication simultaneously at the [edit system services ssh] hierarchy level.
[See Configuring SSH Service for Remote Access to the Router or Switch.]
Flow-based and Packet-based Processing
Self-generated IKE packets choose the outgoing interface matching the source IP address (SRX Series)—A self-generated Internet Key Exchange (IKE) packet always selects the ECMP outgoing interface that matches its source IP address. Note that filter-based forwarding for self-generated traffic with rerouting is not supported.
J-Web
Deactivated policy rules are not visible in the J-Web UI (SRX Series)—Starting in Junos OS Release 19.3R3, J-Web does not support disabling or enabling the security firewall or global policy rules. The policy rules that are deactivated through the CLI are also not visible in the J-Web UI. As a workaround, use the CLI to disable or enable the policy rules on the device.
Juniper Extension Toolkit (JET)
Set the trace log to only show error messages (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series)—You can set the verbosity of the trace log to only show error messages by using the error option of the level statement at the [edit system services extension-service traceoptions] hierarchy level.
Juniper Sky ATP
Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 19.3R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).
Network Management and Monitoring
Packet Forwarding Engine data display command (SRX Series)—Starting in Junos OS Release 19.3R3, you can now view the Packet Forwarding Engine data by using the usp flow config and usp flow stats options for the show pfe data command.
What's Changed in Release 19.3R2-S6
Network Management and Monitoring
Support for disconnecting unresponsive NETCONF-over-SSH clients (ACX Series, EX Series, MX Series, NFX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—You can enable devices to automatically disconnect unresponsive NETCONF-over-SSH clients by configuring the client-alive-interval and client-alive-count-max statements at the [edit system services netconf ssh] hierarchy level. The client-alive-interval statement specifies the timeout interval in seconds, after which, if no data has been received from the client, the device requests a response, and the client-alive-count-max statement specifies the threshold of missed client-alive responses that triggers the device to disconnect the client, thereby terminating the NETCONF session.
See ssh (NETCONF).
Changes to commit RPC responses in RFC-compliant NETCONF sessions (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—When you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level, the NETCONF server's response for commit operations includes the following changes:
If a successful commit operation returns a response with one or more warnings, the warnings are redirected to the system log file, in addition to being omitted from the response.
The NETCONF server response emits the <source-daemon> element as a child of the <error-info> element instead of the <rpc-error> element.
If you also configure the flatten-commit-results statement at the [edit system services netconf] hierarchy level, the NETCONF server suppresses any <commit-results> XML subtree in the response and only emits an <ok> or <rpc-error> element.
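The two NETCONF items in this section (unresponsive-client disconnection and RFC-compliant commit responses) combined into one configuration, as an added example that is not from these release notes. The interval of 60 seconds and the count of 3 are constructed values chosen for illustration; the statement names are the ones the items above name. Lines beginning with # are annotations, not CLI input.

```junos
# NETCONF over SSH with dead-client detection. After 60 s without data the
# device sends a keepalive request; after 3 unanswered requests (about 180 s)
# it drops the session, so a stalled or half-open automation client cannot
# hold a NETCONF session open indefinitely.
set system services netconf ssh
set system services netconf ssh client-alive-interval 60
set system services netconf ssh client-alive-count-max 3

# RFC-compliant commit replies: warnings from a successful commit go to the
# system log instead of the reply, and <source-daemon> is emitted under
# <error-info> rather than directly under <rpc-error>
set system services netconf rfc-compliant

# Collapse the <commit-results> subtree so a successful commit answers with
# only <ok> and a failed one with only <rpc-error>
set system services netconf flatten-commit-results
```

Two operational consequences follow for anyone running automation against the device: clients that parsed the <commit-results> subtree or read warnings out of the commit reply must be updated, and commit warnings now have to be collected from the system log (show log messages) rather than from the session.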
What's Changed in Release 19.3R2
Interfaces and Chassis
Change in output of show interfaces (SRX300, SRX320, SRX340, SRX345, SRX550M)—Starting in Junos OS Release 19.3R2, the output of the show interfaces command on the SRX300 line of devices and on the SRX550M, no longer displays vlan as the value of the Physical interface field. On these devices, the value of the Physical interface field in the command output appears as irb instead of vlan.
Network Management and Monitoring
Change in jnxJsFlowMIB statistics display (SRX Series)—Starting in Junos OS Release 19.3R2, in a chassis cluster, you can see the statistics on all SPUs of both nodes using the show snmp mib walk jnxJsFlowMIB command. In earlier releases, you can see the statistics only on local SPUs.
[See SNMP MIB Explorer.]
What's Changed in Release 19.3R1
Application Security
Starting in Junos OS Release 19.3R1, you can schedule automatic download of the application signature package in a new format. Use the YYYY-MM-DD.hh:mm format to configure the time to automatic download for application signatures. For example, the following statement sets the start time as 10 AM on June 30, 2019:
user@host# set services application-identification download automatic start-time 2019-06-30.10:00:00
You can configure automatic updates using the new format after you upgrade from an earlier Junos OS release to a release that supports it.
Authentication and Access Control
SSH protocol version v1 option deprecated from CLI (SRX Series)—Starting in Junos OS Release 19.3R1, we’ve removed the nonsecure SSH protocol version 1 (v1) option from the [edit system services ssh protocol-version] hierarchy level. You can use the SSH protocol version 2 (v2) as the default option to remotely manage systems and applications. With the v1 option deprecated, Junos OS is compatible with OpenSSH 7.4 and later versions.
Junos OS releases earlier than Release 19.3R1 continue to support the v1 option to remotely manage systems and applications.
[See protocol-version.]
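An added example (not configuration from these release notes) that ties together the two SSH items on this page: the removal of protocol version 1 in Release 19.3R1 described just above, and the Release 19.3R3 change, under What's Changed in Release 19.3R3, that lets SSH password authentication and challenge-response authentication be disabled independently. The statement names no-password-authentication and no-challenge-response are assumed from the Junos [edit system services ssh] hierarchy (the release note only states that each method can now be disabled on its own); root-login, connection-limit and rate-limit are existing statements at that level, with constructed values. Lines beginning with # are annotations, not CLI input.

```junos
# Protocol version: v1 was removed from the CLI in 19.3R1, so v2 is the only
# accepted value; stating it explicitly documents the intent
set system services ssh protocol-version v2

# No direct root logins over SSH; administrators use named accounts
set system services ssh root-login deny

# 19.3R3 allows the two interactive methods to be switched off independently.
# Here plain password authentication is disabled while challenge-response
# (keyboard-interactive, used by RADIUS/TACACS+ one-time-password flows)
# stays enabled. Statement name assumed, see lead-in.
set system services ssh no-password-authentication

# Bound the concurrent sessions and the connection rate the SSH daemon accepts
set system services ssh connection-limit 10
set system services ssh rate-limit 5
```

Verify the result with show configuration system services ssh. Where keyboard-interactive authentication is not needed either, adding no-challenge-response (again an assumed statement name) leaves public-key authentication as the only interactive method; on releases before 19.3R3 the two methods could only be enabled or disabled together, which is why that combination was previously an all-or-nothing choice.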
Junos OS XML API and Scripting
Range defined for confirm-timeout value in NETCONF and Junos XML protocol sessions (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 19.3R1, the value for the <confirm-timeout> element in the Junos XML protocol <commit-configuration> operation must be in the range 1 through 65,535 minutes, and the value for the <confirm-timeout> element in the NETCONF <commit> operation must be in the range 1 through 4,294,967,295 seconds. In earlier releases, the range is determined by the minimum and maximum value of its unsigned integer data type.
Licensing
Starting in Junos OS Release 19.3R1, the SNMP OID jnxLicenseKeys is deprecated.
[See Licensing Guide.]
Network Management and Monitoring
Default system log messages (SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550M)—Starting in Junos OS Release 19.3R1, we’ve changed the default mode for system log messages from event mode to stream mode.
[See Understanding System Logging for Security Devices and mode (Security Log).]
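An added example (not configuration from these release notes) of the stream-mode security logging that this item makes the default on the listed platforms. The source address 192.0.2.10, the stream name siem, the collector 198.51.100.20 on UDP port 514, and the zone and policy names are constructed values; the mode, format, source-address, stream and policy log statements are assumed from the existing security log hierarchy. Lines beginning with # are annotations, not CLI input.

```junos
# Stream mode: security logs are sent off-box as they are generated instead of
# being processed as events on the Routing Engine, which is what the new
# default on the SRX300 line and SRX550M selects
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.10

# Constructed collector: a SIEM receiving structured syslog on UDP 514
set security log stream siem severity info
set security log stream siem host 198.51.100.20
set security log stream siem host port 514

# Session logging is requested per policy; log both ends so the collector can
# pair session-init with session-close for bytes and duration
set security policies from-zone trust to-zone untrust policy allow-out then log session-init
set security policies from-zone trust to-zone untrust policy allow-out then log session-close
```

After the upgrade, a device that was relying on event mode (logs visible locally via show log) will stop showing security logs locally unless a stream destination exists, so the detection impact of this default change is that unforwarded session logs are lost rather than stored; confirm the collector is receiving RT_FLOW messages before relying on it.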
Unified Threat Management (UTM)
Support to adjust the core allocation ratio of UTM on-box AV—Starting in Junos OS Release 19.3R1, to improve the throughput of low-scan-cost files such as DOC files and large EXE files, the on-box AV load flavor light ratio is changed from 1/3 to 1/4, and the on-box AV load flavor heavy ratio is changed from 2/3 to 1/2.
[See Example: Configuring On-Device Antivirus Feature Profile.]
VPN
Power Mode IPsec (SRX Series)—Starting in Junos OS Release 19.3R1, when you enable Power Mode IPsec, the show security flow statistics and show security flow session tunnel summary commands do not count or display the number of packets that are processed within Power Mode IPsec.
Known Limitations
Learn about known limitations in this release for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Authentication and Access Control
Enhanced user firewall support—In Junos OS Release 19.3R3, for SRX300 devices with eUSB (SRX300, SRX320, SRX340, and SRX345), the SRX Series user firewall (UserFW) module tries to synchronize user entries from the domain controller or Juniper Identity Management Service (JIMS) after booting up. If the historical login events expired on the domain controller, then the SRX Series UserFW module is unable to retrieve those user entries after the UserFW module boots up.
[See User Authentication Entries in the ClearPass Authentication Table.]
J-Web
After you generate the Default Trusted CA profile group under Certificate Management > Trusted Certificate Authority in J-Web, J-Web does not display the CA profile group local on the Certificate Management > Certificate Authority Group page. PR1424131
The CA profile group imported using J-Web does not populate the group on the Certificate Authority Group initial landing page grid, but all the CA profiles of a group are populated on the Trusted Certificate Authorities landing page. PR1426682
When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is automatically refreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214
Logical Systems and Tenant Systems
In the case of logical systems, secure wire cannot work with the user firewall AD integrated solution, because secure wire cannot support forwarding traffic between different logical systems. The user firewall AD integrated solution cannot probe client PCs that are located in non-root logical systems. PR1436546
Platform and Infrastructure
When an NTP server is newly added to the Junos configuration using a domain name, a DNS server IP address needs to have been already configured and committed in a previous commit. Otherwise the commit will fail due to the NTP server domain name failing to be resolved to an IP address. As a workaround, use an IP address for the NTP server configuration. PR1411396
VPNs
In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported in Junos OS Release 18.2R2 and later. PR1383329
In the HA design for SRX Series devices, the anti-replay window is synchronized to the backup only when the total incoming packet count is an odd multiple of 128 packets. When a failover occurs, the anti-replay bitmap is not synchronized. Again, when the node comes back online, the SA is installed but the anti-replay bitmap is reset to 0 along with the in and out sequence number. PR1420521
The IPsec VPN tunnel does not come up, and the gateway lookup failed error is seen, after the configurations are changed from IPv4 to IPv6 tunnels in the script. PR1431265
On the SRX5000 line of devices with SPC3 cards, sometimes IKE SA is not seen on the device when the st0 binding on the VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411
Per-tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393
Open Issues
Learn about open issues in this release for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Flow-Based and Packet-Based Processing
On an SRX4600 device, when the next hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725
On SRX5400, SRX5600, and SRX5800 devices with SPC3, it is possible that when multiple core files are generated in quick succession, the cold-sync-monitored status is displayed and cannot be removed even though cold-sync has finished. You must reboot the affected node to recover. PR1403000
The dynamic applications that relied on SSL proxy for matching have been deprecated. These dynamic applications are HTTPS, SMTPS, POP3S, and IMAPS. Use SSL, SMTP, POP3, and IMAP in all policies moving forward as they will now match for both encrypted and decrypted streams. PR1444767
TCP session cannot time out properly upon receiving the TCP RESET packet, and the session timeout does not change to 2 seconds. PR1467654
Intrusion Detection and Prevention (IDP)
On the SRX Series devices, the commit or show command for IDP might not work if you keep running SNMP queries when large-scale IDP is used. PR1444043
When intelligent inspection status changes, syslog is not generated on SRX300 and SRX500 line of devices. PR1448365
J-Web
Due to set chassis auto-image-upgrade in the factory configuration, you cannot skip from the phone-home page to J-Web; the error Bootstrap is in progress, Can't Skip!! is displayed. PR1420888
On the SRX5000 line of devices, J-Web might not be responsive sometimes when you commit configuration changes after adding a new dynamic application while creating a new firewall rule. J-Web displays a warning while validating the configuration due to dynamic application or any other configuration changes. As a workaround, refresh the J-Web page. PR1460001
When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is automatically refreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214
Routing Policy and Firewall Filters
The SSL reverse proxy feature must be used instead of the SSL inspection feature. SSL inspection on IDP level is being deprecated in favor of SSL reverse proxy. PR1450900
If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907
VPNs
On SRX Series devices, if multiple traffic selectors are configured for a peer with Internet Key Exchange version 2 (IKEv2) reauthentication, only one traffic selector is rekeyed at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. A new negotiation of these traffic selectors is triggered through other mechanisms—for example, by traffic or by a peer. PR1287168
When multiple traffic selectors are configured on a particular VPN, the iked process sends at most one DPD probe to the peer per configured DPD interval. The DPD probe is sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585
On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX Series device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE IDs. PR1407356
On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334
On the SRX5000 line of devices with SPC3 cards, sometimes IKE SA is not seen on the device when the st0 binding on the VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411
Per-tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393
In an IPsec VPN scenario on SRX5400, SRX5600, and SRX5800 platforms, the iked process treats retransmission of IKE_INIT request packets as new connections when the SRX Series device acts as a responder of IKE negotiation. This causes IKE tunnel negotiation to fail, and IPsec VPN traffic might be impacted. PR1460907
The SRX5000 line of devices with SPC3 does not support simultaneous IKE negotiation in Junos OS Releases 19.2, 19.3, 19.4, and 20.1. PR1497297
Resolved Issues
Learn which issues were resolved in Junos OS main and maintenance releases for SRX Series devices.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Resolved Issues: Release 19.3R3
Application Layer Gateways (ALGs)
On the SRX5000 line of devices, the H323 call with NAT64 could not be established. PR1462984
The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942
SIP messages that need to be fragmented might be dropped by the SIP ALG. PR1475031
FTPS traffic might be dropped on SRX Series or MX Series devices if FTP ALG is used. PR1483834
Authentication and Access Control
SRX Series: Unified Access Control (UAC) bypass vulnerability (CVE-2020-1637). PR1475435
Chassis Clustering
IP monitoring might fail on the secondary node. PR1468441
An unhealthy node might become primary in SRX4600 devices in a chassis cluster scenario. PR1474233
Flow-Based and Packet-Based Processing
The output of the show security group-vpn server statistics | display xml command is not in the expected format. PR1349959
The show security pki local-certificate logical-system all command is not showing any output. PR1414628
The trusted-ca and root-ca names or IDs should not be the same within an SSL proxy configuration. PR1420859
The control logical interface is not created by default for LLDP. PR1436327
The SPC card might stop on the SRX5000 line of devices. PR1439744
With NCP remote access solution, in a PathFinder case (for example, where IPsec traffic has to be encapsulated as TCP packets), TCP encapsulation for transit traffic is failing. PR1442145
In the BERT test for E1 interface, bits count is not within the range. PR1445041
Introduction of default inspection limits for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180
The SRX Series devices stop and generate several core files. PR1455169
The srxpfe or flowd process might stop if the sampling configuration is changed. PR1462610
Tunnel packets might be dropped because the gr0.0 or st0.0 interface is calculated incorrectly after a GRE or VPN route change. PR1462825
The flowd or srxpfe process might crash if the tunnel information-related show command is issued during the tunnel deleting process. PR1469123
On the SRX300 line of devices, the authentication table might load slowly when user identification is used. PR1462922
A core file might be generated when you perform an ISSU on SRX Series devices. PR1463159
The PKI daemon keeps leaking memory on SRX Series devices. PR1465614
The jbuf process usage might increase up to 99 percent after Junos OS upgrade. PR1467351
The rpd process might stop after several changes to the flowspec routes. PR1467838
The Packet Forwarding Engine might generate core files because SSL proxy is enabled on NFX Series and SRX Series devices. PR1467856
Server unreachable is detected; ensure that port 443 is reachable. PR1468114
Tail drop on all ports is observed when any switch-side egress port gets congested. PR1468430
FTP data connection might be dropped if SRX Series devices send the FTP connection traffic through the dl interface. PR1468570
RPM test probe fails to show that round-trip time has been exceeded. PR1471606
19.3R2: pkid crash at bn_i2c (pval=0x1d, cont=0x0, putype=0xffffcce8, it=0xc8c848b8 <BIGNUM_it>) at ../../../../../../../src/crypto/openssl/crypto/asn1/x_bignum.c:127. PR1471878
Look-up failure for expected e-mail address in DUT. PR1472748
Packet drop might be observed on the SRX300 line of devices when adding or removing an interface from MACsec. PR1474674
Stateful firewall rule configuration deletion might lead to memory leak. PR1475220
ECMP load balancing does not happen when the RG1 node 0 is secondary. PR1475853
The flowd or srxpfe process might stop when deleting user firewall local authentication table entry. PR1477627
MPCs might stop when there is bulk route update failure in a corner case. PR1478392
Recent changes to JDPI's classification mechanism caused a considerable performance regression (more than 30 percent). PR1479684
The flowd or srxpfe process might stop when advanced anti-malware service is used. PR1480005
On Web proxy, memory leak in association hash table and DNS hash table. PR1480760
The jsqlsyncd process synchronizes its databases every second even when there is no change. PR1482428
IMAP curl sessions get stuck in the active state if AAMW IMAP block mode is configured. PR1484692
The show chassis temperature-thresholds command displays extensive FPC 0 output. PR1485224
The flowd process might stop and impact services if J-Flow version 9 is configured. PR1486528
Commit does not work after the installation through boot loader. PR1487831
If a cluster ID of 16 or multiples of 16 is used, the chassis cluster might not come up. PR1487951
CPU board inlet increases after OS upgrade from Junos OS Release 15.1X49 to Junos OS Release 18.x. PR1488203
All interfaces remain in the down state after the SRX300 line of devices power up or reboot. PR1488348
There is a risk of service interruption on all SRX Series devices with a dual-stacked CA server. PR1489249
Continuous drops seen in control traffic, with high data queues in one SPC2 PIC. PR1490216
The phone-home client might stop during ZTP of an SRX345 device with CSO. PR1496650
Outbound SSH connection flap or memory leak issue might be observed when pushing configuration to ephemeral database with high rate. PR1497575
Traffic interruption happens due to MAC address duplication between two Junos OS devices. PR1497956
Do not use uppercase characters for source-identity when using the show security match-policies command. PR1499090
J-Flow version 9 does not display the correct outgoing interface for APBR traffic. PR1502432
Fabric interface might be monitored down after chassis cluster reboot. PR1503075
SOF asymmetric scenario not working phase-1 solution. PR1507865
VRRP does not work on the reth interface with a VLAN ID greater than 1023. PR1515046
A logic issue was corrected in SSL proxy that could lead to an srxpfe or flowd core file under load. PR1516903
The PPPoE session does not come up after zeroization on SRX Series devices. PR1518709
Interfaces and Chassis
Static route through the dl0.0 interface is not active. PR1465199
MAC limiting on Layer 3 routing interfaces does not work. PR1465366
Intrusion Detection and Prevention (IDP)
On SRX Series devices, updating the IDP security package offline might fail. PR1466283
The IDP attack detection might not work in a specific situation. PR1497340
IDP's custom-attack time-binding interval command was mistakenly hidden within the CLI. PR1506765
J-Web
The Policy Rules grid will not populate the deactivated security firewall or global policy rules on the Rules page. PR1460161
IPv6 address objects containing the hexadecimal digits a, b, c, d, or e cannot be configured through J-Web. PR1464110
J-Web security resources dashboard widget was not being populated correctly. PR1464769
The J-Web users might not be able to configure PPPoE using the PPPoE wizard. PR1502657
Layer 2 Ethernet Services
The state of member links might be unsynchronized on a connection between PE and CE devices in EVPN active/active mode. PR1463791
MPLS
BGP session might keep flapping between two directly connected BGP peers because of the incorrect use of the TCP-MSS. PR1493431
Network Address Translation (NAT)
The flowd or srxpfe process might stop when traffic is processed by both ALGs and NAT. PR1471932
Issuing the show security nat source paired-address command might return an error. PR1479824
Network Management and Monitoring
The flowd or srxpfe process might stop immediately after committing the J-Flow version 9 configuration or after upgrading to affected releases. PR1471524
SNMP trap coldStart agent-address becomes 0.0.0.0. PR1473288
Platform and Infrastructure
On certain MPC line cards, cm errors need to be reclassified. PR1449427
Modifying the REST configuration might cause the system to become unresponsive. PR1461021
On SRX1500 and the SRX4000 line of devices, physically disconnecting the cable from the fxp0 interface causes hardware monitor failure and redundancy group failover, when the device is the primary node in a chassis cluster. PR1467376
On SRX Series devices, Packet Forwarding Engine memory might be used up if the security intelligence feature is configured. PR1472926
Support LLDP protocol on reth interface. PR1473456
A certificate error might occur during configuration validation in a Junos OS upgrade. PR1474225
The RGx might fail over after RG0 failover in a rare case. PR1479255
Packets get dropped when the next hop is IRB over lt interface. PR1494594
On the SRX1500 device, the factory-default configuration for ge-0/0/0 and ge-0/0/15 should be set with family inet DHCP. PR1503636
Routing Policy and Firewall Filters
Security policies cannot synchronize between Routing Engine and Packet Forwarding Engine on SRX Series devices. PR1453852
Traffic log shows an incorrect custom-application name when the alg ignore option is used in application configuration. PR1457029
Some domains are not resolved by the SRX Series devices when using DNS address book. PR1471408
The count option in the security policy does not take effect even if the policy count is enabled. PR1471621
Support for dynamic tunnels on SRX Series devices was mistakenly removed. PR1476530
TCP proxy was mistakenly engaged in unified policies when Web filtering was configured in potential match policies. PR1492436
The srxpfe or flowd process might crash due to memory corruption within JDPI. PR1500938
Traffic fails to hit the policies with matching source-end-user-profiles. PR1505002
Routing Protocols
SSH login might fail if a user account exists in both local database and RADIUS or TACACS+. PR1454177
The rpd might stop when both instance-import and instance-export policies contain the as-path-prepend action. PR1471968
The BGP route-target family might prevent the route reflector from reflecting Layer 2 VPN and Layer 3 VPN routes. PR1492743
Unified Threat Management (UTM)
Increase the scale number of UTM profile or policy for the SRX1500 device, and the SRX4000 and SRX5000 lines of devices. PR1455321
The utmd process might pause after deactivating a UTM configuration with predefined category upgrading used. PR1478825
UTM websense redirect supports IPv6 messages. PR1481290
VLAN Infrastructure
ISSU failed from Junos OS Release 18.4R2.7 to Junos OS Release 19.4, with secondary node PICs in present state after upgrading to Junos OS Release 19.4. PR1468609
VPNs
After RG1 failover, IKE phase 1 SA is getting cleared. PR1352457
IPsec VPN missing half of the IKE SA and IPsec SA showing incorrect port number when scaling to 1000 IKEv1 AutoVPN tunnels. PR1399147
The established tunnels might remain unchanged when an IKE gateway is changed from AutoVPN to Site-to-Site VPN. PR1413619
The show security ipsec statistics command output displays buffer overflow and wraps around 4,---,---,--- count. PR1424558
IKE SA does not get cleared and is showing a very long lifetime. PR1439338
Some IPsec tunnels flap after RGs failover on the SRX5000 line of devices. PR1450217
IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951
IPsec tunnels might lose connectivity on SRX Series devices after chassis cluster failover when using AutoVPN point-to-multipoint mode. PR1469172
The kmd process might crash continually after chassis cluster failover in an IPsec ADVPN scenario. PR1479738
On SRX Series devices with SPC3, when overlapping traffic selectors are configured, multiple IPsec SAs get negotiated with the peer device. PR1482446
Resolved Issues: Release 19.3R2
Application Layer Gateways (ALGs)
Sometimes unexpected forwarding sessions appear for tenant ALG SIP traffic in a cross-tenant scenario. PR1409748
After Layer 3 HA is enabled, the ALG H.323 group or resource cannot be synchronized to the peer node correctly. PR1456709
Authentication and Access Control
The same source IP sessions are cleared when the IP entry is removed from UAC table. PR1457570
Application Security
The AAMW diagnostic script gives incorrect error Error: Platform does not support SkyATP: srx300. PR1423378
Unable to get more than 60 Gbps of AppQoS throughput. PR1439575
Chassis Clustering
Hardware failure is seen on both nodes in show chassis cluster status. PR1452137
On SRX Series devices with chassis cluster, the control link remains up even though the control link is actually down. PR1452488
Flow-Based and Packet-Based Processing
Packet loss is caused by FPGA back pressure on SPC3. PR1429899
VPN traffic fails after primary node reboot or power off. PR1433336
On SRX4600 device, core file might be observed and SPM might be in present state. PR1436421
While checking the flow session XML for source NAT under a tenant, there is no value identifier for tenant-name (<tenant></tenant>). PR1440652
J-Flow version 5 stops working after changing input rate value. PR1446996
AAMW policy rules for IMAP traffic sometimes might not get applied when the traffic passes through an SRX Series device. PR1450904
FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122
Traffic forwarding on Q-in-Q port and VLAN tagging is not observed properly on R0. PR1451474
The rpd process might stop and restart and an rpd core file is generated when committing the configuration. PR1451860
The peers and peers-synchronize commands are removed from SRX Series devices. PR1456661
Some JP APN settings were added to the default list in the LTE mPIM. PR1457838
Changing the RESET configuration button behavior on the SRX1500 does not work. PR1458323
The security flow traceoptions fills in with RTSP ALG related information. PR1458578
The security-intelligence CC feed does not block HTTPS traffic based on SNI. PR1460384
The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619
Fragmented traffic might get looped between the fab interface in Z mode. PR1465100
HTTP block message stops working after SNI check for HTTPS session. PR1465626
Interfaces and Chassis
SCB4 or SCB3 ZF or XF2 fabric plane retraining is needed after switching the fabric redundancy mode. PR1427119
The fxp0 interface might redirect packets that are not destined to itself. PR1453154
J-Web
J-Web fails to display the traffic log in event mode when stream mode host is configured. PR1448541
Editing destination NAT rule in J-Web introduces a non-configured routing instance field. PR1461599
Network Address Translation (NAT)
A port endianness issue in SPU messages between SPC3 and SPC2 cards results in one redundant NAT binding being created in the CP when one binding is allocated on an SPC2 card. PR1450929
Network Management and Monitoring
Control links are logically down on SRX Series device chassis cluster running Junos OS Release 12.3X48. PR1458314
Platform and Infrastructure
The node0 stayed in secondary hold status for a long time but cannot change back to secondary status after manual failover in RG0. PR1421242
On the SRX300 line of devices, interface LED does not work properly. PR1446035
REST API process will get non-responsive when a number of requests come at a high rate. PR1449987
Routing Policy and Firewall Filters
The NSD process might stop due to a memory corruption issue. PR1419983
The NSD process might get stuck and cause problems. PR1458639
Services Applications
On SRX Series devices, the lcore-slave core files are seen. PR1460035
Unified Threat Management (UTM)
Blacklist compilation failures are reported. PR1418980
The command show security utm web-filtering status now provides additional context when the status of EWF is down. PR1426748
VPNs
The IKE and IPsec configuration under groups is not supported. PR1405840
Old tunnel entries are still seen when a new tunnel negotiation is started by the peer device after a change in the IKE gateway configuration on the peer side. PR1423821
The P1 configuration delete message is not sent on loading baseline configuration if there has been a prior change in VPN configuration. PR1432434
The P1 or P2 SAs are deleted after RG0 failover. PR1433355
The IPsec SA inbound and outbound key sequence number update is missing after a cold sync (secondary node reboot). PR1433424
Sequence number is reset to zero while recovering SA after SPC3 or flowd stop or reboot. PR1433568
The IKED stops on the SRX5000 line of devices with SPC3 when IPsec VPN or IKE is configured. PR1443560
Sometimes old SAs are not deleted after rekey and the number of IPsec tunnels shows up more than the configured tunnels. PR1449296
Traffic is not sent out through IPsec VPN after update to Junos OS Release 18.2 or later. PR1461793
Resolved Issues: Release 19.3R1
Application Layer Gateways (ALGs)
The TCP reset packet is dropped when any TCP proxy-based feature and the rst-invalidate-session command are enabled simultaneously. PR1430685
The H.323 connection might not be established when the H.323 packet passes SRX devices twice through different virtual routers. PR1436449
Packet loss happens during cold synchronization from secondary node after rebooting. PR1448252
Application Security
Automatic application identification download stops after the year changes and the device is rebooted. PR1436265
The flowd or srxpfe process might crash when advanced anti-malware service is used. PR1437270
The applications that get declassified in the middle of a session are not identified properly. PR1437816
The flowd process core files might be seen when the traffic hits AppQoS policy. PR1446080
Authentication and Access Control
Support redirecting HTTP or HTTPS request to firewall Web authentication server with the server's domain name. PR1421725
The CPU utilization of the uacd is high, about 100 percent, in the output of show chassis routing-engine. PR1424971
Chassis Clustering
Mixed mode (SPC3 coexisting with SPC2 cards) high availability (HA) IP monitoring fails on the secondary node with secondary arp entry not found error. PR1407056
Memory leaks might be seen on the jsqlsyncd process on SRX Series chassis clusters. PR1424884
The flowd or srxpfe process might stop when SCCP or MGCP ALG works on SRX Series chassis clusters. PR1426722
RG0 failover sometimes causes FPC offline/present status. PR1428312
Class of Service (CoS)
Frequent issuance of the show class-of-service spu statistics command causes rtlogd to become busy. PR1438747
Flow-Based and Packet-Based Processing
Password recovery menu does not appear on SRX Series device. PR1381653
Invalid sessions time out after more than 48 hours under TCP stress traffic on the backup node. PR1383139
On SRX5400, SRX5600, and SRX5800 devices with SPC3, when PowerMode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands do not count or display the number of packets processed within PowerMode IPsec, because these packets do not go through the regular flow path. PR1403037
CPU is hitting 100 percent with fragmented traffic. PR1402471
Throughput or latency performance of TCP traffic is dropped when TCP traffic is passing through from one logical system to another logical system. PR1403727
While PMI is on, the IPsec-encrypted statistics in the show security ipsec statistics command output on the Routing Engine no longer work for fragmented packets. PR1411486
The input and output bytes or bps statistic values might not be identical for the same size of packets. PR1415117
None of the operational web-proxy commands have a clear option. PR1415753
Force clearing client session from flow does not clean up proxy session. PR1415756
Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093
The TCP session might not get cleared even after it reaches the timeout value. PR1416385
TCP segmented client-side session fails to create transparent proxied relay session, and session stays idle. PR1417389
The show security flow session session-identifier <sessID> command is not working if the session ID is bigger than 10M on SRX4600 platform. PR1423818
The tunnel ID information is displayed in the flow session. PR1423889
PIM neighbors might not come up on SRX Series chassis cluster. PR1425884
When configuring a GRE tunnel (GRE-over-IPsec-tunnel) or an IPsec tunnel on an SRX Series device, the MTU of the tunnel interface is calculated incorrectly. PR1426607
The IPsec traffic going through the SRX5000 line of devices with SPC2 cards installed causes high SPU CPU utilization. PR1427912
The flowd process might stop on the SRX5000 line of devices. PR1430804
SRX550M running Junos OS Release 18.4R1 shows PEM 1 output failure message, whereas with Junos OS Release 15.1X49 or Junos OS Release 18.1R3.3 it does not show any alarms. PR1433577
Currently PMI does not support the mirror-filter functionality. If any mirror filters are configured, PMI sends all traffic to the regular flow path. PR1434583
Intermittent packets drop might be observed if IPsec is configured. PR1434757
On SRX Series devices, the syslog severity level of the message subtype end of policy is set to error, although this message can be ignored. PR1435233
The rtlogd process on the two Routing Engine HA nodes goes into a deadlock state when rtlogd on both nodes is busy sending data to the other node in the single-thread context. PR1435352
The second IPsec ESP tunnel might not be able to establish between two IPv6 IKE peers. PR1435687
On an SRX4600 device, core file generation might be observed and SPM might be in present state. PR1436421
The ipfd process might crash when SecIntel is used. PR1436455
Packet reorder does not work when sending traffic over IPsec tunnel with session-affinity. PR1436720
Member information for dynamically created VLANs is not displayed in the show vlans output. PR1438153
Security logs cannot be sent to the external syslog server through TCP. PR1438834
Decryption traffic doesn’t take PMI path after IPsec rekey (initiated by peer) when loopback interface is configured as external interface. PR1438847
The wmic process might stop and restart when using user firewall with Active Directory. PR1439538
The IKE pass-through packet might be dropped after source NAT is applied. PR1440605
Performance improvements were made to Screens, which benefit multi-socket systems. PR1440677
SPC2 wrongly forwarded packet to SPC3 core0 and core14. PR1441234
The configured RPM probe server hardware timestamp does not respond with correct timestamp to the RPM client. PR1441743
A new CLI option shows only the useful group information for an Active Directory user. PR1442567
The flowd or srxpfe process might crash when processing fragmented packets. PR1443868
Packet loss happens during cold sync from secondary node after rebooting. PR1447122
LACP cannot work with the encapsulation flexible-ethernet-services configuration. PR1448161
SPC3 talus FPGA stuck on 0x3D or 0x69 golden version. PR1448722
FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122
Traffic forwarding on Q-in-Q port and VLAN tagging is not observed properly on R0. PR1451474
Infrastructure
Increase in Junos OS image size for Junos OS Release 19.1R1. PR1423139
Interfaces and Routing
The fxp0 interface might redirect packets that are not destined to itself. PR1453154
Installation and Upgrade
SRX Series devices go into DB mode after USB installation. PR1390577
SPMC version mismatch errors after Junos OS install using USB method. PR1437065
Interfaces and Chassis
Both nodes in the SRX Series chassis cluster go into DB mode after downgrading to Junos OS Release 18.1. PR1407295
The reth interfaces are now supported when configuring SSL decryption mirroring (mirror-decrypt-traffic interface). PR1415352
Disabling the interface on the primary node causes traffic to get silently dropped through the secondary. PR1424705
SCB4 or SCB3 ZF or XF2 fabric plane retraining is needed after switching the fabric redundancy mode. PR1427119
An MTU change after a CFM session is up can impact the L2 Ethernet ping (loopback messages). If the new MTU is smaller than the value in the initial incarnation, the L2 Ethernet ping fails. PR1427589
LFM remote loopback is not working as expected. PR1428780
The LACP interface might flap if performing a failover. PR1429712
Intrusion Detection and Prevention (IDP)
NSD fails to push security zone to the Packet Forwarding Engine after reboot, if there is an active IDP rule configured with FQDN. PR1420787
J-Web
J-Web configuration change for an address set using the search function results in a commit error. PR1426321
User unable to view GUI when logged in as read-only user. The user is presented with an empty page after login. PR1428520
IRB interface is not available in the zone option of J-Web. PR1431428
Launch pad is not loading in the foreground and not showing details for any widgets. PR1446802
The idle-timeout for J-Web access doesn't work properly. PR1446990
J-Web fails to display the traffic log in event mode when stream mode host is configured. PR1448541
Network Address Translation (NAT)
RTSP resource session is not found during NAT64 static mapping. PR1443222
Network Management and Monitoring
MIB OID dot3StatsDuplexStatus shows wrong status. PR1409979
Partial traffic might get dropped on an existing LAG. PR1423989
SNMPD might generate core files after restarting NSD process by restart network-security gracefully. PR1443675
Platform and Infrastructure
Memory leak might occur on the data plane during composite next-hop installation failure. PR1391074
On SRX4600 devices, the 40-Gigabit Ethernet interface might flap continuously because of a MAC local fault. PR1397012
The show security flow session command fails with error messages when SRX4600 has over a million routing entries. PR1408172
An I2C failure major alarm for PEM 0, PEM 1, or a fan might be set and cleared multiple times. PR1413758
Complete device outage might be seen when an SPU VM core file is generated. PR1417252
Some applications might not be installed during an upgrade from an earlier version that does not support FreeBSD 10 to a FreeBSD 10-based system. PR1417321
On SRX Series device, the flowd process might stop. PR1417658
On SRX4600 devices, commit failed while configuring 2047 VLAN IDs on the reth interface. PR1420685
SPC in slot1 of node0 remained in offline state for more than 1 hour after the cluster was upgraded from Junos OS Release 18.2R2-S1.3 to Junos OS Release 18.2X41.1. PR1423169
Screen sync cookie causes 100 percent CPU utilization across all SPC3 cards of SRX5800, when packet rate is high. PR1425332
The ipfd process might crash if the security intelligence feature is configured. PR1425366
Alarms triggered due to high temperature when operating within expected temperatures. PR1425807
The PICs might go offline and split-brain might be seen when interrupt storm happens on internal Ethernet interface em0 or em1. PR1429181
REST API does not work properly. PR1430187
CPU load is distributed unevenly at high packet rates on the device. PR1430721
Packet Forwarding Engine crashes might be seen on SRX1500 platform. PR1431380
The false license alarm may be seen even if there is a valid license. PR1431609
The kmd log shows resource temporarily unavailable repeatedly and VPNs might be down. PR1434137
The interface using LACP flaps when the Routing Engine is busy. PR1435955
The CLI reports the error usp_ipc_client_open: failed to connect to the server after 1 retries(61) when an SRX4100 or SRX4200 device has a large number of RIB or FIB entries. PR1445791
On the SRX300 line of devices, interface LED does not work properly. PR1446035
IS-IS adjacencies over a GE link do not come up. PR1446533
Routing Policy and Firewall Filters
Memory leak in nsd causes configuration change to not take effect after a commit. PR1414319
The flowd process stops on SRX Series devices while deleting a lot of policies from Junos Space. PR1419704
A commit warning is now presented to the user when a traditional policy is placed below a unified policy. PR1420471
The dynamic-address summary's IP entry count does not include IP entries in the root logical system. PR1422525
After a new alarm is created, the NSD process fails to restart because subcomponents fail. PR1422738
DNS cache entry does not time out from device even after TTL=0. PR1426186
The ipfd generates a core file while scaling. PR1431861
An SRX1500 device allows only a maximum of 256 policies with counting enabled. PR1435231
Two ipfd processes appear in ps command and the process pauses. PR1444472
Unified Threat Management (UTM)
Avira antivirus throughput on SRX4600 devices cannot be improved because the mbuf high watermark is reached. PR1419064
When using unified policies, the base filter for certain UTM profiles might not be applied correctly. PR1424633
The custom-url-categories configuration is now pushed correctly to the Packet Forwarding Engine under all circumstances. PR1426189
Memory issue due to SSL proxy whitelist or whitelist URL category. PR1430277
Replace the bypass-on-dns-cache-miss command with the drop_on_dns_error command in the Web proxy profile. If drop_on_dns_error is not set and DNS resolution fails for a session, that session passes through in bypass mode. If drop_on_dns_error is set and DNS resolution fails for a session, the Web proxy plug-in drops that session. PR1430425
Adjust core allocation ratio for on-box antivirus. PR1431780
User Interface and Configuration
Tenant system administrator cannot view its configuration with empty database message when using groups. PR1422036
VPNs
Tunnel flapping is seen after doing RG0 failover. PR1357402
With a large number of IPsec tunnels established, a few tunnels may fail during rekey negotiation if the SRX Series device initiates the rekey. PR1389607
VPN tunnels may flap upon committing changes in configuration groups on SRX Series devices. PR1390831
Idle IPsec VPN tunnels without traffic and with ongoing DPD probes can be affected during RG0 failover. PR1405515
On SRX5400, SRX5600, and SRX5800 devices with SPC3, when the SRX Series device is configured to initiate IKEv2 reauthentication when NAT traversal is active, occasionally reauthentication might fail. PR1414193
The iked process does not handle the case in which a remote gateway address is configured as an IPv6 address while the local interface where the tunnel is anchored has an IPv4 address, and core files might be generated. PR1416081
Group VPN IKE security associations cannot be established before RG0 failover. PR1419341
SSL proxy did not correctly warn users about unsupported certificates. PR1419485
The iked process might stop when IKE and IPsec SA rekey happens simultaneously. PR1420762
The 4G network connection might not be established if an LTE mPIM card is in use. PR1421418
Tenant system administrator can change VLAN assignment beyond the allocated tenant system. PR1422058
The show security ike sa detail command shows incorrect values in the IPsec security associations column. PR1423249
IPsec packet throughput might be impacted if NAT-T is configured and post-fragmentation of the encapsulated packets occurs. PR1424937
On SRX Series devices with SPC3, the device does not send IKE delete notification to the peer if the traffic selector configuration is changed. PR1426714
The kmd process stops and generates a core file after running the show security ipsec traffic-selector command. PR1428029
In SPC3 and SPC2 mixed mode, IPsec SA is not getting cleared by executing the clear security ipsec sa command. PR1428082
On the SRX5000 line of devices with SPC3, with P2MP and IKEv1 configured, if negotiation fails on the peer device, then multiple IPsec SA entries are created on the device if the peer keeps triggering a new negotiation. PR1432852
The IPsec rekey that should be triggered when the sequence number in AH and ESP packets is about to be exhausted does not work. PR1433343
On SRX Series devices, VPN traffic is fragmented earlier than the ingress packet sizes require. PR1435700
IPsec VPN traffic drops might be seen on SRX Series platforms in a NAT-T scenario. PR1444730
Documentation Updates
There are no errata or changes in Junos OS Release 19.3R3 documentation for the SRX Series.
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.
Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases
Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to the EEOL release two steps before or after it. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. From one EEOL release you can upgrade to the next EEOL release or to the one after that. For example, you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, from Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3, and so on.
You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
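The policy above is a small graph problem: a single install is allowed if the two releases are at most three releases apart, or if both are EEOL releases at most two EEOL steps apart; anything else has to be staged through EEOL releases. The following is an added example (not Juniper code or a Juniper tool) that encodes those two rules and plans a multi-hop upgrade or downgrade path. The ordered release train in RELEASES is constructed for illustration and is not an authoritative Junos release list; only the EEOL flags for 15.1X49, 17.3, 17.4, 18.1, and 18.2 come from the text above.

```python
"""Plan Junos OS upgrade/downgrade paths under the EEOL span policy.

Added illustration, not Juniper code. RELEASES is a constructed, ordered
release train (oldest first) used only to make the rules concrete; the
EEOL set is the one named in the release notes.
"""
from collections import deque
from typing import List, Optional

# Constructed release train for the example (assumption, not a Juniper list).
RELEASES = ["15.1X49", "16.1", "16.2", "17.1", "17.2", "17.3", "17.4",
            "18.1", "18.2", "18.3", "18.4", "19.1", "19.2", "19.3"]
# EEOL releases as named in the text above.
EEOL = {"15.1X49", "17.3", "17.4", "18.1", "18.2"}

MAX_SPAN = 3       # a normal install may span at most three releases
MAX_EEOL_SPAN = 2  # an EEOL-to-EEOL install may span at most two EEOL steps


def _idx(release: str) -> int:
    if release not in RELEASES:
        raise ValueError(f"unknown release {release!r}")
    return RELEASES.index(release)


def direct_hop_allowed(src: str, dst: str) -> bool:
    """True if a single install from src to dst (either direction) is within policy."""
    if src == dst:
        return True
    lo, hi = sorted((_idx(src), _idx(dst)))
    if hi - lo <= MAX_SPAN:
        return True
    if src in EEOL and dst in EEOL:
        # Count EEOL releases from src to dst inclusive; steps = count - 1.
        eeol_in_range = [r for r in RELEASES[lo:hi + 1] if r in EEOL]
        return len(eeol_in_range) - 1 <= MAX_EEOL_SPAN
    return False


def plan_path(src: str, dst: str) -> Optional[List[str]]:
    """Return the releases to install in order (src first, dst last) using the
    fewest policy-compliant hops, never moving away from dst; None if unreachable."""
    s, d = _idx(src), _idx(dst)
    # Candidate intermediate releases lie strictly between current and target,
    # so an upgrade never downgrades mid-path (and vice versa).
    def forward(cur: int) -> List[str]:
        rng = range(cur + 1, d + 1) if d > cur else range(cur - 1, d - 1, -1)
        return [RELEASES[i] for i in rng]

    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in forward(_idx(cur)):
            if nxt not in prev and direct_hop_allowed(cur, nxt):
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def path_is_valid(path: List[str]) -> bool:
    """Check every consecutive hop in a planned path against the policy."""
    return all(direct_hop_allowed(a, b) for a, b in zip(path, path[1:]))


if __name__ == "__main__":
    print(plan_path("15.1X49", "19.3"))   # staged through EEOL releases
    print(plan_path("19.3", "17.4"))      # a downgrade, staged the same way
```

The planner uses breadth-first search, so it returns a fewest-hops path rather than the "next EEOL release first" ordering the text describes; both satisfy the rules, and every hop it emits can be checked with direct_hop_allowed before the maintenance window is scheduled.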
For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.
For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.
For information about ISSU, see the Chassis Cluster User Guide for Security Devices.