
Junos OS Release Notes for SRX Series


These release notes accompany Junos OS Release 19.4R1 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.

Application Security

  • Selectively disable midstream APBR (SRX Series and vSRX)—Starting in Junos OS Release 19.4R1, you can selectively turn off midstream routing for a specific APBR rule while retaining the global APBR functionality for the remaining sessions.

    When you disable midstream routing for a specific APBR rule, the system does not apply midstream APBR to the corresponding application traffic, and routes the traffic through a non-APBR route.

    [See Advanced Policy-Based Routing.]

  • DSCP support for AppQoE (SRX Series and vSRX)—Starting in Junos OS Release 19.4R1, AppQoE supports SLA-based path selection for incoming traffic based on the Differentiated Services Code Point (DSCP) value.

    AppQoE depends on AppID and APBR to select the best possible link for the application traffic to meet the performance requirements specified in the SLA. Junos OS Release 19.3R1 introduced APBR functionality for DSCP-tagged traffic. With this enhancement, AppQoE selects the best possible link for the application traffic based on the application signature, the DSCP value, or a combination of both.

    With this enhancement, you can now apply AppQoE to encrypted traffic based on the DSCP value.

    [See Application Quality of Experience.]

  • Support for server certificates with key size 4096 bits (SRX300 and SRX320)—Starting in Junos OS Release 19.4R1, SRX300 and SRX320 devices support RSA certificates with key size 4096 bits. You must explicitly configure the SSL proxy profile on these devices to use the server certificate with key size 4096 bits.

    Support for RSA certificates with a 4096-bit key is available only when the SRX300 and SRX320 devices are operating in standalone mode.

    [See Managing Certificates and Keys for SSL Proxy.]

Chassis Clustering

Flow-Based and Packet-Based Processing

  • Express Path for Flow Processing (SRX4600)—Starting from Junos OS 19.4R1, Express Path is enabled by default on SRX4600 devices. You must configure Express Path only in policies. There is no need to configure Express Path on Flexible PIC Concentrator (FPC) or on Physical Interface Cards (PIC).

    [See Express Path.]

  • Support of IPFIX formatting for SRX J-Flow functionality (SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, vSRX, and vSRX3.0)—Starting with Junos OS Release 19.4R1, you can use IPFIX flow templates to define a flow record for IPv4 traffic or IPv6 traffic. IPFIX is an enhanced version of the J-Flow version 9 template. Using IPFIX, you can collect a set of sampled flows and send the record to a specified host.

    [See Configuring Flow Aggregation to Use IPFIX Flow Templates on MX, vMX and T Series Routers, EX Series Switches and NFX250.]

  • Symmetric Fat Tunnel (SRX5400, SRX5600, and SRX5800 devices with SPC3 card, and vSRX)—Starting in Junos OS Release 19.4R1, fat tunnel technology is introduced to improve single IPsec tunnel throughput to 10 times the current value.

    To enable this feature, a new CLI command fat-core is introduced at the set security distribution-profile hierarchy level.

General Packet Radio Switching (GPRS)

  • Increase in GTP scale for IoT and roaming firewall applications (SRX5400, SRX5600, SRX5800, and SRX4600)—Starting in Junos OS Release 19.4R1, to enable Internet of Things (IoT) and roaming firewall use cases, the GTP tunnel scale per SPU is increased for the following SRX devices:

    • SRX5000 (SRX5400, SRX5600, SRX5800) SPC3: 1.2M to 12M

    • SRX5000 (SRX5400, SRX5600, SRX5800) SPC2: 600K to 3M

    • SRX4600: 400K to 4M

    [See Understanding Policy-Based GTP.]

Hardware

  • Wi-Fi mini-physical interface module (SRX320, SRX340, SRX345, and SRX550M)—The Wi-Fi mini-physical interface module (mini-PIM) provides an integrated wireless LAN access point solution for branch SRX Series Services Gateways. The Mini-PIM supports the 802.11ac Wave 2 wireless standards and is backward-compatible with 802.11a, 802.11b, 802.11g, and 802.11n.

    The Mini-PIM supports the following key features:

    • 2x2 MU-MIMO

    • Dual radios, which provide concurrent dual bands of 2.4 GHz and 5 GHz

    • Eight virtual access points (VAPs) per radio

    • Configurable transmit power

    • 128 concurrent users

    The Wi-Fi Mini-PIM is available in three models based on the regional wireless standards:

    • SRX-MP-WLAN-US (United States)

    • SRX-MP-WLAN-IL (Israel)

    • SRX-MP-WLAN-WW (other countries)

    [See How to Install the Wi-Fi Mini-PIM for SRX Series Services Gateways.]

  • SRX5K-SPC3 LTC firmware version check and upgrade—Starting in Junos OS Release 19.4R1, you can check the current LTC Firmware version on an SRX5K-SPC3 card and upgrade the firmware version manually.

    The LEDs on the front panel of the services gateway chassis indicate a major alarm when the chassis detects that a newer version of the LTC firmware is available and the firmware on the SRX5K-SPC3 card is outdated. The following CLI commands are available:

    • show chassis alarm—displays the alarm description.

    • show system firmware—displays the current version, the available version, and the status of the LTC firmware.

    • request system firmware upgrade fpc slot 0 tag 0—updates the LTC firmware version.

    [See Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Services Gateways.]

Interfaces and Chassis

  • Wi-Fi Mini-Physical Interface Module (SRX320, SRX340, SRX345, and SRX550M)—In Junos OS Release 19.4R1, we introduce the Wi-Fi Mini-Physical Interface Module (Mini-PIM). For retail and small offices, the Wi-Fi Mini-PIM provides secure wireless LAN connectivity to endpoint devices. The Wi-Fi Mini-PIM supports 802.11ac wave 2 wireless standards.

    [See Wi-Fi Mini-Physical Interface Module Overview.]

Intrusion Detection and Prevention (IDP)

  • IDP utility to read packet capture and generate protocol contexts (SRX300, SRX320, SRX340, SRX345, SRX550, SRX550HM)—Starting in Junos OS Release 19.4R1, a CLI command is introduced on SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550HM devices that displays and clears the contexts and the associated data for packet capture (PCAP) traffic only. This improves the IDP validation process.

    You can run the packet capture utility in either inet mode or transparent mode to generate attack contexts.

  • Signature Language Constructs (SRX Series)—Starting in Junos OS Release 19.4R1, signature language constructs are supported in the IDP engine code so that you can write more efficient signatures that help reduce false positives.

    The following constructs are supported:

    • Depth

    • Offset

    • Within

    • Distance

    • Ipopts

Junos OS XML API and Scripting

  • Python 3 support for commit, event, op, and SNMP scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 19.4R1, you can use Python 3 to execute commit, event, op, and SNMP scripts on devices running Junos OS. To use Python 3, configure the language python3 statement at the [edit system scripts] hierarchy level. When you configure the language python3 statement, the device uses Python 3 to execute scripts that support this Python version and uses Python 2.7 to execute scripts that do not support Python 3 in the given release.

    The Python 2.7 end-of-support date is January 1, 2020, and Python 2.7 will be EOL in 2020. The official upgrade path for Python 2.7 is to Python 3. As support for Python 3 is added to devices running Junos OS for the different types of onbox scripts, we recommend that you migrate supported script types from Python 2 to Python 3, because support for Python 2.7 might be removed from devices running Junos OS in the future.

    [See Understanding Python Automation Scripts for Devices Running Junos OS.]

  • Automation script library upgrades (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 19.4R1, devices running Junos OS that support the Python extensions package include upgraded Python modules. Python scripts can leverage the upgraded versions of the following modules:

    • idna (2.8)

    • jinja2 (2.10.1)

    • jnpr.junos (Junos PyEZ) (2.2.0)

    • lxml (4.3.3)

    • markupsafe (1.1.1)

    • ncclient (0.6.4)

    • packaging (19.0)

    • paho.mqtt (1.4.0)

    • pyasn1 (0.4.5)

    • yaml (PyYAML package) (5.1)

    [See Overview of Python Modules Available on Devices Running Junos OS.]

J-Web

  • Threat Assessment report enhancement (SRX Series)—Starting in Junos OS Release 19.4R1, the Threat Assessment report displays a new Filename column in the Malware downloaded by User table. This column helps you to identify the malware filename.

    [See About Reports Page.]

  • UTM enhancement (SRX Series)—Starting in Junos OS Release 19.4R1, the following UTM pages (Configure > Security Services > UTM) are refreshed for a seamless experience:

    • Antivirus

    • Content Filtering

    • Policy

    [See About the Antivirus Page, About the Content Filtering Page, and About the Policy Page.]

  • Support for Wi-Fi Mini-PIM (SRX320, SRX340, SRX345, and SRX550M devices)—Starting in Junos OS Release 19.4R1, J-Web supports the Wi-Fi Mini-Physical Interface Module (Mini-PIM). The physical interface for the Wi-Fi Mini-PIM uses the name wl-x/0/0, where x identifies the slot on the services gateway where the Mini-PIM is installed.

    You can monitor and configure the wireless LAN settings using the J-Web interface.

    [See Dashboard Overview, Monitor Ports, About the Ports Page, Monitor Wireless LAN, and About the Settings Page.]

Logical Systems and Tenant Systems

  • Flow trace support at logical system and tenant system level (SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 19.4R1, you can trace the packet flow at the logical system level and tenant system level. Traceoptions enables you to monitor traffic flow into and out of an SRX Series device.

    When you trace traffic flow, you can generate and save the trace logs to the respective logical system and tenant system log files.

    Flow trace at the level of logical system and tenant system helps you avoid generating large log files from the root level.

    [See Flow Trace Support for Logical Systems and Flow Trace Support for Tenant Systems.]

  • AppID statistics at tenant system level (SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 19.4R1, you can view or clear the application identification (AppID) statistics, counters, and application system cache at the tenant system level.

    [See Application Security for Tenant Systems.]

Network Management and Monitoring

  • SNMP support for Wi-Fi Mini-Physical Interface Module (Mini-PIM) monitoring (SRX320, SRX340, SRX345, and SRX550M)—Starting in Junos OS Release 19.4R1, you can monitor the Wi-Fi Mini-PIM status from a remote network using SNMP. Use the show snmp mib walk ascii jnxWlanWAPStatusTable and show snmp mib walk jnxWlanWAPClientTable commands to monitor the Wi-Fi Mini-PIM status and client information.

    [See SNMP MIB Explorer and show snmp mib.]

  • SNMP support for IPsec VPN flow monitoring (SRX5000 Series devices with SRX5K-SPC3 card)—Starting in Junos OS Release 19.4R1, we have enhanced the existing IPsec VPN flow monitor MIB jnxIpSecFlowMonMIB to support the global IKE statistics for tunnels using IKEv2. Use the show security ike stats command to display the global statistics of tunnels such as in-progress, established, and expired negotiations using IKEv2.

    [See Enterprise-Specific SNMP MIBs Supported by Junos OS and show security ike stats.]

  • Improved query performance in on-box reporting (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX4600, and vSRX)—Starting in Junos OS Release 19.4R1, we've upgraded the on-box logging database to improve query performance. For example, if you expect fewer traffic logs, you can use the default configuration with a start time and a stop time. If you expect a large number of traffic logs and greater time intervals for which the logs will be generated, we recommend you enable table dense mode.

    [See Understanding On-Box Logging and Reporting.]

  • Enhanced support for the non-default management instance (SRX Series)—Starting in Junos OS Release 19.4R1, you can access information for all routing instances and logical system networks, rather than only for the ingress routing instance, by configuring the SNMPv3 management interface in the required management instance. With this configuration, all SNMPv3 requests arriving from a non-default routing instance are treated as if they came from the default routing instance. You configure the management instance configuration statement at the [edit SNMP v3] hierarchy level.

    [See SNMPv3 Management Routing Instance.]

System Logging

  • Improved intermodule communication between FFP and MGD (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 19.4R1, intermodule communication is improved to enhance software debugging. To enhance error messages with more context, the exit conditions from libraries have been updated as follows:

    • Additional information is now logged for MGD-FFP intermodule communication.

    • Commit errors that previously were only shown onscreen are now logged.

    We provide a new operational command, request debug information, to speed up the initial information-gathering phase of debugging.

    [See request debug information.]

Unified Threat Management (UTM)

  • UTM support for active/active chassis cluster (SRX Series devices)—Starting in Junos OS Release 19.4R1, you can configure all Unified Threat Management (UTM) features when the device is in active/active chassis cluster mode. The UTM features supported on an active/active chassis cluster include Antispam Filtering, Content Filtering, Sophos Antivirus Scanning, URL (Web) Filtering, Enhanced Web Filtering, Local Web Filtering, Websense Redirect Web Filtering, and On-box/Avira AV. Enhanced Web Filtering and Sophos Antivirus Scanning remain active on both the primary node and the secondary node.

    [See Understanding UTM Support for Active/Active Chassis Cluster.]

  • UTM support for SMTPS, IMAPS, POP3S, and FTPS (SRX Series devices)—Starting in Junos OS Release 19.4R1, UTM supports the implicit and explicit SMTPS, IMAPS, and POP3S protocols and explicit passive-mode FTPS. SMTPS, IMAPS, POP3S, and FTPS secure the SMTP, IMAP, POP3, and FTP protocols using Transport Layer Security (TLS). The antivirus and content filtering features support SMTPS, IMAPS, POP3S, and FTPS; the antispam feature supports only SMTPS.

    [See Antispam Filtering Overview and Understanding Content Filtering Protocol Support.]

VPNs

  • Extended Sequence Number (SRX5400, SRX5600, and SRX5800 devices using SPC3)—Starting from Junos OS Release 19.4R1, Extended Sequence Number (ESN) is introduced in IPsec VPN using IKE version 2 (IKEv2).

    IPsec uses a 32-bit sequence number by default. When all sequence numbers are consumed, a rekey must be issued. Enabling ESN extends the 32-bit sequence number to 64 bits.

    You can enable ESN using the set extended-sequence-number command at the [edit security ipsec proposal proposal-name] hierarchy level.

    [See Replay Protection.]

  • VPN support for inserting Services Processing Cards in Chassis Cluster (SRX5400, SRX5600, SRX5800)—Starting in Junos OS Release 19.4R1, on any SRX5000 line chassis cluster, you can insert a new SRX5K-SPC3 (SPC3) card without affecting or disrupting traffic on the existing IKE or IPsec VPN tunnels. When you insert the new SPC3 in each chassis of the cluster, the existing tunnels are not affected and traffic continues to flow without disruption. You must reboot the node after you insert the SPC3 to activate the card. After the node reboot is complete, IPsec tunnels are distributed to the cards. After you reboot one node, the IPsec sessions remain active on the other active node, without disruption to those sessions except during the failover time.

    [See Understanding VPN Support for Inserting Services Processing Cards.]

  • IPsec Encapsulating Security Payload authentication-only mode in PowerMode IPsec (SRX5000 Series devices with SRX5K-SPC3 card, and vSRX)—Starting in Junos OS Release 19.4R1, you can enable the IPsec Encapsulating Security Payload (ESP) authentication-only mode in the PowerMode IPsec (PMI). The ESP authentication-only mode provides authentication, integrity checking, and replay protection in the PMI.

    [See Improving IPsec Performance with PowerMode IPsec.]

What's Changed

Learn about what changed in Junos OS main and maintenance releases for SRX Series.

Application Security

  • Starting in Junos OS Release 19.4R1, you have the flexibility to limit the application identification inspection as follows:

    • Inspection Limit for TCP and UDP Sessions

      You can set the byte limit and the packet limit for application identification (AppID) in a UDP or in a TCP session. AppID concludes the classification based on the configured inspection limit. On exceeding the limit, AppID terminates the application classification.

      If AppID does not conclude the final classification within the configured limits, and a pre-matched application is available, AppID concludes the application as the pre-matched application. Otherwise, the application is concluded as junos:UNKNOWN provided the global AppID cache is enabled. The global AppID cache is enabled by default.

      To configure the byte limit and the packet limit, use the following configuration statements from the [edit] hierarchy:

      Table 1 provides the range and default value for configuring the byte limit and the packet limit for TCP and UDP sessions.

      Table 1: Maximum Byte Limit and Packet Limit for TCP and UDP Sessions

      Session   Limit         Range                 Default Value
      TCP       Byte limit    0 through 4294967295  6000 (10000 in Junos OS Release 15.1X49-D200)
      TCP       Packet limit  0 through 4294967295  Zero
      UDP       Byte limit    0 through 4294967295  Zero
      UDP       Packet limit  0 through 4294967295  10 (20 in Junos OS Release 15.1X49-D200)

      The byte limit excludes the IP header and the TCP/UDP header lengths.

      If you set both the byte-limit and the packet-limit options, AppID inspects the session until both limits are reached.

      You can disable the TCP or UDP inspection limit by configuring the corresponding byte-limit and the packet-limit values to zero.

    • Global Offload Byte Limit (Other Sessions)

      You can set the byte limit for the AppID to conclude the classification and identify the application in a session. On exceeding the limit, AppID terminates the application classification.

      If AppID does not conclude the final classification within the configured limits, or the session is not offloaded due to tunnelling behavior of some applications, and a pre-matched application is available, AppID concludes the application as the pre-matched application. Otherwise, the application is concluded as junos:UNKNOWN provided the global AppID cache is enabled (the global AppID cache is enabled by default).

      To configure the byte limit, use the following configuration statement from the [edit] hierarchy:

      The default value for the global-offload-byte-limit option is 10000 and the range is 0 through 4294967295.

      You can disable the global offload byte limit by configuring the global-offload-byte-limit value to zero.

      The byte limit excludes the IP header and the TCP/UDP header lengths.

    • Starting in Junos OS Release 19.4R1, the maximum packet threshold for DPI performance mode option set services application-identification enable-performance-mode max-packet-threshold value is deprecated—rather than immediately removed—to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration. This option was used for setting the maximum packet threshold for the DPI performance mode.

      If your configuration enables the performance mode option with max-packet-threshold in Junos OS Release 15.1X49-D200 or 19.4R1, AppID concludes the application classification on reaching the lowest of the values configured for the TCP or UDP inspection limit, the global offload byte limit, and the maximum packet threshold for DPI performance mode.

    [See Application Identification Inspection Limit and application-identification.]
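As an added example (not Juniper's code), the following Python models the inspection-limit decision described above: the Table 1 defaults and the global offload byte limit, zero meaning "disabled", both configured limits having to be reached, and the fallback order of final match, pre-matched application, and junos:UNKNOWN. Packet sizes and application names are constructed.

```python
"""Model of the AppID inspection-limit decision described in the release note.

Constructed example, not Juniper code.  It reproduces the documented rules:
a zero limit disables that check, inspection continues until every configured
limit is reached, a final match always wins, and a session that hits its
limits without a final match falls back to the pre-matched application, or to
junos:UNKNOWN when the global AppID cache is enabled (the default).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

UNKNOWN = "junos:UNKNOWN"

# 19.4R1 defaults from Table 1 plus the global offload byte limit; byte limits
# exclude the IP and TCP/UDP headers, and zero means "no limit".
DEFAULT_LIMITS = {
    "tcp":   {"byte_limit": 6000,  "packet_limit": 0},
    "udp":   {"byte_limit": 0,     "packet_limit": 10},
    "other": {"byte_limit": 10000, "packet_limit": 0},   # global-offload-byte-limit
}


@dataclass
class Packet:
    payload_len: int                  # bytes after the IP and TCP/UDP headers
    final_app: Optional[str] = None   # set when this packet yields a final match


def limits_reached(nbytes: int, npackets: int, byte_limit: int, packet_limit: int) -> bool:
    """Inspection stops only when every *configured* limit has been reached;
    a limit of zero is disabled and so can never be reached."""
    checks = []
    if byte_limit:
        checks.append(nbytes >= byte_limit)
    if packet_limit:
        checks.append(npackets >= packet_limit)
    return bool(checks) and all(checks)


def fallback(pre_matched: Optional[str], cache_enabled: bool) -> Optional[str]:
    """Result when the limits are reached without a final classification."""
    if pre_matched is not None:
        return pre_matched
    if cache_enabled:
        return UNKNOWN
    return None   # cache disabled and no pre-match: not specified in the release note


def classify(packets: Iterable[Packet], proto: str, pre_matched: Optional[str] = None,
             cache_enabled: bool = True, byte_limit: Optional[int] = None,
             packet_limit: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Return (concluded application or None, packets inspected) for one session.
    Explicit byte_limit/packet_limit values override the per-protocol defaults."""
    cfg = DEFAULT_LIMITS[proto]
    byte_limit = cfg["byte_limit"] if byte_limit is None else byte_limit
    packet_limit = cfg["packet_limit"] if packet_limit is None else packet_limit
    nbytes = npackets = 0
    for pkt in packets:
        npackets += 1
        nbytes += pkt.payload_len
        if pkt.final_app is not None:            # a final match wins immediately
            return pkt.final_app, npackets
        if limits_reached(nbytes, npackets, byte_limit, packet_limit):
            return fallback(pre_matched, cache_enabled), npackets
    return None, npackets                         # session ended, still undecided


def flow(count: int, size: int, final_at: Optional[int] = None,
         app: str = "junos:HTTP") -> List[Packet]:
    """Constructed session: `count` packets of `size` payload bytes, optionally
    with a final match on packet number `final_at`."""
    return [Packet(size, app if i == final_at else None) for i in range(1, count + 1)]


if __name__ == "__main__":
    # TCP defaults: byte limit 6000 is reached on the 4th 1500-byte packet.
    print(classify(flow(5, 1500), "tcp"))                                   # ('junos:UNKNOWN', 4)
    # Both limits configured: inspection runs until the later of the two.
    print(classify(flow(8, 1500), "tcp", byte_limit=1000, packet_limit=5))  # ('junos:UNKNOWN', 5)
```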

  • Starting in Junos OS Release 19.4R1, the apbr-rule-type field in the system log message displays the value none if no rule is applied when you have disabled midstream routing for the application. The updated system log message sample is as follows:

  • Starting in Junos OS Release 19.4R1, security policies do not support the following applications as dynamic-applications match criteria:

    • junos:HTTPS

    • junos:POP3S

    • junos:IMAPS

    • junos:SMTPS

    Software upgrade to Junos OS Release 19.4R1 fails during validation if any security policy is configured with junos:HTTPS, junos:POP3S, junos:IMAPS, or junos:SMTPS as a dynamic-applications match criterion. We recommend that you remove any configuration that uses these dynamic applications as match criteria in security policies.

    We recommend that you use the request system software validate package-name command before upgrading to the above-mentioned release.

Authentication and Access Control

  • Enabling and disabling SSH login password or challenge-response authentication (SRX Series)—Starting in Junos OS Release 19.4R1, you can disable either the SSH login password or the challenge-response authentication at the [edit system services ssh] hierarchy level.

    In Junos OS releases earlier than Release 19.4R1, you can enable and disable both SSH login password and the challenge-response authentication simultaneously at the [edit system services ssh] hierarchy level.

    [See Configuring SSH Service for Remote Access to the Router or Switch.]

Network Management and Monitoring

  • SSHD process authentication logs timestamp (SRX Series)—Starting in Junos OS Release 19.4R1, the SSHD process authentication logs use only the time zone that is defined in the system time zone. In Junos OS releases earlier than Release 19.4R1, the SSHD process authentication logs sometimes use the system time zone and the UTC time zone.

    [See Overview of Junos OS System Log Messages.]

  • Change in On-box reporting factory-default configuration (SRX1500, SRX4100, SRX4200, SRX4600 and vSRX)—Starting in Junos OS Release 19.4R1, the factory-default configuration does not include the on-box reporting configuration, in order to increase the solid-state drive (SSD) lifetime. You can enable on-box reporting by configuring the set security log report CLI command at the [edit security log] hierarchy level.

    [See Understanding On-Box Logging and Reporting.]

  • Change in jnxJsFlowMIB statistics display (SRX Series)—Starting in Junos OS Release 19.4R1, in a chassis cluster, you can see the statistics on all SPUs of both nodes using the show snmp mib walk jnxJsFlowMIB command. In earlier releases, you could see the statistics only on the local SPUs.

    [See SNMP MIB Explorer.]

Port Security

  • Configuring source MAC filters (SRX300 and SRX550 Services Gateway)—In this release of Junos OS, an issue that prevented source MAC filters from being configured on an interface is fixed. The error affected both the accept-source-mac and source-address-filter statements and resulted in one of the following error messages: accept-source-mac not allowed in switching mode or source mac filters not allowed in switching mode.

VPNs

  • IKE gateway dynamic distinguished name attributes (SRX Series devices)—Starting in Junos OS Release 19.4R1, you can now configure only one dynamic distinguished name (DN) attribute among container-string and wildcard-string at [edit security ike gateway gateway_name dynamic distinguished-name] hierarchy. If you try configuring the second attribute after you configure the first attribute, the first attribute is replaced with the second attribute. Before you upgrade your device, you must remove one of the attributes if you have configured both the attributes.

    [See distinguished-name (Security) and Understanding IKE Identity Configuration.]

  • CoS Forward Class name (SRX Series devices)—Starting in Junos OS Release 19.4R1, we have deprecated the CLI option fc-name (CoS Forward Class name) in the new iked process, which displays security associations (SAs) in the output of the show security ipsec sa command.

    [See show security ipsec security-associations.]

Known Limitations

Learn about known limitations in Junos OS Release 19.4R1 for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Layer Gateways (ALGs)

  • Due to an SSL-FP limitation, the active mode of TLS-based FTP is not supported in Junos OS Release 19.4R1. PR1450924

Ethernet Switching

  • SRX300, SRX320, SRX340, SRX345, and SRX550HM devices do not support CoS features such as classification, scheduling, shaping, policing, PCP, and DSCP rewrite in Ethernet switching mode. PR1476310

Flow-Based and Packet-Based Processing

  • For any WiFi configuration change, the access point restarts to make the configuration active. PR1436587

  • The SSID in different WLANs uses the same IP address as the source IP address of the RADIUS packet. PR1445276

  • TKIP is not supported in acn mode. PR1459160

J-Web

  • The CA profile group imported using J-Web is not populated in the Certificate Authority Group initial landing page grid, but all the CA profiles of a group are populated on the Trusted Certificate Authorities landing page. PR1426682

  • J-Web does not provide an option to enable or disable security objects. Security objects that are deactivated or disabled through the CLI are not displayed in the J-Web UI.

Open Issues

Learn about open issues in Junos OS Release 19.4R1 for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

ALG

  • On SRX5000 line of devices, the H323 call with NAT64 could not be established. PR1462984

Flow-Based and Packet-Based Processing

  • Use a 512-packet anti-replay window size for IPv6 in a fat tunnel. Otherwise the ESP sequence check might report out-of-order packets, because fat-tunnel parallel encryption can reorder packets within a span of 384 packets (12 cores * 32 packets in one batch); with a 512-packet anti-replay window, no packets are reported out of order. PR1470637
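The Extended Sequence Number feature under VPNs in What's New and this fat-tunnel window-size issue both come down to the receiver's ESP sequence-number window. As an added example that is not part of these release notes or of Juniper's code, the Python below models that receiver: it infers the high-order 32 bits of an ESN that are never sent on the wire (following RFC 4303, Appendix A2.2, an assumption about the standard rather than about Junos), runs the sliding-window replay check, and replays a constructed worst-case reordering of the 12 cores x 32 packets mentioned above against different window sizes.

```python
"""Receiver-side ESP sequence handling: 64-bit Extended Sequence Numbers and
the anti-replay sliding window.  Constructed example, not Juniper code."""

MASK32 = (1 << 32) - 1


class EspReceiver:
    def __init__(self, window, esn):
        self.W = window          # anti-replay window size in packets
        self.esn = esn           # True: 64-bit ESN, only low 32 bits on the wire
        self.T = 0               # highest sequence number authenticated so far
        self.bitmap = 0          # bit i set  <=>  packet T - i already received

    def infer_seqh(self, seql):
        """Reconstruct the high-order 32 bits for the received low-order bits
        (RFC 4303 Appendix A2.2, assumed here rather than taken from Junos)."""
        Th, Tl = self.T >> 32, self.T & MASK32
        if Tl >= self.W - 1:                   # window lies in one 2^32 subspace
            return Th if seql >= Tl - self.W + 1 else Th + 1
        # Window straddles a low-order wrap: the top of the previous subspace is in it.
        if seql >= (Tl - self.W + 1) & MASK32 and Th > 0:
            return Th - 1
        return Th

    def receive(self, seql):
        """Return 'accept', 'replay' or 'too_old' for one ESP packet."""
        seq = ((self.infer_seqh(seql) << 32) | seql) if self.esn else seql
        if seq > self.T:                       # new high-water mark: slide the window
            shift = seq - self.T
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.W) - 1)
            self.T = seq
            return "accept"
        diff = self.T - seq
        if diff >= self.W:
            return "too_old"
        if (self.bitmap >> diff) & 1:
            return "replay"
        self.bitmap |= 1 << diff
        return "accept"


def wrap_32bit(esn):
    """Drive a receiver across the 2^32 boundary and return the verdicts.
    With a 32-bit counter the SA is exhausted (later packets fall outside the
    window, so a rekey is required); with ESN the counter simply continues."""
    rx = EspReceiver(window=64, esn=esn)
    wire = (0xFFFFFFFE, 0xFFFFFFFF, 0x00000000, 0x00000001, 0xFFFFFFFF)  # last is a replay
    return [rx.receive(s) for s in wire]


def reversed_batches(n, batch):
    """Constructed worst case: every `batch` packets arrive in reverse order, so a
    packet can be up to batch-1 positions late (384 = 12 cores x 32 packets)."""
    order = []
    for start in range(1, n + 1, batch):
        order.extend(range(min(start + batch - 1, n), start - 1, -1))
    return order


def too_old_drops(order, window):
    """Count packets a receiver with `window` would discard as outside the window.
    A plain 32-bit counter keeps the simulation honest: with ESN, RFC 4303 assumes a
    packet far below the window belongs to the next subspace and relies on the ICV
    to reject it, which this model does not compute."""
    rx = EspReceiver(window=window, esn=False)
    return sum(rx.receive(s) == "too_old" for s in order)


if __name__ == "__main__":
    print(wrap_32bit(esn=False))   # ['accept', 'accept', 'too_old', 'too_old', 'replay']
    print(wrap_32bit(esn=True))    # ['accept', 'accept', 'accept', 'accept', 'replay']
    order = reversed_batches(1152, 384)
    print(too_old_drops(order, 256), too_old_drops(order, 512))   # 384 0
```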

IDP

  • Rogue .gz files in /var/tmp/sec-download/ might cause offline secpack update to fail. PR1466283

J-Web

  • While adding a policy rule, the creation of inline scheduler or UTM or redirect profile objects automatically refreshes the policy grid, and the changes made to the policy rule are lost unless the changes are updated. PR1451274

  • The Interconnect Ports page cannot be used from J-Web because the Type list does not contain any values. PR1478333

Platform and Infrastructure

  • Multiple monitor failures are seen on the rg1 interface after ISSU from Junos OS Release 17.4R1-S3 to Junos OS Release 18.1R1.9. PR1354395

  • On SRX4600 devices, the Packet Forwarding Engine stops due to a segmentation problem. PR1422466

  • If security datapath configuration is applied on tunnel transit traffic, ESP traffic is not captured. PR1442132

  • On the SRX300 line of devices with Mini-PIM installed, tail-drop might happen on all ports when the serial egress port gets congested. PR1468430

  • The request chassis fpc restart command does not work in Layer 2 mode on the Wi-Fi Mini-PIM. PR1479396

Routing Policy and Firewall Filters

  • SSL reverse proxy feature must be used instead of SSL inspection feature. SSL inspection on IDP level is being deprecated in favor of SSL reverse proxy. PR1450900

  • On SRX5400, SRX5600, and SRX5800 devices, in some scenarios, DHCPv4 client might return to INIT state after chassis reboot if DHCPv4 retries are insufficient. PR1458490

  • When high-CPS traffic passes through an SRX Series device that uses the SSL proxy feature with SSL session resumption enabled (the default), the device might run low on memory and sessions might be bypassed by the SSL proxy. PR1472077

VPNs

  • On SRX Series devices, if multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector rekeys at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekey. New negotiation of those traffic selectors might trigger through other mechanisms such as traffic or by peer. PR1287168

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, when SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, the IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds. PR1409855

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, if an existing IKE gateway configuration is changed from AutoVPN to Site-to-Site VPN, the IKE negotiation behavior remains in responder-only mode. PR1413619

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, disrupting traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card and IKEv1 enabled, the IKE daemon might generate a core file when an IKE SA has expired and an IPsec tunnel associated with the expired IKE SA still exists during an RG0 failover. The daemon recovers eventually. PR1463501

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, if an RG0 failover happens while an IPsec or IKE rekey is in progress, the rekeying tunnels might go down, and traffic loss is possible until the tunnel is reestablished by the peer. PR1471499

Resolved Issues

This section lists the issues fixed in hardware and software in Junos OS Release 19.4R1 for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Layer Gateways

  • Unexpected forwarding sessions might appear for tenant SIP ALG traffic in the case of cross-tenants. PR1409748

  • The flowd or srxpfe process might stop in SRX Series devices with chassis cluster when SIP ALG is used. PR1445766

  • Packet loss happens during cold synchronization from the secondary node after rebooting. PR1448252

  • After Layer 3 HA is enabled, ALG H.323 group or resource cannot be synchronized to the peer node correctly. PR1456709

Application Security

  • The AAMW diagnostic script generates incorrect error: Error: Platform does not support SkyATP: srx300. PR1423378

  • If automatic application-identification download is configured with a start-time specified, the automatic download stops when the time has progressed to the next year and a reboot is done before the start-time is reached that year. PR1436265

  • SSL-based AppID simplification effort (removal of HTTPS, POP3S, IMAPS, SMTPS). PR1444767

  • The flowd process core files might be generated when traffic hits the AppQoS policy. PR1446080

  • The AAMW diagnostic script generates incorrect error when there is Internet latency: Error: server unreachable is detected, please make sure port 443 is reachable. PR1468114

Authentication and Access Control

  • Same-source IP sessions are cleared when the IP entry is removed from the UAC table. PR1457570

Chassis Clustering

  • Hardware failure is seen on both nodes in the output of the show chassis cluster status command. PR1452137

  • On SRX Series devices with chassis cluster, the control link remains up even though the control link is actually down. PR1452488

Class of Service

  • Frequent issuance of the show class-of-service spu statistics command causes the rtlogd process to be busy. PR1438747

Flow-Based and Packet-Based Processing

  • Throughput or latency performance of TCP traffic is dropped when TCP traffic passes from one logical system to another logical system. PR1403727

  • Packet loss is caused by FPGA back pressure on the SPC3 card. PR1429899

  • VPN traffic fails after the primary node is rebooted or powered off. PR1433336

  • Currently, PMI doesn't support the mirror-filter functionality. If mirror filters are configured, PMI flaps all of the traffic to the regular flow path. PR1434583

  • Intermittent packet drop might be observed if IPsec is configured. PR1434757

  • On an SRX4600 device, core file might be generated and SPM might be in present state. PR1436421

  • Security logs cannot be sent to the external syslog server through TCP. PR1438834

  • Decryption traffic doesn’t take PMI path after IPsec rekey (initiated by peer) when the loopback interface is configured as an external interface. PR1438847

  • The IKE pass-through packet might be dropped after a NAT operation on the source. PR1440605

  • New CLI option to show only useful group information for an Active Directory user. PR1442567

  • While checking the flow session XML for source NAT under tenant, there is no value identifier for tenant-name. PR1440652

  • The flowd or srxpfe process might stop when processing fragmented packets. PR1443868

  • Junos OS: SRX5000 Series: flowd process crash due to receipt of specific TCP packet (CVE-2019-0064). PR1445480

  • J-Flow version 5 stops working after changing the input rate value. PR1446996

  • Packet loss happens during cold synchronization from secondary node after rebooting. PR1447122

  • On the SRX1500 device, automatic installation is removed from CLI. PR1447796

  • SPC3 talus FPGA stuck on 0x3D or 0x69 golden version. PR1448722

  • Host inbound or host outbound traffic on VR does not work when the SRX5000 line of devices works in SPC3 mixed mode. PR1449059

  • SPU priority does not work when PMI is enabled on the SRX5000 line of devices with an SPC3 card. PR1449587

  • All ingress packets are dropped if the traffic transit network is also the same network for LTE mPIM internal management. PR1450046

  • The flowd or srxpfe process might stop when SSL proxy service is used. PR1450829

  • The AAWM policy rules for IMAP traffic sometimes might not get applied when passed through SRX Series devices. PR1450904

  • FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122

  • Traffic forwarding on Q-in-Q port and VLAN tagging are not observed properly on R0. PR1451474

  • The rpd process might stop and restart with the generation of an rpd core file when committing the configuration. PR1451860

  • The SRX Series devices stop and several core files are generated. PR1455169

  • Added some JP APN settings to default list in LTE mPIM. PR1457838

  • Changing the RESET configuration button behavior on the SRX1500 does not work. PR1458323

  • The security flow traceoptions fills in with RTSP ALG related information. PR1458578

  • Optimizations were made to improve the connections-per-second performance of SPC3. PR1458727

  • The security-intelligence CC feed does not block HTTPS traffic based on SNI. PR1460384

  • The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619

  • Added command to clear specified associated client. PR1461577

  • The tunnel packets might be dropped because the gr0.0 or st0.0 interface is wrongly calculated after a GRE or VPN route change. PR1462825

  • Fragmented traffic might get looped between the fab interface in a rare case. PR1465100

  • Track Jbuf double free issue. PR1465286

  • HTTP block message stops working after SNI check for HTTPS session. PR1465626

  • The jbuf process usage might increase up to 99 percent after Junos OS upgrade. PR1467351

  • The rpd process might stop after several changes to the flow-spec routes. PR1467838

  • FTP data connection might be dropped on dl interface. PR1468570

Interfaces and Chassis

  • SCB4 or SCB3 ZF or XF2 fabric plane retraining is needed after switching the fabric redundancy mode. PR1427119

  • MTU change after a CFM session is up can impact Layer 2 Ethernet ping (loopback messages). If the new change is less than the value in the initial incarnation, then Layer 2 Ethernet ping fails. PR1427589

  • The LACP interface might flap while performing a failover. PR1429712

  • LFM remote loopback is not working as expected. PR1428780

  • The number of mgd processes increases as the mgd processes are not closed properly. PR1439440

  • The fxp0 interface might redirect packets not destined to itself. PR1453154

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process crashes and generates a core file. PR1437569

  • CLI helper text was added to the IDP's attack chain expressions. PR1438620

J-Web

  • The default log query time in J-Web monitoring functionality has been reduced. This increases the responsiveness of the landing pages. PR1423864

  • Phone home UI portal to be removed from SRX Series devices. PR1428717

  • Some error messages might be seen when using J-Web. PR1446081

  • The idle-timeout for J-Web access does not work properly. PR1446990

  • J-Web fails to display the traffic log in event mode when stream mode host is configured. PR1448541

  • Editing destination NAT rule in J-Web introduces a non-configured routing-instance field. PR1461599

  • The Go button within the J-Web Monitor->Events view now correctly refreshes the logs even when using a blank search query. PR1464593

  • J-Web security resources dashboard widget was not being populated correctly. PR1464769

Layer 2 Ethernet Services

  • DHCP requests might get dropped in a DHCP relay scenario. PR1435039

Network Address Translation

  • The nsd process might stop when SNMP queries deterministic NAT pool information. PR1436775

  • Flowd process core files are generated in the device while testing NAT PBA in AA mode. PR1443148

  • RTSP resource session is not found during NAT64 static mapping. PR1443222

  • A port endian issue in SPU messages between SPC3 and SPC2 results in one redundant NAT binding being created in central point when one binding is allocated in SPC2 SPC. PR1450929

  • Packet loss is observed when multiple source NAT pools and rules are configured. PR1457904

Network Management and Monitoring

  • MIB OID dot3StatsDuplexStatus shows wrong status. PR1409979

  • Snmpd process might generate core files after restarting NSD process by using the restart network-security gracefully command. PR1443675

  • Control links are logically down on SRX Series devices with chassis cluster running Junos OS Release 12.3X48. PR1458314

Platform and Infrastructure

  • On SRX4600 platform, when manual RG0 failover is performed, sometimes node0 (the original primary node) stays in secondary-hold status for a long time and cannot change back to secondary status. PR1421242

  • Packet drops, replication failure, or ksyncd stops might be seen on the logical system of a Junos OS device after Routing Engine switchover. PR1427842

  • The PICs might go offline and split brain might be seen when interrupt storm happens on internal Ethernet interface em0 or em1. PR1429181

  • REST API does not work properly. PR1430187

  • Unable to launch J-Web when the device is upgraded through USB image. PR1430941

  • Packet Forwarding Engine crashes might be seen on SRX1500 platform. PR1431380

  • The ksyncd process might stop and restart. PR1440576

  • The configured RPM probe server hardware timestamp does not respond with the correct timestamp to the RPM client. PR1441743

  • ARP resolution might fail after ARP HOLD NHs are added and deleted continuously. PR1442815

  • The SRX300 line of devices does not have a MIB that can retrieve the fan status. PR1443649

  • IS-IS adjacencies between the GE link are not up. PR1446533

  • The flowd process might stop on SRX Series devices when chassis cluster and IRB interface are configured. PR1446833

  • The show security flow session command fails with error messages when SRX4100 or SRX4200 has around 1 million routing entries in FIB. PR1445791

  • LACP cannot work with the encapsulation flexible-ethernet-services configuration. PR1448161

  • On certain MPC line cards, cm errors need to be reclassified. PR1449427

  • The REST service might become nonresponsive when the REST API receives several continuous HTTP requests. PR1449987

  • VM core files might be generated if the configured sampling rate is more than 65,535. PR1461487

  • Loading CA certificate causes pkid core file to be generated. PR1465966

Routing Policy and Firewall Filters

  • The NSD process might stop due to a memory corruption issue. PR1419983

  • Two ipfd processes appear in ps command and the process pauses. PR1444472

  • During commit, the nsd_vrf_group_config_lsys log messages are displayed. PR1446303

  • Traffic log shows wrong custom-application name when the alg ignore option is used in application configuration. PR1457029

  • The NSD process might get stuck and cause problems. PR1458639

  • The policy detail does not print out policy statistics counter, even when policy count is enabled. PR1471621

Services Applications

  • The flowd process stops when the SRX5000 line of devices works in SPC3 mixed mode with one SPC3 card or seven SPC2 cards. PR1448395

  • The srxpfe lcore-slave core files are generated. PR1460035

Unified Threat Management

  • The show security utm web-filtering status command now provides additional context when the status of EWF is down. PR1426748

  • Memory issue due to SSL proxy whitelist or whitelist URL category. PR1430277

  • Adjust core allocation ratio for on-box antivirus. PR1431780

VLAN Infrastructure

  • ISSU failed from Junos OS Release 18.4R2.7 to Junos OS Release 19.4, with secondary node PICs in present state after upgrading to Junos OS Release 19.4. PR1468609

VPNs

  • IPsec SA inconsistent on SPCs of node0 and node1 in SRX Series devices with chassis cluster. PR1351646

  • After RG1 failover, IKE phase 1 SA is getting cleared. PR1352457

  • With a large number of IPsec tunnels established, a few tunnels might fail during rekey negotiation if the SRX Series device initiates the rekey. PR1389607

  • Displaying incorrect port number when scale is 1,000 on IKEv1 AutoVPN tunnels. PR1399147

  • The IKE and IPsec configuration under groups is not supported in this release. PR1405840

  • The IKED process stops due to a misconfiguration. PR1416081

  • The VPN tunnel might flap when IKE and IPsec rekey happen simultaneously. PR1421905

  • Old tunnel entries are also seen when new tunnel negotiation happens from peer device after change in IKE gateway configuration at peer side. PR1423821

  • IPsec packet throughput might be impacted if NAT-T is configured and the fragmentation operation of post fragment happens. PR1424937

  • Tunnel does not come up after changing configurations from IPv4 to IPv6 tunnels in the script with gateway lookup failed error. PR1431265

  • P1 configuration delete message is not sent on loading baseline configuration if there has been a prior change in VPN configuration. PR1432434

  • IPsec rekey is triggered when the sequence number in AH and ESP packets is about to be exhausted. PR1433343

  • P1 or P2 SAs are deleted after RG0 failover. PR1433355

  • IPsec SA in and out key sequence number update missing after cold synchronization. PR1433424

  • Sequence number reset to zero while recovering SA after SPC3 or flowd stops or reboots. PR1433568

  • The kmd log shows resource temporarily unavailable repeatedly and VPNs might be down. PR1434137

  • The IKED process stops on SRX5000 line of devices with SPC3 when IPsec VPN or IKE is configured. PR1443560

  • The IPsec VPN traffic drop might be seen on SRX Series devices with NAT-T scenario. PR1444730

  • Sometimes old SAs are not deleted after rekey, and the number of IPsec tunnels shown is higher than the number of configured tunnels. PR1449296

  • Some IPsec tunnels flap after RG failover on the SRX5000 line of devices. PR1450217

  • The VPN flaps on the primary node after a reboot of the secondary node. PR1455389

  • IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951

  • IPsec VPN tunnels are losing routes for traffic selector randomly while tunnel is still up, causing traffic loss of these IPsec VPN tunnels. PR1456301

  • On all SRX Series devices, the no-anti-replay option does not take effect immediately. Traffic is not sent out through IPsec VPN after upgrading to Junos OS Release 18.2 or later. PR1461793

  • The IPsec VPN tunnels cannot be established if overlapped subnets are configured in traffic selectors. PR1463880

Documentation Updates

This section lists the errata and changes in Junos OS Release 19.4R1 for the SRX Series documentation.

Feature Guides Are Renamed As User Guides

  • Starting with Junos OS 19.4R1, we renamed our Feature Guides to User Guides to better reflect the purpose of the guides. For example, the BGP Feature Guide is now the BGP User Guide. We didn’t change the URLs of the guides, so any existing bookmarks you have will continue to work. To keep the terminology consistent on our documentation product pages, we renamed the Feature Guides section to User Guides. To find documentation for your specific product, see the Junos OS Documentation.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one Junos OS Release to the next release or one release after the next release. For example, you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, from Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3, and so on.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
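The upgrade policy above is a path-planning rule: a direct hop is allowed only within a limited span, and longer distances must be broken into hops through EEOL releases. The following Python planner is an added example, not a Juniper tool, and encodes the policy as stated here under two labelled assumptions: releases are modelled as an ordered list and "three releases" is taken to mean an index distance of at most 3 in that list, and the EEOL set is only the example set the notes name (15.1X49, 17.3, 17.4, 18.1, 18.2). The planner does a breadth-first search over allowed direct hops, so it finds a path with the fewest installs and reports when no supported path exists.

```python
"""Upgrade/downgrade path planner for the EEOL policy in these release notes.

Constructed example (not Juniper tooling). Assumptions:
- RELEASES is a constructed, ordered list; the "more than three releases"
  rule is modelled as an index distance greater than 3 in this list.
- EEOL contains only the example EEOL releases named in the notes.
"""
from collections import deque

# Constructed release ordering (assumption: this is what the span rule counts over).
RELEASES = ["15.1X49", "17.3", "17.4", "18.1", "18.2", "18.3", "18.4",
            "19.1", "19.2", "19.3", "19.4"]
# EEOL releases as listed in the notes; later EEOL releases are not modelled.
EEOL = {"15.1X49", "17.3", "17.4", "18.1", "18.2"}
EEOL_ORDER = [r for r in RELEASES if r in EEOL]

MAX_SPAN = 3        # non-EEOL rule: no direct hop spanning more than three releases
MAX_EEOL_SPAN = 2   # EEOL rule: up to two EEOL releases before or after


def direct_hop_allowed(src: str, dst: str) -> bool:
    """True if the policy permits installing dst directly on top of src."""
    i, j = RELEASES.index(src), RELEASES.index(dst)
    if abs(i - j) <= MAX_SPAN:
        return True
    # EEOL-to-EEOL hops may span further, counted in EEOL releases.
    if src in EEOL and dst in EEOL:
        return abs(EEOL_ORDER.index(src) - EEOL_ORDER.index(dst)) <= MAX_EEOL_SPAN
    return False


def plan_path(src: str, dst: str) -> list:
    """Return the shortest supported sequence of releases from src to dst.

    Breadth-first search over the directed graph whose edges are the
    allowed direct hops; raises ValueError if no supported path exists.
    """
    if src not in RELEASES or dst not in RELEASES:
        raise ValueError("unknown release")
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in RELEASES:
            if nxt not in prev and direct_hop_allowed(cur, nxt):
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no supported path from {src} to {dst}")
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


if __name__ == "__main__":
    # Worked case: a long jump from the oldest EEOL release to 19.4 needs
    # several intermediate installs.
    print(" -> ".join(plan_path("15.1X49", "19.4")))
```

Every path the planner returns consists only of hops that `direct_hop_allowed` accepts, so the result can be checked hop by hop before an upgrade window is scheduled; extend `RELEASES` and `EEOL` from the EEOL list linked below before relying on it for a real device.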

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.