Junos OS Release Notes for SRX Series

 

These release notes accompany Junos OS Release 19.4R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.

Release 19.4R3 New and Changed Features

There are no new features in Junos OS Release 19.4R3 for the SRX Series devices.

Release 19.4R2 New and Changed Features

There are no new features in Junos OS Release 19.4R2 for the SRX Series devices.

Release 19.4R1 New and Changed Features

Application Security

  • Selectively disable midstream APBR (SRX Series and vSRX)—Starting in Junos OS Release 19.4R1, you can selectively turn off midstream routing for a specific APBR rule while retaining the global APBR functionality for the remaining sessions.

    When you disable midstream routing for a specific APBR rule, the system does not apply midstream APBR to the corresponding application traffic and routes the traffic through a non-APBR route.

    [See Advanced Policy-Based Routing.]

  • DSCP support for AppQoE (SRX Series and vSRX)—Starting in Junos OS Release 19.4R1, AppQoE supports SLA-based path selection for incoming traffic based on the Differentiated Services Code Point (DSCP) value.

    AppQoE depends on AppID and APBR to select the best possible link for the application traffic to meet the performance requirements specified in the SLA. Junos OS Release 19.3R1 introduced APBR functionality for DSCP-tagged traffic. Using this enhancement, AppQoE selects the best possible link for the application traffic based on the application signature, the DSCP value, or a combination of both.

    With this enhancement, you can now apply AppQoE to encrypted traffic based on the DSCP value.

    [See Application Quality of Experience.]

  • Support for server certificates with key size 4096 bits (SRX300 and SRX320)—Starting in Junos OS Release 19.4R1, SRX300 and SRX320 devices support RSA certificates with key size 4096 bits. You must explicitly configure the SSL proxy profile on these devices to use the server certificate with key size 4096 bits.

    Support for RSA certificates with a 4096-bit key size is available only when the SRX300 and SRX320 devices are operating in standalone mode.

    [See Managing Certificates and Keys for SSL Proxy.]

Chassis Clustering

Flow-Based and Packet-Based Processing

  • Express Path for Flow Processing (SRX4600)—Starting from Junos OS 19.4R1, Express Path is enabled by default on SRX4600 devices. You must configure Express Path only in policies. There is no need to configure Express Path on Flexible PIC Concentrator (FPC) or on Physical Interface Cards (PIC).

    [See Express Path.]

  • Support of IPFIX formatting for SRX J-Flow functionality (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, vSRX, and vSRX3.0)—Starting with Junos OS Release 19.4R1, you can use IPFIX flow templates to define a flow record for IPv4 traffic or IPv6 traffic. IPFIX is an enhanced version of the J-Flow version 9 template. Using IPFIX, you can collect a set of sampled flows and send the records to a specified host.

    [See Configuring Flow Aggregation to Use IPFIX Flow Templates on MX, vMX and T Series Routers, EX Series Switches.]

  • Symmetric Fat Tunnel (SRX5400, SRX5600, and SRX5800 devices with SPC3 card, and vSRX)—Starting from Junos OS 19.4R1, fat tunnel technology is introduced to improve the throughput of a single IPsec tunnel to 10 times the current value.

    To enable this feature, a new CLI command, fat-core, is introduced at the [edit security distribution-profile] hierarchy level.

    [See Understanding Symmetric Fat IPsec Tunnel.]

General Packet Radio Switching (GPRS)

  • Increase in GTP scale for IoT and roaming firewall applications (SRX5400, SRX5600, SRX5800, and SRX4600)—Starting in Junos OS Release 19.4R1, to enable Internet of Things (IoT) and roaming firewall use cases, the GTP tunnel scale per SPU is increased for the following SRX devices:

    • SRX5000 (SRX5400, SRX5600, SRX5800) SPC3: 1.2M to 12M

    • SRX5000 (SRX5400, SRX5600, SRX5800) SPC2: 600K to 3M

    • SRX4600: 400K to 4M

    [See Understanding Policy-Based GTP.]

Hardware

  • Wi-Fi mini-physical interface module (SRX320, SRX340, SRX345, and SRX550M)—The Wi-Fi mini-physical interface module (mini-PIM) provides an integrated wireless LAN access point solution for branch SRX Series Services Gateways. The Mini-PIM supports the 802.11ac Wave 2 wireless standards and is backward-compatible with 802.11a, 802.11b, 802.11g, and 802.11n.

    The Mini-PIM supports the following key features:

    • 2x2 MU-MIMO

    • Dual radios, which provide concurrent dual bands of 2.4 GHz and 5 GHz

    • Eight virtual access points (VAPs) per radio

    • Configurable transmit power

    • 128 concurrent users

    The Wi-Fi Mini-PIM is available in three models based on the regional wireless standards:

    • SRX-MP-WLAN-US (United States)

    • SRX-MP-WLAN-IL (Israel)

    • SRX-MP-WLAN-WW (other countries)

    [See Wi-Fi Mini-Physical Interface Module.]

  • SRX5K-SPC3 LTC firmware version check and upgrade—Starting in Junos OS Release 19.4R1, you can check the current LTC Firmware version on an SRX5K-SPC3 card and upgrade the firmware version manually.

    The LEDs on the front panel of the services gateway chassis indicate a major alarm when the chassis detects that a newer version of the LTC firmware is available and the firmware on the SRX5K-SPC3 card is outdated. The following CLI commands are available:

    • show chassis alarm—displays the alarm description

    • show system firmware—displays the current version, the available version, and the status of the LTC firmware

    • request system firmware upgrade pic fpc-slot 0 pic-slot 0 tag 0—updates the LTC firmware version.

    [See Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Services Gateways.]

Interfaces and Chassis

  • Wi-Fi Mini-Physical Interface Module (SRX320, SRX340, SRX345, and SRX550M)—In Junos OS Release 19.4R1, we introduce the Wi-Fi Mini-Physical Interface Module (Mini-PIM). For retail and small offices, the Wi-Fi Mini-PIM provides secure wireless LAN connectivity to endpoint devices. The Wi-Fi Mini-PIM supports 802.11ac wave 2 wireless standards.

    [See Wi-Fi Mini-Physical Interface Module Overview.]

  • LTE Support in HA deployments (SRX300, SRX320, SRX340, SRX345, and SRX550HM)—Starting in Junos OS Release 19.4R1, you can provide a backup WAN connection by configuring LTE modules on a pair of SRX devices operating in cluster mode.

    [See Configure LTE Mini-PIM in HA cluster mode.]

Intrusion Detection and Prevention (IDP)

  • IDP utility to read packet capture and generate protocol contexts (SRX300, SRX320, SRX340, SRX345, SRX550, SRX550HM)—Starting in Junos OS Release 19.4R1, to improve the IDP validation process, a CLI command is introduced on these devices to display and clear the protocol contexts and the associated data generated only from packet capture (PCAP) traffic.

    You can run the packet capture utility in either inet mode or transparent mode to generate attack contexts.

    [See IDP Utility for PCAP.]

  • Signature Language Constructs (SRX Series)—Starting from Junos OS 19.4R1, signature language constructs are supported in the IDP engine code so that you can write more efficient signatures that help reduce false positives.

    The following constructs are supported:

    • Depth

    • Offset

    • Within

    • Distance

    • Ipopts

    [See IDP Signature Language Enhancements.]

Junos OS XML API and Scripting

  • Python 3 support for commit, event, op, and SNMP scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 19.4R1, you can use Python 3 to execute commit, event, op, and SNMP scripts on devices running Junos OS. To use Python 3, configure the language python3 statement at the [edit system scripts] hierarchy level. When you configure the language python3 statement, the device uses Python 3 to execute scripts that support this Python version and uses Python 2.7 to execute scripts that do not support Python 3 in the given release.

    The Python 2.7 end-of-support date is January 1, 2020, and Python 2.7 will be EOL in 2020. The official upgrade path for Python 2.7 is to Python 3. As support for Python 3 is added to devices running Junos OS for the different types of onbox scripts, we recommend that you migrate supported script types from Python 2 to Python 3, because support for Python 2.7 might be removed from devices running Junos OS in the future.

    [See Understanding Python Automation Scripts for Devices Running Junos OS.]

  • Automation script library upgrades (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 19.4R1, devices running Junos OS that support the Python extensions package include upgraded Python modules. Python scripts can leverage the upgraded versions of the following modules:

    • idna (2.8)

    • jinja2 (2.10.1)

    • jnpr.junos (Junos PyEZ) (2.2.0)

    • lxml (4.3.3)

    • markupsafe (1.1.1)

    • ncclient (0.6.4)

    • packaging (19.0)

    • paho.mqtt (1.4.0)

    • pyasn1 (0.4.5)

    • yaml (PyYAML package) (5.1)

    [See Overview of Python Modules Available on Devices Running Junos OS.]

J-Web

  • Threat Assessment report enhancement (SRX Series)—Starting in Junos OS Release 19.4R1, the Threat Assessment report displays a new Filename column in the Malware downloaded by User table. This column helps you to identify the malware filename.

    [See About Reports Page.]

  • UTM enhancement (SRX Series)—Starting in Junos OS Release 19.4R1, the following UTM pages (Configure > Security Services > UTM) are refreshed for a seamless experience:

    • Antivirus

    • Content Filtering

    • Policy

    [See About the Antivirus Page, About the Content Filtering Page, and About the Policy Page.]

  • Support for Wi-Fi Mini-PIM (SRX320, SRX340, SRX345, and SRX550M devices)—Starting in Junos OS Release 19.4R1, J-Web supports the Wi-Fi Mini-Physical Interface Module (Mini-PIM). The physical interface for the Wi-Fi Mini-PIM uses the name wl-x/0/0, where x identifies the slot on the services gateway where the Mini-PIM is installed.

    You can monitor and configure the wireless LAN settings using the J-Web interface.

    [See Dashboard Overview, Monitor Ports, About the Ports Page, Monitor Wireless LAN, and About the Settings Page.]

Logical Systems and Tenant Systems

  • Flow trace support at logical system and tenant system level (SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 19.4R1, you can trace the packet flow at the logical system level and the tenant system level. Trace options enable you to monitor traffic flowing into and out of an SRX Series device.

    When you trace traffic flow, you can generate and save the trace logs to the respective logical system and tenant system log files.

    Flow trace at the level of logical system and tenant system helps you avoid generating large log files from the root level.

    [See Flow Trace Support for Logical Systems and Flow Trace Support for Tenant Systems.]

  • AppID statistics at tenant system level (SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 19.4R1, you can view or clear the application identification (AppID) statistics, counters, and application system cache at the tenant system level.

    [See Application Security for Tenant Systems.]

Network Management and Monitoring

  • SNMP support for Wi-Fi Mini-Physical Interface Module (Mini-PIM) monitoring (SRX320, SRX340, SRX345, and SRX550M)—Starting in Junos OS Release 19.4R1, you can monitor the Wi-Fi Mini-PIM status from a remote network using SNMP. Use the show snmp mib walk ascii jnxWlanWAPStatusTable and show snmp mib walk jnxWlanWAPClientTable commands to monitor the Wi-Fi Mini-PIM status and client information.

    [See SNMP MIB Explorer and show snmp mib.]

  • SNMP support for IPsec VPN flow monitoring (SRX5000 Series devices with SRX5K-SPC3 card)—Starting in Junos OS Release 19.4R1, we have enhanced the existing IPsec VPN flow monitor MIB jnxIpSecFlowMonMIB to support the global IKE statistics for tunnels using IKEv2. Use the show security ike stats command to display the global statistics of tunnels such as in-progress, established, and expired negotiations using IKEv2.

    [See Enterprise-Specific SNMP MIBs Supported by Junos OS and show security ike stats.]

  • Improved query performance in on-box reporting (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX4600, and vSRX)—Starting in Junos OS Release 19.4R1, we've upgraded the on-box logging database to improve query performance. For example, if you expect a small number of traffic logs, you can use the default configuration with a start time and a stop time. If you expect a large number of traffic logs over longer time intervals, we recommend that you enable table dense mode.

    [See Understanding On-Box Logging and Reporting.]

  • Enhanced support for the non-default management instance (SRX Series)—Starting in Junos OS 19.4R1, you can access information for all routing instances and logical system networks, rather than only the ingress routing instance, by configuring the SNMPv3 management interface in the required management instance. With this configuration, all SNMPv3 requests arriving from a non-default routing instance are treated as if they came from the default routing instance. You configure the management instance configuration statement at the [edit SNMP v3] hierarchy level.

    [See SNMPv3 Management Routing Instance.]

System Logging

  • Improved intermodule communication between FFP and MGD (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 19.4R1, intermodule communication is improved to enhance software debugging. To enhance error messages with more context, the exit conditions from libraries have been updated as follows:

    • Additional information is now logged for MGD-FFP intermodule communication.

    • Commit errors that previously were only shown onscreen are now logged.

    We provide a new operational command, request debug information, to speed up the initial information-gathering phase of debugging.

    [See request debug information.]

Unified Threat Management (UTM)

  • UTM support for active/active chassis cluster (SRX Series devices)—Starting in Junos OS Release 19.4R1, you can configure all Unified Threat Management (UTM) features when the device is in active/active chassis cluster mode. The UTM features supported on an active/active chassis cluster include Antispam Filtering, Content Filtering, Sophos Antivirus Scanning, Enhanced Web Filtering, Local Web Filtering, Websense Redirect Web Filtering, and On-box/Avira AV. Enhanced Web Filtering and Sophos Antivirus Scanning remain active on both the primary node and the secondary node.

    [See Understanding UTM Support for Active/Active Chassis Cluster.]

  • UTM support for SMTPS, IMAPS, POP3S, and FTPS (SRX Series devices)—Starting in Junos OS Release 19.4R1, UTM supports the implicit and explicit SMTPS, IMAPS, and POP3S protocols and explicit passive-mode FTPS. SMTPS, IMAPS, POP3S, and FTPS are methods for securing the SMTP, IMAP, POP3, and FTP protocols using Transport Layer Security (TLS). The antivirus and content filtering features support the SMTPS, IMAPS, POP3S, and FTPS protocols. The antispam feature supports only the SMTPS protocol.

    [See Antispam Filtering Overview and Understanding Content Filtering Protocol Support.]

VPNs

  • Extended Sequence Number (SRX5400, SRX5600, and SRX5800 devices using SPC3)—Starting from Junos OS Release 19.4R1, Extended Sequence Number (ESN) is introduced in IPsec VPN using IKE version 2 (IKEv2).

    IPsec uses a 32-bit sequence number by default. When all sequence numbers are consumed, a rekey must be issued. Enabling ESN extends the 32-bit sequence number to 64 bits.

    You can enable ESN using the set extended-sequence-number command at the [edit security ipsec proposal proposal-name] hierarchy level.

    [See Understanding Extended Sequence Number (ESN).]

  • VPN support for inserting Services Processing Cards in Chassis Cluster (SRX5400, SRX5600, SRX5800)—Starting in Junos OS Release 19.4R1, in a chassis cluster of SRX5000 line devices, you can insert a new SRX5K-SPC3 (SPC3) card without affecting or disrupting the traffic on the existing IKE or IPsec VPN tunnels. When you insert the new SPC3 in each chassis of the cluster, the existing tunnels are not affected and traffic continues to flow without disruption. You must reboot the node after you insert the SPC3 to activate the card. After the node reboot is complete, IPsec tunnels are distributed to the cards. After you reboot the secondary node where the new SPC3 card is inserted, the IPsec sessions remain active on the other active node, without disruption to those sessions except during the failover time.

    [See Understanding VPN Support for Inserting Services Processing Cards.]

  • IPsec Encapsulating Security Payload authentication-only mode in PowerMode IPsec (SRX5000 Series devices with SRX5K-SPC3 card, and vSRX)—Starting in Junos OS Release 19.4R1, you can enable the IPsec Encapsulating Security Payload (ESP) authentication-only mode in the PowerMode IPsec (PMI). The ESP authentication-only mode provides authentication, integrity checking, and replay protection in the PMI.

    [See Improving IPsec Performance with PowerMode IPsec.]
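To show what the Extended Sequence Number item above means in practice, here is an added Python model (not Juniper code; it goes beyond the notes into the RFC 4303 ESN scheme, in which only the low 32 bits of the 64-bit number are transmitted and the receiver infers the high bits) of an outbound counter that must rekey when exhausted and an inbound anti-replay window. The 512-packet window size and every sequence number used are constructed values.

```python
"""Sender counter and receiver anti-replay window for IPsec Extended Sequence
Numbers (ESN).  Constructed illustration, not Juniper code.

With ESN only the low 32 bits of the 64-bit sequence number travel in the ESP
header (RFC 4303, Appendix A).  The receiver reconstructs the high 32 bits from
the highest sequence number it has accepted so far and then runs the ordinary
sliding-window replay check on the full 64-bit value.
"""

MASK32 = 0xFFFFFFFF


class EsnSender:
    """Outbound sequence counter: exhaustion means the SA must be rekeyed."""

    def __init__(self, esn: bool):
        self.limit = (1 << 64) - 1 if esn else (1 << 32) - 1
        self.seq = 0

    def remaining(self) -> int:
        return self.limit - self.seq

    def next_header_value(self) -> int:
        """Advance the counter and return what is written into the ESP header."""
        if self.seq >= self.limit:
            raise RuntimeError("sequence numbers exhausted: rekey the SA")
        self.seq += 1
        return self.seq & MASK32          # only the low 32 bits are transmitted


class EsnReplayWindow:
    """Anti-replay state for one inbound SA that uses ESN."""

    def __init__(self, window_size: int = 512):
        self.w = window_size
        self.th = 0       # Th: high 32 bits of the highest accepted sequence number
        self.tl = 0       # Tl: low 32 bits of the highest accepted sequence number
        self.bitmap = 1   # bit i set => sequence number (top - i) already seen;
                          # bit 0 pre-set because sequence number 0 is never sent

    @property
    def top(self) -> int:
        return (self.th << 32) | self.tl

    def reconstruct(self, seql: int) -> int:
        """RFC 4303 A2.2: infer Seqh for an incoming low-order value Seql."""
        bl = (self.tl - self.w + 1) & MASK32   # bottom of the window, modulo 2^32
        if self.tl >= self.w - 1:
            # Case A: the window lies inside one 2^32 subspace.  A Seql at or
            # above the bottom is in the current subspace; anything below it
            # has wrapped into the next subspace.
            seqh = self.th if seql >= bl else self.th + 1
        else:
            # Case B: the window straddles a subspace boundary.  Large Seql
            # values belong to the previous subspace, small ones to the current.
            seqh = self.th - 1 if seql >= bl else self.th
        if seqh < 0:
            return -1                          # nothing before the first subspace
        return (seqh << 32) | seql

    def receive(self, seql: int) -> str:
        """Return 'accepted', 'replay' or 'out-of-window' for one packet.

        A packet older than the window is reconstructed as a far-future one;
        the ICV check (not modelled here) is what rejects it.
        """
        seq = self.reconstruct(seql)
        if seq < 0:
            return "out-of-window"
        if seq > self.top:                     # right of the window: slide it forward
            shift = seq - self.top
            if shift >= self.w:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1)
            self.th, self.tl = seq >> 32, seq & MASK32
            return "accepted"
        offset = self.top - seq
        if offset >= self.w:                   # defensive; reconstruct() keeps offset < w
            return "out-of-window"
        if (self.bitmap >> offset) & 1:
            return "replay"
        self.bitmap |= 1 << offset
        return "accepted"
```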

What's Changed

Learn about what changed in Junos OS main and maintenance releases for SRX Series.

What's Changed in 19.4R3

Juniper ATP Cloud

  • Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 19.4R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Advanced Threat Prevention Cloud (ATP Cloud).

Routing Protocols

  • Advertising /32 secondary loopback addresses to Traffic Engineering Database (TED) as prefixes (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—In Junos OS Release, multiple loopback addresses are exported into the lsdist.0 and lsdist.1 routing tables as prefixes. This eliminates the issue of advertising secondary loopback addresses as router IDs instead of prefixes. In earlier Junos OS releases, multiple secondary loopback addresses in TED were added into the lsdist.0 and lsdist.1 routing tables as part of the node characteristics and advertised as the router ID.

What’s Changed in Release 19.4R2

Authentication and Access Control

  • Enhanced user firewall support—In Junos OS Release 19.4R2, for SRX300 line devices with eUSB (SRX300, SRX320, SRX340, and SRX345), the SRX Series user firewall (UserFW) module tries to synchronize user entries from the domain controller or Juniper Identity Management Service (JIMS) after booting up. If the historical login events have expired on the domain controller, the SRX Series UserFW module cannot retrieve those user entries after it boots up.

    [See User Authentication Entries in the ClearPass Authentication Table.]

VPNs

  • Modified output of the show security pki local-certificate command (SRX Series)—In Junos OS Release 19.4R2, the output of the show security pki local-certificate command is modified to include the logical systems name along with the existing output.

    [See show security pki local-certificate (View).]

  • Change in encryption algorithm display (SRX Series)—Starting in Junos OS Release 19.4R2, when you configure aes-128-gcm or aes-256-gcm as an encryption algorithm at the [edit security ipsec proposal proposal-name] hierarchy level, the authentication algorithm field of the show security ike security-associations detail and show security ipsec security-associations detail commands displays the same configured encryption algorithm.

    Before Junos OS Release 19.4R2, the commands displayed the authentication algorithm field as UNKNOWN AUTH ALG.

    [See show security ike security-associations and show security ipsec security-associations.]

What’s Changed in Release 19.4R1

Application Security

  • Starting in Junos OS Release 19.4R1, you have the flexibility to limit the application identification inspection as follows:

    • Inspection Limit for TCP and UDP Sessions

      You can set the byte limit and the packet limit for application identification (AppID) in a UDP or in a TCP session. AppID concludes the classification based on the configured inspection limit. On exceeding the limit, AppID terminates the application classification.

      If AppID does not conclude the final classification within the configured limits, and a pre-matched application is available, AppID concludes the application as the pre-matched application. Otherwise, the application is concluded as junos:UNKNOWN provided the global AppID cache is enabled. The global AppID cache is enabled by default.

      To configure the byte limit and the packet limit, use the following configuration statements from the [edit] hierarchy:

      Table 3 provides the range and default value for configuring the byte limit and the packet limit for TCP and UDP sessions.

      Table 3: Maximum Byte Limit and Packet Byte Limit for TCP and UDP Sessions

      Session | Limit        | Range                | Default Value
      TCP     | Byte limit   | 0 through 4294967295 | 6000 (10000 in Junos OS Release 15.1X49-D200)
      TCP     | Packet limit | 0 through 4294967295 | Zero
      UDP     | Byte limit   | 0 through 4294967295 | Zero
      UDP     | Packet limit | 0 through 4294967295 | 10 (20 in Junos OS Release 15.1X49-D200)

      The byte limit excludes the IP header and the TCP/UDP header lengths.

      If you set both the byte-limit and the packet-limit options, AppID inspects the session until both limits are reached.

      You can disable the TCP or UDP inspection limit by configuring the corresponding byte-limit and packet-limit values to zero.

    • Global Offload Byte Limit (Other Sessions)

      You can set the byte limit for the AppID to conclude the classification and identify the application in a session. On exceeding the limit, AppID terminates the application classification.

      If AppID does not conclude the final classification within the configured limits, or the session is not offloaded due to tunneling behavior of some applications, and a pre-matched application is available, AppID concludes the application as the pre-matched application. Otherwise, the application is concluded as junos:UNKNOWN provided the global AppID cache is enabled (the global AppID cache is enabled by default).

      To configure the byte limit, use the following configuration statement from the [edit] hierarchy:

      The default value for the global-offload-byte-limit option is 10000 and the range is 0 through 4294967295.

      You can disable the global offload byte limit by configuring the global-offload-byte-limit value to zero.

      The byte limit excludes the IP header and the TCP/UDP header lengths.

    • Starting in Junos OS Release 19.4R1, the maximum packet threshold for DPI performance mode option set services application-identification enable-performance-mode max-packet-threshold value is deprecated—rather than immediately removed—to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration. This option was used for setting the maximum packet threshold for the DPI performance mode.

      If your configuration includes the performance mode option with max-packet-threshold enabled in Junos OS Releases 15.1X49-D200 and 19.4R1, AppID concludes the application classification on reaching the lowest of the values configured for the TCP or UDP inspection limit, the global offload byte limit, or the maximum packet threshold for the DPI performance mode option.

    [See Application Identification Inspection Limit and application-identification.]

  • Starting in Junos OS Release 19.4R1, the apbr-rule-type field in the system log message displays the value none if no rule is applied because you have disabled midstream routing for the application. The updated syslog message sample is as follows:

  • Starting in Junos OS Release 19.4R1, security policies do not support the following applications as dynamic-applications match criteria:

    • junos:HTTPS

    • junos:POP3S

    • junos:IMAPS

    • junos:SMTPS

    A software upgrade to Junos OS Release 19.4R1 fails during validation if any security policy is configured with junos:HTTPS, junos:POP3S, junos:IMAPS, or junos:SMTPS as dynamic-applications match criteria. We recommend that you remove any configuration that includes these dynamic-applications as match criteria in security policies.

    We recommend that you use the request system software validate package-name option before upgrading to the above-mentioned release.
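The inspection-limit behaviour described in the first item above, as an added Python model (not Juniper code): it counts payload bytes without the IP and TCP/UDP headers, applies the Table 3 defaults, the both-limits rule, the global offload byte limit and the deprecated max-packet-threshold, and concludes the pre-matched application or junos:UNKNOWN. Packet sizes, application names and the simulated point at which the engine reaches a final match are constructed.

```python
"""Model of the AppID inspection-limit decision described in these release notes.

Constructed illustration, not Juniper code.  It counts the payload bytes
(IP and TCP/UDP headers excluded) and packets seen in a session, stops the
classification when the configured limits are reached, and concludes the
pre-matched application or junos:UNKNOWN as the notes describe.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class InspectionLimit:
    """Per-protocol byte and packet limits; zero disables a limit."""
    byte_limit: int = 0
    packet_limit: int = 0

    def reached(self, payload_bytes: int, packets: int) -> bool:
        # With both options set, AppID inspects until BOTH limits are reached;
        # with both at zero the inspection limit is disabled.
        checks = []
        if self.byte_limit:
            checks.append(payload_bytes >= self.byte_limit)
        if self.packet_limit:
            checks.append(packets >= self.packet_limit)
        return bool(checks) and all(checks)


@dataclass
class AppIdConfig:
    tcp: InspectionLimit = field(default_factory=lambda: InspectionLimit(6000, 0))
    udp: InspectionLimit = field(default_factory=lambda: InspectionLimit(0, 10))
    global_offload_byte_limit: int = 10000   # default from the notes; zero disables
    max_packet_threshold: int = 0            # deprecated performance-mode option; zero = unset
    global_cache_enabled: bool = True


def defaults_for(release: str) -> AppIdConfig:
    """Table 3 defaults: Junos OS 19.4R1 versus the older 15.1X49-D200 values."""
    if release == "15.1X49-D200":
        return AppIdConfig(tcp=InspectionLimit(10000, 0), udp=InspectionLimit(0, 20))
    return AppIdConfig()


@dataclass
class Packet:
    """Constructed packet: only the lengths matter for the byte accounting."""
    total_len: int
    ip_hdr_len: int = 20
    l4_hdr_len: int = 20

    @property
    def payload_len(self) -> int:
        return self.total_len - self.ip_hdr_len - self.l4_hdr_len


def make_packets(count: int, total_len: int = 1500, l4_hdr_len: int = 20) -> List[Packet]:
    return [Packet(total_len, 20, l4_hdr_len) for _ in range(count)]


Verdict = Tuple[Optional[str], str, int]   # (application, reason, packets inspected)


def classify(cfg: AppIdConfig, proto: str, packets: List[Packet],
             final_match: Optional[Tuple[int, str]] = None,
             pre_matched: Optional[str] = None) -> Verdict:
    """Walk one session's packets and return the AppID verdict.

    final_match=(n, app) simulates the engine reaching its final classification
    on packet n; pre_matched is the partial match to fall back on otherwise.
    """
    limit = cfg.tcp if proto == "tcp" else cfg.udp
    payload_bytes = 0

    def conclude(reason: str, n: int) -> Verdict:
        if pre_matched:
            return pre_matched, reason, n
        if cfg.global_cache_enabled:
            return "junos:UNKNOWN", reason, n
        return None, reason, n   # the notes do not state the outcome with the cache disabled

    for n, pkt in enumerate(packets, start=1):
        payload_bytes += pkt.payload_len        # headers excluded, as the notes state
        if final_match and n == final_match[0]:
            return final_match[1], "final-match", n
        # The lowest configured limit wins: per-protocol limit, then the global
        # offload byte limit, then the deprecated DPI max-packet-threshold.
        if limit.reached(payload_bytes, n):
            return conclude(proto + "-limit", n)
        if cfg.global_offload_byte_limit and payload_bytes >= cfg.global_offload_byte_limit:
            return conclude("global-offload-byte-limit", n)
        if cfg.max_packet_threshold and n >= cfg.max_packet_threshold:
            return conclude("max-packet-threshold", n)
    return None, "inspecting", len(packets)   # limits not reached: still classifying
```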

Authentication and Access Control

  • Enabling and disabling SSH login password or challenge-response authentication (SRX Series)—Starting in Junos OS Release 19.4R1, you can disable either the SSH login password or the challenge-response authentication at the [edit system services ssh] hierarchy level.

    In Junos OS releases earlier than Release 19.4R1, you can enable and disable both SSH login password and the challenge-response authentication simultaneously at the [edit system services ssh] hierarchy level.

    [See Configuring SSH Service for Remote Access to the Router or Switch.]

Network Management and Monitoring

  • SSHD process authentication logs timestamp (SRX Series)—Starting in Junos OS Release 19.4R1, the SSHD process authentication logs use only the time zone that is defined in the system time zone. In Junos OS releases earlier than Release 19.4R1, the SSHD process authentication logs sometimes use the system time zone and the UTC time zone.

    [See Overview of Junos OS System Log Messages.]

  • Change in On-box reporting factory-default configuration (SRX1500, SRX4100, SRX4200, SRX4600 and vSRX)—Starting in Junos OS Release 19.4R1, the factory-default configuration does not include the on-box reporting configuration, to increase the solid-state drive (SSD) lifetime. You can enable on-box reporting by configuring the set security log report CLI command at the [edit security log] hierarchy level.

    [See Understanding On-Box Logging and Reporting.]

  • Change in jnxJsFlowMIB statistics display (SRX Series)—Starting in Junos OS Release 19.4R1, in a chassis cluster, you can see the statistics on all SPUs of both nodes using the show snmp mib walk jnxJsFlowMIB command. In earlier releases, you could see the statistics only on the local SPUs.

    [See SNMP MIB Explorer.]

Port Security

  • Configuring source MAC filters (SRX300 and SRX550 Services Gateway)—In this release of Junos OS, we fixed an issue that prevented source MAC filters from being configured on an interface. The error affected both the accept-source-mac and source-address-filter statements and resulted in one of the following error messages: accept-source-mac not allowed in switching mode and source mac filters not allowed in switching mode.

VPNs

  • IKE gateway dynamic distinguished name attributes (SRX Series devices)—Starting in Junos OS Release 19.4R1, you can now configure only one dynamic distinguished name (DN) attribute among container-string and wildcard-string at [edit security ike gateway gateway_name dynamic distinguished-name] hierarchy. If you try configuring the second attribute after you configure the first attribute, the first attribute is replaced with the second attribute. Before you upgrade your device, you must remove one of the attributes if you have configured both the attributes.

    [See distinguished-name (Security) and Understanding IKE Identity Configuration.]

  • CoS Forward Class name (SRX Series devices)—Starting in Junos OS Release 19.4R1, we have deprecated the CLI option fc-name (CoS Forward Class name) in the new iked process, which displays security associations (SAs) in the output of the show security ipsec sa command.

    [See show security ipsec security-associations.]

Known Limitations

Learn about known limitations in Junos OS Release 19.4R3 for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Layer Gateways (ALGs)

  • Due to an SSL-FP limitation, the active mode of TLS-based FTP is not supported in Junos OS Release 19.4R1. PR1450924

Class of Service (CoS)

  • On SRX Series devices, passthrough traffic encapsulated in PPPoE using the pp0 interface cannot currently be marked with IEEE 802.1p (p-bit) CoS marking. PR1513932

Flow-Based and Packet-Based Processing

  • For any WiFi configuration change, the access point restarts to make the configuration active. PR1436587

  • The SSIDs in different WLANs use the same IP address as the source IP address of the RADIUS packets. PR1445276

  • TKIP is not supported in acn mode. PR1459160

  • Use a 512 antireplay window size for IPv6 in a fat tunnel. The ESP sequence check might otherwise report out-of-order packets, because fat-tunnel parallel encryption reorders packets within a span of 384 packets (12 cores * 32 packets in one batch). With a 512 antireplay window size there are therefore no out-of-order packets. PR1470637

  • Use the show security macsec statistics detail command to see MACsec statistics for control interfaces; the interface specifier does not work. PR1475371

J-Web

  • The CA profile group imported using J-Web is not populated in the Certificate Authority Group initial landing page grid, but all the CA profiles of a group are populated on the Trusted Certificate Authorities landing page. PR1426682

  • When a dynamic application is created for an edited policy rule, the list of services will be blank when the services tab is clicked and then the policy grid will be autorefreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214

Platform and Infrastructure

  • On the SRX5000 line of devices with SPC3 cards, if security datapath configuration is applied on tunnel transit traffic, ESP traffic is not captured. PR1442132

Routing Policy and Firewall Filters

  • On SRX5400, SRX5600, and SRX5800 devices, on reth interfaces that are configured as DHCP clients, after a reboot of the device the interface might not get an IP address when you use the default number of DHCP retransmission attempts. When the number of retransmission attempts is increased to 5 or higher, it works fine. PR1458490

Switching

  • SRX300, SRX320, SRX340, SRX345, and SRX550HM devices do not support CoS features such as classification, scheduling, shaping, policing, PCP, and DSCP rewrite in Ethernet switching mode. PR1476310

VPNs

  • When multiple traffic selectors are configured on a particular VPN, the iked process sends at most one DPD probe to the peer per configured DPD interval. The DPD probe is sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585

  • When the operational mode command request security ike debug-enable is used for IKE debugging after IKE traceoptions with a filename have been configured, the debug output is written to that same file. PR1381328

  • In an SRX Series HA environment with thousands of IPsec tunnels, rebooting the secondary node might cause some IPsec or IKE tunnels to go down, because the iked process remains in cold sync for a long time and does not respond to peer DPD messages. Traffic on the affected tunnels is disrupted until either the SRX Series device or the peer brings the tunnel back up, which typically happens within seconds. PR1471243

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card and 60,000 tunnels up, if an RG0 failover happens while an IPsec or IKE rekey is in progress, the rekeying tunnels might go down and traffic loss might be seen until the tunnels are reestablished. PR1471499

  • In SPC2 and SPC3 mixed-mode HA deployments, the tunnels-per-second (TPS) rate drops while dead peer detection (DPD) is being served on existing tunnels. This limitation is due to a large share of CPU being consumed by the infrastructure (gencfg) that iked uses to synchronize its DPD state to the backup node. PR1473482

Open Issues

Learn about open issues in Junos OS Release 19.4R3 for SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

ATP Cloud

  • On SRX4600 devices running Junos OS Release 19.4R3.2, a 16.7 percent drop in skyatp_stream (throughput) performance has been observed. PR1533862

Chassis Clustering

  • On SRX Series devices in a chassis cluster, when the H.323 Application Layer Gateway (ALG) is enabled and H.323 traffic is passing through the device, an RG1 failover might generate core files and restart FPC0 on both nodes. PR1516612

Flow-Based and Packet-Based Processing

  • On an SRX4600 device, when the next hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725

  • Use an anti-replay window size of 512 for IPv6 in a fat tunnel. Fat-tunnel parallel encryption can reorder packets by up to 384 sequence numbers (12 cores * 32 packets per batch), so with a smaller window the ESP sequence check might report out-of-order packets. With a 512-packet anti-replay window there are no out-of-order packets. PR1470637

  • The firewall Web authentication graphics have been updated. PR1482433

  • On SRX Series devices, when a commit fails, the rollback of the previous commit might not happen, which could impact services. A commit confirmed should be rolled back if no subsequent successful commit or commit check is performed before the timer expires. PR1527848
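
The reasoning behind the 512-packet anti-replay window in the fat-tunnel item above (PR1470637, which also appears under Known Limitations) can be checked with a small model of the receiver-side ESP anti-replay window from RFC 4303. This is an added example, not Junos OS code: the AntiReplayWindow class is the generic RFC sliding-window algorithm rather than the SRX implementation, and the arrival order it is fed is a constructed worst case in which each of the 12 cores' batches of 32 finishes in reverse order, so a packet can trail a later one by up to 383 sequence numbers. The counts it produces show why a window of 384 or more (512 in the release note) reports no out-of-order packets, while a 256- or 64-packet window drops legitimate traffic.

```python
"""ESP anti-replay sliding window versus fat-tunnel reordering (PR1470637).

Added example, not Junos code. Models the receiver-side anti-replay check of
RFC 4303 section 3.4.3 and feeds it a constructed worst-case arrival order in
which 12 cores each encrypt a batch of 32 consecutive sequence numbers and the
core holding the highest numbers finishes first, so a packet can arrive up to
12 * 32 - 1 = 383 sequence numbers behind a later one.
"""
from __future__ import annotations

CORES = 12                    # assumed encryption cores per fat tunnel (from the release note)
BATCH = 32                    # assumed packets encrypted per batch (from the release note)
MAX_REORDER = CORES * BATCH   # 384: the bound quoted in the release note


class AntiReplayWindow:
    """Receiver-side ESP anti-replay window over monotonically assigned sequence numbers."""

    def __init__(self, size: int) -> None:
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.right = 0                    # highest sequence number accepted so far
        self.bitmap = 0                   # bit i set => sequence number (right - i) was received
        self.mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> str:
        """Classify one inbound sequence number and record it if accepted.

        Returns 'accept', 'replay' (already seen inside the window) or
        'too-old' (falls left of the window, so the receiver must drop it).
        """
        if seq > self.right:                       # advances the right edge
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1                    # everything older falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.right = seq
            return "accept"
        offset = self.right - seq                  # 0 == the current right edge
        if offset >= self.size:
            return "too-old"
        if self.bitmap & (1 << offset):
            return "replay"
        self.bitmap |= 1 << offset
        return "accept"


def fat_tunnel_arrival_order(n_packets: int, cores: int = CORES, batch: int = BATCH) -> list[int]:
    """Constructed worst-case delivery order for sequence numbers 1..n_packets.

    Packets are handed to cores in consecutive batches; within each round of
    `cores` batches the batches are emitted highest-first, so the first packet
    of a round arrives cores*batch - 1 sequence numbers after the last one.
    """
    order: list[int] = []
    round_size = cores * batch
    for start in range(1, n_packets + 1, round_size):
        end = min(start + round_size, n_packets + 1)
        batches = [list(range(b, min(b + batch, end))) for b in range(start, end, batch)]
        for b in reversed(batches):
            order.extend(b)
    return order


def count_false_drops(window_size: int, n_packets: int = 4 * MAX_REORDER) -> int:
    """Run the worst-case arrival order through a window of the given size.

    Every sequence number is delivered exactly once, so any 'too-old' verdict
    is a legitimate packet the receiver would wrongly drop as out of order.
    """
    window = AntiReplayWindow(window_size)
    verdicts = [window.check_and_update(seq) for seq in fat_tunnel_arrival_order(n_packets)]
    if "replay" in verdicts:
        raise AssertionError("no duplicates were sent, so no replay should be flagged")
    return verdicts.count("too-old")


def replay_is_detected(window_size: int = 512) -> bool:
    """Sanity check: a genuine duplicate inside the window is still rejected."""
    window = AntiReplayWindow(window_size)
    for seq in range(1, 101):
        window.check_and_update(seq)
    return window.check_and_update(50) == "replay" and window.check_and_update(101) == "accept"


if __name__ == "__main__":
    for size in (64, 256, 384, 512):
        print(f"window {size:4d}: {count_false_drops(size):5d} legitimate packets flagged too-old")
    print("replay still detected with window 512:", replay_is_detected())
```

Run the file directly to print the false-drop count for each window size. These notes do not name the Junos statement that sets the per-VPN anti-replay window, so check the IPsec VPN configuration documentation for your release before changing it, and confirm the effect on the device with the counters in the show security ipsec statistics output rather than with this model.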

Intrusion Detection and Prevention (IDP)

  • When the intelligent inspection status changes, no syslog message is generated on the SRX300 and SRX500 lines of devices. PR1448365

  • The flowd or srxpfe process might generate a core file during an idpd process commit on SRX Series devices. PR1521682

J-Web

  • On the SRX5000 line of devices, J-Web might sometimes become unresponsive when you commit configuration changes after adding a new dynamic application while creating a new firewall rule. J-Web displays a warning while validating the configuration because of the dynamic application or other configuration changes. As a workaround, refresh the J-Web page. PR1460001

Platform and Infrastructure

  • On SRX Series devices in a chassis cluster, high CPU usage might be seen due to the llmd process. PR1521794

  • The syslog might report "PFE_FLOWD_SELFPING_PACKET_LOSS: Traffic impact: Selfping packets loss/err: 300 within 600 second" error messages on node 0 and node 1. PR1522130

Routing Policy and Firewall Filters

  • Use the SSL reverse proxy feature instead of the SSL inspection feature; SSL inspection is being deprecated in favor of SSL reverse proxy. PR1450900

  • If a very large number of policies is configured on SRX Series devices and some of them are changed, traffic matching the changed policies might be dropped. PR1454907

VPNs

  • On SRX Series devices, if multiple traffic selectors are configured for a peer with Internet Key Exchange version 2 (IKEv2) reauthentication, only one traffic selector is rekeyed at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. A new negotiation of these traffic selectors is triggered through other mechanisms—for example, by traffic or by a peer. PR1287168

  • In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported in Junos OS Release 18.2R2 and later. PR1383329

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX Series device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE-IDs. PR1407356

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, when the SRX Series device is configured for IKEv1 and NAT traversal is active, the IPsec tunnel index might change after a successful IPsec rekey. In that case, some traffic loss might occur for a few seconds. PR1409855

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • On the SRX5000 line of devices with SPC3 cards, the IKE SA sometimes is not seen on the device when the st0 binding of a VPN configuration object is changed from one interface to another (for example, from st0.x to st0.y). PR1441411

  • The tunnel debugging configuration is not synchronized to the backup node; it must be configured again after an RG0 failover. PR1450393

  • In an IPsec VPN scenario on the SRX5000 line of devices, the iked process treats retransmission of IKE_INIT request packets as new connections when the SRX Series device acts as a responder of IKE negotiation. This causes IKE tunnel negotiation to fail, and IPsec VPN traffic might be impacted. PR1460907

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card and 60,000 tunnels up, if an RG0 failover happens while an IPsec or IKE rekey is in progress, the rekeying tunnels might go down and traffic loss might be seen until the tunnels are reestablished. PR1471499

  • In SPC2 and SPC3 mixed-mode HA deployments, the tunnels-per-second (TPS) rate drops while dead peer detection (DPD) is being served on existing tunnels. This limitation is due to a large share of CPU being consumed by the infrastructure (gencfg) that iked uses to synchronize its DPD state to the backup node. PR1473482

  • On the SRX5000 line of devices in SPC3 and SPC2 mixed mode, with a very large number of IKE peers (60,000) and dead peer detection (DPD) enabled, IPsec tunnels might flap in some cases when IKE and IPsec rekeys happen at the same time. PR1473523

  • Some TCP connections going through IPsec tunnels might get stuck after an RG1 failover. PR1477184

  • On the SRX5000 line of devices with SPC3, the tunnel is not brought down immediately after the peer device's interface is disabled, with DPD always-send configured on a site-to-site route-based VPN. PR1480905

  • The SRX5000 line of devices with SPC3 does not support simultaneous IKE negotiation in Junos OS Release 19.2, 19.3, 19.4, or 20.1. PR1497297

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 19.4R3

Application Layer Gateways (ALGs)

  • The srxpfe and mspmand process might stop if FTPS is enabled in a specific scenario. PR1510678

Chassis Clustering

  • SRX4100 and SRX4200 devices cannot detect an SPU failure through the chassis info command. PR1501018

  • ISSU fails with a timeout because of a cold synchronization failure. PR1502872

Flow-Based and Packet-Based Processing

  • The output of show security group-vpn server statistics | display xml is not in the expected format. PR1349959

  • A TCP session cannot time out properly upon receiving a TCP RESET packet; the session timeout does not change to two seconds. PR1467654

  • ECMP load balancing does not happen when node 0 is secondary for RG1. PR1475853

  • In the Web proxy, a memory leak occurs in the association hash table and the DNS hash table. PR1480760

  • Warm sessions cannot be cleared on the peer SRX Series device. PR1493174

  • The phone-home client stops while an SRX345 device is being configured through ZTP with CSO. PR1496650

  • An outbound SSH connection flap or a memory leak might be observed when configuration is pushed to the ephemeral database at a high rate. PR1497575

  • Traffic is interrupted because of MAC address duplication between two Junos OS devices. PR1497956

  • Do not use uppercase characters in source-identity with the show security match-policies command. PR1499090

  • J-Flow v9 does not display correct outgoing interface for APBR traffic. PR1502432

  • A condition within TCP proxy could result in downloads becoming permanently stuck or not completing. TCP proxy is used by multiple services, including Juniper ATP Cloud in block mode, ICAP, SSL proxy, anti-virus, content filtering, and anti-spam. PR1502977

  • A cfmd core file is generated when LTM is triggered for a session configured on an ethernet-switching interface without a bridge domain configuration. PR1503696

  • Layer 2 ping does not work with a remote MEP. PR1504986

  • The SOF asymmetric scenario does not work with the phase 1 solution. PR1507865

  • VRRP does not work on the redundant Ethernet interface with a VLAN ID greater than 1023. PR1515046

  • A logic issue was corrected in SSL proxy that could lead to an srxpfe or flowd core file under load. PR1516903

  • The PPPoE session does not come up after a return to zero on SRX Series devices. PR1518709

Interfaces and Chassis

  • Continuous drops are seen in control traffic, with high data queues in one SPC2 PIC. PR1490216

  • Fabric interface might be monitored down after chassis cluster reboot. PR1503075

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process stops and generates core files when processing IDP packets. PR1416275

  • The IDP attack detection might not work in a specific situation. PR1497340

  • The IDP custom-attack time-binding interval command was mistakenly hidden in the CLI. PR1506765

J-Web

  • The J-Web users might not be able to configure PPPoE using the PPPoE wizard. PR1502657

  • In a multiple-LSYS scenario, J-Web shows the parameters of another LSYS. PR1518675

Layer 2 Ethernet Services

  • DHCP does not work after running request system zeroize or load factory-default. PR1521704

Network Address Translation (NAT)

  • Not all NAT sessions are synchronized from Node 1 to Node 2. PR1473788

  • Continuous drops occur on the primary node after it comes up from a reboot on SRX4100 and SRX4200 devices. PR1494431

Platform and Infrastructure

  • The commands request system power-off and request system halt might not work correctly. PR1474985

  • Packets are dropped when the next hop is an IRB over an lt interface. PR1494594

  • On the SRX1500 device, the factory-default configuration for ge-0/0/0 and ge-0/0/15 should be set with family inet DHCP. PR1503636

Routing Policy and Firewall Filters

  • The srxpfe or flowd process might stop due to memory corruption within JDPI. PR1500938

  • Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002

Routing Protocols

  • The BGP route target family might prevent the route reflector from reflecting Layer 2 VPN and Layer 3 VPN routes. PR1492743

VPNs

  • With NCP remote access solution, in a PathFinder case (for example, where IPsec traffic has to be encapsulated as TCP packets), TCP encapsulation for transit traffic is failing. PR1442145

  • On an SRX4200 device, a 35 percent drop is seen in all TPS cases. PR1481625

  • On SRX Series devices with SPC3, when overlapping traffic-selectors are configured, multiple IPsec SAs get negotiated with the peer device. PR1482446

Resolved Issues: 19.4R2

Application Layer Gateways (ALGs)

  • The H323 call with NAT64 cannot be established on the SRX5000 line of devices. PR1462984

  • The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942

  • SIP messages that need to be fragmented might be dropped by the SIP ALG. PR1475031

  • FTPS traffic might get dropped on SRX Series and MX Series devices if FTP ALG is used. PR1483834

Authentication and Access Control

  • SRX Series: Unified Access Control (UAC) bypass vulnerability (CVE-2020-1637). PR1475435

Chassis Clustering

  • IP monitoring might fail on the secondary node. PR1468441

  • An unhealthy node might become primary in an SRX4600 chassis cluster scenario. PR1474233

  • The show chassis temperature-thresholds command displays extensive FPC 0 output. PR1485224

  • If a cluster ID of 16 or a multiple of 16 is used, the chassis cluster might not come up. PR1487951

Flow-Based and Packet-Based Processing

  • The trusted-ca and root-ca names or IDs should not be the same within an SSL proxy configuration. PR1420859

  • The SPC card might stop on SRX5000 line of devices. PR1439744

  • Upgrades of SRX Series devices to Junos OS Release 19.4R1 and later fail when certain SSL-based dynamic applications are used. PR1444767

  • On an E1 interface, the BERT bit count is not within range. PR1445041

  • Default inspection limits have been introduced for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180

  • LTE dual CPE support with mPIMs: when the modem receives a disconnect event from the ISP, the wait timer needs to be increased. PR1460102

  • A core file is generated when you perform an ISSU on SRX Series devices. PR1463159

  • The pkid process keeps leaking memory on SRX Series devices. PR1465614

  • Tail drop on all ports is observed when any switch-side egress port gets congested. PR1468430

  • RPM test probe failure on an exceeded round-trip time does not work. PR1471606

  • Lookup failure for the expected e-mail address in the DUT. PR1472748

  • Stateful firewall rule configuration deletion might lead to memory leak. PR1475220

  • The dfs-off function is enabled. PR1475294

  • The flowd or srxpfe process might stop when deleting user firewall local authentication table entry. PR1477627

  • MPCs might stop when there is bulk route update failure in a corner case. PR1478392

  • The nsd process might pause during device reboots if dynamic application groups are configured in a policy. PR1478608

  • The show mape rule statistics command might display negative values. PR1479165

  • In the Web proxy, a memory leak occurs in the association hash table and the DNS hash table. PR1480760

  • IMAP curl sessions get stuck in the active state if AAMW IMAP block mode is configured. PR1484692

  • Sometimes multiple flowd core files are generated on both nodes of chassis cluster at the same time when changing media MTU. PR1489494

Installation and Upgrade

  • The CPU board inlet temperature reading increases after an OS upgrade from Junos OS Release 15.1X49 to Junos OS Release 18.x. PR1488203

  • There is a risk of service interruption on all SRX Series devices with a dual-stacked CA server. PR1489249

Interfaces and Chassis

  • Static route through dl0.0 interface is not active. PR1465199

  • All interfaces remain down after the SRX300 line of devices powers up or reboots. PR1488348

Intrusion Detection and Prevention (IDP)

  • SNMP queries might cause a commit or show command to fail because of IDP. PR1444043

  • Rogue .gz files in /var/tmp/sec-download/ might cause an offline security package update to fail. PR1466283

J-Web

  • The Interconnect ports page cannot be used from J-Web because the Type list does not contain any values. PR1478333

Layer 2 Ethernet Services

  • Member link states might be out of sync on a connection between PE and CE devices in an EVPN active/active scenario. PR1463791

MPLS

  • BGP session might keep flapping between two directly connected BGP peers because of the wrong TCP MSS (maximum segment size) in use. PR1493431

Network Address Translation (NAT)

  • The flowd and srxpfe process might stop when traffic is processed by both ALGs and NAT. PR1471932

  • Issuing the show security nat source paired-address command might return an error. PR1479824

Network Management and Monitoring

  • The flowd and srxpfe process might stop immediately after you commit the J-Flowv9 configuration or after you upgrade Junos OS to affected releases. PR1471524

  • SNMP trap coldStart agent-address becomes 0.0.0.0. PR1473288

Platform and Infrastructure

  • Modifying the REST configuration might cause the system to become unresponsive. PR1461021

  • Physically disconnecting the cable from the fxp0 interface causes hardware monitor failure. PR1467376

  • On the SRX300 line of devices, the Authentication-Table might load slowly when user identification is used. PR1462922

  • On SRX Series devices, Packet Forwarding Engine memory might be used up if the security intelligence feature is configured. PR1472926

  • Supports LLDP on reth interfaces. PR1473456

  • Certificate error while validating configuration during Junos OS upgrade. PR1474225

  • Packet drop might be observed on the SRX300 line of devices when an interface is added to or removed from MACsec. PR1474674

  • The flowd process core files might be seen when there is mixed NAT-T traffic or non-NAT-T traffic with PMI enabled. PR1478812

  • When SRX5K-SPC3s or MX-SPC3s are installed in slots 0 or 1 in SRX5800 or MX960 devices, EMI radiated emissions are observed to be higher than regulatory compliance requirements. PR1479001

  • The RGx might fail over after RG0 failover in a rare case. PR1479255

  • The wl-interface stays in the ready status after you execute the request chassis fpc restart command in Layer 2 mode. PR1479396

  • Recent changes to JDPI's classification mechanism caused a considerable performance regression (more than 30 percent). PR1479684

  • The flowd or srxpfe process might stop when advanced anti-malware service is used. PR1480005

  • Commit does not work after the installation through boot loader. PR1487831

Routing Policy and Firewall Filters

  • Security policies cannot be synchronized between the Routing Engine and the Packet Forwarding Engine on SRX Series devices. PR1453852

  • Some domains are not resolved by the SRX Series devices when using the DNS address book. PR1471408

  • The policy detail does not display the policy statistics counter, even when policy count is enabled. PR1471621

  • Support for dynamic tunnels on SRX Series devices was mistakenly removed. PR1476530

  • The request security policies check command output shows policies as out of sync. PR1482200

  • TCP proxy was mistakenly engaged in unified policies when Web filtering was configured in potential match policies. PR1492436

Routing Protocols

  • SSH login might fail if a user account exists in both local database and RADIUS/TACACS+. PR1454177

  • The rpd might stop when both instance-import and instance-export policies contain the as-path-prepend action. PR1471968

Unified Threat Management (UTM)

  • The scale numbers of UTM profiles or policies have been increased for the SRX1500 device and the SRX4000 and SRX5000 lines of devices. PR1455321

  • The utmd process pauses after you deactivate the UTM configuration while predefined category upgrading is in use. PR1478825

  • UTM Websense redirect supports IPv6 messages. PR1481290

VPNs

  • The established tunnels might remain unchanged when an IKE gateway is changed from AutoVPN to Site-to-Site VPN. PR1413619

  • The counters in the show security ipsec statistics command output overflow and wrap around at the 4,---,---,--- count. PR1424558

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card and IKEv1 enabled, the IKE daemon might generate a core file during an RG0 failover when the IKE SA has expired but an IPsec tunnel associated with the expired IKE SA still exists. The daemon recovers eventually. PR1463501

  • IPsec tunnels might lose connectivity after an SRX Series chassis cluster failover when using AutoVPN point-to-multipoint mode. PR1469172

  • IPsec tunnels might flap when one secondary node is coming online after reboot in SRX Series high availability environment. PR1471243

  • The kmd process might crash continually after the chassis cluster failover in the IPsec ADVPN scenario. PR1479738

Resolved Issues: 19.4R1

Application Layer Gateways

  • Unexpected forwarding sessions might appear for tenant SIP ALG traffic in the case of cross-tenants. PR1409748

  • The flowd or srxpfe process might stop in SRX Series devices with chassis cluster when SIP ALG is used. PR1445766

  • Packet loss happens during cold synchronization from the secondary node after rebooting. PR1448252

  • After Layer 3 HA is enabled, ALG H.323 group or resource cannot be synchronized to the peer node correctly. PR1456709

Application Security

  • The AAMW diagnostic script generates incorrect error: Error: Platform does not support SkyATP: srx300. PR1423378

  • If automatic application-identification download is configured with a start-time specified, the automatic download stops when the time has progressed to the next year and a reboot is done before the start-time is reached that year. PR1436265

  • SSL-based AppID simplification effort (removal of HTTPS, POP3S, IMAPS, SMTPS). PR1444767

  • The flowd process core files might be generated when traffic hits the AppQoS policy. PR1446080

  • The AAMW diagnostic script generates incorrect error when there is Internet latency: Error: server unreachable is detected, please make sure port 443 is reachable. PR1468114

Authentication and Access Control

  • Same-source IP sessions are cleared when the IP entry is removed from the UAC table. PR1457570

Chassis Clustering

  • Hardware failure is seen on both nodes in the output of the show chassis cluster status command. PR1452137

  • On SRX Series devices with chassis cluster, the control link remains up even though the control link is actually down. PR1452488

Class of Service

  • Frequent issuance of the show class-of-service spu statistics command causes the rtlogd process to be busy. PR1438747

Flow-Based and Packet-Based Processing

  • Throughput or latency performance of TCP traffic degrades when TCP traffic passes from one logical system to another. PR1403727

  • Packet loss is caused by FPGA back pressure on the SPC3 card. PR1429899

  • VPN traffic fails after the primary node is rebooted or powered off. PR1433336

  • PMI does not support the mirror-filter functionality. If mirror filters are configured, PMI diverts all traffic to the regular flow path. PR1434583

  • Intermittent packet drop might be observed if IPsec is configured. PR1434757

  • On an SRX4600 device, a core file might be generated and the SPM might remain in the present state. PR1436421

  • Security logs cannot be sent to the external syslog server through TCP. PR1438834

  • Decryption traffic doesn’t take PMI path after IPsec rekey (initiated by peer) when the loopback interface is configured as an external interface. PR1438847

  • The IKE pass-through packet might be dropped after a NAT operation on the source. PR1440605

  • A new CLI option shows only useful group information for an Active Directory user. PR1442567

  • When checking the flow session XML for source NAT under a tenant, there is no value identifier for tenant-name. PR1440652

  • The flowd or srxpfe process might stop when processing fragmented packets. PR1443868

  • Junos OS: SRX5000 Series: flowd process crash due to receipt of specific TCP packet (CVE-2019-0064). PR1445480

  • J-Flow version 5 stops working after changing the input rate value. PR1446996

  • Packet loss happens during cold synchronization from secondary node after rebooting. PR1447122

  • On the SRX1500 device, automatic installation is removed from CLI. PR1447796

  • SPC3 talus FPGA stuck on 0x3D or 0x69 golden version. PR1448722

  • Host-inbound or host-outbound traffic on a VR does not work when the SRX5000 line of devices works in SPC3 mixed mode. PR1449059

  • SPU priority does not work when PMI is enabled on the SRX5000 line of devices with an SPC3 card. PR1449587

  • All ingress packets are dropped if the traffic transit network is also the same network for LTE mPIM internal management. PR1450046

  • The flowd or srxpfe process might stop when SSL proxy service is used. PR1450829

  • The AAMW policy rules for IMAP traffic sometimes might not be applied when the traffic passes through SRX Series devices. PR1450904

  • FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122

  • Traffic forwarding on a Q-in-Q port and VLAN tagging are not observed properly on R0. PR1451474

  • The rpd process might stop and restart with the generation of an rpd core file when committing the configuration. PR1451860

  • The SRX Series device stops and several core files are generated. PR1455169

  • Some JP APN settings were added to the default list in LTE mPIM. PR1457838

  • Changing the RESET configuration button behavior on the SRX1500 does not work. PR1458323

  • The security flow traceoptions fill up with RTSP ALG-related information. PR1458578

  • Optimizations were made to improve the connections-per-second performance of SPC3. PR1458727

  • The security-intelligence CC feed does not block HTTPS traffic based on SNI. PR1460384

  • The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619

  • A command was added to clear a specified associated client. PR1461577

  • Tunnel packets might be dropped because the gr0.0 or st0.0 interface is wrongly calculated after a GRE or VPN route change. PR1462825

  • Fragmented traffic might loop between the fab interfaces in a rare case. PR1465100

  • A jbuf double-free issue is tracked. PR1465286

  • HTTP block message stops working after SNI check for HTTPS session. PR1465626

  • The jbuf process usage might increase up to 99 percent after Junos OS upgrade. PR1467351

  • The rpd process might stop after several changes to the flow-spec routes. PR1467838

  • The FTP data connection might be dropped on a dl interface. PR1468570

Interfaces and Chassis

  • SCB4 or SCB3 ZF or XF2 fabric plane retraining is needed after switching the fabric redundancy mode. PR1427119

  • An MTU change after a CFM session is up can impact Layer 2 Ethernet ping (loopback messages). If the new value is less than the value in the initial incarnation, Layer 2 Ethernet ping fails. PR1427589

  • The LACP interface might flap while performing a failover. PR1429712

  • LFM remote loopback does not work as expected. PR1428780

  • The number of mgd processes increases as the mgd processes are not closed properly. PR1439440

  • The fxp0 interface might redirect packets not destined to itself. PR1453154

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process crashes and generates a core file. PR1437569

  • CLI helper text was added to the IDP's attack chain expressions. PR1438620

J-Web

  • The default log query time in J-Web monitoring functionality has been reduced. This increases the responsiveness of the landing pages. PR1423864

  • The phone-home UI portal is to be removed from SRX Series devices. PR1428717

  • Some error messages might be seen when using J-Web. PR1446081

  • The idle-timeout for J-Web access does not work properly. PR1446990

  • J-Web fails to display the traffic log in event mode when stream mode host is configured. PR1448541

  • Editing destination NAT rule in J-Web introduces a non-configured routing-instance field. PR1461599

  • The Go button within the J-Web Monitor->Events view now correctly refreshes the logs even when using a blank search query. PR1464593

  • J-Web security resources dashboard widget was not being populated correctly. PR1464769

Layer 2 Ethernet Services

  • DHCP requests might get dropped in a DHCP relay scenario. PR1435039

Network Address Translation

  • The nsd process might stop when SNMP queries deterministic NAT pool information. PR1436775

  • Flowd process core files are generated in the device while testing NAT PBA in AA mode. PR1443148

  • RTSP resource session is not found during NAT64 static mapping. PR1443222

  • A port endian issue in SPU messages between SPC3 and SPC2 results in one redundant NAT binding being created in central point when one binding is allocated in SPC2 SPC. PR1450929

  • Packet loss is observed when multiple source NAT pools and rules are configured. PR1457904

Network Management and Monitoring

  • MIB OID dot3StatsDuplexStatus shows wrong status. PR1409979

  • The snmpd process might generate core files after the nsd process is restarted by using the restart network-security gracefully command. PR1443675

  • Control links are logically down on SRX Series devices in a chassis cluster running Junos OS Release 12.3X48. PR1458314

Platform and Infrastructure

  • On SRX4600 platform, when manual RG0 failover is performed, sometimes node0 (the original primary node) stays in secondary-hold status for a long time and cannot change back to secondary status. PR1421242

  • Packet drops, replication failure, or ksyncd stops might be seen on the logical system of a Junos OS device after Routing Engine switchover. PR1427842

  • The PICs might go offline and split brain might be seen when interrupt storm happens on internal Ethernet interface em0 or em1. PR1429181

  • REST API does not work properly. PR1430187

  • Unable to launch J-Web when the device is upgraded through USB image. PR1430941

  • Packet Forwarding Engine crashes might be seen on SRX1500 platform. PR1431380

  • The ksyncd process might stop and restart. PR1440576

  • The configured RPM probe server hardware timestamp does not respond with the correct timestamp to the RPM client. PR1441743

  • ARP resolution might fail after ARP HOLD next hops are added and deleted continuously. PR1442815

  • The SRX300 line of devices does not have a MIB that can retrieve the fan status. PR1443649

  • IS-IS adjacencies between the GE link are not up. PR1446533

  • The flowd process might stop on SRX Series devices when chassis cluster and IRB interface are configured. PR1446833

  • The show security flow session command fails with error messages when an SRX4100 or SRX4200 device has around 1 million routing entries in the FIB. PR1445791

  • LACP cannot work with the encapsulation flexible-ethernet-services configuration. PR1448161

  • On certain MPC line cards, cm errors need to be reclassified. PR1449427

  • The REST service might become nonresponsive when the REST API receives several continuous HTTP requests. PR1449987

  • VM core files might be generated if the configured sampling rate is more than 65,535. PR1461487

  • Loading CA certificate causes pkid core file to be generated. PR1465966

Routing Policy and Firewall Filters

  • The NSD process might stop due to a memory corruption issue. PR1419983

  • Two ipfd processes appear in the ps command output, and the process pauses. PR1444472

  • During commit, the nsd_vrf_group_config_lsys log messages are displayed. PR1446303

  • Traffic log shows wrong custom-application name when the alg ignore option is used in application configuration. PR1457029

  • The nsd process might get stuck and cause problems. PR1458639

  • The policy detail does not display the policy statistics counter, even when policy count is enabled. PR1471621

Services Applications

  • The flowd process stops when the SRX5000 line of devices works in SPC3 mixed mode with one SPC3 card or seven SPC2 cards. PR1448395

  • The srxpfe lcore-slave core files are generated. PR1460035

Unified Threat Management

  • The show security utm web-filtering status command now provides additional context when the status of EWF is down. PR1426748

  • Memory issue due to SSL proxy whitelist or whitelist URL category. PR1430277

  • Adjust core allocation ratio for on-box antivirus. PR1431780

VLAN Infrastructure

  • ISSU failed from Junos OS Release 18.4R2.7 to Junos OS Release 19.4, with secondary node PICs in present state after upgrading to Junos OS Release 19.4. PR1468609

VPNs

  • IPsec SAs are inconsistent between the SPCs of node0 and node1 on SRX Series devices in a chassis cluster. PR1351646

  • After RG1 failover, the IKE phase 1 SA is cleared. PR1352457

  • With a large number of IPsec tunnels established, a few tunnels might fail during rekey negotiation if the SRX Series device initiates the rekey. PR1389607

  • An incorrect port number is displayed at a scale of 1,000 IKEv1 AutoVPN tunnels. PR1399147

  • The IKE and IPsec configuration under groups is not supported in this release. PR1405840

  • The IKED process stops due to a misconfiguration. PR1416081

  • The VPN tunnel might flap when IKE and IPsec rekey happen simultaneously. PR1421905

  • Old tunnel entries are also seen when new tunnel negotiation happens from peer device after change in IKE gateway configuration at peer side. PR1423821

  • IPsec packet throughput might be impacted if NAT-T is configured and post-fragmentation occurs. PR1424937

  • The tunnel does not come up, with a gateway lookup failed error, after the configuration is changed from IPv4 to IPv6 tunnels in a script. PR1431265

  • P1 configuration delete message is not sent on loading baseline configuration if there has been a prior change in VPN configuration. PR1432434

  • IPsec rekey is triggered when the sequence number in AH and ESP packets is about to be exhausted. PR1433343

  • P1 or P2 SAs are deleted after RG0 failover. PR1433355

  • IPsec SA in and out key sequence number update missing after cold synchronization. PR1433424

  • Sequence number reset to zero while recovering SA after SPC3 or flowd stops or reboots. PR1433568

  • The kmd log repeatedly shows "resource temporarily unavailable" and VPNs might be down. PR1434137

  • The IKED process stops on SRX5000 line of devices with SPC3 when IPsec VPN or IKE is configured. PR1443560

  • The IPsec VPN traffic drop might be seen on SRX Series devices with NAT-T scenario. PR1444730

  • Sometimes old SAs are not deleted after rekey, and more IPsec tunnels are shown than are configured. PR1449296

  • Some IPsec tunnels flap after RG failover on SRX5000 line of devices. PR1450217

  • The VPN flaps on the primary node after a reboot of the secondary node. PR1455389

  • IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951

  • IPsec VPN tunnels randomly lose traffic selector routes while the tunnel is still up, causing traffic loss on those IPsec VPN tunnels. PR1456301

  • On all SRX Series devices, the no-anti-replay option does not take effect immediately. Traffic is not sent out through IPsec VPN after upgrading to Junos OS Release 18.2 or later. PR1461793

  • The IPsec VPN tunnels cannot be established if overlapped subnets are configured in traffic selectors. PR1463880

Documentation Updates

This section lists the errata and changes in Junos OS Release 19.4R3 for the SRX Series documentation.

Feature Guides Are Renamed As User Guides

  • Starting with Junos OS 19.4R1, we renamed our Feature Guides to User Guides to better reflect the purpose of the guides. For example, the BGP Feature Guide is now the BGP User Guide. We didn’t change the URLs of the guides, so any existing bookmarks you have will continue to work. To keep the terminology consistent on our documentation product pages, we renamed the Feature Guides section to User Guides. To find documentation for your specific product, see the Junos OS Documentation page.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one EEOL release to the next EEOL release or to the one after that. For example, you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, from Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3, and so on.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.
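The span rules above are easy to get wrong when planning a multi-step upgrade across an SRX estate, so the following is an added example (not from Juniper or these release notes) that encodes the policy as a checker and a path planner. The release ordering is constructed for the example, and 15.1X49 is omitted because it is an SRX-specific branch with its own numbering. The EEOL set contains the four releases named above plus 18.4 and 19.4, which are assumptions added for illustration; populate it from the EEOL page linked above before relying on the output.

```python
"""Checker for the Junos OS upgrade/downgrade span policy (added example)."""
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed ordering of Junos OS main releases for this example. The real
# release train has more entries; 15.1X49 is an SRX-specific branch with its
# own numbering and is left out here.
RELEASES: List[str] = [
    "17.3", "17.4", "18.1", "18.2", "18.3", "18.4",
    "19.1", "19.2", "19.3", "19.4",
]

# EEOL releases: 17.3, 17.4, 18.1 and 18.2 are named in the release notes;
# 18.4 and 19.4 are assumptions added for illustration. Verify the set against
# https://www.juniper.net/support/eol/junos.html before relying on it.
EEOL: Set[str] = {"17.3", "17.4", "18.1", "18.2", "18.4", "19.4"}

MAX_SPAN = 3       # a hop between any two releases may span at most three releases
MAX_EEOL_SPAN = 2  # an EEOL-to-EEOL hop may span at most two EEOL releases


def _index(release: str, releases: List[str]) -> int:
    """Position of a release in the ordered train; unknown releases are an error."""
    if release not in releases:
        raise ValueError(f"unknown release {release!r}")
    return releases.index(release)


def direct_hop_supported(src: str, dst: str,
                         releases: List[str] = RELEASES,
                         eeol: Set[str] = EEOL) -> bool:
    """True if a single upgrade or downgrade from src to dst is within policy."""
    i, j = _index(src, releases), _index(dst, releases)
    if abs(i - j) <= MAX_SPAN:
        return True                      # general rule: at most three releases apart
    if src in eeol and dst in eeol:      # EEOL rule: adjacent or next-but-one EEOL
        eeol_ordered = [r for r in releases if r in eeol]
        return abs(eeol_ordered.index(src) - eeol_ordered.index(dst)) <= MAX_EEOL_SPAN
    return False


def plan_path(src: str, dst: str,
              releases: List[str] = RELEASES,
              eeol: Set[str] = EEOL) -> Optional[List[str]]:
    """Shortest policy-conformant hop sequence from src to dst, or None.

    Intermediate hops are restricted to EEOL releases lying between src and
    dst, matching the advice to step through an EEOL release first.
    """
    if src == dst:
        return [src]
    lo, hi = sorted((_index(src, releases), _index(dst, releases)))
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:                         # breadth-first search over allowed hops
        cur = queue.popleft()
        for nxt in releases[lo:hi + 1]:
            if nxt in prev:
                continue
            if nxt != dst and nxt not in eeol:
                continue                 # only EEOL releases serve as stepping stones
            if not direct_hop_supported(cur, nxt, releases, eeol):
                continue
            prev[nxt] = cur
            if nxt == dst:
                path: List[str] = []
                node: Optional[str] = dst
                while node is not None:
                    path.append(node)
                    node = prev[node]
                return path[::-1]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    for s, d in (("18.1", "18.3"), ("18.1", "19.1"), ("18.3", "19.4"), ("19.4", "17.3")):
        print(f"{s} -> {d}: direct={direct_hop_supported(s, d)} path={plan_path(s, d)}")
```

With the constructed data, 18.3 to 19.4 spans five releases and is refused as a direct hop; the planner routes it through 18.4 (an assumed EEOL release) and then to 19.4 under the EEOL rule. A None result means no conformant path exists with the EEOL set as given, which is usually a sign the set needs updating from the EEOL page rather than that the upgrade is impossible.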

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.