Junos OS Release Notes for vSRX
These release notes accompany Junos OS Release 19.4R3 for vSRX. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.
What’s New
Learn about new features introduced in the Junos OS main and maintenance releases for vSRX.
Release 19.4R3 New and Changed Features
There are no new features for vSRX in in Junos OS Release 19.4R3.
What's Changed
Learn about what changed in the Junos OS main and maintenance releases for vSRX.
Management
Repetition of WALinuxAgent logs causing file size increase (vSRX 3.0)—The Azure WALinuxAgent performs the provisioning job for the vSRX instances. When a new vSRX instance is deployed, the continued increasing size of the waagent log file might cause the vSRX to stop.
If the vSRX is still operating, then delete the /var/log/waagent.log directly or run the clear log waagent.log all command to clear the log file.
Or you can run the set groups azure-provision system syslog file waagent.log archive size 1m and set groups azure-provision system syslog file waagent.log archive files 10 commands to prevent the growing of the waagent logs. These configurations will cause the rotation of log of waagent with the size bigger than 1MB and set a maximum of 10 backups.
Known Limitations
Learn about known limitations in Junos OS Release 19.4R3 for vSRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
J-Web
The CA profile group imported using J-Web is not populated in the Certificate Authority Group initial landing page grid, but all the CA profiles of a group are populated on the Trusted Certificate Authorities landing page. PR1426682
When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is autorefreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214
Platform and Infrastructure
When the traffic flow is high (throughput of 2 Gbps or more), reboot of vSRX 3.0 running with Hyper-V on windows server 2016 is not recommended. vSRX 3.0 VM might hang during boot process. We recommend that you schedule a reboot or an upgrade when there is no traffic. As a workaround, to recover the vSRX 3.0 VM, restart the instance again when the traffic stops. PR1394792
Unified Threat Management (UTM)
vSRX and vSRX 3.0 platforms with less than 8 GB of memory do not support HA on-box AV light mode or heavy mode. PR1454623
User Access and Authentication
On vSRX 3.0 running on Azure, there might be one more IP address 10.1.1.1 configured on fxp0 intermittently besides the IP assigned by DHCP, which would cause CLI upgrade failure when HSM is enabled. PR1461678
Open Issues
Learn about open issues in Junos OS Release 19.4R3 for vSRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
VPNs
If multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector rekeys at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. New negotiation of those traffic selectors might be triggered through other mechanisms such as traffic or peer. PR1287168
Resolved Issues
Learn which issues were resolved in the Junos OS main and maintenance releases for vSRX.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Application Security
The flow performance might be reduced in the Security Intelligence scenario. PR1491682
The flowd srxpfe process might stop when SSL proxy and AppSecure process traffic simultaneously. PR1516969
CLI
On Microsoft Azure deployments, SSH public key authentication is not supported for vSRX 3.0 CLI and portal deployment. PR1402028
Flow-Based and Packet-Based Processing
A chassis cluster node might stop passing traffic. PR1528898
Intrusion Detection and Prevention (IDP)
The IDP attack detection might not work in a specific situation. PR1497340
J-Web
Infinite loading circle may be encountered via J-Web. PR1493601
Platform and Infrastructure
The vSRX instance might restart unexpectedly. PR1479156
The srxpfe process might stop if a reboot or upgrade is performed. PR1490878
The clock drift issue might cause control link failure of a vSRX cluster running on KVM hypervisor. PR1496937
On vSRX the interfaces might remain shut as the FPC faces issues while coming online after an upgrade attempt on the device. PR1499092
When SSL proxy is enabled and if the vSRX instance runs out of memory, then the SSL proxy module might stop. PR1505013
Changes to the configuration command for assigning more vCPUs to the Routing Engine. PR1505724
With CSO SD-WAN configuration loaded, flowd process generates core files while deleting the GRE IPsec configuration. PR1513461
Routing Policy and Firewall Filters
Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002
Unified Threat Management (UTM)
The source and destination IP or port fields were reversed for Content-Filtering and Anti-Virus logs. These fields now reflect the source and destination of the flow correctly. PR1499327
VPNs
The Ping-icmp test fails after configuring ecmp routes over multipoint tunnel interface VPNs PR1438311
The flowd process might stop in IPsec VPN scenario. PR1517262
Migration, Upgrade, and Downgrade Instructions
This section contains information about how to upgrade Junos OS for vSRX using the CLI. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.
You also can upgrade to Junos OS Release 19.4R3 for vSRX using J-Web (see J-Web) or the Junos Space Network Management Platform (see Junos Space).
Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Releases 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, or 19.2 is supported.
The following limitations apply:
Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Release 19.3 and higher is not supported. For upgrade between other combinations of Junos OS Releases in vSRX and vSRX 3.0, the general Junos OS upgrade policy applies.
The file system mounted on /var usage must be below 14% of capacity.
Check this using the following command:
show system storage | match " /var$" /dev/vtbd1s1f2.7G 82M 2.4G 3% /var
Using the request system storage cleanup command might help reach that percentage.
The Junos OS upgrade image must be placed in the directory /var/host-mnt/var/tmp/. Use the request system software add /var/host-mnt/var/tmp/<upgrade_image>
We recommend that you deploy a new vSRX virtual machine (VM) instead of performing a Junos OS upgrade. That also gives you the option to move from vSRX to the newer and more recommended vSRX 3.0.
Ensure to back up valuable items such as configurations, license-keys, certificates, and other files that you would like to keep.
For ESXi deployments, the firmware upgrade from Junos OS Release 15.1X49-Dxx to Junos OS releases 17.x, 18.x, or 19.x is not recommended if there are more than three network adapters on the 15.1X49-Dxx vSRX instance. If there are more than three network adapters and you want to upgrade, then we recommend that you either delete all the additional network adapters and add the network adapters after the upgrade or deploy a new vSRX instance on the targeted OS version.
Upgrading Software Packages
To upgrade the software using the CLI:
- Download the
Junos OS Release 19.4R3 for vSRX .tgzfile from the Juniper Networks website. Note the size of the software image. - Verify that you have enough free disk space on the vSRX
instance to upload the new software image.
root@vsrx> show system storage Filesystem Size Used Avail Capacity Mounted on /dev/vtbd0s1a 694M 433M 206M 68% / devfs 1.0K 1.0K 0B 100% /dev /dev/md0 1.3G 1.3G 0B 100% /junos /cf 694M 433M 206M 68% /junos/cf devfs 1.0K 1.0K 0B 100% /junos/dev/ procfs 4.0K 4.0K 0B 100% /proc /dev/vtbd1s1e 302M 22K 278M 0% /config /dev/vtbd1s1f 2.7G 69M 2.4G 3% /var /dev/vtbd3s2 91M 782K 91M 1% /var/host /dev/md1 302M 1.9M 276M 1% /mfs /var/jail 2.7G 69M 2.4G 3% /jail/var /var/jails/rest-api 2.7G 69M 2.4G 3% /web-api/var /var/log 2.7G 69M 2.4G 3% /jail/var/log devfs 1.0K 1.0K 0B 100% /jail/dev 192.168.1.1:/var/tmp/corefiles 4.5G 125M 4.1G 3% /var/crash/corefiles 192.168.1.1:/var/volatile 1.9G 4.0K 1.9G 0% /var/log/host 192.168.1.1:/var/log 4.5G 125M 4.1G 3% /var/log/hostlogs 192.168.1.1:/var/traffic-log 4.5G 125M 4.1G 3% /var/traffic-log 192.168.1.1:/var/local 4.5G 125M 4.1G 3% /var/db/host 192.168.1.1:/var/db/aamwd 4.5G 125M 4.1G 3% /var/db/aamwd 192.168.1.1:/var/db/secinteld 4.5G 125M 4.1G 3% /var/db/secinteld - Optionally, free up more disk space if needed to upload
the image.
root@vsrx> request system storage cleanup List of files to delete: Size Date Name 11B Sep 25 14:15 /var/jail/tmp/alarmd.ts 259.7K Sep 25 14:11 /var/log/hostlogs/vjunos0.log.1.gz 494B Sep 25 14:15 /var/log/interactive-commands.0.gz 20.4K Sep 25 14:15 /var/log/messages.0.gz 27B Sep 25 14:15 /var/log/wtmp.0.gz 27B Sep 25 14:14 /var/log/wtmp.1.gz 3027B Sep 25 14:13 /var/tmp/BSD.var.dist 0B Sep 25 14:14 /var/tmp/LOCK_FILE 666B Sep 25 14:14 /var/tmp/appidd_trace_debug 0B Sep 25 14:14 /var/tmp/eedebug_bin_file 34B Sep 25 14:14 /var/tmp/gksdchk.log 46B Sep 25 14:14 /var/tmp/kmdchk.log 57B Sep 25 14:14 /var/tmp/krt_rpf_filter.txt 42B Sep 25 14:13 /var/tmp/pfe_debug_commands 0B Sep 25 14:14 /var/tmp/pkg_cleanup.log.err 30B Sep 25 14:14 /var/tmp/policy_status 0B Sep 25 14:14 /var/tmp/rtsdb/if-rtsdb Delete these files ? [yes,no] (no) yes < output omitted>Note If this command does not free up enough disk space, see [SRX] Common and safe files to remove in order to increase available system storage for details on safe files you can manually remove from vSRX to free up disk space.
- Use FTP, SCP, or a similar utility to upload the Junos
OS Release 19.4R3 for vSRX .tgz file to
/var/crash/corefiles/on the local file system of your vSRX VM. For example:root@vsrx> file copy ftp://username:prompt@ftp.hostname.net/pathname/
junos-vsrx-x86-64-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE.tgz /var/crash/corefiles/ - From operational mode, install the software upgrade package.
root@vsrx> request system software add /var/crash/corefiles/junos-vsrx-x86-64-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE.tgz no-copy no-validate reboot Verified junos-vsrx-x86-64-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE signed by PackageDevelopmentEc_2017 method ECDSA256+SHA256 THIS IS A SIGNED PACKAGE WARNING: This package will load JUNOS 20.3 software. WARNING: It will save JUNOS configuration files, and SSH keys WARNING: (if configured), but erase all other files and information WARNING: stored on this machine. It will attempt to preserve dumps WARNING: and log files, but this can not be guaranteed. This is the WARNING: pre-installation stage and all the software is loaded when WARNING: you reboot the system. Saving the config files ... Pushing Junos image package to the host... Installing /var/tmp/install-media-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE.tgz Extracting the package ... total 975372 -rw-r--r-- 1 30426 950 710337073 Oct 19 17:31 junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-app.tgz -rw-r--r-- 1 30426 950 288433266 Oct 19 17:31 junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz Setting up Junos host applications for installation ... ============================================ Host OS upgrade is FORCED Current Host OS version: 3.0.4 New Host OS version: 3.0.4 Min host OS version required for applications: 0.2.4 ============================================ Installing Host OS ... upgrade_platform: ------------------- upgrade_platform: Parameters passed: upgrade_platform: silent=0 upgrade_platform: package=/var/tmp/junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz upgrade_platform: clean install=0 upgrade_platform: clean upgrade=0 upgrade_platform: Need reboot after staging=0 upgrade_platform: ------------------- upgrade_platform: upgrade_platform: Checking input /var/tmp/junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz ... upgrade_platform: Input package /var/tmp/junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz is valid. upgrade_platform: Backing up boot assets.. cp: omitting directory '.' bzImage-intel-x86-64.bin: OK initramfs.cpio.gz: OK version.txt: OK initrd.cpio.gz: OK upgrade_platform: Checksum verified and OK... /boot upgrade_platform: Backup completed upgrade_platform: Staging the upgrade package - /var/tmp/junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz.. ./ ./bzImage-intel-x86-64.bin ./initramfs.cpio.gz ./upgrade_platform ./HOST_COMPAT_VERSION ./version.txt ./initrd.cpio.gz ./linux.checksum ./host-version bzImage-intel-x86-64.bin: OK initramfs.cpio.gz: OK version.txt: OK upgrade_platform: Checksum verified and OK... upgrade_platform: Staging of /var/tmp/junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz completed upgrade_platform: System need *REBOOT* to complete the upgrade upgrade_platform: Run upgrade_platform with option -r | --rollback to rollback the upgrade Host OS upgrade staged. Reboot the system to complete installation! WARNING: A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the WARNING: 'request system reboot' command when software installation is WARNING: complete. To abort the installation, do not reboot your system, WARNING: instead use the 'request system software rollback' WARNING: command as soon as this operation completes. NOTICE: 'pending' set will be activated at next reboot... Rebooting. Please wait ... shutdown: [pid 13050] Shutdown NOW! *** FINAL System shutdown message from root@ *** System going down IMMEDIATELY Shutdown NOW! System shutdown time has arrived\x07\x07If no errors occur, Junos OS reboots automatically to complete the upgrade process. You have successfully upgraded to Junos OS Release 19.4R3 for vSRX.
Note Starting in Junos OS Release 17.4R1, upon completion of the vSRX image upgrade, the original image is removed by default as part of the upgrade process.
- Log in and use the
show versioncommand to verify the upgrade.--- JUNOS 20.3-2020-9-10.0_RELEASE_20.3_THROTTLE Kernel 64-bit JNPR-11.0-20171012.170745_fbsd- At least one package installed on this device has limited support. Run 'file show /etc/notices/unsupported.txt' for details. root@:~ # cli root> show version Model: vsrx Junos: 20.3-2020-9-10.0_RELEASE_20.3_THROTTLE JUNOS OS Kernel 64-bit [20171012.170745_fbsd-builder_stable_11] JUNOS OS libs [20171012.170745_fbsd-builder_stable_11] JUNOS OS runtime [20171012.170745_fbsd-builder_stable_11] JUNOS OS time zone information [20171012.170745_fbsd-builder_stable_11] JUNOS OS libs compat32 [20171012.170745_fbsd-builder_stable_11] JUNOS OS 32-bit compatibility [20171012.170745_fbsd-builder_stable_11] JUNOS py extensions [20171017.110007_ssd-builder_release_174_throttle] JUNOS py base [20171017.110007_ssd-builder_release_174_throttle] JUNOS OS vmguest [20171012.170745_fbsd-builder_stable_11] JUNOS OS crypto [20171012.170745_fbsd-builder_stable_11] JUNOS network stack and utilities [20171017.110007_ssd-builder_release_174_throttle] JUNOS libs [20171017.110007_ssd-builder_release_174_throttle] JUNOS libs compat32 [20171017.110007_ssd-builder_release_174_throttle] JUNOS runtime [20171017.110007_ssd-builder_release_174_throttle] JUNOS Web Management Platform Package [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx libs compat32 [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx runtime [20171017.110007_ssd-builder_release_174_throttle] JUNOS common platform support [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx platform support [20171017.110007_ssd-builder_release_174_throttle] JUNOS mtx network modules [20171017.110007_ssd-builder_release_174_throttle] JUNOS modules [20171017.110007_ssd-builder_release_174_throttle] JUNOS srxtvp modules [20171017.110007_ssd-builder_release_174_throttle] JUNOS srxtvp libs [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx libs [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx Data Plane Crypto Support [20171017.110007_ssd-builder_release_174_throttle] JUNOS daemons [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx daemons [20171017.110007_ssd-builder_release_174_throttle] JUNOS Online Documentation [20171017.110007_ssd-builder_release_174_throttle] JUNOS jail runtime [20171012.170745_fbsd-builder_stable_11] JUNOS FIPS mode utilities [20171017.110007_ssd-builder_release_174_throttle]
Validating the OVA Image
If you have downloaded a vSRX .ova image and need to validate it, see Validating the vSRX .ova File for VMware.
Note that only .ova (VMware platform) vSRX images can be validated. The .qcow2 vSRX images for use with KVM cannot be validated the same way. File checksums for all software images are, however, available on the download page.