Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for vSRX


These release notes accompany Junos OS Release 19.4R3 for vSRX. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for vSRX.

Release 19.4R3 New and Changed Features

There are no new features for vSRX in in Junos OS Release 19.4R3.

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for vSRX.


  • Repetition of WALinuxAgent logs causing file size increase (vSRX 3.0)—The Azure WALinuxAgent performs the provisioning job for the vSRX instances. When a new vSRX instance is deployed, the continued increasing size of the waagent log file might cause the vSRX to stop.

    If the vSRX is still operating, then delete the /var/log/waagent.log directly or run the clear log waagent.log all command to clear the log file.

    Or you can run the set groups azure-provision system syslog file waagent.log archive size 1m and set groups azure-provision system syslog file waagent.log archive files 10 commands to prevent the growing of the waagent logs. These configurations will cause the rotation of log of waagent with the size bigger than 1MB and set a maximum of 10 backups.

    See vSRX with Microsoft Azure.

Known Limitations

Learn about known limitations in Junos OS Release 19.4R3 for vSRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.


  • The CA profile group imported using J-Web is not populated in the Certificate Authority Group initial landing page grid, but all the CA profiles of a group are populated on the Trusted Certificate Authorities landing page. PR1426682

  • When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is autorefreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214

Platform and Infrastructure

  • When the traffic flow is high (throughput of 2 Gbps or more), reboot of vSRX 3.0 running with Hyper-V on windows server 2016 is not recommended. vSRX 3.0 VM might hang during boot process. We recommend that you schedule a reboot or an upgrade when there is no traffic. As a workaround, to recover the vSRX 3.0 VM, restart the instance again when the traffic stops. PR1394792

Unified Threat Management (UTM)

  • vSRX and vSRX 3.0 platforms with less than 8 GB of memory do not support HA on-box AV light mode or heavy mode. PR1454623

User Access and Authentication

  • On vSRX 3.0 running on Azure, there might be one more IP address configured on fxp0 intermittently besides the IP assigned by DHCP, which would cause CLI upgrade failure when HSM is enabled. PR1461678

Open Issues

Learn about open issues in Junos OS Release 19.4R3 for vSRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.


  • If multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector rekeys at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. New negotiation of those traffic selectors might be triggered through other mechanisms such as traffic or peer. PR1287168

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Security

  • The flow performance might be reduced in the Security Intelligence scenario. PR1491682

  • The flowd srxpfe process might stop when SSL proxy and AppSecure process traffic simultaneously. PR1516969


  • On Microsoft Azure deployments, SSH public key authentication is not supported for vSRX 3.0 CLI and portal deployment. PR1402028

Flow-Based and Packet-Based Processing

  • A chassis cluster node might stop passing traffic. PR1528898

Intrusion Detection and Prevention (IDP)

  • The IDP attack detection might not work in a specific situation. PR1497340


  • Infinite loading circle may be encountered via J-Web. PR1493601

Platform and Infrastructure

  • The vSRX instance might restart unexpectedly. PR1479156

  • The srxpfe process might stop if a reboot or upgrade is performed. PR1490878

  • The clock drift issue might cause control link failure of a vSRX cluster running on KVM hypervisor. PR1496937

  • On vSRX the interfaces might remain shut as the FPC faces issues while coming online after an upgrade attempt on the device. PR1499092

  • When SSL proxy is enabled and if the vSRX instance runs out of memory, then the SSL proxy module might stop. PR1505013

  • Changes to the configuration command for assigning more vCPUs to the Routing Engine. PR1505724

  • With CSO SD-WAN configuration loaded, flowd process generates core files while deleting the GRE IPsec configuration. PR1513461

Routing Policy and Firewall Filters

  • Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002

Unified Threat Management (UTM)

  • The source and destination IP or port fields were reversed for Content-Filtering and Anti-Virus logs. These fields now reflect the source and destination of the flow correctly. PR1499327


  • The Ping-icmp test fails after configuring ecmp routes over multipoint tunnel interface VPNs PR1438311

  • The flowd process might stop in IPsec VPN scenario. PR1517262

Migration, Upgrade, and Downgrade Instructions

This section contains information about how to upgrade Junos OS for vSRX using the CLI. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

You also can upgrade to Junos OS Release 19.4R3 for vSRX using J-Web (see J-Web) or the Junos Space Network Management Platform (see Junos Space).

Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Releases 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, or 19.2 is supported.

The following limitations apply:

  • Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Release 19.3 and higher is not supported. For upgrade between other combinations of Junos OS Releases in vSRX and vSRX 3.0, the general Junos OS upgrade policy applies.

  • The file system mounted on /var usage must be below 14% of capacity.

    Check this using the following command:

    show system storage | match " /var$" /dev/vtbd1s1f

    Using the request system storage cleanup command might help reach that percentage.

  • The Junos OS upgrade image must be placed in the directory /var/host-mnt/var/tmp/. Use the request system software add /var/host-mnt/var/tmp/<upgrade_image>

  • We recommend that you deploy a new vSRX virtual machine (VM) instead of performing a Junos OS upgrade. That also gives you the option to move from vSRX to the newer and more recommended vSRX 3.0.

  • Ensure to back up valuable items such as configurations, license-keys, certificates, and other files that you would like to keep.


For ESXi deployments, the firmware upgrade from Junos OS Release 15.1X49-Dxx to Junos OS releases 17.x, 18.x, or 19.x is not recommended if there are more than three network adapters on the 15.1X49-Dxx vSRX instance. If there are more than three network adapters and you want to upgrade, then we recommend that you either delete all the additional network adapters and add the network adapters after the upgrade or deploy a new vSRX instance on the targeted OS version.

Upgrading Software Packages

To upgrade the software using the CLI:

  1. Download the Junos OS Release 19.4R3 for vSRX .tgz file from the Juniper Networks website. Note the size of the software image.
  2. Verify that you have enough free disk space on the vSRX instance to upload the new software image.
  3. Optionally, free up more disk space if needed to upload the image.

    If this command does not free up enough disk space, see [SRX] Common and safe files to remove in order to increase available system storage for details on safe files you can manually remove from vSRX to free up disk space.

  4. Use FTP, SCP, or a similar utility to upload the Junos OS Release 19.4R3 for vSRX .tgz file to /var/crash/corefiles/ on the local file system of your vSRX VM. For example:
  5. From operational mode, install the software upgrade package.

    If no errors occur, Junos OS reboots automatically to complete the upgrade process. You have successfully upgraded to Junos OS Release 19.4R3 for vSRX.


    Starting in Junos OS Release 17.4R1, upon completion of the vSRX image upgrade, the original image is removed by default as part of the upgrade process.

  6. Log in and use the show version command to verify the upgrade.

Validating the OVA Image

If you have downloaded a vSRX .ova image and need to validate it, see Validating the vSRX .ova File for VMware.

Note that only .ova (VMware platform) vSRX images can be validated. The .qcow2 vSRX images for use with KVM cannot be validated the same way. File checksums for all software images are, however, available on the download page.