
Junos OS Release Notes for SRX Series

These release notes accompany Junos OS Release 20.1R2 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.

Release 20.1R2 New and Changed Features

There are no new features in Junos OS Release 20.1R2 for the SRX Series devices.

Release 20.1R1 New and Changed Features

Application Security

  • Custom application enhancements (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.1R1, we’ve enhanced the custom applications signature functionality by providing a new set of applications and contexts.

    Application identification allows you to create custom application signatures to detect applications specific to your network environment. You can create custom application signatures for applications based on ICMP, IP protocol, IP address, and Layer 7 or TCP/UDP stream. While configuring the custom application signatures, you must specify the context values that the device can use to match the patterns in the application traffic.

    Custom application signature contexts are part of application signature package. You must download and install the latest application signature package version 3248 or later to use new contexts for custom application signatures.

    [See Custom Application Signatures for Application Identification.]

  • Default mechanism to forward the traffic through APBR rule (NFX Series, SRX Series, and vSRX)—Starting in Junos OS 20.1R1, you can configure an APBR rule by specifying the dynamic application match criteria with the any keyword. This provides a default mechanism to forward the traffic to a specific next-hop device or to a destination if the traffic matches any dynamic application.

    [See Advanced Policy-Based Routing.]

  • AppQoE support for granular APBR rules (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.1R1, AppQoE utilizes the granular rule matching functionality of advanced policy-based routing (APBR) for better quality of experience (QoE) for the application traffic.

    In Junos OS Release 18.2R1, APBR supported configuring policies by defining source addresses, destination addresses, and applications as match conditions. After a successful match, the configured APBR profile is applied as an application service for the session. In this release, AppQoE leverages the APBR enhancement and selects the best possible link for the application traffic as sent by APBR to meet the performance requirements specified in the SLA.

    [See Application Quality of Experience.]

Authentication and Access Control

  • Support for UPN as user identity (SRX Series)—Starting in Junos OS Release 20.1R1, you can use the User Principal Name (UPN) as the logon name in firewall authentication, which works as a captive portal for JIMS or the user firewall.

    You can use UPN as the logon name along with cn or sAMAccountName at the same time. UPN can be used instead of sAMAccountName to authenticate a user.

    Even if the user uses UPN as the logon name, firewall authentication pushes the sAMAccountName (mapped to the UPN) to user ID rather than pushing the UPN.

    Firewall-authentication pushes both UPN and sAMAccountName (mapping to the UPN) to JIMS.

    [See Understanding Advanced Query Feature for Obtaining User Identity Information from JIMS.]

  • Trusted Platform Module (TPM) to bind secrets (SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 20.1R1, we’ve introduced the TPM support on the SRX5000 line of devices with SRX5K-RE3-128G Routing Engine (RE3). The TPM chip is enabled by default to make use of TPM functionality.

    When TPM is activated, it protects the private keys stored in Junos OS.

    [See Using Trusted Platform Module to Bind Secrets on SRX Series Devices.]

Flow-Based and Packet-Based Processing

  • Support of IPFIX formatting and chassis cluster for SRX J-Flow functionality (SRX300, SRX320, SRX340, SRX345, and SRX550HM)—Starting with Junos OS Release 20.1R1, you can configure a chassis cluster and define an IPFIX flow record template suitable for IPv4 traffic or IPv6 traffic. IPFIX is an enhanced version of the J-Flow version 9 template. Using IPFIX, you can collect a set of sampled flows and send the record to a specified host.

    [See Configuring Flow Aggregation to Use IPFIX Flow Templates on MX, vMX and T Series Routers, EX Series Switches, and SRX devices.]

  • Support service inspection for pass-through IP-IP and GRE tunnel in TAP mode (SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, and SRX4200)—Starting in Junos OS Release 20.1R1, TAP mode inspects IP-IP and GRE inner tunnel traffic by de-encapsulating the outer and inner IP header (up to two levels) to create flow sessions. You can configure up to eight TAP interfaces on an SRX Series device.

    [See TAP Mode for Flow Sessions, and forwarding-options.]

GPRS

  • Increase in GTP scale for IoT and roaming firewall applications (SRX1500, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 20.1R1, in addition to the existing support on SRX5400, SRX5600, SRX5800, and SRX4600, to enable the Internet of Things (IoT) and roaming firewall use cases, the GTP tunnel scale is increased for the following SRX Series devices:

    • SRX1500: 204,800 to 1,024,000

    • SRX4100: 409,600 to 4,096,000

    • SRX4200: 819,200 to 4,096,000

    For vSRX instances, the number of tunnels supported depends on the available system memory.

    [See Understanding Policy-Based GTP.]

Hardware

  • SRX380 Services Gateway—The SRX380 Services Gateway is a high performance and all-in-one networking device, which consolidates routing, switching, and security. With next-generation firewall features and advanced threat mitigation capabilities, the SRX380 device provides cost-effective and secure connectivity across distributed enterprise locations. A 1U form factor model with a 16-core MIPS processor and 4-GB DDR4 RAM, the SRX380 device supports up to 10-Gbps firewall performance.

    The SRX380 device has an integrated 100-GB SSD and provides high port density with 16 on-board PoE-enabled 1-Gigabit Ethernet RJ-45 ports and 4 10-Gigabit Ethernet SFP+ ports. All the ports support AES-256 MACsec encryption. The SRX380 device has dual AC power supplies and supports up to four Mini-PIMs.

    The SRX380 supports the same features as those supported on the existing SRX300 line of services gateways. For the complete list of features supported on the SRX380, see Feature Explorer.

    [See SRX380 Services Gateway Overview.]

Interfaces and Chassis

  • Support for new show | display set CLI commands (ACX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.1R1, the following new show commands have been introduced:

    • show | display set explicit—Display explicitly, as a series of commands, all the configurations that the system internally creates when you configure certain statements from the top level of the hierarchy.

    • show | display set relative explicit—Display explicitly, as a series of commands, all the configurations that the system internally creates when you configure certain statements from the current hierarchy level.

    [See show | display set and show | display set relative.]

Intrusion Detection and Prevention

  • HTTP X-Forwarded-For header support in IDP (SRX Series)—Starting from Junos OS Release 20.1R1, we've introduced the log-xff-header option to record the X-Forwarded-For header (xff-header) information. When this option is enabled, IDP saves the source IP addresses (IPv4 or IPv6) from the contexts for HTTP and SMTP traffic during the traffic flow and displays them in attack logs.

    The xff-header is not processed unless it is enabled through sensor-configuration.

    • To enable the xff-header, use the set security idp sensor-configuration global log-xff-header command.

    • To disable the xff-header, use the delete security idp sensor-configuration global log-xff-header command.

    Previously, when you accessed the Internet, the servers used transparent proxies to lessen the external bandwidth. It was difficult to identify the originating source IP address because the proxy server replaced it with an anonymous source IP address.

    [See Understanding Multiple IDP Detector Support.]
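The item above describes IDP recording the X-Forwarded-For addresses in attack logs. As an added example, not Juniper's code and not how IDP itself parses the header, here is a small Python parser that a log consumer or SIEM rule could use to read such a header: it extracts the IPv4/IPv6 chain from a constructed HTTP request head and, going one step beyond the release note, picks the originating client by walking the chain from the nearest hop and skipping proxies in a caller-supplied trusted list, because X-Forwarded-For is written by whoever sends the request and only the hops appended by proxies you operate can be relied on. SAMPLE_REQUEST, the addresses and the trusted-proxy list are constructed values.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample HTTP request head, as a sensor behind a transparent proxy
# would see it. X-Forwarded-For lists the originating client first, then each
# proxy the request passed through.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 203.0.113.7, 198.51.100.2\r\n"
    "User-Agent: constructed-sample\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split an HTTP request head into a dict keyed by lowercase header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        # A repeated header is combined into one comma-separated list (RFC 7230 §3.2.2)
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def xff_addresses(headers: Dict[str, str]) -> List[str]:
    """Return the valid IPv4/IPv6 addresses from X-Forwarded-For, left to right."""
    addrs: List[str] = []
    for token in headers.get("x-forwarded-for", "").split(","):
        token = token.strip()
        if not token:
            continue
        # IPv6 entries may be written as "[2001:db8::1]" or "[2001:db8::1]:443"
        if token.startswith("["):
            token = token[1:].split("]", 1)[0]
        try:
            addrs.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue                               # "unknown", hostnames, garbage
    return addrs


def originating_client(headers: Dict[str, str], trusted_proxies: Iterable[str]) -> Optional[str]:
    """
    Walk the chain from the right (the hop nearest to us), skip every address that
    belongs to a proxy we operate, and return the first address that does not.
    Entries to the left of the first untrusted hop are unverified sender input.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    for addr in reversed(xff_addresses(headers)):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in trusted):
            continue
        return addr
    return None


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REQUEST)
    print("chain:", xff_addresses(hdrs))
    # 198.51.100.0/24 stands in for the proxy you operate (constructed value)
    print("client:", originating_client(hdrs, ["198.51.100.0/24"]))
```

With the proxy network listed as trusted, the function returns the client address on the left of the chain; with an empty trusted list it returns the nearest hop, which is the only address that is not attacker-controlled input in that case.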

Juniper Sky ATP

  • Juniper Sky ATP support for disabling standard Juniper C&C and URL feeds—Starting in Junos OS Release 20.1R1, you can disable standard Juniper command and control (C&C) and URL feeds on SRX Series devices. Disabling the Juniper C&C and URL feeds helps to free the resources on SRX Series devices and makes the resources available for loading custom feeds. Use the set services security-intelligence disable-global-feed (all | feed name feed-name) command to disable the feeds. To enable the feeds, use the delete services security-intelligence disable-global-feed (all | feed name feed-name) command.

    [See set services security-intelligence and show services security-intelligence category summary.]

Junos OS XML API and Scripting

  • The jcs:load-configuration template supports loading the rescue configuration (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.1R1, the jcs:load-configuration template supports the rescue parameter to load and commit the rescue configuration on a device. SLAX and XSLT scripts can call the jcs:load-configuration template with the rescue parameter set to "rescue" to replace the active configuration with the rescue configuration.

    [See Changing the Configuration Using SLAX and XSLT Scripts and jcs:load-configuration Template.]

J-Web

  • J-Web supports SRX380 device—Starting in Junos OS Release 20.1R1, you can use J-Web to manage your SRX380 device. Additionally, you can also:

    • Monitor wireless LAN setting of the supported Wi-Fi Mini-PIM: Monitor > Wireless LAN.

    • View power statistics information using the new Power Budget Statistics tab: Monitor > Chassis Information > Chassis Component Details.

      Note

      You can view the power statistics information only when the device is in standalone mode.

    • Configure wireless LAN setting of the supported Wi-Fi Mini-PIM: Configure > Wireless LAN > Settings.

    • Configure redundant power supply for power management using the new Redundant PSU menu: Configure > Basic Settings.

    [See Dashboard Overview, Monitor Wireless LAN, and About the Settings Page.]

Network Management and Monitoring

Port Security

  • Media Access Control Security (MACsec) support (SRX380)—The SRX380 supports MACsec on all 16 1GbE ports and all four 10GbE ports. MACsec is an industry-standard security technology that provides secure communication for all traffic on point-to-point Ethernet links. The supported cipher suites are GCM-AES-256 and GCM-AES-128. Only static CAK mode is supported.

    [See Understanding Media Access Control Security (MACsec).]

Security

  • Support for security policy reports (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, you can use the show security policy-report command to display detailed security policy reports.

    Optimizing security policies ensures that the policies are efficient. Over time, policies become disorganized and hence ineffective. You can use the show security policy-report command to notify end users when you create new policies or change existing policies in a way that adversely affects other security policies.

    You can use the report-skip command at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name] hierarchy level to exclude the policy from the policy analysis and prevent it from appearing in any future report.

    [See show security policy-report and report-skip.]

  • Support to clear DNS cache if DNS error responses are received (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, you can clear the DNS cache entry IP list when DNS error responses are received. We have introduced a new command, dns-cache under the [edit security policies] hierarchy level, to configure the security policy DNS cache behavior.

    [See dns-cache.]

System Management

  • Restrict option under NTP configuration is now visible (ACX Series, QFX Series, MX Series, PTX Series, and SRX Series)—Starting in Junos OS Release 20.1R1, the noquery command under the restrict hierarchy is now available and can be configured with a mask address. The noquery command is used to restrict ntpq and ntpdc queries coming from hosts and subnets.

    [See Configuring NTP Access Restrictions for a Specific Address.]

Tenant Systems and Logical Systems

  • ICAP service redirect support for tenant systems (SRX Series and vSRX)—You can prevent data loss from your network by employing Internet Content Adaptation Protocol (ICAP) redirect services. Starting in Junos OS Release 20.1R1, you can enable ICAP at the tenant system level, and you can view and clear the ICAP services redirect status and statistics at the tenant system level.

    In addition, we’ve introduced the X-Client-IP, X-Server-IP, X-Authenticated-User, and X-Authenticated-Groups header extensions in an ICAP message to provide information about the source of the encapsulated HTTP message.

    [See ICAP Service Redirect and icap-redirect.]

  • Express Path session status CLI monitoring improvement and traffic logging (SRX4600, SRX5400, SRX5600, and SRX5800)—The Express Path (formerly known as services offloading) support is already available on SRX4600, SRX5400, SRX5600, and SRX5800 Series devices. Express Path considerably reduces packet-processing latency. Starting in Junos OS Release 20.1R1, you can view the total number of services-offload sessions and total number of services-offload packets processed in the CLI. In addition, you can configure the services-offload traffic logging at the logical system and tenant system level.

    [See Express Path.]

VPNs

  • Common configuration payload password support for RADIUS server (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, you can configure a common password for IKEv2 configuration payload requests for an IKE gateway configuration. The common password can be 1 to 128 characters long. This password is used when the SRX Series device requests an IP address on behalf of a remote IPsec peer using the IKEv2 configuration payload over the RADIUS server. The RADIUS server matches the credentials before it assigns any IP information to the configuration payload request.

    [See Understanding IKEv2 Configuration Payload.]

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for SRX Series.

What's Changed in Release 20.1R2

ATP Cloud

  • Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 20.1R2, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Advanced Threat Prevention Cloud (ATP Cloud).

Flow-Based and Packet-Based Processing

  • On SRX Series devices in earlier releases, when the session table was full there was no alarm set to indicate this. Starting from this release, when the percent of flow session table utilization is 95% on FPC and PIC, an alarm message Flow session table is almost full on FPC <number> PIC <number> is set. Similarly, when the percent of DCP session table utilization is 95% on FPC and PIC, an alarm message DCP session table is almost full on FPC <number> PIC <number> is set.

    [See Understanding Session Cache.]

J-Web

  • Change in the J-Web browser tab title (SRX Series)—Starting in Junos OS Release 20.1R2, the J-Web browser tab title displays the device model and the hostname. The same details are displayed when you hover over the J-Web browser tab.

    For example, when you access J-Web for an SRX320 device with a host name srx320-xyz, the J-Web browser tab displays the title as J-Web (srx320 – srx320-xyz).

    If the hostname is not configured, you can see the host URL or IP address in the J-Web browser tab title. For example, J-Web (srx320 – <device IP address>).

VPNs

  • The junos-ike package installed by default (SRX5000 Series devices)—For SRX5000 Series devices with RE3 installed, the junos-ike package is installed by default. As a result, the iked and ikemd processes run on the Routing Engine by default instead of the IPsec key management daemon (kmd). In earlier Junos OS releases, the junos-ike package was an optional package for SRX5000 Series devices with RE3, and the IPsec Key Management Daemon (KMD) ran by default.

    [See Enabling IPsec VPN Feature Set on SRX5K-SPC3 Services Processing Card.]

  • IKE index displayed in show security ipsec security-associations detail output (SRX5400, SRX5600, and SRX5800)—When you execute the show security ipsec security-associations detail command, a new output field, IKE SA Index, corresponding to every IPsec security association (SA) within a tunnel is displayed under each IPsec SA's information.

    [See show security ipsec security-associations.]

What's Changed in Release 20.1R1

ALG

  • Disable the do not fragment flag from packet IP header (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, we’ve introduced the clear-dont-frag-bit option at the [edit security alg alg-manager] hierarchy level to disable the do not fragment flag from the packet IP header, which allows the packet to be split after NAT is performed.

    In Junos OS releases earlier than Release 20.1R1, when the ALG performs payload NAT, the packet sometimes becomes larger than the maximum transmission unit (MTU) of the outgoing interface. If the packet IP header has the do not fragment flag set, this packet cannot be sent out.

    [See alg-manager.]

Application Security

  • Starting in Junos OS Release 20.1R1, you can enable application identification (AppID) to accurately classify a web application that is hosted on a content delivery network (CDN) such as AWS, Akamai, Azure, Fastly, or Cloudflare. Use the following configuration statement to enable CDN application classification:

    When you apply the configuration, AppID identifies and classifies the actual applications that are hosted on the CDN.

    [See Application Identification.]

  • You can configure a maximum memory limit for deep packet inspection (DPI) by using the following configuration statement:

    You can set 1 through 200000 MB as the memory value.

    Once JDPI memory consumption reaches 90% of the configured value, DPI stops processing new sessions.

    [See Application Identification.]

  • Starting in Junos OS Release 20.1R1, you can configure and use IP protocol-based custom application signatures on your SRX Series device.

    In Junos OS Releases 19.2 through 19.4 and their maintenance releases, IP protocol-based custom application signatures do not work as expected. As a workaround, you can configure the IP protocol-based applications at the following hierarchy levels:

    • For unified policy: Use service based application configuration as below:

    • For legacy application firewall: Use predefined IP protocol applications as below:

    [See Custom Application Signatures for Application Identification.]

Ethernet Switching and Bridging

  • LLDP support on redundant Ethernet interfaces (SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500)—Starting in Junos OS Release 20.1R1, you can configure the Link Layer Discovery Protocol (LLDP) on redundant Ethernet (reth) interfaces. Use the set protocols lldp interface <reth-interface> command to configure LLDP on the reth interface.

    [See Configuring LLDP and Ethernet Ports Switching Overview for Security Devices.]

J-Web

  • Deactivated policy rules are not visible in the J-Web UI (SRX Series)—J-Web does not support disabling or enabling the security firewall or global policy rules from Junos OS Release 19.4R1. The policy rules that are deactivated through CLI are also not visible in the J-Web UI. As a workaround, use CLI to disable or enable the policy rules on the device.

Unified Threat Management (UTM)

  • Increase in the UTM scale number (SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 20.1R1, on SRX Series devices, UTM policies, profiles, MIME patterns, filename extensions, protocol commands, and custom messages are increased up to 1500. Custom URL patterns and custom URL categories are increased up to 3000.

    [See Unified Threat Management overview.]

VPNs

  • Public key infrastructure warning message (SRX Series)—Starting in Junos OS Release 20.1R1, the warning message ECDSA Keypair not supported with SCEP for cert_id <certificate id> is displayed when you try to enroll a local certificate using an Elliptic Curve Digital Signature Algorithm (ECDSA) key with Simple Certificate Enrollment Protocol (SCEP), because ECDSA keys are not supported with SCEP.

    Prior to Junos OS Release 20.1R1, the warning message was not displayed.

    [See Example: Enrolling a Local Certificate Online Using SCEP.]

  • Change in display of local certificate serial number (SRX Series)—In Junos OS Release 20.1R1, the output of the show security pki local-certificate detail command is modified to display the PKI local certificate serial number with 0x as prefix to indicate that the PKI local certificate is in the hexadecimal format.

    [See show security pki local-certificate (View).]

Known Limitations

Learn about known limitations in this release for SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

J-Web

  • When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is autorefreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214

Platform and Infrastructure

  • On an SRX4600 device, when LLDP is configured on the interfaces, the Packet Forwarding Engine stops operating due to a segmentation problem. LLDP is currently not supported on the SRX4600, but it can still be configured. PR1422466

  • On SRX5400, SRX5600, and SRX5800 devices, on reth interfaces that are configured as DHCP clients, after a reboot of the device the interface might not get an IP address when you use the default number of DHCP retransmission attempts. When the number of retransmission attempts is increased to 5 or higher, it works fine. PR1458490

  • MACsec is not working as expected on ports of the SRX380 device with peer interfaces on the same cluster. PR1479705

VPNs

  • When multiple traffic selectors are configured on a particular VPN, the iked process checks for a maximum of 1 DPD probe that is sent to the peer for the configured DPD interval. The DPD probe is sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585

  • On the SRX5000 line of devices with SPC3 cards, sometimes the IKE SA is not seen on the device when an st0 binding on a VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, with 60,000 tunnels up, when RG0 failover happens while an IPsec and/or IKE rekey is in progress, those rekeying tunnels might go down and traffic loss might be seen until the tunnel is reestablished. PR1471499

  • In SPC2 and SPC3 mixed-mode HA deployments, tunnel per second (TPS) is getting affected while dead peer detection (DPD) is being served on existing tunnels. This limitation is due to a large chunk of CPU being occupied by infrastructure (gencfg) used by IKED to synchronize its DPD state to the backup nodes. PR1473482

Open Issues

Learn about open issues in this release for SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

ATP Cloud

  • CLI autocomplete is now available for both SecIntel and advanced anti-malware products. PR1487419

Flow-Based and Packet-Based Processing

  • Use an antireplay window size of 512 for IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence there are no out-of-order packets with a 512-packet antireplay window size. PR1470637

  • The SRX380 device has a large number of switch ports and needs to monitor their statistics in real time. Due to this, some of the Routing Engine CPU is always consumed during these operations. If you need to ensure maximum Routing Engine performance, you can dedicate a Packet Forwarding Engine core to the uKernel to more efficiently manage this task. To do this, use the set chassis dedicated-kern-cpu command. PR1527147

  • The MAC table is null in Layer 2 mode after one pass-through session is created successfully. PR1528286
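To make the arithmetic in the antireplay item above concrete, here is an added Python example; it is not Juniper's code and not how Junos implements the check. It implements the sliding-window replay check in the style of RFC 4303 Appendix A and feeds it a constructed worst-case delivery order in which each batch of 384 sequence numbers (12 cores x 32 packets) arrives reversed, so a packet can be up to 383 positions late. With a 512-packet window nothing is flagged; with a 64-packet window (a comparison value chosen here, not a Junos default) most of every batch is rejected as out of order. The batch size, batch count and window sizes are constructed inputs.

```python
class AntiReplayWindow:
    """
    Sliding-window replay check of the kind ESP uses (RFC 4303, Appendix A).
    `top` is the highest sequence number accepted so far and bit i of `bitmap`
    records whether sequence number top - i has already been seen.
    """

    def __init__(self, size: int) -> None:
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.accepted = 0
        self.rejected = 0

    def check(self, seq: int) -> bool:
        """Return True and record the packet if seq is fresh and inside the window."""
        if seq <= 0:                          # ESP sequence numbers start at 1
            self.rejected += 1
            return False
        if seq > self.top:                    # new high-water mark: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything tracked so far falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            self.accepted += 1
            return True
        diff = self.top - seq
        if diff >= self.size:                 # older than the window: out of order
            self.rejected += 1
            return False
        if (self.bitmap >> diff) & 1:         # already seen: replay
            self.rejected += 1
            return False
        self.bitmap |= 1 << diff
        self.accepted += 1
        return True


def simulate_reordered_delivery(window_size: int, batch: int = 384, batches: int = 2):
    """
    Constructed worst case for the reordering the release note describes: the
    sender numbers packets 1..N in order, but each batch of `batch` packets is
    delivered in reverse. Returns (accepted, rejected) as counted by the window.
    """
    win = AntiReplayWindow(window_size)
    for b in range(batches):
        first = b * batch + 1
        for seq in range(first + batch - 1, first - 1, -1):
            win.check(seq)
    return win.accepted, win.rejected


if __name__ == "__main__":
    for size in (64, 512):
        acc, rej = simulate_reordered_delivery(size)
        print(f"window {size:>3}: accepted={acc} rejected={rej}")
```

Because every late packet in this delivery order is at most 383 positions behind the highest sequence number seen, any window of 384 or more accepts all of them; the release note's 512 leaves headroom above that bound. A genuine replay is still caught regardless of window size, since the bitmap remembers each accepted sequence number until it slides out.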

J-Web

  • On the SRX5000 line of devices, J-Web might not be responsive sometimes when you commit configuration changes after adding a new dynamic application while creating a new firewall rule. J-Web displays a warning while validating the configuration due to dynamic application or any other configuration changes. As a workaround, refresh the J-Web page. PR1460001

  • The firewall Web authentication graphics have been updated. PR1482433

Routing Policy and Firewall Filters

  • If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907

  • An issue was discovered within unified policies that affected the url-category match condition that can cause it to over-match and apply to more traffic than it should. PR1546120

VPNs

  • In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported in Junos OS Release 18.2R2 and later. PR1383329

  • The command show security pki local-certificate logical-system all is not showing any output. PR1414628

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • On the SRX5000 line of devices with SPC3 cards, sometimes the IKE SA is not seen on the device when an st0 binding on a VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411

  • IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951

  • In an IPsec VPN scenario on the SRX5000 line of devices, the iked process treats retransmission of IKE_INIT request packets as new connections when the SRX Series device acts as a responder of IKE negotiation. This causes IKE tunnel negotiation to fail, and IPsec VPN traffic might be impacted. PR1460907

  • On the SRX5000 line of devices with SPC3 and SPC2 mixed mode, with a very large amount of IKE peers (60,000) with dead peer detection (DPD) enabled, IPsec tunnels might flap in some cases when IKE and IPsec rekeys are happening at the same time. PR1473523

  • Some TCP connections going through IPsec tunnels get stuck after RG1 failover. PR1477184

  • During 10,000 tunnel ramp-up, sometimes, IKED generates a core file. PR1479548

  • On the SRX5000 line of devices with SPC3, the tunnel is not brought down immediately after disabling the interface of the peer device with DPD always-send configured on a site-to-site route-based VPN. PR1480905

  • On the SRX5000 line of devices, with extended-sequence-number (ESN) configured, the IPsec tunnel might be re-established. This issue recovers by itself, but traffic loss happens while the IPsec tunnel flaps. PR1488087

  • Unexpected extra NL characters were seen in PyEZ XML outputs. This caused issues while writing op scripts. However, with normalize=True in the PyEZ script, you can avoid having NL between each tag, and with the pretty_print option ensure that the printed output is clean. PR1492146

  • The SRX5000 line of devices with SPC3 was not supporting simultaneous IKE negotiation in Junos OS Releases 19.2, 19.3, 19.4, and 20.1. PR1497297

  • IPsec traffic might get dropped after RG0 failover. PR1522931

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 20.1R2

Application Layer Gateways (ALGs)

  • FTPS traffic might get dropped on SRX Series and MX Series devices if FTP ALG is used. PR1483834

  • The srxpfe and mspmand process might stop if FTPS is enabled in a specific scenario. PR1510678

Application Security

  • AppQoE support for dynamic-application. PR1503400

Chassis Clustering

  • The show chassis temperature-thresholds command displays extensive FPC 0 output. PR1485224

  • On SRX4100 and SRX4200 devices with chassis cluster in transparent mode, when a failover occurs for RG1, the interface on the new secondary node is getting flapped as expected to let the switch update its MAC address table. PR1490291

  • IP monitoring on SRX4100 and SRX4200 device might fail in the rare event that a chassis internal connection between Routing Engine and Packet Forwarding Engine is temporarily down after RG0 failover. PR1502462

  • The ISSU fails with timeout due to cold synchronization failure. PR1502872

Flow-Based and Packet-Based Processing

  • The show security group-vpn server statistics | display xml command output is not in the expected format. PR1349959

  • ECMP load balancing does not happen when RG1 node 0 is secondary. PR1475853

  • The flowd or srxpfe process might stop when deleting the user firewall local authentication table entry. PR1477627

  • On Web proxy, there is a memory leak in the association hash table and the DNS hash table. PR1480760

  • IMAP curl sessions get stuck in the active state if AAMW IMAP block mode is configured. PR1484692

  • The flowd process might stop and impact services if J-Flow version 9 is configured. PR1486528

  • The set chassis psu redundancy n-plus-n configuration needs to be supported in high availability (HA) mode. PR1486746

  • Commit does not work after the installation through boot loader. PR1487831

  • If a cluster ID of 16 or multiples of 16 is used, the chassis cluster might not come up. PR1487951

  • CPU board inlet increases after OS upgrade from Junos OS Release 15.1X49 to Junos OS Release 18.x. PR1488203

  • All interfaces remain in the down status after the SRX300 line of devices power up or reboot. PR1488348

  • GRE or IPsec tunnel might not come up when the set security flow no-local-favor-ecmp command is run. PR1489276

  • Sometimes multiple flowd core files are generated on both nodes of a chassis cluster at the same time when changing media MTU. PR1489494

  • Continuous drops seen in control traffic, with high data queues in one SPC2 PIC. PR1490216

  • Not able to clear the warm sessions on the peer SRX Series devices. PR1493174

  • The phone client stops during ZTP of an SRX345 device with CSO. PR1496650

  • Outbound SSH connection flap or memory leak issue might be observed during the high rate of pushing the configuration to the ephemeral database. PR1497575

  • Unexpected flow logging traffic beyond the packet filter. PR1497939

  • Traffic interruption happens due to MAC address duplication between two devices running Junos OS. PR1497956

  • Do not use uppercase characters for source-identity when using the show security match-policies command. PR1499090

  • On SRX Series devices, when a GRE or IP-IP tunnel is used, traffic drop might be seen if interface change events (such as interface flapping) happen. PR1500091

  • The srxpfe or flowd process might stop due to memory corruption within JDPI. PR1500938

  • J-Flow version 9 does not display the correct outgoing interface for APBR traffic. PR1502432

  • A condition within TCP proxy could result in downloads becoming permanently stuck or not completing. TCP proxy is used by multiple services, including Juniper ATP Cloud in block mode, ICAP, SSL proxy, antivirus, content filtering, and antispam. PR1502977

  • Fabric interface might be monitored down after chassis cluster reboot. PR1503075

  • A cfmd core file is observed when LTM is triggered for the session configured on the ethernet-switching interface without bridge domain configuration. PR1503696

  • Layer 2 ping is not working with remote MEP. PR1504986

  • SOF asymmetric scenario is not working with the phase 1 solution. PR1507865

  • If dynamic-app is configured along with other Layer 7 applications in different rules, some sessions still show up in the SLA database with application any after the application has been identified. PR1514973

  • VRRP does not work on the redundant Ethernet interface with a VLAN ID greater than 1023. PR1515046

  • A logic issue was corrected in SSL proxy that could lead to an srxpfe or flowd core file under load. PR1516903

  • The PPPoE session does not come up after return to zero on SRX Series devices. PR1518709

  • The TCP packet might be dropped if syn-proxy protection is enabled. PR1521325

  • On SRX Series devices with chassis clusters, high CPU usage might be seen due to the llmd process. PR1521794

  • Certificate validation might fail when OCSP is used and the OCSP server is a dual-stack device. PR1525924

  • Traffic rate shown in the CLI command is not accurate. PR1527511

  • On SRX4100 and SRX4200 devices, four out of eight fans might not work. PR1534706

  • The rst-invalidate-session configuration does not work if configured together with no-sequence-check. PR1541954

  • NSD core file is generated at function nsd_malloc, file ../../../../../../src/usp/usr.sbin/nsd/common/nsd_common.c, line 482. PR1542942

Intrusion Detection and Prevention (IDP)

  • When the intelligent inspection status changes, a syslog message is not generated on the SRX300 and SRX500 lines of devices. PR1448365

  • The IDP attack detection might not work in a specific situation. PR1497340

  • IDP's custom-attack time-binding interval command was mistakenly hidden within the CLI. PR1506765

J-Web

  • While creating a firewall policy rule, the list of available dynamic applications is empty in HA on the Select Dynamic Application page. PR1490346

  • Junos OS: Reflected cross-site scripting vulnerability in J-Web and web-based (HTTP/HTTPS) services (CVE-2020-1673). PR1493385

  • You cannot configure Redundant PSU and Power Budget Statistics on the SRX380 device, which is in HA mode, through J-Web. PR1493713

  • The J-Web users might not be able to configure PPPoE using the PPPoE wizard. PR1502657

  • J-Web chassis status widget is incorrectly reporting temperature alarms. PR1507156

  • In a multiple logical systems scenario, J-Web shows the parameters of another LSYS. PR1518675

Layer 2 Ethernet Services

  • DHCP does not work after running request system zeroize or load factory-default. PR1521704

MPLS

  • BGP session might keep flapping between two directly connected BGP peers because of the wrong TCP-MSS in use. PR1493431

Network Address Translation (NAT)

  • Not all NAT sessions are synchronized from Node 1 to Node 2. PR1473788

  • Issuing the show security nat source paired-address command might return an error. PR1479824

Platform and Infrastructure

  • On the SRX1500 device and the SRX4000 line of devices, physically disconnecting the cable from the fxp0 interface causes hardware monitor failure and redundancy group failover, when the device is the primary node in a chassis cluster. PR1467376

  • The SRX1500 device and the SRX4000 line of devices might boot up with the rescue configuration after a power outage. PR1490181

  • Packets get dropped when the next hop is IRB over the LT interface. PR1494594

  • The /usr/libexec/ui/yang-pkg and /usr/libexec/ui/pyang files are not found in SRX Series devices during YANG installation. PR1496577

  • Junos OS: Arbitrary code execution vulnerability in Telnet server (CVE-2020-10188). PR1502386

  • On the SRX1500 device, the factory-default configuration for ge-0/0/0 and ge-0/0/15 should be set with family inet DHCP. PR1503636

  • Syslog reports "PFE_FLOWD_SELFPING_PACKET_LOSS: Traffic impact: Selfping packets loss/err: 300 within 600 second" error messages on the node 0 and node 1 control panel. PR1522130

Routing Policy and Firewall Filters

  • TCP proxy was mistakenly engaged in unified policies when Web filtering was configured in potential match policies. PR1492436

  • Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002

Routing Protocols

  • The BGP route-target family might prevent the route reflector from reflecting Layer 2 VPN and Layer 3 VPN routes. PR1492743

  • The rpd might report 100% CPU usage with BGP route damping enabled. PR1514635

Unified Threat Management (UTM)

  • UTM websense redirect supports IPv6 messages. PR1481290

  • UTM does not allow e-mails from outside to inside to be received. PR1523222

VPNs

  • IKE SA does not get cleared and shows a very long lifetime. PR1439338

  • With NCP remote access solution, in a PathFinder case (for example, where IPsec traffic has to be encapsulated as TCP packets), TCP encapsulation for transit traffic is failing. PR1442145

  • The newly configured IPsec tunnels might be stuck in VPNM verify-path state in a tunnel scaled scenario. PR1464353

  • On an SRX4200 device, a 35 percent drop is seen in all TPS cases. PR1481625

  • On SRX Series devices with SPC3, when overlapping traffic selectors are configured, multiple IPsec SAs get negotiated with the peer device. PR1482446

  • Traffic might be lost after the rekey if responder-only is configured on SRX Series devices. PR1485029

  • Use different XML tags for local and remote IKE IDs to avoid confusion. PR1493368

  • Issue with the XML RPC output of the show security ipsec tunnel-distribution summary command. PR1494274

  • On SRX Series devices using IPsec with NAT traversal, MTU size for the external interface might be changed after IPsec SA is reestablished. PR1530684

Resolved Issues: 20.1R1

Application Layer Gateways (ALGs)

  • Packets whose IP header has the DF flag set might be dropped by the SRX Series ALG after payload NAT. PR1444068

  • On the SRX5000 line of devices, the H323 call with NAT64 could not be established. PR1462984

  • RTSP data sessions are cleared unexpectedly during cold sync. PR1468001

  • The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942

  • SIP messages that need to be fragmented might be dropped by SIP ALG. PR1475031

Authentication and Access Control

  • Same-source IP sessions are cleared when the IP entry is removed from the UAC table. PR1457570

Chassis Clustering

  • IP monitoring might fail on the secondary node. PR1468441

  • An unhealthy node might become primary in SRX4600 devices with chassis cluster scenario. PR1474233

Flow-Based and Packet-Based Processing

  • The trusted-ca and root-ca names or IDs should not be the same within an SSL proxy configuration. PR1420859

  • Packet loss is caused by FPGA back pressure on SPC3. PR1429899

  • Control logical interface is not created by default for LLDP. PR1436327

  • Security logs cannot be sent to the external syslog server through TCP. PR1438834

  • The SPC card might stop on the SRX5000 line of devices. PR1439744

  • Flowd process core files are generated in the device while testing NAT PBA in AA mode. PR1443148

  • The SSL-based AppID simplification effort (removal of HTTPS, POP3S, IMAPS, SMTPS). PR1444767

  • In the BERT test for the E1 interface, the bit count is not within the expected range. PR1445041

  • The flowd process might stop on SRX Series devices when chassis cluster and IRB interface are configured. PR1446833

  • The AAMW policy rules for IMAP traffic sometimes might not get applied when the traffic passes through SRX Series devices. PR1450904

  • Introduction of default inspection limits for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180

  • The SRX Series devices stop and generate several core files. PR1455169

  • When you try to reset the system configuration on an SRX1500 device using the reset config button, it does not work properly. PR1458323

  • The security flow traceoptions fills in with RTSP ALG-related information. PR1458578

  • Optimizations were made to improve the connections-per-second performance of SPC3. PR1458727

  • With LTE dual CPE support using mPIMs, the wait timer needs to be increased when the modem receives a disconnect event from the ISP. PR1460102

  • The security-intelligence CC feed does not block HTTPS traffic based on SNI. PR1460384

  • The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619

  • A command was added to clear a specified associated client. PR1461577

  • The srxpfe or flowd process might stop if the sampling configuration is changed. PR1462610

  • The tunnel packets might be dropped because the gr0.0 or st0.0 interface is wrongly calculated after a GRE or VPN route change. PR1462825

  • Fragmented traffic might get looped between the fab interface in a rare case. PR1465100

  • TCP session might not time out properly upon receiving TCP RESET packet. PR1467654

  • A core file might be generated when you perform an ISSU on SRX Series devices. PR1463159

  • The PKI daemon keeps leaking memory on SRX Series devices. PR1465614

  • HTTP block message stops working after SNI check for HTTPS session. PR1465626

  • Loading CA certificate causes PKI daemon core file to be generated. PR1465966

  • The jbuf process usage might increase up to 99 percent after Junos OS upgrade. PR1467351

  • The rpd process might stop after several changes to the flow-spec routes. PR1467838

  • Packet Forwarding Engine might generate core files because SSL proxy is enabled on NFX Series and SRX Series devices. PR1467856

  • Server unreachable is detected; ensure that port 443 is reachable. PR1468114

  • Tail drop on all ports is observed when any switch-side egress port gets congested. PR1468430

  • FTP data connection might be dropped if SRX Series devices send the FTP connection traffic through the dl interface. PR1468570

  • RPM test probe fails to show that round-trip time has been exceeded. PR1471606

  • Lookup failure for the expected e-mail address in the DUT. PR1472748

  • Stateful firewall rule configuration deletion might lead to memory leak. PR1475220

  • The dfs-off function is enabled. PR1475294

  • The nsd process pause might be seen during device reboots if dynamic application groups are configured in policy. PR1478608

  • The show mape rule statistics command might display negative values. PR1479165

  • Sometimes multiple flowd core files are generated on both nodes of chassis cluster at the same time when changing media MTU. PR1489494

Interfaces and Chassis

  • The number of mgd processes increases because the mgd processes are not closed properly. PR1439440

  • Static route through dl0.0 interface is not active. PR1465199

  • MAC limiting on Layer 3 routing interfaces does not work. PR1465366

Intrusion Detection and Prevention (IDP)

  • SNMP queries might cause a commit or show command to fail due to IDP. PR1444043

  • Updating the IDP security package offline might fail in SRX Series devices. PR1466283

J-Web

  • The default log query time in J-Web monitoring functionality has been reduced. This increases the responsiveness of the landing pages. PR1423864

  • Editing destination NAT rule in J-Web introduces a nonconfigured routing instance field. PR1461599

  • The Go button within the J-Web Monitor>Events view now correctly refreshes the logs even when using a blank search query. PR1464593

  • J-Web security resources dashboard widget was not being populated correctly. PR1464769

Layer 2 Ethernet Services

  • The metric is not changing when configured under the DHCP. PR1461571

Network Address Translation (NAT)

  • The flowd or srxpfe process might stop when traffic is processed by both ALGs and NAT. PR1471932

  • Issuing the show security nat source paired-address command might return an error. PR1479824

Network Management and Monitoring

  • The flowd or srxpfe process might stop immediately after committing the jflowv9 configuration or after upgrading to affected releases. PR1471524

  • SNMP trap coldStart agent-address becomes 0.0.0.0. PR1473288

Platform and Infrastructure

  • Modifying the REST configuration might cause the system to become unresponsive. PR1461021

  • VM core files might be generated if the configured sampling rate is more than 65,535. PR1461487

  • On the SRX300 line of devices, the authentication table might load slowly while using user identification. PR1462922

  • The AE interface cannot be configured on an SRX4600 device. PR1465159

  • On SRX Series devices, Packet Forwarding Engine memory might be used up if the security intelligence feature is configured. PR1472926

  • Support for LLDP on the reth interface. PR1473456

  • Certificate error occurs during configuration validation when upgrading Junos OS. PR1474225

  • Packet drop might be observed on the SRX300 line of devices when adding or removing an interface from MACsec. PR1474674

  • The commands request system power-off and request system halt might not work correctly. PR1474985

  • The flowd process core files might be seen when there are mixed NAT-T traffic or non-NAT-T traffic with PMI enabled. PR1478812

  • When SRX5K-SPC3s or MX-SPC3s are installed in slots 0 or 1 in SRX5800 or MX960 devices, EMI radiated emissions are observed to be higher than regulatory compliance requirements. PR1479001

  • The RGx might fail over after RG0 failover in a rare case. PR1479255

  • The wl- interface stays in ready status after you execute request chassis fpc restart command in Layer 2 mode. PR1479396

  • Recent changes to JDPI's classification mechanism caused a considerable performance regression (more than 30 percent). PR1479684

  • The flowd or srxpfe process might crash when advanced anti-malware services are used. PR1480005

Routing Policy and Firewall Filters

  • Security policies cannot synchronize between Routing Engine and Packet Forwarding Engine on SRX Series devices. PR1453852

  • Traffic log shows wrong custom-application name when the alg ignore option is used in application configuration. PR1457029

  • The NSD process might get stuck and cause problems. PR1458639

  • Some domains are not resolved by the SRX Series devices when using DNS address book. PR1471408

  • The count option in security policy does not take effect even if the policy count is enabled. PR1471621

  • Support for dynamic tunnels on SRX Series devices was mistakenly removed. PR1476530

Routing Protocols

  • SSH login might fail if a user account exists in both local database and RADIUS or TACACS+. PR1454177

  • The rpd might stop when both instance-import and instance-export policies contain as-path-prepend action. PR1471968

Unified Threat Management (UTM)

  • Increased the scaling number of UTM profiles or policies for the SRX1500 device and the SRX4000 and SRX5000 lines of devices. PR1455321

  • The utmd process might pause after deactivating UTM configuration with predefined category upgrading used. PR1478825

VLAN Infrastructure

  • ISSU failed from Junos OS Release 18.4R2.7 to Junos OS Release 19.4, with secondary node PICs in present state after upgrading to Junos OS Release 19.4. PR1468609

VPNs

  • IPsec SA inconsistent on SPCs of node0 and node1 in SRX Series devices with chassis cluster. PR1351646

  • After RG1 failover, IKE phase 1 SA is getting cleared. PR1352457

  • IPsec VPN missing half of the IKE SA and IPsec SA showing incorrect port number when scaling to 1000 IKEv1 AutoVPN tunnels. PR1399147

  • The IKE and IPsec configuration under groups is not supported. PR1405840

  • The established tunnels might remain unchanged when an IKE gateway is changed from AutoVPN to Site-to-Site VPN. PR1413619

  • The VPN tunnel might flap when IKE and IPsec rekey happen simultaneously. PR1421905

  • Old tunnel entries might be observed in the output of the show security ipsec sa or show security ike sa commands. PR1423821

  • The show security ipsec statistics command output displays buffer overflow and wraps around 4,---,---,--- count. PR1424558

  • Tunnel does not come up after changing configurations from IPv4 to IPv6 tunnels in the script, with a "gateway lookup failed" error. PR1431265

  • P1 configuration delete message is not sent on loading baseline configuration if there has been a prior change in VPN configuration. PR1432434

  • After a long time (a few hours) of traffic during a mini PDT test, the number of IPsec tunnels is much higher than expected. PR1449296

  • Some IPsec tunnels flap after RGs failover on the SRX5000 line of devices. PR1450217

  • IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951

  • Traffic is not sent out through an IPsec VPN after update to Junos OS Release 18.2 or later. PR1461793

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card and IKEv1 enabled, the IKE daemon might generate a core file when the IKE SA has expired and an IPsec tunnel associated with the expired IKE SA still exists during an RG0 failover. The daemon recovers eventually. PR1463501

  • The IPsec VPN tunnels cannot be established if overlapped subnets are configured in traffic selectors. PR1463880

  • IPsec tunnels might lose connectivity on SRX Series devices after chassis cluster failover when using AutoVPN point-to-multipoint mode. PR1469172

  • IPsec tunnels might flap when one secondary node is coming online after reboot in SRX Series high availability environment. PR1471243

  • The kmd process might crash continually after the chassis cluster failover in the IPsec ADVPN scenario. PR1479738

Documentation Updates

Dynamic Host Configuration Protocol (DHCP)

  • Introducing DHCP User Guide—Starting in Junos OS Release 20.1R1, we are introducing the DHCP User Guide for Junos OS routing, switching, and security platforms. This guide provides basic configuration details for your Junos OS device as DHCP Server, DHCP client, and DHCP relay agent.

    [See DHCP User Guide.]

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one Junos OS Release to the next release or to one release after the next release. For example, you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, from Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3, and so on.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.