Junos OS Release Notes for SRX Series
These release notes accompany Junos OS Release 20.1R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.
What’s New
Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.
Release 20.1R3 New and Changed Features
There are no new features in Junos OS Release 20.1R3 for the SRX Series devices.
Release 20.1R2 New and Changed Features
There are no new features in Junos OS Release 20.1R2 for the SRX Series devices.
Release 20.1R1 New and Changed Features
Application Security
Custom application enhancements (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.1R1, we’ve enhanced the custom application signature functionality by providing a new set of applications and contexts.
Application identification allows you to create custom application signatures to detect applications specific to your network environment. You can create custom application signatures for applications based on ICMP, IP protocol, IP address, and Layer 7 or TCP/UDP stream. While configuring the custom application signatures, you must specify the context values that the device can use to match the patterns in the application traffic.
Custom application signature contexts are part of the application signature package. You must download and install application signature package version 3248 or later to use the new contexts for custom application signatures.
[See Custom Application Signatures for Application Identification.]
Default mechanism to forward the traffic through APBR rule (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.1R1, you can configure an APBR rule by specifying the dynamic application match criteria with the any keyword. This provides a default mechanism to forward the traffic to a specific next-hop device or destination if the traffic matches any dynamic application.
AppQoE support for granular APBR rules (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.1R1, AppQoE utilizes the granular rule matching functionality of advanced policy-based routing (APBR) for better quality of experience (QoE) for application traffic.
In Junos OS Release 18.2R1, APBR supported configuring policies by defining source addresses, destination addresses, and applications as match conditions. After a successful match, the configured APBR profile is applied as an application service for the session. In this release, AppQoE leverages the APBR enhancement and selects the best possible link for the application traffic sent by APBR to meet the performance requirements specified in the SLA.
Authentication and Access Control
Support for UPN as user identity (SRX Series)—Starting in Junos OS Release 20.1R1, you can use the User Principal Name (UPN) as the logon name in firewall authentication, which works as a captive portal for JIMS or the user firewall.
You can use UPN as the logon name alongside cn or sAMAccountName at the same time. UPN can be used instead of sAMAccountName to authenticate a user.
Even if a user logs on with a UPN, firewall authentication pushes the sAMAccountName (mapped from the UPN) to the user identification entry rather than the UPN itself.
Firewall authentication pushes both the UPN and the sAMAccountName (mapped from the UPN) to JIMS.
[See Understanding Advanced Query Feature for Obtaining User Identity Information from JIMS.]
Trusted Platform Module (TPM) to bind secrets (SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 20.1R1, we’ve introduced TPM support on the SRX5000 line of devices with the SRX5K-RE3-128G Routing Engine (RE3). The TPM chip is enabled by default.
When TPM is activated, it protects the private keys stored in Junos OS.
[See Using Trusted Platform Module to Bind Secrets on SRX Series Devices.]
Flow-Based and Packet-Based Processing
Support for IPFIX formatting and chassis cluster for SRX J-Flow functionality (SRX300, SRX320, SRX340, SRX345, and SRX550HM)—Starting with Junos OS Release 20.1R1, you can configure a chassis cluster and define an IPFIX flow record template suitable for IPv4 traffic or IPv6 traffic. IPFIX is an enhanced version of the J-Flow version 9 template format. Using IPFIX, you can collect a set of sampled flows and send the records to a specified collector host.
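As an added example that is not part of the release notes or of Juniper's code, the following Python builds an IPFIX message of the kind a collector receives from the device (a template set describing an IPv4 flow record, followed by a data set using that template) and decodes it back. It uses the standard IANA information element IDs from RFC 7012; the template layout, the sample flows and the function names are this example's own assumptions, and the parser keeps templates across messages because an exporter resends them only periodically.

```python
import struct
import ipaddress

# IANA information element IDs and fixed lengths (RFC 7012 registry) used by the IPv4
# template of this example. The IDs are standard; the template layout is this example's choice.
IE = {
    1: ("octetDeltaCount", 8),
    2: ("packetDeltaCount", 8),
    4: ("protocolIdentifier", 1),
    7: ("sourceTransportPort", 2),
    8: ("sourceIPv4Address", 4),
    11: ("destinationTransportPort", 2),
    12: ("destinationIPv4Address", 4),
}
IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2                        # RFC 7011: set ID 2 carries template records
TEMPLATE_ID = 256                          # data-set template IDs start at 256
IPV4_TEMPLATE = [8, 12, 7, 11, 4, 1, 2]    # field order of the IPv4 flow record


def build_message(records, export_time, seq, domain_id=0, include_template=True):
    """Encode one IPFIX message: an optional template set followed by one data set."""
    body = b""
    if include_template:
        tmpl = struct.pack("!HH", TEMPLATE_ID, len(IPV4_TEMPLATE))
        for ie in IPV4_TEMPLATE:
            tmpl += struct.pack("!HH", ie, IE[ie][1])
        body += struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    data = b""
    for r in records:
        data += ipaddress.IPv4Address(r["sourceIPv4Address"]).packed
        data += ipaddress.IPv4Address(r["destinationIPv4Address"]).packed
        data += struct.pack("!HHBQQ", r["sourceTransportPort"], r["destinationTransportPort"],
                            r["protocolIdentifier"], r["octetDeltaCount"], r["packetDeltaCount"])
    body += struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, seq, domain_id)
    return header + body


def _decode(ie, raw):
    """Render an IANA element: dotted quad for addresses, unsigned integer otherwise."""
    if IE[ie][0].endswith("IPv4Address"):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_message(buf, templates=None):
    """Decode templates and data records from one message; returns (records, templates).

    `templates` is carried across calls because an exporter resends templates only
    periodically; data sets whose template has not been seen yet are skipped.
    """
    templates = {} if templates is None else templates
    if len(buf) < 16:
        raise ValueError("short header")
    version, length, _export_time, _seq, _domain = struct.unpack_from("!HHIII", buf, 0)
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX (version {version})")
    if length > len(buf):
        raise ValueError("truncated message")
    records = []
    off = 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", buf, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = buf[off + 4:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack_from("!HH", body, pos)
                pos += 4
                if count == 0:                  # template withdrawal
                    templates.pop(tid, None)
                    continue
                spec = []
                for _ in range(count):
                    if pos + 4 > len(body):
                        raise ValueError("truncated template record")
                    ie, flen = struct.unpack_from("!HH", body, pos)
                    pos += 4
                    if ie & 0x8000:             # enterprise element: 4-byte PEN follows
                        pos += 4
                    spec.append((ie, flen))
                templates[tid] = spec
        elif set_id >= 256 and set_id in templates:
            spec = templates[set_id]
            rec_len = sum(flen for _, flen in spec)
            pos = 0
            while rec_len and pos + rec_len <= len(body):   # bytes short of a record are padding
                rec = {}
                for ie, flen in spec:
                    raw = body[pos:pos + flen]
                    pos += flen
                    key = IE[ie][0] if ie in IE else f"ie{ie}"
                    rec[key] = _decode(ie, raw) if ie in IE else raw.hex()
                records.append(rec)
        off += set_len                          # options templates (set 3) and unknown sets skipped
    return records, templates


# Constructed sample flows (documentation address ranges), not captured from a device.
SAMPLE_FLOWS = [
    {"sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.20",
     "sourceTransportPort": 51514, "destinationTransportPort": 443, "protocolIdentifier": 6,
     "octetDeltaCount": 18432, "packetDeltaCount": 27},
    {"sourceIPv4Address": "192.0.2.11", "destinationIPv4Address": "198.51.100.53",
     "sourceTransportPort": 40001, "destinationTransportPort": 53, "protocolIdentifier": 17,
     "octetDeltaCount": 128, "packetDeltaCount": 2},
]

if __name__ == "__main__":
    msg = build_message(SAMPLE_FLOWS, export_time=1700000000, seq=1)
    decoded, known = parse_message(msg)
    print(decoded)
```

A collector that receives a data set before the matching template has arrived gets no records from it; that is the behaviour a real collector shows right after the exporter restarts, until the next periodic template refresh.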
Support for service inspection of pass-through IP-IP and GRE tunnels in TAP mode (SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, and SRX4200)—Starting in Junos OS Release 20.1R1, TAP mode inspects IP-IP and GRE inner tunnel traffic by de-encapsulating the outer and inner IP headers (up to two levels) to create flow sessions. You can configure up to eight TAP interfaces on an SRX Series device.
[See TAP Mode for Flow Sessions, and forwarding-options.]
GPRS
Increase in GTP scale for IoT and roaming firewall applications (SRX1500, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 20.1R1, in addition to the existing support on SRX5400, SRX5600, SRX5800, and SRX4600, to enable the Internet of Things (IoT) and roaming firewall use cases, the GTP tunnel scale is increased for the following SRX Series devices:
SRX1500: 204,800 to 1,024,000
SRX4100: 409,600 to 4,096,000
SRX4200: 819,200 to 4,096,000
For vSRX instances, the number of tunnels supported depends on the available system memory.
Hardware
SRX380 Services Gateway—The SRX380 Services Gateway is a high performance and all-in-one networking device, which consolidates routing, switching, and security. With next-generation firewall features and advanced threat mitigation capabilities, the SRX380 device provides cost-effective and secure connectivity across distributed enterprise locations. A 1U form factor model with a 16-core MIPS processor and 4-GB DDR4 RAM, the SRX380 device supports up to 10-Gbps firewall performance.
The SRX380 device has an integrated 100-GB SSD and provides high port density with 16 on-board PoE-enabled 1-Gigabit Ethernet RJ-45 ports and 4 10-Gigabit Ethernet SFP+ ports. All the ports support AES-256 MACsec encryption. The SRX380 device has dual AC power supplies and supports up to four Mini-PIMs.
The SRX380 supports the same features as those supported on the existing SRX300 line of services gateways. For the complete list of features supported on the SRX380, see Feature Explorer.
Interfaces and Chassis
Support for new show | display set CLI commands (ACX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.1R1, the following new show commands have been introduced:
show | display set explicit—Display explicitly, as a series of commands, all the configurations that the system internally creates when you configure certain statements from the top level of the hierarchy.
show | display set relative explicit—Display explicitly, as a series of commands, all the configurations that the system internally creates when you configure certain statements from the current hierarchy level.
[See show | display set and show | display set relative.]
Intrusion Detection and Prevention
HTTP X-Forwarded-For header support in IDP (SRX Series)—Starting in Junos OS Release 20.1R1, we've introduced the log-xff-header option to record X-Forwarded-For header (xff-header) information. When this option is enabled, IDP saves the source IP addresses (IPv4 or IPv6) found in the X-Forwarded-For contexts of HTTP and SMTP traffic and displays them in attack logs.
The xff-header is not processed unless it is enabled through sensor-configuration.
To enable the xff-header, use the set security idp sensor-configuration global log-xff-header command.
To disable the xff-header, use the delete security idp sensor-configuration global log-xff-header command.
Servers commonly sit behind transparent proxies that reduce external bandwidth. Because the proxy replaces the originating source IP address with its own, the real client could not be identified from the packet source alone; the X-Forwarded-For header carries the original client address through the proxy. Note that this header is set by whatever sits in front of the device and can be inserted by any client, so treat the logged address as reliable only for traffic that arrives through proxies you control.
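As an added example, not code from the release notes or from Juniper, the following Python shows how a collector or SIEM consuming these attack logs should treat a recorded X-Forwarded-For chain: it walks the chain from the hop nearest the firewall and trusts only entries appended by proxies in an assumed trusted range (10.0.0.0/8 here), so an entry inserted by the client, or a header sent on a direct connection from an untrusted peer, never becomes the logged client address. The request bytes, the proxy range and the function names are constructed for this example.

```python
import ipaddress
from typing import Iterable, Optional, Tuple


def parse_http_headers(raw: bytes) -> dict:
    """Return the header block of a raw HTTP request as a dict keyed by lowercase name.

    Repeated headers are joined with ', ', the same list form a chain of proxies
    produces when each one appends its own X-Forwarded-For value.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def originating_client(remote_addr: str, xff: Optional[str],
                       trusted_proxies: Iterable[str]) -> str:
    """Pick the address to record as the originating client.

    X-Forwarded-For is supplied by the client side, so only entries appended by proxies
    we trust carry weight. Walk the chain from the right (the hop closest to us) and stop
    at the first address that is not a trusted proxy: that is the client as seen by the
    nearest trusted hop; anything further left is unverifiable and may be spoofed.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:
            return False

    # Direct connection from an untrusted peer: the header is whatever the peer chose to send.
    if not xff or not trusted(remote_addr):
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr    # malformed token (e.g. "unknown" or host:port): do not log it
        if not trusted(hop):
            return hop
    return remote_addr            # every hop was one of our proxies; the client is unknown


def log_source_addresses(raw_request: bytes, remote_addr: str,
                         trusted_proxies: Iterable[str]) -> Tuple[str, str]:
    """Return (packet source, originating client), the two addresses an attack log would carry."""
    xff = parse_http_headers(raw_request).get("x-forwarded-for")
    return remote_addr, originating_client(remote_addr, xff, trusted_proxies)


# Constructed sample: a request relayed through two proxies in the assumed trusted range
# 10.0.0.0/8, with a forged leading entry (192.0.2.1) inserted by the client itself.
SAMPLE_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 192.0.2.1, 203.0.113.9\r\n"
    b"X-Forwarded-For: 10.0.0.2\r\n"
    b"\r\n"
)
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    print(log_source_addresses(SAMPLE_REQUEST, "10.0.0.1", TRUSTED))
```

For the sample request the packet source is 10.0.0.1 (the last proxy) and the originating client resolves to 203.0.113.9; the forged 192.0.2.1 to its left is ignored, and the same header sent directly from 198.51.100.7 resolves to 198.51.100.7.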
Juniper Sky ATP
Juniper Sky ATP support for disabling standard Juniper C&C and URL feeds—Starting in Junos OS Release 20.1R1, you can disable standard Juniper command and control (C&C) and URL feeds on SRX Series devices. Disabling the Juniper C&C and URL feeds helps to free the resources on SRX Series devices and makes the resources available for loading custom feeds. Use the set services security-intelligence disable-global-feed (all | feed name feed-name) command to disable the feeds. To enable the feeds, use the delete services security-intelligence disable-global-feed (all | feed name feed-name) command.
[See set services security-intelligence and show services security-intelligence category summary.]
Junos OS XML API and Scripting
The jcs:load-configuration template supports loading the rescue configuration (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.1R1, the jcs:load-configuration template supports the rescue parameter to load and commit the rescue configuration on a device. SLAX and XSLT scripts can call the jcs:load-configuration template with the rescue parameter set to "rescue" to replace the active configuration with the rescue configuration.
[See Changing the Configuration Using SLAX and XSLT Scripts and jcs:load-configuration Template.]
J-Web
J-Web supports SRX380 device—Starting in Junos OS Release 20.1R1, you can use J-Web to manage your SRX380 device. Additionally, you can also:
Monitor wireless LAN settings of the supported Wi-Fi Mini-PIM: Monitor > Wireless LAN.
View power statistics information using the new Power Budget Statistics tab: Monitor > Chassis Information > Chassis Component Details.
Note You can view the power statistics information only when the device is in standalone mode.
Configure wireless LAN settings of the supported Wi-Fi Mini-PIM: Configure > Wireless LAN > Settings.
Configure redundant power supply for power management using the new Redundant PSU menu: Configure > Basic Settings.
[See Dashboard Overview, Monitor Wireless LAN, and About the Settings Page.]
Network Management and Monitoring
SNMP support to export statistics of user firewall (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, the new MIB jnxUserFirewalls OID is introduced to expose statistics of user firewall identity-management counters to network monitoring tools supporting SNMP.
SNMP support to monitor Express Path status (SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 20.1R1, the new SNMP MIB jnxJsFlowSofSummary is introduced to expose Express Path (formerly known as services offloading) session status for CLI monitoring and traffic logging. The jnxJsFlowSofSummary MIB provides the total number of Express Path sessions in use and the total number of packets processed so far in the logical system.
Enhanced PKI traps, log notifications, and SNMP for IPsec VPN (MX Series with USF and the SRX5000 line of devices with SPC3 card)—Starting in Junos OS Release 20.1R1, you can enable the peer down and IPsec tunnel down traps and configure the certificate authority (CA) and local certificate traps. We’ve enhanced the existing IPsec VPN flow monitor MIB jnxIpSecFlowMonMIB to support the global data plane, active IKE SA, active IPsec SA, and active peer statistics for tunnels using IKEv2. We've also enhanced the output of the show security ike stats command to add additional options (<brief> | <detail>). Use the clear security ike stats command to clear the IKEv2 statistic counters.
[See Configure the Certificate Expiration Trap, Enterprise-Specific SNMP MIBs Supported by Junos OS, Enable Peer Down and IPsec Tunnel Down Traps, trap (Security PKI), trap (Security IKE), clear security ike stats, show security ike stats, show security ipsec statistics, show security ike security-associations, and show security ike active-peer.]
Port Security
Media Access Control Security (MACsec) support (SRX380)—The SRX380 supports MACsec on all 16 1GbE ports and all four 10GbE ports. MACsec is an industry-standard security technology that provides secure communication for all traffic on point-to-point Ethernet links. The supported cipher suites are GCM-AES-256 and GCM-AES-128. Only static CAK mode is supported.
Security
Support for security policy reports (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, you can use the show security policy-report command to display detailed security policy reports.
Optimizing security policies ensures that the policies are efficient. Over time, policies become disorganized and hence ineffective. The show security policy-report command reports when newly created or changed policies adversely affect other security policies, so that you can review them.
You can use the report-skip statement at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name] hierarchy level to exclude a policy from the policy analysis and prevent it from appearing in any future report.
[See show security policy-report and report-skip.]
Support to clear DNS cache if DNS error responses are received (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, you can clear the DNS cache entry IP list when DNS error responses are received. We have introduced a new command, dns-cache under the [edit security policies] hierarchy level, to configure the security policy DNS cache behavior.
[See dns-cache.]
System Management
Restrict option under NTP configuration is now visible (ACX Series, QFX Series, MX Series, PTX Series, and SRX Series)—Starting in Junos OS Release 20.1R1, the noquery command under the restrict hierarchy is now available and can be configured with a mask address. The noquery command is used to restrict ntpq and ntpdc queries coming from hosts and subnets.
[See Configuring NTP Access Restrictions for a Specific Address.]
Tenant Systems and Logical Systems
ICAP service redirect support for tenant systems (SRX Series and vSRX)—You can prevent data loss from your network by employing Internet Content Adaptation Protocol (ICAP) redirect services. Starting in Junos OS Release 20.1R1, you can enable ICAP at the tenant system level, and you can view/clear the ICAP services redirect status and statistics at the tenant systems level.
In addition, we’ve introduced the X-Client-IP, X-Server-IP, X-Authenticated-User, and X-Authenticated-Groups header extensions in an ICAP message to provide information about the source of the encapsulated HTTP message.
[See ICAP Service Redirect and icap-redirect.]
Express Path session status CLI monitoring improvement and traffic logging (SRX4600, SRX5400, SRX5600, and SRX5800)—The Express Path (formerly known as services offloading) support is already available on SRX4600, SRX5400, SRX5600, and SRX5800 Series devices. Express Path considerably reduces packet-processing latency. Starting in Junos OS Release 20.1R1, you can view the total number of services-offload sessions and total number of services-offload packets processed in the CLI. In addition, you can configure the services-offload traffic logging at the logical system and tenant system level.
[See Express Path.]
VPNs
Common configuration payload password support for RADIUS server (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, you can configure a common password for IKEv2 configuration payload requests in an IKE gateway configuration. The common password can be 1 to 128 characters long. This password is used when the SRX Series device requests an IP address on behalf of a remote IPsec peer using the IKEv2 configuration payload through the RADIUS server. The RADIUS server matches the credentials before it assigns any IP information to the configuration payload request.
What's Changed
Learn about what changed in the Junos OS main and maintenance releases for SRX Series.
What's Changed in Release 20.1R3
Junos XML API and Scripting
The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX commit scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX commit scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases, in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.
The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX event scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX event scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases, in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files. Because these messages are the system log's record of the script's root login, use the parameter with care on devices where log-based auditing of root access is required.
Network Management and Monitoring
Support for specifying the YANG modules to advertise in the NETCONF capabilities and supported schema list (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—You can configure devices to emit third-party, standard, and Junos OS native YANG modules in the capabilities exchange of a NETCONF session by configuring the appropriate statements at the [edit system services netconf hello-message yang-module-capabilities] hierarchy level. In addition, you can specify the YANG schemas that the NETCONF server should include in its list of supported schemas by configuring the appropriate statements at the [edit system services netconf netconf-monitoring netconf-state-schemas] hierarchy level.
[See hello-message and netconf-monitoring.]
Routing Protocols
Advertising /32 secondary loopback addresses to traffic engineering database as prefixes (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—We've made changes to export multiple loopback addresses to the lsdist.0 and lsdist.1 routing tables as prefixes. This eliminates the issue of advertising secondary loopback addresses as router IDs instead of prefixes. In earlier releases, we added multiple secondary loopback addresses in the traffic engineering database to the lsdist.0 and lsdist.1 routing tables as part of node characteristics and advertised them as the router ID.
User Interface and Configuration
Verbose format option to export JSON configuration data (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The Junos OS CLI exposes the verbose statement at the [edit system export-format json] hierarchy level. We changed the default format to export configuration data in JavaScript Object Notation (JSON) from verbose to ietf starting in Junos OS Release 16.1R1. You can explicitly specify the default export format for JSON configuration data by configuring the appropriate statement at the [edit system export-format json] hierarchy level. Although the verbose statement is exposed in the Junos OS CLI as of the current release, you can configure this statement starting in Junos OS Release 16.1R1.
[See export-format.]
What's Changed in Release 20.1R2
ATP Cloud
Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 20.1R2, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Advanced Threat Prevention Cloud (ATP Cloud).
Flow-Based and Packet-Based Processing
Session table utilization alarms (SRX Series)—In earlier releases, no alarm indicated that the session table on an SRX Series device was full. Starting in Junos OS Release 20.1R2, when flow session table utilization on an FPC and PIC reaches 95%, the alarm message Flow session table is almost full on FPC <number> PIC <number> is set. Similarly, when DCP session table utilization on an FPC and PIC reaches 95%, the alarm message DCP session table is almost full on FPC <number> PIC <number> is set.
[See Understanding Session Cache.]
J-Web
Change in the J-Web browser tab title (SRX Series)—Starting in Junos OS Release 20.1R2, the J-Web browser tab title displays the device model and the hostname. The same details are displayed when you hover over the J-Web browser tab.
For example, when you access J-Web for an SRX320 device with the hostname srx320-xyz, the J-Web browser tab displays the title as J-Web (srx320 – srx320-xyz).
If the hostname is not configured, you can see the host URL or IP address in the J-Web browser tab title. For example, J-Web (srx320 – <device IP address>).
VPNs
The junos-ike package installed by default (SRX5000 Series devices)—For SRX5000 Series devices with RE3 installed, the junos-ike package is installed by default. As a result, the iked and ikemd processes run on the Routing Engine by default instead of the IPsec key management daemon (kmd). In earlier Junos OS releases, junos-ike was an optional package for SRX5000 Series devices with RE3, and kmd ran by default.
[See Enabling IPsec VPN Feature Set on SRX5K-SPC3 Services Processing Card.]
IKE index displayed in show security ipsec security-associations detail output (SRX5400, SRX5600, and SRX5800)—When you execute the show security ipsec security-associations detail command, a new output field, IKE SA Index, corresponding to every IPsec security association (SA) within a tunnel is displayed under each IPsec SA entry.
What's Changed in Release 20.1R1
ALG
Disable the do not fragment flag from packet IP header (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, we’ve introduced the clear-dont-frag-bit option at the [edit security alg alg-manager] hierarchy level to disable the do not fragment flag from the packet IP header, which allows the packet to be split after NAT is performed.
In Junos OS releases earlier than Release 20.1R1, when the ALG performs payload-NAT, sometimes the size of the packet becomes bigger than the outgoing interface maximum transmission unit (MTU). If the packet IP header has the do not fragment flag, this packet cannot be sent out.
[See alg-manager.]
Application Security
Starting in Junos OS Release 20.1R1, you can enable application identification (AppID) to accurately classify a web application that is hosted on a content delivery network (CDN) such as AWS, Akamai, Azure, Fastly, or Cloudflare. Use the following configuration statement to enable CDN application classification:
[edit]
user@host# set services application-identification enable-cdn-application-detection
When you apply the configuration, AppID identifies and classifies the actual applications that are hosted on the CDN.
You can configure a maximum memory limit for deep packet inspection (DPI) by using the following configuration statement:
user@host# set services application-identification max-memory memory-value
You can set a memory value from 1 through 200000 MB.
Once JDPI memory consumption reaches 90% of the configured value, DPI stops processing new sessions.
Starting in Junos OS Release 20.1R1, you can configure and use IP protocol-based custom application signatures on your SRX Series device. In Junos OS Releases 19.2 through 19.4 and their maintenance releases, IP protocol-based custom application signatures do not work as expected. As a workaround, configure IP protocol-based applications at the following hierarchy levels:
For unified policy, use a service-based application configuration:
user@host# set applications application application-name protocol ip-protocol-number
For legacy application firewall, use the predefined IP protocol applications:
user@host# set security application-firewall rule-sets rule-set-name rule rule-name match dynamic-application junos:IPP-IGMP
[See Custom Application Signatures for Application Identification.]
Ethernet Switching and Bridging
LLDP support on redundant Ethernet interfaces (SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500)—Starting in Junos OS Release 20.1R1, you can configure the Link Layer Discovery Protocol (LLDP) on redundant Ethernet (reth) interfaces. Use the set protocols lldp interface <reth-interface> command to configure LLDP on the reth interface.
[See Configuring LLDP and Ethernet Ports Switching Overview for Security Devices.]
J-Web
Deactivated policy rules are not visible in the J-Web UI (SRX Series)—J-Web does not support disabling or enabling the security firewall or global policy rules from Junos OS Release 20.1R1. The policy rules that are deactivated through CLI are also not visible in the J-Web UI. As a workaround, use CLI to disable or enable the policy rules on the device.
Unified Threat Management (UTM)
Increase in the UTM scale number (SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 20.1R1, on SRX Series devices, UTM policies, profiles, MIME patterns, filename extensions, protocol commands, and custom messages are increased up to 1500. Custom URL patterns and custom URL categories are increased up to 3000.
VPNs
Public key infrastructure warning message (SRX Series)—Starting in Junos OS Release 20.1R1, the warning message ECDSA Keypair not supported with SCEP for cert_id <certificate id> is displayed when you try to enroll a local certificate that uses an Elliptic Curve Digital Signature Algorithm (ECDSA) key with Simple Certificate Enrollment Protocol (SCEP), because ECDSA keys are not supported with SCEP.
Prior to Junos OS Release 20.1R1, the enrollment failed without displaying this warning message.
[See Example: Enrolling a Local Certificate Online Using SCEP.]
Change in display of local certificate serial number (SRX Series)—In Junos OS Release 20.1R1, the output of the show security pki local-certificate detail command is modified to display the PKI local certificate serial number with 0x as prefix to indicate that the PKI local certificate is in the hexadecimal format.
Known Limitations
Learn about known limitations in this release for SRX Series.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
General Routing
On an SRX4600 device, when LLDP is configured on the interfaces, the Packet Forwarding Engine might stop operating because of a segmentation fault. LLDP is not currently supported on the SRX4600, but the configuration is still accepted. PR1422466
On SRX5400, SRX5600, and SRX5800 devices, on reth interfaces that are configured as DHCP clients, after a reboot of the device the interface might not get an IP address when you use the default number of DHCP retransmission attempts. When the number of retransmission attempts is increased to 5 or higher, it works fine. PR1458490
MACsec is not working as expected on ports of the SRX380 device with peer interfaces on the same cluster. PR1479705
Due to enhancements in AppID starting Junos OS Release 21.1R1, database files are not compatible with earlier releases. Hence, this issue is expected to be seen during downgrade from Junos OS Release 21.1R1 to earlier releases. PR1554490
J-Web
When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is autorefreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214
VPNs
When multiple traffic selectors are configured on a particular VPN, the iked process sends at most one DPD probe to the peer per configured DPD interval. The DPD probe is sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585
On the SRX5000 line of devices with SPC3 cards, sometimes the IKE SA is not seen on the device when an st0 binding on a VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411
On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, with 60,000 tunnels up, when RG0 failover happens while an IPsec and/or IKE rekey is in progress, those rekeying tunnels might go down and traffic loss might be seen until the tunnel is reestablished. PR1471499
In SPC2 and SPC3 mixed-mode HA deployments, the tunnels-per-second (TPS) rate is affected while dead peer detection (DPD) is being served on existing tunnels. This limitation is due to the large share of CPU occupied by the infrastructure (gencfg) that iked uses to synchronize its DPD state to the backup node. PR1473482
After IPsec tunnel using policy-based VPN is overwritten by another VPN client, traffic using this IPsec tunnel will be dropped. PR1546537
Open Issues
Learn about open issues in this release for SRX Series.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Flow-Based and Packet-Based Processing
Use an antireplay window size of 512 for IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence, there are no out-of-order packets with 512 antireplay window size. PR1470637
General Routing
The show security pki local-certificate logical-system all command does not show any output. PR1414628
On an SRX340 device with J-Flow version 9 configured, the flowd process might generate core files frequently when the device is busy. PR1463689
The firewall Web authentication graphics have been updated. PR1482433
CLI autocomplete is now available for both secintel and advanced anti-malware products. PR1487419
The SRX380 device has a large number of switch ports and needs to monitor their statistics in real time. Due to this, some of the Routing Engine CPU is always consumed during these operations. If you need to ensure maximum Routing Engine performance, you can dedicate a Packet Forwarding Engine core to the uKernel to more efficiently manage this task. To do this, use the set chassis dedicated-kern-cpu command. PR1527147
Kernel might stop, with VM core files generated, and the system might reboot continuously after five child interfaces are added to the reth interface on one node. This might cause service impact. PR1551297
Intrusion Detection and Prevention (IDP)
Starting in Junos OS Release 21.1, either greater-than or less-than is allowed for the age-of-attack filter of a dynamic attack group configuration. The age-of-attack field in signatures will be changed from activation dates to CVE dates. Anomalies and generic attacks will be part of all groups created. PR1397599
J-Web
On the SRX5000 line of devices, J-Web might not be responsive sometimes when you commit configuration changes after adding a new dynamic application while creating a new firewall rule. J-Web displays a warning while validating the configuration due to dynamic application or any other configuration changes. As a workaround, refresh the J-Web page. PR1460001
Routing Policy and Firewall Filters
If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907
VPNs
In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported in Junos OS Release 18.2R2 and later. PR1383329
On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX Series device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE IDs. PR1407356
On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334
On the SRX5000 line of devices with SPC3 cards, sometimes IKE SA is not seen on the device when the st0 binding on the VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411
In an IPsec VPN scenario on SRX5400, SRX5600, and SRX5800 platforms, the iked process treats retransmission of IKE_INIT request packets as new connections when the SRX Series device acts as a responder of IKE negotiation. This causes IKE tunnel negotiation to fail, and IPsec VPN traffic might be impacted. PR1460907
On the SRX5000 line of devices with SPC3 and SPC2 mixed mode, with a very large number of IKE peers (60,000) with dead peer detection (DPD) enabled, IPsec tunnels might flap in some cases when IKE and IPsec rekeys are happening at the same time. PR1473523
Some TCP connections going through IPsec tunnels might get stuck after RG1 failover. PR1477184
During a 10,000-tunnel ramp-up, the iked process sometimes generates a core file. PR1479548
Unexpected extra newline (NL) characters were seen in PyEZ XML output, which caused issues when writing op scripts. With normalize=True in the PyEZ script, you can avoid having NL characters between tags, and the pretty_print option ensures that the printed output is clean. PR1492146
The SRX5000 line of devices with SPC3 does not support simultaneous IKE negotiation in Junos OS Releases 19.2, 19.3, 19.4, and 20.1. PR1497297
Resolved Issues
Learn which issues were resolved in the Junos OS main and maintenance releases for SRX Series devices.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Resolved Issues: 20.1R3
Chassis Clustering
Disabled node on SRX chassis cluster sends out ARP request packets. PR1548173
The SPU might stop in a GPRS tunneling protocol scenario. PR1559802
Flow-Based and Packet-Based Processing
The rst-invalidate-session command does not work if configured together with the no-sequence-check command. PR1541954
Forwarding and Sampling
Configuration archive transfer-on-commit fails on Junos OS Release 18.2R3-S6.5. PR1563641
General Routing
During an upgrade, system displays the following incorrect license warnings when utilizing licensable features even if the license is present on the device: requires 'idp-sig' license. PR1519672
Packet drops might be seen on every commit event when an interface is configured for 1G speed. PR1524614
The MAC table is null in Layer 2 mode after one pass-through session is created successfully. PR1528286
Junos OS: Memory leak when querying Aggregated Ethernet (AE) interface statistics (CVE-2021-0230). PR1528605
The firewall filter SA and DA tags are not in the log messages as expected in port details. PR1539338
Packet drop might be seen when a packet with destination port 0 is received on the SRX380 device. PR1540414
The JNH memory might leak on the Trio-based line cards. PR1542882
Tail drops might occur on SRX Series devices if shaping-rate is configured on the lt interface. PR1542931
The kmd process might crash when the interface flaps. PR1544800
The flowd process might crash on SRX Series devices. PR1545628
SRX1500 reports fans running at over speed. PR1546132
On SRX4100 and SRX4200, if PEM0 is removed, the output of jnxOperatingDescr.2 might be incomplete. PR1547053
Advanced anti-malware file or e-mail statistics do not get incremented with the latest PB version. PR1547094
On vSRX2.0, vSRX3.0, SRX1500, SRX4100, SRX4200, SRX4600 running chassis cluster in Junos OS Release 18.3 or later releases, multiple messages of "LCC: ch_cluster_lcc_set_context:564: failed to lock chassis_vmx mutex 11" are generated in the chassisd log file. These messages may recur after every few seconds and they do not have any impact on system operation. PR1547953
When Junos OS software is upgraded to Junos OS Release 20.3, you might see the error "ERROR: Failed to setup symlinks in alternate root". PR1548626
PKI CMPv2 client certificate enrollment does not work on SRX Series devices when using a root CA. PR1549954
The lcmd log message "gw_cb_presence:136: PEM(slot = 0): error detecting presence ( fruid = 15, drv_id = 30, status = -11 )" is generated every second on SRX4100 and SRX4200 devices. PR1550249
The speed mismatch error is seen while trying to commit reth0 with gigether-options. PR1553888
On the SRX550M device, the dumpdisklabel command fails with message "ERROR: Unknown platform srx550m". PR1557311
The idpd process might stop when committing IDP configuration under logical systems and tenant systems during RG failover. PR1561298
The flowd process might stop and generate a core file if J-Flow version 9 is configured. PR1567871
Wi-Fi mPIM on SRX Series devices is reaching out to NTP and DNS servers. PR1569680
MACsec does not use the network-control queue. PR1571977
Traffic going through the VRRP interface might be dropped when the VRRP-enabled IRB interface goes down. PR1572920
The 1G interfaces might not come up after device reboot. PR1585698
Interfaces and Chassis
When SRX Series devices receive proxy ARP requests on VRRP interfaces, SRX Series devices send ARP replies with the underlying interface MAC address. PR1526851
The backup Routing Engine or backup node might get stuck in a bad state with an improper "backup-router" configuration. PR1530935
Intrusion Detection and Prevention (IDP)
The flowd or srxpfe process might generate core files during the idpd process commit on SRX Series devices. PR1521682
A system log message is needed to indicate signature download completion. PR1543571
IDP policy load might fail post image upgrade for Junos OS 15.1x49 releases. PR1546542
The idpd process might stop and generate a core file. PR1547610
The IDP policy process might become unresponsive and fail to compile the IDP policy after an IDP automatic update. PR1577684
J-Web
The "+" button is not shown in the J-Web interface menu. PR1550755
Network Management and Monitoring
The mib2d process might pause and generate a core file on the backup Routing Engine. PR1557384
Platform and Infrastructure
Continuous L2ALD and L2ALM log messages are seen on the nodes of a chassis cluster on the SRX5000 line of devices. PR1501752
Syslog reporting "PFE_FLOWD_SELFPING_PACKET_LOSS: Traffic impact: Selfping packets loss/err: 300 within 600 second" error messages in node 0 and node 1 control panel. PR1522130
The commit might not fail as expected when the reth interface is deleted. PR1538273
Routing Policy and Firewall Filters
The flowd or srxpfe process might stop when an SRX Series or NFX Series device running Junos OS Release 18.2R1 or later supports the unified policy feature. PR1544554
Traffic might be dropped unexpectedly when the url-category match condition is used on a security policy. PR1546120
Global policies working with multiple zones cause high Packet Forwarding Engine CPU utilization. PR1549366
A policy configured with the "route-active-on" condition might work incorrectly for local routes. PR1549592
The junos-defaults construct within a unified-policies application match criteria now restricts the ports and protocols of a flow on a per-dynamic-application basis. PR1551984
On the SRX5000 line of devices, the secondary node might get stuck in performing ColdSync after a reboot, upgrade, or if ISSU is performed. PR1558382
Traffic loss might be seen when a large number of applications or addresses is referenced by one policy. PR1576038
Unified Threat Management (UTM)
Stream buffer memory leak might happen when UTM is configured under unified policies. PR1557278
Loss of the UTM license expiry event might cause the device not to exit advanced service mode, and maximum-sessions is decreased by half. PR1563874
VPNs
The IPsec tunnel might flap when ESN is enabled. PR1488087
IPsec SA is missing the keyword NULL after RG failover. PR1507270
Traffic might be dropped when IPsec VPN is used with NAT-T enabled. PR1522017
On all SRX Series devices using IPsec with NAT traversal, the MTU size of the external interface might change after the IPsec SA is reestablished. PR1530684
The flowd process might stop during IPsec SA renegotiation on SRX5000 line of devices. PR1545916
After the IPsec tunnel using policy-based VPN is overwritten by another VPN client, traffic using this IPsec tunnel will be dropped. PR1546537
Traffic going through policy-based IPsec tunnel might be dropped after RG0 failover. PR1550232
A session might be closed when the session is created during the IPsec rekey. PR1564444
When there are multiple IPsec SAs, the backup SA starts the IPsec rekey. PR1565132
SPI mismatch caused by simultaneous rekeys under kmd stress. PR1571105
Resolved Issues: 20.1R2
Application Layer Gateways (ALGs)
FTPS traffic might get dropped on SRX Series and MX Series devices if FTP ALG is used. PR1483834
The srxpfe and mspmand process might stop if FTPS is enabled in a specific scenario. PR1510678
Application Security
AppQoE support for dynamic-application. PR1503400
Chassis Clustering
The show chassis temperature-thresholds command displays extensive FPC 0 output. PR1485224
On SRX4100 and SRX4200 devices with chassis cluster in transparent mode, when a failover occurs for RG1, the interface on the new secondary node is getting flapped as expected to let the switch update its MAC address table. PR1490291
IP monitoring on SRX4100 and SRX4200 device might fail in the rare event that a chassis internal connection between Routing Engine and Packet Forwarding Engine is temporarily down after RG0 failover. PR1502462
The ISSU fails with timeout due to cold synchronization failure. PR1502872
Flow-Based and Packet-Based Processing
The show security group-vpn server statistics | display xml command output is not in the expected format. PR1349959
ECMP load balancing does not happen when RG1 node 0 is secondary. PR1475853
The flowd or srxpfe process might stop when deleting the user firewall local authentication table entry. PR1477627
On Web proxy, there is a memory leak in the association hash table and the DNS hash table. PR1480760
IMAP curl sessions stuck in the active state if AAMW IMAP block mode is configured. PR1484692
The flowd process might stop and impact services if J-Flow version 9 is configured. PR1486528
The set chassis psu redundancy n-plus-n configuration needs to be supported in high availability (HA) mode. PR1486746
Commit does not work after the installation through boot loader. PR1487831
If a cluster ID of 16 or multiples of 16 is used, the chassis cluster might not come up. PR1487951
CPU board inlet increases after OS upgrade from Junos OS Release 15.1X49 to Junos OS Release 18.x. PR1488203
All interfaces remain in the down status after the SRX300 line of devices power up or reboot. PR1488348
GRE or IPsec tunnel might not come up when the set security flow no-local-favor-ecmp command is run. PR1489276
Sometimes multiple flowd core files are generated on both nodes of a chassis cluster at the same time when changing media MTU. PR1489494
Continuous drops seen in control traffic, with high data queues in one SPC2 PIC. PR1490216
Not able to clear the warm sessions on the peer SRX Series devices. PR1493174
Phone client stop seen during SRX345 device ZTP with CSO. PR1496650
Outbound SSH connection flap or memory leak issue might be observed during the high rate of pushing the configuration to the ephemeral database. PR1497575
Unexpected flow logging traffic beyond the packet filter. PR1497939
Traffic interruption happens due to MAC address duplication between two devices running Junos OS. PR1497956
Don't use capital characters for source-identity when using the show security match-policies command. PR1499090
On SRX Series devices, when the GRE or IP-IP tunnel is used, if some interface change events happen (such as, interface flapping), traffic drop might be seen. PR1500091
The srxpfe or flowd process might stop due to memory corruption within JDPI. PR1500938
J-Flow version 9 does not display the correct outgoing interface for APBR traffic. PR1502432
A condition within TCP proxy could result in downloads becoming permanently stuck or not completing. TCP proxy is used by multiple services, including Juniper ATP Cloud in block mode, ICAP, SSL proxy, antivirus, content filtering, and antispam. PR1502977
Fabric interface might be monitored down after chassis cluster reboot. PR1503075
A cfmd core file is observed when LTM is triggered for the session configured on the ethernet-switching interface without bridge domain configuration. PR1503696
Layer 2 ping is not working with remote MEP. PR1504986
SOF asymmetric scenario is not working with the phase 1 solution. PR1507865
If dynamic-app is configured along with other Layer 7 applications in different rules, some sessions still show up in the SLA database with application any after the application has been identified. PR1514973
VRRP does not work on the redundant Ethernet interface with a VLAN ID greater than 1023. PR1515046
A logic issue was corrected in SSL proxy that could lead to an srxpfe or flowd core file under load. PR1516903
The PPPoE session does not come up after return to zero on SRX Series devices. PR1518709
The TCP packet might be dropped if syn-proxy protection is enabled. PR1521325
On SRX Series devices with chassis clusters, high CPU usage might be seen due to the llmd process. PR1521794
Certificate validation might fail when OCSP is used and the OCSP server is a dual-stack device. PR1525924
Traffic rate shown in the CLI command is not accurate. PR1527511
On SRX4100 and SRX4200 devices, four out of eight fans might not work. PR1534706
The rst-invalidate-session configuration does not work if configured together with no-sequence-check. PR1541954
NSD core file is generated at function nsd_malloc, file ../../../../../../src/usp/usr.sbin/nsd/common/nsd_common.c, line 482. PR1542942
Interfaces and Chassis
PPO IPv6 route does not work. PR1495839
Intrusion Detection and Prevention (IDP)
When intelligent inspection status changes, syslog is not getting generated on SRX300 and SRX500 lines of devices. PR1448365
The IDP attack detection might not work in a specific situation. PR1497340
IDP's custom-attack time-binding interval command was mistakenly hidden within the CLI. PR1506765
J-Web
While creating a firewall policy rule, the list of available dynamic applications is empty in HA on the Select Dynamic Application page. PR1490346
Junos OS: Reflected Cross-site Scripting vulnerability in J-Web and web based (HTTP/HTTPS) services (CVE-2020-1673). PR1493385
You cannot configure Redundant PSU and Power Budget Statistics on the SRX380 device, which is in HA mode, through J-Web. PR1493713
The J-Web users might not be able to configure PPPoE using the PPPoE wizard. PR1502657
J-Web chassis status widget is incorrectly reporting temperature alarms. PR1507156
The parameters show another LSYS at J-Web in a multiple logical systems scenario. PR1518675
Layer 2 Ethernet Services
DHCP does not work after running request system zeroize or load factory-default. PR1521704
MPLS
BGP session might keep flapping between two directly connected BGP peers because of the wrong TCP-MSS in use. PR1493431
Network Address Translation (NAT)
Not all NAT sessions are synchronized from Node 1 to Node 2. PR1473788
Issuing the show security nat source paired-address command might return an error. PR1479824
Platform and Infrastructure
On the SRX1500 device and the SRX4000 line of devices, physically disconnecting the cable from the fxp0 interface causes hardware monitor failure and redundancy group failover, when the device is the primary node in a chassis cluster. PR1467376
The SRX1500 device and the SRX4000 line of devices might boot up with the rescue configuration after a power outage. PR1490181
Packets get dropped when the next hop is IRB over the LT interface. PR1494594
The /usr/libexec/ui/yang-pkg and /usr/libexec/ui/pyang files are not found in SRX Series devices during YANG installation. PR1496577
Junos OS: Arbitrary code execution vulnerability in Telnet server (CVE-2020-10188). PR1502386
On the SRX1500 device, the factory-default configuration for ge-0/0/0 and ge-0/0/15 should be set with family inet DHCP. PR1503636
Syslog reporting "PFE_FLOWD_SELFPING_PACKET_LOSS: Traffic impact: Selfping packets loss/err: 300 within 600 second" error messages in node 0 and node 1 control panel. PR1522130
Routing Policy and Firewall Filters
TCP proxy was mistakenly engaged in unified policies when Web filtering was configured in potential match policies. PR1492436
Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002
Routing Protocols
The BGP route-target family might prevent the route reflector from reflecting Layer 2 VPN and Layer 3 VPN routes. PR1492743
The rpd might report 100% CPU usage with BGP route damping enabled. PR1514635
Unified Threat Management (UTM)
UTM websense redirect supports IPv6 messages. PR1481290
UTM does not allow e-mails from outside to inside to be received. PR1523222
VPNs
IKE SA does not get cleared and is showing very long lifetime. PR1439338
With NCP remote access solution, in a PathFinder case (for example, where IPsec traffic has to be encapsulated as TCP packets), TCP encapsulation for transit traffic is failing. PR1442145
The newly configured IPsec tunnels might be stuck in VPNM verify-path state in a tunnel scaled scenario. PR1464353
On an SRX4200 device, a 35 percent drop is seen in all TPS cases. PR1481625
On SRX Series devices with SPC3, when overlapping traffic selectors are configured, multiple IPsec SAs get negotiated with the peer device. PR1482446
Traffic might be lost after the rekey if SRX Series devices responder-only is configured. PR1485029
Use different XML tags for local and remote IKE IDs to avoid confusion. PR1493368
Issue with XML RPC show security ipsec tunnel-distribution summary output. PR1494274
On SRX Series devices using IPsec with NAT traversal, MTU size for the external interface might be changed after IPsec SA is reestablished. PR1530684
Resolved Issues: 20.1R1
Application Layer Gateways (ALGs)
Packets whose IP header has the DF flag set might be dropped by the SRX Series ALG after payload NAT. PR1444068
On the SRX5000 line of devices, the H323 call with NAT64 could not be established. PR1462984
RTSP data sessions are cleared unexpectedly during cold sync. PR1468001
The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942
SIP messages that need to be fragmented might be dropped by SIP ALG. PR1475031
Authentication and Access Control
Same-source IP sessions are cleared when the IP entry is removed from the UAC table. PR1457570
Chassis Clustering
IP monitoring might fail on the secondary node. PR1468441
An unhealthy node might become primary in SRX4600 devices with chassis cluster scenario. PR1474233
Flow-Based and Packet-Based Processing
The trusted-ca and root-ca names or IDs should not be the same within an SSL proxy configuration. PR1420859
Packet loss is caused by FPGA back pressure on SPC3. PR1429899
Control logical interface is not created by default for LLDP. PR1436327
Security logs cannot be sent to the external syslog server through TCP. PR1438834
The SPC card might stop on the SRX5000 line of devices. PR1439744
Flowd process core files are generated in the device while testing NAT PBA in AA mode. PR1443148
The SSL-based AppID simplification effort (removal of HTTPS, POP3S, IMAPS, SMTPS). PR1444767
In the BERT test for the E1 interface, the bit count is not within the expected range. PR1445041
The flowd process might stop on SRX Series devices when chassis cluster and IRB interface are configured. PR1446833
The AAWM policy rules for IMAP traffic sometimes might not get applied when passed through SRX Series devices. PR1450904
Introduction of default inspection limits for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180
The SRX Series devices stop and generate several core files. PR1455169
When you try to reset the system configuration on an SRX1500 device using the reset config button, it does not work properly. PR1458323
The security flow traceoptions fills in with RTSP ALG-related information. PR1458578
Optimizations were made to improve the connections-per-second performance of SPC3. PR1458727
For LTE dual CPE support with mPIMs, the wait timer needs to be increased when the modem receives a disconnect event from the ISP. PR1460102
The security-intelligence CC feed does not block HTTPS traffic based on SNI. PR1460384
The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619
Added command to clear specified associated client. PR1461577
The srxpfe or flowd process might stop if the sampling configuration is changed. PR1462610
The tunnel packets might be dropped because the gr0.0 or st0.0 interface is wrongly calculated after a GRE or VPN route change. PR1462825
Fragmented traffic might get looped between the fab interface in a rare case. PR1465100
TCP session might not time out properly upon receiving TCP RESET packet. PR1467654
A core file might be generated when you perform an ISSU on SRX Series devices. PR1463159
The PKI daemon keeps leaking memory on SRX Series devices. PR1465614
HTTP block message stops working after SNI check for HTTPS session. PR1465626
Loading CA certificate causes PKI daemon core file to be generated. PR1465966
The jbuf process usage might increase up to 99 percent after Junos OS upgrade. PR1467351
The rpd process might stop after several changes to the flow-spec routes. PR1467838
Packet Forwarding Engine might generate core files because SSL proxy is enabled on NFX Series and SRX Series devices. PR1467856
Server unreachable is detected; ensure that port 443 is reachable. PR1468114
Tail drop on all ports is observed when any switch-side egress port gets congested. PR1468430
FTP data connection might be dropped if SRX Series devices send the FTP connection traffic through the dl interface. PR1468570
RPM test probe fails to show that round-trip time has been exceeded. PR1471606
Lookup failure for the expected e-mail address in the DUT. PR1472748
Stateful firewall rule configuration deletion might lead to memory leak. PR1475220
The dfs-off function is enabled. PR1475294
The nsd process pause might be seen during device reboots if dynamic application groups are configured in policy. PR1478608
The show mape rule statistics command might display negative values. PR1479165
Sometimes multiple flowd core files are generated on both nodes of chassis cluster at the same time when changing media MTU. PR1489494
Interfaces and Chassis
The number of mgd processes increases because the mgd processes are not closed properly. PR1439440
Static route through dl0.0 interface is not active. PR1465199
MAC limiting on Layer 3 routing interfaces does not work. PR1465366
Intrusion Detection and Prevention (IDP)
SNMP queries might cause commit or show command to fail due to IDP. PR1444043
Updating the IDP security package offline might fail in SRX Series devices. PR1466283
J-Web
The default log query time in J-Web monitoring functionality has been reduced. This increases the responsiveness of the landing pages. PR1423864
Editing destination NAT rule in J-Web introduces a nonconfigured routing instance field. PR1461599
The Go button within the J-Web Monitor>Events view now correctly refreshes the logs even when using a blank search query. PR1464593
J-Web security resources dashboard widget was not being populated correctly. PR1464769
Layer 2 Ethernet Services
The metric is not changing when configured under the DHCP. PR1461571
Network Address Translation (NAT)
The flowd or srxpfe process might stop when traffic is processed by both ALGs and NAT. PR1471932
Issuing the show security nat source paired-address command might return an error. PR1479824
Network Management and Monitoring
The flowd or srxpfe process might stop immediately after committing the jflowv9 configuration or after upgrading to affected releases. PR1471524
SNMP trap coldStart agent-address becomes 0.0.0.0. PR1473288
Platform and Infrastructure
Modifying the REST configuration might cause the system to become unresponsive. PR1461021
VM core files might be generated if the configured sampling rate is more than 65,535. PR1461487
On the SRX300 line of devices, you might encounter Authentication-Table loading slowly while using user-identification. PR1462922
The AE interface cannot be configured on an SRX4600 device. PR1465159
On SRX Series devices, Packet Forwarding Engine memory might be used up if the security intelligence feature is configured. PR1472926
Support LLDP protocol on reth interface. PR1473456
Certificate error during configuration validation when upgrading Junos OS. PR1474225
Packet drop might be observed on the SRX300 line of devices when adding or removing an interface from MACsec. PR1474674
The commands request system power-off and request system halt might not work correctly. PR1474985
The flowd process core files might be seen when there are mixed NAT-T traffic or non-NAT-T traffic with PMI enabled. PR1478812
When SRX5K-SPC3s or MX-SPC3s are installed in slots 0 or 1 in SRX5800 or MX960 devices, EMI radiated emissions are observed to be higher than regulatory compliance requirements. PR1479001
The RGx might fail over after RG0 failover in a rare case. PR1479255
The wl- interface stays in ready status after you execute request chassis fpc restart command in Layer 2 mode. PR1479396
Recent changes to JDPI's classification mechanism caused a considerable performance regression (more than 30 percent). PR1479684
The flowd or srxpfe process might crash when advanced anti-malware services are used. PR1480005
Routing Policy and Firewall Filters
Security policies cannot synchronize between Routing Engine and Packet Forwarding Engine on SRX Series devices. PR1453852
Traffic log shows wrong custom-application name when the alg ignore option is used in application configuration. PR1457029
The NSD process might get stuck and cause problems. PR1458639
Some domains are not resolved by the SRX Series devices when using DNS address book. PR1471408
The count option in security policy does not take effect even if the policy count is enabled. PR1471621
Support for dynamic tunnels on SRX Series devices was mistakenly removed. PR1476530
Routing Protocols
SSH login might fail if a user account exists in both local database and RADIUS or TACACS+. PR1454177
The rpd might stop when both instance-import and instance-export policies contain as-path-prepend action. PR1471968
Unified Threat Management (UTM)
Increase the scale number of UTM profile or policy for the SRX1500 device, and the SRX4000 and SRX5000 lines of devices. PR1455321
The utmd process might pause after deactivating UTM configuration with predefined category upgrading used. PR1478825
VLAN Infrastructure
ISSU failed from Junos OS Release 18.4R2.7 to Junos OS Release 19.4, with secondary node PICs in present state after upgrading to Junos OS Release 19.4. PR1468609
VPNs
IPsec SA inconsistent on SPCs of node0 and node1 in SRX Series devices with chassis cluster. PR1351646
After RG1 failover, IKE phase 1 SA is getting cleared. PR1352457
IPsec VPN missing half of the IKE SA and IPsec SA showing incorrect port number when scaling to 1000 IKEv1 AutoVPN tunnels. PR1399147
The IKE and IPsec configuration under groups is not supported. PR1405840
The established tunnels might remain unchanged when an IKE gateway is changed from AutoVPN to Site-to-Site VPN. PR1413619
The VPN tunnel might flap when IKE and IPsec rekey happen simultaneously. PR1421905
Old tunnel entries might be observed in the output of show security IPsec or IKE SA. PR1423821
The show security ipsec statistics command output displays buffer overflow and wraps around 4,---,---,--- count. PR1424558
Tunnel does not come up after changing configurations from IPv4 to IPv6 tunnels in the script with gateway lookup failed error. PR1431265
P1 configuration delete message is not sent on loading baseline configuration if there has been a prior change in VPN configuration. PR1432434
After a long time (a few hours) of traffic during a mini PDT test, the number of IPsec tunnels is much higher than expected. PR1449296
Some IPsec tunnels flap after RGs failover on the SRX5000 line of devices. PR1450217
IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951
Traffic is not sent out through an IPsec VPN after update to Junos OS Release 18.2 or later. PR1461793
On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card and IKEv1 enabled, the IKE daemon might generate a core file when the IKE SA has expired and an IPsec tunnel associated with the expired IKE SA still exists during an RG0 failover. The daemon recovers eventually. PR1463501
The IPsec VPN tunnels cannot be established if overlapped subnets are configured in traffic selectors. PR1463880
IPsec tunnels might lose connectivity on SRX Series devices after chassis cluster failover when using AutoVPN point-to-multipoint mode. PR1469172
IPsec tunnels might flap when one secondary node is coming online after reboot in SRX Series high availability environment. PR1471243
The kmd process might crash continually after the chassis cluster failover in the IPsec ADVPN scenario. PR1479738
Documentation Updates
Dynamic Host Configuration Protocol (DHCP)
Introducing DHCP User Guide—Starting in Junos OS Release 20.1R1, we are introducing the DHCP User Guide for Junos OS routing, switching, and security platforms. This guide provides basic configuration details for your Junos OS device as DHCP Server, DHCP client, and DHCP relay agent.
[See DHCP User Guide.]
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.
Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases
Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one Junos OS release to the next release or to the release after the next release. For example, you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, from Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3, and so on.
You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.
For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.
For information about ISSU, see the Chassis Cluster User Guide for Security Devices.