Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for NFX Series


These release notes accompany Junos OS Release 20.2R1 for the NFX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for NFX Series.


For information about NFX product compatibility, see NFX Product Compatibility.

Application Security

  • AppQoE multihoming with active-active deployment (NFX150, NFX250, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and vSRX)—Starting In Junos OS Release 20.2R1, AppQoE is enhanced to support multihoming with active/active deployment. In previous releases, AppQoE supports multihoming with active/standby deployment.

    In active/active deployment, the spoke device connects to multiple hub devices. Application traffic can transit through any of the hub devices if the link to the hub device meets SLA requirements. Application traffic can switch seamlessly between the hub devices in case of SLA violation or if the active hub device is not responding.

    To support active/active mode, you must enable the BGP multipath to allow the device to select multiple equal-cost BGP paths to reach a given destination.

    [Application Quality of Experience (AppQoE).]

  • Packet capture for unknown application traffic (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.2R1, you can generate packet capture information for unknown application traffic on your security device. You can use this information to get more insight on unknown applications.

    After you configure packet capture for the application traffic on your device, the packet capture function captures the packet details and stores the information in a packet capture (.pcap) file. You can use the packet capture details of an unknown application to define a new custom application signature and create a security policy rule to manage the application traffic more efficiently.

    You can submit the packet capture information to Juniper Networks to debug why an application is not detected, and if required, request to create an application signature.

    [See Application Identification.]

High Availability

  • High availability on NFX250 NextGen devices—Starting in Junos OS Release 20.2R1, NFX250 NextGen devices support the high availability feature. You can configure a cluster of two NFX250 NextGen devices to act as primary and secondary devices for protection against device failures. The high availability feature supports Layer 2 and Layer 3 features in dual CPE deployments.

    By default, the ge-0/0/0 interface functions as the control interface. You can configure one of the remaining front panel interfaces as the fabric interface. On the LAN, the active/backup mechanism is used. If the primary device fails, the secondary device takes over the operation. On the WAN, both active/active and active/backup mechanisms are supported.

    [How to Configure the NFX250 NextGen.]


  • ADSL and VDSL interfaces on NFX350 devices—Starting in Junos OS Release 20.2R1, NFX350 devices support ADSL and VDSL interfaces.

    [How to Configure the NFX350.]

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for NFX Series devices.

What’s Changed in Release 20.2R1

There are no changes in the behavior of Junos OS features or in the syntax of Junos OS statements and commands in Junos OS Release 20.2R1 for NFX Series devices.

Known Limitations

Learn about known limitations in this release for NFX Series devices. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

High Availability

  • On an NFX250 chassis cluster, commit fails for LAG deployment on a reth interface. PR1487857

Platform and Infrastructure

  • With an SRX1500 device used as a hub device and an NFX350 device as spoke device, IPsec replay errors are seen with HTTP traffic when the AppQoE passive probing is enabled. As a workaround, use SRX4200 as the hub device. PR1461068

Open Issues

Learn about open issues in Junos OS Release 20.2R1 for NFX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

High Availability

  • In an NFX250 chassis cluster, successive FPC0 manual restarts using the request chassis fpc slot 0 restart command must be 120 seconds apart. If restart is attempted within this interval, it is rejected with an error message, Router is in transition, try again.

    As a workaround, wait for 120 seconds between successive FPC0 restarts. PR1486155

  • For an NFX250 chassis cluster, MAC learning should be disabled on fabric VLANs. We also recommend that you have only one L2 and L3 interface per node as part of the fabric VLAN. PR1495188


  • When you issue a show interface command on NFX150 devices to check the interface details, the system does not check whether the interface name provided is valid or invalid. The system does not generate an error message if the interface name is invalid. PR1306191

  • On NFX150 and NFX250 NextGen devices, when you add, modify, or delete a VNF interface that is mapped to an L2 or L3 data plane, kernel traces might be observed on the NFX Series device console. PR1435361

  • The heth-0-4 and heth-0-5 ports do not detect traffic when you try to activate the ports by plugging in or unplugging the cable. As a workaround, perform a link flap or enable or disable the interface using the CLI. PR1449278

  • The link disable option puts the analyzer interface in an inconsistent state with link state as DOWN and admin state as UP. PR1442224

Platform and Infrastructure

  • On NFX150 devices, MAP-E customer edge (CE) configurations do not perform validation to check whether the suffix part is nonzero. The configuration must ensure that the suffix part of configurations involving MAP-E prefixes are zeros. PR1457927

  • On NFX350 devices, traffic drop is seen with fragmented traffic, and the log reports FLOW_REASSEMBLE_FAIL. PR1475023

  • On NFX150 devices, srxpfe core file is observed while testing the ADSL interface. PR1485384

  • Login access to JDM through TACACS failed after upgrade to Junos OS Release 18.4R3

    As a workaround, log in as a local user. PR1504915

Virtual Network Functions (VNFs)

  • On NFX Series devices, while configuring vmhost vlans using vlan-id-list, the system allows duplicate VLAN IDs in the VLAN ID list. PR1438907.

Resolved Issues

Learn which issues were resolved in the Junos OS Release 20.2R1 for NFX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Security

  • AppQoE is sending active prob packets for the deleted active-probe-params. PR1492208

High Availability

  • On NFX250 chassis cluster, L3 interfaces are not getting created after secondary automatic reboot when control port recovery is enabled. PR1502449


  • On NFX150 devices, no error is displayed when the commit fails after you configure native-vlan-id on an access VNF interface. PR1438854

  • On NFX250 NextGen devices, the monitor interface traffic command might not display the pps output for SXE and physical interfaces. PR1464376

  • On NFX350 devices, the clear interface statistics all command takes a longer time to execute. PR1475804

  • On NFX350 devices, if you delete and add an SXE interface, the SXE interface moves to the Spanning Tree Protocol blocking (STP BLK) state, and the traffic drops on that interface. PR1475854

Mapping of Address and Port with Encapsulation (MAP-E)

  • On NFX Series devices, IP identification (IP ID) is not changed after MAP-E NAT44 is performed on fragment packets when the packets reach the customer edge (CE) device.


Platform and Infrastructure

  • On NFX150 devices, MAC aging does not work. You must remove aged MAC entries from the CLI. PR1502700

  • On NFX350 devices, if you execute the show vmhost mode command multiple times, JDM might crash and cause the show vmhost mode commands to stop working. PR1474220

  • Core files on NFX250 while adding the second LAN subnet. PR1490077

  • After initiation of zeroization, the NFX250 device is going into a reboot loop. PR1491479

  • The request vmhost power-off command reboots the NFX250 NextGen device instead of powering off the device. PR1493062

Virtualized Network Functions (VNFs)

  • On NFX150 and NFX250 NextGen devices, when two flowd interfaces are mapped to the same physical interface and if you delete the interface mapping to VF0, the traffic flow is disrupted. Even though the mapping is moved to VF0, the MAC address is not cleared in VF1, which disrupts the traffic. PR1448595

  • On NFX350 devices, VNF instantiation is not working properly. PR1478456

Documentation Updates

There are no errata or changes in Junos OS Release 20.2R1 documentation for NFX Series devices.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS for the NFX Series. Upgrading or downgrading Junos OS might take several hours, depending on the size and configuration of the network.


For information about NFX product compatibility, see NFX Product Compatibility.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information on EEOL releases and to review a list of EEOL releases, see

Basic Procedure for Upgrading to Release 20.2

When upgrading or downgrading Junos OS, use the jinstall package. For information about the contents of the jinstall package and details of the installation process, see the Installation and Upgrade Guide. Use other packages, such as the jbundle package, only when so instructed by a Juniper Networks support representative.


The installation process rebuilds the file system and completely reinstalls Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the device, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files), might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the device. For more information, see the Software Installation and Upgrade Guide.


We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process.

To download and install Junos OS Release 20.2R1:

  1. Using a Web browser, navigate to the All Junos Platforms software download URL on the Juniper Networks webpage:

  2. Select the name of the Junos OS platform for the software that you want to download.
  3. Select the Software tab.
  4. Select the release number (the number of the software version that you want to download) from the Version drop-down list to the right of the Download Software page.
  5. In the Install Package section of the Software tab, select the software package for the release.
  6. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
  7. Review and accept the End User License Agreement.
  8. Download the software to a local host.
  9. Copy the software to the device or to your internal software distribution site.
  10. Install the new package on the device.