Junos OS Release Notes for vSRX
These release notes accompany Junos OS Release 20.2R3 for vSRX. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.
What’s New
Learn about new features introduced in the Junos OS main and maintenance releases for vSRX.
What's New in Release 20.2R3
There are no new features for vSRX in Junos OS Release 20.2R3.
What's New in Release 20.2R2
There are no new features for vSRX in Junos OS Release 20.2R2.
What's Changed
Learn about what changed in the Junos OS main and maintenance releases for vSRX.
What’s Changed in Release 20.2R3
Junos OS XML API and Scripting
Refreshing scripts from an HTTPS server requires a certificate (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When you refresh a local commit, event, op, SNMP, or Juniper Extension Toolkit (JET) script from an HTTPS server, you must specify the certificate (Root CA or self-signed) that the device uses to validate the server's certificate, thus ensuring that the server is authentic. In earlier releases, when you refresh scripts from an HTTPS server, the device does not perform certificate validation.
When you refresh a script using the request system scripts refresh-from operational mode command, include the cert-file option and specify the certificate path. Before you refresh a script using the set refresh or set refresh-from configuration mode command, first configure the cert-file statement under the hierarchy level where you configure the script. The certificate must be in Privacy-Enhanced Mail (PEM) format.
[See request system scripts refresh-from and cert-file.]
What’s Changed in Release 20.2R2
Platform and Infrastructure
Repetition of WALinuxAgent logs causing file size increase (vSRX 3.0)—The Azure WALinuxAgent performs the provisioning job for the vSRX instances. When a new vSRX instance is deployed, the continually growing waagent log file might cause the vSRX to stop.
If the vSRX is still operating, delete the /var/log/waagent.log file directly or run the clear log waagent.log all command to clear the log file.
Alternatively, run the following commands to keep the waagent logs from growing:
set groups azure-provision system syslog file waagent.log archive size 1m
set groups azure-provision system syslog file waagent.log archive files 10
With this configuration, the waagent log is rotated when it grows larger than 1 MB, and a maximum of 10 backups is kept.
vSRX 3.0 instances with AWS Key Management Service (KMS)—On vSRX 3.0 instances with AWS Key Management Service (KMS), if the MEK is changed, then the keypairs will be re-encrypted using the newly set Master Encryption Key (MEK).
Known Limitations
Learn about known limitations in Junos OS Release 20.2R3 for vSRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
J-Web
When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is autorefreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214
For a spoke device in a hub-and-spoke topology, J-Web shows the VPN topology as Site to Site. PR1495973
Open Issues
Learn about open issues in Junos OS Release 20.2R3 for vSRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Intrusion Detection and Prevention (IDP)
IDP database file format or convention has changed in Junos OS Release 15.1X49 and later releases. So, if the IDP configuration contains some predefined attacks or attack-groups related configurations, then the system will go to amnesiac mode after upgrade. This is due to the failure in IDP configuration commit. PR1455125
J-Web
Configuration of global settings options of IPsec VPN such as TCP encap profile, IPsec power mode, and IKE package installation are not supported from J-Web. PR1496439
Platform and Infrastructure
On vSRX 3.0 on Azure, with Microsoft Azure Hardware Security Module (HSM) enabled, keypair generation fails if the user reuses the certificate ID for creating a new keypair, even if the previous keypair has been deleted. PR1490558
When using the Juniper vSRX deployment script deploy-azure-vsrx.sh to create a new vSRX instance, if the same user is defined in both the parameter.json file and the YAML file (using the write_files module), both passwords are configured in different configuration groups in the running configuration of the vSRX. The password defined in the YAML file takes effect. PR1491074
vSRX instances now support using a cloud feed as the source address or destination address in the security policy. Due to the dynamic nature of cloud provisioning, we use a warning instead of an error when the policy's source address or destination address is not found. PR1521739
Resolved Issues
Learn which issues were resolved in the Junos OS main and maintenance releases for vSRX.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Resolved Issues: 20.2R3
Intrusion Detection and Prevention (IDP)
The flowd or srxpfe process might generate core files during the idpd process commit. PR1521682
Platform and Infrastructure
SRX series devices or vSRX instances fail to download dynamic-address feed from Security Director. PR1442248
The control link might be broken when there is excessive traffic load on the control link in vSRX cluster deployment. PR1524243
The master-password configuration is rejected if master encryption password is not set. PR1537251
The srxpfe process might crash when Application Identification Packet-Capture functionality is enabled. PR1538991
A configuration integrity mismatch error is observed in vSRX 3.0 running on Azure with key-vault integrated. PR1551419
High CPU usage on pkid process might be seen when the device is unable to connect to a particular CRL URL. PR1560374
Resolved Issues: 20.2R2
Intrusion Detection and Prevention (IDP)
When adaptive threat profiling is configured within an IDP rule base and logging is enabled, on the vSRX instances the Packet Forwarding Engine process might stop and generate the core file. PR1532737
J-Web
While creating a firewall policy rule, the list of available dynamic applications is empty in HA on the Select Dynamic Application page. PR1490346
Infinite loading circle may be encountered via J-Web. PR1493601
Platform and Infrastructure
On Microsoft Azure deployments, SSH public key authentication is not supported for vSRX 3.0 CLI and portal deployment. PR1402028
The vSRX may restart unexpectedly. PR1479156
Changes to the configuration command for assigning more vCPUs to the Routing Engine. PR1505724
In vSRX3.0 on Azure with keyvault enabled, change in MEK results in deletion of certificates. PR1513456
With CSO SD-WAN configuration loaded, flowd process generates core files while deleting the GRE IPsec configuration. PR1513461
The flowd or srxpfe process might crash when SSL proxy and AppSecure process traffic simultaneously. PR1516969
Routing Policy and Firewall Filters
Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002
Junos OS upgrade may encounter failure in certain conditions when enabling ATP. PR1519222
VPNs
On vSRX3.0 instances, when ECMP routes are configured to load balance over multiple IPSec VPNs connected to a single multipoint tunnel interface, the traffic may not flow. PR1438311
The flowd process might stop in an IPsec VPN scenario. PR1517262
Migration, Upgrade, and Downgrade Instructions
This section contains information about how to upgrade Junos OS for vSRX using the CLI. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.
You also can upgrade to Junos OS Release 20.2R3 for vSRX using J-Web (see J-Web) or the Junos Space Network Management Platform (see Junos Space).
Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Releases 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, or 19.2 is supported.
The following limitations apply:
Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Release 19.3 and higher is not supported. For upgrade between other combinations of Junos OS Releases in vSRX and vSRX 3.0, the general Junos OS upgrade policy applies.
The file system mounted on /var usage must be below 14% of capacity.
Check this using the following command:
show system storage | match " /var$"
/dev/vtbd1s1f    2.7G    82M    2.4G    3%    /var
Using the request system storage cleanup command might help reach that percentage.
The Junos OS upgrade image must be placed in the directory /var/host-mnt/var/tmp/. Use the request system software add /var/host-mnt/var/tmp/<upgrade_image>
We recommend that you deploy a new vSRX virtual machine (VM) instead of performing a Junos OS upgrade. That also gives you the option to move from vSRX to the newer and more recommended vSRX 3.0.
Be sure to back up valuable items such as configurations, license keys, certificates, and other files that you would like to keep.
For ESXi deployments, the firmware upgrade from Junos OS Release 15.1X49-Dxx to Junos OS releases 17.x, 18.x, or 19.x is not recommended if there are more than three network adapters on the 15.1X49-Dxx vSRX instance. If there are more than three network adapters and you want to upgrade, then we recommend that you either delete all the additional network adapters and add the network adapters after the upgrade or deploy a new vSRX instance on the targeted OS version.
Upgrading Software Packages
To upgrade the software using the CLI:
- Download the Junos OS Release 20.2R3 for vSRX .tgz file from the Juniper Networks website. Note the size of the software image.
- Verify that you have enough free disk space on the vSRX instance to upload the new software image.
root@vsrx> show system storage
Filesystem                        Size   Used   Avail  Capacity  Mounted on
/dev/vtbd0s1a                     694M   433M   206M    68%      /
devfs                             1.0K   1.0K   0B     100%      /dev
/dev/md0                          1.3G   1.3G   0B     100%      /junos
/cf                               694M   433M   206M    68%      /junos/cf
devfs                             1.0K   1.0K   0B     100%      /junos/dev/
procfs                            4.0K   4.0K   0B     100%      /proc
/dev/vtbd1s1e                     302M   22K    278M     0%      /config
/dev/vtbd1s1f                     2.7G   69M    2.4G     3%      /var
/dev/vtbd3s2                      91M    782K   91M      1%      /var/host
/dev/md1                          302M   1.9M   276M     1%      /mfs
/var/jail                         2.7G   69M    2.4G     3%      /jail/var
/var/jails/rest-api               2.7G   69M    2.4G     3%      /web-api/var
/var/log                          2.7G   69M    2.4G     3%      /jail/var/log
devfs                             1.0K   1.0K   0B     100%      /jail/dev
192.168.1.1:/var/tmp/corefiles    4.5G   125M   4.1G     3%      /var/crash/corefiles
192.168.1.1:/var/volatile         1.9G   4.0K   1.9G     0%      /var/log/host
192.168.1.1:/var/log              4.5G   125M   4.1G     3%      /var/log/hostlogs
192.168.1.1:/var/traffic-log      4.5G   125M   4.1G     3%      /var/traffic-log
192.168.1.1:/var/local            4.5G   125M   4.1G     3%      /var/db/host
192.168.1.1:/var/db/aamwd         4.5G   125M   4.1G     3%      /var/db/aamwd
192.168.1.1:/var/db/secinteld     4.5G   125M   4.1G     3%      /var/db/secinteld
- Optionally, free up more disk space if needed to upload the image.
root@vsrx> request system storage cleanup
List of files to delete:
Size     Date           Name
11B      Sep 25 14:15   /var/jail/tmp/alarmd.ts
259.7K   Sep 25 14:11   /var/log/hostlogs/vjunos0.log.1.gz
494B     Sep 25 14:15   /var/log/interactive-commands.0.gz
20.4K    Sep 25 14:15   /var/log/messages.0.gz
27B      Sep 25 14:15   /var/log/wtmp.0.gz
27B      Sep 25 14:14   /var/log/wtmp.1.gz
3027B    Sep 25 14:13   /var/tmp/BSD.var.dist
0B       Sep 25 14:14   /var/tmp/LOCK_FILE
666B     Sep 25 14:14   /var/tmp/appidd_trace_debug
0B       Sep 25 14:14   /var/tmp/eedebug_bin_file
34B      Sep 25 14:14   /var/tmp/gksdchk.log
46B      Sep 25 14:14   /var/tmp/kmdchk.log
57B      Sep 25 14:14   /var/tmp/krt_rpf_filter.txt
42B      Sep 25 14:13   /var/tmp/pfe_debug_commands
0B       Sep 25 14:14   /var/tmp/pkg_cleanup.log.err
30B      Sep 25 14:14   /var/tmp/policy_status
0B       Sep 25 14:14   /var/tmp/rtsdb/if-rtsdb
Delete these files ? [yes,no] (no) yes
< output omitted>
Note: If this command does not free up enough disk space, see [SRX] Common and safe files to remove in order to increase available system storage for details on safe files you can manually remove from vSRX to free up disk space.
- Use FTP, SCP, or a similar utility to upload the Junos OS Release 20.2R3 for vSRX .tgz file to /var/crash/corefiles/ on the local file system of your vSRX VM. For example:
root@vsrx> file copy ftp://username:prompt@ftp.hostname.net/pathname/junos-vsrx-x86-64-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE.tgz /var/crash/corefiles/
- From operational mode, install the software upgrade package.
root@vsrx> request system software add /var/crash/corefiles/junos-vsrx-x86-64-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE.tgz no-copy no-validate reboot
Verified junos-vsrx-x86-64-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE signed by PackageDevelopmentEc_2020 method ECDSA256+SHA256
THIS IS A SIGNED PACKAGE
WARNING: This package will load JUNOS 20.2R3 software.
WARNING: It will save JUNOS configuration files, and SSH keys
WARNING: (if configured), but erase all other files and information
WARNING: stored on this machine. It will attempt to preserve dumps
WARNING: and log files, but this can not be guaranteed. This is the
WARNING: pre-installation stage and all the software is loaded when
WARNING: you reboot the system.
Saving the config files ...
Pushing Junos image package to the host...
Installing /var/tmp/install-media-srx-mr-vsrx-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE.tgz
Extracting the package ...
total 975372
-rw-r--r-- 1 30426 950 710337073 Oct 19 17:31 junos-srx-mr-vsrx-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE-app.tgz
-rw-r--r-- 1 30426 950 288433266 Oct 19 17:31 junos-srx-mr-vsrx-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE-linux.tgz
Setting up Junos host applications for installation ...
============================================
Host OS upgrade is FORCED
Current Host OS version: 3.0.4
New Host OS version: 3.0.4
Min host OS version required for applications: 0.2.4
============================================
Installing Host OS ...
upgrade_platform: -------------------
upgrade_platform: Parameters passed:
upgrade_platform: silent=0
upgrade_platform: package=/var/tmp/junos-srx-mr-vsrx-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE-linux.tgz
upgrade_platform: clean install=0
upgrade_platform: clean upgrade=0
upgrade_platform: Need reboot after staging=0
upgrade_platform: -------------------
upgrade_platform:
upgrade_platform: Checking input /var/tmp/junos-srx-mr-vsrx-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE-linux.tgz ...
upgrade_platform: Input package /var/tmp/junos-srx-mr-vsrx-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE-linux.tgz is valid.
upgrade_platform: Backing up boot assets..
cp: omitting directory '.'
bzImage-intel-x86-64.bin: OK
initramfs.cpio.gz: OK
version.txt: OK
initrd.cpio.gz: OK
upgrade_platform: Checksum verified and OK...
/boot
upgrade_platform: Backup completed
upgrade_platform: Staging the upgrade package - /var/tmp/junos-srx-mr-vsrx-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE-linux.tgz..
./
./bzImage-intel-x86-64.bin
./initramfs.cpio.gz
./upgrade_platform
./HOST_COMPAT_VERSION
./version.txt
./initrd.cpio.gz
./linux.checksum
./host-version
bzImage-intel-x86-64.bin: OK
initramfs.cpio.gz: OK
version.txt: OK
upgrade_platform: Checksum verified and OK...
upgrade_platform: Staging of /var/tmp/junos-srx-mr-vsrx-20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE-linux.tgz completed
upgrade_platform: System need *REBOOT* to complete the upgrade
upgrade_platform: Run upgrade_platform with option -r | --rollback to rollback the upgrade
Host OS upgrade staged. Reboot the system to complete installation!
WARNING: A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the
WARNING: 'request system reboot' command when software installation is
WARNING: complete. To abort the installation, do not reboot your system,
WARNING: instead use the 'request system software rollback'
WARNING: command as soon as this operation completes.
NOTICE: 'pending' set will be activated at next reboot...
Rebooting. Please wait ...
shutdown: [pid 13050]
Shutdown NOW!
*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY
Shutdown NOW!
System shutdown time has arrived
If no errors occur, Junos OS reboots automatically to complete the upgrade process. You have successfully upgraded to Junos OS Release 20.2R3 for vSRX.
Note: Starting in Junos OS Release 17.4R1, upon completion of the vSRX image upgrade, the original image is removed by default as part of the upgrade process.
- Log in and use the show version command to verify the upgrade.
--- JUNOS 20.2R3-2021-02-02.0_RELEASE_20.2R3_THROTTLE Kernel 64-bit JNPR-11.0-20210202.170745_fbsd-
At least one package installed on this device has limited support.
Run 'file show /etc/notices/unsupported.txt' for details.
root@:~ # cli
root> show version
Model: vsrx
Junos: 20.2R3-2020-9-10.0_RELEASE_20.2R3_THROTTLE
JUNOS OS Kernel 64-bit [20210202.170745_fbsd-builder_stable_11]
JUNOS OS libs [20210202.170745_fbsd-builder_stable_11]
JUNOS OS runtime [20210202.170745_fbsd-builder_stable_11]
JUNOS OS time zone information [20210202.170745_fbsd-builder_stable_11]
JUNOS OS libs compat32 [20210202.170745_fbsd-builder_stable_11]
JUNOS OS 32-bit compatibility [20210202.170745_fbsd-builder_stable_11]
JUNOS py extensions [20201017.110007_ssd-builder_release_174_throttle]
JUNOS py base [20201017.110007_ssd-builder_release_174_throttle]
JUNOS OS vmguest [20210202.170745_fbsd-builder_stable_11]
JUNOS OS crypto [20210202.170745_fbsd-builder_stable_11]
JUNOS network stack and utilities [20201017.110007_ssd-builder_release_174_throttle]
JUNOS libs [20201017.110007_ssd-builder_release_174_throttle]
JUNOS libs compat32 [20201017.110007_ssd-builder_release_174_throttle]
JUNOS runtime [20201017.110007_ssd-builder_release_174_throttle]
JUNOS Web Management Platform Package [20201017.110007_ssd-builder_release_174_throttle]
JUNOS srx libs compat32 [20201017.110007_ssd-builder_release_174_throttle]
JUNOS srx runtime [20201017.110007_ssd-builder_release_174_throttle]
JUNOS common platform support [20201017.110007_ssd-builder_release_174_throttle]
JUNOS srx platform support [20201017.110007_ssd-builder_release_174_throttle]
JUNOS mtx network modules [20201017.110007_ssd-builder_release_174_throttle]
JUNOS modules [20201017.110007_ssd-builder_release_174_throttle]
JUNOS srxtvp modules [20201017.110007_ssd-builder_release_174_throttle]
JUNOS srxtvp libs [20201017.110007_ssd-builder_release_174_throttle]
JUNOS srx libs [20201017.110007_ssd-builder_release_174_throttle]
JUNOS srx Data Plane Crypto Support [20201017.110007_ssd-builder_release_174_throttle]
JUNOS daemons [20201017.110007_ssd-builder_release_174_throttle]
JUNOS srx daemons [20201017.110007_ssd-builder_release_174_throttle]
JUNOS Online Documentation [20201017.110007_ssd-builder_release_174_throttle]
JUNOS jail runtime [20210202.170745_fbsd-builder_stable_11]
JUNOS FIPS mode utilities [20201017.110007_ssd-builder_release_174_throttle]
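The following Python example is added here and is not part of the Juniper release notes or of Junos OS. It checks saved show system storage output against the two storage conditions in this section: /var usage below 14% of capacity, and enough free space on the file system that holds the upload directory. The sample output is constructed, the function names are hypothetical, and the size suffixes are assumed to be powers of 1024.

```python
import re

# Constructed sample, trimmed to the format of `show system storage` output.
SAMPLE_STORAGE = """\
Filesystem                       Size  Used  Avail  Capacity  Mounted on
/dev/vtbd0s1a                    694M  433M  206M   68%       /
devfs                            1.0K  1.0K  0B     100%      /dev
/dev/vtbd1s1f                    2.7G  69M   2.4G   3%        /var
192.168.1.1:/var/tmp/corefiles   4.5G  125M  4.1G   3%        /var/crash/corefiles
"""

VAR_LIMIT_PCT = 14  # /var usage must be below this percentage before upgrading
UNITS = {"B": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}  # assumed


def to_bytes(size):
    """Convert a size field such as '2.4G' or '0B' to a byte count."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([BKMGT])", size)
    if m is None:
        raise ValueError(f"unrecognised size field: {size!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_storage(output):
    """Return {mount_point: {'avail': bytes, 'capacity': percent}}."""
    mounts = {}
    for line in output.splitlines():
        fields = line.split()
        # Data rows end with: Size Used Avail Capacity% Mount; skip the header.
        if len(fields) < 6 or not fields[-2].endswith("%"):
            continue
        _size, _used, avail, cap, mount = fields[-5:]
        mounts[mount] = {"avail": to_bytes(avail), "capacity": int(cap.rstrip("%"))}
    return mounts


def mount_for(path, mounts):
    """Return the longest mount point containing path, or None."""
    path = path.rstrip("/") or "/"
    hits = [m for m in mounts if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None


def preupgrade_problems(output, image_bytes, dest="/var/crash/corefiles/"):
    """List the storage conditions that block the upgrade (empty list = ready)."""
    mounts = parse_storage(output)
    problems = []
    var = mounts.get("/var")
    if var is None:
        problems.append("/var not found in storage output")
    elif var["capacity"] >= VAR_LIMIT_PCT:
        problems.append(f"/var is at {var['capacity']}%, must be below {VAR_LIMIT_PCT}%")
    target = mount_for(dest, mounts)
    if target is None:
        problems.append(f"no file system found for {dest}")
    elif mounts[target]["avail"] < image_bytes:
        problems.append(f"{target} has {mounts[target]['avail']} bytes free, "
                        f"image needs {image_bytes}")
    return problems


if __name__ == "__main__":
    # 1_000_000_000 is a constructed image size; use the size noted at download.
    for line in preupgrade_problems(SAMPLE_STORAGE, 1_000_000_000) or ["ready"]:
        print(line)
```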
Validating the OVA Image
If you have downloaded a vSRX .ova image and need to validate it, see Validating the vSRX .ova File for VMware.
Note that only .ova (VMware platform) vSRX images can be validated. The .qcow2 vSRX images for use with KVM cannot be validated the same way. File checksums for all software images are, however, available on the download page.