Junos OS Release Notes for vSRX

 

These release notes accompany Junos OS Release 20.2R3 for vSRX. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for vSRX.

What's New in Release 20.2R3

There are no new features for vSRX in Junos OS Release 20.2R3.

What's New in Release 20.2R2

There are no new features for vSRX in Junos OS Release 20.2R2.

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for vSRX.

What’s Changed in Release 20.2R3

There are no changes in behavior or syntax for vSRX in Junos OS Release 20.2R3.

What’s Changed in Release 20.2R2

Platform and Infrastructure

  • Repetition of WALinuxAgent logs causing file size increase (vSRX 3.0)—The Azure WALinuxAgent performs the provisioning job for the vSRX instances. When a new vSRX instance is deployed, the continuously growing waagent log file might cause the vSRX to stop.

    If the vSRX is still operating, delete the /var/log/waagent.log file directly or run the clear log waagent.log all command to clear the log file.

    Alternatively, run the set groups azure-provision system syslog file waagent.log archive size 1m and set groups azure-provision system syslog file waagent.log archive files 10 commands to keep the waagent log from growing. With this configuration, the waagent log is rotated when it grows larger than 1 MB, and a maximum of 10 backups is kept.

    See vSRX with Microsoft Azure.

  • vSRX 3.0 instances with AWS Key Management Service (KMS)—On vSRX 3.0 instances with AWS Key Management Service (KMS), if the Master Encryption Key (MEK) is changed, the keypairs are re-encrypted using the newly set MEK.

Known Limitations

Learn about known limitations in Junos OS Release 20.2R3 for vSRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

J-Web

  • When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is autorefreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214

  • For a spoke device in a hub-and-spoke topology, J-Web shows the VPN topology as Site to Site. PR1495973

Open Issues

Learn about open issues in Junos OS Release 20.2R3 for vSRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Intrusion Detection and Prevention (IDP)

  • The IDP database file format or convention changed in Junos OS Release 15.1X49 and later releases. If the IDP configuration contains predefined attacks or attack-group configurations, the system goes into amnesiac mode after upgrade because the IDP configuration commit fails. PR1455125

J-Web

  • Configuration of global settings options of IPsec VPN such as TCP encap profile, IPsec power mode, and IKE package installation are not supported from J-Web. PR1496439

Platform and Infrastructure

  • On vSRX 3.0 on Azure, with Microsoft Azure Hardware Security Module (HSM) enabled, keypair generation fails if the user reuses the certificate ID for creating a new keypair, even if the previous keypair has been deleted. PR1490558

  • When using the Juniper vSRX deployment script deploy-azure-vsrx.sh to create a new vSRX instance, if the same user is defined in both the parameter.json file and the YAML file (using the write_files module), both passwords are configured in different configuration groups in the running configuration of the vSRX. The password defined in the YAML file is the one that is considered. PR1491074

  • vSRX instances now support using a cloud feed as the source address or destination address in a security policy. Because of the dynamic nature of cloud provisioning, a warning is issued instead of an error when the policy's source address or destination address is not found. PR1521739

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 20.2R3

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process might generate core files during the idpd process commit. PR1521682

Platform and Infrastructure

  • SRX series devices or vSRX instances fail to download dynamic-address feed from Security Director. PR1442248

  • The control link might be broken when there is excessive traffic load on the control link in vSRX cluster deployment. PR1524243

  • The master-password configuration is rejected if master encryption password is not set. PR1537251

  • The srxpfe process might crash when Application Identification Packet-Capture functionality is enabled. PR1538991

  • A configuration integrity mismatch error is observed on vSRX 3.0 running on Azure with key-vault integrated. PR1551419

  • High CPU usage on pkid process might be seen when the device is unable to connect to a particular CRL URL. PR1560374

Resolved Issues: 20.2R2

Intrusion Detection and Prevention (IDP)

  • When adaptive threat profiling is configured within an IDP rule base and logging is enabled, on the vSRX instances the Packet Forwarding Engine process might stop and generate the core file. PR1532737

J-Web

  • While creating a firewall policy rule, the list of available dynamic applications is empty in HA on the Select Dynamic Application page. PR1490346

  • Infinite loading circle may be encountered via J-Web. PR1493601

Platform and Infrastructure

  • On Microsoft Azure deployments, SSH public key authentication is not supported for vSRX 3.0 CLI and portal deployment. PR1402028

  • The vSRX may restart unexpectedly. PR1479156

  • Changes to the configuration command for assigning more vCPUs to the Routing Engine. PR1505724

  • In vSRX3.0 on Azure with keyvault enabled, change in MEK results in deletion of certificates. PR1513456

  • With CSO SD-WAN configuration loaded, flowd process generates core files while deleting the GRE IPsec configuration. PR1513461

  • The flowd or srxpfe process might crash when SSL proxy and AppSecure process traffic simultaneously. PR1516969

Routing Policy and Firewall Filters

  • Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002

  • Junos OS upgrade may encounter failure in certain conditions when enabling ATP. PR1519222

VPNs

  • On vSRX3.0 instances, when ECMP routes are configured to load balance over multiple IPSec VPNs connected to a single multipoint tunnel interface, the traffic may not flow. PR1438311

  • The flowd process might stop in an IPsec VPN scenario. PR1517262

Migration, Upgrade, and Downgrade Instructions

This section contains information about how to upgrade Junos OS for vSRX using the CLI. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

You also can upgrade to Junos OS Release 20.2R3 for vSRX using J-Web (see J-Web) or the Junos Space Network Management Platform (see Junos Space).

Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Releases 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, or 19.2 is supported.

The following limitations apply:

  • Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Release 19.3 and higher is not supported. For upgrade between other combinations of Junos OS Releases in vSRX and vSRX 3.0, the general Junos OS upgrade policy applies.

  • The file system mounted on /var usage must be below 14% of capacity.

    Check this using the following command:

    show system storage | match " /var$"
    /dev/vtbd1s1f

    Using the request system storage cleanup command might help reach that percentage.

  • The Junos OS upgrade image must be placed in the directory /var/host-mnt/var/tmp/. Use the request system software add /var/host-mnt/var/tmp/<upgrade_image>

  • We recommend that you deploy a new vSRX virtual machine (VM) instead of performing a Junos OS upgrade. That also gives you the option to move from vSRX to the newer and more recommended vSRX 3.0.

  • Be sure to back up valuable items such as configurations, license keys, certificates, and other files that you want to keep.

Note

For ESXi deployments, the firmware upgrade from Junos OS Release 15.1X49-Dxx to Junos OS releases 17.x, 18.x, or 19.x is not recommended if there are more than three network adapters on the 15.1X49-Dxx vSRX instance. If there are more than three network adapters and you want to upgrade, then we recommend that you either delete all the additional network adapters and add the network adapters after the upgrade or deploy a new vSRX instance on the targeted OS version.

Upgrading Software Packages

To upgrade the software using the CLI:

  1. Download the Junos OS Release 20.2R3 for vSRX .tgz file from the Juniper Networks website. Note the size of the software image.
  2. Verify that you have enough free disk space on the vSRX instance to upload the new software image.
  3. Optionally, free up more disk space if needed to upload the image.
    Note

    If this command does not free up enough disk space, see [SRX] Common and safe files to remove in order to increase available system storage for details on safe files you can manually remove from vSRX to free up disk space.

  4. Use FTP, SCP, or a similar utility to upload the Junos OS Release 20.2R3 for vSRX .tgz file to /var/crash/corefiles/ on the local file system of your vSRX VM. For example:
  5. From operational mode, install the software upgrade package.

    If no errors occur, Junos OS reboots automatically to complete the upgrade process. You have successfully upgraded to Junos OS Release 20.2R3 for vSRX.

    Note

    Starting in Junos OS Release 17.4R1, upon completion of the vSRX image upgrade, the original image is removed by default as part of the upgrade process.

  6. Log in and use the show version command to verify the upgrade.
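
The disk-space check in step 2 and the 14% limit on /var listed above can be scripted before an upgrade. The following is an added example, not Juniper code: it parses captured `show system storage` text, the sample output is constructed, and it assumes the upload directory sits on the /var filesystem.

```python
import re

VAR_MAX_PERCENT = 14  # from the page: /var usage must be below 14% of capacity
_UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}

# Constructed sample of `show system storage` output, not from a real device.
SAMPLE = """\
Filesystem        Size   Used  Avail  Capacity  Mounted on
/dev/vtbd0s1a     1.4G   1.2G   100M       93%  /
/dev/vtbd1s1f     2.7G    82M   2.4G        3%  /var
/dev/vtbd1s1e     302M   1.0M   277M        0%  /config
"""

def to_bytes(size):
    """Convert a df-style size such as '82M' or '2.7G' to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]?)B?", size.strip())
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])

def var_usage(storage_output):
    """Return (capacity_percent, avail_bytes) for the filesystem mounted on /var."""
    for line in storage_output.splitlines():
        fields = line.split()
        # Same selection as `| match " /var$"`: the mount point is exactly /var.
        if len(fields) == 6 and fields[5] == "/var":
            return int(fields[4].rstrip("%")), to_bytes(fields[3])
    raise LookupError("no filesystem mounted on /var in the output")

def preflight(storage_output, image_bytes):
    """Return a list of problems; an empty list means both checks pass."""
    percent, avail = var_usage(storage_output)
    problems = []
    if percent >= VAR_MAX_PERCENT:
        problems.append(f"/var is at {percent}%, must be below {VAR_MAX_PERCENT}%")
    if avail < image_bytes:
        # Assumption: the upload directory lives on the /var filesystem.
        problems.append(f"/var has {avail} bytes free, image is {image_bytes} bytes")
    return problems

if __name__ == "__main__":
    image_size = 700 * 1024**2  # hypothetical image size noted in step 1
    for problem in preflight(SAMPLE, image_size) or ["preflight OK"]:
        print(problem)
```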

Validating the OVA Image

If you have downloaded a vSRX .ova image and need to validate it, see Validating the vSRX .ova File for VMware.

Note that only .ova (VMware platform) vSRX images can be validated. The .qcow2 vSRX images for use with KVM cannot be validated the same way. File checksums for all software images are, however, available on the download page.