Junos OS Release Notes for vSRX
These release notes accompany Junos OS Release 20.3R1 for vSRX. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.
What’s New
Learn about new features introduced in the Junos OS main and maintenance releases for vSRX.
Interfaces and Chassis
TAP mode support for (vSRX 3.0)—Starting in Junos OS Release 20.3R1, TAP mode is supported for IDP, UTM, and UserFW on vSRX 3.0 to generate security log information and to display the information on threats detected, application usage, and user details according to the incoming traffic.
Both client to server and server to client traffic is directed to vSRX port using switch mirror or fiber tap. In this mode, vSRX 3.0 receives packet only from the configured TAP interface. All sending packets to TAP interface are dropped silently before leaving the vSRX instance. Except the configured TAP interface, other interface can be configured as standard interface and can be used as management interface or connected to outside server.
Use the set security forwarding-options mode tap interface <interface-name> command to configure TAP mode on an interface.
To disable this TAP mode, delete the TAP mode for the related interface and the related zone and policy configuration of that interface.
[See TAP Mode Support Overview, TAP Mode for IDP, TAP Mode for Security Zones and Policies, and forwarding-options (Security).]
Juniper ATP Cloud
Support for integration of AWS GuardDuty with vSRX Firewalls and Juniper ATP Cloud (vSRX)—Starting with Junos OS Release 20.3R1, we support threat feeds from Amazon Web Services (AWS) GuardDuty. The threats are sent as a security feed to the vSRX firewalls in the AWS environment. The vSRX firewalls can access the feeds either by directly downloading it from the AWS S3 bucket or, if the vSRX firewall is enrolled with Juniper ATP Cloud, the feed is pushed to the firewall device along with the security intelligence (SecIntel) feeds.
Junos Telemetry Interface
Packet Forwarding Engine and Routing Engine sensor support on JTI (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX)—Junos OS Release 20.3R1 provides streaming support for revenue interface statistics through Packet Forwarding Engine (PFE) sensors and pseudo interface statistics through Routing Engine sensors. Sensors are supported through Junos telemetry interface (JTI) and remote procedure calls (gRPC) or gRPC Network Management Interface (gNMI) services. gNMI service is also enabled for other supported Routing Engine sensors.
Using JTI and gRPC or gNMI services, you can stream telemetry statistics to an outside collector.
These interface sensors are supported:
Physical interfaces (IFD) (resource path
/interfaces/interface/).Logical interfaces (IFL) (resource path
/interfaces/interface/subinterfaces/).
These Routing Engine sensors are supported using gNMI services (previously, only gRPC services were supported):
System events (resource path
/junos/events).BGP peer information (resource path
/network-instances/network-instance/protocols/).
protocol/bgp/Memory utilization for routing protocol task (resource path
/junos/task-memory-information/).Operational state of Routing Engines, power supply modules, Switch Fabric Boards, Control Boards, Switch Interface Boards, Modular Interface Cards, and Physical Interface Cards (resource path
/components/).Link Layer Discovery Protocol (LLDP) (resource path
/lldp/).Address Resolution Protocol (ARP) statistics for IPv4 routes (resource path
/arp-information/).Network Discovery Protocol (NDP) table state information for IPv6 routes (resource path
/nd6-information/).NDP router-advertisement statistics (resource path
/ipv6-ra/).IS-IS routing protocol statistics (resource path
/network-instances/network-instance/protocols/protocol/isis/levels/level/andnetwork-instances/network-instance/protocols/protocol/isis/interfaces/interface/levels/level/).
[See Guidelines for gRPC and gNMI Sensors (Junos Telemetry Interface.]
Management
Enhanced Service Mode Support (vSRX 3.0)—Starting in Junos OS Release 20.3R1, vSRX 3.0 supports Enhanced Service Mode (ESM). When this mode is enabled, vSRX 3.0 can support maximum of 128K sessions for Layer 7 services with increased service memory and the number of L4 sessions will be reduced to 50%.
By default, ESM is disabled and the vSRX 3.0 is in basic firewall mode. You can enable ESM using the set security forwarding-process enhanced-services-mode command. After enabling this mode, you need to reboot the instance.
When you enable this configuration, you will receive a warning message warning: You have changed enhanced services mode. You must reboot the system for your change to take effect. If you have deployed a cluster, be sure to reboot all nodes.
[See forwarding-process and show security flow status.]
Performance and Scaling
Scaling vSRX 3.0 using Microsoft Azure Load Balancer and Virtual Machine Scale Sets (vSRX 3.0)—Starting in Junos OS Release 20.3R1, vSRX 3.0 can automatically scale out or scale in for internal and outbound traffic using Azure Load Balancer (LB) and Microsoft Azure Virtual Machine Scale Sets (VMSS).
vSRX 3.0 instances are inline firewalls and any throughput or connection scaling limitations on these firewalls limit the performance and scaling of the entire virtual network. In such cases autoscaling of infrastructure for traffic inside the virtual network and for the outbound traffic is required. You can use the suggested deployments with Azure Load Balancer and Virtual Machine Scale Sets to achieve vSRX 3.0 scaling and better performance for your business needs.
VPNs
Increase in IPsec VPN tunnels (vSRX)—Starting in Junos OS Release 20.3R1, vSRX instances support up to 10,000 IPsec VPN tunnels. Previously, vSRX instances with 17 vCPUs supported 512 IPsec VPN tunnels.
To support the increased number of IPsec VPN tunnels, a minimum of 19 vCPUs are required. Out of the 19 vCPUs, 3 vCPUs must be dedicated to RE.
You must run the request system software add optional://junos-ike.tgz command the first time you wish to enable increased IPsec tunnel capacity. For subsequent software upgrades of the instance, the junos-ike package is upgraded automatically from the new Junos OS releases installed in the instance. If chassis cluster is enabled then run this command on both the nodes.
You can configure the number of vCPUs allocated to Junos Routing Engine using the set security forwarding-options resource-manager cpu re <value>. You must reboot the system to activate the new vCPU allocation for RE and Flow RT threads. Run the show security forward-options resource-manager status command to verify the vCPU allocation between routing engine and the flow RT threads.
[See Junos OS Features Supported on vSRX, forwarding-options (Security), and show security forward-options resource-manager.]
Increased Tunnel Scaling (vSRX)—Starting in Junos OS Release 20.3R1, vSRX is supported by a new architecture similar to SRX5000 line of devices with SPC3 which increases the tunnel scale.
IPsec VPN features that are supported on SRX5000 line of devices with SPC3 (SRX5K-SPC3) are also supported on vSRX instances.
By default, when the vSRX boots up, the legacy architecture is executed. To enable the new architecture its mandatory to load and install this new junos-ike package. This is an optional package that is included in the Junos release. As an administrator, you must execute the request system software add optional://junos-ike.tgz command to load the junos-ike package.
[See IPsec VPN Features and Configurations Not Supported on SRX5K-SPC3 and vSRX Instances.]
Known Limitations
Learn about known limitations in this release for vSRX.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Intrusion Detection and Prevention (IDP)
Disable IDP before upgrading vSRX from a Junos OS Release 15.1X49 to Junos OS Release 17.4 or higher releases. Due to a change in IDP database format after Junos OS Release 15.1X49, there is no IDP database initially after the upgrade and the IDP configuration may fail to load, potentially leading to the entire Junos OS configuration not to load at the first bootup after the upgrade. After the upgrade, first download and install the IDP security package before re-enabling IDP again. PR1455125
J-Web
For a spoke device in a hub-and-spoke topology, the UI will show VPN topology as Site to Site. PR1495973
Open Issues
Learn about open issues in this release for vSRX.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
J-Web
Configuration of global setting options of IPSec VPN such as TCP-Encap profile, IPSec Power Mode, and IKE package installation is not supported from the UI. PR1496439
User Access and Authentication
On vSRX 3.0 on Azure, with Microsoft Azure Hardware Security Module (HSM) enabled, keypair generation fails if the user re-uses the certificate ID for creating a new keypair, even if the previous keypair has been deleted. PR1490558
Resolved Issues
Learn which issues were resolved in the Junos OS main and maintenance releases for vSRX.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Application Security
Application Quality of Experience (AppQoE) system log shows best-path previous-interface value as “N/A” when deactivating DBG or the link. PR1487056
When destination-path-group is deleted in the configuration and added again, the fc-id, dscp, fc name, and loss priority fields are reset. PR1489948
The flow performance might be reduced in the Security Intelligence scenario. PR1491682
Intrusion Detection and Prevention (IDP)
The IDP attack detection may not work in a specific situation. PR1497340
J-Web
While creating a firewall policy rule, the list of available dynamic applications is empty in HA on the Select Dynamic Application page. PR1490346
Infinite loading circle may be encountered via J-Web. PR1493601
Platform and Infrastructure
The clock drift issue might cause control link failure of a vSRX cluster running on KVM hypervisor. PR1496937
The vSRX may restart unexpectedly. PR1479156
In vSRX3.0 on Azure with keyvault enabled, change in MEK results in deletion of certificates. PR1513456
With CSO SD-WAN configuration loaded, flowd process generates core files while deleting the GRE IPsec configuration. PR1513461
Changes to the configuration command for assigning more vCPUs to the Routing Engine. PR1505724
On vSRX the interfaces might remain shut as the FPC faces issues while coming online after an upgrade attempt on the device. PR1499092
When SSL proxy is enabled and if the vSRX runs out of memory, then the SSL proxy module might stop. PR1505013
Routing Policy and Firewall Filters
Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002
Junos OS upgrade may encounter failure in certain conditions when enabling ATP. PR1519222
Unified Threat Management (UTM)
The source and destination IP or port fields were reversed for Content-Filtering and Anti-Virus logs. PR1499327
VPNs
On vSRX3.0 instances, when ECMP routes are configured to load balance over multiple IPSec VPNs connected to a single multipoint tunnel interface, the traffic may not flow. PR1438311
The flowd process might stop in IPsec VPN scenario. PR1517262
Migration, Upgrade, and Downgrade Instructions
This section contains information about how to upgrade Junos OS for vSRX using the CLI. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.
You also can upgrade to Junos OS Release 20.3R1 for vSRX using J-Web (see J-Web) or the Junos Space Network Management Platform (see Junos Space).
Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Releases 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, or 19.2 is supported.
The following limitations apply:
Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Release 19.3 and higher is not supported. For upgrade between other combinations of Junos OS Releases in vSRX and vSRX 3.0, the general Junos OS upgrade policy applies.
The file system mounted on /var usage must be below 14% of capacity.
Check this using the following command:
show system storage | match " /var$" /dev/vtbd1s1f2.7G 82M 2.4G 3% /var
Using the request system storage cleanup command might help reach that percentage.
The Junos OS upgrade image must be placed in the directory /var/host-mnt/var/tmp/. Use the request system software add /var/host-mnt/var/tmp/<upgrade_image>
We recommend that you deploy a new vSRX virtual machine (VM) instead of performing a Junos OS upgrade. That also gives you the option to move from vSRX to the newer and more recommended vSRX 3.0.
Ensure to back up valuable items such as configurations, license-keys, certificates, and other files that you would like to keep.
For ESXi deployments, the firmware upgrade from Junos OS Release 15.1X49-Dxx to Junos OS releases 17.x, 18.x, or 19.x is not recommended if there are more than three network adapters on the 15.1X49-Dxx vSRX instance. If there are more than three network adapters and you want to upgrade, then we recommend that you either delete all the additional network adapters and add the network adapters after the upgrade or deploy a new vSRX instance on the targeted OS version.
Upgrading Software Packages
To upgrade the software using the CLI:
- Download the
Junos OS Release 20.3R1 for vSRX .tgzfile from the Juniper Networks website. Note the size of the software image. - Verify that you have enough free disk space on the vSRX
instance to upload the new software image.
root@vsrx> show system storage Filesystem Size Used Avail Capacity Mounted on /dev/vtbd0s1a 694M 433M 206M 68% / devfs 1.0K 1.0K 0B 100% /dev /dev/md0 1.3G 1.3G 0B 100% /junos /cf 694M 433M 206M 68% /junos/cf devfs 1.0K 1.0K 0B 100% /junos/dev/ procfs 4.0K 4.0K 0B 100% /proc /dev/vtbd1s1e 302M 22K 278M 0% /config /dev/vtbd1s1f 2.7G 69M 2.4G 3% /var /dev/vtbd3s2 91M 782K 91M 1% /var/host /dev/md1 302M 1.9M 276M 1% /mfs /var/jail 2.7G 69M 2.4G 3% /jail/var /var/jails/rest-api 2.7G 69M 2.4G 3% /web-api/var /var/log 2.7G 69M 2.4G 3% /jail/var/log devfs 1.0K 1.0K 0B 100% /jail/dev 192.168.1.1:/var/tmp/corefiles 4.5G 125M 4.1G 3% /var/crash/corefiles 192.168.1.1:/var/volatile 1.9G 4.0K 1.9G 0% /var/log/host 192.168.1.1:/var/log 4.5G 125M 4.1G 3% /var/log/hostlogs 192.168.1.1:/var/traffic-log 4.5G 125M 4.1G 3% /var/traffic-log 192.168.1.1:/var/local 4.5G 125M 4.1G 3% /var/db/host 192.168.1.1:/var/db/aamwd 4.5G 125M 4.1G 3% /var/db/aamwd 192.168.1.1:/var/db/secinteld 4.5G 125M 4.1G 3% /var/db/secinteld - Optionally, free up more disk space if needed to upload
the image.
root@vsrx> request system storage cleanup List of files to delete: Size Date Name 11B Sep 25 14:15 /var/jail/tmp/alarmd.ts 259.7K Sep 25 14:11 /var/log/hostlogs/vjunos0.log.1.gz 494B Sep 25 14:15 /var/log/interactive-commands.0.gz 20.4K Sep 25 14:15 /var/log/messages.0.gz 27B Sep 25 14:15 /var/log/wtmp.0.gz 27B Sep 25 14:14 /var/log/wtmp.1.gz 3027B Sep 25 14:13 /var/tmp/BSD.var.dist 0B Sep 25 14:14 /var/tmp/LOCK_FILE 666B Sep 25 14:14 /var/tmp/appidd_trace_debug 0B Sep 25 14:14 /var/tmp/eedebug_bin_file 34B Sep 25 14:14 /var/tmp/gksdchk.log 46B Sep 25 14:14 /var/tmp/kmdchk.log 57B Sep 25 14:14 /var/tmp/krt_rpf_filter.txt 42B Sep 25 14:13 /var/tmp/pfe_debug_commands 0B Sep 25 14:14 /var/tmp/pkg_cleanup.log.err 30B Sep 25 14:14 /var/tmp/policy_status 0B Sep 25 14:14 /var/tmp/rtsdb/if-rtsdb Delete these files ? [yes,no] (no) yes < output omitted>Note If this command does not free up enough disk space, see [SRX] Common and safe files to remove in order to increase available system storage for details on safe files you can manually remove from vSRX to free up disk space.
- Use FTP, SCP, or a similar utility to upload the Junos
OS Release 20.3R1 for vSRX .tgz file to
/var/crash/corefiles/on the local file system of your vSRX VM. For example:root@vsrx> file copy ftp://username:prompt@ftp.hostname.net/pathname/
junos-vsrx-x86-64-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE.tgz /var/crash/corefiles/ - From operational mode, install the software upgrade package.
root@vsrx> request system software add /var/crash/corefiles/junos-vsrx-x86-64-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE.tgz no-copy no-validate reboot Verified junos-vsrx-x86-64-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE signed by PackageDevelopmentEc_2017 method ECDSA256+SHA256 THIS IS A SIGNED PACKAGE WARNING: This package will load JUNOS 20.3 software. WARNING: It will save JUNOS configuration files, and SSH keys WARNING: (if configured), but erase all other files and information WARNING: stored on this machine. It will attempt to preserve dumps WARNING: and log files, but this can not be guaranteed. This is the WARNING: pre-installation stage and all the software is loaded when WARNING: you reboot the system. Saving the config files ... Pushing Junos image package to the host... Installing /var/tmp/install-media-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE.tgz Extracting the package ... total 975372 -rw-r--r-- 1 30426 950 710337073 Oct 19 17:31 junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-app.tgz -rw-r--r-- 1 30426 950 288433266 Oct 19 17:31 junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz Setting up Junos host applications for installation ... ============================================ Host OS upgrade is FORCED Current Host OS version: 3.0.4 New Host OS version: 3.0.4 Min host OS version required for applications: 0.2.4 ============================================ Installing Host OS ... upgrade_platform: ------------------- upgrade_platform: Parameters passed: upgrade_platform: silent=0 upgrade_platform: package=/var/tmp/junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz upgrade_platform: clean install=0 upgrade_platform: clean upgrade=0 upgrade_platform: Need reboot after staging=0 upgrade_platform: ------------------- upgrade_platform: upgrade_platform: Checking input /var/tmp/junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz ... upgrade_platform: Input package /var/tmp/junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz is valid. upgrade_platform: Backing up boot assets.. cp: omitting directory '.' bzImage-intel-x86-64.bin: OK initramfs.cpio.gz: OK version.txt: OK initrd.cpio.gz: OK upgrade_platform: Checksum verified and OK... /boot upgrade_platform: Backup completed upgrade_platform: Staging the upgrade package - /var/tmp/junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz.. ./ ./bzImage-intel-x86-64.bin ./initramfs.cpio.gz ./upgrade_platform ./HOST_COMPAT_VERSION ./version.txt ./initrd.cpio.gz ./linux.checksum ./host-version bzImage-intel-x86-64.bin: OK initramfs.cpio.gz: OK version.txt: OK upgrade_platform: Checksum verified and OK... upgrade_platform: Staging of /var/tmp/junos-srx-mr-vsrx-20.3-2020-9-10.0_RELEASE_20.3_THROTTLE-linux.tgz completed upgrade_platform: System need *REBOOT* to complete the upgrade upgrade_platform: Run upgrade_platform with option -r | --rollback to rollback the upgrade Host OS upgrade staged. Reboot the system to complete installation! WARNING: A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the WARNING: 'request system reboot' command when software installation is WARNING: complete. To abort the installation, do not reboot your system, WARNING: instead use the 'request system software rollback' WARNING: command as soon as this operation completes. NOTICE: 'pending' set will be activated at next reboot... Rebooting. Please wait ... shutdown: [pid 13050] Shutdown NOW! *** FINAL System shutdown message from root@ *** System going down IMMEDIATELY Shutdown NOW! System shutdown time has arrived\x07\x07If no errors occur, Junos OS reboots automatically to complete the upgrade process. You have successfully upgraded to Junos OS Release 20.3R1 for vSRX.
Note Starting in Junos OS Release 17.4R1, upon completion of the vSRX image upgrade, the original image is removed by default as part of the upgrade process.
- Log in and use the
show versioncommand to verify the upgrade.--- JUNOS 20.3-2020-9-10.0_RELEASE_20.3_THROTTLE Kernel 64-bit JNPR-11.0-20171012.170745_fbsd- At least one package installed on this device has limited support. Run 'file show /etc/notices/unsupported.txt' for details. root@:~ # cli root> show version Model: vsrx Junos: 20.3-2020-9-10.0_RELEASE_20.3_THROTTLE JUNOS OS Kernel 64-bit [20171012.170745_fbsd-builder_stable_11] JUNOS OS libs [20171012.170745_fbsd-builder_stable_11] JUNOS OS runtime [20171012.170745_fbsd-builder_stable_11] JUNOS OS time zone information [20171012.170745_fbsd-builder_stable_11] JUNOS OS libs compat32 [20171012.170745_fbsd-builder_stable_11] JUNOS OS 32-bit compatibility [20171012.170745_fbsd-builder_stable_11] JUNOS py extensions [20171017.110007_ssd-builder_release_174_throttle] JUNOS py base [20171017.110007_ssd-builder_release_174_throttle] JUNOS OS vmguest [20171012.170745_fbsd-builder_stable_11] JUNOS OS crypto [20171012.170745_fbsd-builder_stable_11] JUNOS network stack and utilities [20171017.110007_ssd-builder_release_174_throttle] JUNOS libs [20171017.110007_ssd-builder_release_174_throttle] JUNOS libs compat32 [20171017.110007_ssd-builder_release_174_throttle] JUNOS runtime [20171017.110007_ssd-builder_release_174_throttle] JUNOS Web Management Platform Package [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx libs compat32 [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx runtime [20171017.110007_ssd-builder_release_174_throttle] JUNOS common platform support [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx platform support [20171017.110007_ssd-builder_release_174_throttle] JUNOS mtx network modules [20171017.110007_ssd-builder_release_174_throttle] JUNOS modules [20171017.110007_ssd-builder_release_174_throttle] JUNOS srxtvp modules [20171017.110007_ssd-builder_release_174_throttle] JUNOS srxtvp libs [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx libs [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx Data Plane Crypto Support [20171017.110007_ssd-builder_release_174_throttle] JUNOS daemons [20171017.110007_ssd-builder_release_174_throttle] JUNOS srx daemons [20171017.110007_ssd-builder_release_174_throttle] JUNOS Online Documentation [20171017.110007_ssd-builder_release_174_throttle] JUNOS jail runtime [20171012.170745_fbsd-builder_stable_11] JUNOS FIPS mode utilities [20171017.110007_ssd-builder_release_174_throttle]
Validating the OVA Image
If you have downloaded a vSRX .ova image and need to validate it, see Validating the vSRX .ova File for VMware.
Note that only .ova (VMware platform) vSRX images can be validated. The .qcow2 vSRX images for use with KVM cannot be validated the same way. File checksums for all software images are, however, available on the download page.