
Junos OS Release Notes for vSRX


These release notes accompany Junos OS Release 20.4R3 for vSRX. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for vSRX.

What's New in Release 20.4R3

There are no new features for vSRX in Junos OS Release 20.4R3.

What's New in Release 20.4R2

Platform and Infrastructure

  • vSRX 3.0 support in Oracle Cloud Infrastructure (vSRX 3.0)—Starting in Junos OS Release 20.4R2, you can deploy vSRX 3.0 in Oracle Cloud Infrastructure (OCI).

    You must download the vSRX 3.0 software from the Juniper Support Downloads page and upload the software into an OCI compartment. The vSRX 3.0 software download is not available in the OCI Marketplace.

    vSRX 3.0 is available with a built-in 60-day free trial evaluation license, which expires after 60 days. OCI supports the Bring Your Own License (BYOL) licensing model. The BYOL model allows you to customize your license, subscription, and support to fit your needs. You can purchase a BYOL license from Juniper Networks or a Juniper Networks authorized reseller.

    [See Licenses for vSRX and vSRX Deployment Guide for Private and Public Cloud Platforms.]

What's New in Release 20.4R1

ATP Cloud

  • Support for filtering DNS requests for disallowed domains (SRX4100, SRX4200, SRX4600, and vSRX)—Starting in Junos OS Release 20.4R1, you can configure DNS filtering to identify DNS requests for disallowed domains. You can either:

    • Block access to the disallowed domain by sending a DNS response that contains the IP address or fully qualified domain name (FQDN) of a DNS sinkhole server. This ensures that when the client attempts to send traffic to the disallowed domain, the traffic instead goes to the sinkhole server.

    • Log the DNS request and reject access.

    The DNS sinkhole must be configured only for the DNS profile category.

    [See dns-filtering, security-intelligence, clear services security-intelligence dns-statistics, and show services security-intelligence dns-statistics.]

Flow-Based and Packet-Based Processing

  • Pass-through authentication of IP-IP and GRE tunnel traffic in TAP mode (SRX300, SRX320, SRX340, SRX345, SRX380, SRX550 HM, SRX1500, and vSRX)—Starting in Junos OS Release 20.4R1, SRX Series devices perform pass-through authentication of IP-IP and GRE tunnel traffic when in TAP mode. To use TAP mode, connect the SRX Series device to the mirror port of the connected switch, which provides a copy of the traffic traversing the switch. In TAP mode, the SRX Series device processes incoming traffic from the TAP interface and generates a security log or report containing information about threats detected, application usage, and user details.

    [See Configure User Authentication Methods.]

  • Support for trace and debug of data packets (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 20.4R1, you can trace packet footprints. To enable tracing of packet footprints, use the traceoptions flag jexec command at the [edit security flow] or [edit logical-systems logical-system-name security flow] hierarchy level.

    The packet trace logs are captured in a sequential time order. The sequential trace enhances flow debuggability for packet processing with multiple logical systems and tenant systems, tunnel piping, multiple reinjection, and so on.

    [See traceoptions (Security Flow) and show security flow status.]

High Availability

  • SR-IOV 10GbE high availability support (vSRX 3.0)—Starting in Junos OS Release 20.4R1, vSRX 3.0 supports high availability (HA) single-root I/O virtualization (SR-IOV) deployment.

    If you have a physical network interface card (NIC) that supports SR-IOV, you can attach SR-IOV-enabled vNICs or virtual functions to the vSRX 3.0 instance.

    With this feature, you can access the hardware directly from a virtual machine environment and efficiently share the PCIe devices to optimize performance and capacity. This feature also allows you to create many virtual functions (VFs) associated with a single physical function (PF), extending the capacity of a device and lowering hardware costs.

    We recommend that you configure all revenue ports of vSRX 3.0 as SR-IOV. On KVM, you can configure SR-IOV high availability on the management port (fxp0), the control port (em0), and the fabric ports (ge-0/0/*).

    The SR-IOV high availability Layer 2 function is not supported. SR-IOV high availability with vSRX 3.0 on VMware and on Mellanox NICs is also not supported.

    [See Configuring SR-IOV 10-Gigabit High Availability on vSRX 3.0.]

Juniper Extension Toolkit (JET)

  • Juniper Extension Toolkit (JET) support for 64-bit applications (MX5, MX10, MX40, MX80, MX104, MX150, MX204, MX240, MX480, MX960, MX2008, MX2010, MX2020, MX10003, MX10008, MX ELM, JunosV Firefly, cSRX, SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, SRX550, SRX550HM, SRX650, SRX720E, SRX750E, SRX1400, SRX1500, SRX3400, SRX3600, SRX4100, SRX4200, SRX4400, SRX4600, SRX4800, SRX5400, SRX5600, SRX5800, SRX7X0E, SRX-ES7, SRX-ES8, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, JET supports 64-bit applications. Use the following commands to compile 64-bit applications for use with the AMD64 or ARM64 64-bit processor architecture.

    • mk-amd64: Compiles the application for use with AMD64 and Junos OS with FreeBSD.

    • mk-amd64,bsdx: Compiles the application for use with AMD64 and Junos OS with upgraded FreeBSD.

    • mk-arm64,bsdx: Compiles the application for use with ARM64 and Junos OS with upgraded FreeBSD.

    [See Develop On-Device JET Applications.]

Junos OS XML API and Scripting

  • Support for Certificate Authority Chain Profile (EX2300, EX3400, EX4300, MX240, MX480, MX960, PTX-5000, vMX, vSRX, and QFX5200)—Starting in Junos OS Release 20.4R1, you can configure an intermediate Certificate Authority (CA) chain profile certificate and perform HTTPS REST API requests using mutual and server authentication.

    To configure an intermediate CA chain certificate, configure the ca-chain statement at the [edit system services rest https] hierarchy level.

Network Management and Monitoring

  • Configuration retrieval using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you can use the configuration revision identifier feature to view the configuration for a specific revision. This configuration database revision can be viewed with the CLI command show system configuration revision.

    [See show system configuration revision.]

  • Junos XML protocol operations support loading and comparing configurations using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, the Junos XML management protocol operations support loading and comparing configurations by referencing the configuration revision identifier of a committed configuration. You can execute the <load-configuration> operation with the configuration-revision attribute to load the configuration with the given revision identifier into the candidate configuration. Additionally, you can compare the candidate or active configuration to a previously committed configuration by referencing the configuration revision identifier for the comparison configuration. The <get-configuration> operation supports the compare="configuration-revision" and configuration-revision attributes to perform the comparison.

    [See <get-configuration> and <load-configuration>.]

Platform and Infrastructure

  • LiquidIO DPDK driver support (vSRX 3.0)—Starting in Junos OS Release 20.4R1, vSRX 3.0 supports the LiquidIO DPDK driver with the KVM hypervisor. If you use LiquidIO II smart NICs, you can use vSRX 3.0 with SR-IOV virtual functions.

    [See Requirements for vSRX on KVM.]

Routing Protocols

  • Support for multiple single-hop EBGP sessions on different links using the same IPv6 link-local address (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you are no longer required to have unique peer addresses for Juniper devices for every EBGP session. You can now enable single-hop EBGP sessions on different links over multiple directly connected peers that use the same IPv6 link-local address.

    In earlier Junos OS Releases, BGP peers could be configured with link-local addresses, but multiple BGP peers could not be configured to use the same link-local address on different interfaces.

    [See Configure Multiple Single-Hop EBGP Sessions on Different Links Using the Same Link-Local Address (IPv6).]

VPNs

  • AWS Key Management Service (KMS) Integration support (vSRX 3.0)—Starting in Junos OS Release 20.4R1, you can safeguard the private keys used by the PKI daemon and IKED using AWS Key Management Service (KMS). You can establish a PKI daemon-based VPN tunnel using the keypairs generated at the KMS. The KMS server creates, stores, and performs the needed keypair operations. After you enable KMS, all the PKI daemon's previously created keypairs are deleted.

    [See Deploying vSRX 3.0 for Securing Data using AWS KMS.]

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for vSRX.

What’s Changed in Release 20.4R3

Network Management and Monitoring

  • The configuration accepts only defined identity values for nodes of type identityref in YANG data models (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—If you configure a statement that has type identityref in the corresponding YANG data model, the device accepts only defined identity values (as defined by an identity statement) as valid input. In earlier releases, the device also accepted values that are not defined identity values.

What’s Changed in Release 20.4R2

Junos OS XML API and Scripting

  • Refreshing scripts from an HTTPS server requires a certificate (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When you refresh a local commit, event, op, SNMP, or Juniper Extension Toolkit (JET) script from an HTTPS server, you must specify the certificate (Root CA or self-signed) that the device uses to validate the server's certificate, thus ensuring that the server is authentic. In earlier releases, when you refresh scripts from an HTTPS server, the device does not perform certificate validation.

    When you refresh a script using the request system scripts refresh-from operational mode command, include the cert-file option and specify the certificate path. Before you refresh a script using the set refresh or set refresh-from configuration mode command, first configure the cert-file statement under the hierarchy level where you configure the script. The certificate must be in Privacy-Enhanced Mail (PEM) format.

    [See request system scripts refresh-from and cert-file.]

What’s Changed in Release 20.4R1

Platform and Infrastructure

  • On vSRX 3.0 instances with AWS Key Management Service (KMS), if the Master Encryption Key (MEK) is changed, the keypairs are re-encrypted using the newly set MEK.

  • Repetition of WALinuxAgent logs causing file size increase (vSRX 3.0)—The Azure WALinuxAgent performs the provisioning job for the vSRX instances. When a new vSRX instance is deployed, the continually increasing size of the waagent log file might cause the vSRX to stop.

    If the vSRX is still operating, delete /var/log/waagent.log directly or run the clear log waagent.log all command to clear the log file. Alternatively, run the set groups azure-provision system syslog file waagent.log archive size 1m and set groups azure-provision system syslog file waagent.log archive files 10 commands to prevent the waagent logs from growing.

    These configuration statements rotate the waagent log once it exceeds 1 MB and keep a maximum of 10 archived copies.

    See vSRX with Microsoft Azure.

Known Limitations

There are no known limitations for vSRX in Junos OS Release 20.4R3.

Open Issues

Learn about open issues in this release for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Platform and Infrastructure

  • IPv6 traffic redirection by NSX-T edge infrastructure is not supported. For a possible workaround, see the PR. PR1527130

  • Ensure the MTU on the host is large enough before setting the MTU in vSRX. PR1537984

  • When upgrading to Junos OS Release 20.4R1 or later, any existing entries within the on-box logging database (security logs) are cleared. This is due to the high performance database design that is not forward-compatible from Junos OS Release 20.3 or earlier versions. These are the logs normally visible within J-Web under the Monitoring>Logs page. PR1541674

  • With ssl-proxy configured along with web-proxy, the client session might not be closed on the device even though the proxy session ends gracefully. PR1580526

  • SRX platforms using Sky ATP with security-intelligence configured might disconnect from the cloud after several days with the error "Connection status: Request client certificate failed". You can recover from the issue with the CLI command restart pki-service. PR1585362

  • Web-proxy: UNKNOWN is reported instead of HTTP-PROXY for the application, and UNKNOWN instead of GOOGLE-GEN, in RT_FLOW close messages. These messages can be seen in the RT_FLOW close log and result from JDPI not being engaged for the session. This might affect application identification for web-proxy session traffic. PR1588139

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 20.4R3

Authentication and Access Control

  • Unified access control (UAC) authentication might not work after a system reboot. PR1585158

Flow-Based and Packet-Based Processing

  • The srxpfe process might crash during route churn. PR1572240

  • The flowd/srxpfe process might crash when clearing the TCP-Proxy session. PR1573842

  • Multicast traffic drop might occur on the TAP interface on SRX devices. PR1583214

  • Unexpected traffic drop happens if both PMI and flexible-vlan-tagging are implemented. PR1584299

General Routing

  • The IKE configure mode payload does not push the secondary DNS and secondary WINS attributes to the Xauth module with IKEv1. Hence, the client is not assigned a secondary DNS and secondary WINS with IKEv1. PR1558831

  • A delay in the vSRX CLI prompt might be observed. PR1559741

  • Fabric probe packets might be processed incorrectly when power-mode-ipsec (PMI) is enabled. PR1564117

  • The srxpfe/flowd process might crash when Sky ATP is used. PR1573157

  • The srxpfe process might stop and generate a core file during the feed update process. PR1579631

  • Incorrect DNS UDP checksums might be generated when vSRX 3.0 performs DNS sinkholing. PR1582827

  • vSRX is unreachable over SSH after integration with KMS on AWS. PR1584415

  • Jflow V9 application-id record: network-based application recognition values for the IPv4 application-id are not as expected. PR1595787

  • ALG traffic might be dropped. PR1598017

Intrusion Detection and Prevention (IDP)

  • Global data SHM utilization might increase quickly and FTP traffic might be impacted. PR1585485

  • Application-identification related signatures might not get triggered. PR1588450

J-Web

  • To improve performance of the Monitoring > Network > Interfaces page, Admin Status is removed, and the Services and Protocols data are merged into one Host inbound traffic entry. PR1574895

Platform and Infrastructure

  • The CoS queue egress interface forwarding-class might not work as expected. PR1538286

Resolved Issues: 20.4R2

J-Web

  • J-Web GUI does not allow you to save a rule if the cumulative shared objects are more than 2500 before the policy grid is saved. When there are several shared objects, there will be a noticeable delay in opening sources and destinations of a rule, and performing the rule action. PR1540047

  • When the commit pending changes message is shown on the J-Web GUI, the contents of other messages, landing page, or pop-ups will not be clearly visible. PR1554024

Platform and Infrastructure

  • Configuration integrity mismatch error in vSRX3.0 running on Azure with key-vault integrated. PR1551419

  • The pkid process runs at 100 percent when the device is unable to connect to a particular URL. PR1560374

  • The srxpfe process might stop and generate a core file during the feed update process. PR1579631

Routing Protocols

  • Traffic might be lost during mirror data transmit from the primary ppmd or bfdd. PR1570228

Resolved Issues: 20.4R1

Application Security

  • The flowd or srxpfe process might crash when SSL proxy and AppSecure process traffic simultaneously. PR1516969

  • During rare circumstances, if the AppID unknown packet capture functionality is enabled, the srxpfe process might crash and generate a core file. PR1538991

Chassis Clustering

  • The control link might be broken when there is excessive traffic load on the control link in a vSRX cluster deployment. PR1524243

CLI

  • On Microsoft Azure deployments, SSH public key authentication is not supported for vSRX 3.0 CLI and portal deployment. PR1402028

  • Commit is not successful when the configuration is committed without active probe settings options (all options under active probe settings are optional). PR1533420

  • The master-password configuration is rejected if master-encryption-password (MEK) is not set. PR1537251

Flow-Based and Packet-Based Processing

  • A chassis cluster node might stop passing traffic. PR1528898

Install and Upgrade

  • Upgrading to Junos OS Release 20.4R1 or later releases with a large, pre-existing security-log database might result in LLMD consuming large amounts of CPU. PR1548423

Interfaces and Chassis

  • With LiquidIO SR-IOV, configuring a ge interface as a DHCP client does not work; no IP address is obtained. PR1529228

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process might generate core files during the idpd process commit on SRX Series devices. PR1521682

  • When adaptive threat profiling is configured within an IDP rule base and logging is enabled, on the vSRX instances the Packet Forwarding Engine process might stop and generate a core file. PR1532737

Platform and Infrastructure

  • The vSRX may restart unexpectedly. PR1479156

  • In vSRX 3.0 on Azure with key-vault enabled, a change in the MEK results in deletion of certificates. PR1513456

  • With CSO SD-WAN configuration loaded, the flowd process generates core files while deleting the GRE IPsec configuration. PR1513461

  • Configuration integrity mismatch error in vSRX3.0 running on Azure with key-vault integrated. PR1551419

Routing Policy and Firewall Filters

  • Junos OS upgrade may encounter failure in certain conditions when enabling ATP. PR1519222

User Access and Authentication

  • On vSRX 3.0 on Azure, with Microsoft Azure Hardware Security Module (HSM) enabled, keypair generation fails if you reuse the certificate ID for creating a new keypair—even if the previous keypair was deleted. PR1490558

VPNs

  • The Ping-icmp test fails after configuring ECMP routes over multipoint tunnel interface VPNs. PR1438311

  • The flowd process might stop in an IPsec VPN scenario. PR1517262

Migration, Upgrade, and Downgrade Instructions

This section contains information about how to upgrade Junos OS for vSRX using the CLI. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

You also can upgrade to Junos OS Release 20.4R3 for vSRX using J-Web (see J-Web) or the Junos Space Network Management Platform (see Junos Space).

Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Releases 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, or 19.2 is supported.

The following limitations apply:

  • Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Release 19.3 and higher is not supported. For upgrade between other combinations of Junos OS Releases in vSRX and vSRX 3.0, the general Junos OS upgrade policy applies.

  • Usage of the file system mounted on /var must be below 14% of capacity.

    Check this using the following command. The matching output line shows the /var file system (for example, /dev/vtbd1s1f) together with its capacity percentage:

    show system storage | match " /var$"

    Using the request system storage cleanup command might help reach that percentage.

  • The Junos OS upgrade image must be placed in the directory /var/host-mnt/var/tmp/. Use the request system software add /var/host-mnt/var/tmp/<upgrade_image> command to install it.

  • We recommend that you deploy a new vSRX virtual machine (VM) instead of performing a Junos OS upgrade. That also gives you the option to move from vSRX to the newer and more recommended vSRX 3.0.

  • Be sure to back up valuable items such as configurations, license keys, certificates, and other files that you want to keep.

Note

For ESXi deployments, the firmware upgrade from Junos OS Release 15.1X49-Dxx to Junos OS releases 17.x, 18.x, or 19.x is not recommended if there are more than three network adapters on the 15.1X49-Dxx vSRX instance. If there are more than three network adapters and you want to upgrade, then we recommend that you either delete all the additional network adapters and add the network adapters after the upgrade or deploy a new vSRX instance on the targeted OS version.

Upgrading Software Packages

To upgrade the software using the CLI:

  1. Download the Junos OS Release 20.4R2 for vSRX .tgz file from the Juniper Networks website. Note the size of the software image.
  2. Verify that you have enough free disk space on the vSRX instance to upload the new software image.
  3. Optionally, free up more disk space, if needed, to upload the image.
    Note

    If this command does not free up enough disk space, see [SRX] Common and safe files to remove in order to increase available system storage for details on safe files you can manually remove from vSRX to free up disk space.

  4. Use FTP, SCP, or a similar utility to upload the Junos OS Release 20.4R2 for vSRX .tgz file to /var/crash/corefiles/ on the local file system of your vSRX VM. For example:
  5. From operational mode, install the software upgrade package.

    If no errors occur, Junos OS reboots automatically to complete the upgrade process. You have successfully upgraded to Junos OS Release 20.4R2 for vSRX.

    Note

    Starting in Junos OS Release 17.4R1, upon completion of the vSRX image upgrade, the original image is removed by default as part of the upgrade process.

  6. Log in and use the show version command to verify the upgrade.
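The disk-space preconditions above (the /var usage limit from the limitations list and the free-space check in step 2), as an added example that is not Juniper's code or documentation: a Python check that parses show system storage output and reports whether an image of a given size can be uploaded. The sample output, its device names and sizes are constructed for illustration; the 14% threshold is the one stated above.

```python
# Added example (not Juniper's code): pre-upgrade storage check for vSRX,
# run over constructed "show system storage" output. Device names and sizes
# in the sample are assumptions made for illustration.
import re

# Constructed sample in the layout of "show system storage" (sizes invented).
SAMPLE_STORAGE_OUTPUT = """\
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/vtbd0s1a           1.8G       1.2G       519M       70%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/vtbd1s1f            19G       1.1G        16G        6%  /var
"""

VAR_CAPACITY_LIMIT_PCT = 14  # release notes: /var must be below 14% used

_UNITS = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(text):
    """Convert a human-readable size such as '16G' or '519M' to bytes."""
    m = re.fullmatch(r"([0-9.]+)([BKMGT])", text.strip())
    if not m:
        raise ValueError("unrecognized size: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_storage(output):
    """Return {mount_point: {...}} from show system storage output.

    The header line is skipped; any line that does not have exactly six
    fields (filesystem, size, used, avail, capacity, mount) is ignored.
    """
    table = {}
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue
        fs, _size, _used, avail, capacity, mount = fields
        table[mount] = {
            "filesystem": fs,
            "avail": parse_size(avail),
            "capacity_pct": int(capacity.rstrip("%")),
        }
    return table


def preupgrade_storage_check(output, image_size_bytes):
    """Apply the two /var conditions; return a list of problems (empty = OK).

    The image is uploaded under /var, so both the usage threshold and the
    free space for the image are evaluated against the /var file system.
    """
    problems = []
    var = parse_storage(output).get("/var")
    if var is None:
        return ["no /var filesystem found in storage output"]
    if var["capacity_pct"] >= VAR_CAPACITY_LIMIT_PCT:
        problems.append(
            "/var is %d%% used; must be below %d%% "
            "(try 'request system storage cleanup')"
            % (var["capacity_pct"], VAR_CAPACITY_LIMIT_PCT))
    if var["avail"] < image_size_bytes:
        problems.append("/var has %d bytes free, image needs %d"
                        % (var["avail"], image_size_bytes))
    return problems


if __name__ == "__main__":
    # A constructed 800 MB image against the sample output passes both checks.
    print(preupgrade_storage_check(SAMPLE_STORAGE_OUTPUT, 800 * 1024 ** 2))
```

Feed the function the real output of show system storage (captured over SSH or pasted) and the byte size of the downloaded .tgz noted in step 1.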

Validating the OVA Image

If you have downloaded a vSRX .ova image and need to validate it, see Validating the vSRX .ova File for VMware.

Note that only .ova (VMware platform) vSRX images can be validated. The .qcow2 vSRX images for use with KVM cannot be validated the same way. File checksums for all software images are, however, available on the download page.