Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for vSRX

 

These release notes accompany Junos OS Release 20.4R3 for vSRX. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for vSRX.

What's New in Release 20.4R3

There are no new features for vSRX in Junos OS Release 20.4R3.

What's New in Release 20.4R2

Platform and Infrastructure

  • vSRX 3.0 support in Oracle Cloud Infrastructure (vSRX 3.0)—Starting in Junos OS Release 20.4R2, you can deploy vSRX 3.0 in Oracle Cloud Infrastructure (OCI).

    You must download the vSRX 3.0 software from the Juniper Support Downloads page and upload the software into an OCI compartment.​ vSRX 3.0 software download is not available in the OCI Marketplace.

    vSRX 3.0 is available with built-in 60 days free trial eval license. The eval license expires after 60 days. OCI supports Bring Your Own License (BYOL) licensing model. The BYOL license model allows you to customize your license, subscription, and support to fit your needs. You can purchase BYOL from Juniper Networks or Juniper Networks authorized reseller.

    [See Licenses for vSRX and vSRX Deployment Guide for Private and Public Cloud Platforms.]

What's New in Release 20.4R1

ATP Cloud

  • Support for filtering DNS requests for disallowed domains (SRX4100, SRX4200, SRX4600, and vSRX)—Starting in Junos OS Release 20.4R1, you can configure DNS filtering to identify DNS requests for disallowed domains. You can either:

    • Block access to the disallowed domain by sending a DNS response that contains the IP address or fully qualified domain name (FQDN) of a DNS sinkhole server. This ensures that when the client attempts to send traffic to the disallowed domain, the traffic instead goes to the sinkhole server.

    • Log the DNS request and reject access.

    The DNS sinkhole must be configured only for DNS profile category.

    [See dns-filtering, security-intelligence, clear services security-intelligence dns-statistics, and show services security-intelligence dns-statistics.]

Flow-Based Packet-Based Processing

  • Pass-through authentication of IP-IP and GRE tunnel traffic in TAP mode (SRX300, SRX320, SRX340, SRX345, SRX380, SRX550 HM, SRX1500, and vSRX)—Starting in Junos OS Release 20.4R1, SRX Series devices perform pass-through authentication of IP-IP and GRE tunnel traffic when in TAP mode. To use TAP mode, connect the SRX Series device to the mirror port of the connected switch, which provides a copy of the traffic traversing the switch. In TAP mode, the SRX Series device processes incoming traffic from the TAP interface and generates a security log or report containing with information about threats detected, application usage, and user details.

    [See Configure User Authentication Methods.]

  • Support for trace and debug of data packets (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 20.4R1, you can trace packet footprints. To enable tracing of packet footprints, use the traceoptions flag jexec command at the [edit security flow] or [edit logical-systems logical system name security flow] hierarchy level.

    The packet trace logs are captured in a sequential time order. The sequential trace enhances flow debuggability for packet processing with multiple logical systems and tenant systems, tunnel piping, multiple reinjection, and so on.

    [See traceoptions (Security Flow) and show security flow status.]

High Availability

  • SR-IOV 10GbE high availability support (vSRX 3.0)—Starting in Junos OS Release 20.4R1, vSRX 3.0 supports high availability (HA) single-root I/O virtualization (SR-IOV) deployment.

    If you have a physical network interface card (NIC) that supports SR-IOV, you can attach SR-IOV-enabled vNICs or virtual functions to the vSRX 3.0 instance.

    With this feature, you can access the hardware directly from a virtual machines environment and efficiently share the PCIe devices to optimize performance and capacity. Also, this feature allows you to create many VFs associated with a single physical function (PF) extending the capacity of a device and lowering hardware costs.

    We recommend that you configure all revenue ports of vSRX 3.0 as SR-IOV. On KVM, you can configure SR-IOV high availability on management port: -fxp0/ control port- em0 / fabric port-ge-0/0/*.

    SR-IOV high availability Layer 2 function is not supported. Also, SR-IOV high availability with the vSRX 3.0 on VMWare and Mellanox NICs is not supported.

    [See Configuring SR-IOV 10-Gigabit High Availability on vSRX 3.0.]

Juniper Extension Toolkit (JET)

  • Juniper Extension Toolkit (JET) support for 64-bit applications (MX5, MX10, MX40, MX80, MX104, MX150, MX204, MX240, MX480, MX960, MX2008, MX2010, MX2020, MX10003, MX10008, MX ELM, JunosV Firefly, cSRX, SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, SRX550, SRX550HM, SRX650, SRX720E, SRX750E, SRX1400, SRX1500,SRX3400, SRX3600, SRX4100, SRX4200, SRX4400, SRX4600, SRX4800, SRX5400, SRX5600, SRX5800, SRX7X0E, SRX-ES7, SRX-ES8, VMX, and VSRX)—Starting in Junos OS Release 20.4R1, JET supports 64-bit applications. Use the following commands to compile 64-bit applications for use with the AMD64 or ARM64 64-bit processor architecture.

    • mk-amd64: Compiles the application for use with AMD64 and Junos OS with FreeBSD.

    • mk-amd64,bsdx: Compiles the application for use with AMD64 and Junos OS with upgraded FreeBSD.

    • mk-arm64,bsdx: Compiles the application for use with ARM64 and Junos OS with upgraded FreeBSD.

    [See Develop On-Device JET Applications.]

Junos OS XML ,API, and Scripting

  • Support for Certificate Authority Chain Profile (EX2300, EX3400, EX4300, MX240, MX480, MX960, PTX-5000, VMX, vSRX and QFX5200)—Starting in Junos OS Release 20.4R1, you can configure intermediate Certificate Authority (CA) chain profile certificate and perform https REST API request using mutual and server authentications.

    To configure intermediate ca-chain certificate, configure ca-chain ca-chain statement at the [edit system services rest https] hierarchy level.

Network Management and Monitoring

  • Configuration retrieval using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you can use the configuration revision identifier feature to view the configuration for a specific revision. This configuration database revision can be viewed with the CLI command show system configuration revision.

    [See show system configuration revision.]

  • Junos XML protocol operations support loading and comparing configurations using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, the Junos XML management protocol operations support loading and comparing configurations by referencing the configuration revision identifier of a committed configuration. You can execute the <load-configuration> operation with the configuration-revision attribute to load the configuration with the given revision identifier into the candidate configuration. Additionally, you can compare the candidate or active configuration to a previously committed configuration by referencing the configuration revision identifier for the comparison configuration. The <get-configuration> operation supports the compare="configuration-revision" and configuration-revision attributes to perform the comparison.

    [See <get-configuration> and <load-configuration>.]

Platform and Infrastructure

  • LiquidIO DPDK driver support (vSRX3.0)—Starting in Junos OS Release 20.4R1, vSRX3.0 supports LiquidIO DPDK driver with KVM hypervisor. If you use the LiquidIO II smart NICs, then you can use vSRX3.0 by the virtual function of SR-IOV.

    [See Requirements for vSRX on KVM.]

Routing Protocols

  • Support for multiple single-hop EBGP sessions on different links using the same IPv6 link-local address (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you are no longer required to have unique peer addresses for Juniper devices for every EBGP session. You can now enable single-hop EBGP sessions on different links over multiple directly connected peers that use the same IPv6 link-local address.

    In earlier Junos OS Releases, BGP peers could be configured with link-local addresses, but multiple BGP peers could not be configured to use the same link-local address on different interfaces.

    [See Configure Multiple Single-Hop EBGP Sessions on Different Links Using the Same Link-Local Address (IPv6).]

VPNs

  • AWS Key Management Service (KMS) Integration support (vSRX 3.0)—Starting in Junos OS Release 20.4R1, you can safeguard the private keys used by the PKI daemon and IKED using AWS Key Management Service (KMS). You can establish a PKI daemon-based VPN tunnel using the keypairs generated at the KMS. The KMS server creates, stores, and performs the needed keypair operations.After you enable KMS, all the PKI daemons keypairs previously created are deleted.

    [See Deploying vSRX 3.0 for Securing Data using AWS KMS.]

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for vSRX.

What’s Changed in Release 20.4R3

Network Management and Monitoring

  • The configuration accepts only defined identity values for nodes of type identityref in YANG data models (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—If you configure a statement that has type identityref in the corresponding YANG data model, the device accepts only defined identity values (as defined by an identity statement) as valid input. In earlier releases, the device also accepts values that are not defined identity values.

What’s Changed in Release 20.4R2

There are no changes in behavior or syntax for vSRX in Junos OS Release 20.4R2.

What’s Changed in Release 20.4R1

Platform and Infrastructure

  • On vSRX 3.0 instances with AWS Key Management Service (KMS), if the MEK is changed, then the keypairs will be re-encrypted using the newly set Master Encryption Key (MEK).

  • Repetition of WALinuxAgent logs causing file size increase (vSRX 3.0)—The Azure WALinuxAgent performs the provisioning job for the vSRX instances. When a new vSRX instance is deployed, the continued increasing size of the waagent log file might cause the vSRX to stop.

    If the vSRX is still operating, then delete the /var/log/waagent.log directly or run the clear log waagent.log all command to clear the log file. Or you can run the set groups azure-provision system syslog file waagent.log archive size 1m and set groups azure-provision system syslog file waagent.log archive files 10 commands to prevent the growing of the waagent logs.

    These configurations will cause the rotation of log of waagent with the size bigger than 1MB and set a maximum of 10 backups.

    See vSRX with Microsoft Azure.

Known Limitations

There are no known behaviors for vSRX in Junos OS Release 20.4R3.

Open Issues

Learn about open issues in this release for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Platform and Infrastructure

  • IPV6 Traffic redirection by NSX-T edge infrastructure is not supported. To get it working check possible workarround. PR1527130

  • Ensure the MTU on the host is large enough before setting the MTU in vSRX. PR1537984

  • When upgrading to Junos OS Release 20.4R1 or later, any existing entries within the on-box logging database (security logs) are cleared. This is due to the high performance database design that is not forward-compatible from Junos OS Release 20.3 or earlier versions. These are the logs normally visible within J-Web under the Monitoring>Logs page. PR1541674

  • With ssl-proxy configured along with web-proxy, the client session might not closed on the device even though proxy session ends gracefully. PR1580526

  • SRX platforms using SkyATP with security-intelligence configured, might disconnect from the cloud after several days with the error "Connection status: Request client certificate failed". The issue can be recovered by the CLI command "restart pki-service". PR1585362

  • Web-proxy: Getting UNKNOWN instead of HTTP-PROXY for application and UNKNOWN instead of GOOGLE-GEN in RT-FLOW close messages These messages can be seen in the RT-flow close log and these are due to JDPI not engaged for the session. This may affect the app identification for the web-proxy session traffic. PR1588139

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 20.4R3

Authentication and Access Control

  • Unified-access-control(UAC) authentication might not work post system reboot PR1585158

Flow-Based and Packet-Based Processing

  • The srxpfe process might crash during route churn PR1572240

  • The flowd/srxpfe process might crash when clearing the TCP-Proxy session PR1573842

  • Multicast traffic drop may occur on TAP interface on SRX devices PR1583214

  • Unexpected traffic drop happens if both PMI and flexible-vlan-tagging are implemented PR1584299

General Routing

  • IKE configure mode payload is not pushing secondary DNS and secondary WINS attributes to Xauth module with IKEv1. Hence, the client is not getting assigned with secondary DNS and secondary WINS with IKEv1. PR1558831

  • Delay in vSRX CLI prompt might be observed PR1559741

  • Fabric probe packets might be processed incorrectly when power-mode-ipsec (PMI) is enabled PR1564117

  • The srxpfe/flowd process might crash when Sky-ATP is used PR1573157

  • The srxpfe process might stop and generate a core file during the feed update process. PR1579631

  • The incorrect DNS UDP checksums may be generated when vSRX3.0 performs DNS Sinkhole PR1582827

  • vSRX unreachable over SSH after integration with KMS on AWS PR1584415

  • Jflow V9 application-id record: Network based application recognition value for IPv4 application-id are not as expected PR1595787

  • ALG traffic might be dropped PR1598017

Intrusion Detection and Prevention (IDP)

  • Global data SHM utilization increase quickly and FTP traffic might impacted PR1585485

  • Application-identification related signatures might not get triggered PR1588450

J-Web

  • To improve performance in Monitoring > Network > Interfaces page, Admin Status is removed, Services and Protocols data merged into one Host inbound traffic. PR1574895

Platform and Infrastructure

  • COS queue egress interface forwarding-class might not work as expected PR1538286

Resolved Issues: 20.4R2

J-Web

  • J-Web GUI does not allow you to save a rule if the cumulative shared objects are more than 2500 before the policy grid is saved. When there are several shared objects, there will be a noticeable delay in opening sources and destinations of a rule, and performing the rule action. PR1540047

  • When the commit pending changes message is shown on the J-Web GUI, the contents of other messages, landing page, or pop-ups will not be clearly visible. PR1554024

Platform and Infrastructure

  • Configuration integrity mismatch error in vSRX3.0 running on Azure with key-vault integrated. PR1551419

  • The pkid process runs at 100 percent when the device is unable to connect to a particular URL. PR1560374

  • The srxpfe process might stop and generate a core file during the feed update process. PR1579631

Routing Protocols

  • Traffic might be lost during mirror data transmit from the primary ppmd or bfdd. PR1570228

Resolved Issues: 20.4R1

Application Security

  • The flowd or srxpfe process might crash when SSL proxy and AppSecure process traffic simultaneously. PR1516969

  • During rare circumstances, if the AppID unknown packet capture functionality is enabled, the srxpfe process might crash and generate a core file. PR1538991

Chassis Clustering

  • The control link might be broken when there is excessive traffic load on the control link in a vSRX cluster deployment. PR1524243

CLI

  • On Microsoft Azure deployments, SSH public key authentication is not supported for vSRX 3.0 CLI and portal deployment. PR1402028

  • Commit is not successful when configuration committed without active probe settings options (all options under active probe settings are optional). PR1533420

  • The master-password configuration is rejected if master-encryption-password (MEK) is not set. PR1537251

Flow-Based and Packet-Based Processing

  • A chassis cluster node might stop passing traffic. PR1528898

Install and Upgrade

  • Upgrading to Junos OS Release 20.4R1 or later releases with a large, pre-existing security-log database might result in LLMD consuming large amounts of CPU. PR1548423

Interfaces and Chassis

  • LiquidIO SR-IOV configuring ge interface as DHCP client does not work; no IP address obtained. PR1529228

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process might generate core files during the idpd process commit on SRX Series devices. PR1521682

  • When adaptive threat profiling is configured within an IDP rule base and logging is enabled, on the vSRX instances the Packet Forwarding Engine process might stop and generate a core file. PR1532737

Platform and Infrastructure

  • The vSRX may restart unexpectedly. PR1479156

  • In vSRX3.0 on Azure with key-vault enabled, change in MEK results in deletion of certificates. PR1513456

  • With CSO SD-WAN configuration loaded, the flowd process generates core files while deleting the GRE IPsec configuration. PR1513461

  • Configuration integrity mismatch error in vSRX3.0 running on Azure with key-vault integrated. PR1551419

Routing Policy and Firewall Filters

  • Junos OS upgrade may encounter failure in certain conditions when enabling ATP. PR1519222

User Access and Authentication

  • On vSRX 3.0 on Azure, with Microsoft Azure Hardware Security Module (HSM) enabled, keypair generation fails if you reuse the certificate ID for creating a new keypair—even if the previous keypair was deleted. PR1490558

VPNs

  • The Ping-icmp test fails after configuring ECMP routes over multipoint tunnel interface VPNs. PR1438311

  • The flowd process might stop in an IPsec VPN scenario. PR1517262

Migration, Upgrade, and Downgrade Instructions

This section contains information about how to upgrade Junos OS for vSRX using the CLI. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

You also can upgrade to Junos OS Release 20.4R3 for vSRX using J-Web (see J-Web) or the Junos Space Network Management Platform (see Junos Space).

Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Releases 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, or 19.2 is supported.

The following limitations apply:

  • Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Release 19.3 and higher is not supported. For upgrade between other combinations of Junos OS Releases in vSRX and vSRX 3.0, the general Junos OS upgrade policy applies.

  • The file system mounted on /var usage must be below 14% of capacity.

    Check this using the following command:

    show system storage | match " /var$" /dev/vtbd1s1f

    Using the request system storage cleanup command might help reach that percentage.

  • The Junos OS upgrade image must be placed in the directory /var/host-mnt/var/tmp/. Use the request system software add /var/host-mnt/var/tmp/<upgrade_image>

  • We recommend that you deploy a new vSRX virtual machine (VM) instead of performing a Junos OS upgrade. That also gives you the option to move from vSRX to the newer and more recommended vSRX 3.0.

  • Ensure to back up valuable items such as configurations, license-keys, certificates, and other files that you would like to keep.

Note

For ESXi deployments, the firmware upgrade from Junos OS Release 15.1X49-Dxx to Junos OS releases 17.x, 18.x, or 19.x is not recommended if there are more than three network adapters on the 15.1X49-Dxx vSRX instance. If there are more than three network adapters and you want to upgrade, then we recommend that you either delete all the additional network adapters and add the network adapters after the upgrade or deploy a new vSRX instance on the targeted OS version.

Upgrading Software Packages

To upgrade the software using the CLI:

  1. Download the Junos OS Release 20.4R2 for vSRX .tgz file from the Juniper Networks website. Note the size of the software image.
  2. Verify that you have enough free disk space on the vSRX instance to upload the new software image.
  3. Optionally, free up more disk space, if needed, to upload the image.
    Note

    If this command does not free up enough disk space, see [SRX] Common and safe files to remove in order to increase available system storage for details on safe files you can manually remove from vSRX to free up disk space.

  4. Use FTP, SCP, or a similar utility to upload the Junos OS Release 20.4R2 for vSRX .tgz file to /var/crash/corefiles/ on the local file system of your vSRX VM. For example:
  5. From operational mode, install the software upgrade package.

    If no errors occur, Junos OS reboots automatically to complete the upgrade process. You have successfully upgraded to Junos OS Release 20.4R2 for vSRX.

    Note

    Starting in Junos OS Release 17.4R1, upon completion of the vSRX image upgrade, the original image is removed by default as part of the upgrade process.

  6. Log in and use the show version command to verify the upgrade.

Validating the OVA Image

If you have downloaded a vSRX .ova image and need to validate it, see Validating the vSRX .ova File for VMware.

Note that only .ova (VMware platform) vSRX images can be validated. The .qcow2 vSRX images for use with KVM cannot be validated the same way. File checksums for all software images are, however, available on the download page.