
What’s Changed in Release 21.2R1

Interfaces and Chassis

  • Unable to Upgrade a Chassis Cluster Using In-Service Software Upgrade (SRX5400)—In chassis cluster mode, the backup router's destination address for IPv4 and IPv6 routers, configured using the commands edit system backup-router address destination destination-address and edit system inet6-backup-router address destination destination-address, must not be the same as the interface address configured for IPv4 and IPv6 using the commands edit interfaces interface-name unit logical-unit-number family inet address ipv4-address and edit interfaces interface-name unit logical-unit-number family inet6 address ipv6-address.

    [See Troubleshooting Chassis Cluster Management Issues.]

Junos XML API and Scripting

  • Changes to how command-line arguments are passed to Python op scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When the device passes command-line arguments to a Python op script, it prefixes a hyphen (-) to single-character argument names, and it prefixes two hyphens (--) to multi-character argument names. The prefix enables you to use standard command-line parsing libraries to handle the arguments. In earlier releases, the device prefixes a single hyphen (-) to all argument names.

    [See Declaring and Using Command-Line Arguments in Op Scripts.]

  • Refreshing scripts from an HTTPS server requires a certificate (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When you refresh a local commit, event, op, SNMP, or Juniper Extension Toolkit (JET) script from an HTTPS server, you must specify the certificate (Root CA or self-signed) that the device uses to validate the server's certificate, thus ensuring that the server is authentic. In earlier releases, when you refresh scripts from an HTTPS server, the device does not perform certificate validation.

    When you refresh a script using the request system scripts refresh-from operational mode command, include the cert-file option and specify the certificate path. Before you refresh a script using the set refresh or set refresh-from configuration mode command, first configure the cert-file statement under the hierarchy level where you configure the script. The certificate must be in Privacy-Enhanced Mail (PEM) format.

    [See request system scripts refresh-from and cert-file (Scripts).]

Network Management and Monitoring

  • Changes to how command-line arguments are passed to Python action scripts (ACX Series, EX Series, MX Series, NFX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When a custom YANG RPC invokes a Python action script and passes command-line arguments to the script, the device prefixes a hyphen (-) to single-character argument names, and it prefixes two hyphens (--) to multi-character argument names. The prefix enables you to use standard command-line parsing libraries to handle the arguments. In earlier releases, the device passes the unmodified argument names to the script.

    [See Creating Action Scripts for YANG RPCs on Devices Running Junos OS and Displaying Valid Command Option and Configuration Statement Values in the CLI for Custom YANG Modules.]

  • Changes to <commit> RPC responses in RFC-compliant NETCONF sessions (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—When you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level, the NETCONF server's response for <commit> operations includes the following changes:

    • If a successful <commit> operation returns a response with one or more warnings, the warnings are omitted from the response and redirected to the system log file.
    • The NETCONF server response emits the <source-daemon> element as a child of the <error-info> element instead of the <rpc-error> element.
    • If you also configure the flatten-commit-results statement at the [edit system services netconf] hierarchy level, the NETCONF server suppresses any <commit-results> XML subtree in the response and only emits an <ok/> or <rpc-error> element.

    [See Configuring RFC-Compliant NETCONF Sessions.]

  • New output field added in show pfe statistics traffic command (SRX380)—Starting in Junos OS Release, you'll see Unicast EAPOL in the output of the show pfe statistics traffic command.

    [See show-pfe-statistics-traffic.]
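The argument-prefix changes for Python op scripts and Python action scripts described above, as an added example (not Juniper's code): a script front end that accepts argument names in the form passed by 21.2R1 and by earlier releases, then parses them with argparse. The argument names interface and p, and the assumption that arguments arrive as name/value pairs, are hypothetical choices for this example.

```python
import argparse

# Hypothetical argument names for this example; a real script declares its own.
KNOWN_ARGS = ("interface", "p")


def normalize_argv(argv, known=KNOWN_ARGS):
    """Rewrite argument names to the form the page describes for 21.2R1.

    21.2R1:           -p VALUE  --interface VALUE
    earlier, op:      -p VALUE  -interface VALUE   (single hyphen on every name)
    earlier, action:   p VALUE   interface VALUE   (names passed unmodified)
    Assumes arguments arrive as name/value pairs.
    """
    out, expect_value = [], False
    for tok in argv:
        if expect_value:
            out.append(tok)  # values pass through untouched, even if they look like a name
            expect_value = False
            continue
        name = tok.lstrip("-")
        if name not in known or len(tok) - len(name) > 2:
            raise ValueError(f"unexpected argument name: {tok!r}")
        out.append(("-" if len(name) == 1 else "--") + name)
        expect_value = True
    if expect_value:
        raise ValueError(f"missing value for {out[-1]}")
    return out


def parse_args(argv):
    parser = argparse.ArgumentParser(description="example op/action script")
    parser.add_argument("--interface", required=True)
    parser.add_argument("-p", dest="protocol", default="inet")
    return parser.parse_args(normalize_argv(argv))


if __name__ == "__main__":
    # Constructed argv samples, one per calling convention.
    for sample in (["--interface", "ge-0/0/0", "-p", "inet6"],
                   ["-interface", "ge-0/0/0", "-p", "inet6"],
                   ["interface", "ge-0/0/0", "p", "inet6"]):
        print(sample, "->", vars(parse_args(sample)))
```

Rejecting names outside the declared set keeps an unexpected token from being silently treated as a value.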
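The <commit> reply changes listed above, as an added example (not Juniper's code): a client-side parser that finds <source-daemon> under either <error-info> or <rpc-error>, so the same automation works against RFC-compliant sessions before and after this change. The sample replies are constructed, exampled is a placeholder daemon name, and treating <ok/> with no non-warning <rpc-error> as a successful commit is this example's assumption.

```python
import xml.etree.ElementTree as ET

NS = 'xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"'
# Constructed sample replies; "exampled" is a placeholder daemon name.
ERR = "<error-severity>error</error-severity><error-message>sample failure</error-message>"
REPLY_21_2 = (f"<rpc-reply {NS}><rpc-error>{ERR}<error-info>"
              "<source-daemon>exampled</source-daemon></error-info></rpc-error></rpc-reply>")
REPLY_EARLIER = (f"<rpc-reply {NS}><rpc-error>{ERR}"
                 "<source-daemon>exampled</source-daemon></rpc-error></rpc-reply>")
REPLY_OK = f"<rpc-reply {NS}><ok/></rpc-reply>"


def _local(el):
    """Element name without its XML namespace."""
    return el.tag.rsplit("}", 1)[-1]


def _child_text(parent, name):
    for child in parent:
        if _local(child) == name:
            return (child.text or "").strip()
    return None


def summarize_commit_reply(xml_text):
    root = ET.fromstring(xml_text)
    errors = []
    for el in root.iter():
        if _local(el) != "rpc-error":
            continue
        daemon = _child_text(el, "source-daemon")        # placement before this change
        for child in el:
            if _local(child) == "error-info":             # placement described for 21.2R1
                daemon = _child_text(child, "source-daemon") or daemon
        errors.append({"severity": _child_text(el, "error-severity"),
                       "message": _child_text(el, "error-message"),
                       "source_daemon": daemon})
    names = {_local(el) for el in root.iter()}
    # A missing or unknown severity is treated as a failure, not a warning.
    failed = any(e["severity"] != "warning" for e in errors)
    return {"committed": "ok" in names and not failed, "errors": errors,
            "has_commit_results": "commit-results" in names}


if __name__ == "__main__":
    for reply in (REPLY_21_2, REPLY_EARLIER, REPLY_OK):
        print(summarize_commit_reply(reply))
```

Because warnings on a successful commit go to the system log rather than the reply, an empty errors list here does not mean the commit raised no warnings.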

VPNs

  • View the traffic selector type for an IPsec tunnel (SRX Series and MX Series)—You can run the show security ipsec security-associations detail command to display the traffic selector type for a VPN. The command displays proxy-id or traffic-selector as a value for the TS Type output field based on your configuration.

    [See show-security-ipsec-security-associations.]

  • Deprecating Dynamic VPN CLI configuration statements and operational commands (SRX Series Devices)—Starting in Junos OS Release 21.4R1, we’ll be deprecating the dynamic VPN remote access solution. This means that you cannot use Pulse Secure Client on these devices.

    As part of this change, we’ll be deprecating the [edit security dynamic-vpn] hierarchy level and its configuration options. We’ll also be deprecating the show and clear commands under the [dynamic-vpn] hierarchy level.

    As an alternative, you can use the Juniper Secure Connect remote access VPN client that we introduced in Junos OS Release 20.3R1. Juniper Secure Connect is a user-friendly VPN client that supports more features and platforms than dynamic VPN does. All SRX Series devices come with two built-in concurrent users. If you need additional concurrent users, contact your Juniper Networks representative for remote-access licensing. To understand more about Juniper Secure Connect licenses, see Licenses for Juniper Secure Connect and Managing Licenses.

    [See Juniper Secure Connect User Guide, Juniper Secure Connect Administrator Guide, Licenses for Juniper Secure Connect, and Managing Licenses.]