What’s Changed

Learn about what changed in this release for SRX Series.

Authentication and Access Control

  • SHA-1 password format deprecated (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX and vSRX)—We've removed the sha1 option at the [edit system login password format] hierarchy level because SHA-1 is no longer supported for plain-text password encryption.

Network Address Translation (NAT)

Network Management and Monitoring

  • Changes to the NETCONF <edit-config> RPC response (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When the <edit-config> operation returns an error, the NETCONF server does not emit a <load-error-count> element in the RPC response. In earlier releases, the <edit-config> RPC response includes the <load-error-count> element when the operation fails.
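    Automation that keyed its failure handling on the <load-error-count> element breaks against the new response; counting the <rpc-error> elements themselves works for both the old and the new form. The following Python snippet is an added example, not Juniper code; the three rpc-reply samples are constructed for illustration, not captured from a device.

```python
"""Evaluate a NETCONF <edit-config> rpc-reply without depending on <load-error-count>."""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Constructed sample replies, not captured from a device. The first imitates a
# pre-22.2R1 failure reply that still carries <load-error-count>; the second
# imitates the 22.2R1 form, where that element is absent; the third is success.
OLD_FAILURE_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="101">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>syntax error</error-message>
  </rpc-error>
  <load-error-count>1</load-error-count>
</rpc-reply>"""

NEW_FAILURE_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="102">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>syntax error</error-message>
  </rpc-error>
</rpc-reply>"""

OK_REPLY = f'<rpc-reply xmlns="{NC_NS}" message-id="103"><ok/></rpc-reply>'


def _local(tag):
    """Strip the namespace so matching works for namespaced and bare elements."""
    return tag.rsplit("}", 1)[-1]


def evaluate_edit_config_reply(xml_text):
    """Return (succeeded, error_messages) for an <edit-config> rpc-reply.

    Success requires <ok/> and no <rpc-error>. Errors are counted from the
    <rpc-error> elements themselves, so the outcome is the same whether or
    not the server emitted <load-error-count>.
    """
    root = ET.fromstring(xml_text)
    errors = [el for el in root.iter() if _local(el.tag) == "rpc-error"]
    messages = []
    for err in errors:
        msg = next((c.text.strip() for c in err.iter()
                    if _local(c.tag) == "error-message" and c.text), "")
        messages.append(msg)
    has_ok = any(_local(el.tag) == "ok" for el in root.iter())
    return has_ok and not errors, messages
```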

SSL Proxy

  • No session cache entry stored during SSL session resumption (SRX Series Devices)—When an SSL session attempts to re-initiate a full handshake and the server rejects that session resumption, the session cache does not store the session information and remains empty. This issue is seen in a setup where the client uses TLS 1.1 and the server supports TLS 1.3 as its maximum version.

    In Junos OS Release 22.1R1 and later releases, the session cache stores session information even when the session resumption is rejected, and you can view the session cache entries using the show services ssl proxy session-cache entries summary command.

VPNs

  • Deprecating the IPsec manual VPN configuration statement (SRX Series Devices and vSRX running the kmd process)—Starting in Junos OS Release 22.2R1, we’re deprecating manual IPsec VPN (flow mode). This means that you cannot establish a manual IPsec security association (SA) using the [edit security ipsec vpn vpn-name manual] configuration hierarchy.

    As part of this change, we’ll be deprecating the [edit security ipsec vpn vpn-name manual] hierarchy level and its configuration options.

    [See manual.]

  • IPsec VPN traffic selector routes changed from static routes to ARI-TS routes (MX-SPC3, SRX Series, and vSRX running the iked process)—Starting in Junos OS Release 22.2R1, when an IPsec negotiation completes using a traffic selector configuration, the resulting routes are installed as ARI-TS (auto route insertion for traffic selectors) routes instead of static routes. By default, these routes are installed with the same route preference and metric as in the previous implementation. ARI-TS routes appear as '[ARI-TS/5]'.

    With this approach, you can change the route preference of the ARI-TS routes without impacting other routing protocols.

    [See New ARI-TS Routing protocol.]

  • Include an IPv6 address in a self-signed certificate (SRX Series devices and vSRX3.0)—We support manual generation of a self-signed certificate for the given distinguished name using an IPv6 address, in addition to the IPv4 address that was supported earlier. Use the request security pki local-certificate generate-self-signed command with the ipv6-address option to include an IPv6 address in a self-signed certificate.

    [See request security pki local-certificate generate-self-signed (Security).]

  • Unable to connect to the OCSP server for revocation check (SRX Series Devices and vSRX)—When performing a revocation check using OCSP, the SRX device does not attempt to connect to the OCSP server when the OCSP server URL contains a domain name that the DNS server cannot resolve. In this case, when the SRX device cannot establish a connection to the OCSP server and one of the following configuration options is set, the OCSP revocation check either allows the certificate or falls back to using the CRL:
    • set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure disable
    • set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure fallback-crl

    When the SRX device cannot establish a connection to the OCSP server and neither of these options is configured, the certificate validation fails.

    [See ocsp (Security PKI).]

VPLS

  • No output byte increment on a VPLS interface configured with an output filter with a policer action (SRX Series Devices)—When you upgrade your device to Junos OS Release 19.4R3-S1 or later, and the VPLS interface has an output filter with a policer action applied to it, the VPLS interface does not pass traffic. Because of this issue, the output bytes on that interface do not increment, and when you display details using the show interfaces <interface-name> extensive | no-more command, the VPLS interface shows output bytes as 0. In Junos OS Release 22.2R1, the show interfaces <interface-name> extensive | no-more command output shows the correct details.