What’s Changed
Learn about what changed in this release for SRX Series.
Authentication and Access Control
- SHA-1 password format deprecated (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX and vSRX)—We've removed the sha1 option at the [edit system login password format] hierarchy level because SHA-1 is no longer supported for plain-text password encryption.
Network Address Translation (NAT)
- Group routing instances (SRX5600)—Starting in Junos OS Release 22.2R1, you can group the routing instances using the routing-group command. The routing-group option is added at the [edit security nat destination], [edit security nat source], and [edit security nat static] hierarchies. [See rule-set (Security Source NAT), rule-set (Security Destination NAT), and rule-set (Security Static NAT).]
Network Management and Monitoring
- Changes to the NETCONF <edit-config> RPC response (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When the <edit-config> operation returns an error, the NETCONF server does not emit a <load-error-count> element in the RPC response. In earlier releases, the <edit-config> RPC response includes the <load-error-count> element when the operation fails.
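Automation that decides whether a configuration load succeeded by looking for <load-error-count> will, after this change, treat a failed <edit-config> as a success and may commit or skip a rollback on a half-applied configuration. The following is an added example, not code from Juniper or from this release note, of a reply parser that keys on the standard <rpc-error> elements instead, so it classifies both the older reply (with <load-error-count>) and the newer reply (without it) correctly. The three sample replies are constructed for illustration, and the placement of <load-error-count> as a direct child of <rpc-reply> in the base NETCONF namespace is an assumption; the parser matches element names without regard to namespace so that assumption does not affect the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample <edit-config> replies (not captured from a device).
# Placing <load-error-count> directly under <rpc-reply> in the base
# namespace is an assumption made for illustration only.
REPLY_FAIL_OLD = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>syntax error</error-message>
  </rpc-error>
  <load-error-count>1</load-error-count>
</rpc-reply>"""

# The same failure as returned by a release that no longer emits <load-error-count>.
REPLY_FAIL_NEW = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="102">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>syntax error</error-message>
  </rpc-error>
</rpc-reply>"""

# A successful load.
REPLY_OK = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="103">
  <ok/>
</rpc-reply>"""


def _local(tag):
    """Strip the namespace prefix from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def parse_edit_config_reply(xml_text):
    """Classify an <edit-config> reply using the standard <rpc-error> elements.

    Returns a dict with:
      ok                True only when no <rpc-error> element is present
      errors            list of (severity, message) tuples, one per <rpc-error>
      load_error_count  int from <load-error-count> when present, else None
    """
    root = ET.fromstring(xml_text)
    errors = []
    load_error_count = None
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "rpc-error":
            severity = message = None
            for child in elem:
                if _local(child.tag) == "error-severity":
                    severity = (child.text or "").strip()
                elif _local(child.tag) == "error-message":
                    message = (child.text or "").strip()
            errors.append((severity, message))
        elif name == "load-error-count":
            load_error_count = int((elem.text or "0").strip())
    return {"ok": not errors, "errors": errors, "load_error_count": load_error_count}


def legacy_failed(xml_text):
    """The fragile check: report failure only when <load-error-count> is present.

    Kept here to show what breaks once the element is no longer emitted;
    new code should rely on parse_edit_config_reply() instead.
    """
    root = ET.fromstring(xml_text)
    return any(_local(e.tag) == "load-error-count" for e in root.iter())


if __name__ == "__main__":
    for label, reply in (("old", REPLY_FAIL_OLD), ("new", REPLY_FAIL_NEW), ("ok", REPLY_OK)):
        result = parse_edit_config_reply(reply)
        print(f"{label}: ok={result['ok']} errors={result['errors']} "
              f"load_error_count={result['load_error_count']} legacy_failed={legacy_failed(reply)}")
```

Run against the constructed replies, legacy_failed() returns False for the newer failure reply, which is exactly the case where a commit-or-rollback script would go wrong; parse_edit_config_reply() reports ok=False for both failure replies because it reads <rpc-error>, which is defined by the NETCONF base specification and is present in both.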
SSL Proxy
- No session cache entry stored during SSL session resumption (SRX Series Devices)—When an SSL session attempts to re-initiate a full handshake and the server rejects that session resumption, the session cache does not store session information and remains empty. This issue is seen in a setup where a client device is using TLS1.1 and the server is using TLS1.3 (maximum) version. In Junos OS Release 22.1R1 and later releases, the session cache stores session information even when the session resumption is rejected, and you can see the session cache entries using the show services ssl proxy session-cache entries summary command.
VPNs
- Deprecating IPsec Manual VPN Configuration Statement (SRX Series Devices and vSRX running kmd process)—Starting in Junos OS Release 22.2R1, we'll be deprecating the Manual IPsec VPN (flow mode). This means that you cannot establish a manual IPsec security association (SA) using the [edit security ipsec vpn vpn-name manual] configuration hierarchy. As part of this change, we'll be deprecating the [edit security ipsec vpn vpn-name manual] hierarchy level and its configuration options. [See manual.]
- IPsec VPN traffic selector routes are changed from ‘static routes’ to ‘ARI-TS’ routes (MX-SPC3, SRX Series and vSRX running iked process)—Starting in Junos OS Release 22.2R1, when an IPsec negotiation is completed using traffic selectors configuration, these routes are now installed as ARI-TS (Auto route insertion for traffic selectors) routes instead of static routes. These routes are by default installed with the same route preference and metric as the previous implementation. ARI-TS routes are inserted as '[ARI-TS/5]'. With this approach, you can change the route preference of the ARI-TS routes without impacting other routing protocols. [See New ARI-TS Routing protocol.]
- Include IPv6 address in a self-signed certificate (SRX Series devices and vSRX3.0)—We support manual generation of a self-signed certificate for the given distinguished name using an IPv6 address in addition to the IPv4 address that was supported earlier. Use the request security pki local-certificate generate-self-signed command with the ipv6-address option to include an IPv6 address in a self-signed certificate. [See request security pki local-certificate generate-self-signed (Security).]
- Unable to connect with OCSP Server for Revocation Check (SRX Series Devices and vSRX)—When performing a revocation check using OCSP, the SRX device does not attempt to connect to the OCSP server when the OCSP server URL contains a domain name that the DNS server cannot resolve. In this case, when the SRX device cannot establish a connection to the OCSP server and one of the following configuration options is set, the OCSP revocation check either allows the certificate or falls back to using CRL:
  - set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure disable
  - set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure fallback-crl
  When the SRX device cannot establish a connection to the OCSP server and neither of these options is configured, the certificate validation fails. [See ocsp (Security PKI).]
VPLS
- No output byte increment on VPLS interface when configured with output filter with policer action (SRX Series Devices)—When you upgrade your device to Junos OS Release 19.4R3-S1 or later, and the VPLS interface has an output filter with policer action applied to it, the VPLS interface does not pass the traffic. Because of this issue, the output bytes do not increment on that interface, and when you display details using the show interfaces <interface-name> extensive | no-more command, the VPLS interface shows output bytes as 0. In Junos OS Release 22.2R1, the show interfaces <interface-name> extensive | no-more command output shows the correct details.