What’s Changed

Learn about what changed in this release for vSRX.

Authentication and Access Control

  • SHA-1 password format deprecated (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX and vSRX)—We've removed the sha1 option at the [edit system login password format] hierarchy level because SHA-1 is no longer supported for plain-text password encryption.

Network Management and Monitoring

  • Changes to the NETCONF <edit-config> RPC response (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When the <edit-config> operation returns an error, the NETCONF server does not emit a <load-error-count> element in the RPC response. In earlier releases, the <edit-config> RPC response includes the <load-error-count> element when the operation fails.

VPNs

  • Deprecating IPsec Manual VPN Configuration Statement (SRX Series Devices and vSRX running kmd process)—Starting in Junos OS Release 22.3R1, we’ll be deprecating the Manual IPsec VPN (flow mode). This means that you cannot establish a manual IPsec security association (SA) using the [edit security ipsec vpn vpn-name manual] configuration hierarchy.

    As part of this change, we’ll be deprecating the [edit security ipsec vpn vpn-name manual] hierarchy level and its configuration options.

    [See manual.]

  • IPsec VPN traffic selector routes are changed from ‘static routes’ to ‘ARI-TS’ routes (MX-SPC3, SRX Series and vSRX running iked process)—Starting in Junos OS Release 22.2R1, when an IPsec negotiation is completed using a traffic selector configuration, the traffic selector routes are installed as ARI-TS (auto route insertion for traffic selectors) routes instead of static routes. By default, these routes are installed with the same route preference and metric as in the previous implementation. ARI-TS routes are inserted as '[ARI-TS/5]'.

    With this approach, you can change the route preference of the ARI-TS routes without impacting other routing protocols.

    [See New ARI-TS Routing protocol.]

  • Include IPv6 address in a self-signed certificate (SRX Series devices and vSRX3.0)—We support manual generation of a self-signed certificate for the given distinguished name using an IPv6 address in addition to the IPv4 address that was supported earlier. Use the request security pki local-certificate generate-self-signed command with the ipv6-address option to include an IPv6 address in a self-signed certificate.

    [See request security pki local-certificate generate-self-signed (Security).]

  • Unable to connect with OCSP Server for Revocation Check (SRX Series Devices and vSRX)—When performing a revocation check using OCSP, the SRX device does not attempt to connect with the OCSP server when the OCSP server URL contains a domain name that the DNS server cannot resolve. In this case, when the SRX device cannot establish a connection to the OCSP server and one of the following configuration options is set, the OCSP revocation check will either allow or fall back to using CRL:
    • set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure disable
    • set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure fallback-crl

    When the SRX device cannot establish a connection to the OCSP server and these options are not configured, the certificate validation fails.

    [See ocsp (Security PKI).]
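A pre-upgrade check for the statements listed above, as an added example (not Juniper code): it scans a configuration exported in set format (for instance with `show configuration | display set`) for the removed sha1 password format and for manual IPsec VPNs, and reports what each OCSP-enabled CA profile does when the OCSP server is unreachable. The sample configuration, the function name `audit` and the finding labels are constructed for illustration.

```python
import re

# Statements named on this page; group "name" captures the VPN or CA profile.
SHA1 = re.compile(r"^set system login password format sha1$")
MANUAL = re.compile(r"^set security ipsec vpn (?P<name>\S+) manual(?:\s|$)")
OCSP = re.compile(r"^set security pki ca-profile (?P<name>\S+) "
                  r"revocation-check ocsp(?:\s+(?P<rest>.*))?$")

# Outcome when the OCSP server is unreachable, per the behaviour described above.
ON_FAILURE = {"disable": "allow", "fallback-crl": "fallback-crl", None: "fail"}

# Constructed sample configuration (hypothetical VPN and CA profile names).
SAMPLE = """\
set system login password format sha1
set security ipsec vpn LEGACY-SITE manual protocol esp
set security ipsec vpn LEGACY-SITE manual spi 256
set security ipsec vpn HQ ike gateway HQ-GW
set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure disable
set security pki ca-profile BRANCH-CA revocation-check ocsp url http://ocsp.example.net
"""


def audit(config_text):
    """Return (findings, ocsp) for a configuration in set format."""
    findings, modes = [], {}
    for line in config_text.splitlines():
        line = line.strip()
        if SHA1.match(line):
            findings.append(("sha1-password-format", "system login"))
        elif (m := MANUAL.match(line)):
            item = ("manual-ipsec-vpn", m["name"])
            if item not in findings:  # one finding per VPN, not per option
                findings.append(item)
        elif (m := OCSP.match(line)):
            modes.setdefault(m["name"], None)  # profile uses OCSP
            words = (m["rest"] or "").split()
            if len(words) == 2 and words[0] == "connection-failure" and words[1] in ON_FAILURE:
                modes[m["name"]] = words[1]
    ocsp = {name: ON_FAILURE[mode] for name, mode in modes.items()}
    return findings, ocsp


if __name__ == "__main__":
    findings, ocsp = audit(SAMPLE)
    print(findings)
    print(ocsp)
```

A profile reported as `allow` skips the revocation check when the OCSP server cannot be reached, while `fail` means certificate validation fails in that case.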