What's Changed
Learn about what changed in this release for SRX Series Firewalls.
VPNs
- Enhancements to address error in generating RSA key pair with bigger key size (SRX Series)–In earlier Junos OS releases, when you generate an RSA key pair of size 4096 or greater, the command request security pki generate-key-pair certificate-id name type rsa size 4096 sometimes displays the error message "error: timeout communicating with pki-service daemon" when PKID takes more time to respond. Starting in Junos OS Release 23.4R1, the command runs successfully without this error message.
- Enhancements to the output of show security ipsec security-associations detail command (SRX Series and vSRX 3.0)–We've enhanced the output of show security ipsec security-associations detail when you enable vpn-monitor at the [edit security ipsec vpn vpn-name] hierarchy level and your firewall runs IPsec VPN services with the new iked process. The output displays the threshold and interval values. Starting in Junos OS Release 23.4R1, you'll notice these changes.
- Enhancements to address certificate validation failures after RG0 failover (SRX Series)–Following RG0 failover in the chassis cluster, you may notice that the output of the command show services advanced-anti-malware status displays the "Requesting server certificate validation" status due to a CRL download failure on the secondary node before the failover. We've made enhancements to address the issue and you'll see the following changes:
  - If there's a repeated failure to download the CRL even after multiple retry attempts, you will notice the error message "PKID_CRL_DOWNLOAD_RETRY_FAILED: CRL download for the CA failed even after multiple retry attempts, Check CRL server connection" until the CRL downloads successfully.
  - When the cluster performs a failover from the secondary to the primary node, the PKI triggers a fresh CRL download on the new primary node, resulting in successful certificate verification.