
What's Changed

Learn about what changed in this release for SRX Series Firewalls.

VPNs

  • Enhancements to address error in generating RSA key pair with bigger key size (SRX Series)–In earlier Junos OS releases, when you generate an RSA key pair of size 4096 or greater, the command request security pki generate-key-pair certificate-id name type rsa size 4096 sometimes displays the error message error: timeout communicating with pki-service daemon when PKID takes more time to respond. Starting in Junos OS Release 23.4R1, the command runs successfully without this error message.

  • Enhancements to the output of show security ipsec security-associations detail command (SRX Series and vSRX 3.0)–We've enhanced the output of show security ipsec security-associations detail for the case where you enable vpn-monitor at the [edit security ipsec vpn vpn-name] hierarchy level and your firewall runs IPsec VPN services with the new iked process. The command output now displays the threshold and interval values. Starting in Junos OS Release 23.4R1, you'll notice these changes.

    [See show security ipsec security-associations.]

  • Enhancements to address certificate validation failures after RG0 failover (SRX Series)–Following an RG0 failover in the chassis cluster, you may notice that the output of the command show services advanced-anti-malware status displays Requesting server certificate validation status due to a CRL download failure on the secondary node before the failover. We've made enhancements to address the issue and you'll see the following changes:

    • If there's a repeated failure to download the CRL even after multiple retry attempts, you will notice the error message PKID_CRL_DOWNLOAD_RETRY_FAILED: CRL download for the CA failed even after multiple retry attempts, Check CRL server connection until the CRL downloads successfully.

    • When the cluster performs a failover from the secondary to the primary node, the PKI triggers a fresh CRL download on the new primary node, resulting in successful certificate verification.