SSR 7.1 Release Notes
The SSR has moved away from the historical package-based delivery to an image-based delivery. As such, it is strongly suggested that you revisit your "standard" procedures for installation and upgrade of SSR Software.
Beginning with SSR v6.3.0, the use of the interactive installer is not supported, or necessary. Software installation and upgrade activities are supported from the Web Interface or the Command Line Interface.
Installation from ISO
When installing SSR V6.3.0 or newer on a new system, use the image-based ISO - identified by the filename prefix "SSR": SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso. Installation documentation for the image-based process can be found in the Image-based ISO Installation Overview.
Offline mode conductor and router upgrades to image-based installations are detailed in the Single-Version 6.3.0 Upgrade instructions.
Upgrade Considerations
Before upgrading please review the Upgrade Considerations and the Rolling Back Software pages. Several modifications have been made to the process for verifying configurations, which will impact existing configurations.
An issue has been identified involving the use of the HA Sync Redundancy Plugin with SSR 7.0.0, which prevents proper functioning of the plugin. If you use the HA Plugin in your SSR deployment, it is not advised to upgrade at this time. The issue is being investigated and will be resolved in a future release.
7.0.1 Conductor Upgrades
If you are upgrading a conductor that is currently installed with version 6.3.4 or lower, and you wish to upgrade to version 7.0.1 or higher, you must first upgrade the conductor to a 6.3.x release at version 6.3.5 or higher.
Routers running SSR software versions earlier than 6.3.5 cannot connect to conductors running SSR software version 7.0.1 and higher. A transitional step is required to enable routers running versions earlier than 6.3.5 (6.0.x, 6.1.x, 6.2.x, 6.3.4 and lower) to communicate with a conductor running 7.0.1+.
- Upgrade the conductor to a 6.3.x release at version 6.3.5 or higher.
- Upon completion of the install, allow all managed routers to connect and reach the Synchronized state. The new keying requirements that are part of 6.3.5+ are loaded onto the routers during synchronization. These are required for routers to communicate with a 7.0.1+ conductor. If the routers do not reach the synchronized state, those routers will not be able to communicate with the 7.0.1+ conductor.
- Once the routers are synchronized, you may upgrade the conductor to 7.0.1. All synchronized routers, regardless of version, will be able to communicate with the upgraded conductor. The routers are not required to upgrade to 7.0.1 or to 6.3.5.
If your conductor is currently running SSR version 6.3.5+, you may upgrade to 7.0.1 normally.
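The gating rules in this section, written as a pre-upgrade check. This is an added example, not Juniper code: the `Router` and `Plan` records, the `plan_conductor_upgrade` helper and the sample inventory are hypothetical, and the `synchronized` flag is assumed to be copied by the operator from the conductor's asset state.

```python
import re
from dataclasses import dataclass

KEYING_MIN = (6, 3, 5)  # first release whose synchronization loads the new keying material
GATED_MIN = (7, 0, 1)   # conductor releases that routers cannot reach without it


def parse_version(text):
    """Return (major, minor, patch) from '6.3.4', '7.1.3-29r2' or '6.3.0-107.r1.el7'."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)(?:\D|$)", text)
    if match is None:
        raise ValueError(f"not an SSR version string: {text!r}")
    return tuple(int(part) for part in match.groups())


@dataclass(frozen=True)
class Router:
    name: str
    version: str
    synchronized: bool  # assumption: asset state currently reported by the conductor


@dataclass(frozen=True)
class Plan:
    ready: bool      # True when the conductor can go straight to the target release
    steps: tuple     # ordered actions, following the procedure in the release notes
    blocking: tuple  # routers that lose the conductor if the steps are skipped


def plan_conductor_upgrade(conductor, target, routers):
    """Apply the 6.3.5 keying gate to a planned conductor upgrade."""
    current, wanted = parse_version(conductor), parse_version(target)
    final = f"upgrade conductor to {target}"
    if wanted < GATED_MIN:
        return Plan(True, (final,), ())  # the 7.0.1 gate does not apply

    # Routers older than 6.3.5 only receive the keying material by synchronizing
    # with a conductor that is itself running 6.3.5 or later.
    legacy = [r for r in routers if parse_version(r.version) < KEYING_MIN]

    if current < KEYING_MIN:
        # A Synchronized state seen on the old conductor does not count: the
        # keying material is loaded only after the transitional upgrade.
        steps = (
            "upgrade conductor to a 6.3.x release at 6.3.5 or higher",
            "wait for every managed router to reach Synchronized",
            final,
        )
        return Plan(False, steps, tuple(sorted(r.name for r in legacy)))

    blocking = tuple(sorted(r.name for r in legacy if not r.synchronized))
    if blocking:
        steps = ("wait for the listed routers to reach Synchronized", final)
        return Plan(False, steps, blocking)
    return Plan(True, (final,), ())


# Constructed sample inventory (router names and versions are illustrative).
INVENTORY = [
    Router("branch-01", "6.1.8", True),
    Router("branch-02", "6.3.4", False),
    Router("branch-03", "6.3.5", True),
    Router("hub-01", "6.2.3", True),
]

if __name__ == "__main__":
    for conductor in ("6.3.4", "6.3.5"):
        plan = plan_conductor_upgrade(conductor, "7.1.3-29r2", INVENTORY)
        print(f"conductor {conductor}: ready={plan.ready}")
        for number, step in enumerate(plan.steps, 1):
            print(f"  {number}. {step}")
        if plan.blocking:
            print("  routers at risk:", ", ".join(plan.blocking))
```

Routers already on 6.3.5 or later are treated as unaffected, which is this example's reading of the notes rather than a documented guarantee.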
VM Upgrades 6.2.x to 7.x
Users upgrading a virtual machine, including those on AWS or Azure, previously installed with package-based SSR releases (6.2 and prior on Conductor-managed deployments only) should be aware of the following:
Due to changes in the base SSR/Linux OS in 7.X, interface naming behavior has changed for virtual machines. Older SSR versions using earlier versions of the SSR OS may have named Linux interfaces with the ethX naming convention. Interfaces in 7.X and above use the Linux predictable interface naming convention as seen in SSR hardware installs. This change in interface naming could prevent existing Linux interface configurations from being applied to the ethX-named interface. This applies to interfaces configured directly in Linux, such as dedicated management interfaces, and not interfaces configured via SSR configuration.
This issue is currently being addressed by engineering. However, if your deployment requires an upgrade to 7.X on a VM configured with interfaces using the ethX naming convention, please ensure that console access is available, as manual updates to the Linux interface configuration may be required.
System Disk Considerations
As mentioned above, during the upgrade to an image-based installation, existing systems will go through a conversion process to support image-based delivery. This process involves resizing the existing disk partition to support writing a new disk image to the remaining disk space. As such, the usable disk space seen after this conversion will be approximately halved. The system will automatically detect if there is not enough usable disk space on the existing drive to support this partition resizing and, if so, will trigger an upgrade failure. Even if the conversion is successful and the upgrade succeeds, users may note that the system is experiencing disk space alarms after the upgrade due to the reduction in overall capacity. It is suggested to remove unnecessary large files from systems before upgrading. Old saved tech-support-info archives (check for tar.gz or zip files in /var/log/128technology) and uploaded ISO images are frequent contributors to used disk space and should be manually deleted.
In certain scenarios, existing cloud routers may have been installed from images that did not use LVM for partitions. For these systems, the automatic resizing of disk partitions will fail and they cannot be upgraded. It is suggested to rebuild these instances from the official SSR BYOL image for either AWS or Azure.
When the conductor is initially upgraded to an image-based installation, it will be upgraded as a package-based system. This is because the system does not understand how to handle image-based delivery until it is running 6.3 software. Once the conductor is running 6.3 all router upgrades will be treated as image-based upgrades and any subsequent conductor upgrade will be treated as image-based. Therefore, it is possible that issues related to disk usage on conductor may not arise until a subsequent upgrade of the conductor beyond the initial step to 6.3.
Offline-Mode: Upgrading 6.3.x Conductor Deployments to 6.3.x+
An issue has been identified that may be observed in conductor deployments running version 6.3.x software, when attempting to upgrade from one 6.3.x patch release to another. This results in the message, “SSR firmware upgrade failed for the local node: SSR upgrade failed after reboot”. To work around this, run request system software upgrade installation-service from the command line of the Conductor, after importing the image-based ISO. Once complete, perform the full system upgrade from the Web interface. This issue will be resolved in a future release.
Offline-Mode: Onboarding Routers Running older SSR Software to a 6.3.x Conductor
An issue has been identified when onboarding SSR routers installed with older versions of software (such as 5.4.4) to Conductors running 6.3.x, when running in offline-mode. In some cases, certain software packages are not available to be installed during onboarding. To work around this issue, import the package-based (the "128T" prefixed) ISO for the current conductor version onto the conductor. This provides the necessary software packages to complete the onboarding process. This issue will be resolved in a future release.
Release 7.1.3-29r2
Release Date: March 10, 2026
New Features
- I95-26081 Display negotiated BFD Interval: The command show peers bfd-interval has been added to display the negotiated bfd-interval in three columns, Rx Timer, Tx Timer, and Multiplier. See Negotiated BFD Intervals for more information.
- I95-48934 Configuration Integrity: SSR Configuration Integrity protects authentication credentials, keys and certificates, network topology information, and other pieces of sensitive SSR configuration from unauthorized access when the system is powered off. It prevents network and SSR operations from executing when the system is determined to be in a compromised state. To learn more, see Configuration Integrity.
- I95-54247 IMA - SSR Signed packages only execution: IMA is Linux’s Integrity Measurement Architecture. The SSR400 and SSR440 support IMA validation using GPG Signatures. IMA validation is enabled by default for the root user, allowing the kernel to check the signature of each file before loading it for execution. If these checks fail, execution is denied with a Permission denied (EACCES) error code. For more information, see Secure Boot - IMA.
- I95-54248 Smart OS Download: The SSR download process is now configurable, to provide better recovery and control over software downloads when a network connection fails. To improve resiliency against these network connectivity issues, the SSR queries available versions from all sources before beginning the download. If a request to a source fails, the SSR moves on to the next source. See Smart OS Download for more information.
- I95-56719 Conductor Scaling: Several improvements have been made to increase the scale of conductor managed router/node deployments, as well as the reporting of router information to the GUI and PCLI, and the efficiency of the device communications. The conductor can now manage up to a combination of 5000 nodes and routers (on appropriately resourced hardware platforms). Improvements have also been made to web interface responsiveness, along with updates to the following pages: Peer Path table, Event history, and Peering Connections panel of the Topology view.
- I95-58446 EoSVR Loop Prevention: EoSVR A/S Loop Prevention has been added, allowing EoSVR traffic to pass Broadcast, unknown-unicast, and multicast traffic through a switch without causing the port to be shut down.
- I95-58959 Secure Conductor Onboarding: Secure Conductor Onboarding (SCO) provides the ability to onboard a router to a conductor ensuring that each device proves possession of a private key, and that the connection is trusted and authenticated. For more information, see Secure Conductor Onboarding.
- I95-59948 SHA-384 and SHA-512 Support: Added support for CNSA 2.0 algorithms SHA-384 and SHA-512 to support US Federal government deployments. For additional information, see configure-authority-security-hmac-cipher.
- I95-60209 ML-KEM support [FIPS-203]: ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a cryptographic protocol used in post-quantum cryptography to securely exchange keys over public channels. This level of protection offers security against both quantum and classical adversaries. On the SSR, ML-KEM can be used alone, or in conjunction with Diffie-Hellman as a hybrid approach to peer-key exchange and encryption. For more information, see Post Quantum Cryptography Support.
- I95-61176 Multicast Failover Optimization: Several internal improvements have been made to improve failover and convergence in both HA and non-HA scenarios for Multicast/PIM, as well as failover times in general.
- I95-63476 Router/Peer path override for key-exchange-algorithm: A router/peer-path override has been added to enable the transition to a new algorithm within authority. For more information, see Key Exchange Algorithm Router Override.
Resolved Issues
- I95-57605 BFD link-test-interval not accurate: Resolved as part of I95-59720. Several modifications have been made to the BFD timers to improve accuracy.
- I95-60545 Attempting network interface lookup with invalid ID: Resolved an issue where errors due to an invalid ID were flooding the logs. Error logs in highway regarding a failed interface lookup for an invalid interface are now suppressed.
- I95-61588 Console access failures post-migration: Resolved an issue where a lower baud rate was being used by the serial console. The check / enforcement for the 115200 baud rate has been improved.
- I95-61823 Change ESKM_DISABLED to ESKM_STANDBY for HA router in standby state: For routers configured as part of an HA Enhanced Security Key Management (ESKM) deployment, the standby state is now correctly identified as ESKM_STANDBY.
- I95-61856 Add reload local certificates command for ESKM: The reload local certificates command has been added to allow the updating of local certificates. See reload local certificates for more information.
- I95-62074 Highway requests metadata key when enhanced-security-key-management feature is disabled: Resolved an issue where even when enhanced-security-key-management was disabled, it continued to attempt to get the key information.
- I95-62343 Routers disconnecting from the Conductor while still successfully routing traffic: Resolved an issue where Salt gets stuck with a bad network connection. Added new functionality to the minion-watchdog service which will restart the salt-minion if there is a salt job stuck for over an hour.
- I95-62580 Conflicting network interface names slowing application traffic: Resolved an issue in the app summary tracking logic related to conflicting network interface names for non-redundant ports of an HA router.
- I95-62631 Race condition for multiple DHCP servers startup: Resolved an issue where changing the configuration from a single DHCP server to multiple DHCP servers under the same device interface would cause the DHCP servers to stop working. Updates have been made to the monitoring script to identify the changes and prevent the issue.
- I95-62662 SSR4x0 Time not synchronized after reboot: Resolved an issue with the SSR400 and SSR440 where the hardware real time clock (RTC) was not updated after synchronizing with the NTP server. This has been resolved and the time is now fully synchronized. Note that this is an SSR4x0-only issue.
- I95-62772 Add details to show peers certificate output: The show peers certificate output no longer just shows PEM file output; the data has been rendered in a more friendly format.
- I95-62859 Duplicate alarms created for duplicate asset IDs: Resolved an issue where the Conductor created a duplicate asset ID alarm each time an asset with a duplicate ID tried to authenticate.
- I95-62956 Configuration failure due to service definition expecting subnet mask: Resolved an issue where the Anti-Virus and IDP configuration expected a subnet mask as part of the Service Address. The subnet mask has been added.
- I95-62957 Configuration failure due to invalid name: Anti-Virus and IDP do not allow policynames using a dot (.). This has been resolved - configurations will use an underscore for policyname creation.
- I95-62982 SSR limits the number of supported network-interfaces: Resolved an issue where the limit on the number of network-interfaces was low. Improved implementation of data structure storing network-interface objects, resulting in an increase of 7x the current capacity.
- I95-63018 memory corruption after reading VSA: Resolved a rare issue where in remote authentication through Radius server, pam_radius was causing memory corruption after VSA is read.
- I95-63124 Harden HTTPS security: HTTPS security has been improved and hardened by following best practices. Security headers and SSL algorithms have been updated so that browsers and external clients are only using strong algorithms. Users on older Windows/IE versions can choose to extend the SSR security using configure authority router <name> system services webserver ssl ciphers to allow older ciphers.
- I95-63190 Router intermittently disconnects from conductor: Resolved an issue where process errors were filling the buffer queue, dropping messages, and causing node disconnections.
- I95-63202 Unable to bind interfaces in Azure F8 flavor in West Europe region: Resolved an issue where driver optimization on lower core count systems required more memory usage, causing initialization failures.
- I95-63228 Premature route installation complete notification: In some cases an internal notification that the route installation was complete was being transmitted, causing the Graceful Restart process to terminate early. This issue has been resolved.
- I95-63292 Add upgrade timeout and rpm operation timeout: Added the ability to configure the timeout for upgrades and for rpm download/install operations under config authority router <RouterName> system software-update. The defaults are 1 hour for SSR upgrade and 10 minutes for rpm operations.
- I95-63295 Highway crash when show fib is executed on very large FIB: Resolved an issue where a time intensive operation on a large entry was preventing other threads from accessing data and causing a crash.
- I95-63299 Keys signed with ECDSA do not work with Enhanced Security Key Management: Resolved an issue where ECC-based keys fail during the validation process, because the SSR was using hardcoded SHA256 for its signature validation checking. This issue has been resolved.
- I95-63306 Allow RSA keys with ECC signatures on certificates: Resolved an unnecessary restriction between the allowed PKI private key algorithm and the CA signature algorithm. The key is now validated independently from the signature on the certificate.
- I95-63324 Duplicate static DHCP addresses cause crashes: Added validation steps to identify and prevent duplicate MAC addresses for the static address assignment.
- I95-63330 Repeated interface flaps on vSSR led to crash in highway process: Truncated packets are validated prior to processing, preventing crash.
- I95-63353 Invalid assert that leads to a crash: Resolved an issue where an incorrect assertion led to a crash. Protections have been added to prevent the race condition leading to the crash.
- I95-63356 Do not allow new sessions after peer's certificate expired/revoked: Resolved an issue where one peer continued to send new sessions after the other peer's certificate was revoked. When the peer's certificate expires, the peer is now forced to re-initiate the key exchange.
- I95-63368 SSR400/SSR440 PMTU cannot exceed 8978: Resolved an issue where SSR400/SSR440 PMTU discovery was lower than other platforms. The issue has been resolved, and SSR400/SSR440 PMTU now discovers at 9198.
- I95-63412 Glare condition leading to highway crash when session terminates prematurely: Resolved an issue where session exception processing was not handled properly.
- I95-63422 Factory reset routers not re-onboarding when ESKM enabled: Resolved an issue where if ESKM was initially started using an invalid certificate on one node, it would be unable to onboard until the remote peering relationship was restarted.
- I95-63675 Node page in the GUI appears to load indefinitely: Resolved an issue where the GUI Node page would load infinitely.
- I95-63676 Waypoints fail to allocate when the service-path peer next-hop gateway is off the subnet: Resolved an issue where the first network-interface IP was selected as the local IP for waypoint allocation, even if that IP is not a valid waypoint.
- I95-63729 Asset state not accurately reported in conductor: Resolved an issue where the SSH authorized keys from one HA conductor node were deleted after restarting both HA conductor nodes.
- I95-63817 Default peering certificates are unable to use the configured peering-common-name: Resolved an issue where the default peering certificates were generated before receiving the configuration. The default generated peering certificate now properly uses the peering-common-name SSR configuration element.
- I95-63923 Redundant conductor fails to upgrade: Resolved an issue where a minion disconnects from the conductor node and never attempts to reconnect. The minion watchdog process now restarts the salt minion if it is not connected to all conductor nodes.
- I95-63943 Edge-case crash when changing from regular services to app-id: Resolved an issue where a system that never had app-id services or had app-id services, reverted them and restarted the highway process; and then modified an existing service to use app-id caused a crash. Protections have been added to safeguard against this edge case.
- I95-64066 Race condition when syncing SSH keys to the peer node: Resolved an issue where SSH keys were not synced between peer nodes automatically by the Conductor.
Caveats
- I95-64317 Dropped Packets Capture continues to run: If you have initiated a packet Capture from any page in the GUI, it will continue to run on the web server even after the request is terminated, resulting in expensive per packet export overhead. The web server must be restarted to terminate the packet capture. This issue is under investigation and will be resolved in an upcoming release.
Release 7.1.0-50r1
Release Date: December 4, 2025
New Features
- I95-34739 SSR400 and SSR440 Factory reset: The SSR4x0 devices provide the ability to reset the device to either a pre-defined rescue (or Golden) configuration, or a secure zeroization of the system and a return to the factory default configuration. For more information, see Factory Reset.
- I95-44742 SFP Optical interface transceiver stats: Support has been added to display optical interface transceiver stats in the CLI. Issuing the show device-interface node all name <interface> optics-statistics command displays debugging and diagnostic information from network transceiver modules (SFP, SFP+, QSFP, etc.). It displays optical power levels, vendor information, and hardware thresholds for monitoring physical layer connectivity.
- I95-53402 SSR400/SSR440 Chassis Manager: The SSR400 and SSR440 support an integrated Chassis Manager to help monitor connectivity, power, temperature, as well as providing insight into other vital operational data. For more information, see the SSR Chassis Manager.
- I95-53405 5G modem support: Support for 5G modems as provided in the SSR400 and SSR440 devices has been added.
- I95-54238 Uninterruptable Boot Process: When the uninterruptable boot process is configured, a failed upgrade will not allow the user to select the image on the other volume (since the Console port is disabled, no user input is possible). For more information, see the Uninterruptable Boot Process.
- I95-54244 Secure Boot: The SSR400 and SSR440 are factory configured with a cryptographic public key that only allows an authenticated firmware image to run on the device. This ensures that only trusted (Juniper-signed) code will run from power-on through to Linux OS boot. For additional information, see Secure Boot.
- I95-55746 Connection to Mist via proxy server/Support Mist Secure ZTP Onboarding: Support has been added to allow a connection to a public URL or to Mist using an explicit proxy and a private web proxy. See Proxy Server Configuration for information to configure the SSR to identify and use the non-transparent proxy. For information about the secure ZTP process using Mist, see Secure ZTP Onboarding Using a Mist Proxy.
- I95-55936 Alarm and Events when service area hits threshold: Support has been added to allow users to configure alarm thresholds to monitor session processing capacity, and provide visibility into the system’s capacity to establish new sessions. For more information, see Session Processing Alarms.
- I95-57174 DSCP Steering - UDP/TCP destination port: With SSR version 7.1.0, the restriction for matching ports has been lifted, and support has been added for DSCP steering over non-IPSEC tunnels. For more information, see DSCP Steering Using GTP.
- I95-58502 Disable on box management ports: Configuration fields have been added to the SSR400 and SSR440 devices, allowing you to control physical security features. For more information, see Disable SSR400 and SSR440 Management Interfaces.
- I95-59235 HTTP/S proxy server for all public URLs: Support has been added to allow a connection to a public URL or to Mist using an explicit proxy and a private web proxy. See Proxy Server Configuration for information to configure the SSR to identify and use the non-transparent proxy. This process can also be used to support the Mist secure ZTP onboarding process.
Resolved Issues
- I95-39653 Negative duration in session table after applying filter: Resolved an issue where applying a filter to the session table resulted in sessions displaying a negative duration.
- I95-57019 KNI host interfaces erroneously generate LLDP: Resolved an issue where host KNI interfaces are incrementally generating out-errors in show device-interface.
- I95-58007 Add ability to set PIM graceful restart-time: The routing default-instance pim restart-time command has been added to allow users to define the number of seconds that the PIM protocol will perform graceful-restart after a node failure. For more information, see PIM Graceful Restart Timer.
- I95-60767 service-route next-hop validation rejects configuration: Resolved an issue where the rule validator did not take the service application-type as DNS proxy into consideration during the configuration rule validation. This issue has been resolved.
- I95-60799 Tenant prefix use within a VRF: The SSR allows the configuration of tenant-prefixes without giving an error, and correctly handles interfaces with tenant-prefixes within the protocol code.
- I95-61058 Peer paths fail when additional IPs are added to a WAN interface: Resolved a case where adding a second address for use in nat-pools to a peering interface caused continuous bfd peer flaps. The SSR now handles address changes when the local IP address changes.
- I95-61075 BGP does not re-establish after firewall failover: Resolved an issue where when initiating a BFD for BGP session, the cached MAC to IP mapping was being used. If the MAC address had changed, stale information was used and the BFD session would not be established. We now issue an ARP request to get the latest MAC Address.
- I95-61093 Router first time synchronization: Resolved an issue where a minion is restarted multiple times during the first connection to the conductor, resulting in an extended wait time before synchronization.
- I95-61453 'mist' user missing from '128t-user' group at login: Resolved an issue that prevented the modification of lock files causing the process responsible for managing user permissions to fail.
- I95-61580 CLI does not prompt for required router restart: Resolved an issue where making a configuration change requiring a restart generates a warning only for the router that the PCLI is running on. Committing a configuration change that requires a restart now results in a warning even when the change is on a different router.
- I95-61866 Unnecessary events sync: Resolved an issue where data is unintentionally sync'ed between HA nodes.
- I95-61869 Peer paths not coming back up after manual reboot: Resolved an issue with the control message capacity. In configurations with more than 1000 VLANs, the aggregate size of all the control messages grew larger than the space allocated for the messages, and messages failed to send and some packet processing threads were left with incomplete interface tables. The capacity to handle these messages has been increased and can now handle up to 12,000 VLANs.
- I95-61910 FIPS installation failure: Resolved an issue where package renaming resulted in missing installation files.
- I95-61999 ATT SIM card MNC code update: Resolved an issue with the ATT SIM card using an unexpected MNC code.
- I95-62011 Stats from adjacency traffic engineering throw an exception when a hostname is used: Resolved an issue where dynamic reconfiguration when adding neighbors/adjacencies that use an FQDN and have adjacency Traffic Engineering enabled, caused the device interface to reach a failure state.
- I95-62071 Multicast Traffic contributing to service area resource contention: The resource contention issue has been resolved.
- I95-62179 Software Lifecycle History not up to date: Resolved an issue where the software lifecycle page was not showing any history, or in some cases, the history was outdated. Internal functionality has been updated, and both the GUI and CLI outputs now show the correct information.
- I95-62258 Packet steered to egress non-existent interface causes highway crash: Added logic to capture the errant packet and prevent the crash. An exception is logged so that the issue can be more easily rectified.
- I95-62369 Session error record shows 0s for session-id: Resolved an issue where the session record information was incomplete. The SSR now also uses the redundancy session data to gather records.
- I95-62449 HA conductor fails to initialize secondary node: Resolved an issue with password validation that was preventing the secondary node from accessing the primary node to download files needed for initialization. The user is now prompted to enter the new password for the primary node when setting up the secondary node.
- I95-62695 Management interface placed in incorrect zone during conductor onboarding: Resolved an issue where an earlier change did not put the management interface in the t128 zone.
- I95-62703 Highway process crashed when BGP over SVR is activated: Resolved an issue where the unicast code path was incorrectly calling the multicast variant of getBestMultiHomedPathIndex() and causing a highway crash.
- I95-62742 Cannot see sync errors for nodes that are stuck synchronizing: Resolved an issue where errors in show assets disappeared when the synchronizing state retries.
- I95-63334 HA node failover causing mismatched node IDs: Resolved an issue where Enhanced Security Key Management security exchange state may get stuck on HA node failover.
Caveats
- I95-63422 Unable to establish peering: An issue has been identified where the factory reset process or bringing online a new router results in the device getting stuck in a cert-exchange-init state when establishing peering using Enhanced Security Key Management.
  Workaround: When adding a new router, ensure that the certificate intended for use is installed before onboarding the router to the conductor, or delay adding the router to the neighborhood until after the certificate is installed.
  For factory reset of an existing router, remove the router from the neighborhood before re-onboarding the router. Ensure that the desired certificate is installed before adding the neighborhood back to the router and re-onboarding to the conductor.