Release Notes 12.1X44-D50


Junos® OS 12.1X44-D50 Release Notes

Release 12.1X44-D50

16 July 2015

Revision 2

Contents

These release notes accompany Release 12.1X44-D50 of the Junos® OS. They describe device documentation and known problems with the software. Junos OS runs on all Juniper® Networks SRX Series Services Gateways and J Series Services Routers.

For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at http://www.juniper.net/prsearch.

You can also find these release notes on the Juniper Networks Junos OS Documentation web page, which is located at https://www.juniper.net/techpubs/software/junos/.

Junos OS Release Notes for Branch SRX Series Services Gateways and J Series Services Routers ... 6
  New and Changed Features in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers ... 6
    Release 12.1X44-D20 Software Features ... 7
    Release 12.1X44-D15 Hardware Features ... 7
    Release 12.1X44-D15 Software Features ... 9
    Release 12.1X44-D10 Hardware Features ... 9
    Release 12.1X44-D10 Software Features ... 10
  Changes in Behavior and Syntax in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers ... 25
    Application Firewall ... 25
    AppSecure ... 26
    Chassis Cluster ... 27
    Chassis Cluster Redundancy Group Manual Failover ... 29
    Command-Line Interface (CLI) ... 29
    Dynamic Host Configuration Protocol (DHCP) ... 31
    Flow and Processing ... 31
    Hardware ... 31
    Interfaces and Routing ... 31
    Intrusion Detection and Prevention (IDP) ... 31
    Junos OS Federal Information Processing Standard (FIPS) ... 36
    Junos Pulse ... 36

1

Junos OS 12.1X44 Release Notes

    J-Web ... 36
    Network Time Protocol ... 37
    Screen ... 37
    Session Timeout for Reroute Failure ... 37
    System Logs ... 37
    System Management ... 38
    User Interface and Configuration ... 38
    Virtual Private Network (VPN) ... 38
  Known Behavior in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers ... 40
    Application Identification ... 40
    AppSecure ... 40
    AX411 Access Points ... 40
    Chassis Cluster ... 40
    Command-Line Interface (CLI) ... 41
    Connectivity Fault Management (CFM) ... 42
    Dynamic Host Configuration Protocol (DHCP) ... 42
    Flow and Processing ... 42
    Group VPN Interoperability with Cisco’s GET VPN for Juniper Networks Security Devices that Support Group VPN ... 43
    Hardware ... 45
    Interfaces and Routing ... 45
    Intrusion Detection and Prevention (IDP) ... 48
    IPv6 ... 51
    Layer 2 Transparent Mode ... 51
    License ... 51
    IPv6 ... 51
    J-Web ... 51
    Multicast ... 53
    Network Address Translation (NAT) ... 53
    Power over Ethernet (PoE) ... 54
    Security Policies ... 54
    Simple Network Management Protocol (SNMP) ... 55
    Switching ... 55
    Syslog ... 56
    Unified Threat Management (UTM) ... 56
    Upgrade and Downgrade ... 56
    USB ... 57
    Virtual Private Network (VPN) ... 57
  Known Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers ... 59
    Known Issues in Junos OS Release 12.1X44-D50 for Branch SRX Series Services Gateways and J Series Services Routers ... 59
  Resolved Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers ... 61
    Resolved Issues in Junos OS Release 12.1X44-D50 for Branch SRX Series Services Gateways ... 62
    Resolved Issues in Junos OS Release 12.1X44-D45 for Branch SRX Series Services Gateways ... 66
    Resolved Issues in Junos OS Release 12.1X44-D40 for Branch SRX Series Services Gateways ... 71
    Resolved Issues in Junos OS Release 12.1X44-D35 for Branch SRX Series Services Gateways ... 73
    Resolved Issues in Junos OS Release 12.1X44-D30 for Branch SRX Series Services Gateways ... 78
    Resolved Issues in Junos OS Release 12.1X44-D25 for Branch SRX Series Services Gateways ... 84
    Resolved Issues in Junos OS Release 12.1X44-D20 for Branch SRX Series Services Gateways ... 89
    Resolved Issues in Junos OS Release 12.1X44-D15 for Branch SRX Series Services Gateways ... 93
    Resolved Issues in Junos OS Release 12.1X44-D10 for Branch SRX Series Services Gateways ... 95
  Documentation Updates for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers ... 105
    Errata for the Junos OS Software Documentation ... 105
    Errata for the Junos OS Hardware Documentation ... 113
  Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers ... 116
    Upgrading and Downgrading among Junos OS Releases ... 116
    Upgrading an AppSecure Device ... 118
    Upgrade and Downgrade Scripts for Address Book Configuration ... 119
    Hardware Requirements for Junos OS Release 12.1X44 for SRX Series Services Gateways and J Series Services Routers ... 121

Junos OS Release Notes for High-End SRX Series Services Gateways ... 124
  New and Changed Features in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways ... 124
    Release 12.1X44-D30 Software Features ... 124
    Release 12.1X44-D20 Software Features ... 125
    Release 12.1X44-D15 Hardware Features ... 125
    Release 12.1X44-D15 Software Features ... 129
    Release 12.1X44-D10 Hardware Features ... 130
    Release 12.1X44-D10 Software Features ... 133
  Changes in Behavior and Syntax in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways ... 149
    Application Firewall ... 150
    AppSecure ... 151
    AppSecure Application Package Upgrade Changes ... 152
    Chassis Cluster ... 152
    Chassis Cluster Redundancy Group Manual Failover ... 154
    Command-Line Interface (CLI) ... 154
    Compatibility ... 156
    Flow and Processing ... 156
    Intrusion Detection Prevention (IDP) ... 157
    Junos OS Federal Information Processing Standard (FIPS) ... 162
    J-Web ... 162
    Logical Systems ... 162
    Management Information Base (MIB) ... 162
    Network Time Protocol ... 162
    Screen ... 162
    Security Policies ... 162
    Session Timeout for Reroute Failure ... 163
    SNMP ... 163
    System Logs ... 164
    System Management ... 165
    Unified In-Service Software Upgrade (ISSU) ... 165
    Virtual Private Network (VPN) ... 166
  Known Behavior in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways ... 168
    Application Identification ... 168
    AppSecure ... 168
    Chassis Cluster ... 168
    Dynamic Host Configuration Protocol (DHCP) ... 170
    Flow and Processing ... 170
    General Packet Radio Service (GPRS) ... 170
    Interfaces and Routing ... 173
    Intrusion Detection and Prevention (IDP) ... 174
    IP Monitoring ... 176
    IPv6 ... 176
    J-Web ... 177
    Logical Systems ... 178
    Network Address Translation (NAT) ... 179
    Security Policies ... 181
    Services Offloading ... 181
    Simple Network Management Protocol (SNMP) ... 182
    Unified Threat Management (UTM) ... 182
    Virtual Private Network (VPN) ... 182
  Known Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways ... 184
    Known Issues in Junos OS Release 12.1X44-D50 for High-End SRX Series Services Gateways ... 185
  Resolved Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways ... 186
    Resolved Issues in Junos OS Release 12.1X44-D50 for High-End SRX Series Services Gateways ... 187
    Resolved Issues in Junos OS Release 12.1X44-D45 for High-End SRX Series Services Gateways ... 190
    Resolved Issues in Junos OS Release 12.1X44-D40 for High-End SRX Series Services Gateways ... 195
    Resolved Issues in Junos OS Release 12.1X44-D35 for High-End SRX Series Services Gateways ... 198
    Resolved Issues in Junos OS Release 12.1X44-D30 for High-End SRX Series Services Gateways ... 202
    Resolved Issues in Junos OS Release 12.1X44-D25 for High-End SRX Series Services Gateways ... 209
    Resolved Issues in Junos OS Release 12.1X44-D20 for High-End SRX Series Services Gateways ... 215
    Resolved Issues in Junos OS Release 12.1X44-D15 for High-End SRX Series Services Gateways ... 221
    Resolved Issues in Junos OS Release 12.1X44-D10 for High-End SRX Series Services Gateways ... 224
      Application Layer Gateways (ALGs) ... 224
      Chassis Cluster ... 225
      Command-Line Interface (CLI) ... 226
      Flow and Processing ... 226
      General Packet Radio Service (GPRS) ... 229
      Hardware ... 229
      Installation and Upgrade ... 229
      Interfaces and Routing ... 229
      Intrusion Detection and Prevention (IDP) ... 230
      IPv6 ... 230
      J-Web ... 230
      Logical Systems ... 231
      Network Address Translation (NAT) ... 231
      Security Policies ... 232
      SNMP ... 232
      System Logs ... 232
      Unified Threat Management (UTM) ... 232
      Virtual Private Network (VPN) ... 233
  Documentation Updates for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways ... 234
    Errata for the Junos OS Software Documentation ... 234
  Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways ... 243
    Upgrading and Downgrading among Junos OS Releases ... 243
    Upgrading an AppSecure Device ... 245
    Upgrade and Downgrade Scripts for Address Book Configuration ... 245
    Upgrade Policy for Junos OS Extended End-Of-Life Releases ... 248
    Hardware Requirements for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways ... 248

Junos OS Documentation and Release Notes ... 249
Documentation Feedback ... 249
Requesting Technical Support ... 249
Revision History ... 251


Junos OS Release Notes for Branch SRX Series Services Gateways and J Series Services Routers

Powered by Junos OS, Juniper Networks SRX Series Services Gateways provide robust networking and security services. SRX Series Services Gateways range from lower-end branch devices designed to secure small distributed enterprise locations to high-end devices designed to secure enterprise infrastructure, data centers, and server farms. The branch SRX Series Services Gateways include the SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices.

Juniper Networks J Series Services Routers running Junos OS provide stable, reliable, and efficient IP routing, WAN and LAN connectivity, and management services for small to medium-sized enterprise networks. These routers also provide network security features, including a stateful firewall with access control policies and screens to protect against attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320, J2350, J4350, and J6350 devices.

New and Changed Features in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 6

Changes in Behavior and Syntax in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 25

Known Behavior in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 40

Known Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 59

Resolved Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 61

Documentation Updates for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 105

Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 116

New and Changed Features in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers

The following features have been added to Junos OS Release 12.1X44. Following each description are the titles of the topics and pathway pages to consult for more information on the feature.

Release 12.1X44-D20 Software Features on page 7

Release 12.1X44-D15 Hardware Features on page 7

Release 12.1X44-D15 Software Features on page 9

Release 12.1X44-D10 Hardware Features on page 9

Release 12.1X44-D10 Software Features on page 10


Release 12.1X44-D20 Software Features

Application Layer Gateways (ALG)

• Transparent mode support for ALGs—This feature is supported on all branch SRX Series devices.

Beginning with Junos OS Release 12.1X44-D20, the Avaya H.323, G-H323, IKE, MGCP, MS RPC, PPTP, RSH, SUN RPC, SCCP, SIP, SQL, and TALK ALGs support Layer 2 transparent mode. Transparent mode on SRX Series devices provides standard Layer 2 switching capabilities and full security services.

In transparent mode, the SRX Series device filters packets that traverse the device without modifying any of the source or destination information in the packet MAC headers. Transparent mode is useful for protecting servers that mainly receive traffic from untrusted sources because there is no need to reconfigure the IP settings of routers or protected servers.

NOTE: Transparent mode is supported on all data and VOIP ALGs.

A device operates in Layer 2 transparent mode when all physical interfaces on the device are configured as Layer 2 interfaces. There is no command to define or enable transparent mode on the device. The device operates in transparent mode when there are interfaces defined as Layer 2 interfaces. The device operates in route mode (the default mode) if there are no physical interfaces configured as Layer 2 interfaces.

[Layer 2 Bridging and Transparent Mode Overview]

[Layer 2 Bridging and Switching for Security Devices]

[Layer 2 Bridging and Transparent Mode for Security Devices]

[Transparent Mode]

Release 12.1X44-D15 Hardware Features

Hardware Features - SRX100 Services Gateway

This release introduces the following model of the SRX100 Services Gateway with increased memory. The features of the new model are the same as those of the existing models. For information on the specification changes, refer to the relevant product datasheet.

Model: SRX100H2
Description: SRX100 Services Gateway with 8 Fast Ethernet ports, 2 GB DRAM, and 2 GB NAND Flash memory

Hardware Features - SRX110 Services Gateway

This release introduces the following models of the SRX110 Services Gateway with increased memory. The features of the new models are the same as those of the existing models. For information on the specification changes, refer to the relevant product datasheet.

Model: SRX110H2-VA
Description: SRX110 Services Gateway with 8 Fast Ethernet ports, 2 GB DRAM, 2 GB CompactFlash memory, and 1 VDSL/ADSL-POTS port

Model: SRX110H2-VB
Description: SRX110 Services Gateway with 8 Fast Ethernet ports, 2 GB DRAM, 2 GB CompactFlash memory, and 1 VDSL/ADSL-ISDN port

Hardware Features – SRX210 Services Gateway

This release introduces the following models of the SRX210 Services Gateway with increased memory. The features of the new models are the same as those of the existing models. For information on the specification changes, refer to the relevant product datasheet.

Model: SRX210HE2
Description: SRX210 Services Gateway with 1 Mini-PIM slot, 2 GB DRAM, and 2 GB NAND Flash memory

Model: SRX210HE2-POE
Description: SRX210 Services Gateway with 1 Mini-PIM slot, 2 GB DRAM, 2 GB NAND Flash memory, and 4 Power over Ethernet (PoE) ports

Hardware Features – SRX220 Services Gateway

This release introduces the following models of the SRX220 Services Gateway with increased memory. The features of the new models are the same as those of the existing models. For information on the specification changes, refer to the relevant product datasheet.

Model: SRX220H2
Description: SRX220 Services Gateway with 2 Mini-PIM slots, 2 GB DRAM, and 2 GB CompactFlash memory

Model: SRX220H2-POE
Description: SRX220 Services Gateway with 2 Mini-PIM slots, 2 GB DRAM, 2 GB CompactFlash memory, and 8 PoE ports


Release 12.1X44-D15 Software Features

Hardware

• 2G Memory Upgrade—This feature is supported on SRX100, SRX110, SRX210, and SRX220 devices. See the Hardware Features section for more details.

Release 12.1X44-D10 Hardware Features

This topic includes the following sections:

8-Port Gigabit Ethernet SFP XPIM on page 9

8-Port Gigabit Ethernet SFP XPIM

The ports of the 8-Port Gigabit Ethernet small form-factor pluggable (SFP) XPIM can be used for connecting to Ethernet WAN service as well as for local server connectivity at Gigabit Ethernet speeds. The XPIM enables Layer 2 line-rate Gigabit switching and system-processor dependent Layer 3 service with connection of up to eight SFP Gigabit Ethernet ports. The 8-Port Gigabit Ethernet SFP XPIM complements the on-board 10/100/1000 Mbps Ethernet interfaces with extended WAN connectivity. It supports a variety of transceivers. This XPIM can be used in copper and optical environments to provide maximum flexibility when upgrading from an existing infrastructure to Metro Ethernet.

Figure 1 on page 9 shows the front panel of the 8-Port Gigabit Ethernet SFP XPIM.

Figure 1: 8-Port Gigabit Ethernet SFP XPIM Front Panel

Hardware Specifications

Table 1 on page 9 gives the physical specifications of the 8-Port Gigabit Ethernet small form-factor pluggable (SFP) XPIM.

Table 1: 8-Port Gigabit Ethernet SFP XPIM Physical Specifications

Dimensions (H x W x L): 0.78 in. x 6.72 in. x 8.1 in. (1.98 cm x 17.1 cm x 20.57 cm)
Weight: 17.6 oz (0.499 kg)
Connector type: SFP
Form factor: XPIM
Environmental operating temperature: 32°F through 113°F (0°C through 45°C)
Relative humidity: 5% to 90% noncondensing
Altitude: Up to 10,000 ft (3000 m)


Network Interface Specifications

Table 2 on page 10 gives the network interface specifications of the 8-Port Gigabit Ethernet small form-factor pluggable (SFP) XPIM.

Table 2: 8-Port Gigabit Ethernet SFP XPIM Network Interface Specifications

Operating modes: Full-duplex and half-duplex
Operating speed: 10/100/1000 Mbps
VLAN support: 802.1Q virtual LANs
Class-of-service support: Supported
Encapsulations: DIX, LLC/SNAP, CCC, TCC, and VLAN-CCC
Loopback diagnostic feature: Supported
Autonegotiation: Supported

Release 12.1X44-D10 Software Features

Application Layer Gateways (ALG)

• Real-Time Streaming Protocol (RTSP) interleave mode—This feature is supported on all branch SRX Series and J Series devices.

This feature is an enhancement to the current RTSP ALG. In most use cases the network carries UDP media streams set up over an RTSP TCP connection, but demand has grown for interleaved mode, in which both media and control share the same TCP connection. The key reason to use interleaving is the ability to traverse firewalls: because security restrictions around TCP port 80 are relaxed to support Web traffic, RTSP uses interleaved mode to carry the media in the same connection and so pass through firewalls.

[Understanding ALG Types]
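The interleaved framing an RTSP ALG has to understand, as an added example that is not Juniper's code: a small Python demultiplexer that splits one RTSP TCP byte stream into the text control messages and the binary RTP/RTCP frames (RFC 2326 "$"-framing) carried on the same connection, tolerating segment boundaries that fall in the middle of a frame or a header block. The sample stream, its URL and its channel numbers are constructed.

```python
"""Demultiplex an RTSP connection carrying interleaved media (added example).

Not Juniper code. In interleaved mode (RFC 2326, section 10.12) the binary
RTP/RTCP frames share the RTSP TCP connection with the text control messages:
each frame is '$' (0x24), a one-byte channel number and a two-byte big-endian
length, followed by the payload. Everything else is RTSP text ending at a
blank line, optionally followed by a Content-Length body. An ALG has to pull
the stream apart this way before it can inspect the control channel.
"""
import re

CONTENT_LENGTH = re.compile(rb"^Content-Length:\s*(\d+)\s*$", re.I | re.M)


class RtspInterleaveDemux:
    """Incremental demuxer: feed() TCP segments, collect the parsed records."""

    def __init__(self):
        self.buf = b""
        self.records = []   # ("control", message) or ("media", channel, payload)

    def feed(self, data: bytes):
        self.buf += data
        while self._parse_one():
            pass
        return self.records

    def _parse_one(self) -> bool:
        if not self.buf:
            return False
        if self.buf[:1] == b"$":
            # Binary frame: the 4-byte header must be complete to know the length.
            if len(self.buf) < 4:
                return False
            channel = self.buf[1]
            length = int.from_bytes(self.buf[2:4], "big")
            if len(self.buf) < 4 + length:
                return False        # frame split across segments: wait for more
            self.records.append(("media", channel, self.buf[4:4 + length]))
            self.buf = self.buf[4 + length:]
            return True
        # RTSP text message: headers end at the first blank line.
        end = self.buf.find(b"\r\n\r\n")
        if end < 0:
            return False
        head_len = end + 4
        m = CONTENT_LENGTH.search(self.buf[:end])
        body_len = int(m.group(1)) if m else 0
        if len(self.buf) < head_len + body_len:
            return False            # body not yet fully received
        self.records.append(("control", self.buf[:head_len + body_len]))
        self.buf = self.buf[head_len + body_len:]
        return True


def demux(stream: bytes, segment: int):
    """Run the demuxer over `stream` delivered in TCP segments of `segment` bytes.
    Returns (records, unparsed remainder)."""
    d = RtspInterleaveDemux()
    for i in range(0, len(stream), segment):
        d.feed(stream[i:i + segment])
    return d.records, d.buf


# Constructed sample stream: PLAY request, an RTP frame on channel 0, an RTCP
# frame on channel 1, then a TEARDOWN request, all on one TCP connection.
RTP_FRAME = b"\x80\x60\x00\x01\x00\x00\x00\x10\xde\xad\xbe\xef" + b"\x11" * 8
RTCP_FRAME = b"\x80\xc8\x00\x01\xde\xad\xbe\xef"
SAMPLE_STREAM = (
    b"PLAY rtsp://example.invalid/cam RTSP/1.0\r\nCSeq: 3\r\n\r\n"
    + b"$\x00" + len(RTP_FRAME).to_bytes(2, "big") + RTP_FRAME
    + b"$\x01" + len(RTCP_FRAME).to_bytes(2, "big") + RTCP_FRAME
    + b"TEARDOWN rtsp://example.invalid/cam RTSP/1.0\r\nCSeq: 4\r\n\r\n"
)

if __name__ == "__main__":
    for rec in demux(SAMPLE_STREAM, 7)[0]:
        print(rec[0], rec[1] if rec[0] == "media" else rec[1].split(b"\r\n")[0])
```

Feeding the same stream one byte at a time and all at once yields identical records, which is the property a firewall reassembling TCP segments has to rely on.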

AppSecure

• AppFW rule set features expanded—This feature is supported on all branch SRX Series devices.

NOTE: On the SRX100, SRX110, and SRX210 platforms, this feature is only supported on the High Memory versions.

AppFW is enhanced to broaden the rule set options for defining an application-aware firewall. You can now:

• Choose to close a TCP connection when matching traffic is rejected.

• Define explicit, coexisting permit rules and deny rules in a single rule set.

• Display session logs to view new session create, deny, and close messages that describe the AppFW actions that have been taken.

• Display AppFW rules that are shadowed by others in the same rule set so that you can remove redundancy and avoid errors.

[Application Firewall]

• Application identification at Layer 3 and Layer 4—This feature is supported on all branch SRX Series devices.

NOTE: This feature is supported on only the High Memory versions of SRX100, SRX110, and SRX210 devices.

New services application-identification configuration options allow the ICMP type or code, the IP protocol, and the source or destination addresses that are available at Layer 3 or Layer 4 to be mapped to an application. When implementing AppSecure services, such as AppFW, AppTrack, or AppQoS, you can apply Layer 3 or Layer 4 mapping techniques when applicable to bypass Layer 7 signature-based mapping and improve the efficiency of the network. The mapping techniques work as follows:

• Address mapping associates traffic to or from particular addresses with a known application.

• ICMP mapping associates the type or code of ICMP messages with a known application.

• IP protocol mapping applies to IP traffic only and associates a particular IP protocol with a known application.

[Application Identification for Security Devices]

Chassis Cluster

• Logical interface scaling—On SRX Series devices, chassis cluster failover performance has been optimized to scale with more logical interfaces.

During redundancy group failover, gratuitous ARP (GARP) is sent on each logical interface to steer traffic to the appropriate node. In the previous release of Junos OS, GARP was sent by the Juniper Services Redundancy Protocol (jsrpd) process running on the Routing Engine.

With logical interface scaling, the Routing Engine becomes the checkpoint and GARP is sent directly from the Services Processing Unit (SPU).

[Understanding Chassis Cluster Redundancy Group Failover]

DNS

• DNS enhancements—This feature is supported on all branch SRX Series and J Series devices.


Junos OS 12.1X44 Release Notes

Junos OS Domain Name System (DNS) support allows you to use domain names as well as IP addresses to identify locations.

DNS enhancements include:

• DNS proxy—The device proxies hostname resolution requests on behalf of the clients behind the J Series or SRX Series device.

• DNS proxy with split DNS—You can configure the proxy to split DNS queries based on both the interface and the domain name. You can also configure a set of name servers and associate them with a given domain name.

• Dynamic DNS (DDNS) client—Servers protected by the device remain accessible despite dynamic IP address changes.

[DNS Proxy Overview]

[Configuring the Device as a DNS Proxy]

[Junos OS CLI Reference]
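
The following configuration is an added example of the domain-based split (it is not from the release notes, and the interface-based split is not shown). Clients on one inside interface send their queries to the device; queries for the internal zone are forwarded to an internal resolver, everything else to the upstream resolver. The interface name, domain and resolver addresses are placeholders.

```junos
# Added example (not from the release notes). Interface, domain and resolver addresses
# are placeholders.

# Clients on ge-0/0/1.0 resolve through the SRX instead of talking to resolvers directly.
set system services dns dns-proxy interface ge-0/0/1.0

# Split DNS by domain: the internal zone is answered by the internal resolver only ...
set system services dns dns-proxy default-domain corp.example.com forwarders 10.10.0.53

# ... and every other name goes to the upstream resolver. The wildcard entry is the
# catch-all; without it, names outside corp.example.com are not forwarded.
set system services dns dns-proxy default-domain * forwarders 198.51.100.53
```

Keeping internal names on the internal resolver prevents them from leaking to the upstream provider, and pointing clients only at the device means the security policy that permits DNS out of the trust zone can be narrowed to the device's own traffic.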

Ethernet OAM Connectivity Fault Management

• Ethernet OAM connectivity fault management—This feature is supported on SRX210, SRX220, SRX240, SRX550, and SRX650 devices.

Ethernet interfaces on branch SRX Series devices support the IEEE 802.1ag standard for Operation, Administration, and Maintenance (OAM), which specifies connectivity fault management (CFM) for Ethernet networks. An Ethernet network can consist of one or more service instances, where a service instance is a VLAN or a concatenation of VLANs. The goal of CFM is to provide a mechanism to monitor, locate, and isolate faulty links.

CFM support includes the following features:

• Fault monitoring using the Continuity Check Protocol. This is a neighbor discovery and health check protocol that discovers and maintains adjacencies at the VLAN or link level.

• Path discovery and fault verification using the Linktrace protocol.

• Fault isolation using the Loopback protocol.

The Loopback protocol is used to check access to maintenance association end points (MEPs) under the same maintenance association (MA). The Loopback messages are triggered by an administrator using the ping ethernet command.

[Understanding Ethernet OAM Connectivity Fault Management ]

[Junos OS CLI Reference]

Ethernet OAM Link Fault Management

• 802.3ah OAM link fault management—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX550, and SRX650 devices.

The Ethernet interfaces on these SRX Series devices support the IEEE 802.3ah standard for Operation, Administration, and Maintenance (OAM). The standard defines OAM link fault management (LFM). You can configure IEEE 802.3ah OAM LFM on point-to-point Ethernet links that are connected either directly or through Ethernet repeaters. The IEEE 802.3ah standard meets the requirement for OAM capabilities as Ethernet moves from being solely an enterprise technology to a WAN and access technology, and the standard remains backward-compatible with existing Ethernet technology.

The following OAM LFM features are supported:

• Discovery and link monitoring

• Remote fault detection

• Remote loopback

[Understanding Ethernet OAM Link Fault Management for SRX Series Services Gateways]

Interfaces and Routing

• 8-Port Gigabit Ethernet SFP XPIM—The 8-Port Gigabit Ethernet small form-factor pluggable (SFP) XPIM is supported on SRX550 and SRX650 Services Gateways.

An XPIM is a network interface card (NIC) that installs in the front slots of the SRX550 or SRX650 Services Gateway to provide physical connections to a LAN or a WAN.

Small form-factor pluggables (SFPs) are hot-pluggable modular interface transceivers for Gigabit Ethernet and Fast Ethernet connections. The 8-port SFP Gigabit Ethernet interface enables customers to connect to Ethernet WAN services as well as to local servers at gigabit speed.

Supported Features

The following features are supported on the 8-Port Gigabit Ethernet SFP XPIM:

• Pluggable on standard SFP Gigabit Ethernet ports

• Operates in tri-rate (10/100/1000 Mbps) mode with copper SFPs

• Routing and switched mode operation

• Layer 2 protocols

  • LACP

  • LLDP

  • GVRP

  • IGMP snooping (v1 and v2)

  • STP, RSTP, and MSTP

  • 802.1x

• Encapsulation (supported at the Physical Layer)

  • Ethernet-bridge

  • Ethernet-ccc

  • Ethernet-tcc

  • Ethernet-vpls

  • extended-vlan-ccc

  • extended-vlan-tcc

  • flexible-Ethernet-services

  • vlan-ccc

• Q in Q VLAN tagging

• Integrated routing and bridging (IRB)

• Jumbo frames (9192-byte size)

• Chassis cluster switching

• Chassis cluster fabric link using Gigabit Ethernet ports

NOTE: The following Layer 2 switching features are not supported when the 8-Port Gigabit Ethernet SFP XPIM is installed in slots with a speed lower than 1 Gbps:

• Q in Q VLAN tagging

• Link aggregation using ports across multiple XPIMs

Interface Names and Settings

The following format is used to represent the 8-Port Gigabit Ethernet SFP XPIM:

type-fpc/pic/port

Where:

• type—Media type (ge)

• fpc— Number of the Flexible PIC Concentrator (FPC) card where the physical interface resides

• pic—Number of the PIC where the physical interface resides (0)

• port—Specific port on a PIC (0)

Examples: ge-1/0/0 and ge-2/0/0

By default, the interfaces on the ports on the uplink module installed on the device are enabled. You can also specify the MTU size for the XPIM. Junos OS supports values from 256 through 9192. The default MTU size for the 8-Port Gigabit Ethernet SFP XPIM is 1514.

[Understanding the 8-Port Gigabit Ethernet SFP XPIM]

• 8-Port serial GPIM—The 8-Port synchronous serial GPIM is supported on SRX550 and SRX650 devices. This GPIM provides 8 ports that operate in synchronous mode and supports a line rate of 64 Mbps or 8 Mbps per port.


The 8-Port synchronous serial GPIM supports the following features:

• Operation modes (autoselect based on cable, no configuration required)

  • DTE (data terminal equipment)

  • DCE (data communication equipment)

• Clocking

  • Clock rates (baud rates) from 1.2 kHz to 8.0 MHz

  NOTE: RS-232 serial interfaces might cause an error with a clock rate greater than 200 kHz.

• MTU—9192 bytes, default value is 1504 bytes

• HDLC

• Line encoding—NRZ and NRZI

• Invert data

• Line protocol—EIA530/EIA530A, X.21, RS-449, RS-232, V.35

• Data cables—Separate cable for each line protocol (both DTE/DCE mode)

• Error counters (conformance to ANSI specification)

• Alarms and defects

• Data signal—Rx clock

• Control signals

• Serial autoresync

• Diagnostic feature

• Layer 2

• SNMP

• Anticounterfeit check

[Understanding the 8-Port Synchronous Serial GPIM]

• Ethernet in the First Mile support on G.SHDSL Mini-PIMs—This feature is supported on SRX210, SRX220, SRX240, and SRX550 devices. This feature supports single-port EFM mode in SHDSL 2-wire mode, without disrupting the existing functionality of the PIC. Currently the G.SHDSL Mini-PIM supports ATM interfaces toward DSL lines in various modes, such as 2-wire, 4-wire, and 8-wire.

NOTE: EFM is not supported in 4-wire and 8-wire modes.


The following key features are supported in EFM mode on G.SHDSL Mini-PIMs:

• IEEE 802.3-2004 compliant

• VLAN over G.SHDSL EFM

• Chassis cluster

• IPv6 over EFM

• Annexes A/B/F/G/Auto

• Dying gasp

• Line coding of 16- and 32-TCPAM (trellis coded pulse amplitude modulation)

[DSL Interfaces]

• Q-in-Q support on Layer 3 interfaces—This feature is supported on all branch SRX Series and J Series devices.

The Q-in-Q feature is supported in both packet mode and flow mode. This feature allows you to configure flexible VLANs at the Ethernet port level. Flexible VLAN tagging is supported only in plain encapsulation and on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces.

A flexible VLAN interface accepts the following VLAN packets on the same physical interface:

• Untagged VLAN packets (using native-vlan-id)

• Single VLAN packets

• Double VLAN packets

[Configuring VLAN Tagging]

[Junos OS CLI Reference]

Intrusion Detection and Prevention (IDP)

• IDP policy compilation improvements—This feature is supported on all branch SRX Series devices. On SRX100, SRX210, and SRX240 devices, these improvements are supported only on the high-memory variants.

The IDP policy compilation process has been optimized to provide significant reductions in compilation time and memory utilization.

[Security IDP]

J-Web

• New Setup Wizard—This feature is supported on all branch SRX Series devices.

The New Setup wizard simplifies device configuration by guiding you through the process of setting up a device from start to finish.

You can select one of the following modes:


• Guided Setup—Default mode that takes you through the complete configuration process. Using Guided Setup mode, you can customize options for the Internet, DMZ, internal zones, policies, RVPN, and NAT.

• Default Setup—Quick way to configure basic device elements. Using Default Setup mode, you can configure the device name, root password, user accounts, device time, and license details.

The New Setup wizard has the following advantages:

• Input validation

• Context-sensitive Help

• Smart navigation bar

• Pending changes review

• Accelerated quick start

• Can be relaunched from J-Web

Monitoring

• System health monitoring—This feature is supported on all branch SRX Series devices.

The system health monitor can monitor resources such as CPU, memory, storage, open-file-descriptor, process-count, and temperature. Tracking critical resource utilization ensures that all parameters stay within normal limits and the system remains functional. In the event of a malfunction caused by abnormal resource usage, system health monitoring provides the diagnostic information required to identify the source of the problem.

To enable the system health monitor, run the set snmp health-monitor routing engine CLI command.

[Monitoring System Resources for Branch SRX Series Devices]

[Junos OS CLI Reference]

Network Address Translation (NAT)

• Increase in the maximum sessions allowed for a persistent NAT binding—This feature is supported on all branch SRX Series devices.

Previously, the maximum number of sessions allowed for a persistent NAT binding was 100. This limit is now 65,536. You can now configure the maximum number of sessions ranging from 8 through 65,536.

[max-session-number]

[Junos OS CLI Reference]

• Static NAT support for port mapping—This feature is supported on all branch SRX Series and J Series devices.


Static NAT defines a one-to-one mapping from one IP subnet to another IP subnet.

The existing static NAT functionality is enhanced to support the following types of translation:

• To map multiple IP addresses and specified ranges of ports to the same IP address and a different range of ports

• To map a specific IP address and port to a different IP address and port

The new CLI statements destination-port low to high and mapped-port low to high are introduced as part of this enhancement.

[Example: Configuring Static NAT for Port Mapping]
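
As an added example (not from the release notes), the following static NAT rule set uses the new destination-port and mapped-port statements to map a public address and a range of ten destination ports to an internal server on a different ten-port range. Addresses, zone and rule names are placeholders, and the comment lines are explanatory.

```junos
# Added example (not from the release notes). Addresses, zone and rule names are placeholders.
# Public 203.0.113.10 ports 8080-8089 map one-to-one, in order, onto 192.168.10.5 ports 80-89.
set security nat static rule-set inbound-portmap from zone untrust
set security nat static rule-set inbound-portmap rule web-range match destination-address 203.0.113.10/32
set security nat static rule-set inbound-portmap rule web-range match destination-port 8080 to 8089
set security nat static rule-set inbound-portmap rule web-range then static-nat prefix 192.168.10.5/32
set security nat static rule-set inbound-portmap rule web-range then static-nat prefix mapped-port 80 to 89

# Static NAT only translates. Traffic is still subject to the untrust-to-trust security policy,
# which matches on the translated (internal) destination address, so keep it narrow.
set security policies from-zone untrust to-zone trust policy to-web-range match source-address any
set security policies from-zone untrust to-zone trust policy to-web-range match destination-address web-server
set security policies from-zone untrust to-zone trust policy to-web-range match application junos-http
set security policies from-zone untrust to-zone trust policy to-web-range then permit
set security zones security-zone trust address-book address web-server 192.168.10.5/32
```

Two points to check after committing. The destination and mapped port ranges must be the same size, since the translation is positional (8080 becomes 80, 8081 becomes 81, and so on). Static NAT is also bidirectional: the same rule translates replies and any connection the server originates from source ports 80 through 89 back to 203.0.113.10 ports 8080 through 8089.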

Security Profiles

• New match criteria for user role firewall policies—This feature is supported on all branch SRX Series devices.

User role firewall policies can now specify the username as match criteria in the source-identity field. In the previous release, roles were the only valid input for the source-identity field. Roles are now considered optional.

Two additional show commands display the users and the combined users and roles that are specified in the user identification tables (UITs) and available for user and role provisioning:

• show security user-identification user-provision all

• show security user-identification source-identity-provision all

In addition, the connection setup rate has been improved when a user role firewall is enabled.

[Understanding User Role Firewalls]

• Shadow policy check—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

You can now check whether there is any policy shadowing in the policy list using the following CLI commands:

• For logical systems, run the show security shadow-policies logical-system lsys-name from-zone from-zone-name to-zone to-zone-name policy policy-name reverse command.

• For global policies, run the show security shadow-policies logical-system lsys-name global policy policy-name reverse command.

The CLI commands can be used to display:

• All shadow policies within a context

• If a given policy shadows one or more policies

• If a given policy is shadowed by one or more policies

[Understanding Security Policy Ordering]

[Verifying Shadow Policies]


[show security shadow-policies logical-system]

[Junos OS CLI Reference]
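
The following is an added example (not from the release notes) of the situation the check is meant to catch and of the fix. A broad permit is listed ahead of a specific deny, so the deny can never match; the insert command reorders the two policies without deleting either. Zone and policy names are placeholders, and the example assumes the root context is addressed as root-logical-system in the show command.

```junos
# Added example (not from the release notes). Placeholder zone and policy names.
# allow-all-out is evaluated first, so deny-telnet is never reached: it is shadowed.
set security policies from-zone trust to-zone untrust policy allow-all-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-all-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-all-out match application any
set security policies from-zone trust to-zone untrust policy allow-all-out then permit
set security policies from-zone trust to-zone untrust policy deny-telnet match source-address any
set security policies from-zone trust to-zone untrust policy deny-telnet match destination-address any
set security policies from-zone trust to-zone untrust policy deny-telnet match application junos-telnet
set security policies from-zone trust to-zone untrust policy deny-telnet then deny

# Fix: move the specific deny ahead of the broad permit. Policies are evaluated in order,
# and insert changes the order without changing either policy.
insert security policies from-zone trust to-zone untrust policy deny-telnet before policy allow-all-out
```

Before the insert, show security shadow-policies logical-system root-logical-system from-zone trust to-zone untrust policy deny-telnet reverse lists allow-all-out as the policy that shadows deny-telnet, and the same command without reverse, run for allow-all-out, lists deny-telnet as the policy it shadows; after the insert and commit, both reports are empty. Run the check whenever a policy is added at the end of a zone pair, which is where most shadowed denies are introduced.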

System Logs

The following system logs are introduced in Junos OS Release 12.1X44-D10:

• PKID_CERT_BASIC_CNSTRS_MISSING—Certificate does not have the basic constraints field.

• PKID_CERT_BASIC_CNSTRS_INV_CA—Certificate does not have a valid CA flag.

• ERRMSG(PKID_CERT_BASIC_CNSTRS_MISSING, LOG_ERR)—Basic constraints field is missing for the CA certificate <certificate-subject>.

• ERRMSG(PKID_CERT_BASIC_CNSTRS_INV_CA, LOG_ERR)—Basic constraints field contains an invalid CA flag for the CA certificate <certificate-subject>.

• PKID_CERT_NOT_BEFORE_FAIL—Certificate /C=US/DC=juniper/ST=CA/L=Sunnyvale/O=PKI/OU=SSD/CN=bubba is not valid until 06-12-2012 21:44.

• PKID_CERT_NOT_AFTER_FAIL—Certificate /C=US/DC=juniper/ST=CA/L=Sunnyvale/O=PKI/OU=SSD/CN=bubba has expired, not valid after 06-12-2014 21:44.

• PKID_CERT_ID_LOOKUP_FAIL—Certificate chain does not contain certificate with ID 30.1.1.31 and Type IPSEC_ID_IPV4_ADDR.

• PKID_CERT_ID_LOOKUP_FAIL—Certificate chain does not contain certificate with ID /C=US/DC=juniper/ST=CA/L=Sunnyvale/O=PKI/OU=SSD/CN=bubba and Type IPSEC_ID_DER_ASN1_DN.

• PKID_CERT_ID_LOOKUP_FAIL—Certificate chain does not contain certificate with ID [email protected] and Type IPSEC_ID_USER_FQDN.

• PKID_CERT_ID_LOOKUP_FAIL—Certificate chain does not contain certificate with ID bubba.juniper.net and Type IPSEC_ID_FQDN.

Unified Threat Management (UTM)

• UTM Enhanced Web Filtering - action on site reputation score—This feature is supported on all branch SRX Series devices.

In previous releases of Junos OS, the Threat Seeker Cloud (TSC) returned site reputation information to a device only if there was no category match found for a particular URL.

With the introduction of this feature, TSC returns site reputation information for both categorized and uncategorized URLs. In addition, the UTM Enhanced Web Filtering supports configuring actions such as permit, log-and-permit, block, or quarantine on the site-reputation returned by TSC for both categorized and uncategorized URLs.

[UTM Web Filtering for Security Devices]

[Junos OS CLI Reference Guide]


• UTM Enhanced Web Filtering - quarantine action—This feature is supported on all branch SRX Series devices.

In previous releases of Junos OS, UTM Enhanced Web filtering supported block, log-and-permit, and permit actions for HTTP/HTTPS requests. The block option restricted access to websites that did not adhere to organizations’ security policies.

With the introduction of this feature, UTM Enhanced Web filtering now also supports a quarantine action. When a user attempts to access a quarantined website, a warning message appears. Based on the user’s response to the message, UTM Enhanced Web filtering allows or denies access to the site.

[UTM Web Filtering for Security Devices]

[Junos OS CLI Reference Guide]


USB

• USB enable/disable feature—This feature is supported on all branch SRX Series and J Series devices.

This feature allows the administrator to disable all USB ports on the device to block users from connecting a USB device to it. If a USB device is already mounted and connected, this feature unmounts and disables the device. Any transactions in progress on the USB device are aborted.

Table 3 on page 21 lists the supported CLI commands:

Table 3: CLI Commands and Description

CLI Command                          Description

show chassis usb storage             Displays the current status of any USB mass storage device and whether it is enabled or disabled.

set chassis usb storage disable      Disables mass storage devices that are connected on the USB ports.

delete chassis usb storage disable   Enables the use of USB mass storage devices on USB ports.

NOTE:

• The USB ports on a services gateway or services router are functional by default.

• Even if the USB ports are disabled, the USB LEDs still light up when a USB device is plugged in.

• This feature is supported only in Junos OS and is not supported in the U-Boot or loader phase.

• When Junos OS is booted from a USB storage device, this feature is unavailable.

• If a USB port is disabled, the request system reboot media usb command is not supported.

• If the kernel is configured to boot from USB, the kernel checks whether USB is disabled early in the boot process. If USB is disabled, the kernel might reboot.

[Junos OS CLI Reference]

Virtual Private Network (VPN)


• AutoVPN—AutoVPN hubs are supported on SRX240, SRX550, and SRX650 devices. AutoVPN spokes are supported on all branch SRX Series devices.

AutoVPN allows network administrators to configure the hub in a hub-and-spoke IPsec VPN topology for current and future client device connections. No configuration changes are required on the hub when spoke devices are added or deleted, thus allowing administrators flexibility in managing large-scale network deployments.

AutoVPN is supported on route-based IPsec VPNs. AutoVPN traffic must be IPv4.

Dynamic routing protocols are supported to forward packets through the VPN tunnels.

NOTE: The RIP dynamic routing protocol is not supported with AutoVPN.

The supported authentication for AutoVPN hubs and spokes is X.509 public key infrastructure (PKI) certificates. The group IKE user type configured on the hub allows you to specify strings to match the alternate subject field in spoke certificates. Partial matches for the subject fields in spoke certificates can also be specified.

AutoVPN is configured and managed on SRX Series devices using the CLI. Multiple AutoVPN hubs can be configured on a single SRX Series device. The maximum number of spokes supported by a configured hub is specific to the model of the SRX Series device.

AutoVPN supports VPN monitoring and dead peer detection.

[AutoVPNs for Security Devices]

• Dynamic VPN enhancement—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Dynamic VPN (DVPN) includes the following enhancements:

• Grouping of users—The duplication of the list of users configured under the [dynamic vpn] hierarchy and under the [access] hierarchy has been removed, and the configuration of DVPN users and the association of the users with client VPN has been simplified. Users are now grouped under the [access] hierarchy alone.

A reference from security dynamic VPN to the configured user group under [access] hierarchy still needs to be configured under [security dynamic vpn] hierarchy so that you can associate a user with a client configuration.

• IKE and IPsec configuration validation—There is no restriction on the set of IKE and IPsec parameters needed. IKE and IPsec configuration validation is done through commit checks.

A commit-time check is performed by the httpd-gk process to verify that all IKE and IPsec parameters needed for DVPN are correctly configured. If the IKE or IPsec configuration is invalid, the commit fails and an error message is displayed.

NOTE: The commit checks are turned off by default. You can enable them with the config-check statement at the [edit security dynamic-vpn] hierarchy level.

22

New and Changed Features in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers

• Removal of the requirement to configure Web management services—Beginning with Junos OS Release 12.1X44-D10, you do not have to configure Web management services to enable DVPN.

NOTE: Previous configurations that had Web management disabled on the loopback interface now enable Web management on the loopback interface.

The Appweb webserver is started even when Web management is not configured. All other Web management parameters needed to start the Appweb webserver, such as https (by default, a system-generated certificate is used) and the debug level limit (by default, 9 for the webserver), now have default values.

Traceoptions are added at the [edit security dynamic-vpn] hierarchy level to log DVPN-related messages. You must configure traceoptions to view the DVPN trace log messages.

[Example: Configuring Dynamic VPN]

[Example: Configuring Unique URLs for J-Web and Dynamic VPN]

[Dynamic VPN Configuration Overview]

[Dynamic Virtual Private Network (DVPN) Enhancement]

[dynamic-vpn]

[show security dynamic-vpn users]

[show security dynamic-vpn users terse]

[interface (Security Dynamic VPN)]

[user-groups (Security Dynamic VPN)]

[traceoptions (Security Dynamic VPN)]

[clients (Security) ]

[config-check (Security Dynamic VPN)]

• Improvements in VPN debugging capabilities—This feature is supported on all branch SRX Series devices.

The following enhancements are now available to improve the VPN debugging capabilities:

• Previously, debugging of tunnels was limited to the policy manager; it is now extended to include the QuickSec software stacks.

• The show security ipsec security-associations detail command is enhanced to provide information such as VPN name, tunnel ID, and bind interface in the security associations (SA) output.

• The show security ike security-associations detail command is enhanced to provide gateway name and Diffie-Hellman (DH) group information in the SA output.


• The show security ipsec security-associations vpn-name vpn-name command displays the IPsec SAs for the given VPN name. For policy-based VPNs and dial-up VPNs, the output displays multiple SAs because the VPN names are shared.

• The new show security ipsec inactive-tunnels command displays security information about the inactive tunnels.

• The new request security ike (debug-enable | debug-disable) command enables IKE debugging through operational mode commands.

The common log location for all SRX Series devices is now /var/log/log-filename.

NOTE: If you do not specify the log filename for the log-filename field, then all logs are written to the kmd log.

[Junos OS CLI Reference]

• Loopback interface for chassis cluster VPN—This feature is supported on all SRX Series devices.

An Internet Key Exchange (IKE) gateway needs an external interface to communicate with a peer device. In a chassis cluster setup, the node on which the external interface is active selects a Services Processing Unit (SPU) to support the VPN tunnel. IKE and IPsec packets are processed on that SPU. Therefore, the active external interface determines the anchor SPU.

In a chassis cluster setup, this external interface can be a redundant Ethernet (reth) interface or a standalone interface. Either kind goes down when its underlying physical interfaces go down. A loopback interface, which is not tied to any single physical port, can therefore be used to reach the peer gateway instead.

This feature allows the loopback interface to be configured for any redundancy group.

This redundancy group configuration is checked only for VPN packets, because only VPN packets must find the anchor SPU through the active interface.

On branch SRX Series devices, the lo0 pseudo interface can be configured in any redundancy group; for example, RG0, RG1, RG2, and so on.

You can use the show chassis cluster interfaces command to view the redundant pseudo interface information.

[VPN for Security Devices]

[Junos OS CLI Reference]

Related Documentation

• Changes in Behavior and Syntax in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 25

• Known Behavior in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 40

• Known Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 59

• Resolved Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 61

• Documentation Updates for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 105

• Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 116

Changes in Behavior and Syntax in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers

The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:

Application Firewall

• Prior to Junos OS release 11.4R6, when a rule specifies dynamic-application junos:HTTP without specifying any other nested application, the rule matches all HTTP traffic whether the traffic contains a nested application or not.

In Junos OS release 11.4R6 and later, that functionality has changed. When a rule specifies dynamic-application junos:HTTP, only HTTP traffic with no nested members is matched.

Consider the following application firewall rule set:

    rule-sets http-ruleset {
        rule rule1 {
            match {
                dynamic-application [junos:FACEBOOK];
            }
            then {
                deny;
            }
        }
        rule rule2 {
            match {
                dynamic-application [junos:HTTP];
            }
            then {
                permit;
            }
        }
        default-rule {
            deny;
        }
    }

Prior to Junos OS release 11.4R6, the sample rules would be applied to traffic as shown in the following list:

• HTTP traffic with junos:FACEBOOK as a nested application would be denied by rule1.

• HTTP traffic with no nested application would be permitted by rule2.


• HTTP traffic with a nested application other than junos:FACEBOOK, such as junos:TWITTER, would be permitted by rule2 because it is HTTP traffic that does not match any previous rule.

After Junos OS release 11.4R6, the dynamic application junos:HTTP matches only the traffic that does not contain a recognizable nested application. The sample rules would now be applied differently:

• HTTP traffic with junos:FACEBOOK as a nested application would be denied by rule1.

• HTTP traffic with no nested application would be permitted by rule2.

• However, HTTP traffic with a nested application other than junos:FACEBOOK, such as junos:TWITTER, would no longer match rule2. Instead, the traffic would be denied by the default rule.
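
To keep the original intent (deny Facebook, permit all other HTTP whether or not a nested application is identified) under the 11.4R6 and later matching rules, the permit rule has to match the nested web applications explicitly. The rule set below is an added example, not part of the release notes; it assumes that the predefined application group junos:web exists in the installed signature package and that dynamic-application and dynamic-application-group criteria in one rule are alternatives (the rule matches if either does). Rule order still matters: rule1 must precede rule2, because junos:FACEBOOK is itself a member of the web group.

```junos
# Added example (not from the release notes). Assumes the predefined group junos:web exists
# in the installed signature package, and that dynamic-application and
# dynamic-application-group in one rule are alternatives.
set security application-firewall rule-sets http-ruleset rule rule1 match dynamic-application junos:FACEBOOK
set security application-firewall rule-sets http-ruleset rule rule1 then deny

# junos:HTTP alone now matches only HTTP with no nested application; the web group picks up
# HTTP sessions whose nested application was identified (for example junos:TWITTER).
# rule1 must stay first: junos:FACEBOOK is in junos:web and would otherwise be permitted here.
set security application-firewall rule-sets http-ruleset rule rule2 match dynamic-application junos:HTTP
set security application-firewall rule-sets http-ruleset rule rule2 match dynamic-application-group junos:web
set security application-firewall rule-sets http-ruleset rule rule2 then permit
set security application-firewall rule-sets http-ruleset default-rule deny
```

The default rule remains deny, so a nested application that is neither Facebook nor in the web group is still dropped; review the group membership in the installed signature package before relying on it as the catch-all.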

AppSecure

• On all branch SRX Series devices, application tracking is enabled by default. You can disable application tracking with the set security application-tracking disable command.

This command allows you to disable and reenable application tracking without modifying your existing zone selections.

• The following new counters have been added to the show services application-identification counter command output:

  • Application Identification Module Statistics

    • Sessions that triggered interest callback
    • Sessions that triggered create callback
    • Sessions that triggered packet process callback
    • Sessions that triggered session close callback
    • Client-to-server flows ignored
    • Server-to-client flows ignored
    • Negative cache hits
    • Cache inserted
    • Cache expired
    • Session ignored due to disabled AppId
    • Session ignored due to unsupported protocol
    • Session ignored due to no active signature set
    • Session ignored due to max concurrent session reached

  • Application Identification TCP Reordering Statistics

    • Stream constructed
    • Stream destructed
    • Segment allocated
    • Segment freed
    • Packet cloned
    • Packet freed
    • Fast path segment
    • Segment case 1
    • Segment case 2
    • Segment case 3
    • Segment case 4
    • Segment case 5
    • Segment case 6

  • Application Identification Decoder Statistics

    • Session state constructed
    • Session state destructed
    • Packet decoded
    • HTTP session state constructed
    • HTTP session state destructed
    • HTTP packet decoded

  • Application Identification Heuristics Statistics

    • Unspecified encrypted sessions called
    • Encrypted P2P sessions called

Chassis Cluster

• In Junos OS Release 12.1X44-D30 and earlier, in chassis cluster mode, when a secondary node failed, no notification was sent to report the failure.

Starting in Junos OS Release 12.1X44-D35, in chassis cluster mode, the primary node sends the SNMP generic event trap to report failures on both the primary node and the secondary node.

Sample SNMP trap sent when the monitored interface failed on the secondary node:

2014-02-18 17:36:56 10.157.83.10(via 10.157.84.10 [10.157.84.10]) TRAP, SNMP v1, community ntrap .iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific

Trap (1) Uptime: 1:29:31.53 .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 =

"1" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"

.iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"

.iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "100"

.iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "0"

.iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority is set to 0, Monitoring objects are down"

27

Junos OS 12.1X44 Release Notes

2014-02-18 17:36:56 10.157.84.10 [10.157.84.10]: .iso.3.6.1.2.1.1.3.0

= Timeticks: (537153) 1:29:31.53 .iso.3.6.1.6.3.1.1.4.1.0 = OID:

.iso.3.6.1.4.1.2636.3.39.1.14.1.0.1 .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0

= "1" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"

.iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"

.iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "100"

.iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "0"

.iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority is set to 0, Monitoring objects are down" .iso.3.6.1.6.3.1.1.4.3.0 = OID:

.iso.3.6.1.4.1.2636.1.1.1.2.28

Sample SNMP trap sent when the failed interface is restored on the secondary node:

2014-02-18 17:38:46 10.157.83.10(via 10.157.84.10 [10.157.84.10]) TRAP, SNMP v1, community ntrap
    .iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific Trap (1) Uptime: 1:31:20.64
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "0"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "100"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority restored, Monitoring object failures are cleared"

2014-02-18 17:38:46 10.157.84.10 [10.157.84.10]:
    .iso.3.6.1.2.1.1.3.0 = Timeticks: (548064) 1:31:20.64
    .iso.3.6.1.6.3.1.1.4.1.0 = OID: .iso.3.6.1.4.1.2636.3.39.1.14.1.0.1
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "0"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "100"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority restored, Monitoring object failures are cleared"
    .iso.3.6.1.6.3.1.1.4.3.0 = OID: .iso.3.6.1.4.1.2636.1.1.1.2.28
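The two trap dumps above are what an snmptrapd-style collector writes to its log. The following script is an added example, not code from the release notes or from Juniper, showing how a collector can turn such a line into a structured event and decide whether it is the node-failure case (priority dropped to 0) or the restore case. The two sample lines are constructed from the traps shown above, collapsed onto one line each. The names given to the six varbinds under .1.3.6.1.4.1.2636.3.39.1.14.1.1 (redundancy group, cluster ID, node ID, previous priority, current priority, reason) are an assumption inferred from the sample values; confirm them against the JUNIPER-JS-CHASSIS-CLUSTER-MIB before depending on them.

```python
import re

# OID prefix of the six cluster varbinds in the sample traps (from the page).
CLUSTER_VARBIND_PREFIX = ".iso.3.6.1.4.1.2636.3.39.1.14.1.1."

# ASSUMED meaning of each varbind column, inferred from the sample values
# (redundancy group 1, cluster 7, node 1, priority 100 -> 0, reason text).
# Confirm against JUNIPER-JS-CHASSIS-CLUSTER-MIB before relying on it.
FIELD_NAMES = {
    1: "redundancy_group",
    2: "cluster_id",
    3: "node_id",
    4: "previous_priority",
    5: "current_priority",
    6: "reason",
}

# One 'OID = "value"' pair; the cluster varbinds are always quoted strings.
VARBIND_RE = re.compile(r'(\.iso\.[\d.]+)\s*=\s*"([^"]*)"')
# Agent address: third whitespace-delimited token, ending at "(via", space or ":".
AGENT_RE = re.compile(r"^\S+ \S+ (\S+?)(?:\(via|\s|:)")

# Constructed samples: the two traps from the text, collapsed onto one line
# each, the way snmptrapd writes them to a log file.
SAMPLE_FAILURE = (
    '2014-02-18 17:36:56 10.157.83.10(via 10.157.84.10 [10.157.84.10]) TRAP, SNMP v1, '
    'community ntrap .iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific Trap (1) '
    'Uptime: 1:29:31.53 '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "100" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "0" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority is set to 0, Monitoring objects are down"'
)
SAMPLE_RESTORE = (
    '2014-02-18 17:38:46 10.157.84.10 [10.157.84.10]: '
    '.iso.3.6.1.2.1.1.3.0 = Timeticks: (548064) 1:31:20.64 '
    '.iso.3.6.1.6.3.1.1.4.1.0 = OID: .iso.3.6.1.4.1.2636.3.39.1.14.1.0.1 '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "0" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "100" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority restored, Monitoring object failures are cleared" '
    '.iso.3.6.1.6.3.1.1.4.3.0 = OID: .iso.3.6.1.4.1.2636.1.1.1.2.28'
)


def parse_cluster_trap(line):
    """Extract the chassis-cluster varbinds from one trap log line.

    Returns a dict of named fields plus the sending agent, or None when the
    line carries no varbind from the cluster subtree (some other trap).
    """
    fields = {}
    for oid, value in VARBIND_RE.findall(line):
        if not oid.startswith(CLUSTER_VARBIND_PREFIX):
            continue
        # "4.0" -> column 4; the trailing ".0" is the scalar instance index.
        column = int(oid[len(CLUSTER_VARBIND_PREFIX):].split(".")[0])
        name = FIELD_NAMES.get(column)
        if name is None:
            continue
        fields[name] = value if name == "reason" else int(value)
    if not fields:
        return None
    agent = AGENT_RE.match(line)
    fields["agent"] = agent.group(1) if agent else None
    return fields


def classify(event):
    """Map the priority transition to an alert level for the operator.

    A node whose priority fell to 0 has failed its monitored objects and can no
    longer take over, so that is the case worth paging on; the restore trap is
    informational but should close the earlier alert.
    """
    if event is None:
        return "ignore"
    prev = event.get("previous_priority", 0)
    cur = event.get("current_priority", 0)
    if cur == 0 and prev > 0:
        return "critical"
    if prev == 0 and cur > 0:
        return "info"
    return "notice"


if __name__ == "__main__":
    for sample in (SAMPLE_FAILURE, SAMPLE_RESTORE):
        ev = parse_cluster_trap(sample)
        print(classify(ev), ev)
```

Because the primary node sends the trap on behalf of the cluster, the agent address identifies the cluster rather than the failed node; the node ID varbind is what tells you which member lost its priority.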


Chassis Cluster Redundancy Group Manual Failover

• Prior to Junos OS Release 12.1X44-D25, for a redundancy group x, it was possible to perform a manual failover to a node that has priority 0. We recommend that you use the show chassis cluster status command to check the redundancy group node priorities before doing a manual failover. In Junos OS Release 12.1X44-D25 and later, the readiness check for manual failover is more restrictive: you cannot set a manual failover to a node in a redundancy group that has priority 0.

This enhancement prevents traffic from being dropped unexpectedly due to a failover attempt to a 0 priority node, which is not ready to accept traffic.

Command-Line Interface (CLI)

New or Changed CLI

• In Junos OS releases earlier than Junos OS Release 12.1X44-D30, TACACS+ options for authentication and accounting did not include an option for configuring a timestamp and time zone.

In Junos OS Release 12.1X44-D30 and later releases, you can use the timestamp-and-timezone option at the [edit system tacplus-options] hierarchy to include start time, stop time, and time zone attributes in start/stop accounting records.

[See tacplus-options.]

• On all J Series devices, a new CLI command, request system (halt | power-off | reboot) power-off fpc, has been introduced to bring Flexible PIC Concentrators (FPCs) offline before the Routing Engines are shut down. Taking the FPCs offline first prevents the short network outage that a Layer 2 loop would otherwise cause.

CLI Command                               Description
request system halt power-off fpc         Bring FPC offline and then halt the system.
request system power-off power-off fpc    Bring FPC offline and then power off the system.
request system reboot power-off fpc       Bring FPC offline and then reboot the system.

• On all branch SRX Series and J Series devices, the following commands are now supported:

CLI Command                                                     Description
show pppoe interfaces                                           List all Point-to-Point Protocol over Ethernet (PPPoE) sessions.
request pppoe connect                                           Connect to all sessions that are down.
request pppoe connect pppoe interface name                      Connect only to the specified session.
request pppoe disconnect                                        Disconnect all sessions that are up.
request pppoe disconnect session id or pppoe interface name     Disconnect only the specified session, identified by either a session ID or a PPPoE interface name.


• On all branch SRX Series devices, the show security flow session extensive command has been updated to show the predefined application name.

Deprecated Items for Security Hierarchy

Table 4 on page 30 lists deprecated items (such as CLI statements, commands, options, and interfaces).

CLI statements and commands are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration. We strongly recommend that you phase out deprecated items and replace them with supported alternatives.

Table 4: Items Deprecated in Release 12.1

Columns: Deprecated Item / Replacement / Hierarchy Level or Command Syntax / Additional Information

Deprecated item: download-timeout timeout
Additional information: On all branch SRX Series devices, the download-timeout command is deprecated. If the configuration is present, then that configuration will be ignored. The idpd daemon internally triggers the security package to install when an automatic download is completed. There is no need to configure any download timeout.

Deprecated item: node
Command syntax: request security idp security-package download
Additional information: On all branch SRX Series devices operating in a chassis cluster, the request security idp security-package download command with the node option is not supported:
    request security idp security-package download node primary
    request security idp security-package download node local
    request security idp security-package download node all


Compatibility

• Version Compatibility for Junos SDK—Beginning with Junos OS Release 12.1X44-D10, Junos OS applications install on Junos OS only if the application is built with the same release as the Junos OS release on which the application is being installed. For example, an application built with Junos OS Release 12.1R2 will install only on Junos OS Release 12.1R2 and will not install on Junos OS Release 12.1R1 or Junos OS Release 12.1R3.

Dynamic Host Configuration Protocol (DHCP)

• On all branch SRX Series devices and J Series devices, the set system services dhcp-local-server overrides command is enabled.

Flow and Processing

• The minimum value you can configure for TCP session initialization is 4 seconds. The default value is 20 seconds; if required you can set the TCP session initialization value to less than 20 seconds.

• On all branch SRX Series devices, the default value of Type of Service (ToS) for IKE packets is changed from 0x00 to 0xc0.

Hardware

• On SRX550 devices, the mini-USB console cable provides a “break” message to the Windows application whenever the console cable is unplugged and plugged in again. If you have configured debugger-on-break, the system goes to the db> prompt because the system receives a break character. This behavior is specific to the mini-USB console.

Interfaces and Routing

• On SRX240 and SRX650 devices, for the Layer 2 link aggregation group (LAG) interface, the hash algorithm for load balancing is now based on source IP address and destination IP address instead of source MAC address and destination MAC address.

Intrusion Detection and Prevention (IDP)

• A system log message is generated when an IDP signature database update or policy compilation fails with an empty dynamic group. The system-generated log message is: Dynamic Attack group [dyn_group_1] has no matching members found. Group is empty.

• New sensor configuration options have been added to log run conditions as IDP session capacity and memory limits are approached, and to analyze traffic dropped by IDP and application identification due to exceeding these limitations.

At start up, traffic is ignored by IDP by default if the IDP policy is not yet loaded. The drop-if-no-policy-loaded option changes this behavior so that all sessions are dropped before the IDP policy is loaded.

Use the following configuration command to drop traffic before the IDP policy is loaded:

set security idp sensor-configuration flow drop-if-no-policy-loaded

The following new counter has been added to the show security idp counters flow command output to analyze traffic dropped because of the drop-if-no-policy-loaded option:

Sessions dropped due to no policy 0

By default, IDP ignores failover sessions in an SRX chassis cluster deployment. The drop-on-failover option changes this behavior and automatically drops sessions that are in the process of being inspected on the primary node when a failover to the secondary node occurs.

Use the following configuration command to drop failover sessions:

set security idp sensor-configuration flow drop-on-failover

The following new counter has been added to the show security idp counters flow command output to analyze dropped failover traffic due to the drop-on-failover option:

Fail-over sessions dropped 0

• By default, sessions are not dropped if the IDP session limit or resource limits are exceeded. In this case, IDP and other sessions are dropped only when the device’s session capacity or resources are depleted. The drop-on-limit option changes this behavior and drops sessions when resource limits are exceeded.

Use the following configuration commands to set or remove the drop-on-limit option:

set security idp sensor-configuration flow drop-on-limit

delete security idp sensor-configuration flow drop-on-limit

The following new counters have been added to the show security idp counters flow command output to analyze dropped IDP traffic due to the drop-on-limit option:

SM Sessions encountered memory failures 0

SM Packets on sessions with memory failures 0

SM Sessions dropped 0

Both directions flows ignored 0

IDP Stream Sessions dropped due to memory failure 0

IDP Stream Sessions ignored due to memory failure 0

IDP Stream Sessions closed due to memory failure 0

Number of times Sessions exceed high mark 0

Number of times Sessions drop below low mark 0

Memory of Sessions exceeds high mark 0

Memory of Sessions drops below low mark 0

The following counters have also been added to the show security idp counters application-identification command output to analyze dropped application identification traffic due to the drop-on-limit option:

AI-session dropped due to malloc failure before session create 0

AI-Sessions dropped due to malloc failure after create 0


AI-Packets received on sessions marked for drop due to malloc failure 0

The following options have been added to trigger informative log messages about current run conditions. When set, the log messages are triggered whether the drop-on-limit option is set or not.

• The max-sessions-offset option sets an offset for the maximum IDP session limit.

When the number of IDP sessions exceeds the maximum session limit, a warning is logged that conditions exist where IDP sessions could be dropped. When the number of IDP sessions drops below the maximum IDP session limit minus the offset value, a message is logged that conditions have returned to normal.

Jul 19 04:38:13 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233893, FPC 4 PIC 1 IDP total sessions pass through high mark 100000. IDP may drop new sessions. Total sessions dropped 0.

Jul 19 04:38:21 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233901, FPC 4 PIC 1 IDP total sessions drop below low mark 99000. IDP working in normal mode. Total sessions dropped 24373.

Use the following configuration command to set the max-sessions-offset option:

set security idp sensor-configuration flow max-sessions-offset offset-value

• The min-objcache-limit-lt option sets a lower threshold for available cache memory.

The threshold value is expressed as a percentage of available IDP cache memory.

If the available cache memory drops below the lower threshold level, a message is logged stating that conditions exist where IDP sessions could be dropped because of memory allocation failures. For example, the following message shows that the IDP cache memory has dropped below the lower threshold and that a number of sessions have been dropped:

Jul 19 04:07:33 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232053, FPC 4 PIC 1 IDP total available objcache(used 4253368304, limit 7247757312) drops below low mark 3986266515. IDP may drop new sessions. Total sessions dropped 1002593.

Use the following configuration command to set the min-objcache-limit-lt option:

set security idp sensor-configuration flow min-objcache-limit-lt lower-threshold-value

• The min-objcache-limit-ut option sets an upper threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If available IDP cache memory returns to the upper threshold level, a message is logged stating that available cache memory has returned to normal.

For example, the following message shows that the available IDP cache memory has increased above the upper threshold and that it is now performing normally:

Jul 19 04:13:47 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232428, FPC 4 PIC 1 IDP total available objcache(used 2782950560, limit 7247757312) increases above high mark 4348654380. IDP working in normal mode. Total sessions dropped 13424632.


NOTE: This message is triggered only if the lower threshold has been reached and the available memory has returned above the upper threshold. Fluctuations in available memory that dropped below the upper threshold but did not fall below the lower threshold would not trigger the message.

Use the following configuration command to set the min-objcache-limit-ut option:

set security idp sensor-configuration flow min-objcache-limit-ut upper-threshold-value
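The max-sessions-offset messages and the two min-objcache-limit thresholds above both follow the same two-watermark pattern: one message when headroom falls below a low mark, and a "normal" message only after that, once headroom rises back above a high mark. The following script is an added example, not code from the release notes or from Juniper, that computes the marks from the limits and replays that rule over constructed observations. One assumption is built in and labelled in the code: the marks are taken to be computed as (limit // 100) * percent. The page does not state the formula, but with the limit 7247757312 printed in the sample messages, a lower threshold of 55% and an upper threshold of 60% reproduce exactly the low mark 3986266515 and high mark 4348654380 that the messages show, and 100000 with an offset of 1000 reproduces the session marks.

```python
# Added example (not from the release notes or Juniper). Reproduces the
# watermarks that the sensor-configuration options derive from the IDP limits
# and replays the hysteresis rule from the NOTE.
#
# ASSUMPTION: marks are computed as (limit // 100) * percent. This is inferred
# from the sample messages, not documented on the page: with limit 7247757312,
# lower 55% and upper 60% give exactly low mark 3986266515 and high mark
# 4348654380, the values printed in the messages.

# Values copied from the sample messages.
SAMPLE_OBJCACHE_LIMIT = 7247757312
SAMPLE_SESSION_HIGH_MARK = 100000
SAMPLE_SESSION_LOW_MARK = 99000


def objcache_marks(limit, lower_pct, upper_pct):
    """(low_mark, high_mark) in bytes for min-objcache-limit-lt / -ut."""
    if not 0 < lower_pct < upper_pct <= 100:
        raise ValueError("need 0 < lower_pct < upper_pct <= 100")
    unit = limit // 100
    return unit * lower_pct, unit * upper_pct


def session_marks(max_sessions, offset):
    """(low_mark, high_mark) for max-sessions-offset: the high mark is the
    session limit itself, the low mark is the limit minus the offset."""
    if not 0 < offset < max_sessions:
        raise ValueError("offset must be between 1 and max_sessions - 1")
    return max_sessions - offset, max_sessions


class HeadroomMonitor:
    """Two-threshold hysteresis on a 'headroom' value (how much is left).

    'degraded' fires when headroom drops below low; 'normal' fires only after
    a degraded state, once headroom rises above high. Dips that stay between
    the two marks produce no event, matching the NOTE in the text.
    """

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.degraded = False

    def observe(self, headroom):
        if not self.degraded and headroom < self.low:
            self.degraded = True
            return "degraded"
        if self.degraded and headroom > self.high:
            self.degraded = False
            return "normal"
        return None


def replay_objcache(limit, lower_pct, upper_pct, used_samples):
    """Feed a series of 'used' byte counts; return [(used, event), ...]."""
    low, high = objcache_marks(limit, lower_pct, upper_pct)
    mon = HeadroomMonitor(low, high)
    out = []
    for used in used_samples:
        ev = mon.observe(limit - used)   # available = limit - used
        if ev:
            out.append((used, ev))
    return out


def replay_sessions(max_sessions, offset, counts):
    """Same rule for session counts: headroom is max_sessions - sessions, so
    'pass through high mark' is headroom < 0 and 'drop below low mark' is
    headroom > offset."""
    mon = HeadroomMonitor(0, offset)
    out = []
    for n in counts:
        ev = mon.observe(max_sessions - n)
        if ev:
            out.append((n, ev))
    return out


# Constructed observations: the two 'used' figures from the sample messages
# plus a value that sits between the marks and must stay silent.
SAMPLE_USED = [1000000000, 4253368304, 3200000000, 2782950560]
SAMPLE_SESSIONS = [50000, 100001, 99500, 98999]

if __name__ == "__main__":
    print(objcache_marks(SAMPLE_OBJCACHE_LIMIT, 55, 60))
    print(replay_objcache(SAMPLE_OBJCACHE_LIMIT, 55, 60, SAMPLE_USED))
    print(replay_sessions(SAMPLE_SESSION_HIGH_MARK,
                          SAMPLE_SESSION_HIGH_MARK - SAMPLE_SESSION_LOW_MARK,
                          SAMPLE_SESSIONS))
```

Running the script shows why the NOTE matters for alerting: the observation of 3200000000 bytes used leaves available memory between the two marks and produces no event at all, so a collector that alerts only on these messages sees one "degraded" and one "normal" per excursion, never a flood of transitions around a single threshold.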

By default, values for IDP reassembler packet memory and application identification packet memory used by IDP are established as percentages of all memory. In most cases, these default values are adequate.

If a deployment exhibits an excessive number of dropped TCP packets or retransmissions resulting in high IDP reassembly memory usage, use the following option:

• The max-packet-mem-ratio option resets the percentage of available IDP memory used for IDP reassembly packet memory. Acceptable values are between 5% and 40%.

set security idp sensor-configuration re-assembler max-packet-mem-ratio percentage-value

If a deployment exhibits an excessive number of ignored IDP sessions due to reassembler and application identification memory allocation failures, use the following options:

• The max-packet-memory-ratio option sets application identification packet memory limit as a percentage of available IDP memory. This memory is only used by IDP in cases where application identification delays identifying an application.

Acceptable values are between 5% and 40%.

set security idp sensor-configuration application-identification max-packet-memory-ratio percentage-value

• The max-reass-packet-memory-ratio option sets the reassembly packet memory limit for application identification as a percentage of available IDP memory.

Acceptable values are between 5% and 40%.

set security idp sensor-configuration application-identification max-reass-packet-memory-ratio percentage-value

NOTE: The max-packet-memory option has been deprecated and replaced by the new max-packet-memory-ratio and max-reass-packet-memory-ratio options.

• New sensor configuration options have been added to configure the IDP action when a TCP reassembly failure occurs, and to log TCP errors.


When certain TCP error packets (packets with anomalies) during or after the three-way handshake are forwarded to IDP for processing, IDP TCP reassembly stops the reassembly. Once the reassembly is stopped, IDP does not continue the stream-based attack detection and TCP error packets are not dropped. The action-on-reassembly-failure option changes this behavior so that you can configure the action to be initiated when a reassembly failure occurs.

• Use the following configuration command to drop the error packets when a reassembly failure occurs:

set security idp sensor-configuration re-assembler action-on-reassembly-failure drop

Use the following configuration command to drop the session when a reassembly failure occurs:

set security idp sensor-configuration re-assembler action-on-reassembly-failure drop-session

If you do not require any action to be taken, then use the following configuration command:

set security idp sensor-configuration re-assembler action-on-reassembly-failure ignore

By default, action-on-reassembly-failure is set to drop.

The tcp-error-logging and no-tcp-error-logging options enable or disable TCP error logging. Use the following commands to enable or disable TCP error logging:

set security idp sensor-configuration re-assembler tcp-error-logging

set security idp sensor-configuration re-assembler no-tcp-error-logging

By default, TCP error logging is disabled.

• On all branch SRX Series devices with a single session, when IDP is activated, the upload and download speeds are slow when compared to the firewall performance numbers.

To overcome this issue, a new CLI command, set security idp sensor-configuration ips session-pkt-depth, is introduced; the session-pkt-depth sensor-configuration value is global for all sessions.

The session-pkt-depth sensor-configuration value specifies the number of packets per session that IDP inspects. Any packets beyond the specified value are not inspected. For example, when session-pkt-depth sensor-configuration is configured as “n”, IDP inspects only the first (n-1) packets in that session; packets from the nth packet onward are ignored by IDP.

The default value of session-pkt-depth sensor-configuration is zero. When the default value of zero is used, the session-pkt-depth value is not addressed, and IDP performs a full inspection of the session.


Junos OS Federal Information Processing Standard (FIPS)

• On all SRX Series devices, the secure Junos OS software environment does not permit DSA key pairs with a modulus greater than 1024 bits.

Junos Pulse

• On all branch SRX Series devices, the Junos Pulse client is updated from Release 2.0R3 to 4.0R2. If you are using an older version of the Junos Pulse client, it is upgraded automatically to the newer version at the next login.

J-Web

• On all branch SRX Series and J Series devices, the username field does not accept HTML tags or the “<” and “>” characters. The following error message appears:

A username cannot include certain characters, including < and >

• On all SRX Series devices, on the Monitor > Events and Alarms > Security Events page, the Is global policy check box is introduced.


Network Time Protocol

• When the NTP client or server is enabled in the [edit system ntp] hierarchy, the REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the monlist feature within NTP might allow remote attackers to cause a denial of service. To address this, apply a firewall filter to the router's loopback address that allows only trusted addresses and networks.

Screen

• The TCP SYN flood counter for a SYN cookie or SYN proxy attack was incorrectly incremented once every second rather than once per packet. This issue has been rectified so that every TCP SYN packet is counted for each SYN cookie or SYN proxy attack.

Now every time you receive a SYN packet that is greater than the threshold value, the counter is incremented.

Session Timeout for Reroute Failure

• The route-change-timeout configuration statement at the [edit security flow] hierarchy level sets the timeout when a session is rerouted but there is a reroute failure (for example, the new route uses a different egress zone from the previous route). In previous releases, the route-change-timeout statement was disabled by default. In this release, the route-change-timeout configuration is enabled by default and the default timeout value is 6 seconds.

System Logs

• Starting from Junos OS Release 12.1X44-D25, on all SRX Series devices, the TCP synchronization flood alarm threshold value does not indicate the number of packets dropped; however, the value does show the packet information after the alarm threshold has been reached. The synchronization cookie or proxy never drops packets; therefore the alarm-without-drop (not drop) action is shown in the system log.

• On all branch SRX Series devices, the following system log messages have been updated to include the certificate ID in Junos OS Release 12.1X44-D10:

  • PKID_PV_KEYPAIR_DEL
    Existing message: Key-Pair deletion failed
    New message: Key-Pair deletion failed for <cert-id>

  • PKID_PV_CERT_DEL
    Existing message: Certificate deletion has occurred
    New message: Certificate deletion has occurred for <cert-id>

  • PKID_PV_CERT_LOAD
    Existing message: Certificate has been successfully loaded
    New message: Certificate <cert-id> has been successfully loaded

  • PKID_PV_KEYPAIR_GEN
    Existing message: Key-Pair has been generated
    New message: Key-Pair has been generated for <cert-id>

System Management

• During a load override, to increase the memory available to the commit script, apply the following commands before you load the configuration and commit:

set system scripts commit max-datasize 800000000

set system scripts op max-datasize 800000000

User Interface and Configuration

• You can configure only one rewrite rule for one logical interface. When you configure multiple rewrite rules for one logical interface, an error message is displayed and the commit fails.

Virtual Private Network (VPN)

• In previous Junos OS releases, the Pulse client could be automatically downloaded and installed when users logged into a branch SRX Series device that was configured for dynamic VPN. Starting with Junos OS Release 12.1X44-D45, Pulse client software is no longer available from dynamic VPN SRX Series devices and must be obtained from the Juniper Networks Download Software site at http://www.juniper.net/support/downloads/ .

• As of Junos OS Release 11.4, checks are performed to validate the IKE ID received from the VPN peer device. By default, SRX Series and J Series devices validate the IKE ID received from the peer against the IP address configured for the IKE gateway. In certain network setups, the IKE ID received from the peer (which can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address) does not match the IKE gateway configured on the SRX Series or J Series device. This can lead to a Phase 1 validation failure.

To modify the configuration of the SRX Series or J Series device or the peer device for the IKE ID that is used:

• On the SRX Series or J Series device, configure the remote-identity statement at the [edit security ike gateway gateway-name] hierarchy level to match the IKE ID that is received from the peer. Values can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address.

NOTE: If you do not configure remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the remote peer by default.

• On the peer device, ensure that the IKE ID is the same as the remote-identity configured on the SRX Series or J Series device. If the peer device is an SRX Series or J Series device, configure the local-identity statement at the [edit security ike gateway gateway-name] hierarchy level. Values can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address.

• On all branch SRX Series devices, for Path Maximum Transmission Unit (PMTU) calculations, the IPsec authentication data length is fixed at 16 bytes. However, the actual authentication data length for packets going through the IPsec tunnel depends on the authentication algorithm negotiated for that tunnel.

The authentication data lengths for the different algorithms are:

• hmac-md5-96 (12 bytes)

• hmac-sha-256-128 (16 bytes)

• hmac-sha1-96 (12 bytes)

• The subject fields of a digital certificate can include Domain Component (DC), Common Name (CN), Organization Unit (OU), Organization (O), Location (L), State (ST), and Country (C).

In earlier releases, the show security pki ca-certificate and show security pki local-certificate CLI operational commands displayed only a single entry for each subject field, even if the certificate contained multiple entries for a field. For example, a certificate with two OU fields such as “OU=Shipping Department,OU=Priority Mail” displayed with only the first entry “OU=Shipping Department.” The show security pki ca-certificate and show security pki local-certificate CLI commands now display the entire contents of the subject field, including multiple field entries.

The commands also display a new subject string output field that shows the contents of the subject field as it appears in the certificate.

• When a remote user launches newly installed client software, the link to close the Web browser window does not appear in the VPN client launch page. The user must close the browser window by clicking the browser’s close button.

• On all branch SRX Series devices, the secure Junos OS software environment does not permit DSA key pairs with modulus greater than 1024 bits.

Related Documentation

• New and Changed Features in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 6

• Known Behavior in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 40

• Known Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 59

• Resolved Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 61

• Documentation Updates for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 105

• Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 116

Known Behavior in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers

Application Identification

• Configuration of a custom application with the ip-protocol-mapping or icmp-mapping option using the set services application-identification application application-name ip-protocol-mapping or icmp-mapping command does not work if the IP protocol (IP protocol mapping) and the type/code (ICMP mapping) options of the configured applications are the same as the predefined application.

AppSecure

• J-Web pages for AppSecure are preliminary.

• When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.

The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.

• Custom application signatures and custom nested application signatures are not currently supported by J-Web.

• When ALG is enabled, application identification includes the ALG result to identify the application of the control sessions. Application firewall permits ALG data sessions whenever control sessions are permitted. If the control session is denied, there will be no data sessions. When ALG is disabled, application identification relies on its signatures to identify the application of the control and data sessions. If a signature match is not found, the application is considered unknown. Application firewall handles applications based on the application identification result.

AX411 Access Points

• On SRX210, SRX240, and SRX650 devices, you can configure and manage a maximum of four access points.

• On all branch SRX Series devices, managing AX411 WLAN Access Points through a Layer 3 aggregated Ethernet (ae) interface is not supported.

Chassis Cluster

• SRX100, SRX210, SRX240, and SRX650 devices have the following chassis cluster limitations:

• Virtual Router Redundancy Protocol (VRRP) is not supported.

• Unified in-service software upgrade (ISSU) is not supported.


• The 3G dialer interface is not supported.

• On SRX Series device failover, access points on the Layer 2 switch reboot and all wireless clients lose connectivity for 4 to 6 minutes.

• VDSL Mini-PIMs are not supported in chassis cluster.

• Queuing on the aggregated Ethernet (ae) interface is not supported.

• Group VPN is not supported.

• Sampling features such as flow monitoring, packet capture, and port mirror on the redundant Ethernet (reth) interfaces are not supported.

• Switching is not supported in chassis cluster mode for SRX100 Series devices.

• The Chassis Cluster MIB is not supported.

• Any packet-based services such as MPLS and CLNS are not supported.

• On the lsq-0/0/0 interface, Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP) are not supported.

• On lt-0/0/0 interface, CoS for real-time performance monitoring (RPM) is not supported.

• The factory default configuration for SRX100 and SRX110 devices automatically enables Layer 2 Ethernet switching. Layer 2 Ethernet switching is not supported in chassis cluster mode for SRX100 devices. If you use the factory default configuration, you must delete the Ethernet switching before you enable chassis clustering.

• On all J Series devices, a Fast Ethernet port from a 4-port Ethernet PIM cannot be used as a fabric link port in a chassis cluster.

• On all branch SRX Series devices, redundant Ethernet (reth) interfaces or loopback interfaces are supported for IKE external interface configuration in IPsec VPN. Other interface types can be configured, but IPsec VPN might not work.

• On all J Series devices, the ISDN feature on chassis cluster is not supported.

Command-Line Interface (CLI)

• On all branch SRX Series and all J Series devices, the clear services flow command is not supported.

• On all J Series devices, RADIUS accounting is not supported.

• On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the device by using the CLI. The number of users allowed to access the device is limited as follows:

• For SRX210 devices: four CLI users and three J-Web users

• For SRX240 devices: six CLI users and five J-Web users

• On J6350 devices, there is a difference between the power ratings provided in the user documentation (J Series Services Routers Hardware Guide and PIM, uPIM, and ePIM Power and Thermal Calculator) and the power ratings displayed by the CLI (by a unit of 1). The CLI display rounds the value down to the lower integer, whereas the user documentation rounds it up to the higher integer. As a workaround, follow the user documentation for accurate ratings.

• On all branch SRX Series devices, the tunnel-queuing option is not supported in chassis cluster mode.

Connectivity Fault Management (CFM)

• CFM is not supported on the following interfaces:

• 8-Port Gigabit Ethernet small form-factor pluggable (SFP) XPIM

• 2-Port 10-Gigabit Ethernet XPIM

• 1-Port SFP Mini-PIM

• CFM is supported only on interfaces with family Ethernet switching.

Dynamic Host Configuration Protocol (DHCP)

• On all branch SRX Series and J Series devices, DHCPv6 client authentication is not supported.

• On all branch SRX Series and J Series devices, DHCP is not supported in a chassis cluster.

Flow and Processing

• On all branch SRX Series devices, GRE fragmentation is not supported in packet-based mode.

• On all branch SRX Series and J Series devices, a mismatch between the Firewall Counter Packet and Byte Statistics values, and between the Interface Packet and Byte Statistics values, might occur when the traffic rate rises above certain levels.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, due to a limit on the number of large packet buffers, Routing Engine based sampling might run out of buffers for packet sizes greater than or equal to 1500 bytes and hence those packets will not be sampled. The Routing Engine could run out of buffers when the rate of the traffic stream is high.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the default authentication table capacity is 10,000; the administrator can increase the capacity to a maximum of 15,000.

• On all branch SRX Series and J Series devices, when devices are operating in flow mode, the Routing Engine side cannot detect the path maximum transmission unit (PMTU) of an IPv6 multicast address (with a large size packet).

• On all J Series devices, even when forwarding options are set to drop packets for the ISO protocol family, the device forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2 terminating packets.

42

Known Behavior in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers

• On all branch SRX Series and J Series devices, high CPU utilization triggered for reasons such as CPU-intensive commands and SNMP walks causes the Bidirectional Forwarding Detection (BFD) protocol to flap while processing large BGP updates.

• On SRX210, SRX240, and J Series devices, broadcast TFTP is not supported when flow is enabled on the device.

• On all branch SRX Series devices, the maximum number of concurrent sessions for SSH, Telnet, and Web is as follows:

Sessions   SRX100   SRX210   SRX220   SRX240   SRX550   SRX650
SSH        3        3        3        3        250      250
Telnet     5        5        5        5        5        5
Web        7        7        7        7        7        7

NOTE: These defaults are provided for performance reasons.

• On SRX210 and SRX240 devices, for optimized efficiency, we recommend that you limit use of the CLI and J-Web to the numbers of sessions listed in the following table:

Device   CLI   J-Web   Console
SRX210   3     3       1
SRX240   5     5       1

• On SRX100 devices, Layer 3 control protocols (OSPF, using multicast destination MAC address) on the VLAN Layer 3 interface work only with access switch ports.

Group VPN Interoperability with Cisco’s GET VPN for Juniper Networks Security Devices that Support Group VPN

Cisco’s implementation of the Group Domain of Interpretation (GDOI) is called Group Encryption Transport (GET) VPN. While group VPN in Junos OS and Cisco’s GET VPN are both based on RFC 3547, The Group Domain of Interpretation, there are some implementation differences that you need to be aware of when deploying GDOI in a networking environment that includes both Juniper Networks security devices and Cisco routers. This topic discusses important items to note when using Cisco routers with GET VPN and Juniper Networks security devices with group VPN.

Cisco GET VPN members and Juniper group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server and the Juniper Networks security devices are group members.

The group VPN in Release 12.1 of Junos OS has been tested with Cisco GET VPN servers running Version 12.4(22)T and Version 12.4(24)T.


To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group includes a Juniper Networks security device. The Cisco GET VPN server implements a proprietary ACK for unicast rekey messages. If a group member does not respond to the unicast rekey messages, the group member is removed from the group and is not able to receive rekeys. An out-of-date key causes the remote peer to treat IPsec packets as bad security parameter indexes (SPIs). The Juniper Networks security device can recover from this situation by reregistering with the server and downloading the new key.

Antireplay must be disabled on the Cisco server when a VPN group of more than two members includes a Juniper Networks security device. The Cisco server supports time-based antireplay by default. A Juniper Networks security device will not interoperate with a Cisco group member if time-based antireplay is used because the timestamp in the IPsec packet is proprietary. Juniper Networks security devices are not able to synchronize time with the Cisco GET VPN server and Cisco GET VPN members because the sync payload is also proprietary. Counter-based antireplay can be enabled if there are only two group members.

According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires, and the Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security device member needs to match Cisco behavior.

A Cisco GET VPN member accepts all keys downloaded from the GET VPN server. Policies associated with the keys are dynamically installed. A policy does not have to be configured on a Cisco GET VPN member locally, but a deny policy can optionally be configured to prevent certain traffic from passing through the security policies set by the server. For example, the server can set a policy to have traffic between subnet A and subnet B be encrypted by key 1. The member can set a deny policy to allow OSPF traffic between subnet A and subnet B not to be encrypted by key 1. However, the member cannot set a permit policy to allow more traffic to be protected by the key. The centralized security policy configuration does not apply to the Juniper Networks security device.

On a Juniper Networks security device, the ipsec-group-vpn configuration statement in the permit tunnel rule in a scope policy references the group VPN. This allows multiple policies referencing a VPN to share an SA. This configuration is required to interoperate with Cisco GET VPN servers.
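The member-side configuration that the paragraph above describes, as an added example (not from the release notes or from Juniper's documentation): a branch SRX configured as a group VPN member that registers with a Cisco GET VPN key server, with two scope policies whose permit tunnel rule both reference the same group VPN so that they share the SA pushed by the server. Every name and address is constructed: 198.51.100.10 is the assumed key server, 203.0.113.2 the member's own address, ge-0/0/0.0 the assumed external interface, group ID 1 and the two subnets are assumed, and the pre-shared key is a placeholder. Only one gateway is listed because, as the section notes, multiple group servers cannot be configured on a group VPN member.

```junos
/* Added example, not from the release notes or from Juniper: a branch SRX
   group VPN member registering with a Cisco GET VPN key server. All names,
   addresses, the group ID and the subnets are constructed assumptions;
   the pre-shared key is a placeholder to be replaced. */
security {
    group-vpn {
        member {
            ike {
                proposal gvpn-prop {
                    authentication-method pre-shared-keys;
                    dh-group group2;
                    authentication-algorithm sha1;
                    encryption-algorithm aes-128-cbc;
                }
                policy gvpn-pol {
                    mode main;
                    proposals gvpn-prop;
                    /* placeholder key, replace before use */
                    pre-shared-key ascii-text "REPLACE-WITH-REAL-KEY";
                }
                /* A single key server: COOP KS lists are a Cisco-only feature */
                gateway cisco-ks {
                    ike-policy gvpn-pol;
                    address 198.51.100.10;
                    local-address 203.0.113.2;
                }
            }
            ipsec {
                vpn gvpn1 {
                    ike-gateway cisco-ks;
                    group-vpn-external-interface ge-0/0/0.0;
                    group 1;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address subnet-a 10.1.0.0/16;
            }
        }
        security-zone untrust {
            address-book {
                address subnet-b 10.2.0.0/16;
            }
        }
    }
    policies {
        /* Both scope policies reference gvpn1, so traffic matched by either
           is protected by the SA the key server distributes for the group */
        from-zone trust to-zone untrust {
            policy a-to-b {
                match {
                    source-address subnet-a;
                    destination-address subnet-b;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-group-vpn gvpn1;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy b-to-a {
                match {
                    source-address subnet-b;
                    destination-address subnet-a;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-group-vpn gvpn1;
                        }
                    }
                }
            }
        }
    }
}
```

The interoperability caveats listed in this section (rekey disabled and antireplay disabled on the Cisco server) are server-side settings and have no counterpart in this member configuration; the member simply reregisters when its key goes out of date.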

Logical key hierarchy (LKH), a method for adding and removing group members, is not supported with group VPN on Juniper Networks security devices.

GET VPN members can be configured for cooperative key servers (COOP KSs), an ordered list of servers with which the member can register or reregister. Multiple group servers cannot be configured on group VPN members.


Hardware

• On all branch SRX Series devices, a chassis cluster is only supported when both devices are the same model and have the same amount of memory. Thus, a chassis cluster is not supported if it combines SRX Series branch devices with 1-GB and 2-GB memory in the same cluster.

Interfaces and Routing

• On all branch SRX Series devices, the Link Layer Discovery Protocol (LLDP) is not supported on reth interfaces.

• When using SRX Series devices in chassis cluster mode, we recommend that you do not configure any local interfaces (or combination of local interfaces) along with redundant Ethernet interfaces.

For example:

The following configuration of chassis cluster redundant Ethernet interfaces, in which interfaces are configured as local interfaces, is not recommended:

    ge-2/0/2 {
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }

The following configuration of chassis cluster redundant Ethernet interfaces, in which interfaces are configured as part of redundant Ethernet interfaces, is recommended:

    interfaces {
        ge-2/0/2 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        reth2 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 1.1.1.1/24;
                }
            }
        }
    }

• On all branch SRX Series devices, CLNS routing is not supported on aggregated Ethernet interfaces.

• On SRX100, SRX110, SRX210, and SRX220 devices, you cannot configure the same VRRP group ID on different interfaces of a single device.


• On all branch SRX Series devices, IPv6 traffic transiting over an IPv4-based IP over IP tunnel (for example, IPv6-over-IPv4 using an ip-x/x/x interface) is not supported.

• The ATM interface takes more than 5 minutes to show up when the CPE is configured in ANSI-DMT mode and the CO is configured in automode. This occurs only with the ALU 7300 DSLAM, due to a limitation in the current firmware version running on the ADSL Mini-PIM.

• On SRX100 and J Series devices, dynamic VLAN assignments and guest VLANs are not supported.

• On all branch SRX Series devices, the subnet directed broadcast feature is not supported.

• On SRX650 devices, Ethernet switching is not supported on Gigabit Ethernet interfaces (ge-0/0/0 through ge-0/0/3 ports).

• On SRX210, SRX220, SRX240, and SRX650 devices, when using stream mode security logging, security logs cannot be sent to NSM or another syslog server if the server is in the same subnet as interface fxp0. Stream mode syslog can only be routed through revenue ports and not through the fxp0 interface. This implies that you cannot configure the security log server in the same subnet as the fxp0 interface.

• On all branch SRX Series devices, the number of child interfaces per node is restricted to 4 on the redundant Ethernet (reth) interface and the number of child interfaces per reth interface is restricted to 8.

• On SRX240 High Memory devices, traffic might stop between the SRX240 device and the Cisco switch due to a link mode mismatch. We recommend setting the same value for the autonegotiation parameters on both ends.

• On SRX100 devices, the link goes down when you upgrade FPGA on 1xGE SFP. As a workaround, run the restart fpc command and restart the FPC.

• On SRX210 devices with VDSL2, ATM CoS VBR-related functionality cannot be tested.

• On SRX210 devices, Internet Group Management Protocol version 2 (IGMPv2) JOIN messages are dropped on an integrated routing and bridging (IRB) interface. As a workaround, enable IGMP snooping to use IGMP over IRB interfaces.

• On all J Series devices, the DS3 interface does not have an option to configure multilink-frame-relay-uni-nni (MFR).

• On SRX210, SRX220, and SRX240 devices, every time the VDSL2 Mini-PIM is restarted in the asymmetric digital subscriber line (ADSL) mode, the first packet passing through the Mini-PIM is dropped.

• On all branch SRX Series devices, the RPM server operation does not work when the probe is configured with the option destination-interface.

• On all J Series devices, Link Layer Discovery Protocol (LLDP) is not supported on routed ports.

• In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If the user configures IP CoS in conjunction with ATM CoS, the logical interface level shaper matching the ATM CoS rate must be configured to avoid congestion drops in segmentation and reassembly (SAR), as shown in the following example:

Example:

    set interfaces at-5/0/0 unit 0 vci 1.110
    set interfaces at-5/0/0 unit 0 shaping cbr 62400                              (ATM CoS)
    set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map        (IP CoS)
    set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400            (add logical interface shaper)

• On SRX210, SRX220, and SRX240 devices, 1-Port Gigabit Ethernet SFP Mini-PIM does not support switching.

• On SRX650 devices, MAC pause frame and frame check sequence (FCS) error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.

• On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls under the reserved VLAN address range, and you cannot configure VLANs from this range.

• On SRX650 devices, the last four ports of a 24-Gigabit Ethernet switch GPIM can be used either as RJ-45 or small form-factor pluggable transceiver (SFP) ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, then the interface will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go on and off intermittently. Similarly, when the RJ-45 medium is active and an SFP link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.

• On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps or above), keepalives do not get exchanged, and the interface goes down.

• On SRX100, SRX210, SRX240, and SRX650 devices, on the Layer 3 aggregated Ethernet (ae) interface, the following features are not supported:

• Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPoE)

• J-Web

• 10-Gigabit Ethernet

• On SRX100 devices, the multicast data traffic is not supported on IRB interfaces.

• On SRX240 High Memory devices, when the system login deny-sources statement is used to restrict access, it blocks the remote copy (rcp) between nodes that is used to copy the configuration during the commit routine. Use a firewall filter on the lo0.0 interface to restrict Routing Engine access instead. However, if you choose to use the system login deny-sources statement, check the private addresses that were automatically assigned on lo0.x and sp-0/0/0.x and exclude them from the denied list.
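The lo0.0 firewall filter alternative that the item above recommends, as an added example (not from the release notes or from Juniper): management protocols reach the Routing Engine only from a management subnet, while the cluster-internal addresses are accepted first so that the rcp used during commit keeps working. All addresses are constructed: 192.0.2.0/24 is the assumed management subnet, and 10.255.0.0/30 stands in for the private addresses the device assigned automatically on lo0.x and sp-0/0/0.x (read the real ones with show interfaces terse and substitute them). Ports 22, 23 and 514 (SSH, Telnet, rcp) are the assumed management ports.

```junos
/* Added example, not from the release notes or from Juniper: an input
   filter on lo0.0 that restricts Routing Engine management access without
   blocking the chassis-cluster rcp used by commit. All addresses are
   constructed placeholders; substitute the real cluster-internal addresses
   from "show interfaces terse". */
firewall {
    family inet {
        filter protect-re {
            /* Cluster-internal traffic (including rcp during commit) first */
            term allow-cluster-internal {
                from {
                    source-address {
                        10.255.0.0/30;
                    }
                }
                then accept;
            }
            /* SSH, Telnet and rcp only from the assumed management subnet */
            term allow-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ 22 23 514 ];
                }
                then accept;
            }
            /* The same ports from anywhere else are logged and dropped */
            term deny-mgmt-other {
                from {
                    protocol tcp;
                    destination-port [ 22 23 514 ];
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* Everything else (routing protocols, ICMP, cluster control) passes */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

The ordering matters: the cluster-internal accept term must precede the deny term, otherwise the filter reproduces the same commit failure that deny-sources causes. The final accept keeps routing protocols and cluster control traffic unaffected; tighten it only after confirming which sources the device actually needs.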

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, on VLAN-tagged routed interfaces, LLDP is not supported.

• On SRX210 devices, the DOCSIS Mini-PIM delivers speeds up to a maximum of 100 Mbps throughput in each direction.

• On SRX550 and SRX650 devices, the aggregate Ethernet (ae) interface with an XE member interface cannot be configured with family Ethernet switching.


• On all branch SRX Series and J Series devices, the Q-in-Q support on a Layer 3 interface has the following limitations:

• Double tagging is not supported on redundant Ethernet (reth) and aggregate Ethernet (ae) interfaces.

• Multitopology routing is not supported in flow mode and in chassis clusters.

• Dual tagged frames are not supported on encapsulations (such as CCC, TCC, VPLS, and PPPoE).

• On Layer 3 logical interfaces, input-vlan-map, output-vlan-map, inner-range, and inner-list are not applicable.

• Only TPIDS with 0x8100 are supported and the maximum number of tags is 2.

• Dual tagged frames are accepted only for logical interfaces with IPV4 and IPV6 families.

• On SRX650 devices, Link Layer Discovery Protocol (LLDP) is not supported on the base ports of the device and on the 2-Port 10-Gigabit Ethernet XPIM.

• On SRX100, SRX110, SRX210, SRX220, SRX240, and SRX550 devices, Link Aggregation Control Protocol (LACP) is not supported on the 1-Port Gigabit Ethernet Small Form-Factor Pluggable (SFP) Mini-PIM.

• On all branch SRX Series devices, IKEv2 does not include support for:

• Policy-based tunnels

• Dial-up tunnels

• Network Address Translation-Traversal (NAT-T)

• VPN monitoring

• Next-Hop Tunnel Binding (NHTB) for st0—Reusing the same tunnel interface for multiple tunnels

• Extensible Authentication Protocol (EAP)

• IPv6

• Multiple child SAs for the same traffic selectors for each QoS value

• Proposal enhancement features

• Reuse of Diffie-Hellman (DH) exponentials

• Configuration payloads

• IP Payload Compression Protocol (IPComp)

• Dynamic Endpoint (DEP)

Intrusion Detection and Prevention (IDP)

• On all branch SRX Series devices, from Junos OS Release 11.2 and later, the IDP security package is based on the Berkeley database. Hence, when the Junos OS image is upgraded from Junos OS Release 11.1 or earlier to Junos OS 11.2 or later, a migration of IDP security package files needs to be performed. This is done automatically on upgrade when the IDP daemon comes up. Similarly, when the image is downgraded, a migration (secDb install) is automatically performed when the IDP daemon comes up, and previously installed database files are deleted.

However, migration is dependent on the XML files for the installed database present on the device. For first-time installation, completely updated XML files are required. If the last update on the device was an incremental update, migration might fail. In such a case, you have to manually download and install the IDP security package using the download or install CLI command before using the IDP configuration with predefined attacks or groups.

As a workaround, use the following CLI commands to manually download the individual components of the security package from the Juniper Security Engineering portal and install the full update:

• request security idp security-package download full-update

• request security idp security-package install

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the request services application-identification uninstall command will uninstall all predefined signatures.

• On all branch SRX Series devices, IDP does not allow header checks for nonpacket contexts.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the maximum supported number of entries in the ASC table is 100,000 entries. Because the user land buffer has a fixed size of 1 MB as a limitation, the table displays a maximum of 38,837 cache entries.

• On all branch SRX Series devices, with regard to serialization limits, the maximum number of IDP sessions supported is shown in Table 5 on page 49:

Table 5: Maximum Number of IDP Sessions

Branch SRX Series Device   1-GB Memory   2-GB Memory
SRX100 and SRX110          16,000        16,000
SRX210                     16,000        32,000
SRX220                     16,000        32,000
SRX240                     32,000        64,000
SRX550                     32,000        64,000
SRX650                     32,000        64,000

• On all branch SRX Series devices, all IDP policy templates are supported except All Attacks. There is a 100 MB policy size limit for integrated mode and a 150 MB policy size limit for dedicated mode. The current supported IDP policy templates are dynamic based on the attack signatures added. Therefore, be aware that supported templates might eventually grow past the policy size limit.

• On all branch SRX Series devices, the following IDP policies are supported:

• DMZ_Services

• DNS_Service

• File_Server

• Getting_Started

• IDP_Default

• Recommended

• Web_Server

• On all branch SRX Series devices, IDP deployed in both active/active and active/passive chassis clusters has the following limitations:

• No inspection of sessions that failover or failback.

• The IP action table is not synchronized across nodes.

• The Routing Engine on the secondary node might not be able to reach networks that are reachable only through a Packet Forwarding Engine.

• The SSL session ID cache is not synchronized across nodes. If an SSL session reuses a session ID and it happens to be processed on a node other than the one on which the session ID is cached, the SSL session cannot be decrypted and will be bypassed for IDP inspection.

• On all branch SRX Series devices, IDP deployed in active/active chassis clusters has a limitation that for time-binding scope source traffic, if attacks from a source (with more than one destination) have active sessions distributed across nodes, then the attack might not be detected because time-binding counting has a local-node-only view. Detecting this sort of attack requires an RTO synchronization of the time-binding state that is not currently supported.

NOTE: On SRX100 devices, IDP chassis cluster is supported in active/backup mode.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the IDP policies for each user logical system are compiled together and stored on the data plane memory. To estimate adequate data plane memory for a configuration, consider these two factors:

• IDP policies applied to each user logical system are considered unique instances because the ID and zones for each user logical system are different. Estimates need to take into account the combined memory requirements for all user logical systems.

• As the application database increases, compiled policies will require more memory. Memory usage should be kept below the available data plane memory to accommodate increases in database size.


IPv6

• On all branch SRX Series devices, IPv6 flows are not supported in transparent mode.

Layer 2 Transparent Mode

• On all branch SRX Series devices, configuring the Layer 2 Ethernet switching family in transparent mode for an interface is not supported.

• DHCP server propagation is not supported in Layer 2 transparent mode.

License

• When you have Junos OS Release 12.1X45 or later with an advanced license installed, if you downgrade to Junos OS Release 12.1X44 and delete the license, upgrading back to Junos OS Release 12.1X45 might lead to a decrease in the session capacity.

IPv6

• NSM—Consult the Network and Security Manager (NSM) release notes for version compatibility, required schema updates, platform limitations, and other specific details regarding NSM support for IPv6 addressing on SRX Series and J Series devices.

J-Web

SRX Series and J Series browser compatibility

To access the J-Web interface, your management device requires the following software:

• Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0

• Language support—English-version browsers

• Supported OS—Microsoft Windows XP Service Pack 3

• If the device is running the worldwide version of the Junos OS and you are using the Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option in the Web browser to access the device.

• To use the Chassis View, a recent version of Adobe Flash that supports ActionScript and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed by default on the Dashboard page. You can enable or disable it using options in the Dashboard Preference dialog box, but clearing cookies in Internet Explorer also causes the Chassis View to be displayed.

• On all branch SRX Series devices, in the J-Web interface, there is no support for changing the T1 interface to an E1 interface or vice versa. As a workaround, use the CLI to convert from T1 to E1 and vice versa.

• On all branch SRX Series and J Series devices, users cannot differentiate between Active and Inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages.


• On SRX210 devices, there is no maximum length when the user commits the hostname in CLI mode; however, a maximum of only 58 characters are displayed in the J-Web System Identification panel.

• On all J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.

• On all branch SRX Series devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. VLAN interfaces are not currently supported for use as IKE external interfaces.

• The PPPoE wizard has the following limitations:

• While you use the load and save functionality, the port details are not saved in the client file.

• The Non Wizard connection option cannot be edited or deleted through the wizard. Use the CLI to edit or delete the connections.

• The PPPoE wizard cannot be launched if the backend file is corrupted.

• The PPPoE wizard cannot be loaded from the client file if non-wizard connections share the same units.

• The PPPoE wizard cannot load the saved file from one platform to another platform.

• There is no backward compatibility from PPPoE wizard Phase 2 to PPPoE wizard Phase 1. As a result, the PPPoE connection from Phase 2 will not be shown in Phase 1 when you downgrade to an earlier release.

• The New Setup wizard has the following limitations:

• The Existing Edit mode might not work as expected if you previously configured the device manually, without using the wizard.

• Edit mode might overwrite outside configurations such as Custom Application, Policy Name, and zone inbound services.

• In create new mode, when you commit your configuration changes, your changes will overwrite the existing configuration.

• VPN and NAT wizards are not compatible with the New Setup wizard; therefore the VPN or NAT wizard configuration will not be reflected in the New Setup wizard or vice versa.

• By default, 2 minutes are required to commit a configuration using the New Setup wizard.

• On SRX650 devices, the default mode configures only the ge-0/0/1 interface under the internal zone.


• You might encounter usability issues if you use Internet Explorer version 7 or 8 to launch the New Setup wizard.

• If you refresh your browser after you download the license, the factory mode wizard is not available.

• When you commit the configuration, the underlying Web management interface changes, and you do not receive a response about the commit status.

• Webserver ports 80 (HTTP) and 443 (HTTPS) on the DMZ or internal zone are overshadowed if Web management is enabled on an Internet zone that is not configured for destination NAT. As a workaround, change the Webserver port numbers for HTTP and HTTPS by editing the recommended policies on the Security policies page.

• Images, buttons, and the spinner (applying configuration) on the wizard screen do not render or appear the first time after the browser cache is cleared.

Multicast

• On SRX Series devices, PIM does not support upstream and downstream interfaces across different virtual routers in flow mode.

Network Address Translation (NAT)

• Maximum capacities for source pools and IP addresses have been extended on SRX650 devices, as follows:

Devices   Source NAT Pools   PAT Maximum Address Capacity   PAT Port Number   Source NAT Rules Number
SRX650    1024               1024                           64M               1024

Increasing the capacity of source NAT pools consumes memory needed for port allocation. When source NAT pool and IP address limits are reached, port ranges should be reassigned. That is, the number of ports for each IP address should be decreased when the number of IP addresses and source NAT pools is increased. This ensures NAT does not consume too much memory. Use the port-range statement in configuration mode in the CLI to assign a new port range or the pool-default-port-range statement to override the specified default.

Configuring port overloading should also be done carefully when source NAT pools are increased.

For a source pool with port address translation (PAT) in the range 64,510 through 65,533, two ports are allocated at one time for RTP/RTCP applications, such as SIP, H.323, and RTSP. In these scenarios, each IP address supports PAT, occupying 2048 ports (64,512 through 65,535) for Application Layer Gateway (ALG) module use.
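The port-range adjustment that the three paragraphs above call for, as an added example (not from the release notes or from Juniper): a large PAT pool whose per-address port range is reduced with the pool's port range statement, with the device-wide default lowered through pool-default-port-range, so that growing the number of pool addresses does not exhaust port-allocation memory. The pool name, rule-set, zones and addresses are constructed (203.0.113.0/24 and 10.0.0.0/8 are documentation and private ranges, not values from the page); the port numbers are chosen to stay well below the 64,512 through 65,535 block the page reserves for ALG use.

```junos
/* Added example, not from the release notes or from Juniper: a source NAT
   pool sized for many addresses, with its per-address port range reduced so
   that port-allocation memory stays bounded. Names, zones and addresses are
   constructed; the port ranges are assumptions that avoid the ALG-reserved
   block 64,512-65,535 described in this section. */
security {
    nat {
        source {
            /* Device-wide default applied to PAT pools that set no range */
            pool-default-port-range 10240 to 40959;
            pool large-pat-pool {
                address {
                    203.0.113.1/32 to 203.0.113.254/32;
                }
                /* Explicit per-pool range: 19,456 ports per address instead
                   of the full range, leaving memory for 254 addresses */
                port {
                    range 1024 to 20479;
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule outbound {
                    match {
                        source-address 10.0.0.0/8;
                    }
                    then {
                        source-nat {
                            pool {
                                large-pat-pool;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

After committing, show security nat source pool all reports the per-address port range and the number of ports in use, which is the figure to watch when a pool is enlarged.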

• NAT rule capacity change—To support the use of large scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed.


The number of destination and static NAT rules has been incremented as shown in Table 6 on page 54. The limitation on the number of destination-rule-set and static-rule-set has been increased. Table 6 on page 54 provides the requirements per device to increase the configuration limitation as well as to scale the capacity for each device.

Table 6: Number of Rules on SRX Series and J Series Devices

NAT Rule Type          SRX100   SRX210   SRX240   SRX650   J Series
Source NAT rule        512      512      1024     1024     512
Destination NAT rule   512      512      1024     1024     512
Static NAT rule        512      512      1024     6144     512

The restriction on the number of rules per rule set has been increased so that there is only a device-wide limitation on how many rules a device can support. This restriction is provided to help you better plan and configure the NAT rules for the device.

Power over Ethernet (PoE)

• On SRX210-PoE devices, SDK packages might not work.

Security Policies

• J Series devices do not support the authentication order password radius or password ldap in the edit access profile profile-name authentication-order command. Instead, use order radius password or ldap password.

• On all branch SRX Series and J Series devices, the limitation on the number of addresses in an address-set has been increased. The number of addresses in an address-set now depends on the device and is equal to the number of addresses supported by the policy.

Table 7: Number of Addresses in an address-set on SRX Series and J Series Devices

Device               address-set
Default              1024
SRX100 High Memory   1024
SRX100 Low Memory    512
SRX210 High Memory   1024
SRX210 Low Memory    512
SRX240 High Memory   1024
SRX240 Low Memory    512
SRX650               1024
J Series             1024

Simple Network Management Protocol (SNMP)

• On all J Series devices, the SNMP NAT related MIB is not supported.

Switching

• Layer 2 transparent mode support—On SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, the following features are not supported for Layer 2 transparent mode:

• Gateway-Address Resolution Protocol (G-ARP) on the Layer 2 interface

• Spanning Tree Protocol (STP)

• IP address monitoring on any interface

• Transit traffic through integrated routing and bridging (IRB)

• IRB interface in a routing instance

• IRB interface handling of Layer 3 traffic

NOTE: The IRB interface is a pseudo interface and does not belong to the reth interface and redundancy group.

• On SRX100, SRX210, SRX240, and SRX650 devices, change of authorization is not supported with 802.1x.

• On SRX100, SRX110, SRX210, SRX240, SRX550, and SRX650 devices, on the routed VLAN interface, the following features are not supported:

• IPv6 (family inet6)

• IS-IS (family ISO)

• Class of service

• Encapsulations (Ether circuit cross-connect [CCC], VLAN CCC, VPLS, PPPoE, and so on) on VLAN interfaces

• Connectionless Network Service (CLNS)

• Protocol Independent Multicast (PIM)

• Distance Vector Multicast Routing Protocol (DVMRP)

• VLAN interface MAC change

• Gateway-Address Resolution Protocol (G-ARP)

• Change VLAN-Id for VLAN interface

Syslog

• Scheduler oinker messages—Scheduler oinker system log messages are generated on the system console with various combinations. Even though the scheduler oinker messages are undesirable, they do not indicate a malfunction or an issue with the device functionality.

Threads are tasks that are contained within a process. Multiple threads can exist within the same process and can share resources such as memory; however, different processes do not share the resources. The threads are designed to run for a maximum amount of time; the time varies for each thread. When the time of a thread expires, the thread must release itself from the memory and CPU resources. At times, the threads might not release, and hence scheduler oinker messages are generated. If scheduler oinker messages are displayed on your system console, you can safely ignore the messages.

Unified Threat Management (UTM)

• On SRX550 devices configured with Sophos Antivirus, certain files whose sizes are larger than the max-content-size might not go into fallback, unlike with other AV engines. Instead, for the few protocols that do not predeclare the content size, such files end up being detected as clean.

• On all J Series devices, UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.

• The quarantine action is supported only for UTM Enhanced Web Filtering or the Juniper-Enhanced type of Web Filtering.

Upgrade and Downgrade

• On all J Series devices, the Junos OS upgrade might fail due to insufficient disk space if the CompactFlash card is smaller than 1 GB. We recommend a 1 GB CompactFlash card for Junos OS Release 10.0 and later.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, when you connect a client running Junos Pulse 1.0 to an SRX Series device that is running a later version of Junos Pulse, the client is not upgraded automatically to the later version. You must uninstall Junos Pulse 1.0 from the client and then download the later version of Junos Pulse from the SRX Series device.

• On the SRX240B2 and SRX240H2 models, when you try to upgrade from Junos OS Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade fails when attempting to validate the configuration. To resolve this, use the no-validate option. Because no-validate skips the configuration compatibility check, review the configuration and the commit output after the upgrade.

USB

• On all branch SRX Series devices, frequent plug and play of USB keys is not supported. You must wait for the device node to be created before removing the USB key.

• On SRX550 devices, the USB modem is not supported because of a hardware limitation.

Virtual Private Network (VPN)

• The IPv6 IPsec implementation has the following limitations:

• Devices with IPv6 addressing do not perform fragmentation. IPv6 hosts should either perform path maximum transmission unit (PMTU) discovery or send packets smaller than the IPv6 minimum MTU size of 1280 bytes.

• Because IPv6 addresses are 128 bits long compared to IPv4 addresses, which are 32 bits long, IPv6 IPsec packet processing requires more resources. Therefore, a small performance degradation is observed.

• IPv6 uses more memory to set up the IPsec tunnel. Therefore, the IPsec IPv4 tunnel scalability numbers might drop.

• The addition of IPv6 capability might cause a drop in the IPsec IPv4-in-IPv4 tunnel throughput performance.

• The IPv6 IPsec VPN does not support the following functions:

• 4in6 and 6in4 policy-based site-to-site VPN, IKE

• 4in6 and 6in4 route-based site-to-site VPN, IKE

• 4in6 and 6in4 policy-based site-to-site VPN, Manual Key

• 4in6 and 6in4 route-based site-to-site VPN, Manual Key

• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, IKE

• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, Manual Key

• Remote Access—XAuth, config mode, and shared IKE identity with mandatory XAuth

• IKE authentication—public key infrastructure/digital signature algorithm (PKI/DSA)

• IKE peer type—Dynamic IP

• Chassis cluster for basic VPN features

• IKE authentication—PKI/RSA

• Network Address Translation-Traversal (NAT-T)

• VPN monitoring

• Hub-and-spoke VPNs

• Next Hop Tunnel Binding Table (NHTB)

• Dead Peer Detection (DPD)

• Simple Network Management Protocol (SNMP) for IPsec VPN MIBs

• Chassis cluster for advanced VPN features

• IPv6 link-local address

• On all branch SRX Series devices, configuring XAuth with AutoVPN secure tunnel (st0) interfaces in point-to-multipoint mode and dynamic IKE gateways is not supported.

• RIP is not supported in point-to-multipoint (P2MP) VPN scenarios, including AutoVPN deployments. We recommend OSPF or IBGP for dynamic routing when using P2MP VPN tunnels.

• On all branch SRX Series devices, when you enable VPN, overlapping of IP addresses across virtual routers is supported with the following limitations:

• An IKE external interface address cannot overlap with any other virtual router.

• An internal/trust interface address can overlap across virtual routers.

• An st0 interface address cannot overlap in route-based VPN in point-to-multipoint tunnels such as NHTB.

• An st0 interface address can overlap in route-based VPN in point-to-point tunnels.

• A secure tunnel (st0) interface supports only one IPv4 address and one IPv6 address at the same time. This applies to all route-based VPNs, including AutoVPN.

• SRX100, SRX210, and SRX240 devices have the following limitations:

• The IKE configuration for the Junos Pulse client does not support a hexadecimal preshared key.

• The Junos Pulse client IPsec does not support the Authentication Header (AH) protocol or the Encapsulating Security Payload (ESP) protocol with NULL authentication.

• When you log in through the Web browser (instead of through the Junos Pulse client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the Junos Pulse client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).

• On all branch SRX Series devices, when you download the Pulse client using a Mozilla browser, the “Launching the VPN Client” page is displayed while Junos Pulse is still downloading. When you download the Pulse client using Internet Explorer, the “Launching the VPN Client” page is displayed after Junos Pulse has been downloaded and installed.

• On SRX100, SRX210, SRX240, and SRX650 devices, when you configure dynamic VPN using the Junos Pulse client and select sha-256 as the authentication-algorithm in the IKE proposal, the IPsec session might not get established.

Related Documentation

• New and Changed Features in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 6

• Changes in Behavior and Syntax in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 25

• Known Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 59

• Resolved Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 61

• Documentation Updates for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 105

• Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 116

Known Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers

The following problems currently exist in Juniper Networks branch SRX Series Services Gateways and J Series Services Routers. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at http://www.juniper.net/prsearch .

NOTE: If there is no device listed in the PR description, then that issue applies to all branch SRX Series and J Series devices.

Known Issues in Junos OS Release 12.1X44-D50 for Branch SRX Series Services Gateways and J Series Services Routers

Flow-Based and Packet-Based Processing

• When an active route changes from multiple next hops to a single next hop, an internal structure is incorrectly updated. This results in route lookup failure and causes traffic drops even though the new active routes are correctly displayed in both the routing and forwarding tables.

As a workaround, avoid situations where multiple-next-hop routes (such as ECMP or BGP multipath) are backed up by single-next-hop routes.

PR879726

• On all branch SRX Series devices, if traffic selectors are used, IPsec tunnel reconnection might cause a memory leak.

As a workaround, upgrade to Junos OS Release 12.1X46-D35 and reduce the number of IPsec tunnel reconnections.

PR1002738

Interfaces and Routing

• On all branch SRX Series devices, the clear security dns-cache command is extended to resolve all DNS entries immediately. Similarly, security policies containing DNS names are updated immediately to use the refreshed IP addresses after the FQDN addresses are resolved.

PR970235

• On SRX100H2 and SRX220H2 devices, when you enable VLAN tagging on interfaces and commit the configuration, the interface speed and duplex mode settings might cause the interface to stop processing traffic.

As a workaround, deactivate and then activate the affected interface.

PR1003423

• On SRX240, SRX550, and SRX650 devices, link-down detection might be delayed by several seconds (at most 4 seconds).

PR1008324

Intrusion Detection and Prevention (IDP)

• On all branch SRX Series devices, an active IDP session might not be fetched by the show security flow session idp and show security flow session summary idp commands.

This issue occurs only when both IDP and AppID are enabled.

PR1045587

Platform and Infrastructure

• On all branch SRX Series devices, every time a user logs in with SSH, a veriexec: fingerprint mismatch message is reported in the log.

PR929612

• On SRX100 devices, when you run the show snmp mib walk jnxMibs command, the chassisd log repeatedly generates the message fru is present: out of range slot -1 for FAN.

PR1062406

• On SRX100 devices, when the device is configured as an 802.1X authentication enforcer, authentication from certain special supplicants might fail. The software engine that processes next hops in the device incorrectly processes packets that come from a supplicant with a special source MAC address, and as a result the packets are dropped.

PR1067588

Virtual Private Networks (VPNs)

• On all branch SRX Series devices with IPsec VPN configured using IKE version 1, the device can hold only two pairs of IPsec security associations (SAs) per tunnel. When the third IPsec SA rekey occurs, the oldest IPsec SA is deleted. Due to this mechanism, a looping of IPsec SA rekey might occur. For example, when a VPN peer contains incorrect configuration that has more than two proxy IDs matching only one proxy ID on a device, the rekey looping issue might cause the flowd process to crash on multiple thread-based SRX Series platforms (SRX240 devices and higher).

As a workaround, correct the configuration, if this issue is caused due to incorrect configuration on the VPN peer. This issue should not recur after correcting the configuration and can be avoided by using IKE version 2 instead of IKE version 1.

PR996429

• On all branch SRX Series devices, when IPsec VPN uses IKE version 2, a distinguished name is used to verify the IKEv2 Phase 1 remote identity, and the remote peer initiates IKEv2 Phase 1 security association (SA) renegotiation (the SRX Series device acts as the responder), the newly negotiated VPN tunnel might stay in the inactive state on the data plane, causing IPsec VPN traffic loss.

As a workaround, clear the Phase 2 SA on both VPN peers to renegotiate the Phase 2 SA. To avoid this issue, use IKE version 1.

PR1028949

Related Documentation

• New and Changed Features in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 6

• Changes in Behavior and Syntax in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 25

• Known Behavior in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 40

• Resolved Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 61

• Documentation Updates for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 105

• Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 116

Resolved Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers

The following are the issues that have been resolved in Junos OS Release 12.1X44 for Juniper Networks SRX Series Services Gateways. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at http://www.juniper.net/prsearch .

NOTE: If there is no device listed in the PR description, then that issue applies to all branch SRX Series and J Series devices.

Resolved Issues in Junos OS Release 12.1X44-D50 for Branch SRX Series Services Gateways

Application Identification

• On all branch SRX Series devices running Junos OS Release 12.1X46 and earlier, if application identification (AppID) is enabled, performance degradation is seen in comparison with devices running Junos OS Release 12.1X47-D10 and later. This is because the AppID function does not ignore the related sessions when AppID has reached the terminal state, and continues with the serialization processing for those sessions. It is important to note that Junos OS Release 12.1X47 and later releases use advanced AppID.

PR1046509

Application Layer Gateways (ALGs)

• On all branch SRX Series devices, the DNS ALG does not terminate the session when a truncated DNS reply is received, so the session remains active until the high timeout of 10~50 is reached.

PR1038800

• On all branch SRX Series devices, the SIP ALG code has been enhanced to support the SDP line order defined in RFC 4566 and to avoid cases in which the owner field (o= line) was not translated by NAT.

PR1049469

• On all branch SRX Series devices, if SUN RPC traffic has the same IP address, port number, and program ID as an existing session but arrives from a different source zone, the traffic is dropped by the SUN RPC ALG.

PR1050339

• On all branch SRX Series devices, when the callee presses the Hold button, the SIP ALG does not translate the c= (connection) line of the INVITE sent to the caller.

PR1066633

• On all branch SRX Series devices with the MS-RPC ALG enabled, the flowd process might crash due to incorrect MS-RPC ALG parsing of ISystemActivator RemoteCreateInstance response packets.

PR1066697

Authentication

• On all branch SRX Series devices with firewall authentication enabled, when a firewall authentication from an authenticated IP address for a new authentication fails, and then a pass-through firewall authentication tries this entry, the firewall authentication function accesses a freed memory, which results in a flowd process crash.

PR1040214

Chassis Cluster

• On all branch SRX Series devices in chassis cluster mode, during control plane RG0 failover, a policy resynchronisation operation compares the policy message between the Routing Engine and the Packet Forwarding Engine. However, some fields in the security policy data message are not processed. Data for unprocessed fields might be treated differently and cause the flowd process to crash.

PR1040819

• On all branch SRX Series devices in a chassis cluster, if the switching fabric (swfab) interface is configured, the swfab interface incorrectly updates the state of the fabric (fab) interface. As a result, the fab interface might be stuck in the down state.

PR1064005

Command-Line Interface

• On all branch SRX Series devices, the configurations of group junos-defaults are lost after a configuration rollback. As a result, the commit command fails.

PR1052925

Dynamic Host Configuration Protocol (DHCP)

• On all branch SRX Series devices configured as a DHCP server (using the jdhcpd process), when the DHCP server receives a new request from a client and assigns an IP address through the authentication process (authd), the jdhcpd process is expected to communicate with authd twice (once for the DHCP discover message and once for the DHCP request message). If authentication fails on the first message, the authd process waits indefinitely for the second authentication request, but the jdhcpd process never sends it because it detects that the first authentication did not succeed. This causes a memory leak in the authd process; memory might be exhausted, generating a core file and preventing DHCP server service. High CPU usage on the Routing Engine might also be observed.

PR1042818

• On all branch SRX Series devices configured as a DHCP client, the default route received from the external DHCP server might be removed from the routing table when you modify the DHCP configuration under the access address-assignment hierarchy.

PR1058821

Flow-Based and Packet-Based Processing

• On all branch SRX Series devices, if a GRE tunnel configuration is committed without a correct route to the tunnel destination, the GRE tunnel session binds to the wrong anchor interface (the GRE tunnel outgoing interface) by route lookup. This anchor interface is not updated even after the route is corrected in a subsequent commit.

PR933591

• On all branch SRX Series devices, the GRE tunnel does not change the outbound interface when the route changes.

PR965890

• On all branch SRX Series devices with IDP configured, in rare cases where the device runs out of memory, the flowd process might crash if shellcode detection occurs.

PR985139

• On all branch SRX Series devices with a GRE tunnel configured, the carrier interface of the GRE tunnel is not updated when a new, more specific route to the tunnel destination address is added, which might cause traffic loss in some scenarios.

PR1040666

• On all branch SRX Series devices, after IDP drop action is performed on a TCP session, the TCP session timeout is not accurate.

PR1052744

• On all branch SRX Series devices with IP-in-IP tunnel configured, due to incorrect configuration (routing loop caused by route change and so on), packets might be encapsulated by the IP-in-IP tunnel several times. As a result, packets are corrupted and the flowd process might crash.

PR1055492

• On SRX240, SRX550, and SRX650 devices, in a rare condition, the session might be released twice by multiple threads during internal processing by the NAT module. As a result, the flowd process crashes.

PR1058711

• On SRX550 devices, traffic processed by the serialization process is dropped when the maximum limit of serialization sessions (32,000) is exceeded. As a result, advanced services such as IDP, ALG, and AppSecure are impacted.

PR1061524

Hardware

• On all branch SRX Series devices, the message twsi0: Device timeout on unit 1 fills the console on soft reboot.

PR1050215

Interfaces and Routing

• On all branch SRX Series devices configured as a CHAP authentication client, in a PPPoE over ATM LLC encapsulation scenario, the connection might not be established because of an incorrect sequence of messages being exchanged with the second LNS.

PR1027305

• On all branch SRX Series devices, the commit synchronize command fails because the kernel socket gets stuck.

PR1027898

• On SRX550 and SRX650 devices, 20 to 40 percent traffic loss is seen on the port of the SRX-GP-2XE-SFP-PTX after changing the speed from 10 Gbps to 1 Gbps. This issue is seen in both fiber and copper mode. When you switch between fiber and copper mode on the port of the SRX-GP-2XE-SFP-PTX, the speed might vary within the configuration.

PR1033369

• On all branch SRX Series devices, after enabling IEEE 802.1X, the connected devices on some ports might fail to be authenticated due to MAC authentication requests held on the eswd process. This issue might be seen on certain random ports, but not all the ports.

PR1042294

• On all branch SRX Series devices in a chassis cluster with PPPoE configured on a redundant Ethernet (reth) interface, when both nodes reboot, the PPPoE interface (pp0.x) sometimes is not prepared, despite the PPPoE session being up.

PR1050264

• On all branch SRX Series devices with PPPoE configured, when PPPoE fails to authenticate, the software next-hop entry leaks in the data plane, gradually consuming all 64,000 software next-hop entries. When the software next-hop table is full, the following next-hop error is logged: RT_PFE: NH IPC op 2 (CHANGE NEXTHOP) failed, err 6 (No Memory) peer_class 0, peer_index 0 peer_type 10.

PR1055882

J-Web

• On all branch SRX Series devices, J-Web limits the size of the configuration fetched from a device to avoid memory exhaustion. When the configuration size exceeds this limit, J-Web fails to load the configuration on Junos OS Release 12.3X48-D10.

PR1037073

• On all branch SRX Series devices, J-Web does not display all the member link interfaces for aggregate Ethernet (ae) interface.

PR1038850

• On all branch SRX Series devices, security policy log or security policy count is not displayed when the match condition is RT_FLOW_SESSION.

PR1056947

• On all branch SRX Series devices, when you use a configuration encryption, the missing rescue configuration alarm is set even when there is a saved rescue configuration.

PR1057473

• On all branch SRX Series devices, if a security policy contains a tcp-options statement, modifying this security policy by using J-Web results in the loss of the tcp-options statement. This is because the tcp-options configuration is missing in the J-Web security policy configuration.

PR1063593

Network Address Translation (NAT)

• On all branch SRX Series devices with persistent NAT enabled, if an invalid flow with protocol value 0 creates a persistent NAT entry, that persistent NAT entry is not cleared even when the invalid session is cleared.

PR935325

• On all branch SRX Series devices with source NAT configured, a memory leak might occur in the nsd process when SNMP queries the source NAT rule hit information.

PR1036882

Platform and Infrastructure

• On all branch SRX Series devices, the log displays the message /kernel: veriexec: fingerprint for dev. This is a cosmetic issue.

PR1064166

Unified Access Control (UAC)

• On all branch SRX Series devices configured as an enforcer in a Unified Access Control (UAC) network scenario, the flowd process might crash because a NULL return from memory allocation for the UAC authentication table is not checked. This occurs in rare cases where the device runs out of memory and then tries to allocate memory for a UAC authentication request.

PR1055379

Virtual Private Networks (VPNs)

• On all branch SRX Series devices, in a hub-and-spoke IPsec VPN scenario, on the hub site, when committing the static NHTBs on the multipoint secure tunnel (st0) interface, the VPN routes might become active even though the VPN tunnel is down. This issue also occurs when the system reboots with static NHTBs and the related static routes configured.

PR1007235

• On all branch SRX Series devices, when a primary IP address of an interface changes, some IPsec tunnels terminated on that interface might go down.

PR1044620

• On all branch SRX Series devices with a large number of IPsec VPN tunnels configured, in a very rare condition, if VPN monitoring is enabled, the kmd process might crash when you delete some of the VPN tunnels.

PR1044660

Resolved Issues in Junos OS Release 12.1X44-D45 for Branch SRX Series Services Gateways

Application Layer Gateways (ALGs)

• On all branch SRX Series devices, LAG interface gratuitous ARP is neither generated nor sent out on the link when gratuitous-arp-on-ifup is configured.

PR889851

• On all branch SRX Series devices with the MS-RPC ALG enabled, occasionally, when more than one IP address and port pair exists in the MS-RPC response packet and these pairs are identical, the ALG group might leak. This issue might also occur in a Sun RPC scenario.

PR1010499

• On all branch SRX Series devices with the SIP ALG enabled, when either retain-hold-resource and NAT are configured or a 183 Session Progress message with SDP is retransmitted (the first transmission did not have SDP), the SIP ALG incorrectly changes the IP address embedded in the media payload to zero, causing a call failure.

PR1016969

• On all branch SRX Series devices, in certain situations, the H.323 ALG incorrectly handles translation because the stored position is not initialized properly. As a result, H.323 endpoint registration failure and call failure occur.

PR1023528

• On all branch SRX Series devices with the SIP ALG and NAT enabled, if you place a call on hold and off hold many times, each time with different media ports, the resources in the call are used up, resulting in one-way audio. Tearing down the call clears the resources, and subsequent calls are not affected.

PR1032528

• On all branch SRX Series devices with the SIP ALG and NAT enabled, the SIP ALG does not perform IP translation for retransmitted 183 Session Progress messages. This leads to SIP call failure when the device receives the first 183 Session Progress message without SDP information but the retransmitted 183 Session Progress messages contain SDP information.

PR1036650
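Several of the SIP ALG items above come down to two things an ALG must get right in the SDP body: the RFC 4566 line order (PR1049469) and translating every address-bearing field, including the o= (owner) line, the c= (connection) line while a call is on hold (PR1066633), and the media ports in retransmitted 183 Session Progress messages that carry SDP (PR1036650). The following Python example is added here to show both in working form; it is not Juniper code and does not reproduce the SRX ALG. The SDP body, the inside-to-outside address map, and the port map are constructed for the example; a real ALG would obtain the mappings from the NAT module.

```python
import re

# RFC 4566 section 5 line order. Session level: v o s i u e p c b t r z k a;
# each media section: m i c b k a. Equal ranks may repeat (t/r pairs, many a= lines).
SESSION_RANK = {t: i for i, t in enumerate("vosiuepcbtrzka")}
SESSION_RANK["r"] = SESSION_RANK["t"]
MEDIA_RANK = {t: i for i, t in enumerate("micbka")}
_C_LINE = re.compile(r"^(IN IP4 )(\d+\.\d+\.\d+\.\d+)(.*)$")

# Constructed sample: a re-INVITE placing audio on hold (a=sendonly) plus a video
# stream with its own media-level c= line. 10.0.0.x are inside addresses.
EXAMPLE_SDP = (
    "v=0\r\no=alice 2890844526 2890844527 IN IP4 10.0.0.5\r\ns=-\r\n"
    "c=IN IP4 10.0.0.5\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\na=sendonly\r\n"
    "m=video 51372 RTP/AVP 31\r\nc=IN IP4 10.0.0.6\r\n"
)
ADDR_MAP = {"10.0.0.5": "203.0.113.7", "10.0.0.6": "203.0.113.7"}      # assumed NAT bindings
PORT_MAP = {("10.0.0.5", 49170): 20000, ("10.0.0.6", 51372): 20002}   # assumed port bindings
BAD_SDP = "v=0\r\ns=-\r\no=a 1 1 IN IP4 10.0.0.5\r\nt=0 0\r\n"       # o= after s=


def parse_lines(sdp_text):
    """Split an SDP body into (line_number, type, value) tuples."""
    lines = sdp_text.replace("\r\n", "\n").rstrip("\n").split("\n")
    parsed = []
    for n, line in enumerate(lines, 1):
        if len(line) < 2 or line[1] != "=":
            raise ValueError(f"line {n}: not of the form <type>=<value>")
        parsed.append((n, line[0], line[2:]))
    return parsed


def order_errors(sdp_text):
    """Return [(line_number, message)] for RFC 4566 ordering violations."""
    errors, rank_of, last, seen = [], SESSION_RANK.get, -1, set()
    for n, t, _ in parse_lines(sdp_text):
        if t == "m":                      # a new media section restarts the ordering
            rank_of, last = MEDIA_RANK.get, -1
        seen.add(t)
        rank = rank_of(t)
        if rank is None:
            errors.append((n, f"{t}= line unknown or not allowed at this level"))
        elif rank < last:
            errors.append((n, f"{t}= line out of RFC 4566 order"))
        else:
            last = rank
    errors.extend((0, f"mandatory {t}= line missing") for t in "vost" if t not in seen)
    return errors


def nat_rewrite(sdp_text, addr_map, port_map):
    """Translate o=, c= and m= the way an ALG behind NAT must.
    c=IN IP4 0.0.0.0 (RFC 2543-style hold) is left alone; an a=sendonly hold
    still gets its c= line translated."""
    if order_errors(sdp_text):
        raise ValueError("refusing to rewrite SDP that violates RFC 4566 ordering")
    items = parse_lines(sdp_text)
    # Pass 1: effective (untranslated) c= address for each media section.
    session_addr, media_addr = None, []
    for _, t, v in items:
        if t == "m":
            media_addr.append(session_addr)
        elif t == "c":
            m = _C_LINE.match(v)
            if m and media_addr:
                media_addr[-1] = m.group(2)   # media-level c= overrides session-level
            elif m:
                session_addr = m.group(2)
    # Pass 2: rewrite.
    out, section = [], -1
    for _, t, v in items:
        if t == "o":
            f = v.split(" ")              # username sess-id sess-version nettype addrtype addr
            if len(f) == 6 and f[3:5] == ["IN", "IP4"]:
                f[5] = addr_map.get(f[5], f[5])
            v = " ".join(f)
        elif t == "c":
            m = _C_LINE.match(v)
            if m and m.group(2) != "0.0.0.0":
                v = m.group(1) + addr_map.get(m.group(2), m.group(2)) + m.group(3)
        elif t == "m":
            section += 1
            f = v.split(" ")              # media port[/count] proto fmt ...
            port = f[1].split("/")[0]
            new_port = port_map.get((media_addr[section], int(port)))
            if new_port is not None:
                f[1] = str(new_port) + f[1][len(port):]
            v = " ".join(f)
        out.append(f"{t}={v}")
    return "\r\n".join(out) + "\r\n"


def rejects(sdp_text):
    """True if nat_rewrite refuses the body (malformed or out of order)."""
    try:
        nat_rewrite(sdp_text, {}, {})
        return False
    except ValueError:
        return True
```

The two-pass structure matters: a media-level c= line follows its m= line, so the port mapping for an m= line cannot be chosen until the whole section has been read, which is exactly the kind of ordering detail an ALG that walks the body once gets wrong.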

Chassis Cluster

• On all branch SRX Series devices with low memory (512 MB or 1 GB), the idpd process might crash when you install the IDP policy after updating the signature database. This issue occurs when you execute the system call command while the device is in a low-memory condition.

PR852661

• On all branch SRX Series devices configured in a chassis cluster, VLAN interfaces on the primary node might flap or go down.

PR1001162

• On all branch SRX Series devices in a chassis cluster, if you reboot a node, wait until it becomes secondary, and then disable or unplug the fabric link, the secondary node might not go into the disabled state.

PR1032314

Command-Line Interface (CLI)

• On all branch SRX Series devices in configure private mode, when multiple users try to perform set, delete, or commit in parallel, the management process (mgd) might crash.

PR737642

• On all branch SRX Series devices, the allow-configuration-regexps statement at the [edit system login class] hierarchy level does not work exactly the same way as the deprecated allow-configuration statement at the same hierarchy level.

PR931415

• On all branch SRX Series devices, CLI auto-complete does not work for any keywords after you run the set system login class <name> permissions command.

PR1032498

• On all branch SRX Series devices, the configurations of group junos-defaults are lost after a configuration rollback. As a result, the commit command fails.

PR1052925

Dynamic Host Configuration Protocol (DHCP)

• On all branch SRX Series devices, in DHCP requests, the IP TTL value is set to 1 and the DHCP option 12 is missing.

PR1011406

• On all branch SRX Series devices configured as a DHCP server (using JDHCP), even though the next-server (siaddr) and tftp boot-server options are configured, the siaddr and tftp boot servers are set with the IP address as 0.0.0.0 in DHCP reply packets.

PR1034735

Flow-Based and Packet-Based Processing

• On all branch SRX Series devices, when you run the clear security flow session command with a prefix or port filter, some of the sessions are not matched with the filter, causing a traffic drop or delay.

PR925369

• On SRX240, SRX550, and SRX650 devices, in certain circumstances, packets might go out of order or be dropped by the device. This issue affects multithreaded branch SRX Series devices and typically occurs in mixed traffic (TCP or UDP) environments.

PR977614

• On all branch SRX Series devices, when the packet-capture option is configured on the egress interface and a multicast stream is sent through the device, the multicast traffic might not be captured.

PR1005116

• On SRX240H2, SRX240H2-POE, and SRX240H2-DC devices, the IDP cannot process any traffic due to incorrect setting of flow sessions.

PR1011057

• On all branch SRX Series devices, the flowd process might crash while applying a CoS filter for the host outbound traffic.

PR1021150

• On all branch SRX Series devices in Layer 2 transparent mode, the flowd process might crash when two packets with the same connection are received in a short time before the flow session is created, and the destination MAC address lookup succeeds for both packets.

PR1025983

• On all branch SRX Series devices in a chassis cluster in Z mode, if static NAT or destination NAT is configured and the NAT rule uses the IP address of the incoming interface as the destination-address match condition (for example, set security nat static rule-set <rule-set-name> rule <rule-name> match destination-address <IP address of the incoming interface>), then the traffic matching the NAT rule is discarded.

PR1040185

Interfaces and Routing

• On all branch SRX Series devices, when the device is acting as an NTP broadcast server, the broadcast addresses must be in the default routing instance. NTP messages are not broadcast when the address is configured in a VPN virtual routing and forwarding (VRF) instance.

PR887646

• On all branch SRX Series devices, CoS buffer sizes are not recalculated after you delete interface units. This might result in suboptimal CoS behavior.

As a workaround, do the following:

1. Deactivate the physical interface and commit the configuration.

2. Delete the interface units.

3. Activate the physical interface and commit the configuration.

PR953924

• On SRX650 devices, the VLAN interface is down after a reboot.

PR969079

• On SRX240, SRX550, and SRX650 devices, when IP monitoring is configured to disable or enable ae interfaces, the STP state is not changed on the ae interfaces.

PR1007637

• On all branch SRX Series devices acting as the first-hop router (FHR) in a multicast scenario, after the device reboots, the PIM tunnel selects the loopback interface (lo0.0) as the outgoing interface because of a timing issue in which the route is not yet ready. If lo0.0 and the downstream interface are not in the same security zone, the PIM register packets are dropped because of a reroute failure.

PR1031185

• On all branch SRX Series devices, multiple CoS rewrite rules are applied to a single interface where only one rewrite rule is allowed.

PR1034173

Intrusion Detection and Prevention (IDP)

• On SRX210 and SRX220 devices, due to memory constraints, the combination of large IDP policies (for example, IDP_Default) with express antivirus (EAV) might not compile successfully.

PR974851

• On all branch SRX Series devices, severity for the IDP report changes from log severity to threat severity.

PR1019401

J-Web

• On all branch SRX Series devices (except SRX110) in a chassis cluster, when the switch to Layer 2 mode button is pressed in J-Web, J-Web does not ask for confirmation; it converts the device to transparent mode immediately and reboots it.

PR1007740

• On all branch SRX Series devices, the PKI certificate issued for J-Web HTTPS is not used when dynamic VPN (DVPN) is configured on the same device, because the device uses the self-signed PKI certificate for both J-Web HTTPS and DVPN URL access.

PR1017747

• On all branch SRX Series devices, the J-Web Dashboard does not show correct LED color for alarm status.

PR1026883

Platform and Infrastructure

• On all branch SRX Series devices, when the device receives a DNS response with a Time To Live (TTL) of less than 60 seconds, the device resets the TTL to 60 seconds. When you configure a security policy that uses a DNS name in the address book, the inconsistent TTL between the SRX Series device and the DNS server might cause connection issues with some nested applications in Web services.

PR913721

• On all branch SRX Series devices, due to a communication error between the master agent (snmpd process) and the subagent (mib2d process), the device fails to register some MIBs. For example, the following commands display no output, or report that the OID is not available:

user@hostname> show snmp mib walk ifTable

user@hostname:~$ snmpwalk -v 2c -c snmp@exp X.X.X.X ifAlias

The following message is displayed: IF-MIB::ifAlias = No Such Object available on this agent at this OID

This means the OID is not registered.

PR978535

• On SRX100, SRX110, and SRX210 devices, no events are displayed when the temperature of the chassis exceeds the thermal threshold value.

PR999888

• On all branch SRX Series devices, when a new user is created, the home directory for the user is not created.

PR1015156

• On all branch SRX Series devices, when the flexible-vlan-tagging option is enabled, the return traffic might be dropped on the tagged interface with the message "packet dropped, pak dropped due to invalid l2 broadcast/multicast addr".

PR1034602


Security

• OpenSSL released a Security Advisory that included CVE-2014-3566, known as the "POODLE" vulnerability. The SSL protocol 3.0 (SSLv3) uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data through a padding-oracle attack. OpenSSL is upgraded to support SSL 3.0 fallback protection (TLS_FALLBACK_SCSV). Refer to JSA10656 for more information.

PR1033938
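The fallback protection named above is defined in RFC 7507. The following is an added example, not code from these release notes or from Junos OS: it builds and parses a minimal ClientHello, implements the server-side decision (refuse a ClientHello that carries TLS_FALLBACK_SCSV while offering a version below the server's highest), and shows the client-side retry that triggers it. The version numbers, the 0x5600 cipher suite value and the alert codes are from the RFCs; the function names, the all-zero client random and the cipher suite 0x002F used as sample input are assumptions for illustration.

```python
import struct

# Protocol versions as they appear in ClientHello.client_version
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value, RFC 7507 section 2
ALERT_PROTOCOL_VERSION = 70         # RFC 5246 alert description
ALERT_INAPPROPRIATE_FALLBACK = 86   # RFC 7507 section 2


def build_client_hello(client_version, cipher_suites, client_random=bytes(32)):
    """Minimal ClientHello handshake message (RFC 5246 section 7.4.1.2), no extensions.
    The all-zero random is a placeholder for illustration, not what a real client sends."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", client_version) + client_random
            + b"\x00"                                   # session_id: empty
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # compression_methods: null only
    return b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello = 1


def parse_client_hello(msg):
    """Return (client_version, [cipher suites]) from a ClientHello handshake message."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                        # skip client_random
    pos += 1 + body[pos]                # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return version, suites


def server_accepts(msg, server_max_version=TLS_1_2, server_min_version=SSL_3_0):
    """Server rule from RFC 7507 section 3: refuse a ClientHello that carries
    TLS_FALLBACK_SCSV while offering a version below the server's highest.
    Returns (accepted, alert_description_or_None)."""
    version, suites = parse_client_hello(msg)
    if version < server_min_version:
        return False, ALERT_PROTOCOL_VERSION
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return False, ALERT_INAPPROPRIATE_FALLBACK
    return True, None


def fallback_client_hello(failed_version, cipher_suites):
    """Client side (RFC 7507 section 4): after a failed handshake, retry one version lower
    and add the SCSV so a compliant server can tell a forced downgrade from a genuine old client."""
    lower = {TLS_1_2: TLS_1_1, TLS_1_1: TLS_1_0, TLS_1_0: SSL_3_0}
    if failed_version not in lower:
        raise ValueError("no lower version to fall back to")
    return build_client_hello(lower[failed_version], list(cipher_suites) + [TLS_FALLBACK_SCSV])


if __name__ == "__main__":
    # Constructed scenario: a man-in-the-middle drops the TLS 1.2 attempt and the client retries.
    retry = fallback_client_hello(TLS_1_2, [0x002F])            # TLS_RSA_WITH_AES_128_CBC_SHA
    print(server_accepts(retry))                                # (False, 86): downgrade detected
    print(server_accepts(build_client_hello(SSL_3_0, [0x002F])))  # (True, None): no SCSV, accepted
```

TLS_FALLBACK_SCSV only lets the server detect a client's own retry at a lower version; a client that genuinely offers SSL 3.0 without the SCSV is still accepted, as the last call shows. Refusing SSL 3.0 outright (the server_min_version=TLS_1_0 case) is the stronger fix and is what a practitioner should verify on any management interface after the upgrade.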

Security Policy

• On all branch SRX Series devices, when you swap the sequence of security policies or when security policies are disabled by a scheduler, the applications configured in these security policies might be added to other enabled security policies. This might cause unexpected applications to be evaluated by other security policies, and traffic to be permitted or denied unexpectedly.

PR1033275

Simple Network Management Protocol (SNMP)

• On all branch SRX Series devices, there are compilation problems with the following MIBs:

• mib-jnx-license

• mib-jnx-sp-nat

• mib-jnx-subscriber

These three objects are defined in the Junos OS Release 11.2 version of JUNIPER-SMI, but they are missing in Junos OS Release 12.1.

PR794327

System Logging

• On all branch SRX Series devices, if the stream mode logging has an incomplete configuration for multiple streams, after a reboot the system might not send stream logs to the properly configured streams.

PR988798

Unified Threat Management (UTM)

• On all branch SRX Series devices with UTM content filtering enabled, when the filename extension value is set to .com to block URLs, the content filtering feature incorrectly treats the <searchpart> as a path and blocks URLs that end with .com.

PR1008108

• On all branch SRX Series devices, on the Dashboard page, the serial number and the system uptime are not displayed.

PR1009371

• On all branch SRX Series devices, when WebTrends Enhanced Log File (WELF) format is configured for the security log, the device generates very long WELF-formatted logs (for example, logs of more than 1000 bytes). When the log is truncated on the Packet Forwarding Engine and sent to the Routing Engine, memory corruption occurs, causing the flowd process to crash. This issue generally occurs when UTM Web filtering is configured.

PR1038319


Virtual Private Networks (VPN)

• On all branch SRX Series devices deployed as the hub in a hub-and-spoke VPN scenario with dynamic endpoint VPN (DEP VPN) spokes, if manual NHTBs are configured, changing (adding or deleting) NHTBs might cause other NHTBs to be deleted and existing tunnels to go down.

PR1001692

• On all branch SRX Series devices in a group VPN setup, all the registered members might suddenly disappear from the key server due to a memory leak.

PR1023940

• On all branch SRX Series devices in a dynamic endpoint (DEP) VPN scenario, the VPN tunnel might stay in the down state after the user-at-hostname value is changed.

PR1029687

• On all branch SRX Series devices in an AutoVPN configuration, after a reboot the VPN tunnel might not come up and an error with the private key is reported.

PR1032840

Resolved Issues in Junos OS Release 12.1X44-D40 for Branch SRX Series Services Gateways

Application Layer Gateways (ALGs)

• On all branch SRX Series devices, when RTSP ALG traffic passes through a routing instance of type virtual-router, under some conditions the traffic is dropped.

PR979899

• On all branch SRX Series devices, when there is heavy SIP traffic through the device, high CPU usage is seen on one or more SPUs. This issue occurs due to a certain type of SIP-handling logic, which dumps payload packets to the internal buffer. This logic has been optimized to reduce load on the SPU.

PR985932

• On all branch SRX Series devices in a chassis cluster with the PPTP ALG enabled and the PPTP session closed, a memory corruption might occur on the secondary node, which causes the flowd process to crash.

PR993447

Chassis Cluster

• On all branch SRX Series devices, gratuitous ARP (G-ARP) replies do not update the existing MAC address entry. When the MAC address timer expires, a new MAC address is updated.

PR953879

• On all branch SRX Series devices, in dual fabric link chassis clusters, when the control link and one fabric link go down, the chassis cluster goes into a “split brain” condition in which both nodes become primary. With one fabric link up, the secondary node of the chassis cluster goes into an ineligible state and then into the disabled state.

PR989548


Dynamic Host Configuration Protocol (DHCP)

• On all branch SRX Series devices, when the DHCP client (a Windows PC) sends only one DISCOVER packet, the DHCP server (an SRX Series device) receives two DISCOVER packets and replies with two OFFER packets. However, this does not prevent the IP address from being allocated to the DHCP client.

PR894760

Flow-Based and Packet-Based Processing

• On J Series devices, multicast traffic is not forwarded if source NAT is used on the traffic.

PR782159

• On all branch SRX Series devices, under certain conditions, creation of a multicast leaf session might result in an invalid multicast next hop. This causes the flowd module to crash.

PR921438

• On all branch SRX Series devices, multicast traffic might cause a memory leak on the data plane.

PR947894

• On all branch SRX Series devices, when you reboot the passive node, the CPU usage increases on flow SPUs of the primary node and this lasts for a few seconds when the traffic latency is increased.

PR962401

• On all branch SRX Series devices deployed in a multicast scenario, a memory leak in the fwdd process might occur when the multicast routes change.

PR963116

• On all branch SRX Series devices, in certain situations when the device has more than one IKE Security Association (SA) installed for the same peer device and DPD is triggered, the DPD messages are not sent from the device to the peer, and the stale IKE SA remains installed on the device until it expires.

PR967769

• On all branch SRX Series devices with selective stateless packet-based services configured, self-traffic generated on custom routing instances is dropped if it is forwarded in packet-based mode.

PR968631

• On SRX550 devices, the maximum flow sessions are listed incorrectly. The devices have larger session capacities than the listed session values.

PR977169

• On all branch SRX Series devices, for IDP, AppSecure, ALG, GTP, or SCTP, flow serialization impacts session performance. This flow serialization continues even after Layer 7 processing is completed.

PR986326

• On all branch SRX Series devices, due to an indirect next-hop change, memory corruption occurs in the flow route lookup table, which causes the flowd process to crash.

PR988659

Interfaces and Routing

• On all branch SRX Series devices with 3G wireless modems, the 3G dialer interface dl0.0 might get stuck in the link-down state.

PR855897

Intrusion Detection and Prevention (IDP)

• On all branch SRX Series devices, when the IDP security package update contains a detector version change, the configured detector kconst values are not pushed from the idpd process to the Packet Forwarding Engine. Hence, the newly loaded detector takes default values.

PR971010

• On all branch SRX Series devices, when you configure an automatic security package update without configuring the schedule interval and start time, high CPU usage on the idpd process is seen.

PR973758

J-Web

• On all branch SRX Series devices, when you open several connections to J-Web from the same IP address, the HTTP process might hang and J-Web becomes unresponsive.

PR974042

Platform and Infrastructure

• On SRX220 and SRX550 devices, you can configure a maximum of 250 connections as the connection limit. However, 250 connections cannot actually be established. To set the maximum connection limit, use the set system services telnet connection-limit command.

PR976318

Unified Threat Management (UTM)

• On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) option enabled, the chunked HTTP traffic might be terminated unexpectedly by the client due to incorrect content sent by the SRX Series devices. As a result, the whole page or partial content is not displayed in the client browser.

PR971895

Virtual Private Networks (VPN)

• A file descriptor leak occurs in the network-security-trace process when configuration changes are committed under the [edit security ike] hierarchy. Eventually, the system reaches the maximum file limit, which leaves the system unmanageable.

PR893017

• On all branch SRX Series devices, in a hub-and-spoke IPsec VPN scenario, on the hub site, when you commit the static NHTBs on the multipoint secure tunnel (st0) interface, the VPN routes might become active even though the VPN tunnel is down. This issue also occurs when you reboot the system with static NHTBs and the related static routes configured.

PR947149

• On all branch SRX Series devices, IPsec VPN tunnels could not come up due to unavailability of buffer space.

PR985494

• On all branch SRX Series devices, dynamic VPN user groups are not able to access certain remote resources. However, you can log in to dynamic VPN and assign an IP address.

PR988263

Resolved Issues in Junos OS Release 12.1X44-D35 for Branch SRX Series Services Gateways

Application Layer Gateways (ALG)

• On SRX Series devices, the REAL ALG is not supported, but you can configure it from both the CLI and J-Web.

PR943123


• On all branch SRX Series devices, a flowd core file is generated because of a malformed SIP packet.

PR956157

AppQoS

• When GRE is enabled, AppQoS classification, marking, or rate limit does not work for fragmented packets in the client-to-server direction.

PR924932

Chassis Cluster

• On all branch SRX Series devices in a chassis cluster, if an identical address is found on the private and public interfaces, a kernel panic occurs after RG0 failover.

PR937438

• On all branch SRX Series devices in a chassis cluster, the counter for incoming traffic on a fabric interface always shows zero (0).

PR949962

• On all SRX Series devices (except the SRX110) in an asymmetric chassis cluster scenario, the secondary node (for example, node 1) uses a local interface to back up the interface on the primary node (for example, node 0). If there is a route change, the traffic egresses from the backup interface, which is the local interface of node 1. After the route is restored, the traffic egresses again from the primary interface, which is the local interface of node 0. The session related to the route change is in the active state on both nodes. Traffic might be interrupted when the session times out on the backup node and the session on the primary node is deleted.

PR951607

Command-Line Interface (CLI)

• On SRX210 devices, you could not configure 0.0.0.0/0 in the dialer-options watch-list. The set interfaces dl0 unit 0 dialer-options watch-list 0.0.0.0/0 command failed.

PR841371

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, the DHCP server on the device gives the same IP address to two different hosts and both hosts are active in the MAC binding table, causing a connectivity issue. This issue might occur if the DHCP server receives a DHCP INFORM packet from a binding client and a DHCP RELEASE packet from the same client.

PR969929

Flow-Based and Packet-Based Processing

• On SRX240, SRX550, and SRX650 devices, when the device receives out-of-order packets while transferring large TCP files, the throughput might be heavily impacted.

PR881761

• On SRX240, SRX550, and SRX650 devices, if IDP, AppSecure, ALG, GTP, or SCTP with serialized flow processing is enabled, the flowd process might crash when a next-hop change occurs.

PR883187

• On SRX210 devices running in packet mode, when DSCP marking (32-63) is on and the destination MAC address in the packet header is present in the SRX ARP table, the device replies to packets that are not destined to it. On devices in a chassis cluster, you must ensure that packets not destined to the SRX210 do not reach the device.

PR950486


• On SRX240, SRX550, and SRX650 devices, when the device receives a TCP reset (RST) and a FIN (the second FIN of the session) at the same time for a session, the RST and the FIN packet might be processed by different threads, causing an incorrect session timeout update, and the session remains in the session table for 150 seconds.

PR950799

• On SRX240, SRX550, and SRX650 devices, in certain situations flow session timeouts become corrupted and are set to an abnormally high value, which eventually leads to the session table becoming full.

PR955630

• On all branch SRX Series devices in a site-to-site VPN scenario, when the device is configured as an IPsec initiator, the flow session timeout is refreshed by the reroute packet. This causes an old session to remain in the session table, the VPN connection not to recover, and packet drops to occur.

PR959559

• On all branch SRX Series devices with the IP spoofing screen enabled, the routing table search fails when it is locked by the system. As a result, false positives occur on IP spoofing detection.

PR967406

Hardware

• On SRX550 and SRX650 devices, the SRX-GP-DUAL/QUAD-T1-E1 GPIM might have interoperability issues with the remote CSU using the national standard feature due to a violation of ITU-T recommendation G.704.

PR939944

Interfaces and Routing

• On SRX550 devices, VRRP does not work when it is connected through an IRB interface.

PR834766

• On SRX550 devices, the T1/E1 or T3/E3 FPC goes offline after a switched port is provisioned on the ge-0/0/0 interface.

PR919617

• On SRX Series devices with the 3G USB wireless modem, when the signal is low, the 3G cellular modem interface (cl-0/0/*) displays the status as Connected even though there is no signal or there is a low signal with no network connection. This is because there is no mechanism for the wireless WAN process to notify the Routing Engine of the status change, even though the Packet Forwarding Engine is notified. After the signal recovers, the 3G cellular modem interface is not able to dial again.

PR923056

• On all branch SRX Series devices, because of a timing issue, the VLAN interface might fail to add security zone information after the RG0 failover.

PR944017

• On all SRX Series devices, modifying a policy element that is deactivated by the policy scheduler leads to problems in searching the policy tree in memory. An incorrect policy match occurs after the policy is reactivated by the scheduler.

PR944215

• On all branch SRX Series devices with interfaces encapsulated with ethernet-ccc, when you connect to an aggregated Ethernet interface with LACP enabled, the LACP packets do not pass through the ethernet-ccc encapsulated interface.

PR945004

• On all branch SRX Series devices, when RG0 failover is triggered, the old RG0 primary node reboots, or both nodes reboot.

PR953723


• On SRX100B2, SRX100H2, SRX210B, SRX210HE2, SRX210HE2POE, SRX220H2, SRX220H2POE, SRX240B, SRX240B2, SRX240H2, and SRX240H2POE devices, the PPPoE session is disconnected or the connection is not available.

PR956307

• When you configure an ICMP probe-server option under the [services rpm] hierarchy for a specific interface (for example, ge-0/0/0), the device does not respond to ICMP requests from this interface. Other interfaces are not affected and continue to respond to ICMP requests.

PR960932

Intrusion Detection and Prevention (IDP)

• When you disable the IDP policy optimizer using the set security idp sensor-configuration no-policy-optimizer command, the policy fails to load after a reboot.

PR883258

• On all branch SRX Series devices with IDP enabled, when you use the hardware Deterministic Finite Automaton (DFA), which is enabled by default on all branch SRX Series devices except SRX100 and SRX110 in Junos OS Release 11.4, a false positive might occur for the signature APP:RDP-BRUTE-FORCE.

PR911994

• On all branch SRX Series devices, the IDP process crashes unexpectedly when the device memory is low.

PR919790

• On all SRX Series devices, a new entry or flag representing an alert notification is seen in the syslog message. If alert is configured in the IDP rule, the flag is set to yes; otherwise, it is set to no.

PR948401

IPv6

• When you use IS-IS for forwarding only IPv6 traffic without configuring IPv4 routing, if you perform SNMP get or walk operation on an IS-IS routing database table, the routing protocol process (rpd) might crash and restart, causing a momentary traffic drop.

The same crash might occur when IPv4 and IPv6 routing have been enabled under different IS-IS SPF topology (using topologies ipv6-unicast).

PR753936

J-Web

• On all branch SRX Series devices, J-Web does not display the log sessions.

PR962892

• In J-Web, the App-FW page does not show the counter information.

PR972473

Platform and Infrastructure

• On all branch SRX Series devices, when using JDHCP, the server does not respond to the client with a DHCPOFFER packet when it receives a DHCPDISCOVER packet from the client. This causes the authd process to consume a large amount of CPU and the usage of the /mfs partition to grow.

PR925111

• On all SRX Series devices, an SSH connection is not possible between Cisco devices running IOS version 15 or later and SRX Series devices running Junos OS Release 11.2 or later.

PR957483

• On J Series devices, kernel warnings about kern.maxproc nearing the limit value might appear in the log.

PR958358


Screens

• On all branch SRX Series devices, when you use the screen ids-option limit-session destination-ip-based command, the session synchronization is not correct.

PR940029

Unified Threat Management (UTM)

• On all branch SRX Series devices, when the category action is permit, the result is the category site-reputation action; when no category reputation action is defined, the result is the global site-reputation action and then the default action. This confusion occurs because the explicit permit action is not honored for the specific category. To resolve this problem, configure the explicit action directly on the category. If you do not configure any action, the global site-reputation action is used next. Category reputation is not used in enhanced Web filtering.

PR939352

• On all branch SRX Series devices, the test security utm anti-virus command for the antivirus feature does not work and returns an Invalid argument error.

PR951124

• On all branch SRX Series devices, when the KAV license expires and a new license is installed, deleting the old license file causes the KAV engine status to change to Not Ready. The deletion event triggers an AV license status update, and the utmd process might conclude that the KAV license is not installed and unload the pattern database.

PR954590

Virtual Private Networks (VPN)

• On all branch SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link increases.

PR941999

• On all branch SRX Series devices configured as a route-based IPsec dynamic endpoint (DEP) VPN node, the VPN tunnel interface st0.X link incorrectly remains up when the IPsec Security Association (SA) is not established, even though VPN monitoring or establish-tunnels immediately is configured.

PR947552

• On all SRX Series devices, in some situations, if the CRL server is not reachable, a memory leak might occur and the message kern.maxfiles limit exceeded by uid 0 is shown on the console. As a result, the device administrator is no longer able to log in to the device.

PR959194

• On all branch SRX Series devices, when dynamic VPN is configured, it is not possible to configure the local-certificate or pki-local-certificate options for Web management. A commit error is displayed when these options are configured. Only the self-signed certificate option can be configured.

PR969672

• IPsec VPN tunnels could not come up due to unavailability of buffer space.

PR985494


Resolved Issues in Junos OS Release 12.1X44-D30 for Branch SRX Series Services Gateways

Application Layer Gateway (ALG)

• On SRX Series devices with the SCCP ALG and NAT enabled, the xlate context from the caller to Call Manager might be accidentally deleted when SCCP calls are made between phones in the same subnet. Because of this, the payload of the StartMediaTransmission message might not be translated and the call fails.

PR936578

Access and Authentication

• The login process might crash due to abnormal disconnection behavior during login.

PR802169

• On SRX Series devices, when Web authentication is enabled using SecurID authentication, the Web authentication fails if there is a change in the DNS server configuration. This issue occurs because the authd process still uses the cached old DNS server for its DNS requests.

PR885810

BGP

• In some cases, when you configure the MSS for a BGP session using the set protocols bgp tcp-mss <value> command, the configured MSS value is ignored and the MSS calculated from the MTU of the outgoing interface is used instead.

PR717763

• Under specific time-sensitive circumstances, if BGP determines that an UPDATE is too big to be sent to a peer and immediately attempts to send a withdraw message, the routing protocol process (rpd) might crash. An example of an oversized BGP UPDATE is one in which a very long AS_PATH causes the packet to exceed the maximum BGP message size (4096 bytes). A very large number of BGP communities can also push a message past the maximum size. Please refer to JSA10609 for additional information.

PR918734
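To see how AS_PATH and community sizes add up against the 4096-octet ceiling mentioned above, here is an added example that is neither Juniper code nor rpd's encoder: it assembles a minimal IPv4 UPDATE per RFC 4271 (ORIGIN, AS_PATH with two-octet ASNs, NEXT_HOP, NLRI) and RFC 1997 (COMMUNITIES), and reports the message size before building it, so an oversized update is rejected rather than emitted. The attribute layout and the 19-octet header come from the RFCs; the function names, the IGP origin, and the sample prefixes, ASNs, and communities are assumptions constructed for illustration.

```python
import struct
from math import ceil

BGP_MAX_MESSAGE_SIZE = 4096   # RFC 4271, section 4.1: maximum BGP message length
BGP_HEADER_LEN = 19           # 16-octet marker + 2-octet length + 1-octet type
BGP_UPDATE = 2

# Path attribute type codes (RFC 4271, RFC 1997)
ORIGIN, AS_PATH, NEXT_HOP, COMMUNITIES = 1, 2, 3, 8
AS_SEQUENCE = 2


class UpdateTooLarge(ValueError):
    """Raised when an UPDATE would exceed the protocol's maximum message length."""


def _attr(flags, type_code, value):
    """Encode one path attribute; set the Extended Length flag (0x10) when value > 255 octets."""
    if len(value) > 255:
        return bytes([flags | 0x10, type_code]) + struct.pack("!H", len(value)) + value
    return bytes([flags, type_code, len(value)]) + value


def encode_as_path(asns):
    """AS_SEQUENCE segments of at most 255 two-octet ASNs each (segment length is one octet)."""
    out = b""
    for i in range(0, len(asns), 255):
        chunk = asns[i:i + 255]
        out += bytes([AS_SEQUENCE, len(chunk)]) + b"".join(struct.pack("!H", a) for a in chunk)
    return out


def encode_prefix(prefix):
    """NLRI entry: one length octet followed by the minimal number of prefix octets."""
    ip, plen = prefix.split("/")
    plen = int(plen)
    return bytes([plen]) + bytes(int(o) for o in ip.split("."))[:ceil(plen / 8)]


def encode_update_body(as_path, next_hop, prefixes, communities=()):
    """Everything after the 19-octet header: withdrawn length, attributes, NLRI."""
    attrs = _attr(0x40, ORIGIN, b"\x00")  # well-known transitive; ORIGIN = IGP (assumed)
    attrs += _attr(0x40, AS_PATH, encode_as_path(as_path))
    attrs += _attr(0x40, NEXT_HOP, bytes(int(o) for o in next_hop.split(".")))
    if communities:  # optional transitive; each community is a 2+2 octet pair (RFC 1997)
        attrs += _attr(0xC0, COMMUNITIES, b"".join(struct.pack("!HH", *c) for c in communities))
    nlri = b"".join(encode_prefix(p) for p in prefixes)
    return struct.pack("!HH", 0, len(attrs)) + attrs + nlri


def update_size(as_path, next_hop, prefixes, communities=()):
    """Total on-the-wire size of the UPDATE, so a sender can check it before building the message."""
    return BGP_HEADER_LEN + len(encode_update_body(as_path, next_hop, prefixes, communities))


def build_update(as_path, next_hop, prefixes, communities=()):
    """Return the full UPDATE message, or raise instead of emitting an oversized one."""
    body = encode_update_body(as_path, next_hop, prefixes, communities)
    total = BGP_HEADER_LEN + len(body)
    if total > BGP_MAX_MESSAGE_SIZE:
        raise UpdateTooLarge(f"UPDATE would be {total} octets; maximum is {BGP_MAX_MESSAGE_SIZE}")
    return b"\xff" * 16 + struct.pack("!HB", total, BGP_UPDATE) + body


if __name__ == "__main__":
    # Constructed inputs: a short path fits easily; 2050 ASNs or 1020 communities do not.
    print(update_size([65001, 65002], "10.0.0.1", ["192.0.2.0/24"]))
    print(update_size(list(range(1, 2051)), "10.0.0.1", ["192.0.2.0/24"]))
    print(update_size([65001], "10.0.0.1", ["192.0.2.0/24"], [(65000, i) for i in range(1020)]))
```

With two-octet ASNs, roughly 2000 AS_PATH entries or 1000 communities on a single prefix already consume the whole message; the sender must split the NLRI or drop the route, and this check is the point at which that decision belongs.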

Chassis Cluster

• If one or more Packet Forwarding Engine peers are slow in consuming ifstates, the secondary Routing Engine does not send a CP ACK to the master Routing Engine within the prescribed time. As a result, the secondary Routing Engine is assumed to be having a problem, and the connection for the secondary Routing Engine peer is reset to ensure that ksyncd can clean up the ifstates on the secondary Routing Engine and resynchronize with the master Routing Engine. Now, if the secondary CP ACK does not arrive in the prescribed time and a Packet Forwarding Engine is found to be causing the delay, that information is logged and the CP ACK timer is reset. If no peer is found to be causing the delay, the previous behavior of resetting the secondary Routing Engine connection is retained.

PR727344

• On J Series devices in a chassis cluster, when you manually trigger restart forwarding on the primary node, the secondary node might go into the disabled state and cannot be recovered to the normal state without rebooting both nodes.

PR895614


• In some conditions, due to a memory operation issue, the chassisd process might crash.

PR920660

• On SRX240 devices (H2 and B2 models) running Junos OS Release 11.4R8 or 11.4R9, you cannot upgrade to Junos OS Release 11.4R10 or later. You can upgrade from Junos OS Release 11.4R8 or 11.4R9 to Junos OS Release 12.1X44-D10, 12.1X45-D10, and 12.1X46-D10.

PR934393

Class of Service

• When you use a classifier based on EXP bits on a PE router, the CoS marked MPLS traffic is forwarded to the default egress queues instead of the custom configured queues.

PR920066

Command-Line Interface (CLI)

• When you run the show system core-dump core-file-info command, the device might reboot. This is because the command uses /tmp, and when the core files are uncompressed, the /tmp file system might be exhausted. /tmp in turn uses the swap device only; the Memory File System (MFS) and the rest of Junos OS share the same swap space. Consuming more swap space might lead to out-of-memory and swap situations, which could eventually bring down the system.

PR808243

• After an upgrade, you cannot copy files between nodes in a cluster using the file copy command.

PR817228

• Certain combinations of Junos OS CLI commands and arguments have been found to be exploitable in a way that can allow root access to the operating system. This may allow any user with permission to run these CLI commands to achieve elevated privileges and gain complete control of the device. Please refer to JSA10608 for additional information.

PR912707, PR913328, PR913449, PR913831, PR915313, PR915957, PR915961, PR921219, PR921499

• When xnm-ssl or xnm-clear-text is enabled within the [edit system services] hierarchy level of the Junos OS configuration, an unauthenticated, remote user could exploit the XNM command processor to consume excessive amounts of memory. This, in turn, could lead to system instability or other performance issues.

PR925478


Dynamic Host Configuration Protocol (DHCP)

• On SRX Series devices that work as a DHCP client, when the connection with the primary DHCP server is lost and the SRX Series device tries to renew the lease, the SRX Series device drops the DHCP rebind acknowledgement from the secondary DHCP server that tries to assign the same IP address to it.

PR911864

Forwarding and Sampling

• When the system archival feature is configured, the configuration is backed up at an archival site periodically. This might leave behind files in /var/tmp when the connection to the remote site fails.

PR778962

Flow-Based and Packet-Based Processing

• On all branch SRX Series devices with the MS-RPC ALG enabled, when the junos-ms-rpc application is not configured in the security policy and the MS-RPC control session is permitted by a security policy that matched the application "any", the MS-RPC ALG should not check the MS-RPC data session, which should be permitted by the security policy. If the MS-RPC data session is configured to be processed by one or more other services such as IDP, UTM, AppID, or AppFW, the MS-RPC ALG incorrectly checks the MS-RPC data session and discards it.

PR904682

• On SRX100, SRX110, SRX210, and SRX220 devices with FTP ALG enabled, ICMP redirect might not work for FTP traffic.

PR904686

• On all branch SRX Series devices, the memory allocated for a multicast session might not release when multicast reroute occurs, leading to a memory leak.

PR905375

• On all branch SRX Series devices, when you delete a large number of interfaces and commit the configuration, and then add a large number of interfaces and commit the configuration again, the session scan fails. Because a session related to one of the deleted interfaces might still be active, if subsequent traffic matches the session, the traffic is dropped. This scenario occurs when you delete an interface and then add it again immediately while the remote host is still generating traffic that matches the original session. During flow checking, the session interface, having previously been deleted, is reported as invalid.

PR915422

• On SRX100H2 devices, the device reboots unexpectedly and multiple core files are generated due to a DDR2 memory timing issue between DRAM and CPU. The symptoms include flowd core files, core files from other processes (for example, snmpd, ntpd, and rtlogd), and silent reboot without core file and system freeze. These core files are related to random memory access (for example, pointer corruption in session ager ring entry) and there are no consistent circumstances that cause these core files to be generated.

PR923364

General Routing

• When you execute the show route community-name command with an empty string, as in show route community-name " ", rpd might crash and a core file is generated.

PR776542


• On VLAN-tagged Ethernet frames (802.1p), you cannot modify the VDSL priority bits.

PR817939

• In a setup where virtual router routing instances are connected with a looped cable and at least one of the interfaces is VLAN, unicast communication is unsuccessful.

PR909190

Interfaces and Chassis

• On J Series devices, a Layer 2 loop might occur for a short time when the request system power-off, request system reboot, or request system halt command is performed.

PR856457

• When the SHDSL Mini-PIM is configured in two-wire ATM mode with the regional annex as B or G, a display mismatch of the annex is seen on one of the physical interfaces, but this issue does not affect the feature functionality.

PR874249

• A checksum error is seen on the ICMP reply when the sequence and data fields in the request are set to zero.

PR898487

• If branch SRX Series devices participating in a chassis cluster have many route entries, when the secondary node reboots, the "power on" command from the Routing Engine to the secondary node's FPC might be lost, preventing the FPC on the secondary node from coming up. This issue occurs for a software reboot or a power cycle.

PR907341

• On SRX550 devices with DS3/E3 interfaces, the external clocking option was disabled to work around a hardware limitation with this clocking option. With the revised version of the hardware, the external clocking limitation has been fixed, so the external clocking option is reenabled.

PR936356

Intrusion Detection and Prevention (IDP)

• On SRX Series devices with a large number of AppID application-system-cache entries (for example, more than 100,000 entries on SRX3400), the flowd process might crash while listing these entries using the show services application-identification application-system-cache command.

PR886173

IPv4

• In some cases, ARP response is not accepted when the frame size is above the common value (for example, when the frame was padded by intermediate Layer 2 devices).

PR927387

IPv6

• Logical interface inet6 protocol might be stuck at down state because of either external loopback or detection of a duplicate inet6 address. Duplicate Address Detection (DAD) will not run after this inet6 protocol-down event.

PR834027

J-Web

• On the SRX Series and J Series devices, the J-Web interfaces will not be available on port 32768 or greater, even after configuration.

PR462624


• J-Web fails to show all policies under the from or to zone if one of them has the “##” string in the description field.

PR917136

Platform and Infrastructure

• When there are three or more of the same destination routes pointing to a different interface, deleting and again adding one of the logical interfaces might trigger a kernel crash, due to a timing issue with route deletion. This crash is triggered in specific topologies, such as an OSPF3 next-hop that is connected to a different vendor device.

PR753849

• Processing of a neighbor advertisement can get into an infinite loop in the kernel, given a special set of events with respect to the neighbor cache entry state and the incoming neighbor advertisement.

PR756656

• In a DHCP-relay subscriber management environment with an output firewall filter configured on an IRB interface to discard the DHCP offer packets, while DHCP-relay subscribers log in, the Junos OS kernel tries to free an already freed memory buffer, which causes the kernel to crash and generate core files.

PR824470

• On SRX210HE devices, fan speed versus temperature behavior changed after upgrading to Junos OS Release 12.1X44-D30.

PR910977

Routing Policy and Firewall Filters

• In some scenarios with multiple routing instances defined, DNS names in the address book entries might not get resolved, making the corresponding security policies nonoperational.

PR919810

Routing Protocols

• On broadcast networks running IS-IS, an RPD restart event on one IS-IS router could result in the loss of IS-IS routes on another router, which will remain in this state until the adjacency is cleared. This issue does not occur on IS-IS point-to-point networks.

PR734158

Security

• The glob implementation in libc allows authenticated remote users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames. This vulnerability can be exploited against a device running Junos OS with FTP services enabled to launch a high CPU utilization partial denial of service attack. Please refer to JSA10598 for additional information.

PR558494

• If Proxy ARP is enabled on an unnumbered interface, an attacker can poison the ARP cache and create a bogus forwarding table entry for an IP address, effectively creating a denial of service for that subscriber or interface. When Proxy ARP is enabled on an unnumbered interface, the router will answer any ARP message from any IP address which could lead to exploitable information disclosure.

Please refer to JSA10595 for additional information.

PR842092


System Logs

• Memory leak is observed with periodic packet management process (ppmd), and the following log is generated:

/kernel: Process (1413,ppmd) has exceeded 85% of RLIMIT_DATA: used 115596 KB Max 131072 KB

PR747002

• In an IS-IS scenario, with trace option enabled and the system log level set to debug routing options, if the router has two IS-IS neighbors with the same router ID, after you configure the same ISO system ID on these two IS-IS neighbors, RPD on the router crashes and generates core files.

PR912812

Unified Threat Management (UTM)

• Invalid notification options are displayed in the antivirus fallback-block notification.

PR787063

• On all branch SRX Series devices with Unified Threat Management (UTM) content filtering configured, a long filename encoded with ISO-2022 might not match the content filtering extension blocking policy even if the extension blocking list does not contain the type of file extension. As a result, the file is dropped.

PR865607

• On all branch SRX Series devices, when the Websense ThreatSeeker Cloud (TSC) server upgrades to version 1.2.4 and above, the Enhanced Web filtering feature works improperly, the HTTP requests time out, and the timeout fallback setting is applied.

PR931345

• Before the HTTP 200 OK with chunk-size passes an antivirus engine, it is recognized as an invalid data packet.

PR937539

Virtual Private Network (VPN)

• If the VPN external interface configuration changes from static IP address assignment to DHCP-based dynamic address assignment, along with any VPN configuration change in the same commit, the IPsec Key management process might restart. As a workaround, change the external interface configuration (from static IP to DHCP based) and perform the VPN configuration change in two different commits.

PR837943

• On all branch SRX Series devices, a memory leak occurs on the data plane during continuous interface flapping, such as when interfaces are continuously added or deleted.

PR898731

• For IKEv2, if an SRX Series device running Junos OS Release 12.1X46-D10 is in negotiation with a peer SRX Series device running Junos OS Release 11.4 or 12.1X44, a kmd core file might be generated on the peer device during IPsec child SA rekey. This does not impact any IKEv1 scenarios.

PR915376

• On SRX Series devices, NAT-T keepalive messages are not sent out if the IPsec VPN tunnel is established from the routing instance. This causes NAT session timeout in the intermediate NAT device. Note that NAT-T is enabled by default on all SRX Series devices.

PR918889


• On all branch SRX Series devices configured with group VPN, the flowd process might crash when the group VPN Security Association (SA) rekeys and swaps to the new VPN tunnel.

PR925107

• Upon RG0 failover, new IPsec security associations are created along with the old one.

PR941274

• On all SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link increases.

PR941999

Resolved Issues in Junos OS Release 12.1X44-D25 for Branch SRX Series Services Gateways

Application Layer Gateways (ALGs)

• On SRX Series devices in a chassis cluster, the flowd process might crash when ALG is enabled and a security policy is configured with the log option for ALG traffic.

PR889097

• The Sun RPC ALG might not work properly when the Sun RPC server replies with a get-address packet to the client. This might wrongly truncate the server's address, which causes the Sun RPC connection to fail.

PR901205

Authentication and Access Control

• On all branch SRX Series devices configured with firewall authentication, if a user has already been authenticated, and then a subsequent user initiates authentication using the same IP address as the first user, the subsequent user inherits the first authenticated user's remaining access time value.

PR843591

Certificate Authority (CA)

• When the PKI certificate expires at a later date, the output of the show security pki ca-certificate detail command incorrectly shows "Not after: time not determined UTC" under the Validity field.

PR878036

Chassis Cluster

• On devices in a chassis cluster, during a control link failure, if the secondary node is rebooted by control link failure recovery, the rebooted node will go into disable state even after startup.

PR828558

• On SRX210, SRX220, and SRX240 devices, the maximum transmission unit (MTU) value on the SRX-MP-1SFP-GE Mini-PIM interface is 9010. If the Mini-PIM interface is configured as a chassis cluster fabric interface, the fabric interface automatically sets the MTU value to 9014 to support jumbo frames. Setting the MTU value fails on the Mini-PIM interface configured as a chassis cluster fabric interface, and the Mini-PIM interface retained the default MTU setting (1514). The packets that were larger than the 1514-byte frame were dropped because the chassis cluster fabric interface did not support fragmentation.


NOTE: In Junos OS releases earlier than 11.4R1, the SFP interfaces on Mini-PIMs are not yet supported for use as the fabric link in a chassis cluster.

PR865975

• On J Series devices in a chassis cluster, when you manually trigger restart forwarding on the primary node, the secondary node might go to disabled status and cannot be recovered back to normal state without rebooting both nodes.

PR895614

Command-Line Interface (CLI)

• When the RPM probe-test fails, the RPM script is triggered twice.

PR869519

General Routing

• On SRX Series devices, when there are multiple interfaces configured as DHCP clients, if one of the DHCP client interfaces moves from down state to up state, the IP address acquired by other DHCP client interfaces will be deleted unexpectedly and be added back after a while. There will be temporary traffic interruption until the deleted IP address is recovered automatically.

PR890124

• Prior to Junos OS Release 11.4R9, DHCP option 125 cannot be configured for use as the byte-stream option. With Junos OS Release 11.4R9 and later releases, DHCP option 125 can be used for the byte-stream option.

PR895055

Flow-Based and Packet-Based Processing

• When DNS ALG was enabled, the rewrite rules applied on the egress interface might not work for DNS messages.

PR785099

• After enabling IPv6 in flow mode, IPv6 routes are not active.

PR824563

Interfaces and Chassis

• On J Series devices, E1 LCP links cannot be recovered after BERT tests.

PR600846

• When a symmetric high-speed DSL (SHDSL) Mini-PIM is configured in 2-wire mode with annex mode as Annex B/G, one of the physical interfaces did not come up.

PR882035

• When there is a configuration change in the VDSL profile from one to another, the VDSL line does not retrain and come up with the newly configured VDSL profile.

PR898775


Interfaces and Routing

• When the Flexible PIC Concentrator (FPC) is removed or made to go offline, the FPC status does not get detected.

PR818363

J-Web

• The ASN.1 buffered I/O functions in OpenSSL before 0.9.8v do not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks and causes a denial of service (memory corruption). J-Web is explicitly not affected by this vulnerability, because J-Web is a server and this is a client-side vulnerability. However, many other functions in Junos OS use these buffered I/O routines and can trigger fetches of untrusted X.509 certificates. Refer to PSN-2012-07-645 for more information.

PR770702

• J-Web fails to display the member in the application set after adding it to the nested application set.

PR883391

• Although the policy is configured by using J-Web, the address set is seen as undefined in the Policy Wizard. But if a policy is created from Security>Policy> Apply policy, the address set can be seen.

PR892766

• In J-Web, the configured maximum flow memory value key max-flow-mem is marked as deprecated and hidden. Therefore, the maximum flow memory value cannot be fetched or displayed in J-Web.

PR894787

Network Management and Monitoring

• Under certain conditions, a duplicate SNMP index might be assigned to different interfaces by the kernel to the mib2d (Management Information Base II process). This might cause mib2d and other processes such as lacpd (LACP process) to crash and generate core files.

PR836823

Platform and Infrastructure

• There is no specific CLI command to display the count of sessions allowed, denied, or terminated because of UAC enforcement.

PR733995

• When you enable Change password every time the user logs out on the active directory, you cannot change your password.

PR740869

• There is a mismatch between the version displayed in the show configuration and show version commands.

PR790714

• In a DHCP-relay subscriber management environment with an output firewall filter configured on an Integrated Routing and Bridging (IRB) interface to discard the DHCP offer packets, while DHCP-relay subscribers log in, the Junos kernel tries to free an already freed memory buffer, which causes the kernel to crash and generate core files.

PR824470

• When Junos Space sends a query to an SRX Series device, the device sends back junos:changed-localtime instead of junos:commit-localtime.

PR839439

• On SRX240 devices, when a nonstandard HTTPS port is set, the Uniform Resource Identifier (URI) changes to the IP address and port.

PR851741


• After executing zeroize on SRX100H, the system will revert back to SRX100B due to the licenses being deleted.

NOTE: See KB27230 - How to restore mem-upg license for an SRX100H after executing request system zeroize at http://kb.juniper.net/KB27230

PR863962

• On J Series devices, self-originating outbound traffic always uses the first logical unit queue.

PR887283

• In certain conditions, SRX100B and SRX100H Series devices might experience unexpected system reboot or generate core files due to a DDR2 memory timing issue between DRAM and CPU. Generation of flowd core files and core files from other processes (for example, snmpd, ntpd, and rtlogd) can occur, as well as silent reboot without generation of a core file. The generation of core files is related to random memory access (for example, pointer corruption in a session ager ring entry).

PR909069

Routing Policy and Firewall Filters

• The Routing Engine control plane showed the HTTPS timeout value as 1800 seconds as opposed to the actual value of 300 seconds.

PR858621

• In some scenarios with multiple routing instances defined, DNS names in the address-book entries might not get resolved, making the corresponding security policies nonoperational.

PR919810

Routing Protocols

• RPD can crash soon after OSPF switches from the primary path to the secondary path when LFA (loop free alternates) is enabled, along with LDP-SYNC: /kernel: BAD_PAGE_FAULT: pid 1472 (rpd), uid 0: pc 0x86ff81c got a read fault at 0x15, x86 fault flags = 0x4. The corruption happens because of a race condition, when OSPF does not completely free a memory location that is later reused by LDP.

PR737141

• The point-to-multipoint (P2MP) interface does not accept any multicast packets. This leads to interoperability issues with the SSG.

PR895090

Security Group

• Multiple vulnerabilities are reported in earlier versions of OpenSSL in Junos OS.

PR853724

Unified Threat Management (UTM)

• When full file-based scanning of antivirus is enabled with Kaspersky scanning, some websites are not accessible.

PR853516

• The flowd process might crash when traffic is processed by UTM.

PR854880


• SRX Series devices try to resolve and connect to cpa.surfcpa.com and update.juniper-updates.net even if there are no licenses or configurations related to UTM.

PR856128

• Webpages become unavailable and do not display any content when you enable Sophos antivirus for HTTP traffic.

PR906534

User Interface and Configuration

• If you use the Junos OS XML API to configure a password, the password was encrypted using an older algorithm instead of the algorithm used when configuring a password through the CLI. This older algorithm did not allow certain characters, including commas. Any characters entered after the disallowed characters were ignored.

PR744595

• On devices in a chassis cluster, when you execute the clear system commit command, the command clears the commit only from the local node.

PR821957

• When a rollback operation is performed, the accounting log gets generated even for items that are not changed. This is because the rollback operation does a load update, where everything that is being rolled back is overlaid over the previous configuration as set items. The actual evaluation of what is really changed happens at a later point, but accounting of change-log items happens much before that. Hence, the interpretation is that all those items are really being set. For example: UI_CFG_AUDIT_SET_SECRET: User 'lab' set: [system root-authentication encrypted-password] UI_CFG_AUDIT_SET_SECRET: User 'lab' set: [system login user lab authentication encrypted-password].

PR836384

VPN

• The SRX Series cluster is used as a VPN concentrator that is connected to remote VPN clients. The Internet key exchange process (process) tries to reuse the IP address that was previously assigned to an XAuth client. But the original Xauth attributes are overwritten when the Auth reply is received from Authd. This causes IKEd to assign a new IP address every time a Phase 1 Security Association (SA) is negotiated. As a result, multiple remote clients cannot connect through VPN.

PR854922

• On all branch SRX Series devices, the Junos Pulse client has been updated from Release 2.0R3 to 4.0R2.

PR868101

• Network Address Translation-Traversal (NAT-T) might not work when the VPN is with Cisco and if the VPN is initiated from a Cisco peer. The VPN negotiates using port UDP 500 instead of UDP 4500 when NAT is involved.

PR869458

• For IKEv2, if an SRX Series device running Junos OS Release X45-D15 is in negotiation with a peer SRX Series device running Release 11.4 or 12.1X44, a kmd core file might be generated on the peer device during IPsec CHILD SA rekey. This does not impact any IKEv1 scenarios. To avoid this, upgrade the peer SRX Series device to either Junos OS Release 12.1X44-D25 or later or Junos OS Release 11.4R10 or later.

PR915376


Resolved Issues in Junos OS Release 12.1X44-D20 for Branch SRX Series Services Gateways

Application Layer Gateway (ALG)

• The TCP proxy module used by the ALG is deficient in handling a TCP stream with large packets. [ PR727649 ]

Chassis Cluster

• During an IP monitoring failover condition, the IP monitoring policy status changes to INIT from FAIL and the interface and route actions are reset to MARKED-DOWN and NOT-APPLIED. [ PR729022 ]

• On devices in a chassis cluster, when Layer 2 Ethernet switching is configured and the created session is related to the Layer 3 VLAN interface (the session's ingress or egress interface), the session is deleted on the primary node when the backup session times out on the backup node. [ PR839290 ]

• On devices in a chassis cluster, during cold synchronization, if the flow sessions are synchronized before the application identification configuration synchronization, then after the backup node is rebooted, the application identification module bypasses the flow sessions and the application names for those sessions are marked as unknown. [ PR843742 ]

• On all branch SRX Series devices, when you use aggregated redundant Ethernet (chassis cluster redundant Ethernet interface with multiple link members per node), traffic loss is observed when the link member fails. [ PR858519 ]

• On devices in a chassis cluster, the security zone is not populated properly on the J-Web interface port configuration page. [ PR859200 ]

Command-Line Interface (CLI)

• The show interface pp0.x command triggers memory leakage for interface statistics. [ PR854658 ]

Dynamic Host Configuration Protocol (DHCP)

• Only the first three options present in the Request option of a DHCPv6 Solicit/Request were correctly populated from the dhcp-attributes specified within a local inet6 pool. [ PR741823 ]

Flow and Processing

• When a large number of logs are archived to a remote site, event core files are generated. [ PR771228 ]

• When you configure the nas-ip-address option using the command system radius-options attributes nas-ip-address and commit, the nas-ip-address is not correctly set unless you reboot the device. [ PR786467 ]

• Destination port information is missing for IPv6 packets when the firewall is in packet mode. [ PR805986 ]


• When a device forwards traffic, flowd core files are generated. [ PR831480 ]

• On devices with increased ALG or proxy traffic, memory leaks in global data plane memory are observed, and traffic (FTP, MS RPC, AppID, and so on) drops. [ PR859956 ]

• If Virtual Router Redundancy Protocol (VRRP) is configured with the preempt option on an aggregated Ethernet link aggregation group (LAG) interface, the device might not send Gateway-Address Resolution Protocol (G-ARP). [ PR863549 ]

• When reverse path forwarding (RPF) is enabled along with real-time performance monitoring (RPM), the device changes to the db prompt and loses reachability when you delete some configurations. [ PR869528 ]

• When an active route changes from multiple-next-hop to single-next-hop, one of the internal structures is incorrectly updated. This results in route lookup failure and causes traffic drops even though the new active routes are correctly displayed in both the routing and forwarding tables. [ PR879726 ]

Infrastructure

• When you archive a file using the file-archive rpc option, the following error is displayed:

Operation allowed only from CLI

[ PR831865 ]

Interfaces and Routing

• When a process generates a vmcore or core-tarball file, users with super-user class privileges cannot access or retrieve the file. [ PR772809 ]

• Configuring multicast addresses (inet6) on an interface results in the generation of RPD core (mc_ssm_add) files. [ PR780751 ]

• When you attempt to create a dial backup interface, * and # symbols are not accepted. [ PR834042 ]

• On the asymmetric digital subscriber line (ADSL) Mini-PIM, the Asynchronous Transfer Mode (ATM) Operation, Administration, and Management (OAM) feature is not supported. [ PR835677 ]

• When the signal to noise ratio on the DSL line is low, the DSL line drops and is retrained. The DSL interface stops transmission after multiple line drop events. [ PR837557 ]

• In an invalid subnet configuration on a multicast group, when you performed a commit or commit check, the routing protocol process (rpd) crashed and generated core files. [ PR856925 ]

• Even when optical interfaces on the SRX-GP-24GE PIM are disabled, the laser remains turned on. This causes the link on the peer side to remain up and results in a unidirectional link. [ PR872916 ]

• When a symmetric high-speed DSL (SHDSL) Mini-PIM was configured in 2-wire mode with annex mode as Annex B/G, one of the physical interfaces did not come up. [ PR882035 ]


Intrusion Detection and Prevention (IDP)

• You might not be able to configure the memory limit using the configuration statement security sensor-configuration global memory-limit-percent because an invalid range is expected. [ PR830467 ]

• IDP signature database update was not synchronized between node 0 and node 1. [ PR859196 ]

J-Web

• In J-Web, you can configure content-size-limit to a maximum range of 20 to 20,000 on the Configure>Security>UTM>Antivirus>ADD page, but the maximum range is 20 to 40,000. [ PR725946 ]

• In J-Web, reboot does not work. [ PR741014 ]

• On SRX550 devices, the “External storage” option is not supported. Therefore do not select the "External storage" option from the list on the Maintain>reboot and snapshot page. [ PR741593 ]

• In J-Web, when more than one security policy is configured on a device, the first policy is not listed in the Apply-Policy section. [ PR837799 ]

• In J-Web, if the policy name is "0", the penultimate-hop popping (PHP) function treats it as empty, and traffic log output cannot be viewed. [ PR853093 ]

• In J-Web, you might not be able to specify the global address book object when configuring a security policy in an untrust zone. [ PR853325 ]

• In J-Web, if dynamic VPN is configured, when you log out, the following error message is displayed: “404 page not found error”. [ PR857419 ]

• In J-Web, information on routes is not listed under the Configure > Routing > Static Routing section. [ PR864324 ]

• In J-Web, when 200 or more users are listed under Access Profile, not all the users are displayed. [ PR872103 ]

Logical Systems

• In a logical system, you cannot use snmpwalk for Simple Network Management Protocol (SNMP) polling. [ PR791859 ]

Network Address Translation (NAT)

• On all branch SRX Series devices, NAT might not function as expected because the configuration changes to source NAT, destination NAT, or both are not properly pushed to the forwarding plane. [ PR744344 ]

• On devices enabled with static NAT and configured with multiple routing instances, reverse static NAT might not work when both the ingress interface and egress interface are in the root routing instance. [ PR834145 ]


Platform and Infrastructure

• Automatic recovery of the primary root—This feature is supported on all SRX Series devices. The corrupted primary root is repaired when the device reboots from the alternate root. The device accomplishes this repair by taking a snapshot of the alternate root and including it on the primary root automatically rather than manually from the CLI. [ PR793366 ]

SNMP

• On all branch SRX Series and J Series devices, the SNMP jnxJsScreenCfgChange traps are generated even if there are no changes to the screen configuration. [ PR835290 ]

Switching

• On SRX650 devices, the dot1x:mode:Multiple:Supplicants are authenticated even after a disconnect message is sent from the RADIUS server. [ PR786731 ]

Unified Access Control (UAC)

• When a branch SRX Series device is deployed as a Unified Access Control (UAC) enforcer with session logging enabled for UAC enforced security policies in a UAC network, and the UAC authentication table contains users with many roles associated, traffic match for these policies generate flowd core files. [ PR849805 ]

Unified Threat Management (UTM)

• When antivirus is enabled on a system, Web search using search engines such as yahoo.co.jp fails if the content size limit is set to 20. [ PR722652 ]

• When large numbers of UTM Enhanced Web filtering requests are pending, the CPU utilization is high on the utmd process. [ PR841047 ]

• A security policy configured with antivirus shows an incorrect count of bytes and packets in the policy statistics. [ PR841923 ]

• On all branch SRX Series devices with UTM antivirus enabled, flowd core files are generated if files exceeding 1 GB are transferred using FTP. [ PR846655 ]

• On devices in a chassis cluster, the antivirus database is not synchronized on both the cluster nodes. [ PR863181 ]

• On all branch SRX Series devices with Unified Threat Management (UTM) full antivirus (Kaspersky lab engine) enabled, traffic might drop intermittently when there is a heavy traffic load to antivirus. This is because the cache space of antivirus (MFS disk) is marked as full once it is filled, and the full flag is never cleared later even though the cache space is 100 percent free. As a result, traffic to the antivirus engine is flagged as out-of-resource and the connection resets. [ PR864775 ]

• On all branch SRX Series devices, new categories for Enhanced Web filtering have been added. [ PR866160 ]


Virtual Private Network (VPN)

• Occasionally, devices configured with policy-based IPsec VPN might not allow traffic to the protected resources. [ PR718057 ]

• Network Address Translation-Traversal (NAT-T) might not work when the VPN is with Cisco and if the VPN is initiated from a Cisco peer. The VPN negotiates using port UDP 500 instead of UDP 4500 when NAT is involved. [ PR869458 ]

Resolved Issues in Junos OS Release 12.1X44-D15 for Branch SRX Series Services Gateways

Chassis Cluster

• On a device in a chassis cluster, the primary node would go to db mode and generate a vmcore file when you changed the configuration of the redundant Ethernet (reth) interface in a way that caused the deletion of the logical interface of the reth. [ PR850897 : This issue has been resolved.]

Command-Line Interface (CLI)

• When you upgrade an SRX Series device to Junos OS Release 11.4, NSM showed an error that a space in the full-name parameter of the set system login user test-name full-name test name command statement is not accepted. [ PR806750 : This issue has been resolved.]

• On SRX550 devices, the request system firmware upgrade re bios command to upgrade the BIOS was missing. [ PR809921 : This issue has been resolved.]

• When you executed the request system zeroize command, the configuration was not deleted. As a result, the rescue configuration was loaded instead of the factory default configuration. [ PR835687 : This issue has been resolved.]

Flow and Processing

• Rewriting DiffServ code point (DSCP) bits for IPv6 neighbor advertisements was not supported. [ PR827740 : This issue has been resolved.]

• When a device forwarded traffic, a flowd core file was generated. This was a generic issue and was not related to any specific feature. [ PR831480 : This issue has been resolved.]

Interfaces and Routing

• The routing protocol process (rpd) was reinitialized when you committed a configuration change. When multiple reinitializations occurred while OSPF was running on the router, the periodic refresh of OSPF router link-state advertisements (LSAs) stopped. If the LSAs were not refreshed, the router no longer participated in the OSPF routing domain. You could issue the show ospf database router advertising-router router-id extensive | match timer command to see evidence of the issue. In the error state, the output did not include the Gen timer field. [ PR744280 : This issue has been resolved.]

• When the Flexible PIC Concentrator (FPC) restarted after performing a master Routing Engine switchover, the aggregate interface flag was set to down. Any traffic that entered this FPC and traversed the equal-cost multipath (ECMP) to the aggregate interface was dropped. [ PR809383 : This issue has been resolved.]

• On devices with a VDSL Mini-PIM or an integrated module, when you selected the VDSL profile as auto and the address acquisition method as DHCP in pt mode, the physical interface link flapped. [ PR827144 : This issue has been resolved.]

Intrusion Detection Prevention (IDP)

• The issue of false positives with negate attacks when using hardware DFA based pattern matching has been fixed. [ PR848659 : This issue has been resolved.]

J-Web

• On J Series devices, the initial setup tab was missing when you logged in to the device using the factory default setup method. [ PR823306 : This issue has been resolved.]

• On a device in a chassis cluster, the message “Configuring chassis cluster in non-cluster mode is not allowed” was displayed when you accessed J-Web using Internet Explorer. [ PR825952 : This issue has been resolved.]

• In J-Web, the value was set low in the “session expired when the idle-timeout” option. [ PR830644 : This issue has been resolved.]

• In J-Web, when more than one security policy was configured on a device, the first policy was not listed in the “Apply-Policy” section. [ PR837799 : This issue has been resolved.]

• In J-Web, custom-defined applications were presented as predefined. [ PR837820 : This issue has been resolved.]

• In J-Web, when you configured using the CLI or J-Web, you could not see the value of POL0. [ PR839749 : This issue has been resolved.]

• The New Setup wizard failed to commit the configuration because of a missing password for PAP/CHAP when the PPPoE wizard account contained "@" in it. [ PR856746 : This issue has been resolved.]

• On a device in a chassis cluster, the “switch to L2 mode” button from J-Web interface is non-functional. [

PR857147

: This issue has been resolved.]


Network Address Translation (NAT)

• NAT was not functioning as expected because the configuration changes to source NAT, destination NAT, or both were not properly pushed to the forwarding plane. [PR744344: This issue has been resolved.]

Switching

• IGMP leave messages received on a port of an 8-Port Gigabit Ethernet small form-factor pluggable (SFP) XPIM that was configured with the Ethernet switching family were not processed by the IGMP snooping module. [PR824557: This issue has been resolved.]

Unified Access Control (UAC)

• On an SRX Series device, when captive portal was used along with UAC enforcement, the device ran into problems with the authentication table state, because of which the IC-SRX connection broke continuously. [PR847180: This issue has been resolved.]

• On a device deployed as a Unified Access Control (UAC) enforcer in a UAC network, if session logging was enabled for UAC-enforced security policies and the UAC authentication table contained users that had many roles associated, traffic that matched these policies caused the flowd process to crash and generate a core file. [PR849805: This issue has been resolved.]

Unified Threat Management (UTM)

• When there were many pending UTM enhanced Web filtering (EWF) requests, the CPU utilization of the utmd process was high. [PR841047: This issue has been resolved.]

• A security policy configured with antivirus showed an incorrect count of bytes and packets in the policy statistics. [PR841923: This issue has been resolved.]

Virtual Private Networks (VPNs)

• The IKE SA failed to install the responder during Phase 2 rekey. [PR809219: This issue has been resolved.]

Resolved Issues in Junos OS Release 12.1X44-D10 for Branch SRX Series Services Gateways

Application Layer Gateway (ALG)

• The forwarding process crashed, resulting in generation of a core file, due to abnormal MGCP traffic. [PR684653: This issue has been resolved.]

• The EPRT command did not work with FTP ALGs on port 0, which was not valid. [PR769444: This issue has been resolved.]
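The EPRT defect above is a reminder that an ALG must validate the address and port a client asks to have opened before it creates a data-connection pinhole. The following parser is an added example, not Junos OS code: it checks an FTP EPRT argument against the RFC 2428 syntax and refuses port 0, unknown or mismatched address families, non-unicast addresses and, when the caller supplies the control-connection peer, an address that differs from it. The command lines it is run against are constructed samples.

```python
"""RFC 2428 EPRT validation as a defensive FTP ALG would perform it.

Added example, not Junos OS code. Sample command lines below are constructed.
Syntax: EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>
  <d>        one printable ASCII delimiter (33..126), '|' by convention
  <net-prt>  1 = IPv4, 2 = IPv6
"""
import ipaddress
from typing import NamedTuple, Optional


class EprtRequest(NamedTuple):
    family: int   # 1 = IPv4, 2 = IPv6
    address: str
    port: int


class EprtError(ValueError):
    """Any EPRT argument the ALG must refuse to open a pinhole for."""


def parse_eprt(line: str, control_peer: Optional[str] = None) -> EprtRequest:
    """Parse and validate one EPRT command line.

    Rejects malformed syntax, unknown address families, a family that does not
    match the literal address, unspecified/multicast/loopback addresses, a port
    outside 1..65535 (port 0 is never a legitimate data-connection target) and,
    when control_peer is given, an address other than the control-connection peer.
    """
    line = line.rstrip("\r\n")
    if len(line) < 6 or line[:5].upper() != "EPRT ":
        raise EprtError("not an EPRT command")
    delim = line[5]
    if not 33 <= ord(delim) <= 126:
        raise EprtError("delimiter must be printable ASCII")
    parts = line[5:].split(delim)   # "|1|10.0.0.1|5000|" -> ['', '1', '10.0.0.1', '5000', '']
    if len(parts) != 5 or parts[0] or parts[4]:
        raise EprtError("malformed EPRT argument")
    fam_s, addr_s, port_s = parts[1], parts[2], parts[3]
    if fam_s not in ("1", "2"):
        raise EprtError(f"unsupported address family {fam_s!r}")
    family = int(fam_s)
    try:
        addr = ipaddress.ip_address(addr_s)
    except ValueError as exc:
        raise EprtError(f"bad address {addr_s!r}") from exc
    if (family == 1) != (addr.version == 4):
        raise EprtError("address family does not match address")
    if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
        raise EprtError(f"{addr} is not a usable unicast peer")
    if not (port_s.isascii() and port_s.isdigit()):
        raise EprtError("port must be decimal digits")
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise EprtError(f"port {port} out of range")
    if control_peer is not None and addr != ipaddress.ip_address(control_peer):
        raise EprtError("EPRT address differs from control-connection peer")
    return EprtRequest(family, str(addr), port)


def eprt_accepted(line: str, control_peer: Optional[str] = None) -> bool:
    """True when the ALG may open the requested data-connection pinhole."""
    try:
        parse_eprt(line, control_peer)
        return True
    except EprtError:
        return False


if __name__ == "__main__":
    # Constructed sample lines; the control-connection peer is assumed to be 10.0.0.1.
    for sample in ("EPRT |1|10.0.0.1|5000|\r\n",   # valid IPv4
                   "EPRT |2|2001:db8::1|5000|",    # valid IPv6 (no peer check here)
                   "EPRT |1|10.0.0.1|0|",          # port 0: the defect described above
                   "EPRT |1|2001:db8::1|5000|",    # family/address mismatch
                   "EPRT |1|10.0.0.2|5000|"):      # not the control-connection peer
        peer = "10.0.0.1" if "|1|" in sample else None
        print(f"{sample.strip()!r:36} -> {eprt_accepted(sample, peer)}")
```

Tying the data address to the control peer is the check that stops a third-party (bounce) pinhole from being opened on the client's say-so; keep it switchable, since some legitimate multi-homed clients still need it relaxed.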

• During ALG traffic processing, the device generated a core file. [PR780007: This issue has been resolved.]

• When the TNS RESEND (type 11) was 8 bytes long, the SQL ALG did not work properly. [PR806893: This issue has been resolved.]

• The MS-RPC ALG dropped some big packets in a Kerberos authentication environment, because the Kerberos ticket token size and the MS-RPC bind packet were too large for the ALG to handle. [PR817453: This issue has been resolved.]

Authentication

• The Web authentication page was not displayed properly when you tried to reauthenticate after an idle time. [PR741973: This issue has been resolved.]

• When the local or RADIUS user password contained a percent character (%), firewall authentication through the Web portal failed due to an issue in processing the percent sign. [PR778891: This issue has been resolved.]

Command-Line Interface (CLI)

• The show interface at <> extensive command did not display the correct value when the at interface was up on the SHDSL Mini-PIM. [PR738322: This issue has been resolved.]

• On devices in a chassis cluster, the set chassis usb storage disable command did not work. [PR793844: This issue has been resolved.]

• On SRX220 PoE devices, the smtp-profile junos-as-defaults failed to load. [PR791575: This issue has been resolved.]

• The ssl-encryption option under the edit security application-firewall rulesets name rule name hierarchy was irrelevant. [PR817232: This issue has been resolved.]

Dynamic Host Configuration Protocol (DHCP)

• When the devices acted as DHCP servers and the DHCP requests were forwarded to the SRX Series devices by a DHCP relay, the devices sent responses to DHCP requests to an incorrect UDP destination port. [PR774541: This issue has been resolved.]

Flow and Processing

• On SRX240 devices, when fragments with an MTU value larger than 1514 were received, some of the fragments were dropped. [PR595955: This issue has been resolved.]

• Changes in policer, filter, or sampling configuration caused a core file to be generated during receipt of multicast traffic. [PR613782: This issue has been resolved.]

• Activating and deactivating logical interfaces a number of times resulted in flowd core files. [PR691907: This issue has been resolved.]

• When the syn-cookie feature was enabled along with the syn-flood screen with a low timeout value, high-latency TCP sessions failed to establish successfully. The client sessions received unresponsive connections because the SRX Series device timed out the flow for the session. The device also dropped subsequent packets from the client due to the state not being found. [PR692484: This issue has been resolved.]

• The content filter for the SMTP block extension did not work when the name of the attached file was in Japanese. [PR724960: This issue has been resolved.]


• When making configuration changes to delete virtual router instances that included multicast interfaces, the Routing Protocol process (RPD) crashed. [PR727357: This issue has been resolved.]

• The commands after STARTTLS were encrypted and could not be understood by the SMTP parser. These commands caused the session to hang until the TCP session was closed, and no packets were forwarded. [PR750047: This issue has been resolved.]

• When the device sent a broadcast ARP to a Layer 3 VLAN interface that was restarting, it caused the forwarding to restart, resulting in traffic loss and generation of a flowd_octeon_hm core file. [PR755204: This issue has been resolved.]

• When SYN-flooded packets per second (pps) exceeded the screen attack-threshold, a SYN cookie was triggered by default. The SRX Series device sent a SYN-ACK with an ISN to the client, and once the correct ACK was received, the device sent a SYN to the server. However, the ACK packet (from the client) created a session and was forwarded to the server. Because the server received an ACK instead of a SYN packet, the server sent an RST, the RST was forwarded to the client, and the connection was reset. [PR755727: This issue has been resolved.]

• The httpd task was high. [PR768952: This issue has been resolved.]

• Traffic shaping did not work correctly when the shaping rate was configured on virtual channels. [PR769244: This issue has been resolved.]

• The SYN proxy (Syn-I) held the jbuf before the SYN-ACK was received from the server. If the server was unreachable, SYN-PROXY held the jbuf until the session timed out. [PR769828: This issue has been resolved.]
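The two entries above (PR755727 and PR769828) describe the handshake a SYN-cookie proxy has to get right: answer the client's SYN statelessly with a cookie as the ISN, and only once a valid ACK comes back open the server side with a fresh SYN rather than forwarding the client's ACK, which a server holding no state answers with an RST. The toy state machine below is an added illustration, not Junos OS code; it models that sequence with a keyed, time-bucketed cookie, allocates per-flow state only after the cookie validates, and keeps the sequence-number delta an established proxied flow needs. Hosts, the secret and sequence numbers are constructed sample values, and the 64-second cookie lifetime is an assumption of the example.

```python
"""Toy SYN-cookie proxy state machine.

Added example, not Junos OS code; hosts, secret and sequence numbers are
constructed sample values. Models the defender-side sequence from the entries
above: answer a client SYN statelessly with a cookie ISN, open the server side
with a fresh SYN only once a valid cookie ACK arrives (never by forwarding the
client's bare ACK), then translate sequence numbers between the two halves.
"""
import hashlib
import hmac
import struct
from typing import NamedTuple

M = 0xFFFFFFFF  # TCP sequence numbers live modulo 2**32


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S", "SA" or "A"
    seq: int
    ack: int


class SynProxy:
    COOKIE_LIFETIME = 64  # seconds (assumed); a cookie is valid in its own and the previous bucket

    def __init__(self, secret: bytes, now: float = 0.0):
        self.secret = secret
        self.now = now        # injectable clock keeps the example deterministic
        self.sessions = {}    # (client, cport, server, sport) -> session dict
        self.out = []         # packets the proxy emitted, oldest first

    def _bucket(self) -> int:
        return int(self.now // self.COOKIE_LIFETIME)

    def _cookie(self, key, bucket: int) -> int:
        """Keyed 32-bit hash of the 4-tuple and time bucket; used as the SYN-ACK ISN."""
        msg = f"{key[0]}:{key[1]}>{key[2]}:{key[3]}@{bucket}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack(">I", digest[:4])[0]

    def handle(self, p: Pkt) -> str:
        key = (p.src, p.sport, p.dst, p.dport)   # as seen from the client side
        rkey = (p.dst, p.dport, p.src, p.sport)  # as seen from the server side
        sess = self.sessions.get(key) or self.sessions.get(rkey)
        if sess and sess["state"] == "ESTABLISHED":
            return "forward"                       # data path: see translate()

        if p.flags == "S" and key not in self.sessions:
            cookie = self._cookie(key, self._bucket())
            self.out.append(Pkt(p.dst, p.dport, p.src, p.sport, "SA", cookie, (p.seq + 1) & M))
            return "cookie-sent"                   # nothing stored, nothing buffered

        if p.flags == "A" and key not in self.sessions:
            b = self._bucket()
            if (p.ack - 1) & M not in (self._cookie(key, b), self._cookie(key, b - 1)):
                return "dropped-bad-cookie"        # forged or stale: still no state
            client_isn = (p.seq - 1) & M
            self.sessions[key] = {"state": "SYN_SENT", "client_isn": client_isn,
                                  "proxy_isn": (p.ack - 1) & M, "delta": 0}
            # Client half is complete; open the server half with a SYN, not the ACK.
            self.out.append(Pkt(p.src, p.sport, p.dst, p.dport, "S", client_isn, 0))
            return "syn-to-server"

        if p.flags == "SA" and sess and sess["state"] == "SYN_SENT":
            if p.ack != (sess["client_isn"] + 1) & M:
                return "dropped-bad-server-ack"
            sess["state"] = "ESTABLISHED"
            sess["delta"] = (p.seq - sess["proxy_isn"]) & M  # server ISN minus cookie ISN
            self.out.append(Pkt(p.dst, p.dport, p.src, p.sport, "A",
                                (sess["client_isn"] + 1) & M, (p.seq + 1) & M))
            return "established"
        return "dropped"

    def translate(self, p: Pkt) -> Pkt:
        """Rewrite ACK (client->server) or SEQ (server->client) so each side sees its own ISN."""
        s = self.sessions.get((p.src, p.sport, p.dst, p.dport))
        if s and s["state"] == "ESTABLISHED":
            return p._replace(ack=(p.ack + s["delta"]) & M)
        s = self.sessions.get((p.dst, p.dport, p.src, p.sport))
        if s and s["state"] == "ESTABLISHED":
            return p._replace(seq=(p.seq - s["delta"]) & M)
        raise LookupError("no established session for this packet")


if __name__ == "__main__":
    proxy = SynProxy(b"constructed-secret", now=100.0)
    print(proxy.handle(Pkt("10.0.0.2", 40000, "192.0.2.10", 80, "S", 1000, 0)), proxy.out[-1])
    cookie_isn = proxy.out[-1].seq
    print(proxy.handle(Pkt("10.0.0.2", 40000, "192.0.2.10", 80, "A", 1001, (cookie_isn + 1) & M)),
          proxy.out[-1])
    print(proxy.handle(Pkt("192.0.2.10", 80, "10.0.0.2", 40000, "SA", 5000, 1001)), proxy.out[-1])
```

Nothing is allocated until the cookie validates, so a flood of SYNs or forged ACKs costs the proxy one HMAC each and no memory; the only per-flow state is created for a client that completed its half, and that is exactly the state (and any buffered client data) that sits waiting while the server-side SYN is outstanding, which is the window the second entry describes.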

• When the device processed a large amount of traffic, performing an AppID security package update caused the flowd process to generate a core file. [PR769832: This issue has been resolved.]

• For IKEv2, when the device attempted a DPD exchange during an existing exchange, a core file was generated. [PR771234: This issue has been resolved.]

• On a device in a chassis cluster, the forwarding module became unresponsive when the redundant Ethernet (reth) interface was deleted while traffic was flowing through the device. Sometimes flowd generated a core file. [PR771273: This issue has been resolved.]

• The routing protocol daemon (rpd) generated a core file while processing a malformed RIP or RIP message from a neighbor during adjacency establishment. [PR772601: This issue has been resolved.]

• When passing GVPN multicast traffic, flowd core files were generated when the GVPN packet was encapsulated in the PIM register message. [PR774133: This issue has been resolved.]

• ICMP redirect did not work for FTP traffic. [PR776388: This issue has been resolved.]

• On a device in a chassis cluster, flowd core files were generated with a Layer 2 transparent configuration when the system was being shut down. [PR782579: This issue has been resolved.]


• The changes made to the VPI and VCI values of ADSL interfaces did not take effect until the chassis was rebooted. [PR783992: This issue has been resolved.]

• When the DNS ALG was enabled, the rewrite rules applied on the egress interface did not work for DNS messages. [PR785099: This issue has been resolved.]

• The session creation per second was always zero in the show security monitoring fpc 0 output. [PR787343: This issue has been resolved.]

• When the DHCP client was configured on a routing instance in a JSRP setup, after failover the device remained in secondary hold indefinitely. [PR790872: This issue has been resolved.]

• The flowd core files were generated during the IDP security-package update. [PR793417: This issue has been resolved.]

• On a device in a chassis cluster, long pauses and timeouts were seen for SNMP walk/query. This was caused by a delay in querying the gr-0/0/0 (GRE) interface by the kernel. [PR800735: This issue has been resolved.]

• The generation of a flowd core file was triggered by cache errors. [PR805975: This issue has been resolved.]

• There was unexpectedly lower bandwidth through a scheduler queue that was configured with a small buffer size on an interface faster than 2 Mbps. [PR806745: This issue has been resolved.]

• ARP requests on the link aggregation interface failed under certain conditions. [PR819816: This issue has been resolved.]

• On devices with an SFP port on the PIM, IP monitoring failed. [PR823643: This issue has been resolved.]

• On J Series devices, IDP initialization failed and the policy did not load. As a result, IDP inspection did not work. [PR833071: This issue has been resolved.]

Infrastructure

• The services ip-monitoring CLI command was not working. [PR771344: This issue has been resolved.]

Interfaces and Routing

• The egress queues were not supported on VLAN or IRB interfaces. [PR510568: This issue has been resolved.]

• For the VLAN-tagged redundant Ethernet interface, the Track IP (ipmon) feature was not supported. [PR575754: This issue has been resolved.]

• On J Series devices, when you used ISDN connections, an error appeared stating that a BAD_PAGE_FAULT had occurred, and the ISDN connection stopped working. [PR669297: This issue has been resolved.]

• On SRX550 devices, online insertion and removal of GPIMs or XPIMs was not supported. [PR719882: This issue has been resolved.]


• The service status of the 3G modem did not change from “Emergency calls only”. [PR746400: This issue has been resolved.]

• You could not use the word “management” or its variants as the security zone name. [PR754585: This issue has been resolved.]

• When the interface VLAN was configured as a Layer 3 interface and redirected an IP packet, it did not reply with the ICMP redirect message. [PR754616: This issue has been resolved.]

• When automatic installation was enabled, the interface-control (dcd) process stopped and interfaces could not be configured. [PR773616: This issue has been resolved.]

• When the DHCP client was configured with VLAN, the DHCP leases were not acquired by the client and unicast messages were dropped. [PR776525: This issue has been resolved.]

• Interfaces with no cable connected and configured with the loopback option did not come up. [PR788395: This issue has been resolved.]

• After reboot, sometimes the VLAN interface was down while its physical member interface was up. [PR791610: This issue has been resolved.]

Intrusion Detection and Prevention (IDP)

• When the device was in a low-memory condition on the control plane, it rebooted suddenly during the IDP security-package update. [PR776947: This issue has been resolved.]

• The detector was not updated in the control plane when the update-attack-database-only flag was used during security package installation. [PR778816: This issue has been resolved.]

• During IDP policy compile, the failure message “idp policy parser compile failed” was displayed due to a memory leak in the application identification configuration load. [PR787970: This issue has been resolved.]

• IDP policy load failed though there was sufficient memory (heap) available. This issue occurred when there was not enough contiguous memory block available in kernel heap memory. [PR789146: This issue has been resolved.]

• When you changed the configuration, the show security idp policy-commit-status command showed the message “Failed to add connection for dataplane”. [PR789542: This issue has been resolved.]

• The help and system logs on the terminal did not match. [PR794743: This issue has been resolved.]

• The policy push was not clearing SSL counters, and the SSL sessions-inspected counter kept increasing for every policy push. If the configured maximum SSL session limit was low, SSL sessions were not inspected once the maximum limit was reached. [PR831611: This issue has been resolved.]

• The forwarding module crashed as a result of IDP processing. [PR832608: This issue has been resolved.]


J-Web

• In J-Web, policies configured under group global could not be edited or deleted in the NAT and firewall wizards. [PR552519: This issue has been resolved.]

• The J-Web interface incorrectly displayed the Session Expired pop-up window whenever flash storage was full. [PR569931: This issue has been resolved.]

• The PPPoE wizard support was not available in Junos OS Release 12.1X44-D10. [PR681083: This issue has been resolved.]

• In J-Web, you could not edit or delete the PPPoE connections set using the wizard. [PR688421: This issue has been resolved.]

• While editing the radio settings for an AX411 Wireless LAN Access Point on Configure > Wireless LAN > Setting, you could not edit the virtual access point for which the configured security options were static-wep and dot1x. [PR692195: This issue has been resolved.]

• Add and Update buttons were not available on the License page when the 30-day or 1-day trial license was installed. [PR735174: This issue has been resolved.]

• On a device in a chassis cluster, when you configured ANNEX details of the SHDSL interface through J-Web, the existing configuration was deleted. Editing the configuration of SHDSL and the T1 card was not possible if it involved pushing chassis information. [PR737643: This issue has been resolved.]

• The Global options > Proxy screen was blank the first time you accessed it using Internet Explorer version 7.0. [PR737675: This issue has been resolved.]

• The EZ-Setup (J-Web Initialization setup) failed with the following error: “Fetching setup configuration....Please wait”. [PR748173: This issue has been resolved.]

• On SRX210 devices, Junos OS failed to import node configurations when chassis cluster setup was configured using J-Web. [PR753533: This issue has been resolved.]

• Using J-Web, when you clicked Enable Log on the Monitor > Security > IDP > Attacks page, the page was disabled and not accessible. [PR768559: This issue has been resolved.]

• When the httpd process restarted, the old httpd was deleted and the new httpd started. In certain circumstances, however, the old httpd and the new httpd existed at the same time, causing high CPU usage. [PR772701: This issue has been resolved.]

• J-Web displayed the following misleading error message when it reached the memory limit while opening a large policy_session security log file: “The configuration on the Switch is too large for J-Web to handle. Please use the CLI to manipulate the configuration”. [PR777539: This issue has been resolved.]

• Logging in to J-Web resulted in the following error message: “JWEB is not supported on this platform”. [PR781659: This issue has been resolved.]

• In J-Web, when the device was in cluster mode, after RG failover the primary node was displayed as secondary hold in Dashboard > System-identification > Cluster details. This was due to an RPC get data error. [PR786700: This issue has been resolved.]


• The Action > Compare in Dashboard page did not display output properly. [PR790557: This issue has been resolved.]

• On all branch SRX Series devices, an httpd-gk core file was generated when DVPN was enabled with FTP traffic. [PR791661: This issue has been resolved.]

• The Help page was not available for the Configure > Interface > Ports page. [PR792544: This issue has been resolved.]

• When you ran the S2J tool to convert a configuration from ScreenOS to Junos OS, the S2J tool automatically added annotations in the Junos OS configuration. J-Web had issues with creating or managing security policies when these annotations were in the Junos OS configuration. [PR793159: This issue has been resolved.]

• The default radio buttons did not work after you configured the Configure > Security > UTM > Web Filtering > Add profile > Fallback options. [PR794441: This issue has been resolved.]

• The Help page was not available for the Troubleshoot > CLI terminal page. [PR806027: This issue has been resolved.]

• The J-Web security logging tab was not working. [PR806442: This issue has been resolved.]

• The httpd task was high. [PR809061: This issue has been resolved.]

• Sometimes the firewall policy wizard would not run. [PR816393: This issue has been resolved.]

• When you upgraded using the Partition command, if the Junos OS image was corrupted, the system rebooted with no available Junos OS image. [PR819505: This issue has been resolved.]

• The dashboard refresh rate changed. Refresh rates of 15, 30, and 60 seconds were removed. The minimum refresh rate available was 2 minutes. [PR826053: This issue has been resolved.]

License

• Erroneous messages were printed from liblicense during commit. [PR826158: This issue has been resolved.]

Network Address Translation (NAT)

• The commit of static NAT rules failed when logical system interfaces, security zone, and NAT were committed at the same time. Similarly, there were problems with committing static rules when you committed security zone and NAT at the same time. [PR756240: This issue has been resolved.]

• Static NAT rules were not being enforced when the Ethernet switching family was used. [PR785106: This issue has been resolved.]

Security

• The captive portal redirect did not work with the strict SYN checking option enabled in the firewall. [PR743466: This issue has been resolved.]


• The configuration control link between the control and data planes was not reliable. In some conditions, the connection to the secondary node broke, in which case the application firewall rule could not be pushed to the secondary node. [PR810946: This issue has been resolved.]

SNMP

• When a default IP address was used as the SNMP engine ID, after the device was rebooted or power cycled, the SNMP local engine ID was incorrectly set to 80 00 0a 4c 01 00 00 00 00. [PR613625: This issue has been resolved.]
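The engine ID quoted above can be read with the SnmpEngineID layout from RFC 3411: an enterprise number with its high bit set, a format octet, and a format-specific body. The decoder below is an added example, not Junos OS code; it parses that layout and flags identifiers built from an unspecified address, which is what that value decodes to (enterprise 2636, IPv4 format, address 0.0.0.0). The engine ID from the entry is the only page-supplied value; the other identifiers it is run against are constructed.

```python
"""Decode an SNMPv3 SnmpEngineID (RFC 3411 section 5) and flag degenerate values.

Added example, not Junos OS code. The engine ID quoted in the entry above is
the only page-supplied value; the other identifiers here are constructed.
Layout when the high bit of octet 0 is set:
  octets 0-3  IANA enterprise number (high bit stripped)
  octet  4    format: 1 IPv4, 2 IPv6, 3 MAC, 4 text, 5 octets, 128-255 enterprise-defined
  octets 5-   the identifier itself
"""
import ipaddress
from typing import List, NamedTuple

JUNIPER_ENTERPRISE = 2636  # IANA private enterprise number of Juniper Networks


class EngineId(NamedTuple):
    enterprise: int
    fmt: str
    value: str


def parse_engine_id(hexstr: str) -> EngineId:
    """Parse a hex engine ID ('80 00 0a 4c ...' or '80000a4c...') into its parts."""
    raw = bytes.fromhex(hexstr.replace(" ", "").replace(":", ""))
    if not 5 <= len(raw) <= 32:
        raise ValueError("SnmpEngineID must be 5..32 octets")
    if not raw[0] & 0x80:
        # RFC 1910-style ID: enterprise number followed by vendor-defined octets
        return EngineId(int.from_bytes(raw[:4], "big"), "legacy", raw[4:].hex())
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    code, body = raw[4], raw[5:]
    if code == 1 and len(body) == 4:
        return EngineId(enterprise, "ipv4", str(ipaddress.IPv4Address(body)))
    if code == 2 and len(body) == 16:
        return EngineId(enterprise, "ipv6", str(ipaddress.IPv6Address(body)))
    if code == 3 and len(body) == 6:
        return EngineId(enterprise, "mac", body.hex(":"))
    if code == 4 and body:
        return EngineId(enterprise, "text", body.decode("ascii", "replace"))
    if code == 5 and body:
        return EngineId(enterprise, "octets", body.hex())
    if code >= 128 and body:
        return EngineId(enterprise, f"enterprise-{code}", body.hex())
    raise ValueError(f"format {code} with a {len(body)}-octet body is not well-formed")


def engine_id_problems(hexstr: str) -> List[str]:
    """Reasons an engine ID should not be kept: it is non-unique or about to change."""
    eid = parse_engine_id(hexstr)
    problems = []
    if eid.fmt in ("ipv4", "ipv6") and ipaddress.ip_address(eid.value).is_unspecified:
        problems.append(f"derived from the unspecified address {eid.value}: every device "
                        "with an unset address gets this ID, and it changes once one is set")
    if eid.fmt == "mac" and eid.value == "00:00:00:00:00:00":
        problems.append("derived from an all-zero MAC address")
    if eid.fmt == "legacy":
        problems.append("RFC 1910-style ID; uniqueness cannot be judged from its format")
    return problems


def is_well_formed(hexstr: str) -> bool:
    try:
        parse_engine_id(hexstr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for eid in ("80 00 0a 4c 01 00 00 00 00",          # value from the entry above
                "80 00 0a 4c 01 c0 00 02 01",          # constructed: same layout, 192.0.2.1
                "80 00 0a 4c 03 00 11 22 33 44 55"):   # constructed: MAC-based
        print(parse_engine_id(eid), engine_id_problems(eid) or "ok")
```

The engine ID matters for more than cosmetics: SNMPv3 USM localizes every user's authentication and privacy keys to it and scopes the engineBoots/engineTime replay window to it, so an ID that every freshly booted device shares, and that silently changes once an address is configured, leaves managers holding keys that no longer match. Checking the decoded value after a reboot, as this script does, is a cheap way to catch that state.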

SNMP MIBs

• The value of the MIB object jnxJsIdpLastSignatureUpdateTime.0 was always the same. [PR691785: This issue has been resolved.]

• The SNMP OID jnxOperatingCPU.9 (Routing Engine CPU usage) always returned 100, although Routing Engine CPU usage was not 100 percent. [PR739591: This issue has been resolved.]

System Logs

• When an idle session was closed based on timeout expiration, the close reason shown in logs displayed "idle Timeout" instead of "unset" as it appeared before. [PR746572: This issue has been resolved.]

Unified Access Control (UAC)

• The device acted as a Unified Access Control (UAC) enforcer in a UAC network to ensure that only qualified end users could access protected resources. However, when there were many users requiring authentication, users were redirected to the login portal and the IC server reported redirect loops. [PR817764: This issue has been resolved.]

Unified Threat Management (UTM)

• When Express AV (antivirus) was enabled, traffic from the server and client was buffered at the device. Sometimes the buffer resource ran out because the traffic arrived faster than the buffer resources were released, and the device detected an out-of-resource condition and took a fallback action. [PR556309: This issue has been resolved.]

• In the UTM feature “Content filter for SMTP Block Extension List,” the notify e-mail was not sent to the sender. [PR732182: This issue has been resolved.]

• The SMTP session was suspended, and the AV counters showed incorrect increments when a 20-MB file was transferred. [PR792518: This issue has been resolved.]

• UTM mbuf leaks were observed after several hours of traffic load. [PR795681: This issue has been resolved.]

• The traffic processed by a UTM antivirus profile that was configured with trickling caused a JBUF (MBUF) memory leak and resulted in a traffic outage. [PR799859: This issue has been resolved.]


• The SMTP parser needed to support both the “STARTTLS” and the “X-ANONYMOUSTLS” cases. [PR824027: This issue has been resolved.]

• The Juniper enhanced Web filtering feature experienced default, timeout, and connectivity fallback actions under sustained bursts of high traffic. [PR833768: This issue has been resolved.]

Virtual Private Network (VPN)

• Dynamic VPN users were unable to connect because the previous dynamic VPN user license had not been removed. [PR710519: This issue has been resolved.]

• When there were many IKE SAs, the SNMP MIB “jnxIpSecFlowMonPhaseOne” returned only the first IKE SA. [PR734797: This issue has been resolved.]

• The dynamic VPN license was not released when old dynamic VPN connections were terminated. [PR735615, PR774877: This issue has been resolved.]

• The error “Failed to connect to server” was displayed when multiple clients were connected to the device through dynamic VPN and some configurations related to IKE negotiation changed on the device. [PR737787: This issue has been resolved.]

• IKE Phase 1 and Phase 2 logs erroneously reported that the renegotiation retry limit had been reached, even though the VPN build succeeded. [PR741751: This issue has been resolved.]

• When using IPsec VPN, the “IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached?” message was logged even though no failure had actually occurred. [PR768466: This issue has been resolved.]

• If the IKEv2 SA lifetime was more than 65,535 seconds, the IKE SA never rekeyed. It expired, and the corresponding tunnel flapped, causing a traffic outage. [PR775595: This issue has been resolved.]

• When using SIP on a dynamic VPN client, the voice stream did not reach the client. [PR776883: This issue has been resolved.]

• The maximum number of custom categories should be 50, and the maximum number of URL lists per custom category should be 30. [PR789538: This issue has been resolved.]

• The IPsec Phase 2 negotiation failed when you used the authentication-algorithm hmac-sha-256-128. [PR793760: This issue has been resolved.]

• When you used hmac-sha-256-128 at the group VPN server for the IPsec authentication-algorithm, a gkmd core file was generated for the group VPN member. [PR800719: This issue has been resolved.]

Related Documentation

• New and Changed Features in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 6

• Changes in Behavior and Syntax in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 25

• Known Behavior in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 40

• Known Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 59

• Documentation Updates for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 105

• Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 116


Documentation Updates for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers

Errata for the Junos OS Software Documentation

This section lists outstanding issues with the software documentation.

BGP Feature Guide for Security Devices

• In “Example: Configuring Route Authentication for BGP,” the following configuration steps in the CLI quick configuration and in the step-by-step procedure sections are not supported on SRX Series devices:

set security authentication-key-chains key-chain bgp-auth tolerance 30
set security authentication-key-chains key-chain bgp-auth key 0 secret this-is-the-secret-password
set security authentication-key-chains key-chain bgp-auth key 0 start-time 2011-6-23.20:19:33-0700
set security authentication-key-chains key-chain bgp-auth key 1 secret this-is-another-secret-password
set security authentication-key-chains key-chain bgp-auth key 1 start-time 2012-6-23.20:19:33-0700

Certificates and Public Key Cryptography for Security Devices

• In “Example: Using SCEP to Automatically Renew a Local Certificate,” the overview states that you can configure when the device is to send out the certificate renewal request as the number of days and minutes before the certificate's expiration date. This is incorrect. The trigger for the device to send out a certificate renewal request is a specified percentage of the certificate's lifetime that remains before the certificate expires. For example, if the renewal request is to be sent when the certificate's remaining lifetime is 10%, then configure 10 for the reenrollment trigger.

Chassis Cluster Feature Guide for Security Devices

• In the “Chassis Cluster Overview” topic, the last item in the functionality list incorrectly states that IP-over-IP tunnels are supported. IP-over-IP tunnels are not supported. The corrected information follows: Support for Generic Routing Encapsulation (GRE) tunnels used to route encapsulated IPv4/IPv6 traffic by means of an internal interface, gr-0/0/0. This interface is created by Junos OS at system boot up and is used only for processing GRE tunnels. See the Junos OS Interfaces Configuration Guide for Security Devices.

• Under the Configuration tab, in “Example: Configuring an SRX Series Services Gateway for the Branch as a Chassis Cluster,” there is a correction in Table 2: SRX Series Services Gateways fxp0 and fxp1 Interfaces Mapping. For the SRX210, the fxp0 interface should not be ge-0/0/0; it should be fe-0/0/6.

Feature Support Reference for SRX Series and J Series Devices

• In this guide, in Table 14: DHCP Support, the “Dynamic Host Configuration Protocol” section incorrectly states that the DHCPv6 relay agent is supported on SRX100, SRX110, SRX210, SRX220, SRX240, and SRX650 devices. The DHCPv6 relay agent is not supported on branch SRX Series devices.


• The Chassis Cluster table incorrectly indicates that Layer 2 Ethernet switching capability in chassis cluster mode is supported on SRX100 devices. Layer 2 Ethernet switching capability in chassis cluster mode is not supported on SRX100 devices.

• The “IPv6 Support” table lists that IPv6 is supported only for the TFTP ALG. The correct information is that IPv6 is supported for the DNS, FTP, and TFTP ALGs.

Interfaces Guide for Security Devices

• The “Example: Configuring a Serial Interface” of the “Modem Interfaces” guide provides the following incorrect output sample for the show interfaces se-1/0/0 command:

encapsulation ppp;
unit 0 {
    family inet {
        family inet;
    }
}

The correct output sample is:

encapsulation ppp;
unit 0 {
    family inet {
        address 10.10.10.10/24;
    }
}

IPsec VPNs for Security Devices

• In “Example: Configuring a Route-Based VPN with Only the Responder Behind a NAT Device,” the “Configuring IPsec for the Initiator” section is missing the configuration to generate the encryption key using Perfect Forward Secrecy (PFS) Diffie-Hellman Group 2. The missing configuration is as follows:

[edit]
user@host# set security ipsec policy ipsec_pol perfect-forward-secrecy keys group2

• In “Example: Configuring a Policy-Based VPN,” the “Verifying the IPsec Phase 2 Status” section contains a note that the proxy ID must be manually entered to match some third-party vendors. This note is incorrect. It is not possible to manually configure a proxy ID for policy-based VPNs. The proxy ID can only be derived from the policy.


J Series Services Router Advanced WAN Access Configuration Guide

• The example given in the “Configuring Full-Cone NAT” section in the guide available at http://www.juniper.net/techpubs/software/jseries/junos85/index.html is incorrect. The correct and updated example is given in the revised guide available at http://www.juniper.net/techpubs/software/jseries/junos90

J2320, J2350, J4350, and J6350 Services Router Getting Started Guide

• The “Connecting to the CLI Locally” section states that the required adapter type is DB-9 female to DB-25 male. This is incorrect; the correct adapter type is DB-9 male to DB-25 male.

J-Web

• J-Web Security Package Update Help page—This Help page does not contain information about the download status.

• J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure > Security > Firewall Filters, and then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring the filters, select Assign to Interfaces to assign your configured filters to interfaces.

• J-Web configuration Instructions— Because of ongoing J-Web interface enhancements, some of the J-Web configuration example instructions in the Junos administration and configuration guides became obsolete and thus were removed. For examples that are missing J-Web instructions, use the provided CLI instructions.

Junos OS CLI Reference

• In the “show security policies” topic, the “show security policies Output Fields” table includes the following incorrect information:

Applications ALG: If an ALG is associated with the session, the name of the ALG. Otherwise, 0.

The correct information is:

Applications ALG: If an ALG is explicitly associated with the policy, the name of the ALG is displayed. If application-protocol ignore is configured, ignore is displayed. Otherwise, 0 is displayed. However, even if this command shows ALG: 0, ALGs might be triggered for packets destined to well-known ports on which ALGs are listening, unless ALGs are explicitly disabled or when application-protocol ignore is not configured for custom applications.

• In this guide, the source-threshold statement incorrectly shows a default value of 1024 per second for number in the Options section. The correct default value is 4000 per second.

• The edit applications application application-name term term-name hierarchy level for the alg (Applications) configuration statement is incorrect. The correct hierarchy level is edit applications application application-name <term term-name>.

Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices

• In this guide, the section “Configuring Layer 2 Bridging and Transparent Mode” includes an incorrect example, “Example: Configuring Layer 2 Trunk Interfaces with Multiple Units.” The example is in error because the SRX Series devices do not support multiple units.

Junos OS Interfaces Configuration Guide for Security Devices

• In this guide, Table 11, “MTU Values for the SRX Series Services Gateways PIMs,” does not specify the maximum MTU and default IP MTU values for the following PIMs:

• 2-Port 10 Gigabit Ethernet XPIM

• 16-Port Gigabit Ethernet XPIM

• 24-Port Gigabit Ethernet XPIM

The following table lists these values:

Table 8: MTU Values for the SRX Series Services Gateways PIMs

PIM                              Default Media MTU (Bytes)   Maximum MTU (Bytes)   Default IP MTU (Bytes)
2-Port 10 Gigabit Ethernet XPIM  1514                        9192                  1500
16-Port Gigabit Ethernet XPIM    1514                        9192                  1500
24-Port Gigabit Ethernet XPIM    1514                        9192                  1500

Junos OS Security Basics

• The topic Understanding Policy Application Timeouts Contingencies under Security Basics > Security Policy Applications for Security Devices > Policy Application Timeout contains erroneous information. It should read as follows:

When setting timeouts, be aware of the following contingencies:

If an application contains several application rule entries, all rule entries share the same timeout. You need to define the application timeout only once. For example, if you create an application with two rules, the following commands will set the timeout to 20 seconds for both rules:

user@host# set applications application test protocol tcp destination-port 1035-1035 inactivity-timeout 20
user@host# set applications application test term test protocol udp
user@host# set applications application test term test source-port 1-65535
user@host# set applications application test term test destination-port 1111-1111

If multiple custom applications are configured with custom timeouts, then each application will have its own custom application timeout. For example:

user@host# set applications application ftp-1 protocol tcp source-port 0-65535 destination-port 2121-2121 inactivity-timeout 10
user@host# set applications application telnet-1 protocol tcp source-port 0-65535 destination-port 2300-2348 inactivity-timeout 20

With this configuration, Junos OS applies a 10-second timeout for destination port 2121 and a 20-second timeout for destination port 2300 in an application group.
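To make the timeout-sharing rule concrete, the following added Python example (not from the release notes) parses the set commands quoted above and resolves the inactivity timeout a session would receive. Entry, Application, parse_set_commands and resolve_timeout are names chosen for this model, and checking applications in configuration order (first match wins) is an assumption of the model, not documented SRX behaviour.

```python
"""Model of how inactivity-timeout applies to custom Junos applications.

Added example, not from the release notes. Entries are parsed from the
'set applications application ...' commands quoted in the text; the rule
modelled is the one the text states: the timeout is defined once per
application and shared by every rule entry of that application (the
application-level match and all of its terms), while each custom
application keeps its own timeout.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class Entry:
    """One rule entry: protocol plus optional source/destination port ranges."""
    protocol: Optional[str] = None
    source_port: Optional[tuple[int, int]] = None
    destination_port: Optional[tuple[int, int]] = None

    def matches(self, protocol: str, dport: int, sport: Optional[int]) -> bool:
        if self.protocol != protocol:
            return False
        if self.destination_port and not (self.destination_port[0] <= dport <= self.destination_port[1]):
            return False
        if sport is not None and self.source_port and not (self.source_port[0] <= sport <= self.source_port[1]):
            return False
        return True


@dataclass
class Application:
    name: str
    inactivity_timeout: Optional[int] = None     # one value for the whole application
    base: Entry = field(default_factory=Entry)   # application-level match
    terms: dict[str, Entry] = field(default_factory=dict)

    def entries(self) -> Iterator[Entry]:
        yield self.base
        yield from self.terms.values()


def _port_range(text: str) -> tuple[int, int]:
    """'2121-2121' -> (2121, 2121); a bare '80' -> (80, 80)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def parse_set_commands(lines: list[str]) -> dict[str, Application]:
    """Build Application objects from 'set applications application NAME ...' lines."""
    apps: dict[str, Application] = {}
    for raw in lines:
        tokens = shlex.split(raw)
        if tokens[:3] != ["set", "applications", "application"] or len(tokens) < 4:
            raise ValueError(f"unsupported command: {raw}")
        app = apps.setdefault(tokens[3], Application(tokens[3]))
        rest = tokens[4:]
        target = app.base
        if len(rest) >= 2 and rest[0] == "term":   # keywords after 'term NAME' belong to that term
            target = app.terms.setdefault(rest[1], Entry())
            rest = rest[2:]
        if len(rest) % 2:
            raise ValueError(f"keyword without value: {raw}")
        for key, value in zip(rest[0::2], rest[1::2]):
            if key == "protocol":
                target.protocol = value
            elif key == "source-port":
                target.source_port = _port_range(value)
            elif key == "destination-port":
                target.destination_port = _port_range(value)
            elif key == "inactivity-timeout":
                app.inactivity_timeout = int(value)  # shared by all entries of the application
            else:
                raise ValueError(f"unsupported keyword {key!r} in: {raw}")
    return apps


def resolve_timeout(apps: dict[str, Application], protocol: str, dport: int,
                    sport: Optional[int] = None) -> Optional[tuple[str, Optional[int]]]:
    """Return (application name, inactivity timeout) for the first matching entry, else None.

    Assumption of this model: applications are checked in configuration order.
    """
    for app in apps.values():
        if any(entry.matches(protocol, dport, sport) for entry in app.entries()):
            return app.name, app.inactivity_timeout
    return None


# The commands quoted in the documentation update above.
CONFIG = [
    "set applications application test protocol tcp destination-port 1035-1035 inactivity-timeout 20",
    "set applications application test term test protocol udp",
    "set applications application test term test source-port 1-65535",
    "set applications application test term test destination-port 1111-1111",
    "set applications application ftp-1 protocol tcp source-port 0-65535 destination-port 2121-2121 inactivity-timeout 10",
    "set applications application telnet-1 protocol tcp source-port 0-65535 destination-port 2300-2348 inactivity-timeout 20",
]
APPS = parse_set_commands(CONFIG)

if __name__ == "__main__":
    for flow in (("tcp", 1035, None), ("udp", 1111, 5000), ("tcp", 2121, 40000), ("tcp", 2300, 40000)):
        print(flow, "->", resolve_timeout(APPS, *flow))
```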

Junos OS Security Configuration Guide

• In “Example: Configuring AppTrack,” of the Junos OS Security Configuration Guide for Security Devices, the set security log mode stream statement was omitted from the log configuration statements. The updated log configuration should read:

user@host# set security log mode stream
user@host# set security log format sd-syslog
user@host# set security log source-address 5.0.0.254
user@host# set security log stream app-track-logs host 5.0.0.1

• In the “Understanding SIP ALGs and NAT” topic, information in the following sections is incorrect:

• Call Re-INVITE Messages

This section incorrectly states:

When one or more media sessions are removed from a call, pinholes are closed and bindings released just as with a BYE message.

The correct information is:

When all the media sessions or media pinholes are removed from a call, the call is removed when a BYE message is received.

• Call Session Timers

This section incorrectly states:

The SIP ALG uses the session-expires value to time out a session if a Re-INVITE or UPDATE message is not received. The ALG receives the session-expires value, if present, from the 200 OK responses to the INVITE and uses this value for signaling timeout. If the ALG receives another INVITE before the session times out, the ALG resets all timeout values to this new INVITE or to default values, and the process is repeated. As a precautionary measure, the SIP ALG uses hard timeout values to set the maximum amount of time a call can exist.

The correct information is (The session-expires value is not supported on SRX Series devices):

As a precautionary measure, the SIP ALG uses hard timeout values to set the maximum amount of time a call can exist.

• Requesting Messages with NAT table

This table incorrectly states:

Outbound Request (from private to public)

Route: Replace ALG address with local address

The correct information is:

Outbound Request (from private to public)

Route: Replace local address with ALG address

• This guide incorrectly lists the following topics. These commands are not supported:

• disable-call-id-hiding

• show security alg sip transactions

Junos OS Security interfaces

• The "Example: Configuring Multilink Frame Relay FRF.16" topic provides the following incorrect configuration information:

Step: Set device R0 as a DCE device.

[edit interfaces lsq-0/0/0]
user@host# set dce

The correct configuration information is:

Step: Set device R0 as a DCE device.

[edit interfaces lsq-0/0/0:0]
user@host# set dce

Junos OS Security Network Address Translation

• In Example: Configuring NAT for Multiple ISPs under Network Address Translation for Security Devices > Configuration > NAT for Multiple ISPs, the statement set routing-options rib-groups isp import-rib inet.0 was omitted from the configuration. The updated configuration should read:

set routing-options rib-groups isp import-rib inet.0
set routing-options rib-groups isp import-rib isp1.inet.0
set routing-options rib-groups isp import-rib isp2.inet.0

In addition, because zone-based address books are not supported for NAT rules, do not use the address-book statements provided in the example; use the global address book instead.

• The command show security nat source persistent-nat-table under Network Address Translation > Administration > Source NAT Operational Commands:

• Is missing the option summary—Display persistent NAT bindings summary.

• Contains incomplete sample output. The corrected sample output is as follows:

user@host> show security nat source persistent-nat-table internal-ip 9.9.9.1 internal-port 60784
           Internal                  Reflective                 Source                   Type             Left_time/  Curr_Sess_Num/  Source
In_IP      In_Port  I_Proto  Ref_IP       Ref_Port  R_Proto  NAT Pool                                  Conf_time   Max_Sess_Num    NAT Rule
9.9.9.1    60784    udp      66.66.66.68  60784     udp      dynamic-customer-source  any-remote-host  254/300     0/30            105

user@host> show security nat source persistent-nat-table all
           Internal                  Reflective                 Source                   Type             Left_time/  Curr_Sess_Num/  Source
In_IP      In_Port  I_Proto  Ref_IP       Ref_Port  R_Proto  NAT Pool                                  Conf_time   Max_Sess_Num    NAT Rule
9.9.9.1    63893    tcp      66.66.66.68  63893     tcp      dynamic-customer-source  any-remote-host  192/300     0/30            105
9.9.9.1    64014    udp      66.66.66.68  64014     udp      dynamic-customer-source  any-remote-host  244/300     0/30            105
9.9.9.1    60784    udp      66.66.66.68  60784     udp      dynamic-customer-source  any-remote-host  254/300     0/30            105
9.9.9.1    57022    udp      66.66.66.68  57022     udp      dynamic-customer-source  any-remote-host  264/300     0/30            105
9.9.9.1    53009    udp      66.66.66.68  53009     udp      dynamic-customer-source  any-remote-host  268/300     0/30            105
9.9.9.1    49225    udp      66.66.66.68  49225     udp      dynamic-customer-source  any-remote-host  272/300     0/30            105
9.9.9.1    52150    udp      66.66.66.68  52150     udp      dynamic-customer-source  any-remote-host  274/300     0/30            105
9.9.9.1    59770    udp      66.66.66.68  59770     udp      dynamic-customer-source  any-remote-host  278/300     0/30            105
9.9.9.1    61497    udp      66.66.66.68  61497     udp      dynamic-customer-source  any-remote-host  282/300     0/30            105
9.9.9.1    56843    udp      66.66.66.68  56843     udp      dynamic-customer-source  any-remote-host  -/300       1/30            105

user@host> show security nat source persistent-nat-table summary
Persistent NAT Table Statistics on FPC5 PIC0:
  binding total  : 65536
  binding in use : 0
  enode total    : 524288
  enode in use   : 0


Monitoring and Troubleshooting for Security Devices Guide

• The Troubleshooting for Security Devices guide is missing information about the edit services rpm probe owner test test-name configuration statement.

Multicast Feature Guide for Security Devices

• The “Configuring MSDP in a Routing Instance” topic incorrectly states the following: “Multicast Source Discovery Protocol (MSDP) is supported on SRX Series devices in any type of custom routing instance.” The following statement is correct: MSDP is not supported in any type of custom routing instance.

Routing Protocols Overview for Security Devices

• The “Understanding Route Preference Values” topic lists the default route preference values for Static and Static LSPs incorrectly. The correct values are as follows:

How Route Is Learned   Default Preference
Static                 5
Static LSPs            6

Security Zones and Interfaces for Security Devices

• The section “Configuring the Device as a DNS Proxy” incorrectly states that when you set a default domain name and specify global name servers, an interface option needs to be configured on the forwarders. The step should be as follows:

Set a default domain name, and specify global name servers according to their IP addresses.

[edit system services]
user@host# set dns dns-proxy default-domain * forwarders 172.17.28.100

User Role Firewall

• In Example: Configuring a User Role Firewall on an SRX Series Device and Acquiring User Role Information from an Active Directory Authentication Server, the redirect-url option in step 2 of the redirection procedure is incorrect. The URL and variables should be enclosed in quotation marks (straight ASCII double quotes, as the CLI expects):

[edit]
user@host# set services unified-access-control captive-portal acs-device redirect-url "https://%ic-url%/?target=%dest-url%&enforcer=%enforcer-id%"


VPN for Security Devices

• In “Example: Configuring a Route-Based VPN,” the show security zones output for the SRX Series device erroneously shows host-inbound-traffic configured for the vpn-chicago zone; this configuration is not included in the CLI Quick Configuration and the Step-by-Step Procedure.

Junos OS WLAN Configuration and Administration Guide

• This guide is missing the information that the AX411 Access Point can be managed from SRX100 and SRX110 devices.

• This guide is missing the information that on all branch SRX devices, managing AX411 WLAN Access Points through a Layer 3 Aggregated Ethernet (ae) interface is not supported.

Various Guides

• Some Junos OS user, reference, and configuration guides—for example the Junos Software Routing Protocols Configuration Guide, Junos OS CLI User Guide, and Junos OS System Basics Configuration Guide—mistakenly do not indicate SRX Series device support in the “Supported Platforms” list and other related support information; however, many of those documented Junos OS features are supported on SRX Series devices. For full, confirmed support information about SRX Series devices, refer to the Junos OS Feature Support Reference for SRX Series and J Series Devices.

Errata for the Junos OS Hardware Documentation

This section lists outstanding issues with the hardware documentation.

J Series Services Routers Hardware Guide

• The procedure “Installing a DRAM Module” omits the following condition:

All DRAM modules installed in the router must be the same size (in megabytes), type, and manufacturer. The router might not work properly when DRAM modules of different sizes, types, or manufacturers are installed.

• This guide incorrectly states that only the J2350 Services Router complies with Network Equipment Building System (NEBS) criteria. It should state that the J2350, J4350, and J6350 routers comply with NEBS criteria.

• This guide is missing information about 100Base-LX connector support for 1-port and 6-port Gigabit Ethernet uPIMs.

SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide

• This guide incorrectly documents that slot 3 of the SRX550 Services Gateway can be used to install GPIMs. The correct information is:

In Table 10: “SRX Series Services Gateway Interface Port Number Examples”, for the 2-Port 10 Gigabit Ethernet XPIM, you can install the XPIM only in slot 6 of the SRX550 Services Gateway.

In Table 44: “Slots for 20-Gigabit GPIMs, for 20-Gigabit GPIM slots”, you can install the GPIM only in slot 6 of the SRX550 Services Gateway.

SRX100 Services Gateway Hardware Guide

• In the “Connecting an SRX100 Services Gateway to the J-Web Interface” section, the following information is missing in the note:

NOTE: Microsoft Internet Explorer version 6.0 is also supported as backward compatible from Microsoft Internet Explorer version 7.0.

SRX210 Services Gateway Hardware Guide

In the “Connecting an SRX210 Services Gateway to the J-Web Interface” section, the following information is missing in the note:

NOTE: Microsoft Internet Explorer version 6.0 is also supported as backward compatible from Microsoft Internet Explorer version 7.0.

• The “SRX210 Services Gateway Specifications” table lists the values for chassis height, chassis width, chassis depth, chassis weight, and noise level incorrectly. The correct values are as follows:

• Chassis height—1.73 in. (44 mm)

• Chassis width—11.02 in. (280 mm)

• Chassis depth—7.13 in. (181 mm)

• Chassis weight:

• 3.46 lb (1.57 kg) for SRX210 Services Gateway without PoE (no interface modules)

• 3.55 lb (1.61 kg) for SRX210 Services Gateway with PoE (no interface modules)

• Noise level—29.1 dB per EN ISO 7779

SRX220 Services Gateway Hardware Guide

• The “SRX220 Services Gateway Specifications” table lists the values for chassis height, chassis width, chassis depth, chassis weight, and noise level incorrectly. The correct values are as follows:

• Chassis height—1.73 in. (44 mm)

• Chassis width—14.29 in. (363 mm)

• Chassis depth—7.13 in. (181 mm)

• Chassis weight:

• 4.52 lb (2.05 kg) for SRX220 models without PoE (no interface modules)

• 4.62 lb (2.10 kg) for SRX220 models with PoE (no interface modules)

• Noise level—51.1 dB per EN ISO 7779

SRX240 Services Gateway Hardware Guide

• In the “Connecting the SRX240 Services Gateway to the J-Web Interface” section, the following information is missing in the note:

NOTE: Microsoft Internet Explorer version 6.0 is also supported as backward compatible from Microsoft Internet Explorer version 7.0.

SRX550 Services Gateway Hardware Guide

• The “SRX550 Services Gateway Front Panel” section incorrectly states that the SanDisk Micro Cruzer 2-GB to 32-GB USB storage devices are supported on SRX550 devices. The SanDisk Micro Cruzer 2-GB to 32-GB USB storage devices are not supported on SRX550 devices.

SRX650 Services Gateway Hardware Guide

• The “Maintaining the SRX650 Services Gateway Power Supply” section incorrectly states that the status of the power supplies on the SRX650 Services Gateway can be checked by issuing the show chassis environment pem command. The show chassis environment pem command is not supported on the SRX650 Services Gateway.

SRX110 Services Gateway 3G USB Modem Quick Start

• The SRX110 Services Gateway 3G USB Modem Quick Start has been updated with the J-Web procedures, and it is available on the Juniper Networks website.

SRX210 Services Gateway 3G ExpressCard Quick Start

• Several tasks are listed in the wrong order. “Task 6: Connect the External Antenna” should appear before “Task 3: Check the 3G ExpressCard Status,” because the user needs to connect the antenna before checking the status of the 3G ExpressCard. The correct order of the tasks is as follows:

1. Install the 3G ExpressCard

2. Connect the External Antenna

3. Check the 3G ExpressCard Status

4. Configure the 3G ExpressCard

5. Activate the 3G ExpressCard Options

• In “Task 6: Connect the External Antenna,” the following sentence is incorrect and redundant: “The antenna has a magnetic mount, so it must be placed far away from radio frequency noise sources including network components.”

• In the “Frequently Asked Questions” section, the answer to the following question contains an inaccurate and redundant statement:


Q: Is an antenna required? How much does it cost?

A: The required antenna is packaged with the ExpressCard in the SRX210 Services Gateway 3G ExpressCard kit at no additional charge. The antenna will have a magnetic mount with ceiling and wall mount kits within the package.

In the answer, the sentence “The antenna will have a magnetic mount with ceiling and wall mount kits within the package” is incorrect and redundant.

SRX210 Services Gateway Quick Start Guide

• The section on installing software packages is missing the following information:

On SRX210 devices, the /var hierarchy is hosted in a separate partition (instead of the root partition). If Junos OS installation fails as a result of insufficient space:

1. Use the request system storage cleanup command to delete temporary files.

2. Delete any user-created files both in the root partition and under the /var hierarchy.

Related Documentation

• New and Changed Features in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 6

• Changes in Behavior and Syntax in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 25

• Known Behavior in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 40

• Known Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 59

• Resolved Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 61

• Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 116

Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers

This section includes the following topics:

• Upgrading and Downgrading among Junos OS Releases on page 116

• Upgrading an AppSecure Device on page 118

• Upgrade and Downgrade Scripts for Address Book Configuration on page 119

• Hardware Requirements for Junos OS Release 12.1X44 for SRX Series Services Gateways and J Series Services Routers on page 121

Upgrading and Downgrading among Junos OS Releases

All Junos OS releases are listed in sequence on the JUNOS Software Dates & Milestones web page:

To help in understanding the examples that are presented in this section, a portion of that table is replicated here. See Table 9 on page 117. Note that releases footnoted with a 1 are Extended End-of-Life (EEOL) releases.

Table 9: Junos Software Dates & Milestones

Product                FRS Date
Junos 12.1X44 (1, 2)   01/18/2013
Junos 12.1             03/28/2012
Junos 11.4 (1)         12/21/2011
Junos 11.3             08/15/2011
Junos 11.2             08/03/2011
Junos 11.1             03/29/2011
Junos 10.4 (1)         12/08/2010
Junos 10.3             08/15/2010
Junos 10.2             05/28/2010
Junos 10.1             02/15/2010
Junos 10.0 (1)         11/04/2009
Junos 9.6              08/06/2009
Junos 9.5              04/14/2009
Junos 9.4              02/11/2009
Junos 9.3 (1)          11/14/2008
Junos 9.2              08/12/2008
Junos 9.1              04/28/2008
Junos 9.0              02/15/2008
Junos 8.5

1 http://www.juniper.net/support/eol/junos.html

You can directly upgrade or downgrade between any two Junos OS releases that are within three releases of each other.


Example: Direct release upgrade

Release 10.3 → Release 11.2 (bypassing Releases 10.4 and 11.1)

To upgrade or downgrade between Junos OS releases that are more than three releases apart, you can upgrade or downgrade first to an intermediate release that is within three releases of the desired release, and then upgrade or downgrade from that release to the desired release.

Example: Multistep release downgrade

Release 11.3 → Release 10.4 → Release 10.3 (bypassing Releases 11.2 and 11.1)

Juniper Networks has also provided an even more efficient method of upgrading and downgrading using the Junos OS EEOL releases. EEOL releases generally occur once a calendar year and can be more than three releases apart. For a list of EEOL releases, go to http://www.juniper.net/support/eol/junos.html

You can directly upgrade or downgrade between any two Junos OS EEOL releases that are within three EEOL releases of each other.

Example: Direct EEOL release upgrade

Release 9.3 (EEOL) → Release 11.4 (EEOL) (bypassing Releases 10.0 [EEOL] and 10.4 [EEOL])

To upgrade or downgrade between Junos OS EEOL releases that are more than three EEOL releases apart, you can upgrade first to an intermediate EEOL release that is within three EEOL releases of the desired EEOL release, and then upgrade from that EEOL release to the desired EEOL release.

Example: Multistep release upgrade using intermediate EEOL release

Release 8.5 (EEOL) → Release 10.4 (EEOL) → Release 11.4 (EEOL) (bypassing Releases 9.3 [EEOL] and 10.0 [EEOL])

You can even use a Junos OS EEOL release as an intermediate upgrade or downgrade step if your desired release is several releases later than your current release.

Example: Multistep release upgrade using intermediate EEOL release

Release 9.6 → Release 10.0 (EEOL) → Release 10.2

For additional information about how to upgrade and downgrade, see the Junos OS Installation and Upgrade Guide.

Upgrading an AppSecure Device

Use the no-validate option for AppSecure Devices.

For devices implementing AppSecure services, use the no-validate option when upgrading from Junos OS Release 11.2 or earlier to Junos OS 11.4R1 or later. The application signature package used with AppSecure services in previous releases has been moved from the configuration file to a signature database. This change in location can trigger an error during the validation step and interrupt the Junos OS upgrade. The no-validate option bypasses this step.

Upgrade and Downgrade Scripts for Address Book Configuration

Beginning with Junos OS Release 12.1, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).

You can either define all address books under the [security] hierarchy in a zone-attached configuration format or under the [security zones] hierarchy in a zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both configuration formats on one system.

Juniper Networks provides Junos operation scripts that allow you to work in either of the address book configuration formats (see Figure 2 on page 120).

• About Upgrade and Downgrade Scripts on page 119

• Running Upgrade and Downgrade Scripts on page 120

• Upgrade and Downgrade Support Policy for Junos OS Releases on page 121

About Upgrade and Downgrade Scripts

After downloading Junos OS Release 12.1, you have the following options for configuring the address book feature:

• Use the default address book configuration—You can configure address books using the zone-defined configuration format, which is available by default. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.

• Use the upgrade script —You can run the upgrade script available on the Juniper Networks support site to configure address books using the new zone-attached configuration format. When upgrading, the system uses the zone names to create address books.

For example, addresses in the trust zone are created in an address book named trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules remain unaffected.

After upgrading to the zone-attached address book configuration:

• You cannot configure address books using the zone-defined address book configuration format; the CLI displays an error and fails to commit.

• You cannot configure address books using the J-Web interface.

For information on how to configure zone-attached address books, see the Junos OS Release 12.1 documentation.

• Use the downgrade script —After upgrading to the zone-attached configuration, if you want to revert to the zone-defined configuration, use the downgrade script available on the Juniper Networks support site. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.


NOTE: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.

Figure 2: Upgrade and Downgrade Scripts for Address Books (flow diagram; the text recovered from the figure is listed below)

1. Download Junos OS Release 11.2 or later (zone-defined address book).

2. Run the upgrade script.

3. Zone-attached address book configuration:

- Global address book is available by default.

- Address book is defined under the security hierarchy.

- Zones need to be attached to address books.

4. Run the downgrade script to return to the zone-defined address book. Note: Make sure to revert any configuration that uses addresses from the global address book.

Running Upgrade and Downgrade Scripts

The following restrictions apply to the address book upgrade and downgrade scripts:

• The scripts cannot run unless the configuration on your system has been committed. Thus, if the zone-defined address book and zone-attached address book configurations are present on your system at the same time, the scripts will not run.

• The scripts cannot run when the global address book exists on your system.

If you upgrade your device to Junos OS Release 12.1 and configure logical systems, the master logical system retains any previously-configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert the existing zone-defined configuration to the zone-attached configuration.

The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.

NOTE: You cannot run the downgrade script on logical systems.


For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3 (a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS Release 11.4 to Junos OS Release 10.3.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.
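The release-distance rules of this policy section and of “Upgrading and Downgrading among Junos OS Releases” above, as an added Python example (not from the release notes): it encodes the release sequence and EEOL marks from Table 9 and plans the shortest chain of supported direct steps between two releases, using the “within three releases” and “within three EEOL releases” rules that the worked examples in that section rely on. RELEASES, is_direct and upgrade_path are names chosen here; treating 8.5 as EEOL follows the multistep example, and 12.1X44 is left unmarked because its footnote is unreadable in the table.

```python
"""Planner for Junos OS upgrade/downgrade paths under the rules stated above.

Added example, not from the release notes. Release order and EEOL marks are
taken from Table 9 of this document. Rules encoded:
  * a direct step is allowed between any two releases at most three releases apart;
  * a direct step is also allowed between two EEOL releases at most three EEOL
    releases apart;
  * anything further is planned as a shortest chain of such direct steps.
Assumptions: 8.5 is treated as EEOL because the multistep example labels it so;
12.1X44 is left unmarked because its footnote is unreadable in the extracted table.
"""
from __future__ import annotations

from collections import deque
from typing import Optional

# Oldest to newest; True marks an EEOL release.
RELEASES = [
    ("8.5", True), ("9.0", False), ("9.1", False), ("9.2", False),
    ("9.3", True), ("9.4", False), ("9.5", False), ("9.6", False),
    ("10.0", True), ("10.1", False), ("10.2", False), ("10.3", False),
    ("10.4", True), ("11.1", False), ("11.2", False), ("11.3", False),
    ("11.4", True), ("12.1", False), ("12.1X44", False),
]
INDEX = {name: i for i, (name, _) in enumerate(RELEASES)}
EEOL_INDEX = {name: i for i, name in enumerate(n for n, eeol in RELEASES if eeol)}
MAX_SPAN = 3  # "within three releases of each other"


def is_direct(src: str, dst: str) -> bool:
    """True if a single upgrade or downgrade step from src to dst is supported."""
    if abs(INDEX[src] - INDEX[dst]) <= MAX_SPAN:
        return True
    if src in EEOL_INDEX and dst in EEOL_INDEX:
        return abs(EEOL_INDEX[src] - EEOL_INDEX[dst]) <= MAX_SPAN
    return False


def _neighbours(release: str, dst: str) -> list[str]:
    """Direct hops from release: EEOL hops first, then the hop landing nearest the target."""
    hops = [r for r in INDEX if r != release and is_direct(release, r)]
    return sorted(hops, key=lambda r: (r not in EEOL_INDEX, abs(INDEX[r] - INDEX[dst])))


def upgrade_path(src: str, dst: str) -> Optional[list[str]]:
    """Shortest chain of supported direct steps from src to dst (breadth-first search)."""
    if src == dst:
        return [src]
    parent: dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        current = queue.popleft()
        for nxt in _neighbours(current, dst):
            if nxt in parent:
                continue
            parent[nxt] = current
            if nxt == dst:
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    for src, dst in (("10.3", "11.2"), ("11.3", "10.3"), ("8.5", "11.4"), ("10.3", "11.4")):
        print(f"{src} -> {dst}: {' -> '.join(upgrade_path(src, dst))}")
```

The four pairs in the usage block reproduce the document's own examples: a direct step, the multistep downgrade, the EEOL-to-EEOL chain, and the non-EEOL release that must first reach 10.4.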

Hardware Requirements for Junos OS Release 12.1X44 for SRX Series Services Gateways and J Series Services Routers

Transceiver Compatibility for SRX Series and J Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used on SRX Series and J Series interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport small form-factor pluggable (SFP) interface modules as long as they are provided by Juniper Networks.

We cannot guarantee that the interface module will operate correctly if third-party transceivers are used.

Please contact Juniper Networks for the correct transceiver part number for your device.

Power and Heat Dissipation Requirements for J Series PIMs

On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs fall within the power and heat dissipation capacity of the chassis. If power management is enabled and the capacity is exceeded, the system prevents one or more of the PIMs from becoming active.

CAUTION: Disabling the power management can result in hardware damage if you overload the chassis capacities.


You can also use CLI commands to choose which PIMs are disabled. For details about calculating the power and heat dissipation capacity of each PIM and for troubleshooting procedures, see the J Series Services Routers Hardware Guide.

Supported Third-Party Hardware

The following third-party hardware is supported for use with J Series Services Routers running Junos OS.

• USB Modem—We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR 5637.

• Storage Devices—The USB slots on J Series Services Routers accept a USB storage device or USB storage device adapter with a CompactFlash card installed, as defined in the CompactFlash Specification published by the CompactFlash Association. When the USB device is installed and configured, it automatically acts as a secondary boot device if the primary CompactFlash card fails on startup. Depending on the size of the USB storage device, you can also configure it to receive any core files generated during a router failure. The USB device must have a storage capacity of at least 256 MB.

Table 10 on page 122 lists the USB and CompactFlash card devices supported for use with the J Series Services Routers.

Table 10: Supported Storage Devices on the J Series Services Routers

Manufacturer                                                            Storage Capacity   Third-Party Part Number
SanDisk—Cruzer Mini 2.0                                                 256 MB             SDCZ2-256-A10
SanDisk                                                                 512 MB             SDCZ3-512-A10
SanDisk                                                                 1024 MB            SDCZ7-1024-A10
Kingston                                                                512 MB             DTI/512KR
Kingston                                                                1024 MB            DTI/1GBKR
SanDisk—ImageMate USB 2.0 Reader/Writer for CompactFlash Type I and II  N/A                SDDR-91-A15
SanDisk CompactFlash                                                    512 MB             SDCFB-512-455
SanDisk CompactFlash                                                    1 GB               SDCFB-1000.A10

J Series CompactFlash and Memory Requirements

Table 11 on page 123 lists the CompactFlash card and DRAM requirements for J Series Services Routers.


Table 11: J Series CompactFlash Card and DRAM Requirements

Model   Minimum CompactFlash Card Required   Minimum DRAM Required   Maximum DRAM Supported
J2320   1 GB                                 1 GB                    1 GB
J2350   1 GB                                 1 GB                    1 GB
J4350   1 GB                                 1 GB                    2 GB
J6350   1 GB                                 1 GB                    2 GB

Related Documentation

New and Changed Features in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 6

Changes in Behavior and Syntax in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 25

Known Behavior in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 40

Known Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 59

Resolved Issues in Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 61

Documentation Updates for Junos OS Release 12.1X44 for Branch SRX Series Services Gateways and J Series Services Routers on page 105


Junos OS 12.1X44 Release Notes

Junos OS Release Notes for High-End SRX Series Services Gateways

Powered by Junos OS, Juniper Networks high-end SRX Series Services Gateways provide robust networking and security services. High-end SRX Series Services Gateways are designed to secure enterprise infrastructure, data centers, and server farms. The high-end SRX Series Services Gateways include the SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

New and Changed Features in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 124

Changes in Behavior and Syntax in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 149

Known Behavior in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 168

Known Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 184

Resolved Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 186

Documentation Updates for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 234

Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 243

New and Changed Features in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

The following features have been added to Junos OS Release 12.1X44. Following each description are the titles of the topics and pathway pages to consult for more information on the feature.

Release 12.1X44-D30 Software Features

Routing Protocols

• Beginning with Junos OS Release 12.1X44-D30, OSPFv2 interfaces are supported on non-broadcast multiaccess (NBMA) networks and point-to-point access networks on high-end SRX Series devices.

When you configure OSPFv2 on an NBMA network, OSPFv2 operates by default in point-to-multipoint mode. In this mode, OSPFv2 treats the network as a set of point-to-point links. Because there is no autodiscovery mechanism, you must configure each neighbor.

An NBMA interface behaves similarly to a point-to-multipoint interface but requires election and operation of a designated router and a backup designated router.

Use the following CLI commands to configure an OSPFv2 interface on an NBMA or a point-to-multipoint network:


• set protocols ospf area area-number interface interface-name neighbor address-of-neighbor

• set protocols ospf area area-number interface interface-name interface-type (nbma | p2mp)

Release 12.1X44-D20 Software Features

Application Layer Gateways (ALG)

• Transparent mode support for ALGs—This feature is supported on all high-end SRX Series devices.

Beginning with Junos OS Release 12.1X44-D20, Avaya H.323, G-H323, IKE, MGCP, MS RPC, PPTP, RSH, SUN RPC, SCCP, SIP, SQL, and TALK ALGs support Layer 2 transparent mode. Transparent mode on SRX Series devices provides standard Layer 2 switching capabilities and full security services.

In transparent mode, the SRX Series device filters packets that traverse the device without modifying any of the source or destination information in the packet MAC headers. Transparent mode is useful for protecting servers that mainly receive traffic from untrusted sources because there is no need to reconfigure the IP settings of routers or protected servers.

NOTE: Transparent mode is supported on all data and VOIP ALGs.

A device operates in Layer 2 transparent mode when all physical interfaces on the device are configured as Layer 2 interfaces. There is no command to define or enable transparent mode on the device. The device operates in transparent mode when there are interfaces defined as Layer 2 interfaces. The device operates in route mode (the default mode) if there are no physical interfaces configured as Layer 2 interfaces.

[Layer 2 Bridging and Transparent Mode Overview]

[Layer 2 Bridging and Switching for Security Devices]

[Layer 2 Bridging and Transparent Mode for Security Devices]

[Transparent Mode]

Release 12.1X44-D15 Hardware Features

Chassis Grounding for SRX1400 Through SRX5800 Services Gateways

WARNING: In order to meet safety and electromagnetic interference (EMI) requirements and to ensure proper operation, you must properly ground the services gateway chassis before connecting power. This requirement applies to the following services gateway models without exception:

• SRX1400 Services Gateway

• SRX3400 Services Gateway

• SRX3600 Services Gateway

• SRX5600 Services Gateway

• SRX5800 Services Gateway

For all services gateway models, the accessory box shipped with the device includes one cable lug that attaches the grounding cable to the services gateway chassis. The cable lug is shown in Figure 3 on page 126.

Figure 3: Grounding Cable Lug (drawing not reproduced; it shows an end view, the crimp area for a 6 AWG conductor, a 0.28 diameter for each hole, and the lug dimensions 2.25, 0.55, 0.08, 0.25, 0.625, and 0.37; all measurements in inches)

Before services gateway installation begins, a licensed electrician must attach the cable lug to the grounding cable that you supply. A cable with an incorrectly attached lug can damage the services gateway. The grounding cable must be no smaller than specified in Table 12 on page 126, or as required by local electrical codes:

Table 12: Grounding Cable Wire Specification

Services Gateway Type | Grounding Cable Wire Specification
SRX1400 Services Gateway | 14-AWG (2.1 mm²), minimum 60°C wire
SRX3400 Services Gateway | 10-AWG (5.3 mm²), minimum 60°C wire
SRX3600 Services Gateway | 10-AWG (5.3 mm²), minimum 60°C wire
SRX5600 Services Gateway | 6-AWG (13.3 mm²), minimum 60°C wire
SRX5800 Services Gateway | 6-AWG (13.3 mm²), minimum 60°C wire


NOTE: For the SRX5800 services gateway models, we previously specified 10-AWG wire for the grounding cable. Where you have installed such grounding cables, you can safely leave them in service. However, all new installations of SRX5800 Services Gateways must have grounding cables sized according to Table 12 on page 126.

If you have lost the grounding cable lug supplied with the services gateway, contact your Juniper Networks representative to obtain a replacement.

Figure 4 on page 127 through Figure 8 on page 129 show the locations of the chassis grounding points on the listed SRX Series Services Gateway models. We recommend that you confirm that your services gateway chassis is properly grounded as soon as practical. For full instructions on grounding the services gateway chassis, see the hardware documentation for your services gateway.

Figure 4: Connecting the Grounding Cable, SRX1400 Services Gateway

Figure 5: Connecting the Grounding Cable, SRX3400 Services Gateway

Figure 6: Connecting the Grounding Cable, SRX3600 Services Gateway

Figure 7: Connecting the Grounding Cable, SRX5600 Services Gateway

Figure 8: Connecting the Grounding Cable, SRX5800 Services Gateway (figure labels: M6 (Metric) Grounding Point; 1/4-20 Grounding Point)

Release 12.1X44-D15 Software Features

The following features are supported on next-generation SPCs on SRX5600 and SRX5800 devices:

• Intrusion detection and prevention (IDP)—Next-generation SPCs support IDP and AppSecure functionality.


• Application firewall and user firewall—Support for application firewall rule sets and rules and for user firewall policies has been increased as follows:

Maximum AppFW Rules Maximum Network Policies

56,000 112,000 80,000

64,000

Maximum Network Policies

80,000

Release 12.1X44-D10 Hardware Features

• Chassis cluster SPC insert—For services gateways from the SRX3000 line or the SRX5000 line configured in a chassis cluster, you can install additional Services Processing Cards (SPCs) in the services gateways in the cluster without incurring downtime on your network.

To perform such an installation, your devices must meet the following conditions:

• If the chassis cluster is in active/active mode, you must transition it to active/passive mode before using this procedure. You transition the cluster to active/passive mode by making one node primary for all redundancy groups.

• Both of the services gateways in the cluster must be running Junos OS Release 11.4R2-S1, 12.1X44-D10, or later.

• You must install SPCs of the same type in both of the services gateways in the cluster.

• You must install the SPCs in the same slots in each chassis.

• You must install the SPCs so that they are not the SPCs with the lowest-numbered slots in the chassis. For example, if the chassis already has two SPCs with one SPC each in slots 2 and 3, you cannot install additional SPCs in slots 0 or 1 using this procedure.

NOTE: During this installation procedure, you must shut down both devices one at a time. During the period when one device is shut down, the remaining device is operating without a backup. If that remaining device fails for any reason, you incur network downtime until you restart at least one of the devices.

[SRX3400 Services Gateway Hardware Guide]

[SRX3600 Services Gateway Hardware Guide]

[SRX5600 Services Gateway Hardware Guide]


[SRX5800 Services Gateway Hardware Guide]

• Second Services Processing Card in SRX1400 Services Gateway—When running Junos OS Release 12.1X44-D10 or later, the SRX1400 Services Gateway supports a Services Processing Card (SPC) installed in the front panel slot labeled 2, which acts as the central point (CP). Installing an SPC in slot 2 improves the services gateway performance and increases the session capacity from 500,000 to 1,500,000.

[Understanding Chassis Cluster Control Links]

[Understanding Chassis Cluster Formation]

[Understanding Chassis Cluster Redundancy Group IP Address Monitoring]

[Connecting Dual Control Links for SRX Series Devices in a Chassis Cluster]

[show chassis fpc (View)]

[SRX1400 Services Gateway Hardware Guide]

• Network Processing I/O Card SRX1K3K-NP-2XGE-SFPP for SRX1400, SRX3400, and SRX3600 Services Gateways—Junos OS Release 12.1X44-D10 supports the new Network Processing I/O card (NP-IOC) SRX1K3K-NP-2XGE-SFPP (Figure 9 on page 131).

The NP-IOC is an IOC that includes its own Network Processing Unit (NPU), so that traffic traversing the NP-IOC does not have to also traverse the services gateway bus to a remote NPC. This feature makes the NP-IOC well-suited to low-latency applications. The NP-IOC is inserted horizontally into the midplane of the services gateway to communicate with the Switch Fabric Board (SFB) and to receive power.

To use fiber interface media, install enhanced small form-factor pluggable plus (SFP+) transceivers on the desired ports. LEDs on the faceplate of the NP-IOC indicate port status and connectivity. The SFP+ ports are numbered 0 through 1 from left to right.

Figure 9: NP-IOC SRX1K3K-NP-2XGE-SFPP

The NP-IOC is supported in the following slots in the SRX1400, SRX3400, and SRX3600 Services Gateways:

• SRX1400: Front slot labeled 2

• SRX3400: Front slots labeled 1-4 and rear slots labeled 5-7

• SRX3600: Front slots labeled 1-6 and rear slots labeled 7-12

NOTE: You can install NP-IOCs instead of NPCs and IOCs in the SRX3400 or SRX3600 Services Gateway. However, if no NPCs are present, the Ethernet ports on the SFB are not functional.


• SRX5600 Services Gateway high-capacity power supplies and fan tray—With Junos OS Release 12.1X44-D10, the SRX5600 Services Gateway supports new high-capacity AC and DC power supplies, and also a new high-capacity fan tray. These components increase the power and cooling capacity so that the services gateway can support high-performance cards such as the SRX5K-SPC-4-15-320 next-generation SPC.

The high-capacity AC power supply and the high-capacity fan tray are similar in appearance to their standard-capacity counterparts. The high-capacity DC power supply has an added DIP switch on its faceplate that lets you configure the device for either 60 A or 70 A maximum input current. See Figure 10 on page 132.

Figure 10: DC High-Capacity Power Supply Input Mode Switch

• SRX5800 Services Gateway high-capacity DC power supply—Starting with Junos OS Release 10.4, the SRX5800 Services Gateway supported high-capacity AC power supplies and also high-capacity fan trays and air filters. With Junos OS Release 12.1X44-D10, the services gateway also supports high-capacity DC power supplies (Figure 11 on page 133). These components increase the power and cooling capacity of the services gateway so that it can support high-performance cards such as the SRX5K-SPC-4-15-320 next-generation SPC.

High-capacity DC power supplies provide a maximum power of 4100 W. Two high-capacity DC power supplies are required, and you can install four high-capacity DC power supplies for redundancy. Each high-capacity DC power supply has inlets for two DC power feeds. The four power connectors (-48V and RTN for each of the two inlets) are located behind a clear plastic cover near the bottom of the power supply.

Each DC power inlet you use requires a dedicated DC power feed and a dedicated 15 A (250 VAC) circuit breaker.


Figure 11: SRX5800 Services Gateway High-Capacity DC Power Supply

NOTE:

• The services gateway cannot be powered from standard-capacity and high-capacity DC power supplies simultaneously. The one exception is during the process of replacing standard-capacity DC power supplies with high-capacity DC power supplies, when it is permissible to have both types installed briefly.

• The high-capacity DC power supply will operate with only one of its two DC inlets connected to a DC power feed. However, the DC output will be limited to a maximum of 1700 W. We recommend that you connect two DC power feeds to each high-capacity DC power supply.

Release 12.1X44-D10 Software Features

Application Layer Gateways (ALGs)

• Real-Time Streaming Protocol (RTSP) interleave mode—This feature is supported on all high-end SRX Series devices.

This feature is an enhancement to the current RTSP ALG. In most use cases the network carries UDP media streams based on an RTSP TCP connection, but there has been an increase in demand for the use of interleaving mode, in which both media and control share the same TCP connection. The key reason to use interleaving is the ability to traverse firewalls. Because of the lower security restrictions around TCP port 80 to support Web traffic, RTSP makes use of interleaving mode for including media in the same connection to traverse firewalls.

[Understanding ALG Types]

• On SRX3600 devices, the new application junos-sun-rpc-any has been added. This CLI provides you a simple way to enable all the Sun RPC applications. You do not have to configure any specific Sun RPC applications.

[Understanding Sun RPC ALGs]

AppSecure

• AppFW rule set features expanded—This feature is supported on all high-end SRX Series devices.

AppFW has been enhanced to broaden the rule set options for defining an application-aware firewall. With the new enhancements you can:

• Choose to close a TCP connection when matching traffic is rejected.

• Define explicit, coexisting permit rules and deny rules in a single rule set.

• Control SSL traffic more effectively with cleartext or encrypted options in AppFW rules.

• Display session logs to view new session create, deny, and close messages that describe the AppFW actions that have been taken.

• Display AppFW rules that are shadowed by others in the same rule set so that you can remove redundancy and avoid errors.

[Application Firewall]
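The shadowed-rule display is the one item in the list above that hides an algorithm: under first-match evaluation, a later rule whose every possible match is already claimed by an earlier rule can never fire, so it is dead weight and usually a configuration mistake. The following Python is an added example, not Junos code and not the device's own implementation; it models a rule set with the AppFW options the release note describes (a list of dynamic applications, a cleartext/encrypted SSL qualifier, and a permit/deny/reject action) and runs a conservative shadowing check plus a first-match evaluator over it. The rule names, application names, field names, and the "None means any application" convention are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


# Constructed model of an AppFW rule: dynamic applications it matches
# (None = any application), an SSL qualifier, and the action it takes.
@dataclass(frozen=True)
class AppFwRule:
    name: str
    apps: Optional[FrozenSet[str]]   # None means "match any dynamic application"
    ssl_encryption: str              # "any", "yes" (encrypted) or "no" (cleartext)
    action: str                      # "permit", "deny" or "reject" (deny + TCP close)


def covers(earlier: AppFwRule, later: AppFwRule) -> bool:
    """True if every session 'later' could match is already matched by 'earlier'."""
    if earlier.apps is None:
        apps_covered = True
    elif later.apps is None:
        apps_covered = False          # "any" is never fully covered by a finite list
    else:
        apps_covered = later.apps <= earlier.apps
    ssl_covered = earlier.ssl_encryption in ("any", later.ssl_encryption)
    return apps_covered and ssl_covered


def shadowed_rules(rules: List[AppFwRule]) -> List[Tuple[str, str]]:
    """Return (shadowed_rule, shadowing_rule) pairs under first-match evaluation.

    Conservative: a rule is reported only when one earlier rule covers it
    entirely. A rule whose matches are split across several earlier rules is
    also dead, but this check does not report it.
    """
    found = []
    for idx, later in enumerate(rules):
        for earlier in rules[:idx]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def first_match(rules: List[AppFwRule], app: str, encrypted: bool) -> Optional[str]:
    """Evaluate one session against the rule set and return the action taken."""
    ssl = "yes" if encrypted else "no"
    for rule in rules:
        if rule.apps is not None and app not in rule.apps:
            continue
        if rule.ssl_encryption not in ("any", ssl):
            continue
        return rule.action
    return None                       # no explicit rule: the rule set's default applies


# Constructed rule set: r2 can never fire because r1 already takes every HTTP
# session regardless of encryption; r4 is only partly covered and is kept.
EXAMPLE_RULES = [
    AppFwRule("r1", frozenset({"junos:HTTP"}), "any", "permit"),
    AppFwRule("r2", frozenset({"junos:HTTP"}), "yes", "deny"),
    AppFwRule("r3", frozenset({"junos:SSL"}), "yes", "reject"),
    AppFwRule("r4", frozenset({"junos:SSL", "junos:HTTP"}), "no", "deny"),
]

if __name__ == "__main__":
    for dead, by in shadowed_rules(EXAMPLE_RULES):
        print(f"rule {dead} is shadowed by rule {by}")
    print(first_match(EXAMPLE_RULES, "junos:HTTP", encrypted=True))   # permit (r1), r2 never fires
```

The check flags r2 but not r4: r4's HTTP/cleartext sessions are taken by r1 and its SSL/cleartext sessions are not taken by anything, so it still does work. Reading the device's own shadowed-rule output before committing a rule set is the equivalent operational step.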

• Application identification at Layer 3 and Layer 4—This feature is supported on all high-end SRX Series devices.

New services application-identification configuration options allow the ICMP type or code, the IP protocol, and the source or destination addresses that are available at Layer 3 or Layer 4 to be mapped to an application. When implementing AppSecure services, such as AppFW, AppTrack, or AppQoS, you can apply Layer 3 or Layer 4 mapping techniques to bypass Layer 7 signature-based mapping whenever applicable and improve the efficiency of the network. The mapping techniques work as follows:

• Address mapping associates traffic to or from particular addresses with a known application.

• ICMP mapping associates the type or code of ICMP messages with a known application.

• IP protocol mapping applies to IP traffic only and associates a particular IP protocol with a known application.

[Application Identification for Security Devices]


• Session resumption and renegotiation with SSL proxy—This feature is supported on all high-end SRX Series devices.

The computational overhead for a complete SSL handshake and master key generation can be considerable. To reduce overhead, you can use session resumption with SSL proxy to cache session parameters such as the pre-master secret key, selected ciphers, and so forth. When a subsequent connection is attempted, the client and server can resume the previous session by specifying its session ID.

With session renegotiation, you can modify SSL parameters for a connection. Session renegotiation can be used to refresh cipher keys for a prolonged SSL session.

[SSL Proxy Overview]

Chassis Cluster

• Logical interface scaling—On all high-end SRX Series devices, chassis cluster failover performance has been optimized to scale with more logical interfaces.

During redundancy group failover, Generic Attribute Registration Protocol (GARP) is sent on each logical interface to steer the traffic to the appropriate node. GARP was sent by the Juniper Services Redundancy Protocol (jsrpd) process running in the Routing Engine in the previous release of Junos OS.

With logical interface scaling, the Routing Engine becomes the checkpoint and GARP is sent directly from the Services Processing Unit (SPU).

[Understanding Chassis Cluster Redundancy Group Failover]

Flow and Processing

• Network processor offloading—This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

With this feature, when a network processor fails to identify a session for a packet, it sends the packet to a selected SPU instead of forwarding the packet to a central point.

The network processor forwards packets to SPUs based on certain algorithms. This approach avoids overloading of the central point. To enable network processor offloading, use the set security forwarding-process application-services session-distribution-mode hash-based command.

NOTE:

• You must reboot the device for the configuration to take effect.

• Currently network processor offloading is supported only on IPv4 traffic.

[SRX5600 and SRX5800 Services Gateways Processing Overview]

[Junos OS CLI Reference]

• Transparent mode support for IPv6 flows—This feature is supported on all high-end SRX Series devices.

In transparent mode, the SRX Series device filters packets that traverse the device without modifying any of the source or destination information in the packet MAC headers. Transparent mode is useful for protecting servers that mainly receive traffic from untrusted sources because there is no need to reconfigure the IP settings of routers or protected servers. In Junos OS Release 12.1X44-D10, IPv6 traffic is supported for transparent mode on the specified SRX Series devices.

A device operates in Layer 2 transparent mode when all physical interfaces on the device are configured as Layer 2 interfaces. There is no command to define or enable transparent mode on the device. The device operates in transparent mode when there are interfaces defined as Layer 2 interfaces. The device operates in route mode (the default mode) if there are no physical interfaces configured as Layer 2 interfaces.

By default, IPv6 flows are dropped on security devices. To enable processing by security features such as zones, screens, and firewall policies, you must enable flow-based forwarding for IPv6 traffic with the mode flow-based configuration option at the [edit security forwarding-options family inet6] hierarchy level. A device reboot is required when you change the mode.

Configuring bridge domains and Layer 2 logical interfaces for IPv6 flows is the same as configuring bridge domains and Layer 2 logical interfaces for IPv4 flows. You can optionally configure an integrated routing and bridging (IRB) interface for management traffic in a bridge domain. The IRB interface is the only Layer 3 interface allowed in transparent mode. The IRB interface on the SRX Series device does not support traffic forwarding or routing. The IRB interface can be configured with both IPv4 and IPv6 addresses.

[Understanding IPv6 Flows in Transparent Mode]

• 64-bit support for Junos OS security features—This feature is supported on all high-end SRX Series devices.

The 64-bit support increases the session scalability for both the SPC and the central point. The exact increase in the session scalability also depends on whether IDP is enabled or not for the application and on the configuration, such as combo Services Processing Unit (SPU). The 64-bit support also increases the capacity for various services such as NAT, ALG, GTP, and so on.

General Packet Radio Service (GPRS)

This feature is supported on all high-end SRX Series devices.

A GPRS support node (GSN) identifies a Mobile Station (MS) by its International Mobile Subscriber Identity (IMSI). An IMSI consists of three elements: the mobile country code (MCC), the mobile network code (MNC), and the Mobile Subscriber Identification Number (MSIN). The MCC and MNC combined constitute the IMSI prefix and identify the mobile subscriber’s home network, or public land mobile network (PLMN).

By setting IMSI prefixes, you can configure the device to deny GPRS tunneling protocol (GTP) traffic coming from nonroaming partners. By default, a device does not perform IMSI prefix filtering on GTP packets.

This feature extends the length of the IMSI filter length from 5 or 6 digits to 15 digits, which is the full length for the IMSI filter. You can set the IMSI prefix as a wildcard character (*) or enter any digit from 0 to 9.


NOTE: If the IMSI prefix string is shorter than 15 digits, the wildcard character (*) is appended to the string automatically, so you do not type it yourself. For example, if you enter 12345*, the device displays an invalid entry.

• GTP APN filtering—A device can filter GTP packets based on the combination of an IMSI prefix and an access point name (APN). When you filter GTP packets based on an IMSI prefix, you must also specify an APN.

An APN string is case-insensitive. For instance, if you set two APN strings, WWW.SINA.COM.CN and www.sina.com.cn, with the same IMSI prefix value as in the following example, the lowercase string is displayed after the uppercase string, and the packet is dropped.

user@host# edit security gprs gtp profile test apn WWW.SINA.COM.CN imsi-prefix * action pass
user@host# edit security gprs gtp profile test apn www.sina.com.cn imsi-prefix * action drop

To view the output, use the following command:

user@host> show configuration security gprs gtp profile test

If an APN is configured with two IMSI prefix entries, the IMSI prefix with the longest match takes priority. For example, see the following configuration:

user@host# edit security gprs gtp profile test apn WWW.SINA.COM.CN imsi-prefix 12345678 action pass
user@host# edit security gprs gtp profile test apn www.sina.com.cn imsi-prefix 12345 action drop

To view the output, use the following command:

user@host> show configuration security gprs gtp profile test

If an incoming packet value matches the IMSI prefix value 12345678, the packet passes. The IMSI prefix value 12345678 takes precedence over the IMSI prefix value 12345, because the longest matched IMSI prefix takes priority.

[General Packet Radio Service for Security Devices]
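The IMSI-prefix and APN behaviour described above (case-insensitive APN comparison, longest-prefix priority, and the 15-digit wildcard rule from the NOTE) is a small matching algorithm, and it is easier to reason about its edge cases in code than from two configuration snippets. The following Python is an added example, not Junos code and not a description of the device's internal implementation; it re-creates the profile from the second example on the page and decides the action for sample packets. The entry and function names are constructed for the example, and two points the page leaves open are handled by labelled assumptions: a packet that matches no entry returns None so the caller applies its own default, and when two entries tie on prefix length the drop action wins, which is consistent with the outcome the page reports for its first example.

```python
from typing import List, NamedTuple, Optional

IMSI_MAX_DIGITS = 15          # full IMSI length; a shorter prefix is wildcarded (see the NOTE)


class GtpFilterEntry(NamedTuple):
    apn: str           # access point name, compared case-insensitively
    imsi_prefix: str   # "*" alone, or 1-15 digits (trailing "*" is implied, never typed)
    action: str        # "pass" or "drop"


def validate_prefix(prefix: str) -> str:
    """Normalise an IMSI prefix as the page describes: '*' means any IMSI, a
    string of 1-15 digits matches IMSIs that begin with it, and anything else
    (including an explicit trailing '*', e.g. '12345*') is an invalid entry."""
    if prefix == "*":
        return ""                      # empty prefix: every IMSI starts with it
    if prefix.isdigit() and 1 <= len(prefix) <= IMSI_MAX_DIGITS:
        return prefix
    raise ValueError(f"invalid IMSI prefix: {prefix!r}")


def gtp_filter_action(entries: List[GtpFilterEntry], apn: str, imsi: str) -> Optional[str]:
    """Pick the action for one GTP packet: match the APN case-insensitively,
    then prefer the entry with the longest matching IMSI prefix.

    Returns None when no entry applies (assumption: the page states no default,
    so the caller decides). Assumption on ties: equal-length prefixes resolve
    to 'drop' over 'pass', matching the page's first example."""
    if not (imsi.isdigit() and 1 <= len(imsi) <= IMSI_MAX_DIGITS):
        raise ValueError(f"IMSI must be 1-{IMSI_MAX_DIGITS} digits: {imsi!r}")
    best_len = -1
    best_action = None
    for entry in entries:
        if entry.apn.lower() != apn.lower():
            continue
        prefix = validate_prefix(entry.imsi_prefix)
        if not imsi.startswith(prefix):
            continue
        longer = len(prefix) > best_len
        tie_to_drop = len(prefix) == best_len and entry.action == "drop"
        if longer or tie_to_drop:
            best_len, best_action = len(prefix), entry.action
    return best_action


# Constructed profile mirroring the page's second example: the 8-digit prefix
# outranks the 5-digit one for any IMSI that matches both.
PROFILE_TEST = [
    GtpFilterEntry("WWW.SINA.COM.CN", "12345678", "pass"),
    GtpFilterEntry("www.sina.com.cn", "12345", "drop"),
]

if __name__ == "__main__":
    print(gtp_filter_action(PROFILE_TEST, "www.sina.com.cn", "123456789012345"))  # pass
    print(gtp_filter_action(PROFILE_TEST, "www.sina.com.cn", "123450000000000"))  # drop
```

Because a shorter prefix is silently wildcarded, a typo that drops digits from a prefix widens the set of IMSIs it matches rather than narrowing it; the validate_prefix step and a review of show configuration security gprs gtp profile output are the places to catch that.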

• SCTP optimization for carriers (packet drop and stability)—This feature is supported on all high-end SRX Series devices.

Stream Control Transmission Protocol (SCTP) is used in carrier networks for the transport of telephony (Signaling System 7) protocols over IP, with the goal of duplicating some of the reliability attributes of the SS7 signaling network in IP networks.

SCTP optimization is done to:

• Avoid the multithread infrastructure problems when traffic is high

• Improve the SCTP association searching rate (association lookup process speed is increased) by SCTP hash table optimization on the SPU

• Improve the finite state machine (FSM) for retransmission cases


NOTE: Because there is no dynamic policy for SCTP, you must configure all policies for the required SCTP sessions.

To view the SCTP associations, use the show security gprs sctp association command.

[Understanding Stream Control Transmission Protocol ]

[show security gprs sctp association]

[Junos OS CLI Reference]

• SGSN roaming in GGSN pooling scenarios—This feature is supported on all high-end SRX Series devices.

This feature allows the General Packet Radio Service (GPRS) tunneling protocol (GTP) to support different Gateway GPRS Support Node (GGSN) IP addresses when creating tunnels.

This feature supports the following two pooling scenarios:

Scenario 1: GGSN uses a response packet’s source IP address that is different from the request packet’s destination IP address to send a response message to the Serving GPRS Support Node (SGSN).

Scenario 2: SGSN or GGSN uses a response packet’s source IP address that is different from the payload GSN IP address for the GGSN tunneling protocol, control (GTP-C) and GGSN tunneling protocol, user plane (GTP-U) tunnel creation procedures.

[General Packet Radio Service]

[General Packet Radio Service for Security Devices]

Services Processing Card SRX5K-SPC-4-15-320 Features

• Next-generation Services Processing Card (SPC)—Junos OS Release 12.1X44-D10 supports a next-generation Services Processing Card (SPC) (SRX5K-SPC-4-15-320) on SRX5600 and SRX5800 devices.

The next-generation SPC uses a high-performance, multicore and multithreaded processor to enhance firewall, IPsec, and IDP services to scale in capacity and performance.

The SRX5K-SPC-4-15-320 is a next-generation Services Processing Card (SPC). It contains four Services Processing Units (SPUs), as opposed to the two SPUs of the earlier SRX5K-SPC-2-10-40 SPC. It also offers higher per-SPU performance than the older SPC.

If your services gateway contains a mix of SRX5K-SPC-4-15-320 SPCs and SRX5K-SPC-2-10-40 SPCs, an SRX5K-SPC-4-15-320 SPC must occupy the lowest-numbered slot of any SPC in the chassis. This configuration ensures that the central point (CP) function is performed by the faster and higher-performance SPC type.


NOTE:

• You must have high-capacity power supplies (either AC or DC) and high-capacity fan trays installed in the services gateway in order to install and use SRX5K-SPC-4-15-320 SPCs. On the SRX5800 Services Gateway, you must also install the high-capacity air filter. If you do not have high-capacity power supplies and fan trays installed, the services gateway will log an alarm condition when it recognizes the SRX5K-SPC-4-15-320 SPCs.

• On SRX5600 Services Gateways with AC power supplies, we recommend that you use high-line (220 V) input power to ensure the device has adequate power to support SRX5K-SPC-4-15-320 SPCs.

SPCs are common form-factor module (CFM) cards that provide the processing power to run integrated services such as firewall, IPsec, and IDP. All traffic traversing the services gateway is passed to an SPC to have services processing applied to it. Traffic is intelligently distributed by Network Processing Cards (NPCs) to SPCs for services processing, including session setup based on policies, fast-packet processing for packets that match a session, encryption and decryption, and IKE negotiation.

Note the following specifics about next-generation SPCs:

• Next-generation SPCs have four SPUs per card. The central point (CP) and Services Processing Unit (SPU) combo mode is not supported.

• Next-generation SPCs must always be plugged into the lowest-numbered slot of the SRX Series device.

• A combination of next-generation SPCs and existing SPCs is supported. Make sure that the first SPC in the lowest slot of the chassis is a next-generation SPC. It can be followed by existing SPCs or other next-generation SPCs in any order.

• Next-generation SPCs support all the existing chassis cluster functionality. If your SRX5600 or SRX5800 device is part of a chassis cluster:

• A Junos OS software upgrade cannot be done at the same time as an SPC hardware upgrade. If both software and hardware need to be upgraded, the software update must be done first, before proceeding to the hardware upgrade.

• Installing additional NG-SPCs on the devices in the cluster without incurring downtime on the network is supported. However, during this installation procedure, you must shut down both nodes, one at a time.

• Replacing a next-generation SPC with an earlier SPC is not supported.

• Removal of any type of SPC from a chassis cluster setup is not supported without traffic disruption.

• An SPC expansion should be added to a slot that has a higher number than the central point slot.


The following features are enhanced on SRX5600 and SRX5800 devices with the introduction of the next-generation SPC:

• Enhanced performance and increased scaling capacity

• Support for dynamic tunnel distribution scheme

• Enhanced NAT scaling capacity as follows:

NAT rule set and rule:

Table 13: NAT Rule Set and Rule

Objects | Scaling Capacity
Total NAT rule sets per system | 30,720
Total NAT rules per rule set | 30,720

Persistent NAT binding capacity:

Table 14: Persistent NAT Binding Capacity

Objects | Scaling Capacity
CP bindings on CP | 2,097,152
SPU bindings on SPU | 524,288

• Increase in maximum number of supported security policies (up to 80,000), address books (up to 2000 for SRX5600 and up to 4000 for SRX5800), and zones (up to 2000 for SRX5600 and up to 4000 for SRX5800).

• Increase in maximum number of allowed firewall authentication entries to 50,000

• Increased ALG session capacity as follows:

Table 15: Increased ALGs Session Capacity

ALGs | Maximum Supported Sessions
FTP/TFTP Layer 2 and Layer 3 for ALG per SPU | 50,000
RTSP Layer 2 Mode for ALG per SPU | 50,000
RTSP Layer 3 Mode for ALG per SPU | 50,000

• In-service software upgrade (ISSU) support

• J-Web support

You can use the show chassis hardware and show chassis fpc commands to display the information about NG-SPC.

[SRX5600 Services Gateway Hardware Guide]


[SRX5800 Services Gateway Hardware Guide]

J-Web

• J-Web webserver upgrade to 3.2—This feature is supported on all high-end SRX Series devices.

The internal J-Web webserver version is upgraded, providing both security and performance improvements.

Logical Systems

• Display and clear the DNS cache in the master logical system—This feature is supported on all high-end SRX Series devices.

The master administrator can use the CLI operational command show security dns-cache to display all DNS cache information or to display DNS cache information for a specific name. The master administrator can use the clear security dns-cache command to clear all DNS cache information or clear DNS cache information for a specific name. The master administrator can use these commands to verify the resolved IP address of a DNS name and invalidate the addresses if needed.

NOTE: These commands are not available in user logical systems or on devices that are not configured for logical systems.

[Junos OS CLI Reference]

Network Address Translation (NAT)

• Increase in the maximum sessions allowed for a persistent NAT binding—This feature is supported on all high-end SRX Series devices.

Previously, the maximum number of sessions allowed for a persistent NAT binding was 100. This limit is now 65,536. You can now configure the maximum number of sessions ranging from 8 through 65,536.

[max-session-number]

[Junos OS CLI Reference]

• Scalability improvements to persistent NAT—This feature is supported on all high-end SRX Series devices.

Users can now increase the persistent NAT binding capacity to a maximum of 2 million on the central point and 275,000 per SPU on the SRX5800 device.

To maximize the persistent NAT binding capacity, use the set security forwarding-process application-services maximize-persistent-nat-capacity command.

If you want to achieve the maximum binding capacity of 2 million, you also need to enable the central point session maximum using the set security forwarding-process application-services maximize-cp-session command.

To restore the persistent NAT binding capacity to default value, use the delete security forwarding-process application-services maximize-persistent-nat-capacity command.


You must reboot the device for the configuration to take effect. Using this optimization technique reduces the number of flow sessions on both the central point and the SPU.

[Example: Setting Maximum Persistent NAT Bindings]

[Junos OS CLI Reference]

• Static NAT support for port mapping—This feature is supported on all high-end SRX Series devices.

Static NAT defines a one-to-one mapping from one IP subnet to another IP subnet.

The existing static NAT functionality is enhanced to support the following types of translation:

• To map multiple IP addresses and specified ranges of ports to the same IP address and a different range of ports

• To map a specific IP address and port to a different IP address and port

The new CLI statements destination-port low to high and mapped-port low to high are introduced as part of this enhancement.

[Example: Configuring Static NAT for Port Mapping]
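To make the port-range translation concrete, here is an added worked model in Python; it is not Junos code and does not claim to be the device's implementation. The names StaticNatRule, translate and reverse are assumptions, and the addresses and port ranges are constructed. It models the second translation type above (one IP address and port range to a different IP address and port range), keeps the one-to-one property by rejecting rules whose two port ranges differ in width, and also translates return traffic, since a static NAT mapping applies in both directions.

```python
# Added worked model of static NAT port mapping; not Junos code.
# Assumed names: StaticNatRule, translate, reverse.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


@dataclass(frozen=True)
class StaticNatRule:
    """Maps destination address + destination-port low..high to the mapped
    address + mapped-port low..high, one-to-one."""
    destination: str
    dest_port_low: int
    dest_port_high: int
    mapped: str
    mapped_port_low: int
    mapped_port_high: int

    def __post_init__(self) -> None:
        # Reject malformed rules up front: static NAT is one-to-one, so both
        # port ranges must be valid and equally wide, otherwise some packets
        # would be translated to a port the administrator never intended.
        IPv4Address(self.destination)  # raises ValueError on a bad address
        IPv4Address(self.mapped)
        for low, high in ((self.dest_port_low, self.dest_port_high),
                          (self.mapped_port_low, self.mapped_port_high)):
            if not 1 <= low <= high <= 65535:
                raise ValueError(f"bad port range {low} to {high}")
        if self.dest_port_high - self.dest_port_low != self.mapped_port_high - self.mapped_port_low:
            raise ValueError("destination-port and mapped-port ranges must be the same size")


def translate(rule: StaticNatRule, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Forward direction: rewrite (dst_ip, dst_port) if the rule matches, else None."""
    if dst_ip != rule.destination or not rule.dest_port_low <= dst_port <= rule.dest_port_high:
        return None
    # A port at offset n in the destination range maps to offset n in the mapped range.
    return rule.mapped, rule.mapped_port_low + (dst_port - rule.dest_port_low)


def reverse(rule: StaticNatRule, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
    """Return direction: undo the mapping for replies from the mapped host."""
    if src_ip != rule.mapped or not rule.mapped_port_low <= src_port <= rule.mapped_port_high:
        return None
    return rule.destination, rule.dest_port_low + (src_port - rule.mapped_port_low)


if __name__ == "__main__":
    # Constructed rule: 203.0.113.10 ports 1000-1010 -> 192.0.2.20 ports 2000-2010
    r = StaticNatRule("203.0.113.10", 1000, 1010, "192.0.2.20", 2000, 2010)
    print(translate(r, "203.0.113.10", 1005))   # ('192.0.2.20', 2005)
    print(translate(r, "203.0.113.10", 1011))   # None: outside the destination-port range
    print(reverse(r, "192.0.2.20", 2005))       # ('203.0.113.10', 1005)
```

The width check in __post_init__ is the part worth keeping in mind when writing real rules: a destination-port range and a mapped-port range of different sizes cannot describe a one-to-one mapping.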

Security Policies

• Firewall authentication support for HTTPS traffic—This feature is supported on all high-end SRX Series devices.

Firewall authentication now supports the HTTPS protocol along with FTP, HTTP, and Telnet. This feature enhances HTTPS support for Web authentication. Unauthenticated HTTPS traffic is redirected to the Web authentication IP addresses of the incoming interfaces.

The following new CLI statements are part of this feature:

• ssl-termination-profile—Specify the name of the SSL termination profile used for SSL offloading.

• web-redirect-to-https—Redirect unauthenticated HTTP requests to the device's internal HTTPS webserver. If web-redirect-to-https is configured, the firewall redirects the unauthenticated HTTP traffic to the HTTPS Web authentication server's incoming interface.

• https—Enable authentication through HTTPS. If https is selected, the system allows Web authentication for HTTPS traffic.

• redirect-to-https—Redirect the HTTP Web authentication traffic to the HTTPS Web authentication service.

[Firewall User Authentication for Security Devices]

• New match criteria for user role firewall policies—This feature is supported on all high-end SRX Series devices.

User role firewall policies can now specify the username as match criteria in the source-identity field. In the previous release, roles were the only valid input for the source-identity field. Roles are now considered optional.


Two additional show commands display the users and the combined users and roles that are specified in the user identification tables (UITs) and available for user and role provisioning:

• show security user-identification user-provision all

• show security user-identification source-identity-provision all

In addition, the connection setup rate has been improved when a user role firewall is enabled.

[Understanding User Role Firewalls]

• Shadow policy check—This feature is supported on all high-end SRX Series devices.

You can now check whether any policy in the policy list is shadowed, using the following CLI commands:

• For logical systems, run the show security shadow-policies logical-system lsys-name from-zone from-zone-name to-zone to-zone-name policy policy-name reverse command.

• For global policies, run the show security shadow-policies logical-system lsys-name global policy policy-name reverse command.

The CLI commands can be used to display:

• All shadow policies within a context

• Whether a given policy shadows one or more policies

• Whether a given policy is shadowed by one or more policies

[Understanding Security Policy Ordering]

[Verifying Shadow Policies]

[show security shadow-policies logical-system]

[Junos OS CLI Reference]
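What a shadow check actually decides, as an added illustration in Python (not Junos code, and not the algorithm the show security shadow-policies command uses internally): a later policy in the same from-zone/to-zone context is shadowed when every packet it could match is already matched by an earlier policy, so it can never be reached and its action is dead configuration. The names Policy, shadows, shadowed_by, shadows_which and shadow_report are assumptions, the policy list is constructed, and the model compares only source, destination and application sets with "any" as a wildcard; real policies match on more fields, such as source-identity.

```python
# Added illustrative shadow-policy check; not Junos code.
# Assumed names: Policy, shadows, shadowed_by, shadows_which, shadow_report.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

ANY: FrozenSet[str] = frozenset({"any"})  # wildcard, as in "source-address any"


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: FrozenSet[str]
    destination: FrozenSet[str]
    application: FrozenSet[str]
    action: str


def _covers(outer: FrozenSet[str], inner: FrozenSet[str]) -> bool:
    """True if every value `inner` can match is also matched by `outer`."""
    return outer == ANY or inner <= outer


def shadows(earlier: Policy, later: Policy) -> bool:
    """True if `earlier` (listed first) shadows `later`: same context, and every
    packet `later` could match is already matched by `earlier`, so `later` is
    unreachable whatever its action."""
    return ((earlier.from_zone, earlier.to_zone) == (later.from_zone, later.to_zone)
            and _covers(earlier.source, later.source)
            and _covers(earlier.destination, later.destination)
            and _covers(earlier.application, later.application))


def _index(policies: List[Policy], name: str) -> int:
    return next(i for i, p in enumerate(policies) if p.name == name)


def shadowed_by(policies: List[Policy], name: str) -> List[str]:
    """Names of earlier policies that shadow policy `name`."""
    idx = _index(policies, name)
    return [p.name for p in policies[:idx] if shadows(p, policies[idx])]


def shadows_which(policies: List[Policy], name: str) -> List[str]:
    """Names of later policies that policy `name` shadows."""
    idx = _index(policies, name)
    return [p.name for p in policies[idx + 1:] if shadows(policies[idx], p)]


def shadow_report(policies: List[Policy]) -> Dict[str, List[str]]:
    """All shadowed policies in the context: {shadowed name: [shadowing names]}."""
    report: Dict[str, List[str]] = {}
    for p in policies:
        hits = shadowed_by(policies, p.name)
        if hits:
            report[p.name] = hits
    return report


def sample_policies() -> List[Policy]:
    """Constructed trust->untrust policy list for the demonstration."""
    tz = ("trust", "untrust")
    return [
        Policy("allow-web", *tz, ANY, ANY, frozenset({"junos-http", "junos-https"}), "permit"),
        # Dead: allow-web already permits host-a's HTTP, so this deny never fires.
        Policy("block-host-a-web", *tz, frozenset({"host-a"}), ANY, frozenset({"junos-http"}), "deny"),
        Policy("deny-all", *tz, ANY, ANY, ANY, "deny"),
        # Dead: deny-all above it matches everything, so SSH from host-b is dropped.
        Policy("allow-ssh-b", *tz, frozenset({"host-b"}), frozenset({"bastion"}), frozenset({"junos-ssh"}), "permit"),
    ]


if __name__ == "__main__":
    print(shadow_report(sample_policies()))
    # {'block-host-a-web': ['allow-web'], 'allow-ssh-b': ['deny-all']}
```

Both shadowed policies in the sample are security-relevant in opposite ways: a shadowed deny silently leaves traffic permitted, and a shadowed permit silently breaks an intended exception. Either way the fix is reordering, which is why the check is worth running after every policy insertion.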

Services Offloading

This feature is supported on SRX1400, SRX3400, and SRX3600 devices.

Services offloading now supports the following:

• Per-wing statistics counters—The network processor in services-offload mode provides the option for each flow entry to keep a per-wing bytes counter. The counter captures the number of bytes that the network processor sends out over the wing. You can configure the statistics counter feature for each PIC.

• Services-offload traffic across different network processors—Services offloading now provides additional cross-network-processor support; therefore, it is not restricted to the ports of the same network processor.

• NP-IOC support—The NP-IOC is a new type of card that integrates an existing IOC with a Network Processing Card (NPC) in one card with simplified Layer 2 functions in the hardware.

• Session scale up for NP-IOC in services-offload mode—The NP-IOC has a larger static RAM (SRAM) to accommodate session resources, thus hosting more sessions per PIC.

• End-to-end debugging in services-offload mode—For regular flow packets, end-to-end debugging functions are the same as in the non-services-offload mode; packet filter and action items are supported in this flow mode. For traffic that matches services-offload sessions, the end-to-end debugging function supports one packet copy to host CPU when the filter and the action are both affirmative in the end-to-end search results.

System Logs

The following system logs are introduced in Junos OS Release 12.1X44-D10:

• PKID_CERT_BASIC_CNSTRS_MISSING—Certificate does not have the basic constraints field.

• PKID_CERT_BASIC_CNSTRS_INV_CA—Certificate does not have a valid CA flag.

• ERRMSG(PKID_CERT_BASIC_CNSTRS_MISSING, LOG_ERR—Basic constraints field is missing for the CA certificate <certificate-subject>.

• ERRMSG(PKID_CERT_BASIC_CNSTRS_INV_CA, LOG_ERR—Basic constraints field contains an invalid CA flag for the CA certificate <certificate-subject>.

• PKID_CERT_NOT_BEFORE_FAIL—Certificate /C=US/DC=juniper/ST=CA/L=Sunnyvale/O=PKI/OU=SSD/CN=bubba is not valid until 06-12-2012 21:44.

• PKID_CERT_NOT_AFTER_FAIL—Certificate /C=US/DC=juniper/ST=CA/L=Sunnyvale/O=PKI/OU=SSD/CN=bubba has expired, not valid after 06-12-2014 21:44.

• PKID_CERT_ID_LOOKUP_FAIL—Certificate chain does not contain certificate with ID 30.1.1.31 and Type IPSEC_ID_IPV4_ADDR.

• PKID_CERT_ID_LOOKUP_FAIL—Certificate chain does not contain certificate with ID /C=US/DC=juniper/ST=CA/L=Sunnyvale/O=PKI/OU=SSD/CN=bubba and Type IPSEC_ID_DER_ASN1_DN.

• PKID_CERT_ID_LOOKUP_FAIL—Certificate chain does not contain certificate with ID [email protected] and Type IPSEC_ID_USER_FQDN.

• PKID_CERT_ID_LOOKUP_FAIL—Certificate chain does not contain certificate with ID bubba.juniper.net and Type IPSEC_ID_FQDN.


Virtual Private Network (VPN)

• AutoVPN—AutoVPN hubs are supported on all high-end SRX Series devices. AutoVPN spokes are supported on SRX1400 devices.

AutoVPN allows network administrators to configure the hub in a hub-and-spoke IPsec VPN topology for current and future client device connections. Configuration changes are not required on the hub when spoke devices are added or deleted, thus allowing administrators flexibility in managing large-scale network deployments.

AutoVPN is supported on route-based IPsec VPNs. AutoVPN traffic must be IPv4.

Dynamic routing protocols are supported to forward packets through the VPN tunnels.

NOTE: The RIP dynamic routing protocol is not supported with AutoVPN.

The supported authentication for AutoVPN hubs and spokes is X.509 public key infrastructure (PKI) certificates. The group IKE user type configured on the hub allows strings to be specified to match the alternate subject field in spoke certificates. Partial matches for the subject fields in spoke certificates can also be specified.

AutoVPN is configured and managed on SRX Series devices using the CLI. Multiple AutoVPN hubs can be configured on a single SRX Series device. The maximum number of spokes supported by a configured hub is specific to the model of the SRX Series device. AutoVPN supports VPN monitoring and dead peer detection.

[AutoVPNs for Security Devices]

• Improvements in VPN debugging capabilities—This feature is supported on all high-end SRX Series devices.

The following enhancements are now available to improve the VPN debugging capabilities:

• Tunnel debugging, which was previously limited to the policy manager, is now extended to include the QuickSec software stacks.

• The show security ipsec security-associations detail command is enhanced to provide information such as VPN name, tunnel ID, and bind interface in the security associations (SAs) output.

• The show security ike security-associations detail command is enhanced to provide gateway name and Diffie-Hellman (DH) group information in the SA output.

• The show security ipsec security-associations vpn-name vpn-name command displays the IPsec SA based on the VPN name. For policy-based VPNs and dial-up VPNs, the output displays multiple SAs because VPN names are shared.

• The new show security ipsec inactive-tunnels command displays security information about inactive tunnels.

• The new request security ike (debug-enable | debug-disable) command enables IKE debugging from operational mode.

• The common log location for all SRX Series devices is now /var/log/log-filename.


NOTE: If you do not specify the log filename for the log-filename field, then all logs are written to the kmd log.

[Junos OS CLI Reference]

• VPN session affinity—This feature is supported on all high-end SRX Series devices.

VPN session affinity occurs when a cleartext session is located in a Services Processing Unit (SPU) that is different from the SPU where the IPsec tunnel session is located. The goal of VPN session affinity is to locate the cleartext and IPsec tunnel session in the same SPU.

Without VPN session affinity, a cleartext session created by a flow might be located in one SPU and the tunnel session created by IPsec might be located in another SPU. An SPU-to-SPU forward, or hop, is then needed to route cleartext packets to the IPsec tunnel.

By default, VPN session affinity is disabled on SRX Series devices. When VPN session affinity is enabled, a new cleartext session is placed on the same SPU as the IPsec tunnel session. Existing cleartext sessions are not affected.

Enabling VPN session affinity can improve VPN throughput under the following traffic conditions:

• A number of IPsec tunnels are needed and the tunnels are distributed evenly among SPUs. If IPsec tunnels are already concentrated on a few SPUs, enabling VPN session affinity places all cleartext sessions on those same SPUs, which can leave those SPUs overutilized while other SPUs are underutilized.

To display active tunnel sessions on SPUs, use the show security ipsec security-association command and specify the Flexible PIC Concentrator (FPC) and Physical Interface Card (PIC) slots that contain the SPU.

• Cleartext sessions passing through the tunnels should be of the highest volume and the longest duration possible. Applying VPN session affinity to cleartext sessions of small volume and short duration (for example, DNS sessions) reduces the effect of session affinity and might even have a negative impact on VPN throughput under certain conditions.

[IPsec VPNs for Security Devices]

• VPN support for inserting Services Processing Cards—This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

These high-end SRX Series devices have a chassis-based distributed processor architecture. The flow processing power is shared and is based on the number of Services Processing Cards (SPCs). You can scale the processing power of the device by installing a new SPC. Previously, whenever you installed a new SPC on a device either in standalone mode or in chassis cluster mode, the distributed VPNs on the device were disrupted.

This feature enables you to insert an SPC on a device in a chassis cluster without disrupting the traffic on the existing VPN tunnels created by the IKE and IPsec workload.


Now when you insert a new SPC in each chassis of the cluster, the existing tunnels are not affected and traffic continues to flow over them without disruption.

However, existing tunnels cannot use the processing power of the new SPC and are not redistributed to it. The newly inserted SPC can anchor newly configured site-to-site tunnels and dynamic tunnels, but the newly configured tunnels are not guaranteed to be anchored on the new SPC.

Site-to-site tunnels are anchored on different SPCs based on a load-balancing algorithm: the least-loaded SPC is chosen as the anchor SPC. If multiple SPCs have the same smallest load, any of them can be chosen as the anchor SPC. Newly configured site-to-site tunnels are guaranteed to be primary on the new SPC only if the load of every old SPC is greater than 0. The load corresponds to the number of site-to-site gateways or manual VPN tunnels anchored on an SPC.

Dynamic tunnels are anchored on different SPCs based on a round-robin algorithm. Newly configured dynamic tunnels are not guaranteed to be anchored on the new SPC.

After inserting the SPC in a chassis cluster, you can view the tunnel mapping on the different Services Processing Units (SPUs) using the show security ike tunnel-map command. This command displays only the primary information of site-to-site VPN tunnels and manual VPN tunnels.

After a dynamic tunnel is established, you can display its primary information using the show security ike sa detail command.

[VPN for Security Devices]
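As an added illustration (not Junos code), the following Python models the two anchoring rules described above, least-loaded for site-to-site tunnels and round-robin for dynamic tunnels, and makes the caveat about ties explicit: a new SPC with load 0 is only certain to receive the next site-to-site tunnel when no old SPC also has load 0. The names least_loaded_spc, new_spc_guaranteed, anchor_site_to_site and RoundRobinAnchor are assumptions, the SPC labels are constructed, and load is counted the way the note defines it (site-to-site gateways or manual VPN tunnels per SPC).

```python
# Added illustrative model of SPC tunnel anchoring; not Junos code.
# Assumed names: least_loaded_spc, new_spc_guaranteed, anchor_site_to_site, RoundRobinAnchor.
from itertools import cycle
from typing import Dict, Iterable, List


def least_loaded_spc(load: Dict[str, int]) -> List[str]:
    """All SPCs tied for the smallest load; the platform may pick any of them."""
    smallest = min(load.values())
    return [spc for spc, n in load.items() if n == smallest]


def new_spc_guaranteed(load: Dict[str, int], new_spc: str) -> bool:
    """True only when the next site-to-site tunnel is certain to anchor on
    new_spc: the new card has load 0 and every old card has load > 0, so
    there is no tie for the least-loaded slot."""
    return load[new_spc] == 0 and all(n > 0 for spc, n in load.items() if spc != new_spc)


def anchor_site_to_site(load: Dict[str, int]) -> str:
    """Anchor one new site-to-site tunnel on a least-loaded SPC (first in dict
    order on a tie, standing in for 'any SPC can be chosen') and record the load."""
    chosen = least_loaded_spc(load)[0]
    load[chosen] += 1
    return chosen


class RoundRobinAnchor:
    """Dynamic tunnels rotate across SPCs regardless of load, so a newly
    inserted card is not guaranteed to receive the next dynamic tunnel."""

    def __init__(self, spcs: Iterable[str]) -> None:
        self._next = cycle(list(spcs))

    def next_spc(self) -> str:
        return next(self._next)


if __name__ == "__main__":
    # Constructed cluster: fpc0 and fpc1 already carry tunnels, fpc2 was just inserted.
    load = {"fpc0": 3, "fpc1": 2, "fpc2": 0}
    print(new_spc_guaranteed(load, "fpc2"), anchor_site_to_site(load))  # True fpc2
    # An old card with nothing anchored removes the guarantee.
    idle_old = {"fpc0": 0, "fpc1": 2, "fpc2": 0}
    print(new_spc_guaranteed(idle_old, "fpc2"), least_loaded_spc(idle_old))  # False ['fpc0', 'fpc2']
```

The practical check before relying on the new card is therefore the show security ike tunnel-map output: if any old SPC shows zero site-to-site or manual tunnels, the next tunnel may land there instead.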

• Loopback interface for chassis cluster VPN—This feature is supported on all high-end SRX Series devices.

An Internet Key Exchange (IKE) gateway needs an external interface to communicate with a peer device. In a chassis cluster setup, the node on which the external interface is active selects a Services Processing Unit (SPU) to support the VPN tunnel. IKE and IPsec packets are processed on that SPU. Therefore, the active external interface determines the anchor SPU.

In a chassis cluster setup, this external interface can be the redundant Ethernet interface or a standalone interface. These interfaces can go down when the physical interfaces are down. Therefore, loopback interfaces can be used to reach the peer gateway because the loopback interfaces are alternate physical interfaces.

This feature allows the loopback interface to be configured for any redundancy group. This redundancy group configuration is only checked for VPN packets, because only VPN packets must find the anchor SPU through the active interface.

On high-end SRX Series devices, the lo0 pseudo interface cannot be configured in RG0 when it is used as an IKE gateway external interface. Because a VPN is only supported in an active/passive chassis cluster environment on high-end SRX Series devices, the lo0 pseudo interface can be configured in such a setup for RG1. In a chassis cluster setup, the node on which the external interface is active selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are processed on that SPU. Thus an active external interface determines the anchor SPU.


You can use the show chassis cluster interfaces command to view the redundant pseudo interface information.

[VPN for Security Devices]

Related Documentation

• Known Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 184

• Resolved Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 186

• Documentation Updates for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 234

• Changes in Behavior and Syntax in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 149

• Known Behavior in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 168

Changes in Behavior and Syntax in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:


Application Firewall

• Prior to Junos OS release 11.4R6, when a rule specifies dynamic-application junos:HTTP without specifying any other nested application, the rule matches all HTTP traffic whether the traffic contains a nested application or not.

In Junos OS release 11.4R6 and later, that functionality has changed. When a rule specifies dynamic-application junos:HTTP, only HTTP traffic with no nested members is matched.

Consider the following application firewall rule set:

    rule-sets http-ruleset {
        rule rule1 {
            match {
                dynamic-application [junos:FACEBOOK];
            }
            then {
                deny;
            }
        }
        rule rule2 {
            match {
                dynamic-application [junos:HTTP];
            }
            then {
                permit;
            }
        }
        default-rule {
            deny;
        }
    }

Prior to Junos OS Release 11.4R6, the sample rules would be applied to traffic as follows:

• HTTP traffic with junos:FACEBOOK as a nested application would be denied by rule1.

• HTTP traffic with no nested application would be permitted by rule2.

• HTTP traffic with a nested application other than junos:FACEBOOK, such as junos:TWITTER, would be permitted by rule2 because it is HTTP traffic that does not match any previous rule.

In Junos OS Release 11.4R6 and later, the dynamic application junos:HTTP matches only traffic that does not contain a recognizable nested application. The sample rules are now applied differently:

• HTTP traffic with junos:FACEBOOK as a nested application is denied by rule1.

• HTTP traffic with no nested application is permitted by rule2.

• However, HTTP traffic with a nested application other than junos:FACEBOOK, such as junos:TWITTER, no longer matches rule2. Instead, the traffic is denied by the default rule.
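As an added illustration in Python (not Junos code), the following models rule evaluation for the rule set above under both behaviours and reports which sessions change outcome across the 11.4R6 boundary, which is the review an operator would want to do on a rule set before upgrading. The names Rule, HTTP_RULESET, rule_matches, evaluate and compare_releases are assumptions; legacy=True stands for releases before 11.4R6 and legacy=False for 11.4R6 and later, and the session list is constructed.

```python
# Added illustrative model of application firewall rule matching before and
# after Junos OS 11.4R6; not Junos code.
# Assumed names: Rule, HTTP_RULESET, DEFAULT_ACTION, rule_matches, evaluate, compare_releases.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Outcome = Tuple[str, str]  # (rule name, action)


@dataclass(frozen=True)
class Rule:
    name: str
    dynamic_application: str
    action: str


# The http-ruleset from the release note, expressed as data.
HTTP_RULESET: List[Rule] = [
    Rule("rule1", "junos:FACEBOOK", "deny"),
    Rule("rule2", "junos:HTTP", "permit"),
]
DEFAULT_ACTION = "deny"  # default-rule { deny; }


def rule_matches(rule: Rule, base_app: str, nested_app: Optional[str], legacy: bool) -> bool:
    """legacy=True: a base-protocol rule (junos:HTTP) matches all HTTP traffic,
    nested application or not. legacy=False: it matches only HTTP traffic with
    no recognised nested application. Nested-application rules behave the same
    either way."""
    if rule.dynamic_application == nested_app:
        return True
    if rule.dynamic_application == base_app:
        return legacy or nested_app is None
    return False


def evaluate(ruleset: List[Rule], base_app: str, nested_app: Optional[str], legacy: bool) -> Outcome:
    """First-match evaluation, falling through to the default rule."""
    for rule in ruleset:
        if rule_matches(rule, base_app, nested_app, legacy):
            return rule.name, rule.action
    return "default-rule", DEFAULT_ACTION


def compare_releases(ruleset: List[Rule],
                     sessions: Iterable[Tuple[str, Optional[str]]]) -> Dict[Tuple[str, Optional[str]], Tuple[Outcome, Outcome]]:
    """Sessions whose outcome differs between the two behaviours: {session: (before, after)}."""
    changed = {}
    for base_app, nested_app in sessions:
        before = evaluate(ruleset, base_app, nested_app, legacy=True)
        after = evaluate(ruleset, base_app, nested_app, legacy=False)
        if before != after:
            changed[(base_app, nested_app)] = (before, after)
    return changed


if __name__ == "__main__":
    # Constructed sessions: plain HTTP, Facebook over HTTP, Twitter over HTTP.
    sessions = [("junos:HTTP", None), ("junos:HTTP", "junos:FACEBOOK"), ("junos:HTTP", "junos:TWITTER")]
    for s in sessions:
        print(s, evaluate(HTTP_RULESET, *s, legacy=True), evaluate(HTTP_RULESET, *s, legacy=False))
    print(compare_releases(HTTP_RULESET, sessions))
    # {('junos:HTTP', 'junos:TWITTER'): (('rule2', 'permit'), ('default-rule', 'deny'))}
```

The comparison is the useful output: every session that moves from a permit to the default deny is traffic that will be dropped after the upgrade unless an explicit rule for that nested application is added.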


AppSecure

• The following new counters have been added to the show services application-identification counter command output:

  • Application Identification Module Statistics
    - Sessions that triggered interest callback
    - Sessions that triggered create callback
    - Sessions that triggered packet process callback
    - Sessions that triggered session close callback
    - Client-to-server flows ignored
    - Server-to-client flows ignored
    - Negative cache hits
    - Cache inserted
    - Cache expired
    - Session ignored due to disabled AppId
    - Session ignored due to unsupported protocol
    - Session ignored due to no active signature set
    - Session ignored due to max concurrent session reached

  • Application Identification TCP Reordering Statistics
    - Stream constructed
    - Stream destructed
    - Segment allocated
    - Segment freed
    - Packet cloned
    - Packet freed
    - Fast path segment
    - Segment case 1
    - Segment case 2
    - Segment case 3
    - Segment case 4
    - Segment case 5
    - Segment case 6

  • Application Identification Decoder Statistics
    - Session state constructed
    - Session state destructed
    - Packet decoded
    - HTTP session state constructed
    - HTTP session state destructed
    - HTTP packet decoded

  • Application Identification Heuristics Statistics
    - Unspecified encrypted sessions called
    - Encrypted P2P sessions called

AppSecure Application Package Upgrade Changes

• Application signatures removed after upgrading to Junos OS Release 11.4—This change applies to all high-end SRX Series devices that use the application identification signature package.

As of Junos OS Release 11.4, the application signature package is downloaded and installed in a separate database, not in the Junos OS configuration file as in previous Junos OS releases.

When you upgrade an SRX Series device from Junos OS Release 11.2 to Junos OS Release 11.4 or later, any predefined application signatures and signature groups from the Junos OS Release 11.2 configuration are removed when you install the latest predefined signatures and signature groups by using the request services application-identification install command. However, the upgrade does not remove custom signatures and signature groups from the Junos OS configuration.

For information about using the request services application-identification download and request services application-identification install commands, see the Junos OS CLI Reference.

Chassis Cluster

• In Junos OS Release 12.1X44-D30 and earlier, in a chassis cluster mode, when a secondary node failed, no notification was sent to report the secondary node failure.

Starting in Junos OS Release 12.1X44-D35, in a chassis cluster mode, the primary node sends the SNMP generic event trap to report failures on primary node and secondary node.

Sample SNMP trap sent when the monitored interface failed on the secondary node:

    2014-02-18 17:36:56 10.157.83.10(via 10.157.84.10 [10.157.84.10]) TRAP, SNMP v1, community ntrap
        .iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific Trap (1) Uptime: 1:29:31.53
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "100"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "0"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority is set to 0, Monitoring objects are down"

    2014-02-18 17:36:56 10.157.84.10 [10.157.84.10]:
        .iso.3.6.1.2.1.1.3.0 = Timeticks: (537153) 1:29:31.53
        .iso.3.6.1.6.3.1.1.4.1.0 = OID: .iso.3.6.1.4.1.2636.3.39.1.14.1.0.1
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "100"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "0"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority is set to 0, Monitoring objects are down"
        .iso.3.6.1.6.3.1.1.4.3.0 = OID: .iso.3.6.1.4.1.2636.1.1.1.2.28

Sample SNMP trap sent when the failed interface is restored on the secondary node:

    2014-02-18 17:38:46 10.157.83.10(via 10.157.84.10 [10.157.84.10]) TRAP, SNMP v1, community ntrap
        .iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific Trap (1) Uptime: 1:31:20.64
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "0"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "100"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority restored, Monitoring object failures are cleared"

    2014-02-18 17:38:46 10.157.84.10 [10.157.84.10]:
        .iso.3.6.1.2.1.1.3.0 = Timeticks: (548064) 1:31:20.64
        .iso.3.6.1.6.3.1.1.4.1.0 = OID: .iso.3.6.1.4.1.2636.3.39.1.14.1.0.1
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "0"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "100"
        .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority restored, Monitoring object failures are cleared"
        .iso.3.6.1.6.3.1.1.4.3.0 = OID: .iso.3.6.1.4.1.2636.1.1.1.2.28
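As an added detection example in Python (not Junos code), the following parses traps in the text form shown above, keys the six enterprise varbinds by their position under the prefix .iso.3.6.1.4.1.2636.3.39.1.14.1.1, and classifies a trap as a redundancy-group monitoring failure or a restore from the message carried in varbind 6. The MIB names of those varbinds are not given on this page and are not assumed here; the names parse_varbinds, cluster_fields and classify_trap are assumptions, and the two sample traps are constructed copies of the failure and restore traps shown.

```python
# Added detection example for chassis cluster SNMP traps in text form; not Junos code.
# Assumed names: parse_varbinds, cluster_fields, classify_trap.
import re
from typing import Dict

# Prefix of the six enterprise varbinds seen in the sample traps; positions 1..6
# follow it. Their MIB names are not given on the page, so they stay index-keyed.
CLUSTER_VARBIND_PREFIX = ".iso.3.6.1.4.1.2636.3.39.1.14.1.1."

# One varbind: an OID, "=", then either a quoted string or a bare token.
VARBIND_RE = re.compile(r'(\.iso[\d.]+)\s*=\s*(?:"([^"]*)"|(\S+))')

# Constructed copies of the two sample traps (values as shown in the release note).
SAMPLE_FAILURE_TRAP = (
    '2014-02-18 17:36:56 10.157.83.10(via 10.157.84.10 [10.157.84.10]) TRAP, SNMP v1, '
    'community ntrap .iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific Trap (1) '
    'Uptime: 1:29:31.53 '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "100" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "0" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority is set to 0, Monitoring objects are down"'
)
SAMPLE_RESTORE_TRAP = (
    '2014-02-18 17:38:46 10.157.83.10(via 10.157.84.10 [10.157.84.10]) TRAP, SNMP v1, '
    'community ntrap .iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific Trap (1) '
    'Uptime: 1:31:20.64 '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "0" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "100" '
    '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority restored, Monitoring object failures are cleared"'
)


def parse_varbinds(trap_text: str) -> Dict[str, str]:
    """All OID = value pairs in the trap text, quoted strings unquoted."""
    out: Dict[str, str] = {}
    for match in VARBIND_RE.finditer(trap_text):
        oid, quoted, bare = match.groups()
        out[oid] = quoted if quoted is not None else bare
    return out


def cluster_fields(varbinds: Dict[str, str]) -> Dict[int, str]:
    """The enterprise varbinds keyed by position 1..6 under CLUSTER_VARBIND_PREFIX."""
    fields: Dict[int, str] = {}
    for oid, value in varbinds.items():
        if oid.startswith(CLUSTER_VARBIND_PREFIX):
            position = int(oid[len(CLUSTER_VARBIND_PREFIX):].split(".")[0])
            fields[position] = value
    return fields


def classify_trap(trap_text: str) -> str:
    """Coarse alert class derived from the message text in varbind 6."""
    message = cluster_fields(parse_varbinds(trap_text)).get(6, "")
    if "Monitoring objects are down" in message:
        return "rg-monitor-failure"
    if "Priority restored" in message:
        return "rg-monitor-restored"
    return "other"


if __name__ == "__main__":
    for trap in (SAMPLE_FAILURE_TRAP, SAMPLE_RESTORE_TRAP):
        print(classify_trap(trap), cluster_fields(parse_varbinds(trap)))
```

Because the D35 change means the primary node now reports secondary-node failures too, a collector that keys alerts on the varbind 6 message will see both a failure and the matching restore for either node; pairing them is what lets a monitoring system close the alert instead of leaving it open.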


Chassis Cluster Redundancy Group Manual Failover

• Prior to Junos OS Release 12.1X44-D25, for redundancy group x, it was possible to perform a manual failover to a node that has priority 0. We recommend that you use the show chassis cluster status command to check the redundancy group node priorities before doing a manual failover. In Junos OS Release 12.1X44-D25 and later, the readiness check for manual failover is more restrictive, so that you cannot manually fail over to a node in a redundancy group that has priority 0.

This enhancement prevents traffic from being dropped unexpectedly due to a failover attempt to a 0 priority node, which is not ready to accept traffic.

Command-Line Interface (CLI)

New or Changed CLI

• In Junos OS releases earlier than Junos OS Release 12.1X44-D30, TACACS+ options for authentication and accounting did not include an option for configuring a timestamp and time zone.

In Junos OS Release 12.1X44-D30 and later releases, you can use the timestamp-and-timezone option at the [edit system tacplus-options] hierarchy to include start time, stop time, and time zone attributes in start/stop accounting records.

[See tacplus-options.]

• The client-match match-name option at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit firewall-authentication] hierarchy level now supports a maximum of 64 users or user groups in the policy.

• On all high-end SRX Series devices, the show interface interface-name statistics detail command was showing incorrect FCS statistics: the additional 4 bytes of the FCS were counted in input statistics but not in output statistics. The FCS is now included in both input and output Ethernet statistics, and the show interface interface-name statistics detail command displays correct output.

• On all high-end SRX Series devices, a new command, clear security flow statistics, has been introduced to clear the flow-related system statistics.

• On all branch SRX Series devices, the show security flow session extensive command has been updated to show the predefined application name.

• On all high-end SRX Series devices, on Services Processing Cards (SPC) and next-generation SPCs, IDP dedicated modes are supported only with the inline-tap option. In the inline-tap mode option, the weight equal option is not supported.

Other IDP dedicated mode configurations such as dedicated weight IDP, dedicated firewall, and dedicated equal are not supported.

The following IDP dedicated mode configuration statements are not supported:


• set security forwarding-process application-services maximize-idp-sessions weight firewall

• set security forwarding-process application-services maximize-idp-sessions weight idp

• set security forwarding-process application-services maximize-idp-sessions weight equal

• set security forwarding-process application-services maximize-idp-sessions inline-tap weight equal

The following configuration statements are supported:

• set security forwarding-process application-services maximize-idp-sessions inline-tap weight firewall

• set security forwarding-process application-services maximize-idp-sessions inline-tap weight idp

• Starting in Junos OS Release 12.1X44-D30, on SRX3400 and SRX3600 devices, the value for licenses used in the output of the show system license command correctly displays a 1 in the full-cp-key field. Prior to this release, the output displayed a 0.

Deprecated Items for High-End SRX Series Services Gateways

Table 16 on page 155 lists deprecated items (such as CLI statements, commands, options, and interfaces).

CLI statements and commands are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration. We strongly recommend that you phase out deprecated items and replace them with supported alternatives.

Table 16: Items Deprecated in Release 12.1

Deprecated item: download-timeout
Hierarchy level or command syntax: timeout
Additional information: On all high-end SRX Series devices, the download-timeout command is deprecated. If the configuration is present, it is ignored. The idpd daemon internally triggers installation of the security package when an automatic download is completed, so there is no need to configure a download timeout.

Deprecated item: node (option of request security idp security-package download)
Hierarchy level or command syntax: request security idp security-package download
Additional information: On all high-end SRX Series devices operating in a chassis cluster, the following request security idp security-package download commands with the node option are not supported:

  • request security idp security-package download node primary
  • request security idp security-package download node local
  • request security idp security-package download node all

Table 17: Items Deprecated in Junos OS Release 12.1X44-D10

Deprecated item: mcc-mnc
Replacement: imsi-prefix
Hierarchy level or command syntax: edit security gprs gtp profile profile-name apn pattern-string
Additional information: On all high-end SRX Series devices, the mcc-mnc command is not supported.

Compatibility

• Version Compatibility for Junos SDK—Beginning with Junos OS Release 12.1X44-D10, Junos OS applications will install on Junos OS only if the application is built with the same release as the Junos OS release on which it is being installed. For example, an application built with Junos OS Release 12.1R2 will install only on Junos OS Release 12.1R2 and will not install on Junos OS Release 12.1R1 or Junos OS Release 12.1R3.

Flow and Processing

• SPU software changes for the SPC—The following changes apply to all high-end SRX Series devices:

• Each SPU runs a 64-bit FreeBSD kernel instead of the 32-bit FreeBSD kernel.

• Each SPU runs a 64-bit flowd instead of the 32-bit version for increased scalability.

• With the 64-bit OS, ksynd and ifstates on the SPU run in 64-bit mode.

• TCP initial timeout enhancement–The minimum value you can configure for TCP session initialization is 4 seconds. The default value is 20 seconds; if required you can set the TCP session initialization value to less than 20 seconds.

• On SRX Series and J Series devices, you can configure the TCP session timeout in a half-closed state by using the apply-to-half-close-state statement at the [edit security flow tcp-session time-wait-state] hierarchy level. This enables the system to apply the configured session timeout on receiving only one FIN packet (either client-to-server or server-to-client). When this statement is not configured, the default behavior takes effect, which is to apply the configured session timeout on receiving both the FIN packets. The default TCP session timeout remains 150 seconds.

Intrusion Detection Prevention (IDP)

• A system log message is generated when an IDP signature database update or policy compilation fails with an empty dynamic group. The system-generated log message is Dynamic Attack group [dyn_group_1] has no matching members found. Group is empty.

• New sensor configuration options have been added to configure the IDP action when a TCP reassembly failure occurs, and to log TCP errors.

When certain TCP error packets (packets with anomalies) during or after the three-way handshake are forwarded to IDP for processing, IDP TCP reassembly stops the reassembly. Once the reassembly is stopped, IDP does not continue the stream-based attack detection and TCP error packets are not dropped. The action-on-reassembly-failure option changes this behavior so that you can configure the action to be initiated when a reassembly failure occurs.

Use the following configuration command to drop the error packets when a reassembly failure occurs:

set security idp sensor-configuration re-assembler action-on-reassembly-failure drop

Use the following configuration command to drop the session when a reassembly failure occurs:

set security idp sensor-configuration re-assembler action-on-reassembly-failure drop-session

If you do not require any action to be taken, then use the following configuration command:

set security idp sensor-configuration re-assembler action-on-reassembly-failure ignore

By default, action-on-reassembly-failure is set to drop.

The tcp-error-logging and no-tcp-error-logging options enable or disable TCP error logging.

Use the following commands to enable or disable TCP error logging:

set security idp sensor-configuration re-assembler tcp-error-logging

set security idp sensor-configuration re-assembler no-tcp-error-logging

By default, TCP error logging is disabled.

• On all high-end SRX Series devices, unsupported IDP dedicated mode commands, which are supported in releases earlier than Junos OS Release 12.1X44, allow a blank password for Telnet, J-Web, or Console access connections, and accept any random password for SSH connections after upgrading to Junos OS Release 12.1X44-D10 or 12.1X44-D11.

As a workaround:

• Before upgrading to Junos OS Release 12.1X44-D10, remove the unsupported IDP dedicated mode commands and then upgrade the release to Junos OS Release 12.1X44-D10.

Check the configuration compatibility between releases earlier than Junos OS Release 12.1X44 and Junos OS Release 12.1X44-D10 using the request system software validate <12.1X44-install-package> command.

• Remove the unsupported IDP dedicated mode commands or change the IDP mode from dedicated mode to in-line tap mode.

Upgrade to Junos OS Release 12.1X44 using the request system software add no-copy junos-srx1k3k-12.1X44-D11.5-domestic.tgz reboot command.

• New sensor configuration options have been added to log run conditions as IDP session capacity and memory limits are approached, and to analyze traffic dropped by IDP and application identification due to exceeding these limitations.

• At start up, traffic is ignored by IDP by default if the IDP policy is not yet loaded. The drop-if-no-policy-loaded option changes this behavior so that all sessions are dropped before the IDP policy is loaded.

Use the following configuration command to drop traffic before the IDP policy is loaded: set security idp sensor-configuration flow drop-if-no-policy-loaded

The following new counters have been added to the show security idp counters flow command output to analyze dropped traffic due to the drop-if-no-policy-loaded option:

Sessions dropped due to no policy 0

• By default, IDP ignores failover sessions in an SRX chassis cluster deployment. The drop-on-failover option changes this behavior and automatically drops sessions that are in the process of being inspected on the primary node when a failover to the secondary node occurs.

Use the following configuration command to drop failover sessions: set security idp sensor-configuration flow drop-on-failover

The following new counter has been added to the show security idp counters flow command output to analyze dropped failover traffic due to the drop-on-failover option:

Fail-over sessions dropped 0

• By default, sessions are not dropped if the IDP session limit or resource limits are exceeded. In this case, IDP and other sessions are dropped only when the device’s session capacity or resources are depleted. The drop-on-limit option changes this behavior and drops sessions when resource limits are exceeded.

Use the following configuration commands to set or remove the drop-on-limit option:

set security idp sensor-configuration flow drop-on-limit

delete security idp sensor-configuration flow drop-on-limit


The following new counters have been added to the show security idp counters flow command output to analyze dropped IDP traffic due to the drop-on-limit option:

SM Sessions encountered memory failures 0

SM Packets on sessions with memory failures 0

SM Sessions dropped 0

Both directions flows ignored 0

IDP Stream Sessions dropped due to memory failure 0

IDP Stream Sessions ignored due to memory failure 0

IDP Stream Sessions closed due to memory failure 0

Number of times Sessions exceed high mark 0

Number of times Sessions drop below low mark 0

Memory of Sessions exceeds high mark 0

Memory of Sessions drops below low mark 0

The following counters have also been added to the show security idp counters application-identification command output to analyze dropped application identification traffic due to the drop-on-limit option:

AI-session dropped due to malloc failure before session create 0

AI-Sessions dropped due to malloc failure after create 0

AI-Packets received on sessions marked for drop due to malloc failure 0

The following options have been added to trigger informative log messages about current run conditions. When set, the log messages are triggered whether the drop-on-limit option is set or not.

• The max-sessions-offset option sets an offset for the maximum IDP session limit.

When the number of IDP sessions exceeds the maximum session limit, a warning is logged that conditions exist where IDP sessions could be dropped. When the number of IDP sessions drops below the maximum IDP session limit minus the offset value, a message is logged that conditions have returned to normal.

Jul 19 04:38:13 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233893, FPC 4 PIC 1 IDP total sessions pass through high mark 100000. IDP may drop new sessions. Total sessions dropped 0.

Jul 19 04:38:21 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233901, FPC 4 PIC 1 IDP total sessions drop below low mark 99000. IDP working in normal mode. Total sessions dropped 24373.

Use the following configuration command to set the max-sessions-offset option: set security idp sensor-configuration flow max-sessions-offset offset-value

• The min-objcache-limit-lt option sets a lower threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory.

If the available cache memory drops below the lower threshold level, a message is logged stating that conditions exist where IDP sessions could be dropped because of memory allocation failures. For example, the following message shows that the IDP cache memory has dropped below the lower threshold and that a number of sessions have been dropped:


Jul 19 04:07:33 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232053, FPC 4 PIC 1 IDP total available objcache(used 4253368304, limit 7247757312) drops below low mark 3986266515. IDP may drop new sessions. Total sessions dropped 1002593.

Use the following configuration command to set the min-objcache-limit-lt option: set security idp sensor-configuration flow min-objcache-limit-lt lower-threshold-value

• The min-objcache-limit-ut option sets an upper threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If available IDP cache memory returns to the upper threshold level, a message is logged stating that available cache memory has returned to normal.

For example, the following message shows that the available IDP cache memory has increased above the upper threshold and that it is now performing normally:

Jul 19 04:13:47 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232428, FPC 4 PIC 1 IDP total available objcache(used 2782950560, limit 7247757312) increases above high mark 4348654380. IDP working in normal mode. Total sessions dropped 13424632.

NOTE: This message is triggered only if the lower threshold has been reached and the available memory has returned above the upper threshold. Fluctuations in available memory that dropped below the upper threshold but did not fall below the lower threshold would not trigger the message.

Use the following configuration command to set the min-objcache-limit-ut option: set security idp sensor-configuration flow min-objcache-limit-ut upper-threshold-value
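The high-mark and low-mark messages above are what a syslog pipeline or SIEM receives from the device. The following Python script, an added example rather than Juniper code, parses the four IDP_SESSION_LOG_EVENT lines shown in this section, pairs each "may drop new sessions" warning with the later "working in normal mode" message for the same FPC/PIC and resource, and attributes the growth of the Total sessions dropped counter to that window. Reading the configured objcache percentage back as mark divided by limit is an assumption about how the logged mark is derived.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the four IDP_SESSION_LOG_EVENT messages shown in this
# section, each joined back onto a single syslog line.
SAMPLE_LOG = """\
Jul 19 04:38:13 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233893, FPC 4 PIC 1 IDP total sessions pass through high mark 100000. IDP may drop new sessions. Total sessions dropped 0.
Jul 19 04:38:21 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233901, FPC 4 PIC 1 IDP total sessions drop below low mark 99000. IDP working in normal mode. Total sessions dropped 24373.
Jul 19 04:07:33 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232053, FPC 4 PIC 1 IDP total available objcache(used 4253368304, limit 7247757312) drops below low mark 3986266515. IDP may drop new sessions. Total sessions dropped 1002593.
Jul 19 04:13:47 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232428, FPC 4 PIC 1 IDP total available objcache(used 2782950560, limit 7247757312) increases above high mark 4348654380. IDP working in normal mode. Total sessions dropped 13424632.
"""

# One pattern covers both the session-count and the objcache messages; the
# "(used ..., limit ...)" group is present only for objcache events.
EVENT_RE = re.compile(
    r"RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at (?P<epoch>\d+), "
    r"FPC (?P<fpc>\d+) PIC (?P<pic>\d+) IDP total "
    r"(?P<resource>sessions|available objcache)"
    r"(?:\(used (?P<used>\d+), limit (?P<limit>\d+)\))? "
    r"(?P<direction>pass through high mark|drop below low mark|"
    r"drops below low mark|increases above high mark) (?P<mark>\d+)\. "
    r".*Total sessions dropped (?P<dropped>\d+)\.")

# Mark crossings after which the message warns "IDP may drop new sessions".
ENTER_DEGRADED = {"pass through high mark", "drops below low mark"}


@dataclass
class IdpEvent:
    epoch: int
    fpc: int
    pic: int
    resource: str                # "sessions" or "available objcache"
    degraded: bool               # True while IDP warns it may drop sessions
    mark: int                    # the high or low mark that was crossed
    dropped: int                 # cumulative "Total sessions dropped" counter
    used: Optional[int] = None   # objcache bytes in use (objcache events only)
    limit: Optional[int] = None  # objcache limit in bytes (objcache events only)

    def mark_percent(self) -> Optional[int]:
        """Recover the configured objcache threshold as a percentage of the
        limit. Assumption: the logged mark is limit * threshold-percent."""
        if self.limit is None:
            return None
        return round(self.mark * 100 / self.limit)


def parse_events(text: str) -> List[IdpEvent]:
    """Extract IdpEvent records; lines that are not session-log events are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m is None:
            continue
        events.append(IdpEvent(
            epoch=int(m["epoch"]), fpc=int(m["fpc"]), pic=int(m["pic"]),
            resource=m["resource"],
            degraded=m["direction"] in ENTER_DEGRADED,
            mark=int(m["mark"]), dropped=int(m["dropped"]),
            used=int(m["used"]) if m["used"] else None,
            limit=int(m["limit"]) if m["limit"] else None))
    return events


@dataclass
class Incident:
    fpc: int
    pic: int
    resource: str
    start: int                       # epoch of the warning
    end: Optional[int]               # epoch of the return to normal; None if still open
    sessions_dropped: Optional[int]  # counter growth between the two messages


def summarize(events: List[IdpEvent]) -> List[Incident]:
    """Pair each warning with the next 'working in normal mode' message for the
    same FPC/PIC and resource, attributing the counter growth to that window."""
    open_incidents: Dict[Tuple[int, int, str], IdpEvent] = {}
    incidents: List[Incident] = []
    for ev in sorted(events, key=lambda e: e.epoch):
        key = (ev.fpc, ev.pic, ev.resource)
        if ev.degraded:
            open_incidents.setdefault(key, ev)   # keep the first warning
        elif key in open_incidents:
            start = open_incidents.pop(key)
            incidents.append(Incident(ev.fpc, ev.pic, ev.resource, start.epoch,
                                      ev.epoch, ev.dropped - start.dropped))
    for (fpc, pic, resource), start in open_incidents.items():
        incidents.append(Incident(fpc, pic, resource, start.epoch, None, None))
    return incidents


if __name__ == "__main__":
    for inc in summarize(parse_events(SAMPLE_LOG)):
        length = "open" if inc.end is None else f"{inc.end - inc.start}s"
        print(f"FPC {inc.fpc} PIC {inc.pic} {inc.resource}: {length}, "
              f"sessions dropped in window: {inc.sessions_dropped}")
```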

• By default, values for IDP reassembler packet memory and application identification packet memory used by IDP are established as percentages of all memory. In most cases, these default values are adequate.

If a deployment exhibits an excessive number of dropped TCP packets or retransmissions resulting in high IDP reassembly memory usage, use the max-packet-mem-ratio option to reset the percentage of available IDP memory for IDP reassembly packet memory. Acceptable values are between 5% and 40%.

set security idp sensor-configuration re-assembler max-packet-mem-ratio percentage-value

If a deployment exhibits an excessive number of ignored IDP sessions due to reassembler and application identification memory allocation failures, use the following options:

The max-packet-memory-ratio option sets application identification packet memory limit as a percentage of available IDP memory. This memory is only used by IDP in cases where application identification delays identifying an application.

Acceptable values are between 5% and 40%.

set security idp sensor-configuration application-identification max-packet-memory-ratio percentage-value

The max-reass-packet-memory-ratio option sets the reassembly packet memory limit for application identification as a percentage of available IDP memory.

Acceptable values are between 5% and 40%.

set security idp sensor-configuration application-identification max-reass-packet-memory-ratio percentage-value

NOTE: The max-packet-memory option has been deprecated and replaced by the new max-packet-memory-ratio and max-reass-packet-memory-ratio options.

• On all high-end SRX Series devices with a single session, when IDP is activated, the upload and download speeds are slow when compared to the firewall performance numbers.

To overcome this issue, a new CLI command, set security idp sensor-configuration ips session-pkt-depth, is introduced; the session-pkt-depth sensor-configuration value is global for any session.

The session-pkt-depth sensor-configuration value specifies the number of packets per session that are inspected by IDP. Any packets beyond the specified value are not inspected. For example, when session-pkt-depth sensor-configuration is configured as “n”, the IDP inspection happens only for the first (n-1) packets in that session. Packets from the nth packet onwards are ignored by IDP.

The default value of session-pkt-depth sensor-configuration is zero. When the default value of zero is used, the session-pkt-depth value is not addressed, and IDP performs a full inspection of the session.


Junos OS Federal Information Processing Standard (FIPS)

• On all SRX Series devices, the secure Junos OS software environment does not permit DSA key pairs with modulus greater than 1024 bits.

J-Web

On all SRX Series devices, on the Monitor > Events and Alarms > Security Events page, the Is global policy check box is introduced.

Logical Systems

The logical-systems all option can now be specified for the show security screen statistics operational command.

Management Information Base (MIB)

• On all high-end SRX Series devices in a chassis cluster, the calculation of the primary and secondary node sessions in the JnxJsSPUMonitoringObjectsTable object of the SPU monitoring MIB is incorrect. The MIB object jnxJsSPUMonitoringCurrentTotalSession incorrectly displays total sessions.

A doubled session count is displayed because the active and backup nodes are treated as separate sessions, although these nodes are not separate sessions.

Only the session numbers on the local node are counted, which avoids the double count, and the local total sessions are displayed.

The SPUMonitoringCurrentTotalSession object of the MIB adds information per each SPU from the local node.

[MIB Reference for SRX1400, SRX3400, and SRX3600 Services Gateways]

[MIB Reference for SRX5600 and SRX5800 Services Gateways]

Network Time Protocol

• When the NTP client or server is enabled in the edit system ntp hierarchy, the REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the NTP monlist feature might allow remote attackers to cause a denial of service. To identify the attack, apply a firewall filter to the router's loopback address that allows only trusted addresses and networks.

Screen

The TCP SYN flood counter for a SYN cookie or SYN proxy attack was incorrectly incremented once every second rather than once per SYN packet. This issue has been rectified so that every TCP SYN packet is counted for each SYN cookie or SYN proxy attack.

Now, every SYN packet received above the threshold value increments the counter.

Security Policies


Security policies are stored in both the Routing Engine and the Packet Forwarding Engine. When you modify the policies on the Routing Engine side, the policies are synchronized to the Packet Forwarding Engine side when you commit the configuration.

The policies in the Routing Engine and Packet Forwarding Engine must always be in synchronization for the configuration to commit successfully. Under certain circumstances, policies in the Routing Engine and the Packet Forwarding Engine might be out of sync resulting in generation of system core files upon commit completion.

Starting in Junos OS Release 12.1X44-D10, the synchronization mechanism of security policies between the Routing Engine and the Packet Forwarding Engine is improved.

These improvements significantly lower the probability of security policies becoming out of sync between the Routing Engine and the Packet Forwarding Engine.

However, if an out-of-sync condition occurs, the following error message will be displayed when you attempt to commit a configuration:

Policy is out of sync between RE and PFE <SPU-name(s)>. Please resync before commit.

error: configuration check-out failed

To re-synchronize policies between the Routing Engine and the Packet Forwarding Engine, you must:

• Reboot the device (device in standalone mode)

• Reboot both devices (devices in a chassis cluster mode)

Session Timeout for Reroute Failure

The route-change-timeout configuration statement at the [edit security flow] hierarchy level sets the timeout when a session is rerouted but there is a reroute failure (for example, the new route uses a different egress zone from the previous route). In previous releases, the route-change-timeout statement was disabled by default. In this release, the route-change-timeout configuration is enabled by default and the default timeout value is 6 seconds.

SNMP

Prior to Junos OS Release 12.1X44-D35, the fault management system did not display the SPUs of next-generation SPCs because the XLP PICs were not defined in the MIB files. The Juniper MIB object jnxContentsType did not return the correct OID for next-generation SPCs.

Starting in Junos OS Release 12.1X44-D35, the mib-jnx-chas-defines.txt MIB file is updated with the jnxPicType1ASPCXLP XLP PIC. Use the show snmp mib walk jnxContentsType command to display the details for the XLP PIC.

Sample output displaying the incorrect OID:

root@host> show snmp mib walk jnxContentsType
…
jnxContentsType.8.4.1.0 = 0.0
jnxContentsType.8.4.2.0 = 0.0
jnxContentsType.8.4.3.0 = 0.0
jnxContentsType.8.4.4.0 = 0.0

For brevity, the show command output includes only the output that is relevant. Any other output on the system has been replaced with ellipses (...).

Sample output displaying the correct OID:

root@host> show snmp mib walk jnxContentsType
…
jnxContentsType.8.4.1.0 = jnxPicType1ASPCXLP
jnxContentsType.8.4.2.0 = jnxPicType2ASPCXLP
jnxContentsType.8.4.3.0 = jnxPicType2ASPCXLP
jnxContentsType.8.4.4.0 = jnxPicType2ASPCXLP

System Logs

In Junos OS Release 12.1X44-D30 and earlier, the session-ID-32 in application volume tracing (AVT) logs was not prefixed with the spu-ID, whereas the flow logs were prefixed with the spu-ID.

Starting in Junos OS Release 12.1X44-D30, that functionality has changed. The AVT logs are now prefixed with the spu-ID, so that the session-ids in AVT logs are consistent with the flow logs and unique across the system.

The following example shows session-ID-32 logging before Junos OS Release 12.1X44-D30:

Oct 4 09:13:14 bournville RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 4.0.0.1/9->5.0.0.1/33631 icmp 4.0.0.1/9->5.0.0.1/33631 None None 1 1 untrust trust 180000308 1(84) 0(0) 59 ICMP-ECHO UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN

Oct 4 09:13:14 bournville RT_FLOW: APPTRACK_SESSION_CLOSE: AppTrack session closed idle Timeout: 4.0.0.1/9->5.0.0.1/33631 icmp ICMP-ECHO UNKNOWN 4.0.0.1/9->5.0.0.1/33631 None None 1 1 untrust trust 308 1(84) 0(0) 59 N/A N/A No

The following example shows session-ID-32 logging in Junos OS Release 12.1X44-D30, indicating the fix in the flow and AVT logs:

Oct 4 13:57:38 bournville RT_FLOW: RT_FLOW_SESSION_CREATE: session created 4.0.0.1/58565->5.0.0.1/21 junos-ftp 4.0.0.1/58565->5.0.0.1/21 None None 6 1 untrust trust 180000001 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN

Oct 4 13:57:38 bournville RT_FLOW: APPTRACK_SESSION_CREATE: AppTrack session created 4.0.0.1/58565->5.0.0.1/21 junos-ftp UNKNOWN UNKNOWN 4.0.0.1/58565->5.0.0.1/21 None None 6 1 untrust trust 180000001 N/A N/A UNKNOWN
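To check whether the flow and AVT logs exported by a device agree on session IDs (a mismatch breaks correlation of the two log types in a SIEM), the following Python script, an added example and not Juniper code, parses the RT_FLOW_SESSION_* and APPTRACK_SESSION_* lines shown above, pairs them by address pair and action, and classifies each pair. Treating an AVT session ID that is a shorter suffix of the flow session ID as the unprefixed pre-12.1X44-D30 form is an assumption drawn from the 308 versus 180000308 example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the flow and AppTrack (AVT) log lines shown in these
# release notes, each joined back onto a single syslog line. The ICMP pair is
# the pre-12.1X44-D30 behaviour, the FTP pair the fixed behaviour.
SAMPLE_LOG = """\
Oct 4 09:13:14 bournville RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 4.0.0.1/9->5.0.0.1/33631 icmp 4.0.0.1/9->5.0.0.1/33631 None None 1 1 untrust trust 180000308 1(84) 0(0) 59 ICMP-ECHO UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN
Oct 4 09:13:14 bournville RT_FLOW: APPTRACK_SESSION_CLOSE: AppTrack session closed idle Timeout: 4.0.0.1/9->5.0.0.1/33631 icmp ICMP-ECHO UNKNOWN 4.0.0.1/9->5.0.0.1/33631 None None 1 1 untrust trust 308 1(84) 0(0) 59 N/A N/A No
Oct 4 13:57:38 bournville RT_FLOW: RT_FLOW_SESSION_CREATE: session created 4.0.0.1/58565->5.0.0.1/21 junos-ftp 4.0.0.1/58565->5.0.0.1/21 None None 6 1 untrust trust 180000001 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Oct 4 13:57:38 bournville RT_FLOW: APPTRACK_SESSION_CREATE: AppTrack session created 4.0.0.1/58565->5.0.0.1/21 junos-ftp UNKNOWN UNKNOWN 4.0.0.1/58565->5.0.0.1/21 None None 6 1 untrust trust 180000001 N/A N/A UNKNOWN
"""

EVENT_RE = re.compile(
    r"RT_FLOW: (?P<source>RT_FLOW|APPTRACK)_SESSION_(?P<action>CREATE|CLOSE): "
    r"(?P<body>.*)$")

# The pre-NAT address pair is the first "src/port->dst/port" token in the body.
ADDR_RE = re.compile(r"\S+->\S+")

# Both log formats place the session ID right after the NAT address pair, the
# two NAT rule names, the protocol number, the policy name and the two zones.
FIELDS_RE = re.compile(
    r"\S+->\S+ \S+ \S+ (?P<proto>\d+) \S+ (?P<src_zone>\S+) (?P<dst_zone>\S+) "
    r"(?P<session_id>\d+)\b")


@dataclass
class SessionRecord:
    source: str       # "RT_FLOW" (flow log) or "APPTRACK" (AVT log)
    action: str       # "CREATE" or "CLOSE"
    addresses: str    # pre-NAT "src/port->dst/port"
    session_id: str   # session-ID-32 as printed, kept as text


def parse_session_record(line: str) -> Optional[SessionRecord]:
    """Return the session record in a flow or AVT log line, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    addr = ADDR_RE.search(m["body"])
    fields = FIELDS_RE.search(m["body"])
    if not addr or not fields:
        return None
    return SessionRecord(m["source"], m["action"], addr.group(0),
                         fields["session_id"])


def classify(flow_id: str, avt_id: str) -> str:
    """Compare the IDs that the flow log and the AVT log gave one session."""
    if flow_id == avt_id:
        return "consistent"
    # Assumption drawn from the example above (308 versus 180000308): an AVT
    # ID that is a shorter suffix of the flow ID is the unprefixed pre-D30 form.
    if len(avt_id) < len(flow_id) and flow_id.endswith(avt_id):
        return "unprefixed"
    return "mismatch"


def correlate(text: str) -> List[Tuple[str, str, str, str, str]]:
    """Pair flow and AVT records by address pair and action and report
    (addresses, action, flow_id, avt_id, status) for each complete pair."""
    ids: Dict[Tuple[str, str], Dict[str, str]] = {}
    for line in text.splitlines():
        rec = parse_session_record(line)
        if rec is not None:
            ids.setdefault((rec.addresses, rec.action), {})[rec.source] = rec.session_id
    results = []
    for (addresses, action), by_source in ids.items():
        if "RT_FLOW" in by_source and "APPTRACK" in by_source:
            flow_id, avt_id = by_source["RT_FLOW"], by_source["APPTRACK"]
            results.append((addresses, action, flow_id, avt_id,
                            classify(flow_id, avt_id)))
    return results


if __name__ == "__main__":
    for addresses, action, flow_id, avt_id, status in correlate(SAMPLE_LOG):
        print(f"{action:6} {addresses:28} flow={flow_id} avt={avt_id} -> {status}")
```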

• Starting from Junos OS Release 12.1X44-D25, on all SRX Series devices, the TCP synchronization flood alarm threshold value does not indicate the number of packets dropped; however, the value does show the packet information after the alarm threshold has been reached.

The synchronization cookie or proxy never drops packets; therefore the alarm-without-drop (not drop) action is shown in the system log.


• On all high-end SRX Series devices, the attribute type of the packets-from-client and packets-from-server options in the system logs of the following modules has been changed from uint to string:

• App Track module—APPTRACK_SESSION_APP_UPDATE, APPTRACK_SESSION_APP_UPDATE_LS, APPTRACK_SESSION_CLOSE, APPTRACK_SESSION_CLOSE_LS, APPTRACK_SESSION_VOL_UPDATE and APPTRACK_SESSION_VOL_UPDATE_LS

• Session module—RT_FLOW_SESSION_CLOSE and RT_FLOW_SESSION_CLOSE_LS

• On all high-end SRX Series devices, the following system log messages have been updated to include the certificate ID in Junos OS Release 12.1X44-D10:

• PKID_PV_KEYPAIR_DEL

Existing message: Key-Pair deletion failed

New message: Key-Pair deletion failed for <cert-id>

• PKID_PV_CERT_DEL

Existing message: Certificate deletion has occurred

New message: Certificate deletion has occurred for <cert-id>

• PKID_PV_CERT_LOAD

Existing message: Certificate has been successfully loaded

New message: Certificate <cert-id> has been successfully loaded

• PKID_PV_KEYPAIR_GEN

Existing message: Key-Pair has been generated

New message: Key-Pair has been generated for <cert-id>

System Management

• On an SRX5800 device in transparent mode, if the device is not processing multicast OSPFv3 hello packets, fix this condition by removing the no-packet-flooding statement from the configuration with the “delete security flow bridge no-packet-flooding” command.

NOTE: Packet flooding is enabled by default. If you have manually disabled packet flooding with the “set security flow bridge no-packet-flooding” statement, then use the delete command above to revert to the default behavior, which allows the device to process multicast OSPFv3 hello packets.

Unified In-Service Software Upgrade (ISSU)

On all high-end SRX Series devices, at the beginning of a chassis cluster unified ISSU, the system automatically fails over all RG-1+ redundancy groups that are not primary on the node from which you start the ISSU. This action ensures that the redundancy groups are all active on only the RG-0 primary node. You no longer need to fail over redundancy groups manually.

After the system fails over all RG-1+ redundancy groups, the system sets the manual failover bit and changes all RG-1+ primary node priorities to 255, regardless of whether the redundancy group failed over to the RG-0 primary node.

Virtual Private Network (VPN)

As of Junos OS Release 11.4, checks are performed to validate the IKE ID received from the VPN peer device. By default, SRX Series and J Series devices validate the IKE ID received from the peer with the IP address configured for the IKE gateway. In certain network setups, the IKE ID received from the peer (which can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address) does not match the IKE gateway configured on the SRX Series or J Series device. This can lead to a Phase 1 validation failure.

To modify the configuration of the SRX Series or J Series device or the peer device for the IKE ID that is used:

• On the SRX Series or J Series device, configure the remote-identity statement at the [edit security ike gateway gateway-name] hierarchy level to match the IKE ID that is received from the peer. Values can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address.

NOTE: If you do not configure remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the remote peer by default.

• On the peer device, ensure that the IKE ID is the same as the remote-identity configured on the SRX Series or J Series device. If the peer device is an SRX Series or J Series device, configure the local-identity statement at the [edit security ike gateway gateway-name] hierarchy level. Values can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address.

• On all high-end SRX Series devices, the subject fields of a digital certificate can include Domain Component (DC), Common Name (CN), Organization Unit (OU), Organization (O), Location (L), State (ST), and Country (C).

In earlier releases, the show security pki ca-certificate and show security pki local-certificate CLI operational commands displayed only a single entry for each subject field, even if the certificate contained multiple entries for a field.

For example, a certificate with two OU fields such as “OU=Shipping Department,OU=Priority Mail” displayed with only the first entry “OU=Shipping Department.” The show security pki ca-certificate and show security pki local-certificate CLI commands now display the entire contents of the subject field, including multiple field entries. The commands also display a new subject string output field that shows the contents of the subject field as it appears in the certificate.

• Public key infrastructure (PKI) objects include certificates, key pairs, and certificate revocation lists (CRLs). PKI objects are read from the PKI database when the PKI Daemon starts. The PKI Daemon database loads all certificates into memory at boot time.

When an object is read into memory from the PKI database, the following new log message is created:

PKID_PV_OBJECT_READ: A PKI object was read into memory from <location>

• On all high-end SRX Series devices, the secure Junos OS software environment does not permit DSA key pairs with modulus greater than 1024 bits.

Related

Documentation

New and Changed Features in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 124

Known Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 184

Resolved Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 186

Documentation Updates for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 234

Known Behavior in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 168


Known Behavior in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

Application Identification

• Configuration of a custom application with the ip-protocol-mapping or icmp-mapping option using the set services application-identification application application-name ip-protocol-mapping or icmp-mapping command does not work if the IP protocol (IP protocol mapping) and the type/code (ICMP mapping) options of the configured applications are the same as the predefined application.

AppSecure

• J-Web pages for AppSecure are preliminary.

• Custom application signatures and custom nested application signatures are not currently supported by J-Web.

• When ALG is enabled, application identification includes the ALG result to identify the application of the control sessions. Application firewall permits ALG data sessions whenever control sessions are permitted. If the control session is denied, there are no data sessions.

When ALG is disabled, application identification relies on its signatures to identify the application of the control and data sessions. If a signature match is not found, the application is considered unknown. Application firewall handles applications based on the application identification result.

Chassis Cluster

• On all high-end SRX Series devices, IPsec VPN is not supported in active/active chassis cluster configuration (that is, when there are multiple RG1+ redundancy groups).

• The following list describes the limitations for inserting an SPC on SRX3400, SRX3600, SRX5600, and SRX5800 devices in chassis cluster mode:

• The chassis cluster must be in active/passive mode before and during the SPC insert procedure.

• A different number of SPCs cannot be inserted in two different nodes.

• A new SPC must be inserted in a slot that is higher than the central point slot.

NOTE: The existing combo central point cannot be changed to a full central point after the new SPC is inserted.

• During an SPC insert procedure, the IKE and IPsec configurations cannot be modified.

• Users cannot specify the SPU and the IKE instance to anchor a tunnel.

• After a new SPC is inserted, the existing tunnels cannot use the processing power of the new SPC and redistribute it to the new SPC.

• Dynamic tunnels cannot load-balance across different SPCs.


• The manual VPN name and the site-to-site gateway name cannot be the same.

• In a chassis cluster scaling environment, the heartbeat-threshold must always be set to 8.

• An APN or an IMSI filter must be limited to 600 for each GTP profile. The number of filters is directly proportional to the number of IMSI prefix entries. For example, if one APN is configured with two IMSI prefix entries, then the number of filters is two.

• Eight QoS queues are supported per aggregated Ethernet (ae) interface.

• The first recommended unified ISSU from release is Junos OS Release 10.4R4. If you intend to upgrade from a release earlier than Junos OS Release 10.4R4, see the release notes for the release that you are upgrading from for information about limitations and issues related to upgrading.

ISSUs do not support the following features:

• DHCP

• GPRS, GTP, and SCTP

• Flow monitoring

For the latest unified ISSU support status, go to the Juniper Networks Knowledge Base (KB): http://kb.juniper.net/ and search for KB17946.

• In large chassis cluster configurations on SRX3400 or SRX3600 devices, you need to increase the wait time before triggering failover. In a full-capacity implementation, we recommend increasing the wait to 8 seconds by modifying heartbeat-threshold and heartbeat-interval values in the [edit chassis cluster] hierarchy.

The product of the heartbeat-threshold and heartbeat-interval values defines the time before failover. The default values (heartbeat-threshold of 3 beats and heartbeat-interval of 1000 milliseconds) produce a wait time of 3 seconds.

To change the wait time, modify the option values so that the product equals the desired setting. For example, setting the heartbeat-threshold to 8 and maintaining the default value for the heartbeat-interval (1000 milliseconds) yields a wait time of 8 seconds. Likewise, setting the heartbeat-threshold to 4 and the heartbeat-interval to 2000 milliseconds also yields a wait time of 8 seconds.

• Packet-based forwarding for MPLS and International Organization for Standardization

(ISO) protocol families is not supported.

On SRX5600 and SRX5800 devices, only two of the 10 ports on each PIC of 40-port

1-Gigabit Ethernet I/O cards (IOCs) can simultaneously enable IP address monitoring.

Because there are four PICs per IOC, this permits a total of eight ports per IOC to be monitored. If more than two ports per PIC on 40-port 1-Gigabit Ethernet IOCs are configured for IP address monitoring, the commit will succeed but a log entry will be generated, and the accuracy and stability of IP address monitoring cannot be ensured.

This limitation does not apply to any other IOCs or devices.

• IP address monitoring is not supported on redundant Ethernet interface link aggregation groups (LAGs) or on child interfaces of redundant Ethernet interface LAGs.

Screen statistics data can be gathered on the primary device only.


• Unified ISSU does not support version downgrading.

• Only redundant Ethernet (reth) interfaces or loopback interfaces are supported for IKE external interface configuration in IPsec VPN. Other interface types can be configured, but IPsec VPN might not work.
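The chassis cluster heartbeat item earlier in this list, written out as configuration. This is an added example, not configuration from the release notes: the 8-second target follows the recommendation above, and the configuration-file format is used so the fragment can be applied with load merge and reviewed with show configuration chassis cluster.

```junos
/* Added example: raise the chassis cluster failover wait from the 3 s default to 8 s. */
chassis {
    cluster {
        /* wait before failover = heartbeat-threshold x heartbeat-interval */
        /* 8 beats x 1000 ms = 8 s; the default pair (3 x 1000 ms) gives 3 s */
        /* 4 beats x 2000 ms would give the same 8 s; choose one pair only */
        heartbeat-interval 1000;
        heartbeat-threshold 8;
    }
}
```

Commit on the primary node and confirm the committed values with show configuration chassis cluster; show chassis cluster status reports the resulting redundancy-group state. A longer wait reduces spurious failovers under load at the cost of a slower reaction to a real primary failure, so the 8-second value is meant for full-capacity configurations, not as a general default.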

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, DHCPv6 client authentication is not supported.

• On all high-end SRX Series devices, DHCP is not supported in a chassis cluster.

Flow and Processing

• On all high-end SRX Series devices, when packet-logging functionality is configured with an improved pre-attack configuration parameter value, the resource usage increases proportionally and might affect the performance.

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the default authentication table capacity is 45,000; the administrator can increase the capacity to a maximum of 50,000.

• On SRX1400 devices, the default authentication table capacity is 10,000; the administrator can increase the capacity to a maximum of 15,000.

• On all high-end SRX Series devices, when devices are operating in flow mode, the Routing Engine side cannot detect the path maximum transmission unit (PMTU) of an IPv6 multicast address (with a large size packet).

• On all high-end SRX Series devices, high CPU utilization triggered for reasons such as CPU intensive commands and SNMP walks causes the Bidirectional Forwarding Detection (BFD) protocol to flap while processing large BGP updates.

• On all high-end SRX Series devices, downgrading is not supported in low-impact unified ISSU chassis cluster upgrades (LICU).

• On SRX5800 devices, network processing bundling is not supported in Layer 2 transparent mode.

• On all high-end SRX Series devices, the maximum number of concurrent sessions is 250 for SSH and Telnet, and 1024 for the Web.

General Packet Radio Service (GPRS)

The following Gateway GPRS Support Node (GGSN) and Packet Data Network Gateway (PGW) limitations are applicable for all high-end SRX Series devices.

• GGSN and PGW traffic must pass through the GPRS tunneling protocol (GTP) framework; otherwise, the tunnel status is updated incorrectly.

• The central point distributes all GTP packets to Services Processing Units (SPUs) according to upstream endpoints for GGSN or PGW (one GGSN or PGW is the upstream endpoint of the GTP tunnels). Information is checked on the upstream endpoint IP and GTP packets in the GGSN pool network in the following way:


• If the upstream endpoint source IP address in the Create-PDP-Context-Response or Create-Session-Response message is different from the upstream endpoint destination IP address in the Create-PDP-Context-Request/Create-Session-Request message, tunnels are not created. The related source and destination IP addresses are distributed to two Services Processing Units (SPUs).

• If the upstream endpoint source IP address in the Create-PDP-Context-Response or Create-Session-Response message is different from the IP address of the upstream endpoint, tunnels are created on one SPU. According to the IP address of the upstream endpoint for GGSN or PGW, an incoming GTP tunnel message is moved to a second SPU, and the GTP packets are dropped because no tunnel is found.

NOTE: In the GGSN pool scenario, GGSN can reply with a Create-PDP-Context-Request or Create-Session-Request message using another IP address that differs from the one received. Therefore the request and the response can run on two different flow sessions, and these two flow sessions can be distributed to different SPUs.

The following GTP firewall limitations are applicable on all high-end SRX Series devices.

• GGSN tunneling protocol, user plane (GTP-U) inspection is not supported.

• GTP firewall does not support hot-insertable and hot-removable hardware.

• In-service software upgrade (ISSU) is not supported from an earlier release to the current release.

• The GTP firewall needs to learn the network’s GSN table and install the table for the central point and the Services Processing Unit (SPU). Otherwise, some GTP traffic is blocked when the firewall is inserted in the network.

• Recovery might not clear tunnels in GGSN-pooling scenarios, because recovery broadcast between SPUs is not supported.

The following SCTP limitations are applicable on all high-end SRX Series devices:

• Dynamic policy is not supported for SCTP. You must configure all policies for needed SCTP sessions.

• SCTP modules only inspect IPv4 traffic. IPv6 traffic will be passed or dropped by flow-based or policy-based processing directly, and no SCTP module inspection will occur.

• Only the first chunk in each SCTP packet is checked.

• For static NAT to work, the interfaces on which packets (from one side: client or server side) come in must belong to the same zone.

• For multihome cases, only IPv4 Address Parameter (5) in INIT or INIT-ACK is supported.

• Only static NAT is supported for SCTP.


• SCTP enable or disable is controlled by whether an SCTP profile is configured.

When you disable the SCTP feature, all associations are deleted, and later SCTP packets will pass or drop according to the policy.

If you enable SCTP again, all the running SCTP communications will be dropped, because no associations exist. New SCTP communications can establish an association and perform the inspections.

Clear old SCTP sessions when SCTP is re-enabled; doing this avoids any impact of the old SCTP sessions on the new SCTP communications.

• Only established SCTP associations will be synced to the peer node.

• A maximum of eight source IP addresses and eight destination IP addresses are allowed in an SCTP communication.

• One SPU supports a maximum of 5000 associations and a maximum of 320,000 SCTP sessions.

• The 4-way handshake process should be done in one node of a cluster. If the SCTP 4-way handshake process is handled on two nodes (for example, two sessions on two nodes in active/active mode) or the cluster fails over before the 4-way handshake is finished, the association cannot be established successfully.

• If you configure different policies for each session belonging to one association, there will be multiple policies related to one association. The SCTP packet management (drop, rate limit, and so on) will use the profile attached to the handling SCTP session's policy.

The association's timeout will only use the profile attached to its INIT packet’s policy.

If the INIT packet’s policy changes the attached profile, the old profile is deleted, and the association will refresh the timeout configuration. However, if the INIT packet’s policy changes its attached profile without deleting the old profile, the association will not refresh the timeout configuration.

• Unified in-service software upgrade (ISSU) to earlier Junos OS releases is not supported.

• In some cases, the associations might not be distributed to SPUs very evenly because the port’s hash result on the central point is uneven. For example, this can occur when only two peers of ports are used, and one peer has 100 associations but the other peer has only one association. In this case, the associations cannot be distributed evenly on a firewall with more than one SPU.

• SCTP sessions are not deleted along with associations; the sessions time out after 30 minutes, which is the default value. If you need the sessions to time out sooner, you can preconfigure the SCTP application timeout value.

• M3UA or SCCP message parsing is checked, but M3UA or SCCP stateful inspection is not checked.

• Only the ITU-T Rec. Q.711-Q.714 (07 or 96) standard is supported. ANSI, ETSI, China, and other standards are not supported.

• Only RFC 4960 is supported.


Interfaces and Routing

This section covers filter and policing limitations.

On SRX1400, SRX3400, and SRX3600 devices, the following feature is not supported by a simple filter:

• Forwarding class as match condition

• The loopback (lo0) and redundant Ethernet (reth) interfaces are supported for an IKE external interface configuration in an IPsec VPN. Other interface types can be configured, but IPsec VPN might not work.

• On all high-end SRX Series devices, IPv6 traffic transiting over IPv4 based IP over IP tunnel (for example, IPv6-over-IPv4 using ip-x/x/x interface) is not supported.

On SRX1400, SRX3400, and SRX3600 devices, the following features are not supported by a policer or a three-color-policer:

• Color-aware mode of a three-color-policer

• Filter-specific policer

• Forwarding class as action of a policer

• Logical interface policer

• Logical interface three-color policer

• Logical interface bandwidth policer

• Packet loss priority as action of a policer

• Packet loss priority as action of a three-color-policer

On all high-end SRX Series devices, the following features are not supported by a firewall filter:

• Policer action

• Egress filter-based forwarding (FBF)

• Forwarding table filter (FTF)

SRX3400 and SRX3600 devices have the following limitations of a simple filter:

• Forwarding class as match condition

• In the packet processor on an IOC, up to 400 logical interfaces can be applied with simple filters.

• In the packet processor on an IOC, the maximum number of terms of all simple filters is 2000.

• In the packet processor on an IOC, the maximum number of policers is 2000.

• In the packet processor on an IOC, the maximum number of three-color-policers is 2000.

• The maximum burst size of a policer or three-color-policer is 16 MB.


• On SRX3400 and SRX3600 devices, when you enable the monitor traffic option using the monitor traffic command to monitor the FXP interface traffic, interface bounce occurs. You must use the monitor traffic interface fxp0 no-promiscuous command to avoid the issue.

• On all high-end SRX Series devices, the set protocols bgp family inet flow and set routing-options flow CLI statements are no longer available, because BGP flow spec functionality is not supported on these devices.

• On all high-end SRX Series devices, the Link Aggregation Control Protocol (LACP) is not supported on Layer 2 interfaces.

• On all high-end SRX Series devices, BGP-based virtual private LAN service (VPLS) works on child ports and physical interfaces, but not over aggregated Ethernet (ae) interfaces.

Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices, from Junos OS Release 11.2 and later, the IDP security package is based on the Berkeley database. Hence, when the Junos OS image is upgraded from Junos OS Release 11.1 or earlier to Junos OS 11.2 or later, a migration of IDP security package files needs to be performed. This is done automatically on upgrade when the IDP daemon comes up. Similarly, when the image is downgraded, a migration (secDb install) is automatically performed when the IDP daemon comes up, and previously installed database files are deleted.

However, migration is dependent on the XML files for the installed database present on the device. For first-time installation, completely updated XML files are required. If the last update on the device was an incremental update, migration might fail. In such a case, you have to manually download and install the IDP security package using the download or install CLI commands before using the IDP configuration with predefined attacks or groups.

As a workaround, use the following CLI commands to manually download the individual components of the security package from the Juniper Security Engineering portal and install the full update:

• request security idp security-package download full-update

• request security idp security-package install

• On all high-end SRX Series devices, the IDP policies for each user logical system are compiled together and stored on the data plane memory. To estimate adequate data plane memory for a configuration, consider these two factors:

• IDP policies applied to each user logical system are considered unique instances because the ID and zones for each user logical system are different. Estimates need to consider the combined memory requirements for all user logical systems.

• As the application database increases, compiled policies require more memory. Memory usage should be kept below the available data plane memory to allow for database increases.


• On all high-end SRX Series devices, ingress as ge-0/0/2 and egress as ge-0/0/2.100 works with flow showing both source and destination interface as ge-0/0/2.100.

• IDP does not allow header checks for nonpacket contexts.

• On all high-end SRX Series devices, application-level distributed denial-of-service (application-level DDoS) detection does not work if two rules with different application-level DDoS applications process traffic going to a single destination application server. When setting up application-level DDoS rules, make sure that you do not configure rulebase-ddos rules that have two different application-ddos objects when the traffic destined to one application server can process more than one rule.

Essentially, for each protected application server, you have to configure the application-level DDoS rules so that traffic destined for one protected server processes only one application-level DDoS rule.

NOTE: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.

The following configuration options can be committed, but they will not work properly:

source-zone     destination-zone   destination-ip   service   application-ddos   Application Server
source-zone-1   dst-1              any              http      http-appddos1      1.1.1.1:80
source-zone-2   dst-1              any              http      http-appddos2      1.1.1.1:80

• On all high-end SRX Series devices, application-level DDoS rule base (rulebase-ddos) does not support port mapping. If you configure an application other than default, and if the application is from either predefined Junos OS applications or a custom application that maps an application service to a nonstandard port, application-level DDoS detection will not work.

When you configure the application setting as default, IDP uses application identification to detect applications running on standard and nonstandard ports; thus, the application-level DDoS detection would work properly.

• On all high-end SRX Series devices, all IDP policy templates are supported except All Attacks. There is a 100 MB policy size limit for integrated mode and a 150 MB policy size limit for dedicated mode. The current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past the policy size limit.

• On all high-end SRX Series devices, the following IDP policies are supported:

• DMZ_Services

• DNS_Service

• File_Server

• Getting_Started


• IDP_Default

• Recommended

• Web_Server

• IDP deployed in both active/active and active/passive chassis clusters has the following limitations:

• No inspection of sessions that fail over or fail back.

• The IP action table is not synchronized across nodes.

• The Routing Engine on the secondary node might not be able to reach networks that are reachable only through a Packet Forwarding Engine.

• The SSL session ID cache is not synchronized across nodes. If an SSL session reuses a session ID and it happens to be processed on a node other than the one on which the session ID is cached, the SSL session cannot be decrypted and will be bypassed for IDP inspection.

• IDP deployed in active/active chassis clusters has a limitation that for time-binding scope source traffic, if attacks from a source (with more than one destination) have active sessions distributed across nodes, then the attack might not be detected because time-binding counting has a local-node-only view. Detecting this sort of attack requires an RTO synchronization of the time-binding state that is not currently supported.
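The application-level DDoS item earlier in this section shows two rulebase-ddos rules, one per source zone, that both reach the server at 1.1.1.1:80 with different application-ddos objects. The single-rule form the notes ask for, as an added example in Junos configuration-file format: this is not configuration from the release notes, the policy, rule, address-book and threshold values are placeholders, and the statement layout is assumed to follow the 12.1 IDP configuration hierarchy (application-ddos objects under [edit security idp], the application-ddos reference directly under the rulebase-ddos rule).

```junos
/* Added example, not from the release notes. All names and thresholds are placeholders. */
security {
    address-book {
        global {
            /* the protected server from the table above */
            address web-server-1 1.1.1.1/32;
        }
    }
    idp {
        /* one application-ddos object for the server; thresholds are illustrative only */
        application-ddos http-appddos1 {
            service http;
            connection-rate-threshold 1000;
            context http-url-parsed {
                hit-rate-threshold 500;
                value-hit-rate-threshold 100;
                max-context-values 1000;
                time-binding-count 10;
                time-binding-period 30;
            }
        }
        idp-policy appddos-policy {
            rulebase-ddos {
                /* a single rule covers both source zones, so traffic to 1.1.1.1:80 */
                /* can only ever match this rule and this one application-ddos object */
                rule protect-web-server-1 {
                    application-ddos http-appddos1;
                    match {
                        from-zone any;
                        to-zone dst-1;
                        source-address any;
                        destination-address web-server-1;
                        /* "default" keeps application identification active, which the */
                        /* next item needs when the server listens on a nonstandard port */
                        application default;
                    }
                    then {
                        action {
                            drop-connection;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
    }
}
```

Because rulebase-ddos rules are terminal, the fix is structural rather than a matter of rule order: pin the destination address to one rule and let from-zone any (or a zone list, if the release accepts one) absorb the per-zone split. If different zones genuinely need different thresholds, they need different destination servers, not different application-ddos objects for the same server.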

IP Monitoring

• When IP monitoring is enabled on a different subnet than the reth IP address, then you must configure the proxy-arp unrestricted option on the upstream router.

IPv6

IPv6 IPsec implementation has the following limitations:

• Devices with IPv6 addressing do not perform fragmentation. IPv6 hosts should either perform path maximum transmission unit (PMTU) discovery or send packets smaller than the IPv6 minimum MTU size of 1280 bytes.

• Because IPv6 addresses are 128 bits long compared to IPv4 addresses, which are 32 bits long, IPv6 IPsec packet processing requires more resources. Therefore, a small performance degradation is observed.

• IPv6 uses more memory to set up the IPsec tunnel. Therefore, the IPsec IPv4 tunnel scalability numbers might drop.

• The addition of IPv6 capability might cause a drop in the IPsec IPv4-in-IPv4 tunnel throughput performance.

The IPv6 IPsec VPN does not support the following functions:

• 4in6 and 6in4 policy-based site-to-site VPN, IKE

• 4in6 and 6in4 route-based site-to-site VPN, IKE

• 4in6 and 6in4 policy-based site-to-site VPN, Manual Key


• 4in6 and 6in4 route-based site-to-site VPN, Manual Key

• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, IKE

• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, Manual Key

• Remote Access—XAuth, config mode, and shared IKE identity with mandatory XAuth

• IKE authentication—public key infrastructure or digital signature algorithm (PKI or DSA)

• IKE peer type—dynamic IP

• Chassis cluster for basic VPN features

• IKE authentication—PKI or RSA

• Network Address Translation-Traversal (NAT-T)

• VPN monitoring

• Hub-and-spoke VPNs

• Next Hop Tunnel Binding Table (NHTB)

• Dead Peer Detection (DPD)

• Simple Network Management Protocol (SNMP) for IPsec VPN MIBs

• Chassis cluster for advanced VPN features

• IPv6 link-local address

• NSM—Consult the Network and Security Manager (NSM) release notes for version compatibility, required schema updates, platform limitations, and other specific details regarding NSM support for IPv6 addressing on all high-end SRX Series devices.

• Security policy—Only IDP is supported for IPv6 sessions on all high-end SRX Series devices. UTM for IPv6 sessions is not supported. If your current security policy uses rules with the IP address wildcard any, and UTM features are enabled, you will encounter configuration commit errors because UTM features do not yet support IPv6 addresses. To resolve the errors, modify the rule returning the error so that the any-ipv4 wildcard is used, and create separate rules for IPv6 traffic that do not include UTM features.

J-Web

• On all high-end SRX Series devices, if the device is running the worldwide version of the Junos OS and you are using the Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option in the Web browser to access the device.

• To use the Chassis View, a recent version of Adobe Flash that supports ActionScript and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed by default on the Dashboard page. You can enable or disable chassis view using options in the dashboard Preference dialog box, but clearing cookies in Internet Explorer also causes the Chassis View to be displayed.


• On all high-end SRX Series devices, users cannot differentiate between Active and Inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages.

Logical Systems

• The master logical system must not be bound to a security profile that is configured with a 0 percent reserved CPU quota because traffic loss could occur. When upgrading all high-end SRX Series devices from Junos OS Release 11.2, make sure that the reserved CPU quota in the security profile that is bound to the master logical system is configured for 1 percent or more. After upgrading from Junos OS Release 11.2, the reserved CPU quota is added to the default security profile with a value of 1 percent.

• Starting with Junos OS Release 11.2, address books can be defined under the [security] hierarchy level instead of the [security zones] hierarchy level. This enhancement makes configuring your network simpler by allowing you to share IP addresses in address books when configuring features such as security policies and NAT. You can attach zones to address books—this is known as zone-attached configuration.

Junos OS Release 12.1 continues to support address book configuration under the [security zones] hierarchy level—this is known as zone-defined configuration. However, we recommend that zone-attached address book configuration be used in the master logical system and user logical systems.

If you upgraded your high-end SRX Series devices to this Junos OS Release 12.1, and are configuring logical systems on the device, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert zone-defined configuration to zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.

See the section, “Upgrade and Downgrade Scripts for Address Book Configuration” of “Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways” on page 243.

• On all high-end SRX Series devices, the logical systems feature does not support ALGs for user logical systems because ALGs are configured globally. If you enable ALGs at the root master logical system level, they are also enabled for user logical systems in Junos OS Release 12.1. In this case, user logical system traffic is processed by the ALGs, and corresponding ALG flow sessions are initiated under the user logical system. You can only enable and disable ALGs at the root master logical system level.

• On all high-end SRX Series devices, quality-of-service (QoS) classification across interconnected logical systems does not work.

• On all high-end SRX Series devices, the number of logical system security profiles you can create is constrained by an internal limit on security profile IDs. The security profile ID range is from 1 through 32 with ID 0 reserved for the internally configured default security profile. When the maximum number of security profiles is reached, if you want to add a new security profile, you must first delete one or more existing security profiles, commit the configuration, and then create the new security profile and commit it. You cannot add a new security profile and remove an existing one within a single configuration commit.


If you want to add more than one new security profile, the same rule is true. You must first delete the equivalent number of existing security profiles, commit the configuration, and then create the new security profiles and commit them.

• User and administrator configuration for logical systems—Configuration for users for all logical systems and all user logical systems administrators must be done at the root level by the master administrator. A user logical system administrator cannot create other user logical system administrators or user accounts for their logical systems.

• Name-space separation—The same name cannot be used in two logical systems. For example, if logical-system1 includes the username “Bob” then other logical systems on the device cannot include the username “Bob”.

• Commit rollback—Commit rollback is supported at the root level only.

• Trace and debug—Trace and debug are supported at the root level only.

• Class of service—You cannot configure class of service on logical tunnel (lt-0/0/0) interfaces.

• ALGs—The master administrator can configure ALGs at the root level. The configuration is inherited by all user logical systems. It cannot be configured discretely for user logical systems.
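The security profile ID limit described above makes replacing a profile a two-commit procedure. As an added illustration (not a transcript from the release notes; the profile names SP-old and SP-new, the logical system name LSYS-A, the hostname and the resource numbers are assumptions), here is the sequence on a device that has already used all 32 profile IDs. Lines beginning with ## are explanatory and are not CLI input.

```junos
## Step 1: free a security profile ID. This must be committed on its own.
[edit]
user@host# delete system security-profile SP-old
user@host# commit
commit complete

## Step 2: only now create the replacement and bind it to a user logical system.
## Resource numbers are placeholders. cpu reserved is set to 1 percent, matching the
## minimum the notes above require for the profile bound to the master logical system.
[edit]
user@host# set system security-profile SP-new cpu reserved 1
user@host# set system security-profile SP-new policy maximum 100 reserved 50
user@host# set system security-profile SP-new zone maximum 20 reserved 10
user@host# set system security-profile SP-new logical-system LSYS-A
user@host# commit
commit complete

## Combining the delete and the set statements in a single commit is not allowed:
## the new profile needs an ID that is released only when the deletion is committed.
```

When several profiles are being replaced, delete the same number of existing profiles in the first commit and create all of the new ones in the second; the rule scales with the count, as the item above states. Check the ID budget before the change with show configuration system security-profile so that the first commit does not remove a profile that is still bound to a logical system carrying traffic.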

Network Address Translation (NAT)

• On all high-end SRX Series devices, in the case of SSL proxy, sessions are whitelisted based on the actual IP address and not on the translated IP address. Because of this, in the whitelist configuration of the SSL proxy profile, the actual IP address should be provided and not the translated IP address.

Example:

Consider a destination NAT rule that translates destination IP address 20.20.20.20 to 5.0.0.1 using the following commands:

• set security nat destination pool d1 address 5.0.0.1/32

• set security nat destination rule-set dst-nat rule r1 match destination-address 20.20.20.20/32

• set security nat destination rule-set dst-nat rule r1 then destination-nat pool d1

In the above scenario, to exempt a session from SSL proxy inspection, the following IP address should be added to the whitelist:

• set security address-book global address ssl-proxy-exempted-addr 20.20.20.20/32

• set services ssl proxy profile ssl-inspect-profile whitelist ssl-proxy-exempted-addr


• Maximum capacities for source pools and IP addresses have been extended on all high-end SRX Series devices as follows:

Pool/PAT Address Capacity (Maximum)        SRX1400   SRX3400, SRX3600   SRX5600, SRX5800
Source NAT pools                           8192      8192               12288
IP addresses supporting port translation   8192      8192               12288
PAT port number                            256M      256M               384M

• Increasing the capacity of source NAT pools consumes memory needed for port allocation. When source NAT pool and IP address limits are reached, port ranges should be reassigned. That is, the number of ports for each IP address should be decreased when the number of IP addresses and source NAT pools is increased. This ensures NAT does not consume too much memory. Use the port-range statement in configuration mode in the CLI to assign a new port range or the pool-default-port-range statement to override the specified default.

Configuring port overloading should also be done carefully when source NAT pools are increased.

• For a source pool with port address translation (PAT) in the range (64,510 through 65,533), two ports are allocated at one time for RTP or RTCP applications, such as SIP, H.323, and RTSP. In these scenarios, each IP address supports PAT, occupying 2048 ports (64,512 through 65,535) for Application Layer Gateway (ALG) module use. On SRX5600 and SRX5800 devices, if all of the 4096 source pool is configured, a port allocation of 8,388,608 is reserved for twin port use.

• NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed.

The number of destination and static NAT rules has been increased as shown in Table 18 on page 180. The limitation on the number of destination rule sets and static rule sets has been increased. Table 18 on page 180 provides the requirements per device to increase the configuration limitation as well as to scale the capacity for each device.

Table 18: Number of Rules on all High-End SRX Series Devices

NAT Rule Type          SRX1400   SRX3400, SRX3600   SRX5600, SRX5800
Source NAT rule        8192      20480              30720
Destination NAT rule   8192      20480              30720
Static NAT rule        8192      20480              30720


The restriction on the number of rules per rule set has been increased so that there is only a device-wide limitation on how many rules a device can support. This restriction is provided to help you better plan and configure the NAT rules for the device.

For memory consumption, there is no guarantee to support these numbers (maximum source rule or rule set + maximum destination rule or rule set + maximum static rule or rule set) at the same time for SRX3400, SRX3600, SRX5600, and SRX5800.

The suggested total number of rules and rule sets is listed in the following table:

Objects                          SRX3400, SRX3600   SRX5600, SRX5800
Total NAT rule sets per system   20,000             30,000
Total NAT rules per rule set     20,000             30,000
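The port-range guidance in the source NAT items above (fewer ports per address as the number of addresses and pools grows, set with the per-pool port range or the device-wide pool-default-port-range statement), as an added configuration example. This is not configuration from the release notes: the pool names and addresses are constructed, and the range values are illustrative choices, not the device defaults. The per-pool statement is written here as port range, which is the configuration-file form of what the notes call the port-range statement.

```junos
/* Added example, not from the release notes. Pool names, addresses and ranges are constructed. */
security {
    nat {
        source {
            /* device-wide default for every PAT pool that does not set its own range; */
            /* kept below 64,512 so the twin-port block reserved for ALG use is untouched */
            pool-default-port-range 1024 to 63487;
            /* large pool: 250 addresses, so each address is given a smaller range to */
            /* bound port-allocation memory as the number of addresses and pools grows */
            pool big-pool {
                address {
                    203.0.113.1/32 to 203.0.113.250/32;
                }
                port {
                    range 1024 to 32767;
                }
            }
            /* small pool: a single address, so the device-wide default range applies */
            pool small-pool {
                address {
                    198.51.100.1/32;
                }
            }
        }
    }
}
```

The trade-off is the one the notes describe: halving the per-address range halves the memory the pool needs for port allocation but also halves the concurrent translations each address can carry, so size the range from the expected sessions per address rather than shrinking it uniformly. Port overloading, which the notes say to handle with care as pools grow, is left at its default here.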

Security Policies

• On all high-end SRX Series devices, the current SSL proxy implementation has the following connectivity limitations:

• The SSLv2 protocol is not supported. SSL sessions using SSLv2 are dropped.

• SSL sessions where client certificate authentication is mandatory are dropped.

• SSL sessions where renegotiation is requested are dropped.

• On all high-end SRX Series devices, for a particular session, the SSL proxy is only enabled if a relevant feature related to SSL traffic is also enabled. Features that are related to SSL traffic are Intrusion Detection and Prevention (IDP), application identification, application firewall, and application tracking. If none of the above listed features are active on a session, the SSL proxy bypasses the session and logs are not generated in this scenario.

• On all high-end SRX Series devices, the limitation on the number of addresses in an address set has been increased to 1024. The default value of an address set is 1024. The number of addresses in an address set, which depends on the device, is equal to the number of addresses supported by the policy.

Services Offloading

Services offloading has the following limitations:

• Transparent mode is not supported. If transparent mode is configured, a normal session is installed.

• Link aggregation group (LAG) is not supported. If a LAG is configured, a normal session is installed.

• Only multicast sessions with one fan-out are supported. If a multicast session with more than one fan-out exists, a normal session is installed.

• Only active/passive chassis cluster configuration is supported. Active/active chassis cluster configuration is not supported.


• Fragmented packets are not supported. If fragmented packets exist, a normal session is installed.

• IP version 6 (IPv6) is not supported. If IPv6 is configured, a normal session is installed.

NOTE: A normal session forwards packets from the network processor to the Services Processing Unit (SPU) for fast-path processing. A services-offload session processes fast-path packets in the network processor and the packets exit out of the network processor itself.

For Non-Services-Offload Sessions:

• When services offloading is enabled, for normal sessions, the performance can drop by approximately 20 percent for connections per second (CPS) and 15 percent for packets per second (PPS) when compared with non-services-offload mode.

For Services-Offload Sessions:

• When services offloading is enabled, for fast-forward sessions, the performance can drop by approximately 13 percent for connections per second (CPS).

Simple Network Management Protocol (SNMP)

• On all high-end SRX Series devices, the show snmp mib CLI command will not display the output for security related MIBs. We recommend that you use an SNMP client and prefix logical-system-name@ to the community name. For example, if the community is public, use default@public for the default root logical system.

Unified Threat Management (UTM)

• On SRX5400 devices configured with Sophos Antivirus, certain files whose sizes are larger than the max-content-size might not go into fallback, unlike with other AV engines. Instead, they end up being detected as clean files for the few protocols that do not predeclare the content size.

Virtual Private Network (VPN)

On all high-end SRX Series devices, IKEv2 does not include support for:

• Policy-based tunnels

• Dial-up tunnels

• Network Address Translation-Traversal (NAT-T)

• VPN monitoring

• Next Hop Tunnel Binding (NHTB) for st0—Reusing the same tunnel interface for multiple tunnels

• Extensible Authentication Protocol (EAP)

• IPv6


• Multiple child SAs for the same traffic selectors for each QoS value

• Proposal enhancement features

• Reuse of Diffie-Hellman (DH) exponentials

• Configuration payloads

• IP Payload Compression Protocol (IPComp)

• Dynamic Endpoint (DEP)

• On all high-end SRX Series devices, configuring XAuth with AutoVPN secure tunnel (st0) interfaces in point-to-multipoint mode and dynamic IKE gateways is not supported.

• On all high-end SRX Series devices, for auto VPN, the tunnel setup rate decreases with an increase in the number of SPCs in the device.

• A secure tunnel (st0) interface supports only one IPv4 address and one IPv6 address at the same time. This applies to all route-based VPNs, including AutoVPNs.

• On all high-end SRX Series devices, the lo0 logical interface cannot be configured with RG0 if it is used as an IKE gateway external interface.

• On all high-end SRX Series devices, DH-group 14 is not supported for dynamic VPN.

• On all high-end SRX Series devices, when you enable VPN, overlapping of the IP addresses across virtual routers is supported with the following limitations:

• An IKE external interface address cannot overlap with any other virtual router.

• An internal or trust interface address can overlap across any other virtual router.

• An st0 interface address cannot overlap in route-based VPN in point-to-multipoint tunnels such as NHTB.

• An st0 interface address can overlap in route-based VPN in point-to-point tunnels.

• On all high-end SRX Series devices, the DF-bit configuration for VPN only works if the original packet size is smaller than the st0 interface MTU and larger than the external interface-IPsec overhead.

• The local IP feature is not supported on the following:

• All SRX Series devices in chassis cluster configuration

• All high-end SRX Series devices

• On all high-end SRX Series devices, the IPsec NAT-T tunnel scaling and sustaining issues are as follows:

• For a given private IP address, the NAT device should translate both 500 and 4500 private ports to the same public IP address.

• The total number of tunnels from a given public translated IP cannot exceed 1000 tunnels.


Related Documentation

• New and Changed Features in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 124

• Resolved Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 186

• Known Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 184

• Documentation Updates for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 234

• Changes in Behavior and Syntax in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 149

Known Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

The following problems currently exist in Juniper Networks SRX Series Services Gateways. The identifier following the descriptions is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at http://www.juniper.net/prsearch.

NOTE: If there is no device listed in the PR description, then that issue applies to all high-end SRX Series devices.


Known Issues in Junos OS Release 12.1X44-D50 for High-End SRX Series Services Gateways

Flow-Based and Packet-Based Processing

• On all high-end SRX Series devices configured with chassis cluster and logical systems (LSYS), when the session number is close to the configured LSYS session limit, sessions might not be successfully created on the secondary node. The sessions will be created on the backup flow SPUs, but not on the central point. As a result, the backup flow SPUs will keep retrying until the SPUs are successful. When this situation continues, the session limit on the secondary node’s SPU will reach the maximum limit value and this will affect the new session creation.

NOTE: The number of sessions on the secondary node SPU is usually higher than on the primary node SPU.

As a workaround, either remove the session limit for LSYS or increase it to a higher value.

PR1061067

Interfaces and Routing

• On all high-end SRX Series devices, the clear security dns-cache command is extended to resolve all DNS entries immediately. Similarly, the security policies containing DNS names are updated immediately to use the refreshed IP addresses after the FQDN addresses are resolved.

PR970235

Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices, an active IDP session might not be fetched by the show security flow session idp and show security flow session summary idp commands.

This issue occurs only when both IDP and AppID are enabled.

PR1045587

Network Address Translation (NAT)

• On all high-end SRX Series devices configured in chassis cluster mode, when ALG traffic performs NAT translation, in a rare condition, invalid ALG binding entries might be created on the secondary node, which results in a flowd process crash on the secondary node.

PR1037617

Platform and Infrastructure

• On all high-end SRX Series devices, every time a user logs in with SSH, a veriexec: fingerprint mismatch message is reported in the log.

PR929612

Routing and Infrastructure


• On all high-end SRX Series devices, if there are two routing instances of instance type default and virtual router, when you change the instance type of one routing instance from default to virtual router after the routing policy is configured, the route is missing from the second routing instance.

As a workaround, deactivate the first routing instance and the routing policy, and then activate the first routing instance to correct the issue.

PR969944

Virtual Private Networks (VPNs)

• On all high-end SRX Series devices with IPsec VPN configured using IKE version 1, the device can hold only two pairs of IPsec security associations (SAs) per tunnel. When the third IPsec SA rekey occurs, the oldest IPsec SA is deleted. Due to this mechanism, a looping of IPsec SA rekey might occur. For example, when a VPN peer contains incorrect configuration that has more than two proxy IDs matching only one proxy ID on a device, the rekey looping issue might cause the flowd process to crash on multiple thread-based SRX Series platforms (SRX240 devices and higher).

As a workaround, correct the configuration if this issue is caused by incorrect configuration on the VPN peer. This issue should not recur after correcting the configuration, and it can be avoided by using IKE version 2 instead of IKE version 1.

PR996429

Resolved Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

The following are the issues that have been resolved in Junos OS Release 12.1X44 for Juniper Networks SRX Series Services Gateways. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at http://www.juniper.net/prsearch.

NOTE: If there is no device listed in the PR description, then that issue applies to all high-end SRX Series devices.


Resolved Issues in Junos OS Release 12.1X44-D50 for High-End SRX Series Services Gateways

Application Identification

• On all high-end SRX Series devices running Junos OS Release 12.1X46 and earlier, if application identification (AppID) is enabled, performance degradation is seen in comparison with devices running Junos OS Release 12.1X47-D10 and later. This is because the AppID function does not ignore the related sessions when AppID has reached the terminal state, and continues with the serialization processing for those sessions. It is important to note that Junos OS Release 12.1X47 and later releases use advanced AppID.

PR1046509

Application Layer Gateways (ALGs)

• On all high-end SRX Series devices, the DNS ALG does not terminate the session when a truncated DNS reply is received, so the session remains active until the high timeout of 10~50 is reached.

PR1038800

• On all high-end SRX Series devices, if the SUN RPC traffic has the same IP address, port number, and program ID but is coming from different source zones other than the session, the traffic is dropped by the SUN RPC ALG.

PR1050339

• On all high-end SRX Series devices, the SIP ALG decode packet error occurs in the system log when the unsupported blank packets are used as keepalive messages.

PR1057170

• On all high-end SRX Series devices, the current SIP parser does not parse the quotation marks in the mime boundary, and the message body of the SIP messages might be cut off.

PR1064869

• On all high-end SRX Series devices, when the callee presses the Hold button, the SIP message does not translate the c line of the INVITE packet sent to the caller.

PR1066633

• On all high-end SRX Series devices with the MS-RPC ALG enabled, the flowd process might crash due to incorrect MS-RPC ALG parsing for the ISystemActivator RemoteCreateInstance Response packets.

PR1066697

Authentication

• On all high-end SRX Series devices with firewall authentication configured, an authentication entry leak on the data plane occurs when an authenticated user tries to re-authenticate. As a result, firewall authentication will not allow any more authentication entries to be created.

PR969085

• On all high-end SRX Series devices with firewall authentication enabled, when a firewall authentication from an authenticated IP address for a new authentication fails, and then a pass-through firewall authentication tries this entry, the firewall authentication function accesses freed memory, which results in a flowd process crash.

PR1040214

• On all high-end SRX Series devices with firewall authentication enabled, in a rare timing condition, if there are many pending sessions in a firewall authentication entry with failed state, then a packet entering and matching this failed authentication entry might cause the flowd process to crash.

PR1048623


Command-Line Interface

• On all high-end SRX Series devices, the configurations of group junos-defaults are lost after a configuration rollback. As a result, the commit command fails.

PR1052925

Chassis Cluster

• On all high-end SRX Series devices in chassis cluster mode, during control plane RG0 failover, a policy resynchronization operation compares the policy message between the Routing Engine and the Packet Forwarding Engine. However, some fields in the security policy data message are not processed. Data for unprocessed fields might be treated differently and cause the flowd process to crash.

PR1040819

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices configured as a DHCP server (using the jdhcpd process), when the DHCP server gets a new request from a client and applies an IP address from the authentication process (authd), the jdhcpd process communicates with authd twice as expected (once for the DHCP discovery message and once for the DHCP request message). If the authentication fails in the first message, the authd process will indefinitely wait for the second authentication request. However, the jdhcpd process never sends the second request, because the process detects that the first authentication did not occur. This causes a memory leak in the authd process, and the memory might get exhausted, generating a core file and preventing DHCP server service. High CPU usage on the Routing Engine might also be observed.

PR1042818

• On all high-end SRX Series devices configured as a DHCP client, the default route received through the external DHCP server might get removed from the routing table when you modify the DHCP configurations under the access address-assignment hierarchy.

PR1058821

Flow-Based and Packet-Based Processing

• On all high-end SRX Series devices with IDP configured, in rare cases where the device runs out of memory, the flowd process might crash if shellcode detection occurs.

PR985139

• On all high-end SRX Series devices with GRE tunnel configured, the carrier interface of GRE tunnel is not updated when a more accurate and new route to the tunnel destination address is added, which might cause traffic loss in some scenarios.

PR1040666

• On all high-end SRX Series devices, when self-generated traffic is processed by IDP, the IDP function might trigger an unmatched flow lock operation, which leads to a deadlock condition and eventually causes the flowd process to crash.

PR1046801

• On all high-end SRX Series devices in transparent mode, when the PIM register-stop message passes through the device, the device cannot match the PIM session that is created by the register packet. The PIM register-stop message tries to create a new session, and the session is dropped during the session creation process due to a session conflict.

PR1049946

• On all high-end SRX Series devices, in a rare condition, the session might be doubly released by multiple threads during internal processing by the NAT module. As a result, the flowd process crashes.

PR1058711

Interfaces and Routing

• On all high-end SRX Series devices, during the ISSU process, the Packet Forwarding Engine connects to and sometimes disconnects from the Routing Engine. Hence, the IP resolve events sent to the Packet Forwarding Engine are ignored. When you configure multiple DNS policies after the ISSU process, some of the policies will not have IP addresses in the Packet Forwarding Engine.

PR985731

• On all high-end SRX Series devices, the commit synchronize command fails because the kernel socket gets stuck.

PR1027898

• On SRX1400, SRX3400, and SRX3600 devices, a memory leak occurs on the Control Plane Processor (CPP) when logical interfaces are deleted and the interprocess communication messages are received by the CPP. High memory usage on the CPP might be seen in an interface flapping situation.

PR1059127

J-Web

• On all high-end SRX Series devices, if a security policy contains a tcp-options statement, modifying this security policy by using J-Web results in the loss of the tcp-options statement. This is because the tcp-options configuration is missing in the J-Web security policy configuration.

PR1063593

Logical Systems

• On all high-end SRX Series devices, BGP neighbors in IPv6 mode are not established with logical systems in configuration mode.

PR1042205

Network Address Translation (NAT)

• On all high-end SRX Series devices with persistent NAT enabled, if an invalid flow with the protocol value 0 creates a persistent NAT entry, then this persistent NAT entry is not cleared even when the invalid session is cleared.

PR935325

• On all high-end SRX Series devices with source NAT configured, a memory leak might occur in the nsd process when SNMP queries the source NAT rule hit information.

PR1036882


Platform and Infrastructure

• On all high-end SRX Series devices, the packets per second (pps) and bits per second (bps) counters are not reporting accurate values while checking the monitor traffic interface interface-name command or the show interface interface-name extensive command.

PR1033222

Unified Access Control (UAC)

• On all high-end SRX Series devices that are configured as an enforcer in a Unified Access Control (UAC) network scenario, because there is no protection against a NULL return from memory allocation in the UAC authentication table, the flowd process might crash. This occurs in rare cases where the device runs into an out-of-memory situation and then tries to allocate memory for a UAC authentication request.

PR1055379

Virtual Private Networks (VPNs)

• On all high-end SRX Series devices, in a hub-and-spoke IPsec VPN scenario, on the hub site, when committing the static NHTBs on the multipoint secure tunnel (st0) interface, the VPN routes might become active even though the VPN tunnel is down.

This issue also occurs when the system reboots with static NHTBs and the related static routes configured.

PR1007235

• On all high-end SRX Series devices, when a primary IP address of an interface changes, some IPsec tunnels terminated on that interface might go down.

PR1044620

• On all high-end SRX Series devices with a large number of IPsec VPN tunnels configured, in a very rare condition, if VPN monitoring is enabled, the kmd process might crash when you delete some of the VPN tunnels.

PR1044660

• On all high-end SRX Series devices, in a tunnel-over-tunnel scenario involving route-based IPsec VPN, GRE, or IP-in-IP tunnels, such as IPsec VPN over a GRE tunnel, after the encapsulation of the first tunnel, the next hop in internal processing might not be set properly to point to the second tunnel, which results in packet loss.

PR1051541

Resolved Issues in Junos OS Release 12.1X44-D45 for High-End SRX Series Services Gateways

Application Layer Gateways (ALGs)

• On all high-end SRX Series devices, LAG interface gratuitous ARP is neither generated nor sent out on the link when gratuitous-arp-on-ifup is configured.

PR889851

• On all high-end SRX Series devices with the MS-RPC ALG enabled, occasionally, when more than one IP and port pair exists in the MS-RPC response packet, and these IP and port pairs are the same, the ALG group might leak. This issue might also occur in a Sun RPC scenario.

PR1010499

• On all high-end SRX Series devices with SIP ALG enabled, when either retain-hold-resource and NAT are configured or retransmission of 183 session progress messages with SDP occurs (the first transmission did not have SDP), the SIP ALG incorrectly changes the IP address that is embedded inside the media payload to zero, causing a call failure.

PR1016969


• On all high-end SRX Series devices, SCTP traffic sessions are established on an SPU that is selected by the port’s hash algorithm. This means that session affinity does not take effect for SCTP traffic even if the SCTP ALG is disabled. However, because SCTP and session affinity conflict by nature, session affinity does not support SCTP traffic when the SCTP ALG is enabled.

PR1019859

• On all high-end SRX Series devices, in certain situations, the H.323 ALG incorrectly handles translation because the stored position is not initialized properly. As a result, H.323 endpoint registration failures and call failures occur.

PR1023528

• On all high-end SRX Series devices with the SIP ALG and NAT enabled, if you place a call on hold or off hold many times, each time with different media ports, the resources in the call are used up, resulting in one-way audio. Tearing down the call clears the resources, and subsequent calls are not affected.

PR1032528

• On all high-end SRX Series devices with the SIP ALG and NAT enabled, the SIP ALG does not execute IP translation for the retransmitted 183 session progress messages.

This leads to SIP call failure when the device receives the first 183 session progress message without SDP information, but the retransmitted 183 session progress messages contain SDP information.

PR1036650

Command-Line Interface

• On all high-end SRX Series devices, system commit synchronize is not supported. Hence, when you configure it, it will not be committed due to a configuration lock.

PR1012692

• On all high-end SRX Series devices, CLI auto-complete does not work for any keywords after you run the set system login class <name> permissions command.

PR1032498

• On all high-end SRX Series devices, the configurations of group junos-defaults are lost after a configuration rollback. As a result, the commit command fails.

PR1052925

Flow-Based and Packet-Based Processing

• On all high-end SRX Series devices, when you run the clear security flow session command with a prefix or port filter, some of the sessions are not matched with the filter, causing a traffic drop or delay.

PR925369

• On SRX5400, SRX5600, and SRX5800 devices configured with SPC II cards, a memory leak might occur on the SPC II Control Plane Processor (CPP), causing the SPC II CPP to reboot.

PR975345

• On all high-end SRX Series devices, under certain rare conditions, certain IPv6 functions might not be uninitialized. As a result, some IPv4 packets are incorrectly treated as IPv6 packets, which causes the flowd process to crash due to the anomalous packets for IPv6 processing.

PR992517

• On SRX1400 devices, datapath debugging does not capture the system-generated packets.

PR1004074

• On all high-end SRX Series devices, in certain conditions, corrupted memory exists in data plane. In such cases, executing the show xlr pkt_mbuf command (part of the request support information command) results in a flowd process crash.

PR1005067


• On all high-end SRX Series devices, when the packet-capture option is configured on the egress interface and a multicast stream is sent through the device, the multicast traffic might not be captured.

PR1005116

• On SRX5400, SRX5600, and SRX5800 devices, the egress packets out of delay bandwidth in queue 4 to queue 7 might be dropped when traffic bursts.

PR1007778

• On all high-end SRX Series devices (except SRX1400), fragmented IPsec packets might be out of order after decryption, causing TCP packet retransmission and performance degradation.

PR1013223

• On SRX1400 devices, in a rare condition, SPUs might run into an infinite loop. High CPU usage on the SPUs will be seen, and the flowd process will eventually crash.

PR1017665

• On all high-end SRX Series devices, in some scenarios, the flowd process might generate core files due to stack overflow while running a log collection script (for example, the shell script which sends various CLI and VTY commands) on the device.

PR1020739

• On all high-end SRX Series devices, the flowd process might crash while applying a CoS filter for the host outbound traffic.

PR1021150

• On all high-end SRX Series devices, when a device forwards traffic, a flowd core file is generated. This is a generic issue and does not impact any feature.

PR1027306

• On all high-end SRX Series devices in a chassis cluster Z mode, if static NAT or destination NAT is configured, and in the NAT rule, the IP address of the incoming interface is used as a matching condition of the destination address (for example, set security nat static <rule-set-name> rule <rule-name> match destination-address <use the IP address of incoming interface>), then the traffic matching the NAT rule is discarded.

PR1040185

Interfaces and Routing

• On all high-end SRX Series devices, when a router is acting as an NTP broadcast server, broadcast addresses must be in the default routing instance. NTP messages are not broadcast when the address is configured in a VPN virtual routing and forwarding (VRF) instance.

PR887646

• On all high-end SRX Series devices, CoS buffer sizes are not recalculated after you delete the interface units. This might result in suboptimal CoS behavior.

As a workaround, do the following:

1. Deactivate the physical interface and commit the configuration.

2. Delete the interface units.

3. Activate the physical interface and commit the configuration.

PR953924

Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices, duplicate FLOW_IP_ACTION logs are generated while sending traffic.

PR959512


• On all high-end SRX Series devices, the idpd process might crash when you update the IDP security packages. This issue occurs because of an XML parsing failure.

PR1011610

J-Web

• On all high-end SRX Series devices in a chassis cluster, when the switch to Layer 2 mode button is pressed in J-Web, it does not ask for any confirmation; it converts the device to transparent mode immediately and reboots the device.

PR1007740

• On all high-end SRX Series devices, on the Dashboard page, the serial number and the system uptime are not displayed.

PR1009371

• On all high-end SRX Series devices, the PKI certificate issued for J-Web GUI HTTPS will not be used when DVPN is configured on the same device. This is because the device will use the self-signed PKI certificate for both J-Web GUI HTTPS and DVPN URL access.

PR1017747

Platform and Infrastructure

• On all high-end SRX Series devices, there is some buffer leak in Application Delivery Controller (ADC) and Transparent Load Balancer (TLB) services due to the malfunction of atomic functions.

PR934768

• On all high-end SRX Series devices, when you use dual control link and LACP and if the first control link goes down, the LACP goes down on the secondary node for redundancy group 0. The secondary node might be the primary node for a data plane redundancy group (1+) and carries the traffic. Hence, the traffic might be interrupted.

PR958841

• On all high-end SRX Series devices, due to a communication error between the master agent (snmpd process) and the subagent (mib2d process), the device fails to register some MIBs. For example, the following commands do not display any output when you run them:

user@hostname> show snmp mib walk ifTable

user@hostname:~$ snmpwalk -v 2c -c snmp@exp X.X.X.X ifAlias

The following message is displayed: IF-MIB::ifAlias = No Such Object available on this agent at this OID.

This means the OID is not registered.

PR978535

• On all high-end SRX Series devices in a chassis cluster, the backup node should not send SNMP traps.

PR982777

• On SRX3400 or SRX3600 devices in a chassis cluster, the FPC 0 Minor Errors alarm is raised because of the excessive invalid pkt type errors reported by the Network Processing Card (component).

PR1008968


• On SRX1400, SRX3400, and SRX3600 devices configured with firewall simple filters, if you change the simple filter terms, some terms might not be installed properly in the data plane. As a result, the simple filter might not work as expected.

PR1012606

• On all high-end SRX Series devices, when a new user is created, the home directory for the user is not created.

PR1015156

Security

• OpenSSL released a Security Advisory that included CVE-2014-3566, known as the "POODLE" vulnerability. The SSL protocol 3.0 (SSLv3) uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data through a padding oracle attack. OpenSSL is upgraded to support SSL 3.0 fallback protection (TLS_FALLBACK_SCSV). Refer to JSA10656 for more information.

PR1033938

Security Policy

• On all high-end SRX Series devices, due to a problem with processing authorization attributes containing double quotation marks within the TACACS+ configuration, authenticated local users might be allowed to run commands that are denied to them by policy. This represents a privilege escalation risk. Refer to JSA10667 for more information.

PR989199

• On all high-end SRX Series devices, when you swap the sequence of security policies or when security policies are disabled by a scheduler, the applications configured in these security policies might be added to other enabled security policies. This might cause unexpected applications to be evaluated by other security policies, and traffic to be permitted or denied unexpectedly.

PR1033275

Simple Network Management Protocol (SNMP)

• On all high-end SRX Series devices, there are compilation problems with the following MIBs:

• mib-jnx-license

• mib-jnx-sp-nat

• mib-jnx-subscriber

These three objects are defined in Junos OS Release 11.2 version of the JUNIPER-SMI, but they are missing in Junos OS Release 12.1.

PR794327

System Logging

• On all high-end SRX Series devices, if the stream mode logging has incomplete configuration for multiple streams, after reboot the system might not send out stream logs to the properly configured streams.

PR988798

• On all high-end SRX Series devices, RT_PFE errors might be generated due to reroute failure when a more specific route entry is added or deleted.

PR1009947


Unified Access Control (UAC)

• On all high-end SRX Series devices that act as a Unified Access Control (UAC) enforcer, a memory corruption might occur in which running show arena or request support information triggers the flowd process to crash.

PR1033684

Unified Threat Management

• On all high-end SRX Series devices with UTM content filtering enabled, when the filename extension value is set to .com to block URLs, the content filtering feature incorrectly treats the <searchpart> as a path and blocks URLs that end with .com.

PR1008108

Virtual Private Networks (VPN)

• On all high-end SRX Series devices, when the IKE ALG is disabled, the central point does not install a session for IPv6 IPsec VPN pass-through traffic.

PR905239

• On all high-end SRX Series devices deployed in a hub-and-spoke VPN scenario as a hub point with dynamic endpoint VPN (DEP VPN) spokes, if manual NHTBs are configured, changing (adding or deleting) NHTBs might cause other NHTBs to be deleted and existing tunnels to go down.

PR1001692

• On all high-end SRX Series devices with IPsec VPN configuration, because of a rare timing issue, the IPsec VPN traffic might be dropped due to a "bad SPI" message on the traffic-receiving side during IPsec Security Association (SA) rekey.

PR1031890

• On all high-end SRX Series devices in AutoVPN configuration, after you reboot the device, the VPN tunnel might not come up due to an error with the private key.

PR1032840

• On all high-end SRX Series devices with policy-based IPsec VPN configured, deleting security policies that are associated with a VPN tunnel might result in a stale VPN tunnel remaining. In addition, the tunnel might be associated with the newly added security policies.

PR1034049

Resolved Issues in Junos OS Release 12.1X44-D40 for High-End SRX Series Services Gateways

Application Layer Gateways (ALGs)

• On all high-end SRX Series devices, when RTSP ALG traffic passes through a routing instance of type virtual router, under some conditions the traffic is dropped.

PR979899

• On all high-end SRX Series devices, when there is heavy SIP traffic through the device, high CPU usage is seen on one or more SPUs. This issue occurs due to a certain type of SIP-handling logic, which dumps payload packets to the internal buffer. This logic has been optimized to reduce load on the SPU.

PR985932

• On all high-end SRX Series devices in a chassis cluster with the PPTP ALG enabled and the PPTP session closed, a memory corruption might occur on the secondary node, which causes the flowd process to crash.

PR993447


Flow-Based and Packet-Based Processing

• On all high-end SRX Series devices with multicast configuration for chassis cluster, Redundancy Group 0 (RG0) failover might cause too many memory fragments in the kernel, resulting in control operation failure due to lack of contiguous memory.

PR944604

• On all high-end SRX Series devices, when you reboot the passive node, the CPU usage increases on the flow SPUs of the primary node. This lasts for a few seconds, during which traffic latency is increased.

PR962401

• On all high-end SRX Series devices deployed in a multicast scenario, a memory leak on the fwdd process might occur when the multicast routes change.

PR963116

• On all high-end SRX Series devices, in certain situations when the device has more than one IKE Security Association (SA) installed for the same peer device and DPD is triggered, the DPD messages are not sent from the device to the peer device, causing the stale IKE SA to remain installed on the device until it expires.

PR967769

• On SRX5400, SRX5600, and SRX5800 devices, incorrect counter information is displayed on reth interface.

PR978421

• On all high-end SRX Series devices with multicast enabled, frequent multicast route changes might cause a JTree memory leak on the SPC. If the SPC runs out of JTree memory, routing information might not be updated on the Packet Forwarding Engine, causing traffic loss. When JTree memory is running low, the following log message is reported:

node1.fpc7.pic0 RSMON: Resource Category:jtree Instance:jtree0-seg0 Type:free-pages Available:1 is less than LWM limit:1638, rsmon_syslog_limit()

PR979712

• On all high-end SRX Series devices, in rare cases, the device starts using sequential source ports for source NAT because of random function memory corruption.

PR982931

• On all high-end SRX Series devices, for IDP, AppSecure, ALG, GTP, or SCTP, the flow serialization impacts session performance. This flow serialization continues even after Layer 7 processing is completed.

PR986326

• On all high-end SRX Series devices, due to an indirect next-hop change, memory corruption occurs in the flow route lookup table, which causes the flowd process to crash.

PR988659

• On SRX5400, SRX5600, and SRX5800 devices, after fabric reconnect, the fabric plane displays the Link error message after the fabric plane goes online or offline.

PR990679

• On all high-end SRX Series devices, the session ager might get stuck due to a memory corruption, causing the maximum session limitation to be reached on SPUs.

PR991011

• On all high-end SRX Series devices, when fragmented packets are processed, the first fragment is used to create a session, and the subsequent fragments are queued on a memory block. When a session is created, the queued fragments might be processed for flow processing even though the session is still in pending state. As a result, order information is lost, and the fragmented packets are forwarded out of order.

PR993925


Resolved Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices, when the IDP security package update contains a detector version change, the configured detector kconst values are not pushed from the idpd process to the Packet Forwarding Engine. Hence, the newly loaded detector takes default values.

PR971010

• On all high-end SRX Series devices, when you configure an automatic security package update without configuring the schedule interval and start time, high CPU usage on the idpd process is seen.

PR973758

J-Web

• On all high-end SRX Series devices, when you open several connections to J-Web from the same IP address, the HTTP process might hang and J-Web becomes unresponsive.

PR974042

Screens

• On all high-end SRX Series devices with flooding type screens configured, if multiple logical interfaces on the same network processing unit (NPU) are configured in the same zone, then changing the flooding thresholds might cause each of these logical interfaces to have inconsistent thresholds. Sometimes a few logical interfaces might not have any screen flood protection.

PR972812

System Logging

• On all high-end SRX Series devices, if there are multiple stream mode configurations set under the [security log] hierarchy and one stream is set to “severity warning”, the system log traffic on the other streams is stopped.

PR1009428

Virtual Private Networks (VPN)

• File Descriptor leak occurs during the network-security-trace process when commit configuration changes are made in the [edit security ike] configuration. Eventually, the system reaches the maximum file limit, which results in a system-unmanageable condition.

PR893017

• On all high-end SRX Series devices, in a hub-and-spoke IPsec VPN scenario, on the hub site, when you commit the static NHTBs on the multipoint secure tunnel (st0) interface, the VPN routes might become active even though the VPN tunnel is down.

This issue also occurs when you reboot the system with static NHTBs and the related static routes configured.

PR947149

• On all high-end SRX Series devices, dynamic VPN user groups are not able to access certain remote resources, even though the user can still log in to dynamic VPN and is assigned an IP address.

PR988263


Resolved Issues in Junos OS Release 12.1X44-D35 for High-End SRX Series Services Gateways

Application Layer Gateways (ALG)

• On SRX Series devices, the REAL ALG is not supported, but you can configure it from both the CLI and J-Web.

PR943123

• On all high-end SRX Series devices, the Microsoft Active Directory or Microsoft Outlook client might get disconnected from the server because the MS-RPC ALG incorrectly drops the data connections under heavy load.

PR958625

AppSecure

• On all SRX Series devices, the application firewall module might cause the Network Security Daemon (NSD) to leak up to 4 KB of memory on each configuration commit.

PR969107

Certificate Authority (CA) Profile

• When you run the show security pki *-certificate command, the result displays time without a time zone.

PR746785

Chassis Cluster

• On devices in a chassis cluster working as a Unified Access Control (UAC) enforcer, when RG0 failover occurs, the Packet Forwarding Engine might connect to the uac process before the uac process connects to the UAC server. In this condition, the uac process conveys to the Packet Forwarding Engine that the UAC server is disconnected.

When the Packet Forwarding Engine receives this information, it denies new traffic that matches the UAC policies. The traffic is resumed after the connection of the uac process and UAC server is established.

PR946655

• In Junos OS Release 12.1X46-D10 and earlier, in chassis cluster mode, when a secondary node failed, no notification was sent to report the secondary node failure.

Starting in Junos OS Release 12.1X44-D35, in chassis cluster mode, the primary node sends the SNMP generic event trap to report failures on both the primary node and the secondary node.

PR953639

• On SRX Series devices in a chassis cluster, after a power cycle of the primary node, the FPCs on both nodes might lose their connection to the new primary Routing Engine, causing the FPCs on both nodes to get stuck in the Present state.

PR961351

• On SRX3600 devices, the fabric link goes down when you execute manual failover using the request chassis cluster failover redundancy-group 0 node 0 command.

PR965077

• On high-end SRX Series devices with next-generation SPCs installed, there is no message in the logs indicating that the control-link status changes to up or down.

PR970312


Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, the DHCP server on the device gives the same IP address to two different hosts and both hosts are active in the MAC binding table, causing a connectivity issue. This issue might occur if the DHCP server receives a DHCP INFORM packet from a binding client and a DHCP RELEASE packet from the same client.

PR969929

Flow-Based and Packet-Based Processing

• On all high-end SRX Series devices, if IDP, AppSecure, ALG, GTP, or SCTP with the serialization flow processing is enabled, the flowd process might crash when the next-hop change occurs.

PR883187

• On SRX Series devices configured in a chassis cluster, under certain conditions, the flowd process might crash during the cold synchronization process.

PR936014

• On all SRX Series devices, when IKE packets are received before Junos OS default applications are pushed to the Packet Forwarding Engine, the IKE sessions are established without the IKE application having been marked. As a result, a fragmented IKE packet cannot be sent to iked, because the IKE session has not used the IKE application.

PR942730

• On all high-end SRX Series devices, the flowd process might crash during the session installation.

PR956775

• On all SRX Series devices, filter-based forwarding (FBF) rules are ignored when existing sessions are rerouted.

PR962765

• On all SRX Series devices, multiple flowd core files are generated because of the address range configured in the policy.

PR963613

Interfaces and Routing

• On SRX5600 and SRX5800 devices, if either GRE or multicast is configured, certain hardware configurations generate a core file on the master Routing Engine. This issue occurs if three SPC-II or seven SPC-I cards are installed in a clustered device or seven SPC-II cards are installed in a standalone device.

PR752090

• SRX5800 devices might log the Bottom Fan Tray Unable to Synch message.

PR833047

• On all SRX Series devices, modifying a policy element that is deactivated by the policy scheduler leads to problems in searching the policy tree in memory. An incorrect policy match occurs after the policy is reactivated by the scheduler.

PR944215

• On SRX5600 and SRX5800 devices with an SRX5K-SPC-4-15-320 card (next-generation SPC) installed and active for approximately 49 days, a CPU timer rollover on the next-generation SPC card occurs. When the CPU rollover occurs, CPU scheduling of keepalives from the next-generation SPC to the Routing Engine might fail. The Routing Engine then resets all FPCs on local nodes through chassisd due to loss of keepalives.

PR980650


Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices with IDP enabled, high data plane CPU usage occurs in certain SPUs for a few seconds.

PR848485

• On SRX Series devices configured with IDP, for the AppSecure, ALG, GTP, or SCTP features that require the serialization flow processing, the memory buffer might leak, causing the flowd process to crash.

PR930728

• On all SRX Series devices, when the LACP mode is fast and IDP is configured in inline-tap mode, committing the configuration might cause LACP to flap.

PR960487

• When you upgrade the detector version, the detector kconst value becomes a default value.

PR971010

IPv6

• When you use IS-IS for forwarding only IPv6 traffic without configuring IPv4 routing, if you perform an SNMP get or walk operation on an IS-IS routing database table, the routing protocol process (rpd) might crash and restart, causing a momentary traffic drop.

The same crash might occur when IPv4 and IPv6 routing have been enabled under different IS-IS SPF topologies (using topologies ipv6-unicast).

PR753936

J-Web

• When loading a configuration in private mode, the annotated message statement is truncated to 1024 characters.

PR930834

• When you make any changes in the J-Web page and try to commit or refresh the page, the operation might time out due to two Asynchronous JavaScript and XML (AJAX) requests being sent out at the same time. The second AJAX request is sent out when the first AJAX request does not receive a response.

PR935552

• J-Web does not accept the address if the object name includes the word “any”.

PR944952

Platform and Infrastructure

• On all high-end SRX Series devices, when the management-ethernet link-down ignore command is configured under the chassis alarm hierarchy, the show chassis alarm command does not display the fxp0: Ethernet Link Down alarm message. However, the following messages might be seen in the logs:

craftd[1163]: %DAEMON-3: attempt to delete alarm not in list

alarmd[1162]: %DAEMON-4: Alarm cleared: RE color=IGNORE, class=CHASSIS, reason=Host 0 fxp0 : Ethernet Link Down

PR749954

• On all high-end SRX Series devices, if the NTP server is not a stratum 1 server, the NTP synchronization process cannot be completed. To confirm this issue is occurring, use the show ntp status command.

PR864223

• On all high-end SRX Series devices, the nsd process might hold a buffer related to the NAT proxy-arp process and not release it. This causes a memory leak on the nsd process when you commit a configuration.

PR931329


• On SRX1400 devices, if the port ge-0/0/6 is populated with an SFP-T (part number 740-013111) transceiver, the port might be set to physically down after upgrading to Junos OS Release.

PR933751

• On all high-end SRX Series devices, in certain circumstances, the high CPU consumption on the data plane and an eventual exhaustion of the internal system buffers might corrupt the forwarding table, which causes the traffic to drop partially.

PR938742

• Due to logic problems with the next-generation SPC nvram component, sometimes the central Packet Forwarding Engine processor tries to yield a thread during an interrupt-disable scenario. This operation causes the central Packet Forwarding Engine processor to hang, and the flexible PIC concentrator is marked as offline. As a result, chassisd detects the flexible PIC concentrator as being down and resets all flexible PIC concentrators, causing failover in chassis clusters.

PR940392

• On SRX1400, SRX3400, and SRX3600 devices configured in a chassis cluster with an SRX1K3K-NP-2XGE-SFPP card installed, the cold synchronization process might fail in certain SPC cards with the message No response from peer node afte.

PR941845

• On all SRX Series devices containing a large number of next-hop entries, frequent interface flapping causes the Routing Engine to allocate the next-hop index incorrectly, which leads to traffic drop.

PR943388

• On SRX5600 and SRX5800 devices, during the LICU code upgrade for the control port, the FPCx (DPC) changes to any erroneous number and needs to use the non-IOC port (SPC, existing or not) on the chassis. Refer to KB17947 for additional information.

PR953029

• When a PKI certificate is manually loaded without an absolute path given for the filename, the system defaults to the /var/tmp directory instead of the current working directory.

PR954114

• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K-SPC-4-15-320 (next-generation SPC) installed, the hardware interrupt handler checks the link up or link down status of unused internal ports on the next-generation SPC. This might cause the Control Plane Processor (CPP) of the next-generation SPC to hang, causing all the Flexible PIC Concentrators (FPCs) to reset.

PR959655

Virtual Chassis

• On SRX5600 virtual chassis, when you swap the members of a LAG, a vmcore or ksyncd core file might be generated on the backup Routing Engine.

PR711679

Virtual Private Networks (VPN)

• On all high-end SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link increases.

PR941999

• On SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices, high CPU usage occurs after installing additional SPC cards without a full cluster reboot when IPsec tunnels carrying SCTP traffic are anchored on the device.

PR945162

• SRX Series devices cannot proceed to automatic certificate reenrollment through SCEP. The certificate validity period is incorrectly calculated during the autorenewal process. Also, when the CRL is downloaded through LDAP, it can be partially received from the CA server and the pkid process goes up.

PR946619

• On all SRX Series devices, any configuration changes to the st0.x interface might delete the NHTB entries for unrelated st0 interfaces.

PR958190

Resolved Issues in Junos OS Release 12.1X44-D30 for High-End SRX Series Services Gateways

Application Layer Gateway (ALG)

• On SRX Series devices with the RPC ALG enabled, RPC data traffic might get dropped by the ALG if the RPC data traffic is permitted only by a Universal Unique Identifier (UUID) policy.

PR920465

• On SRX Series devices with the SIP ALG enabled, in some cases, the SIP ALG parser might parse SIP messages incorrectly, preventing some SIP messages (such as the 200-OK SIP message) from passing through the device.

PR932745

AppSecure

• AppID uses order to selectively report nested applications matches with different transactions on the same session. This means that only nested applications with a higher order are reported. The expected behavior is that it should report nested applications when it detects them in the transaction.

PR914567

Access and Authentication

• Login process might crash due to abnormal disconnection behaviors during login.

PR802169

• On SRX Series devices when Web authentication is enabled using SecurID authentication, the Web authentication fails if there is a change in the DNS server configuration. This issue occurs because the authd process still caches the old DNS server to send the DNS request.

PR885810

BGP

• In some cases, when you configure MSS for a BGP session using the set protocol bgp tcp-mss <value> command, the configured MSS value is ignored and the MSS calculated from the outgoing MTU interface is used.

PR717763

• Under specific time-sensitive circumstances, if BGP determines that an UPDATE is too big to be sent to a peer, and immediately attempts to send a withdraw message, the routing daemon (rpd) may crash. An example of an oversized BGP UPDATE is one where a very long AS_PATH would cause the packet to exceed the maximum BGP message size (4096 bytes). The use of a very large number of BGP Communities can also exceed the maximum BGP message size.

Please refer to JSA10609 for additional information.

PR918734


Chassis Cluster

• If one or more Packet Forwarding Engine peers are slow in consuming ifstates, the secondary Routing Engine does not send a CP ACK to the master Routing Engine within the prescribed time. As a result, the secondary Routing Engine is assumed to be having a problem, and the connection for the secondary Routing Engine peer is reset to ensure that ksyncd can clean up the ifstates on the secondary Routing Engine and resynchronize with the master Routing Engine. If the secondary CP ACK does not arrive in the prescribed time and a Packet Forwarding Engine is found to be causing the delay, that information is logged and the CP ACK timer is reset. If no peers are found to be causing the delay of the secondary CP ACK, the existing behavior of resetting the secondary Routing Engine connection is retained.

PR727344

• On all high-end SRX Series devices, after the chassis-control process is restarted (four-member setup), PPM adjacencies and transmission for LACP are not created. As a result, the Flexible PIC Concentrator (FPC) or Routing Engine does not send out LACP protocol data units (PDUs) to any member. Hence, the LAG on the peer boxes goes down permanently and the traffic is black-holed indefinitely.

PR734677

• On SRX5600 and SRX5800 devices, in a chassis cluster, when the next-generation SPCs are in use, both nodes might report errors related to the PCA chip.

PR900821

• The output of the chassisd log shows LCC: fru_is_present: out of range slot -1 for SCB.

PR926486

• On SRX Series devices configured in a chassis cluster, if heavy multicast traffic arrives at the device and the multicast route cannot be resolved successfully (which might occur when the configuration is incorrect or the traffic is denied by a security policy), it might cause high CPU usage (about 99 percent) on the backup central point.

PR929295

• On devices in a chassis cluster working as a Unified Access Control (UAC) enforcer, when RG0 failover occurs, the Packet Forwarding Engine might connect to the uac process before the uac process connects to the UAC server. In this condition, the uac process conveys to the Packet Forwarding Engine that the UAC server is disconnected.

When the Packet Forwarding Engine receives this information, it denies new traffic that matches the UAC policies. The traffic is resumed after the connection of the uac process and UAC server is established.

PR946655

Command-Line Interface (CLI)

• When you run the show system core-dump core-file-info command, the device might reboot. This is because the command uses the /tmp file and when the core files are uncompressed, the /tmp file system might be exhausted. The /tmp file in turn uses the swap device only. Memory File System (MFS) and the rest of Junos OS share the same swap space. Consuming more swap spaces might lead to out-of-memory and swap situations, which could eventually bring down the system.

PR808243

• After an upgrade, you cannot copy files between nodes in a cluster using the file copy command.

PR817228

• Certain combinations of Junos OS CLI commands and arguments have been found to be exploitable in a way that can allow root access to the operating system. This may allow any user with permissions to run these CLI commands the ability to achieve elevated privileges and gain complete control of the device.

Please refer to JSA10608 for additional information.

PR912707, PR913328, PR913449, PR913831, PR915313, PR915957, PR915961, PR921219, PR921499

• When xnm-ssl or xnm-clear-text is enabled within the [edit system services] hierarchy level of the Junos OS configuration, an unauthenticated, remote user could exploit the XNM command processor to consume excessive amounts of memory. This, in turn, could lead to system instability or other performance issues.

PR925478

Flow-Based and Packet-Based Processing

• On SRX1400 devices, egress packets might be dropped, with the packet count increasing when traffic passes through the ports of the SRX1K-SYSIO card.

PR899184

• On all high-end SRX Series devices, the memory allocated for a multicast session might not release when multicast reroute occurs, leading to a memory leak.

PR905375

• On all high-end SRX Series devices, when you delete a large number of interfaces and commit the configuration, and then add a large number of interfaces and commit the configuration again, the session scan fails. Because a session related to one of the deleted interfaces might still be active, if subsequent traffic matches the session, the traffic is dropped. This scenario occurs when you delete an interface and then add it again with the immediately add action while the remote host is still generating traffic that matches the original session. During flow checking, the session interface, having previously been deleted, is reported as invalid.

PR915422

• On SRX100H2 devices, the device reboots unexpectedly and multiple core files are generated due to a DDR2 memory timing issue between DRAM and CPU. The symptoms include flowd core files, core files from other processes (for example, snmpd, ntpd, and rtlogd), and silent reboot without core file and system freeze. These core files are related to random memory access (for example, pointer corruption in session ager ring entry), and there are no consistent circumstances that cause these core files to be generated.

PR923364

• In traffic logs for SCTP IPv6 traffic, all source and destination ports are marked as port 1.

PR928916

Forwarding and Sampling

• When the configuration archiving FTP process stalls during file transfer, it can result in the PFED process stalling as well. After the master PFED process is restarted, it results in the inability to commit certain new configuration changes. Ensuring that the configuration archiving and FTP server are correctly configured and working avoids this problem.

PR528653

General Routing

• In an SRX Series cluster, if a reth Layer 3 logical interface is disabled while the reth interface remains active, the direct route for this logical interface is not removed from the device forwarding table. All traffic destined to the disabled network is still routed to the disabled reth interface, and the traffic is lost.

PR740856


• When you execute the show route community-name command with an empty string, as in show route community-name " ", rpd might crash and a core file is generated.

PR776542

• On VLAN-tagged Ethernet frames (802.1p), you cannot modify the VDSL priority bits.

PR817939

Hardware

• When the device is rebooted, the next-generation SPC card might not boot up due to an I2C bus hang. Error messages related to “I2C” errors also appear in the log.

PR923255

Interfaces and Chassis

• When the SHDSL Mini-PIM is configured in two-wire ATM mode with the regional annex as B or G, a display mismatch of the annex is seen in one of the physical interfaces, but this issue does not affect the feature functionality.

PR874249

• In certain IPv6 configurations, the SPU sends out packets with an invalid meta header on the secondary node, which in turn triggers the hardware monitoring failure on the secondary node.

PR935874

Interfaces and Routing

• On the K2-Routing Engine (64-bit Routing Engine) when speed or link mode are statically configured on the device for the fxp0 interface, the driver for fxp0 accepts the configuration from the DCD process. The K2-Routing Engine does not propagate the setting to the hardware driver. Instead, the driver setting is forced to autonegotiate.

Thus, as the fxp0 interface is autonegotiating and the far-end device is forced to 100/full, the autonegotiation on fxp0 detects the speed but does not detect the duplex. Consequently, the duplex defaults to half-duplex.

PR704740

Intrusion Detection and Prevention (IDP)

• On XLP platforms, setting the max-sessions option in an application identification configuration does not impact the attack traffic.

PR809384

• On SRX Series devices with a large number of AppID application-system-cache entries (for example, more than 100,000 entries on the SRX3400), the flowd process might crash while listing these entries by using the show services application-identification application-system-cache command.

PR886173

IPv6

• The logical interface inet6 protocol might be stuck in the down state because of either an external loopback or detection of a duplicate inet6 address. Duplicate Address Detection (DAD) does not run after this inet6 protocol-down event.

PR834027

J-Web

• The J-Web interfaces on the J Series and SRX Series devices are not available on port 32768 or greater, despite the configuration.

PR462624


• SRX Series devices fail to downgrade Junos OS from 12.1X44 by J-Web through Upload Package of HTTP file upload.

PR918112

Network Management and Monitoring

• On SRX3400 and SRX3600 devices, the following system logs are seen in the messages file: sfchip_show_rates_pfe: Fchip Plane 0, dpc 0, pfe <1/2/3>: Invalid dpc.

These system logs do not affect the devices.

PR738199

Platform and Infrastructure

• On SRX Series devices, superfluous accounts are present in Junos OS.

PR719750

• When there are three or more of the same destination routes pointing to different interfaces, deleting and again adding one of the logical interfaces might trigger a kernel crash, due to a timing issue with route deletion. This crash is triggered in specific topologies, such as an OSPF3 next hop that is connected to a different vendor's device.

PR753849

• Processing of a neighbor advertisement can get into an infinite loop in the kernel, given a special set of events with respect to the neighbor cache entry state and the incoming neighbor advertisement.

PR756656

• When you change interface configurations, the interface is deleted from the Routing Engine kernel and added back. Applications that are asynchronously listening to kernel state changes might receive the delete and add events out of order. Some Layer 2 applications might not be able to handle these out-of-order events, and the applications might restart and resynchronize kernel states again.

PR771748

• On all high-end SRX Series devices, when fragmented jumbo frames are reassembled in the SPU (reassembly might be required by an IDP feature, an ALG feature, ESP/AH packets, and L2TP packets) and the size of the reassembled packet becomes larger than 9712 bytes, the packet is dropped inside the device, and the device reports XLR egress packet corruption issues.

PR819621

• In a DHCP-relay subscriber management environment with an output firewall filter configured on an IRB interface to discard the DHCP offer packets, while DHCP-relay subscribers log in, the Junos OS kernel tries to free an already freed memory buffer, which causes the kernel to crash and generate core files.

PR824470

• A checksum error is seen on the ICMP reply when the sequence and data fields in the request are set to zero.

PR898487

• On SRX1400 devices with a SYSIO-XGE IOC, the xe-0/0/9 interface might not come up when the cable is reconnected after upgrading to Junos OS Release 12.1X44-D30.

PR929276

• Due to logic problems with the next-generation SPC nvram component, sometimes the central Packet Forwarding Engine processor tries to yield a thread during an interrupt-disable scenario. This operation causes the central Packet Forwarding Engine processor to hang, and the flexible PIC concentrator is marked as offline. As a result, chassisd detects the flexible PIC concentrator as being down and resets all flexible PIC concentrators, causing failover in chassis clusters.

PR940392


Routing Protocols

• On broadcast networks running IS-IS, a RPD restart event on one IS-IS router could result in the loss of IS-IS routes on another router, which will remain in this state until the adjacency is cleared. This issue does not occur on IS-IS point-to-point networks.

PR734158

Screen

• On SRX Series devices with the teardrop screen enabled, teardrop attack traffic is intermittently not detected and is forwarded out of the device.

PR906811

• On SRX Series devices, security screen cannot be allocated to more than 165 zones due to a memory limitation. If security screen is enabled for more than 165 zones, only 165 zones are actually enabled and the memory is exhausted by the screen allocation. This might cause unexpected issues, such as traffic interruption.

PR913052

Security

• The glob implementation in libc allows authenticated remote users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames. This vulnerability can be exploited against a device running Junos OS with FTP services enabled to launch a high CPU utilization partial denial of service attack.

Please refer to JSA10598 for additional information.

PR558494

• If Proxy ARP is enabled on an unnumbered interface, an attacker can poison the ARP cache and create a bogus forwarding table entry for an IP address, effectively creating a denial of service for that subscriber or interface. When Proxy ARP is enabled on an unnumbered interface, the router answers any ARP message from any IP address, which could lead to exploitable information disclosure.

Please refer to JSA10595 for additional information.

PR842092

System Logs

• Memory leak is observed with periodic packet management process (ppmd), and the following log is generated:

/kernel: Process (1413,ppmd) has exceeded 85% of RLIMIT_DATA: used 115596 KB Max 131072 KB

PR747002

• The following error might appear in the log after committing address changes on an interface:

ifp_ifa_add : ftrpc failed - ifl_index 74 log Err Status:7 from ifp for ifa_cmd op:1 for ifl:74

This is a cosmetic issue and the system logs this message as an error by mistake.

PR877757

• The following message appears in the messages log file:

SPC5_PIC0 kernel: exec_elf64_imgact: Running BTLB binary without the BTLB_FLAG env set


Junos OS 12.1X44 Release Notes

This warning message was introduced by the 64-bit port. One of the conditions is always true in 64-bit mode when starting a normal non-BTLB program.

PR912397

• In an IS-IS scenario, with trace option enabled and the system log level set to debug routing options, if the router has two IS-IS neighbors with the same router ID, after you configure the same ISO system ID on these two IS-IS neighbors, RPD on the router crashes and generates core files.

PR912812

• The session ID in apptrack logs did not include the SPU ID, so the firewall log session ID and the apptrack log session ID of the same session did not match. The apptrack log now uses the same session ID as the firewall logs.

PR924941

Virtual Private Network (VPN)

• If the VPN external interface configuration changes from static IP address assignment to DHCP-based dynamic address assignment, along with any VPN configuration change in the same commit, the IPsec key management process might restart. As a workaround, make the external interface change (from static IP to DHCP-based) and the VPN configuration change in two separate commits.

PR837943

• On SRX Series devices configured with IPsec VPN, high CPU usage on the Routing Engine by the kmd process occurs when you run the show security ike pre-shared-key master-key * user-id * command.

PR895664

• On all high-end SRX Series devices configured with group VPN, the flowd process might crash when the group VPN Security Association (SA) rekeys and swaps to the new VPN tunnel.

PR925107

• On all SRX Series devices configured with IPsec VPN and with VPN monitor enabled, the VPN monitor function triggers a socket leak, which might result in critical issues such as flow SPUs becoming unresponsive.

PR940093

• Upon RG0 failover, new IPsec security associations are created in addition to the old ones.

PR941274

• On all SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link increases.

PR941999

• SRX Series devices cannot proceed to automatic certificate reenrollment through SCEP. The certificate validity period is incorrectly calculated during the autorenewal process. Also, when the CRL is downloaded through LDAP, it can be partially received from the CA server and the pkid process goes up.

PR946619


Resolved Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

Resolved Issues in Junos OS Release 12.1X44-D25 for High-End SRX Series Services Gateways

Application-Aware Quality of Service (AppQoS)

• AppQoS cannot display the right app-id name in the show class-of-service application-traffic-control statistics rate-limiter command.

PR751490

Application Layer Gateways (ALGs)

• In certain circumstances, if the OPTIONS method is used to create a call and the INVITE method is used to reuse the call, the SIP ALG applies an incorrect state. As a result, the device might drop the ACK of the 200 OK.

PR898956

• On devices enabled with the MS-RPC ALG, the flowd process might crash frequently when heavy MS RPC traffic is processed by the MS-RPC ALG.

PR907288

AppSecure

• AppID uses order to selectively report nested application matches with different transactions on the same session, which means that only nested applications with a higher order are reported. The expected behavior is that it reports nested applications whenever it detects them in the transaction.

PR914567

Authentication and Access Control

• There is no specific CLI command to display the count of sessions allowed, denied, or terminated because of UAC enforcement.

PR733995

Chassis Cluster

• On devices in a chassis cluster, during a control link failure, if the secondary node is rebooted by control link failure recovery, the rebooted node goes into the disabled state even after startup.

PR828558

• During every failover of redundancy-group 0, the /etc/ssh and /var/db/certs directories are copied from the primary node to the secondary node. However, the directories are not copied correctly, and nested directories such as /etc/ssh/ssh and /etc/ssh/ssh/ssh are created.

PR878436

• On devices in a chassis cluster, the chassisd log outputs are flooded with the following message: LCC: fru_is_present: out of range slot -1 for SCB.

PR889776


Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, the DHCPv6 server did not create any server binding.

PR799829

Flow-Based and Packet-Based Processing

• When the DNS ALG was enabled, the rewrite rules applied on the egress interface might not work for DNS messages.

PR785099

• Periodic multicast packets such as NTP do not refresh the route, and packets are dropped intermittently.

PR869291

• On SRX Series devices, during ARP floods of the data plane Packet Forwarding Engine, the CPU spikes might impact transit and host-bound traffic.

PR871704

• On devices in a chassis cluster, after data plane RG1 failover, the RTSP data packet is queued, and a duplicate RTSP data packet is processed by the device; the flowd process crashes and generates core files.

PR883397

• When TCP SYN flood protection is enabled and triggered, and the Window Scaling option is used between a TCP client and server, TCP communication is reset abnormally.

PR886204

• When an RTSP TCP segment cannot be processed because it is too small or incomplete, the RTSP ALG holds it and waits for the next segment. An RTSP endpoint does not receive an ACK for segments that are too small, so it retransmits the segment several times. Eventually, the RTSP endpoint resets the TCP connection.

PR887601

• On all high-end SRX Series devices, due to incorrect computation of central point IPv6 sessions, the output of the total central point sessions is incorrect for the show security monitoring fpc number command. This is only a display issue and does not affect actual central point sessions or the traffic passing through.

PR888890

• When flow trace options are enabled, all the traffic that flows between logical systems through the logical tunnel (lt-0/0/0) generates unexpected messages and floods the flow trace. These messages cannot be filtered and are difficult to read and use.

PR891689

• In rare cases, when an ALG is used for flow processing and an MSS (Maximum Segment Size) value higher than 32120 is used in one direction in a TCP 3-way handshake, the next packets in the opposite direction get their window size value reduced to 0. To avoid this issue, disable the ALG used for the particular application.

PR895498

• On devices in a chassis cluster, when a session is created whose incoming interface is a VPN secure tunnel interface (st interface) and whose outgoing interface is a logical tunnel interface (lt interface), this session is incorrectly marked as active on the secondary node. When this session expires on the secondary node, the sessions on both cluster nodes might get deleted and interrupt the traffic.

PR896299


Interfaces and Chassis

• When a symmetric high-speed DSL (SHDSL) Mini-PIM is configured in 2-wire mode with annex mode as Annex B/G, one of the physical interfaces did not come up.

PR882035

Interfaces and Routing

• The multicast stream is not redirected to other member links on the aggregated Ethernet interface or on the redundant Ethernet (reth) Link Aggregation Group (LAG) even when the link in use is disabled.

PR867529

Intrusion Detection and Prevention (IDP)

• After the Junos OS image is upgraded, we recommend that you download a completely updated IDP security package and then perform the installation. Subsequent incremental updates (the default) work fine. If a complete update is not performed, the device might end up adding only the new signatures downloaded in incremental order, leaving the device unprotected from a large set of signatures.

PR876764

• On SRX Series devices with IDP enabled, if an IDP exempt rule is configured, a change in the IDP rule configuration (such as a change of source/destination address, action, or signature) might cause the flowd process to crash and generate core files.

PR877865

• On all high-end SRX Series devices, maximize sessions inline-tap equal mode is not supported in Junos OS Release 12.1X44-D25. If the maximize sessions inline-tap equal mode is configured in releases earlier than Junos OS Release 12.1X44-D25, when you upgrade to Junos OS Release 12.1X44-D25, the configuration changes to maximize sessions inline-tap firewall mode.

PR889597

J-Web

• The ASN.1 buffered I/O functions in OpenSSL before 0.9.8v do not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks and cause a denial of service (memory corruption). J-Web is explicitly not affected by this vulnerability, because J-Web is a server and this is a client-side vulnerability. However, many other functions in Junos OS use these buffered I/O routines and can trigger fetches of untrusted X.509 certificates. Refer to PSN-2012-07-645 for more information.

PR770702

• All fields in the edit policy window are empty in the logical systems.

PR900975


Multiprotocol Label Switching (MPLS)

• With RSVP disabled, when an SNMP get/get-next is received for the RSVP MIB, a Path State Block (PSB) search request is enqueued. This enqueue operation returns nothing, but the memory allocated for the search request is not freed, which results in a memory leak in RPD. The memory leak can be observed with the following commands:

user@router> show task memory detail | match "rsvp psb lookup req"
------------------------
Allocator Memory Report
------------------------
Name                  Size  Alloc  DTP  Alloc   Alloc  MaxAlloc  MaxAlloc
                            Size        Blocks  Bytes  Blocks    Bytes
RSVP PSB lookup req    176    180    T     110  19800       110     19800

user@router> show system processes extensive | match rpd
 PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
1311 root        1   4    0  1529M  1479M kqread  75:25  0.44% rpd

When the memory usage of the rpd process increases to around 85 percent of the system limit, the following log can be seen:

re0: /kernel: %KER-5:Process (1859,rpd) has exceeded 85% of RLIMIT_DATA: used 1835088 KB Max 2097152 KB

PR811951

Network Address Translation (NAT)

• If an SRX Series device is configured as an IPv4-to-IPv6 translator, it uses next header as the IPv6 fragment header even for packets smaller than 1280 bytes.

PR754823

• On SRX Series devices with Protocol-Independent Multicast (PIM) enabled, certain PIM packets subject to NAT might cause the flow process (flowd) to crash.

PR842253

• On high-end SRX Series devices, sometimes the persistent NAT bindings are leaked on the central point.

PR910116

Network Management and Monitoring

• When certain MIBs are used, SNMPD might crash, resulting in a core file.

PR704097

• Under certain conditions, a duplicate SNMP index might be assigned to different interfaces by the kernel to mib2d (the Management Information Base II daemon). This might cause mib2d and other processes such as lacpd (the LACP daemon) to crash and generate core files.

PR836823

• The SNMP query or walk on ipNetToMediaPhysAddress does not match the show arp command output.

PR850051

• On SRX1400, SRX3400, and SRX3600 Series devices, under certain conditions, the em0 (tsec1) detection and recovery mechanism is not working as expected. This might cause the chassis cluster to fail (“split-brain condition”) or all FPCs to be reset on the local node.

PR877604

NOTE: Do not use security policy count, and make sure trace options are disabled. Do not use the set security log mode event command; use mode stream (the default mode) instead.


Platform and Infrastructure

• When you enable Change password every time the user logs out on the active directory, you cannot change your password.

PR740869

• Fetching ppX interface statistics leaks entries in pfestat_table, which leads to pfestat_req_add: pfestat table out of ids error logs. In this state, no interface statistics can be fetched. To recover from this issue, reload the Routing Engine.

PR751366

• When you change interface configurations, the interface is deleted from the Routing Engine kernel and added back. Applications that are asynchronously listening to kernel state changes might receive the delete and add events out of order. Some Layer 2 applications might not be able to handle these out-of-order events, and those applications might restart and resynchronize kernel state again.

PR771748

• There is a mismatch between the version displayed in the show configuration and show version commands.

PR790714

• When the byte order is reversed, policy log report shows incorrect source/destination port.

PR797927

• In a DHCP-relay subscriber management environment, with an output firewall filter configured on an Integrated Routing and Bridging (IRB) interface to discard the DHCP offer packets, while DHCP-relay subscribers log in, the Junos kernel tries to free an already freed memory buffer, which causes the kernel to crash and generate core files.

PR824470

• When Junos Space sends a query to an SRX Series device, the device sends back junos:changed-localtime instead of junos:commit-localtime.

PR839439

• The LED still indicates link up when an SFP-T is inserted and the cable is not connected.

PR865899

• The secondary control link (em1) does not come up when node1 is added to the cluster with the em1 interface using an SFP-T.

PR873253

• On devices in a chassis cluster, after control plane Redundancy Group (RG0) failover, SPUs might occasionally have more if states than the new master Routing Engine. This difference leads to a sequence number mismatch and causes cold synchronization failure, and all FPCs might reboot. After the FPCs reboot, a "split brain" situation occurs in which both nodes become primary.

PR885889

• In certain conditions, SRX100B and SRX100H devices might experience an unexpected system reboot or generate core files due to a DDR2 memory timing issue between DRAM and CPU. Generation of flowd core files and core files from other daemons (for example, snmpd, ntpd, and rtlogd) can occur, as well as silent reboot without generation of a core file. The generation of core files is related to random memory access (for example, pointer corruption in a session ager ring entry).

PR909069

• The CRL download fails for fragmented LDAP packets.

PR910947

Routing Policy and Firewall Filters

• The Routing Engine control plane showed the HTTPS timeout value as 1800 seconds as opposed to the actual value of 300 seconds.

PR858621


• If more than 10 virtual routers (routing instances) or logical systems (LSYS) are configured on a device, Domain Name System (DNS) fails to resolve addresses. A maximum of only 10 routing instances and LSYS can be configured per DNS name server.

PR896174

Screen

• On SRX Series devices with the IP spoofing screen enabled, the routing table search might fail. This occurs because the system locks the routing table, causing false positive results in IP spoofing detection.

PR901507

Security Group

• Multiple vulnerabilities are reported in earlier versions of OpenSSL in Junos OS.

PR853724

Stream Control Transmission Protocol (SCTP)

• The SCTP module drops the SCCP packet when the received SCCP pointer goes out of order.

PR901584

System Logs

• Occasionally, the following SPU message is displayed, causing the kernel system log buffer to overflow: Nexthop XXXX on ifl XXX. Ignoring.

PR726580

• SRX5600 and SRX5800 devices with an SRX5K-SPC-4-15-320 (NG-SPC) might generate one of the following system logs in the messages file:

- spu_mac_get_linkstate:spu (<fpc#>/<pic#>)-phy link <link#> failed

- spu_mac_get_linkstate: %PFE-3: (<fpc#>/<pic#>)-MAC layer link failed

In this condition, the affected SPU cannot do any flow processing until the system is rebooted.

PR914736

Unified Threat Management (UTM)

• When full file-based antivirus scanning is enabled with Kaspersky scanning, some websites are not accessible.

PR853516

• SRX Series devices try to resolve and connect to cpa.surfcpa.com and update.juniper-updates.net even if there are no licenses or configurations related to UTM.

PR856128

User Interface and Configuration

• If you use the Junos OS XML API to configure a password, the password was encrypted using an older algorithm instead of the algorithm used when configuring a password through the CLI. This older algorithm did not allow certain characters, including commas. Any characters entered after the disallowed characters were ignored.

PR744595

• On devices in a chassis cluster, when you execute the clear system commit command, it clears the commit only from the local node.

PR821957


• When a rollback operation is performed, the accounting log is generated even for items that are not changed. This is because the rollback operation uses a load update method in which everything being rolled back is overlaid over the previous configuration as set items. The evaluation of what has really changed happens at a later point, but the accounting of change-log items happens well before that. Hence, all those items are interpreted as really being set. For example:

UI_CFG_AUDIT_SET_SECRET: User 'lab' set: [system root-authentication encrypted-password]
UI_CFG_AUDIT_SET_SECRET: User 'lab' set: [system login user lab authentication encrypted-password]

PR836384

Virtual Private Network (VPN)

• On a high-scale RIP deployment, frequent flapping of tunnels might cause a small number of RIP routes to be missed. These routes are eventually recovered.

PR802078

• A file descriptor (FD) leak occurs in the network-security-trace process when configuration changes are committed under the edit security ike hierarchy. Eventually, the system reaches the maximum file limit, which results in a system-unmanageable condition.

PR893017

• In site-to-site IPsec VPN deployments using IKEv2, when tunnels are removed through a configuration change, the information is not propagated to the remote peer. Later, when the peer initiates a normal Phase 1 rekey, the kmd process crashes and core files are generated.

PR898198

Resolved Issues in Junos OS Release 12.1X44-D20 for High-End SRX Series Services Gateways

Application Identification

• On all high-end SRX Series devices, when AI handles Secure Sockets Layer (SSL) encrypted sessions with SSLFP enabled, if the client sends a large amount of data to the server in a single transaction, core files are generated. [PR859951]

Application Layer Gateway (ALG)

• The TCP proxy module used by the ALG is deficient in handling a TCP stream with large packets. [PR727649]

• On SRX3400 devices, the TCP proxy incorrectly acknowledges the SYN packet when the session is in the close wait state for the RSH ALG. The register suppression time (RST) packet creates a session with a timeout value of 1800 when the RSH ALG is enabled. [PR742317]

• If the Microsoft Remote Procedure Call (MS RPC) or Sun Microsystems Remote Procedure Call (SUN RPC) ALG is disabled when there are other open MS RPC or SUN RPC gates, the traffic that hits the previously opened gates is dropped by the ALG even after the ALG is completely disabled. This is because of an ALG behavior change introduced in Junos OS Release 11.4. [PR865851]


• The b attribute (pertaining to bandwidth) in a Session Initiation Protocol (SIP) Session Description Protocol (SDP) message is not carried forward after the SIP ALG processes the packet. [PR875211]

• If a static route is configured and exported into OSPF, and the static route has the same subnet as an OSPF interface address, then committing configuration changes (even unrelated to OSPF, such as a device's hostname) results in the removal of the static route's OSPF type-5 link-state advertisement (LSA) from the OSPF database. [PR875481]

Authentication

• On SRX Series devices configured with the user role firewall feature, if the length of the source-identity role name in the security policy is more than 64 bytes, the devices are unstable and flowd core files are generated. [PR855386]

Chassis Cluster

• On all high-end SRX Series devices operating in a chassis cluster, a configuration of a maximum of 8 queues per interface is not reflected on the interface that is part of the cluster setup. [PR389451]

• On devices in a chassis cluster with the second control link connected, when CRM is installed and the primary node is power-cycled, the primary node takes over RG-0 ownership when it is rebooted. [PR679634]

• On devices in a chassis cluster, the flowd process crashes if packets received on the chassis cluster data links are corrupted. The device drops these corrupted packets. [PR680209]

• Occasionally, during RG1 failover, the priority of node 1 is stuck at zero (0). Attempts to fail over to node 1 are unsuccessful, and the cluster bounces back to node 0 because the priority of node 1 remains zero. [PR750708]

• On devices in a chassis cluster, to save the configuration on a remote file server, you have to specify the absolute or relative path for storing the file. If the path is not specified, the save operation fails. This issue does not affect devices operating in standalone mode. [PR752363]

• On devices in a chassis cluster, massive numbers of MAC addresses are generated on the fabric link switch port. [PR833609]

• On SRX3600 devices, in certain circumstances one of the Services Processing Cards (SPCs) is stuck due to a hardware fault, and the following error message is displayed in the jsrpd log: "Jan 17 23:07:22 Index: 16 PFE Id: 16, Error_code: 0x01 - Loopback". [PR851317]

• On all high-end SRX Series devices, when aggregated redundant Ethernet (a chassis cluster redundant Ethernet interface with multiple link members per node) is used, traffic loss is observed when a link member fails. [PR858519]

• On devices in a chassis cluster, Juniper Services Redundancy Protocol (jsrpd) process log messages are displayed even though the cluster is stable with no failover events. [PR861704]


Command-Line Interface (CLI)

• On SRX3400 and SRX3600 devices in standalone mode, when the device is rebooted using the request system reboot command, some of the interfaces are up during the reboot. This results in slow traffic failover in a static routing environment. [PR732733]

• An escalation of privileges occurs when the load factory-default command fails in exclusive edit mode. When the command fails, the user is not subjected to any command or configuration restrictions. The escalation is limited to authenticated users with the privilege to edit the configuration. The privilege bypass is specific to configured CLI users with restrictions on commands such as allow-commands, deny-commands, and deny-configuration. [PR743545]

• On all high-end SRX Series devices, running the show security screen statistics logical-system all zone X command generates core files if zone X does not have screens enabled and is part of a logical system. [PR866559]

• The request chassis fabric plane offline/online command might not work as expected. [PR877776]

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, the Dynamic Host Configuration Protocol version 6 (DHCPv6) server might not create any server binding. [PR799829]

Flow and Processing

• Specially crafted kernel routes that are generated based on directly connected networks (clone routes) introduce reference count inconsistencies when the link flaps, if the clone routes are rewired to a different interface. This occurs because the longest prefix match finds another destination for the IP address of the flapped interface. When the parent reference count is reduced to zero, the kernel crashes when deleting the remaining child routes. [PR685941]

• On all high-end SRX Series devices, flowd core files are generated during the Layer 2 mode stress test. [PR704482]

• On all high-end SRX Series devices, the graceful restart mechanism might not abort even if the link to the upstream neighbor is down. This leads to a higher routing protocol convergence time because the route might not fail over to an alternate path until the graceful restart timer expires. [PR751640]

• When a large number of logs are archived to a remote site, eventd core files are generated. [PR771228]

• An illegal pointer address generates eventd core files. [PR784037]

• When a device forwards traffic, flowd core files are generated. [PR831480]

• SYN packets are dropped if TCP ports are reused within 2 seconds. [PR836554]

• When you configure a wildcard address and use it in more than seven security policies, the Services Processing Unit (SPU) crashes. [PR847632]


• In the output of the show security flow session extensive command, if the flow session references a custom application with the application-protocol ignore option configured, the application field is incorrectly set. [PR852081]

• When you commit security policy changes under certain load conditions (based on Services Processing Unit (SPU) usage and the number of active sessions) and in situations where a policy rematch must be performed (when policy rematch is configured, new policies are added, or the order is changed), increased SPU usage and partial packet drops are observed. [PR854412]

• When a TCP server sends more bytes than the receiver's window size, a TCP segment can pass the SRX Series TCP sequence check even if it exceeds the receiver's window size. This is because the current TCP sequence check does not consider the size of the TCP segment when validating against the receiver's window size. However, the SRX Series device drops the ACK in the other direction for this TCP segment. [PR855056]
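The entry above describes a window check that looks only at where a segment starts, not where it ends. As an added illustration (not Juniper code and not a description of the SRX flow implementation), the following Python models both forms of the check on a constructed receiver state: the loose check admits any segment whose first byte is inside the advertised window, while the corrected check also requires the last byte to be inside it. The receiver-state fields, the window-scale handling and the sample segments are assumptions made for the example; 32-bit sequence-number wraparound is handled so the comparison stays correct across the boundary.

```python
"""TCP sequence check against the receiver's advertised window.

Added example, not Juniper code: models the class of check the release note
entry describes. check_start_only() is the flawed form (first byte inside the
window is enough); check_whole_segment() also requires the last byte to lie
inside the window. ReceiverState is an assumed layout for the example.
"""
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def seq_diff(a: int, b: int) -> int:
    """Signed modular difference a - b on 32-bit sequence numbers."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


@dataclass
class ReceiverState:
    """Per-direction state a stateful device tracks (constructed for the example)."""
    rcv_nxt: int       # next sequence number the receiver expects
    rcv_wnd: int       # raw window field from the receiver's last ACK
    wscale: int = 0    # shift negotiated with the Window Scale option

    @property
    def window(self) -> int:
        """Effective window in bytes after applying the scale factor."""
        return self.rcv_wnd << self.wscale


def check_start_only(seg_seq: int, seg_len: int, st: ReceiverState) -> bool:
    """Flawed check: accepts when the FIRST byte is inside the window,
    regardless of how many bytes follow it (seg_len is ignored)."""
    start = seq_diff(seg_seq, st.rcv_nxt)
    return 0 <= start < st.window


def check_whole_segment(seg_seq: int, seg_len: int, st: ReceiverState) -> bool:
    """Corrected check: the segment's LAST byte must also lie inside the window.
    A retransmission overlapping already-acknowledged data is still allowed as
    long as it carries at least one byte the receiver can accept."""
    w = st.window
    start = seq_diff(seg_seq, st.rcv_nxt)
    if seg_len == 0:                  # pure ACK or window probe
        return 0 <= start < w if w > 0 else start == 0
    end = start + seg_len - 1         # offset of the last data byte
    if end < 0:                       # entirely old data, nothing new to accept
        return False
    return end < w                    # rejects segments that overrun the window


def classify(seg_seq: int, seg_len: int, st: ReceiverState) -> str:
    """Short verdict showing where the two checks disagree."""
    loose = check_start_only(seg_seq, seg_len, st)
    strict = check_whole_segment(seg_seq, seg_len, st)
    if loose and not strict:
        return "overruns-window"      # the case the release note describes
    return "accept" if strict else "drop"


if __name__ == "__main__":
    # Constructed sample: 4096-byte window, 1460-byte segment starting 3000
    # bytes into it, so its tail lands 364 bytes past the window edge.
    state = ReceiverState(rcv_nxt=1000, rcv_wnd=4096)
    print(classify(4000, 1460, state))
```

The same segment is accepted by both checks once a window scale of 2 is in effect (the effective window becomes 16384 bytes), which is why a checker must apply the negotiated scale before comparing, not the raw 16-bit field.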

• On devices enabled with SYN cookie protection, after the SYN cookie function is triggered, the SYN cookie might not send an ACK to the client to update the TCP window size after the handshake with the server. When the client sends an ACK with the PSH flag to the device as the third ACK of the TCP three-way handshake, the device might not recognize the ACK. This results in TCP connection failure. [PR859222]

• When TCP SYN flood protection is enabled and triggered, and the Window Scaling option is used between a TCP client and server, TCP communication is reset abnormally. [PR886204]

General Packet Radio Service (GPRS)

• On SRX1400 devices, the number of GPRS support node (GSN) entries is expanded from 6000 entries to 18,000 entries on each Services Processing Unit (SPU). [PR787028]

Infrastructure

• When you archive a file using the file-archive rpc option, the following error is displayed: Operation allowed only from CLI [PR831865]

• When the backup Routing Engine kernel fails, some devices send a message to the master Routing Engine to generate a core file. This causes problems. [PR854501]


Interfaces and Routing

• Configuring multicast addresses (inet6) on an interface results in the generation of RPD core (mc_ssm_add) files. [PR780751]

Intrusion Detection and Prevention (IDP)

• Occasionally, when the Services Processing Units (SPUs) are not recovered completely and the device handles messages related to Secure Sockets Layer (SSL), traffic drops and core files are generated. [PR856132]

• On all high-end SRX Series devices with the IDP application-level distributed denial-of-service (DDoS) feature enabled, if the binary analysis report function is enabled, generating IDP application-level DDoS attack logs crashes the flowd process and core files are generated. [PR865469]

• On SRX Series devices with IDP enabled, if an IDP exempt rule is configured, a change of the IDP rule configuration (such as a change of source/destination address, action, or signature) might cause the flowd process to crash and core files are generated. [PR877865]

• When the no-reset-on-policy option is set, there are two active policies in a data plane, and only one session refers to the older policy, flowd core files are generated if application identification indicates a change in application (from the default one, for example, FTP running on the Telnet port), because of the policy re-lookup. [PR880408]

• On all high-end SRX Series devices, maximize sessions inline-tap equal mode is not supported in Junos OS Release 12.1X44-D20. If the maximize sessions inline-tap equal mode is configured in releases earlier than Junos OS Release 12.1X44-D20, when you upgrade to Junos OS Release 12.1X44-D20, the configuration changes to maximize sessions inline-tap firewall mode. [PR889597]

J-Web

• On all high-end SRX Series devices, when using the CLI you might not be able to configure only an AppQoS rule set without configuring any other diff-services. However, in J-Web, you can configure at least one diff-service for a new AppQoS rule set configuration. [PR686462]

• In J-Web, if the policy name is "0", the penultimate-hop popping (PHP) function treats it as empty, and traffic log output cannot be viewed. [PR853093]

Logical Systems

• In a logical system, you cannot use snmpwalk for Simple Network Management Protocol (SNMP) polling. [PR791859]

• On SRX1400 devices, a commit of a configuration with the lt-0/0/0 interface failed. [PR845837]


Network Address Translation (NAT)

• On all high-end SRX Series devices, NAT might not function as expected because configuration changes to source NAT, destination NAT, or both are not properly pushed to the forwarding plane. [PR744344]

• On devices enabled with static NAT and configured with multiple routing instances, reverse static NAT might not work when both the ingress interface and the egress interface are in the root routing instance. [PR834145]

• On devices in a chassis cluster, NAT proxy-ndp might not work as expected after a failover because the related multicast routes are deleted. [ PR841618 ]

• On devices enabled with the Protocol Independent Multicast (PIM) protocol, the flowd process crashed and generated core files when a unicast PIM register message with encapsulated multicast data was received and NAT was involved in the session for the received PIM packet. This issue was observed on standalone high-end SRX Series devices and on devices in a chassis cluster. In the case of devices in a chassis cluster, the flowd process crashed on both node 0 and node 1. [PR842253]

System Logs

• On SRX5800 devices, when configuration messages exceed the interprocess communication (IPC) message maximum transmission unit (MTU), occasionally the following error message is displayed: ipc_msg_write: %PFE-3: IPC message type: 27, subtype: 2 exceeds MTU, mtu 3216, length 3504. [PR612757]

• In certain configurations, the following message is displayed in the logs: PFEMAN: Sent Resync request to Master. [PR802355]

Upgrade and Downgrade

• After you upgrade to Junos OS Release 11.4R2, the RTSP ALG might not open a pinhole for IXIA because "/r/n" characters are added to the packet. [PR842470]

Virtual Private Network (VPN)

• Occasionally, devices configured with policy-based IPsec VPN might not allow traffic to the protected resources. [PR718057]

• Manual (static) next-hop tunnel binding (NHTB) with DEP is not supported. [ PR725462 ]

• On a high-scale RIP deployment, frequent flapping of tunnels leads to a small number of RIP routes being missed. These routes eventually recover. [PR802078]

• When traffic is fragmented over an IPsec tunnel, the first fragment is the smallest. This is by design: the first fragment has to be copied into a separate memory buffer, and a smaller first fragment makes the copy, and therefore fragmentation, faster. [PR807216]

• On devices in a chassis cluster, some VPN system log messages are not generated. [PR837983]


Resolved Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

• Automatic enrollment of PKI certificates might not work as expected. [PR860923]

• When an IPsec tunnel is established from a routing instance, enabling the VPN session affinity feature causes VPN traffic to be dropped in the anchor Services Processing Unit (SPU). If the clear-text session is located on an SPU other than the anchor SPU, the routing instance ID is lost when the packet is forwarded from the central point to the anchor SPU during first-path processing, so the route lookup is performed in the wrong routing table (inet.0). [PR866220]

Resolved Issues in Junos OS Release 12.1X44-D15 for High-End SRX Series Services Gateways

Application Layer Gateways (ALG)

• On SRX5600 and SRX5800 devices, if a next-generation Services Processing Card (NG-SPC) is used, Application Layer Gateways (ALGs) might receive duplicate Juniper Message Passing Interface (JMPI) messages under heavy traffic. This causes the flowd process to crash and generate a core file. [PR844041: This issue has been resolved.]

NOTE: A JMPI message is an internal message used for communication between internal components of the device.

• When the user firewall was enabled for ALG traffic, the system crashed when the user firewall tried to log the session close for the ALG data (child) session. [PR845501: This issue has been resolved.]

Chassis Cluster

• On devices in a chassis cluster, the flowd process crashed if packets received on the chassis cluster data links were corrupted. The device dropped these corrupted packets. [PR680209: This issue has been resolved.]

• After multiple node failovers, the chassis cluster LEDs showed as unlit even though the cluster was stable. [PR789190: This issue has been resolved.]

• On devices in a chassis cluster, when kernel memory was exhausted because of dead ifstates, the recovery caused an outage. [PR799831: This issue has been resolved.]

• On SRX5600 devices in a chassis cluster, after the primary node was rebooted, the user firewall or application firewall connection between the new primary Routing Engine and the new primary Packet Forwarding Engine was lost, so the user firewall or application firewall configuration could not be pushed to the primary Packet Forwarding Engine. [PR816911: This issue has been resolved.]

• On devices in a chassis cluster, some VPN system log messages were not generated. [PR837983: This issue has been resolved.]

• On a device in a chassis cluster, the primary node went into db mode and generated a vmcore file when you changed the configuration of a redundant Ethernet (reth) interface in a way that deleted a logical interface of the reth. [PR850897: This issue has been resolved.]


Junos OS 12.1X44 Release Notes

Command-Line Interface (CLI)

• When you upgraded an SRX Series device to Junos OS Release 11.4, NSM showed an error that a space in the full-name parameter of the set system login user test-name full-name test name command statement was not accepted. [PR806750: This issue has been resolved.]

Flow and Processing

• When a device forwarded traffic, a flowd core file was generated. This was a generic issue not related to any specific feature. [PR831480: This issue has been resolved.]

• When you configured a security policy using a DNS name, traffic was dropped and the security policy did not function as expected. [PR841682: This issue has been resolved.]

• When the data size was smaller than 128 bytes, the certificate revocation list (CRL) failed to install using the Lightweight Directory Access Protocol (LDAP) server. [PR847868: This issue has been resolved.]

Hardware

• On devices with next-generation SPCs, boot-up was delayed because the SPC boot ROM entered an unknown state. The automatic power sequence recovered from this, but added a delay of around 5 minutes to the next-generation SPC boot-up. [PR833691: This issue has been resolved.]

Infrastructure

• On SRX3600 devices, a change bit was set for a gencfg client after the client had closed. A change bit was set on an ifstate before the client changed to the next state; the function rts_ifstate_client_close moved the client from the next location to the end of the chain and cleared all the bits. [PR786080: This issue has been resolved.]

Interfaces and Routing

• The routing protocol process (rpd) was reinitialized when you committed a configuration change. When multiple reinitializations occurred while OSPF was running on the router, the periodic refresh of OSPF router link-state advertisements (LSAs) stopped. If the LSAs were not refreshed, the router no longer participated in the OSPF routing domain. You could issue the show ospf database router advertising-router router-id extensive | match timer command to see evidence of the issue: in the error state, the output did not include the Gen timer field. [PR744280: This issue has been resolved.]

• Transmit (Tx) and receive (Rx) lockup of the tsec1 (em0) controller caused the em0 interface to go down and all field-replaceable units (FRUs) to go offline. [PR820210: This issue has been resolved.]


Intrusion Detection and Prevention (IDP)

• Occasionally, when the Services Processing Units (SPUs) had not recovered completely and the device handled Secure Sockets Layer (SSL) messages, traffic was dropped and core files were generated. [PR856132: This issue has been resolved.]

• On all high-end SRX Series devices with the IDP application-level distributed denial-of-service (DDoS) feature enabled, if the binary analysis report function was also enabled, generating IDP application-level DDoS attack logs crashed the flowd process and core files were generated. [PR865469: This issue has been resolved.]

J-Web

• In J-Web, when you tried to commit logical systems configurations, the error "You have pending changes from previous commit" was received even though configuration changes had been made. [PR812896: This issue has been resolved.]

• In J-Web, there was no support for the XLP-based card. [PR826605: This issue has been resolved.]

• In J-Web, the value was set too low in the "session expired when the idle-timeout" option. [PR830644: This issue has been resolved.]

Network Address Translation (NAT)

• NAT was not functioning as expected because configuration changes to source NAT, destination NAT, or both were not properly pushed to the forwarding plane. [PR744344: This issue has been resolved.]

• On devices in chassis cluster Z mode, a flowd core file was generated while handling mass persistent NAT traffic. [PR834821: This issue has been resolved.]

Security Policies

• During configuration and maintenance of a device, the security match policies occasionally did not synchronize between the Packet Forwarding Engine and the Routing Engine. In most cases, an error message was displayed when you attempted to commit the configuration. [PR836489: This issue has been resolved.]

Upgrade and Downgrade

• After you upgraded to Junos OS Release 11.4R2, RTSP ALG did not open a pinhole for IXIA because "/r/n" characters were added to the packet. [PR842470: This issue has been resolved.]

Virtual Private Network (VPN)

• If all the IPsec tunnels in a configuration used the predefined IKE proposal set, and no custom proposals were present in the configuration, the IPsec tunnels flapped when you committed any configuration change under the IKE or IPsec hierarchy. [PR812433: This issue has been resolved.]

• If IPsec VPN was configured, vmcore files were generated on Services Processing Units (SPUs). [PR824931: This issue has been resolved.]


• Occasionally, you could commit an incomplete configuration in which a VPN object referenced a missing st interface under the bind-interface statement. The missing interface reference was detected when the configuration was displayed with the show security ipsec vpn command, but it was still possible to commit the configuration in some cases because the commit check did not consistently detect this configuration error. [PR834238: This issue has been resolved.]

• If the loopback interface was chosen as the external interface in the IKE gateway, the interface had to be in the same zone as the outgoing interface. Otherwise, packets were dropped because they could not be routed. [PR840182: This issue has been resolved.]

• Dynamic VPN on the Windows 7 64-bit operating system did not work in some environments. [PR842607: This issue has been resolved.]

• When a certificate revocation list (CRL) file was loaded with the request security pki crl load ca-profile ca-profile filename filename command, CRL checking worked as expected until the PKI daemon (pkid) restarted. After a pkid restart, the CRL file had to be reloaded manually for CRL checking to continue working. [PR845459: This issue has been resolved.]

Resolved Issues in Junos OS Release 12.1X44-D10 for High-End SRX Series Services Gateways

Application Layer Gateways (ALGs)

• When the device was processing several thousand transit IPsec sessions through the ike-esp-nat ALG, new sessions occasionally failed. [PR671074: This issue has been resolved.]

• Abnormal SQL traffic caused the flowd process to crash when the SQL ALG was enabled. [PR737468: This issue has been resolved.]

• The flowd process crashed and generated core files when processing NAT-translated H.323 traffic using the H.323 ALG. [PR737507: This issue has been resolved.]

• The ALG module did not initialize properly because of a last-minute regression, preventing protocols such as FTP, RTSP, SIP, and RPC from working properly. This caused traffic drops and affected all ALG-related features. [PR749366: This issue has been resolved.]

• Fragmented packets with the DF (don't fragment) bit set might have been dropped by the device when processed by an ALG. This could occur when a fragmented packet had the DF bit set even though it should not have been fragmented further. [PR754504: This issue has been resolved.]

• ALG processing of traffic could result in the generation of a core file. [PR780007: This issue has been resolved.]

• SIP ALG dropped SIP acknowledgement messages when the messages used the folding format. [PR787879: This issue has been resolved.]


• When the IKE-ESP-NAT ALG was used to pass through the Cisco EZ-VPN client, the IKE handshake might not succeed because the IKE packet coming from the VPN server was dropped. [PR791549: This issue has been resolved.]

• For an SCTP association, at INIT one wing was updated with the client IP addresses, and at INIT-ACK the other wing was updated with the server IP addresses. If an abort occurred after initialization, however, only one wing of the association was filled with IP information. Because association lookup strictly matched both wings, the lookup failed and returned the message "no association". [PR822829: This issue has been resolved.]

Chassis Cluster

• On devices in a chassis cluster, some central point binding entries did not age out after a stress test. [PR611827: This issue has been resolved.]

• There was a timing error at the SYSIO interface that connects to an IOC in slot 2. [PR680832: This issue has been resolved.]

• The AI cache could not synchronize successfully during chassis cluster cold synchronization. [PR682090: This issue has been resolved.]

• After the secondary node was upgraded, rebooted, and rejoined the cluster, its node priority was restored before it completed cold synchronization. This was purely a cosmetic issue because the infrastructure actually waits until cold synchronization is completed before proceeding further. [PR693933: This issue has been resolved.]

• On devices in a chassis cluster, if an equal-cost multipath (ECMP) route had both local and remote interfaces, the local interface was favored for the next hop to avoid the performance issues involved in forwarding traffic across the fabric link. [PR718807: This issue has been resolved.]

• On devices in a chassis cluster, the system crashed while the MTU of a redundant Ethernet interface was being changed. [PR720927: This issue has been resolved.]

• On devices in a chassis cluster, when the secondary node was rebooted or shut down, there could be a transient traffic drop on the primary node. The amount of drop depended on the number of active sessions. After the route change and RTO cold synchronization were complete, traffic returned to normal; the drop window might be a few seconds. [PR734966: This issue has been resolved.]

• Distributed BFD was enabled by default, which could cause BFD flaps during a chassis cluster failover. [PR747363: This issue has been resolved.]

• On devices in a chassis cluster, the forwarding module became unresponsive when a redundant Ethernet interface was deleted while traffic was flowing through the device. Sometimes flowd generated a core file. [PR771273: This issue has been resolved.]

• LACP failed because distributed PPM was not working properly. [PR781736: This issue has been resolved.]

• A commit with DHCP option 82 configured failed: the device generated a core file and the configuration was not applied. [PR794522: This issue has been resolved.]


Command-Line Interface (CLI)

• The word management and its variants were not supported as security zone names. [PR754585: This issue has been resolved.]

• The set chassis fpc pic services-offload command did not work. [PR787526: This issue has been resolved.]

Flow and Processing

• The diagnostic script failed for the recb_i2c_rep_clk_generator functionality. [PR602621: This issue has been resolved.]

• Changes in policer, filter, or sampling configuration caused core files when multicast traffic was received. [PR613782: This issue has been resolved.]

• On SRX3400 and SRX3600 devices, CPU utilization on the FPCs was high (75 to 85 percent) when 4000 IFLs were configured on redundant Ethernet (reth) interfaces. [PR670925: This issue has been resolved.]

• The Link failure happened for DPC%d PFE%d log message displayed an incorrect FPC number. [PR683371: This issue has been resolved.]

• When the syn-cookie feature was enabled together with the syn-flood screen and a low timeout value, high-latency TCP sessions might fail to establish. The client saw unresponsive connections because the SRX Series device timed out the flow for the session and then dropped subsequent packets from the client because no session state was found. [PR692484: This issue has been resolved.]

• The content filter for the SMTP block extension did not work when the name of the attached file was in Japanese. [PR724960: This issue has been resolved.]

• High CPU use by the mgd process might result when the run show config command was issued in configuration mode. In addition, CPU use by the httpd process was high. [PR729617: This issue has been resolved.]

• The flow byte counters tracked on a per-interface basis were incorrect for IPv6 flows, and flow output byte statistics were reversed between the source and destination interfaces. [PR740911: This issue has been resolved.]

• After upgrading to Junos OS Release 12.1, if a commit was attempted after a commit confirmed, the following error message was displayed: error: problem checking file: No such file or directory. [PR741239: This issue has been resolved.]

• For loopback interface traffic processed by IDP or by ALGs that require serialized packet processing, traffic was dropped because the serialization bit was lost at the session creation stage. [PR741743: This issue has been resolved.]

• The captive portal redirect did not work with the strict synchronization checking option enabled in the firewall. [PR743466: This issue has been resolved.]

• The show security pki *-certificate command showed the time without the time zone. [PR746785: This issue has been resolved.]


• Commands after STARTTLS were encrypted and could not be understood by the SMTP parser. These commands caused the session to hang until the TCP session was closed, so packets were not forwarded. [PR750047: This issue has been resolved.]

• Inbound "to-self" SSH traffic was accepted by the device even though "ssh" was not explicitly included in the "host-inbound-traffic" configuration for the ingress interface within the security zone. [PR754392: This issue has been resolved.]
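The issue above is a case of the device accepting a management service that the zone configuration never admitted, so the useful check is to derive, from the committed configuration, which logical interfaces are supposed to accept each host-inbound service and then probe those (and only those) from the far side. The script below is an added example written for these notes; it is not Juniper code. It parses a small set-style zone configuration that is constructed here for illustration, and it applies the standard Junos rule that an interface-level host-inbound-traffic statement replaces the zone-level one for that interface, while the all keyword combined with a service marked except admits everything but that service. The SAMPLE_CONFIG text, the class and function names, and the interface names are all assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, not taken from the release notes or from any real device.
SAMPLE_CONFIG = """
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services ssh except
set security zones security-zone trust interfaces ge-0/0/2.0
"""

# Matches zone-level and interface-level system-services lines, with optional "except".
ZONE_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifl>\S+))?"
    r"(?: host-inbound-traffic system-services (?P<svc>\S+)(?P<exc> except)?)?$"
)


class HostInbound:
    """One host-inbound-traffic system-services block (zone-level or interface-level)."""

    def __init__(self):
        self.configured = False  # an interface-level block, if present, overrides the zone
        self.all = False
        self.allowed = set()
        self.excepted = set()

    def add(self, svc, excepted):
        self.configured = True
        if excepted:
            self.excepted.add(svc)
        elif svc == "all":
            self.all = True
        else:
            self.allowed.add(svc)

    def accepts(self, svc):
        # "except" wins over both an explicit entry and "all".
        if svc in self.excepted:
            return False
        return self.all or svc in self.allowed


def parse_config(text):
    """Return (zone -> HostInbound, ifl -> (zone, HostInbound)) for set-style input."""
    zones = defaultdict(HostInbound)
    ifls = {}
    for line in text.strip().splitlines():
        m = ZONE_RE.match(line.strip())
        if not m:
            continue
        zone, ifl, svc, exc = m.group("zone", "ifl", "svc", "exc")
        zone_block = zones[zone]  # create the zone even if it lists no services
        if ifl:
            ifls.setdefault(ifl, (zone, HostInbound()))
        if svc:
            target = ifls[ifl][1] if ifl else zone_block
            target.add(svc, exc is not None)
    return zones, ifls


def interfaces_accepting(text, svc):
    """Logical interfaces whose effective host-inbound configuration admits svc."""
    zones, ifls = parse_config(text)
    result = []
    for ifl, (zone, block) in ifls.items():
        effective = block if block.configured else zones[zone]
        if effective.accepts(svc):
            result.append(ifl)
    return sorted(result)


def unexpected_ssh(text, expected):
    """Interfaces that admit ssh by configuration but are not on the approved list."""
    return [i for i in interfaces_accepting(text, "ssh") if i not in set(expected)]


if __name__ == "__main__":
    print("ssh admitted on:", interfaces_accepting(SAMPLE_CONFIG, "ssh"))
    print("ping admitted on:", interfaces_accepting(SAMPLE_CONFIG, "ping"))
    print("unexpected ssh:", unexpected_ssh(SAMPLE_CONFIG, ["ge-0/0/1.0"]))
```

This only tells you what the configuration intends. Because the defect in PR754392 was exactly a divergence between configuration and behaviour, the list returned by interfaces_accepting is the input to an external probe (a TCP connect to port 22 on each interface address from the adjacent zone): any interface that answers but is absent from the list is the symptom the release note describes.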

• A timing issue in the ttymodem() internal I/O processing routine caused the Junos OS kernel to crash. The crash was triggered by simple remote access (for example, Telnet or SSH) to the device. [PR755448: This issue has been resolved.]

• When the SYN flood packets per second (pps) exceeded the screen attack-threshold, a SYN cookie was triggered by default. [PR755727: This issue has been resolved.]

• When an FPC restart was performed, some of the PICs and IFDs could not be created by chassisd because of an EBUSY error returned by the kernel. The kernel was unable to process the new requests until the previous states of the same object (a PIC or IFD in one case) had been consumed by all peers. [PR769632: This issue has been resolved.]

• SYN-PROXY held the jbuf before the SYN-ACK was received from the server. If the server was unreachable, SYN-PROXY held the jbuf until the session timed out. In addition, firewall authentication generated a core file if a GET request containing a long Uniform Resource Identifier (URI) was received. [PR769828: This issue has been resolved.]

• In certain cases, when the device was processing a large amount of traffic, performing an AppID security package update might cause the flowd process to generate a core file. [PR769832: This issue has been resolved.]

• When an RLAG was configured with active LACP and the SRX Series high-end firewall cluster was upgraded through ISSU, there was traffic and session loss. The traffic drop time depended on the number of links per node in the RLAG and on the type of active LACP used (fast or slow). [PR770653: This issue has been resolved.]

• For IKEv2 only, when the device attempted a dead peer detection (DPD) exchange while an existing exchange was in progress, a core file might have been generated. [PR771234: This issue has been resolved.]

• The routing protocol daemon (rpd) generated a core file while processing a malformed RIP message from a neighbor during adjacency establishment. [PR772601: This issue has been resolved.]

• When the httpd process restarted, the old httpd process was deleted and a new one was started. In certain circumstances, however, the old and the new httpd processes existed at the same time, causing high CPU usage. [PR772701: This issue has been resolved.]

• When the syn-flood and session limitation screen features were enabled and there were 16,000 or more source or destination IP addresses, the connections-per-second rate might drop by 50 percent. [PR773162: This issue has been resolved.]


• If an IKEv2 SA lifetime was more than 65,535 seconds, the IKE SA did not rekey. It expired and the corresponding tunnel flapped, causing a traffic outage. [PR775595: This issue has been resolved.]

• When there was heavy traffic, the FIOC interface did not respond. [PR776179: This issue has been resolved.]

• The message log was too granular, frequently reporting blower speed changes from normal to intermediate. As a result, the logs filled up, making troubleshooting difficult. [PR776254: This issue has been resolved.]

• An rpd memory leak occurred when SNMP polled BGP while BGP was not configured. [PR776637: This issue has been resolved.]

• When data path debugging was configured, fragmented traffic was dropped. [PR777381: This issue has been resolved.]

• Session creation per second was always zero in the show security monitoring fpc 0 output. [PR787343: This issue has been resolved.]

• After a Routing Engine switchover, LACP and MIB process (mib2d) core files were created. [PR790966: This issue has been resolved.]

• When LACP was configured in fast mode, interface flapping might occur if the central point CPU utilization on the SPC was very high (over 90 percent). [PR792513: This issue has been resolved.]

• If security policies were configured with a large number of applications using the same source and destination ports, policy configuration updates might not work as expected. [PR793151: This issue has been resolved.]

• Core files might be generated when Stream Control Transmission Protocol (SCTP) packets were processed. [PR793303: This issue has been resolved.]

• When an SPU booted up (at device start or after any other kind of SPU reset), the device logged messages on the Routing Engine with the wrong timestamp. [PR803286: This issue has been resolved.]

• When application QoS was configured and traffic did not match the configured AppQoS rules, a flowd core file was generated. [PR805562: This issue has been resolved.]

• The INET MTU on the secure tunnel interface did not return to the default value. [PR805883: This issue has been resolved.]

• When you committed any change under the logical system configuration, the security policy failed to resolve the DNS objects in the security address book. As a result, traffic hit other, unexpected security policies or the default deny instead, causing a traffic outage. [PR810723: This issue has been resolved.]

• TCP sessions and the processing of FIN and RST packets did not work correctly. [PR814370: This issue has been resolved.]

• If traffic was fragmented and had to be reassembled, and the reassembled data was larger than the path maximum transmission unit (PMTU) of an IPv6 multicast address (with a large packet size), the "IPv6 Too Big" message was returned to the sender and traffic was dropped. [PR818898: This issue has been resolved.]


General Packet Radio Service (GPRS)

• When GTP inspection was enabled globally, the GTP sanity check was applied and badly formatted GTP packets were dropped even if GTP inspection had not been configured on the security policy. [PR790143: This issue has been resolved.]

Hardware

• In Junos OS Release 11.2R7, CL73-AN was inadvertently enabled for ports 7, 8, and 9 on the 1-Gigabit Ethernet SYSIO card. As a result, links failed to come up on these ports. [PR787010: This issue has been resolved.]

Installation and Upgrade

• When you installed AI-Scripts (part of the Service Now product) on a device with a very large configuration (more than 100,000 lines), the cscript daemon might crash, resulting in a core file. [PR736138: This issue has been resolved.]

Interfaces and Routing

• On devices in a chassis cluster, a configuration of up to 8 queues per interface was not reflected on the interfaces that were part of the cluster setup. [PR389451: This issue has been resolved.]

• Egress queues were not supported on VLAN or IRB interfaces. [PR510568: This issue has been resolved.]

• The Track IP (ipmon) feature was not working for VLAN-tagged redundant Ethernet interfaces. [PR575754: This issue has been resolved.]

• When a defective 16-Port SFP Gigabit Ethernet IOC was inserted in the device, all other SFP cards were no longer recognized. [PR711461: This issue has been resolved.]

• ICMP redirect did not work for redundant Ethernet interfaces. [PR746374: This issue has been resolved.]

• The aggregated Ethernet interface might go down after users configured active LACP on back-to-back connected AE bundles. [PR770998: This issue has been resolved.]

• When multiple interfaces were bound to the same security zone and the first and second fragments of a packet arrived on different interfaces, the second fragment was dropped. [PR777343: This issue has been resolved.]

• Interfaces with no cable connected and configured with the loopback option did not come up. [PR788395: This issue has been resolved.]

• After a reboot, the VLAN interface was sometimes down while the member physical interface was up. [PR795363: This issue has been resolved.]


• With a large number of tunnel routes added, memory utilization could become very high. [PR797845: This issue has been resolved.]

• After upgrading to Junos OS Release 11.4R5, if OSPF was enabled on any of the st0 interfaces, an internal processing error prevented the default route from being advertised. [PR822352: This issue has been resolved.]

Intrusion Detection and Prevention (IDP)

• The application group statistics were shown as unassigned and unknown in the show services application-identification statistics application-groups command output, without the details. [PR740014: This issue has been resolved.]

• After 24 hours of an slt4 stress run with a huge number of sessions generated, IDP sessions did not increase along with flow sessions. [PR742882: This issue has been resolved.]

• The detector was not updated in the control plane when the update-attack-database-only flag was used during security package installation. [PR778816: This issue has been resolved.]

• A new filter was added to dynamic attack groups in the CLI. The two flags under filters are recommended (meaning true) and not-recommended (meaning false). Only the recommended=true flag was supported. [PR828494: This issue has been resolved.]

IPv6

• The NP hash feature did not work with IPv6 for cross virtual router (VR) traffic. [PR738812: This issue has been resolved.]

J-Web

• If multiple J-Web clients were connected to a single device, CPU utilization on the Routing Engine was high. [PR741432: This issue has been resolved.]

• The source interface for IP monitoring must be a logical interface. However, the corresponding J-Web configuration screen listed only physical interfaces, not logical interfaces. [PR754523: This issue has been resolved.]

• Users could not add custom applications that had the substring "any" in their name to a policy together with other applications. [PR755495: This issue has been resolved.]

• If a configuration error was made in the J-Web CLI editor after the user had already committed changes in the same editor, validation failed and the previously committed changes were lost in the editor. All previous changes had to be reentered in the CLI editor to avoid an incorrect commit whenever the J-Web CLI editor was used. [PR771660: This issue has been resolved.]


• On devices with more than one SPC installed, J-Web showed the flow sessions from only one SPC. Flow sessions on the other SPCs could not be displayed. [PR777520: This issue has been resolved.]

• When you logged in to J-Web, the message "J-WEB is not supported on this platforms" was displayed. [PR781659: This issue has been resolved.]

Logical Systems

• BFD sessions for routing protocols in logical systems did not work. [PR671444: This issue has been resolved.]

• Fragmentation was affected when traffic passed through a logical systems LT interface and/or a GRE interface in a routing instance. [PR738449: This issue has been resolved.]

• On devices running Junos OS Release 11.2, when a logical system feature was added, diagnostic information was written to a specific file without rotation control, causing core files to be generated. [PR721104: This issue has been resolved.]

• When two or more IDP policies were configured in the root logical system, with one policy active in the root logical system and a different policy active in a user logical system, the referenced logical system policy might not be compiled properly after a signature update. [PR749126: This issue has been resolved.]

• The flowd process (the process responsible for traffic forwarding on SRX Series devices) might crash when running in a logical system. [PR780019: This issue has been resolved.]

Network Address Translation (NAT)

• On devices in a chassis cluster, some central point binding entries did not age out after a stress test. [PR611827: This issue has been resolved.]

• IDP SSL proxy AI displayed two AI cache entries for a single SSL session when destination NAT was enabled on the device. [PR687311: This issue has been resolved.]

• Flowd core files were generated when persistent NAT binding entries were cleared. [PR697856: This issue has been resolved.]

• NAT resources (addresses and ports) were not fully utilized when a port range was specified. [PR754886: This issue has been resolved.]

• It was possible to configure a security zone name in the format a.b.c.d. However, when the same zone name was referenced in the NAT configuration, a configuration error occurred. [PR748621: This issue has been resolved.]

• A commit of static NAT rules might fail when you committed interfaces, security zones, and NAT at the same time in the root or a user logical system. In addition, a commit of static NAT rules might fail when you committed security zones and NAT at the same time. [PR756240: This issue has been resolved.]

• Sometimes cone-NAT bindings were released extremely slowly when sessions and bindings were cleared with a very large number of sessions and close to 65,536 bindings present. [PR747777: This issue has been resolved.]


• Static NAT rules were not enforced when the Ethernet switching family was used. [PR785106: This issue has been resolved.]

• Persistent NAT table entries could not be removed on the central point when the device was under heavy traffic. [PR807524, PR819603: This issue has been resolved.]

Security Policies

• With the logical systems policy count option, the statistics were displayed only some time after the show command was issued, or the counters stopped incrementing if the two redundancy groups were not on the same node after a failover. [PR782546: This issue has been resolved.]

SNMP

• The SNMP OID jnxOperatingCPU.9 (Routing Engine CPU usage) always returned 100, although Routing Engine CPU usage was not 100 percent. [PR739591: This issue has been resolved.]

• On devices in a chassis cluster, long pauses and timeouts were seen during an SNMP walk or query of the device. The delay occurred in the kernel's query of the gr-0/0/0 (GRE) interface. [PR800735: This issue has been resolved.]

• A Routing Engine failover could leave the information about already allocated SNMP interface index values out of sync, so duplicate SNMP interface index values might be allocated. As a result, the mib2d process might crash, or an SNMP interface index value of zero might be allocated to newly created interfaces. [PR806098: This issue has been resolved.]

• An SNMP query for the maximum total sessions (jnxJsSPUMonitoringMaxTotalSession) returned the maximum value, that is, the max-cp-session value. [PR838214: This issue has been resolved.]

System Logs

• When an idle session was closed because its timeout expired, the close reason shown in logs was "idle Timeout" instead of "unset" as it appeared before. [PR746572: This issue has been resolved.]

• The performance monitor message format has been changed. The previous message format caused rtlogd to generate a core file and restart automatically after 1 or 2 seconds. [PR819700: This issue has been resolved.]

• Session-close system log messages were not as expected. [PR822509: This issue has been resolved.]

Unified Threat Management (UTM)

• The SMTP parser on the devices needed to support both the "STARTTLS" and "X-ANONYMOUSTLS" cases. [PR824027: This issue has been resolved.]


• The Juniper Networks enhanced Web filtering feature fell back to its default, timeout, and connectivity fallback actions under sustained bursts of high traffic. [PR833768: This issue has been resolved.]

Virtual Private Network (VPN)

• The dynamic VPN license was not released when old dynamic VPN connections were terminated. [PR735615: This issue has been resolved.]

• An error "Failed to connect to server" was displayed when multiple clients were connected to the device through dynamic VPN and some configuration related to IKE negotiation changed on the device. [PR737787: This issue has been resolved.]

• IKE Phase 1 and Phase 2 logs erroneously reported that the renegotiation retry limit had been reached, even though the VPN was built successfully. [PR741751: This issue has been resolved.]

• In some IPsec VPN scenarios where RG1+ failover occurred consecutively within a short period (less than 5 minutes), the ESP sequence number was sometimes not synchronized to the other cluster node. As a consequence, after failover, traffic was sent inside the IPsec tunnel with an incorrect ESP sequence number. When anti-replay was enabled on the remote peer, the remote VPN blocked the traffic. [PR753683: This issue has been resolved.]

• When load override was used to load a new VPN configuration, the flow and IKE daemons might generate core files and VPN tunnels might not be established. [PR773482: This issue has been resolved.]

• The following IKE trace option messages were printed while debugging VPN tunnels:

    Aug 2 09:27:03 srx-5800-1 (FPC Slot 0, PIC Slot 1) SPC0_PIC1 kmd[213]: IKE Phase-1 Failure: (null) [spi=75ffd1a8, src_ip=<none>, dst_ip=A.A.A.A]
    Aug 2 09:27:06 srx-5800-1 (FPC Slot 0, PIC Slot 1) SPC0_PIC1 kmd[214]: IKE Phase-1 Failure: (null) [spi=75ffd1a8, src_ip=<none>, dst_ip=B.B.B.B]

The same SPI value was printed for two different peer IP addresses, which should not happen: the memory address of the SPI was printed instead of the SPI value itself. Also, because of this message, the invalid-cookie reason was not printed. [PR803294: This issue has been resolved.]

• When building a GRE over IPsec VPN tunnel, the device did not use GRE protocol 47 in the proxy-id for IKE Phase 2 negotiation. [PR806233: This issue has been resolved.]

• The tcp-proxy in flowd hung while processing TCP RST packets with data padding, which caused the mbuf pool to fill up. [PR806269: This issue has been resolved.]

Related Documentation

• New and Changed Features in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 124
• Known Behavior in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 168
• Documentation Updates for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 234

Documentation Updates for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

Errata for the Junos OS Software Documentation

This section lists outstanding issues with the software documentation.

BGP Feature Guide for Security Devices

• In "Example: Configuring Route Authentication for BGP," the following configuration steps in the CLI quick configuration and in the step-by-step procedure sections are not supported on SRX Series devices:

    set security authentication-key-chains key-chain bgp-auth tolerance 30
    set security authentication-key-chains key-chain bgp-auth key 0 secret this-is-the-secret-password
    set security authentication-key-chains key-chain bgp-auth key 0 start-time 2011-6-23.20:19:33-0700
    set security authentication-key-chains key-chain bgp-auth key 1 secret this-is-another-secret-password
    set security authentication-key-chains key-chain bgp-auth key 1 start-time 2012-6-23.20:19:33-0700

Certificates and Public Key Cryptography for Security Devices

• In "Example: Using SCEP to Automatically Renew a Local Certificate," the overview states that you can configure when the device sends the certificate renewal request as a number of days and minutes before the certificate's expiration date. This is incorrect. The trigger for the device to send a certificate renewal request is a specified percentage of the certificate's lifetime that remains before the certificate expires. For example, if the renewal request is to be sent when 10% of the certificate's lifetime remains, configure 10 for the reenrollment trigger.

Chassis Cluster for Security Devices

• In Step 5 of "Upgrading the Second Routing Engine When Using Chassis Cluster Dual Control Links on SRX5600 and SRX5800 Devices," the bytes per second value is incorrectly shown as bs = 64k. The actual value is 1 m.

• On the Overview tab, under Results of Enabling Chassis Cluster, in the topic entitled "Node Interfaces on Active SRX Series Chassis Clusters," Figure 5, Slot Numbering in an SRX Series Chassis Cluster (SRX550 Devices), needs two corrections. The labels for Slot 2 and Slot 3 should be switched with each other. The labels for Slot 11 and Slot 12 should be switched with each other.

• In the "Chassis Cluster Overview" topic, the last item in the functionality list incorrectly states that IP-over-IP tunnels are supported. IP-over-IP tunnels are not supported. The corrected information follows: Support for Generic Routing Encapsulation (GRE) tunnels used to route encapsulated IPv4/IPv6 traffic by means of an internal interface, gr-0/0/0. This interface is created by Junos OS at system boot up and is used only for processing GRE tunnels. See Junos OS Interfaces Configuration Guide for Security Devices.

Feature Support Reference for SRX Series and J Series Devices

• The "IPv6 Support" table lists IPv6 as supported only for the TFTP ALG. The correct information is that IPv6 is supported for the DNS, FTP, and TFTP ALGs.

Initial Configuration for Security Devices

• From the Device Configuration section, from the Configuration tab, the "Minimum DHCP Local Server Configuration" topic has been updated to replace the pool name and group name with more appropriate names. The text should read as follows:

Minimum DHCP Local Server Configuration

The following sample output shows the minimum configuration you must use to configure an SRX Series device as a DHCP local server. In this output, the server group is named mobileusers, and the DHCP local server is enabled on interface ge-1/0/1.0 within the group.

    [edit access]
    address-assignment {
        pool acmenetwork {
            family inet {
                network 192.168.1.0/24;
            }
        }
    }

    [edit system services]
    dhcp-local-server {
        group mobileusers {
            interface ge-1/0/1.0;
        }
    }

    [edit interfaces]
    ge-1/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }

IPsec VPNs for Security Devices

• In "Example: Configuring a Route-Based VPN with Only the Responder Behind a NAT Device," the "Configuring IPsec for the Initiator" section is missing the configuration that generates the encryption key using Perfect Forward Secrecy (PFS) Diffie-Hellman Group 2. The missing configuration is as follows:

    [edit]
    user@host# set security ipsec policy ipsec_pol perfect-forward-secrecy keys group2

• In “Example: Configuring a Policy-Based VPN,” the “Verifying the IPsec Phase 2 Status” section contains a note that the proxy ID must be manually entered to match some third-party vendors. This note is incorrect. It is not possible to manually configure a proxy ID for policy-based VPNs. The proxy ID can only be derived from the policy.


J-Web

• J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure > Security > Firewall Filters, and then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring the filters, select Assign to Interfaces to assign your configured filters to interfaces.

Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices

• In this guide, the section "Configuring Layer 2 Bridging and Transparent Mode" includes an incorrect example, "Example: Configuring Layer 2 Trunk Interfaces with Multiple Units." SRX Series devices do not support multiple units.

Junos OS CLI Reference

• In the "show security policies" topic, the "show security policies Output Fields" table includes the following incorrect information:

    Applications ALG: If an ALG is associated with the session, the name of the ALG. Otherwise, 0.

The correct information is:

    Applications ALG: If an ALG is explicitly associated with the policy, the name of the ALG is displayed. If application-protocol ignore is configured, ignore is displayed. Otherwise, 0 is displayed.

However, even if this command shows ALG: 0, ALGs might still be triggered for packets destined to well-known ports on which ALGs are listening (unless ALGs are explicitly disabled), or when application-protocol ignore is not configured for custom applications.

• In this guide, the source-threshold statement incorrectly shows a default value of 1024 per second for number in the Options section. The correct default value is 4000 per second.

• The hierarchy level [edit applications application application-name term term-name] shown for the alg (Applications) configuration statement is incorrect. The correct hierarchy level is [edit applications application application-name <term term-name>].

Junos OS Security Basics

• The topic Understanding Policy Application Timeouts Contingencies under Security Basics > Security Policy Applications for Security Devices > Policy Application Timeout contains erroneous information. It should read as follows:

When setting timeouts, be aware of the following contingencies:

If an application contains several application rule entries, all rule entries share the same timeout. You need to define the application timeout only once. For example, if you create an application with two rules, the following commands will set the timeout to 20 seconds for both rules:

    user@host# set applications application test protocol tcp destination-port 1035-1035 inactivity-timeout 20
    user@host# set applications application test term test protocol udp
    user@host# set applications application test term test source-port 1-65535
    user@host# set applications application test term test destination-port 1111-1111

If multiple custom applications are configured with custom timeouts, then each application will have its own custom application timeout. For example:

    user@host# set applications application ftp-1 protocol tcp source-port 0-65535 destination-port 2121-2121 inactivity-timeout 10
    user@host# set applications application telnet-1 protocol tcp source-port 0-65535 destination-port 2300-2348 inactivity-timeout 20

With this configuration, Junos OS applies a 10-second timeout for destination port 2121 and a 20-second timeout for destination port 2300 in an application group.

Junos OS Security Configuration Guide

• In "Example: Configuring AppTrack," of the Junos OS Security Configuration Guide for Security Devices, the set security log mode stream statement was omitted from the log configuration statements. The updated log configuration should read:

    user@host# set security log mode stream
    user@host# set security log format sd-syslog
    user@host# set security log source-address 5.0.0.254
    user@host# set security log stream app-track-logs host 5.0.0.1

• In the "Understanding SIP ALGs and NAT" topic, information in the following sections is incorrect:

Call Re-INVITE Messages

This section incorrectly states:

    When one or more media sessions are removed from a call, pinholes are closed and bindings released just as with a BYE message.

The correct information is:

    When all the media sessions or media pinholes are removed from a call, the call is removed when a BYE message is received.

Call Session Timers

This section incorrectly states:

    The SIP ALG uses the session-expires value to time out a session if a Re-INVITE or UPDATE message is not received. The ALG receives the session-expires value, if present, from the 200 OK responses to the INVITE and uses this value for signaling timeout. If the ALG receives another INVITE before the session times out, the ALG resets all timeout values to this new INVITE or to default values, and the process is repeated. As a precautionary measure, the SIP ALG uses hard timeout values to set the maximum amount of time a call can exist.

The correct information is (the session-expires value is not supported on SRX Series devices):

    As a precautionary measure, the SIP ALG uses hard timeout values to set the maximum amount of time a call can exist.

• Table: Requesting Messages with NAT Table

This table incorrectly states:

    Outbound Request (from private to public)
    Route: Replace ALG address with local address

The correct information is:

    Outbound Request (from private to public)
    Route: Replace local address with ALG address

• This guide incorrectly lists the following topics. These commands are not supported:

    • disable-call-id-hiding
    • show security alg sip transactions

Junos OS Security Interfaces

• The "Example: Configuring Multilink Frame Relay FRF.16" topic provides the following incorrect configuration information:

    Step: Set device R0 as a DCE device.
    [edit interfaces lsq-0/0/0]
    user@host# set dce

The correct configuration information is:

    Step: Set device R0 as a DCE device.
    [edit interfaces lsq-0/0/0:0]
    user@host# set dce

Junos OS Security Network Address Translation

• In Example: Configuring NAT for Multiple ISPs under Network Address Translation for Security Devices > Configuration > NAT for Multiple ISPs, the statement set routing-options rib-groups isp import-rib inet.0 was omitted from the configuration. The updated configuration should read:

    set routing-options rib-groups isp import-rib inet.0
    set routing-options rib-groups isp import-rib isp1.inet.0
    set routing-options rib-groups isp import-rib isp2.inet.0

In addition, because zone-based address books are not supported for NAT rules, you should not use the address-book statements provided in the example; use the global address book instead.

• The command show security nat source persistent-nat-table under Network Address Translation > Administration > Source NAT Operational Commands:

    • is missing the option summary—Display persistent NAT bindings summary.
    • contains incomplete sample output. The corrected sample output is as follows:

    user@host> show security nat source persistent-nat-table internal-ip 9.9.9.1 internal-port 60784
        Internal                  Reflective                Source                   Type             Left_time/  Curr_Sess_Num/  Source
      In_IP   In_Port I_Proto  Ref_IP       Ref_Port R_Proto  NAT Pool                                  Conf_time   Max_Sess_Num    NAT Rule
    9.9.9.1   60784   udp      66.66.66.68  60784    udp      dynamic-customer-source  any-remote-host  254/300     0/30            105

    user@host> show security nat source persistent-nat-table all
        Internal                  Reflective                Source                   Type             Left_time/  Curr_Sess_Num/  Source
      In_IP   In_Port I_Proto  Ref_IP       Ref_Port R_Proto  NAT Pool                                  Conf_time   Max_Sess_Num    NAT Rule
    9.9.9.1   63893   tcp      66.66.66.68  63893    tcp      dynamic-customer-source  any-remote-host  192/300     0/30            105
    9.9.9.1   64014   udp      66.66.66.68  64014    udp      dynamic-customer-source  any-remote-host  244/300     0/30            105
    9.9.9.1   60784   udp      66.66.66.68  60784    udp      dynamic-customer-source  any-remote-host  254/300     0/30            105
    9.9.9.1   57022   udp      66.66.66.68  57022    udp      dynamic-customer-source  any-remote-host  264/300     0/30            105
    9.9.9.1   53009   udp      66.66.66.68  53009    udp      dynamic-customer-source  any-remote-host  268/300     0/30            105
    9.9.9.1   49225   udp      66.66.66.68  49225    udp      dynamic-customer-source  any-remote-host  272/300     0/30            105
    9.9.9.1   52150   udp      66.66.66.68  52150    udp      dynamic-customer-source  any-remote-host  274/300     0/30            105
    9.9.9.1   59770   udp      66.66.66.68  59770    udp      dynamic-customer-source  any-remote-host  278/300     0/30            105
    9.9.9.1   61497   udp      66.66.66.68  61497    udp      dynamic-customer-source  any-remote-host  282/300     0/30            105
    9.9.9.1   56843   udp      66.66.66.68  56843    udp      dynamic-customer-source  any-remote-host  -/300       1/30            105

    user@host> show security nat source persistent-nat-table summary
    Persistent NAT Table Statistics on FPC5 PIC0:
        binding total  : 65536
        binding in use : 0
        enode total    : 524288
        enode in use   : 0
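The binding rows of this command have a fixed whitespace-separated layout, so an operator can script checks over them. The following Python is an added example, not Juniper code: it parses the row format shown above (the sample text inside the block is constructed from those rows), treats the "-" that appears in the Left_time column of a binding with an active session as "no value", and summarises the bindings by type and protocol. Column meanings are taken from the header names only; the function names are mine.

```python
"""Parser for the binding rows of 'show security nat source persistent-nat-table'.

Added example, not Juniper code.  It reads the whitespace-separated rows
printed by the command, skips prompt and header lines, and summarises the
bindings so the table can be checked from a script.
"""
import ipaddress
from collections import Counter

# Constructed sample: the 'all' listing shown in this section, copied verbatim.
SAMPLE_OUTPUT = """\
user@host> show security nat source persistent-nat-table all
    Internal      Reflective      Source      Type      Left_time/  Curr_Sess_Num/  Source
  In_IP In_Port I_Proto Ref_IP Ref_Port R_Proto NAT Pool   Conf_time   Max_Sess_Num    NAT Rule
9.9.9.1 63893 tcp 66.66.66.68 63893 tcp dynamic-customer-source any-remote-host 192/300 0/30 105
9.9.9.1 64014 udp 66.66.66.68 64014 udp dynamic-customer-source any-remote-host 244/300 0/30 105
9.9.9.1 60784 udp 66.66.66.68 60784 udp dynamic-customer-source any-remote-host 254/300 0/30 105
9.9.9.1 57022 udp 66.66.66.68 57022 udp dynamic-customer-source any-remote-host 264/300 0/30 105
9.9.9.1 53009 udp 66.66.66.68 53009 udp dynamic-customer-source any-remote-host 268/300 0/30 105
9.9.9.1 49225 udp 66.66.66.68 49225 udp dynamic-customer-source any-remote-host 272/300 0/30 105
9.9.9.1 52150 udp 66.66.66.68 52150 udp dynamic-customer-source any-remote-host 274/300 0/30 105
9.9.9.1 59770 udp 66.66.66.68 59770 udp dynamic-customer-source any-remote-host 278/300 0/30 105
9.9.9.1 61497 udp 66.66.66.68 61497 udp dynamic-customer-source any-remote-host 282/300 0/30 105
9.9.9.1 56843 udp 66.66.66.68 56843 udp dynamic-customer-source any-remote-host -/300 1/30 105
"""


def _pair(field):
    """Split a 'value/limit' column; '-' on the left means no value is shown
    (in the sample this is the binding that currently has a session)."""
    left, right = field.split("/", 1)
    return (None if left == "-" else int(left)), int(right)


def parse_bindings(text):
    """Return one dict per binding row; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 11:          # data rows have exactly 11 columns
            continue
        try:
            in_ip = ipaddress.ip_address(parts[0])
            ref_ip = ipaddress.ip_address(parts[3])
        except ValueError:            # header row of 11 words, if any
            continue
        left_time, conf_time = _pair(parts[8])
        curr_sess, max_sess = _pair(parts[9])
        rows.append({
            "in_ip": str(in_ip), "in_port": int(parts[1]), "i_proto": parts[2],
            "ref_ip": str(ref_ip), "ref_port": int(parts[4]), "r_proto": parts[5],
            "pool": parts[6], "type": parts[7],
            "left_time": left_time, "conf_time": conf_time,
            "curr_sess": curr_sess, "max_sess": max_sess, "rule": parts[10],
        })
    return rows


def summarize(rows, expiring_below=200):
    """Counts by binding type and protocol, plus idle bindings whose
    remaining time (Left_time) is below the given threshold."""
    return {
        "total": len(rows),
        "by_type": dict(Counter(r["type"] for r in rows)),
        "by_proto": dict(Counter(r["i_proto"] for r in rows)),
        "active": sum(1 for r in rows if r["curr_sess"] > 0),
        "idle_expiring_soon": sorted(
            (r["left_time"], r["in_port"]) for r in rows
            if r["left_time"] is not None and r["left_time"] < expiring_below),
    }


if __name__ == "__main__":
    bindings = parse_bindings(SAMPLE_OUTPUT)
    print(summarize(bindings))
```

Feed the block the captured text of the `all` listing (for example, from an automation script that runs the command) instead of the constructed sample; the parser ignores the prompt and header lines, so the whole captured output can be passed in.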

Junos OS Security Policies

• The show security policies command output description is missing the definitions of the following Policy statistics fields:

    • Output packets—The total number of packets actually processed by the device.
    • Session rate—The total number of active and deleted sessions.

• The "Best Practices for Defining Policies on High-End SRX Series Devices" topic states that the SRX Series devices support up to 1024 source and destination address objects.

NOTE: The number of source and destination address objects allowed per firewall rule is 1024. The systemwide maximum allowed is 32,000 address objects.


Junos OS System Log Messages Reference

• The AV System Log Messages topic lists incorrect facilities for the system logs. On all SRX Series devices, antivirus (AV) system logs are generated with the facility LOG_USER or LOG_DAEMON. Table 19 on page 241 shows the correct facilities for the system logs.

Table 19: Antivirus System Logs

    System Log                    Incorrect Facility   Correct Facility
    AV_PATTERN_GET_FAILED         LOG_FIREWALL         LOG_DAEMON
    AV_PATTERN_KEY_EXPIRED        LOG_FIREWALL         LOG_DAEMON
    AV_PATTERN_KL_CHECK_FAILED    LOG_FIREWALL         LOG_DAEMON
    AV_PATTERN_TOO_BIG            LOG_FIREWALL         LOG_DAEMON
    AV_PATTERN_UPDATED            LOG_FIREWALL         LOG_DAEMON
    AV_SCANNER_READY              LOG_FIREWALL         LOG_DAEMON
    AV_PATTERN_WRITE_FS_FAILED    LOG_FIREWALL         LOG_DAEMON
    AV_VIRUS_DETECTED_MT          LOG_PFE              LOG_USER

Monitoring and Troubleshooting for Security Devices

• The following note is added to Monitoring and Troubleshooting for Security Devices, the Configuration tab, in the Encrypting Configuration Files topic:

NOTE: The request system set-encryption-key command is not supported on high-end SRX series devices. Hence, this task does not apply to such devices.

Multicast Feature Guide for Security Devices

• The "Configuring MSDP in a Routing Instance" topic incorrectly states the following: "Multicast Source Discovery Protocol (MSDP) is supported on SRX Series devices in any type of custom routing instance." The following statement is correct: MSDP is not supported in any type of custom routing instance.

Routing Protocols Overview for Security Devices

• The "Understanding Route Preference Values" topic lists the default route preference values for Static and Static LSPs incorrectly. The correct values are as follows:

    How Route Is Learned    Default Preference
    Static                  5
    Static LSPs             6

User Role Firewall

• In Example: Configuring a User Role Firewall on an SRX Series Device and Acquiring User Role Information from an Active Directory Authentication Server, the redirect-url option in step 2 of the redirection procedure is incorrect. The URL and variables should be enclosed in quotation marks:

    [edit]
    user@host# set services unified-access-control captive-portal acs-device redirect-url "https://%ic-url%/?target=%dest-url%&enforcer=%enforcer-id%"

VPN for Security Devices

• In "Example: Configuring a Route-Based VPN," the show security zones output for the SRX Series device erroneously shows host-inbound-traffic configured for the vpn-chicago zone; this configuration is not included in the CLI Quick Configuration and the Step-by-Step Procedure.

Various Guides

• Some Junos OS user, reference, and configuration guides—for example the Junos Software Routing Protocols Configuration Guide, Junos OS CLI User Guide, and Junos OS System Basics Configuration Guide—mistakenly do not indicate SRX Series device support in the "Supported Platforms" list and other related support information; however, many of those documented Junos OS features are supported on SRX Series devices. For full, confirmed support information about SRX Series devices, please refer to the Junos OS Feature Support Reference for SRX Series and J Series Devices.

Related Documentation

• New and Changed Features in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 124
• Known Behavior in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 168
• Known Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 184
• Resolved Issues in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 186

Migration, Upgrade and Downgrade Instructions for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

This section includes the following topics:

• Upgrading and Downgrading among Junos OS Releases on page 243
• Upgrading an AppSecure Device on page 245
• Upgrade and Downgrade Scripts for Address Book Configuration on page 245
• Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 248
• Hardware Requirements for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 248

Upgrading and Downgrading among Junos OS Releases

All Junos OS releases are listed in sequence on the JUNOS Software Dates & Milestones webpage: http://www.juniper.net/support/eol/junos.html

To help in understanding the examples that are presented in this section, a portion of that table is replicated here. See Table 9 on page 117. Note that releases footnoted with a 1 are Extended End-of-Life (EEOL) releases.

Table 20: Junos Software Dates & Milestones

    Product               FRS Date
    Junos 12.1X44 (1, 2)  01/18/2013
    Junos 12.1            03/28/2012
    Junos 11.4 (1)        12/21/2011
    Junos 11.3            08/15/2011
    Junos 11.2            08/03/2011
    Junos 11.1            03/29/2011
    Junos 10.4 (1)        12/08/2010
    Junos 10.3            08/15/2010
    Junos 10.2            05/28/2010
    Junos 10.1            02/15/2010
    Junos 10.0 (1)        11/04/2009
    Junos 9.6             08/06/2009
    Junos 9.5             04/14/2009
    Junos 9.4             02/11/2009
    Junos 9.3 (1)         11/14/2008
    Junos 9.2             08/12/2008
    Junos 9.1             04/28/2008
    Junos 9.0             02/15/2008
    Junos 8.5 (1)

(1) Extended End-of-Life (EEOL) release.

You can directly upgrade or downgrade between any two Junos OS releases that are within three releases of each other.

Example: Direct release upgrade

    Release 10.3 → Release 11.2 (bypassing Releases 10.4 and 11.1)

To upgrade or downgrade between Junos OS releases that are more than three releases apart, you can upgrade or downgrade first to an intermediate release that is within three releases of the desired release, and then upgrade or downgrade from that release to the desired release.

Example: Multistep release downgrade

    Release 11.3 → Release 10.4 (bypassing Releases 11.2 and 11.1) → Release 10.3

Juniper Networks has also provided an even more efficient method of upgrading and downgrading using the Junos OS EEOL releases. EEOL releases generally occur once a calendar year and can be more than three releases apart. For a list of EEOL releases, go to http://www.juniper.net/support/eol/junos.html

You can directly upgrade or downgrade between any two Junos OS EEOL releases that are within three EEOL releases of each other.

Example: Direct EEOL release upgrade

    Release 9.3 (EEOL) → Release 11.4 (EEOL) (bypassing Releases 10.0 [EEOL] and 10.4 [EEOL])

To upgrade or downgrade between Junos OS EEOL releases that are more than three EEOL releases apart, you can upgrade first to an intermediate EEOL release that is within three EEOL releases of the desired EEOL release, and then upgrade from that EEOL release to the desired EEOL release.

Example: Multistep release upgrade using intermediate EEOL release

    Release 8.5 (EEOL) → Release 10.4 (EEOL) (bypassing Releases 9.3 [EEOL] and 10.0 [EEOL]) → Release 11.4 (EEOL)

You can even use a Junos OS EEOL release as an intermediate upgrade or downgrade step if your desired release is several releases later than your current release.

Example: Multistep release upgrade using intermediate EEOL release

    Release 9.6 → Release 10.0 (EEOL) → Release 10.2

For additional information about how to upgrade and downgrade, see the Junos OS Installation and Upgrade Guide.

Upgrading an AppSecure Device

Use the no-validate option for AppSecure Devices.

For devices implementing AppSecure services, use the no-validate option when upgrading from Junos OS Release 11.2 or earlier to Junos OS 11.4R1 or later. The application signature package used with AppSecure services in previous releases has been moved from the configuration file to a signature database. This change in location can trigger an error during the validation step and interrupt the Junos OS upgrade. The no-validate option bypasses this step.

Upgrade and Downgrade Scripts for Address Book Configuration

Beginning with Junos OS Release 11.4, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).

You can either define all address books under the [security] hierarchy in a zone-attached configuration format or under the [security zones] hierarchy in a zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both configuration formats on one system.

Juniper Networks provides Junos operation scripts that allow you to work in either of the address book configuration formats (see Figure 12 on page 247).

• About Upgrade and Downgrade Scripts on page 245
• Running Upgrade and Downgrade Scripts on page 247

About Upgrade and Downgrade Scripts

After downloading Junos OS Release 12.1, you have the following options for configuring the address book feature:

• Use the default address book configuration—You can configure address books using the zone-defined configuration format, which is available by default. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.


• Use the upgrade script—You can run the upgrade script available on the Juniper Networks support site to configure address books using the new zone-attached configuration format. When upgrading, the system uses the zone names to create address books. For example, addresses in the trust zone are created in an address book named trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules remain unaffected.

After upgrading to the zone-attached address book configuration:

    • You cannot configure address books using the zone-defined address book configuration format; the CLI displays an error and fails to commit.
    • You cannot configure address books using the J-Web interface.

For information on how to configure zone-attached address books, see the Junos OS Release 11.4 documentation.

• Use the downgrade script—After upgrading to the zone-attached configuration, if you want to revert to the zone-defined configuration, use the downgrade script available on the Juniper Networks support site. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.

NOTE: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.


Figure 12: Upgrade and Downgrade Scripts for Address Books

    Download Junos OS Release 11.2 or later (zone-defined address book)
        → Run the upgrade script.
        → zone-attached address book configuration:
            - Global address book is available by default.
            - Address book is defined under the security hierarchy.
            - Zones need to be attached to address books.
        → Run the downgrade script to return to the zone-defined address book.
          Note: Make sure to revert any configuration that uses addresses from the global address book.

Running Upgrade and Downgrade Scripts

The following restrictions apply to the address book upgrade and downgrade scripts:

• The scripts cannot run unless the configuration on your system has been committed. Thus, if the zone-defined address book and zone-attached address book configurations are present on your system at the same time, the scripts will not run.

• The scripts cannot run when the global address book exists on your system.

• If you upgrade your device to Junos OS Release 11.4 or later and configure logical systems, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert the existing zone-defined configuration to the zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.

NOTE: You cannot run the downgrade script on logical systems.

For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.


Upgrade Policy for Junos OS Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life

(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example,

Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos

OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4.

However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind. For example, you cannot directly upgrade from Junos OS

Release 10.3 (a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from

Junos OS Release 11.4 to Junos OS Release 10.3.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html .
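The rules above can be checked mechanically before a maintenance window, which matters when the reason for the upgrade is a security fix and every intermediate image has to be staged and verified. The following planner is an added example, not part of these release notes or of any Juniper tool. It assumes the release ordering 10.0, 10.1, 10.2, 10.3, 10.4, 11.1, 11.2, 11.3, 11.4 (only 10.0, 10.4, and 11.4 are the EEOL releases the text names; the intermediate releases are included as assumed points on the sequence), and it reads "more than three releases" as a difference of more than three positions in that list. It only ever hops in the direction of the target, so it reproduces the policy's own advice of going through the next EEOL release rather than finding an unhelpful detour.

```python
"""Plan a Junos OS upgrade/downgrade path under the EEOL policy.

Added example; the release list and the hop rules below are assumptions
made for illustration, not a Juniper tool or an official support matrix.
"""
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed release ordering (assumption): the releases named in the policy
# text, oldest first. Only 10.0, 10.4 and 11.4 are EEOL releases per the text.
RELEASES: List[str] = ["10.0", "10.1", "10.2", "10.3", "10.4",
                       "11.1", "11.2", "11.3", "11.4"]
EEOL: Set[str] = {"10.0", "10.4", "11.4"}

MAX_SPAN = 3        # a hop may span at most three releases ...
MAX_EEOL_SPAN = 2   # ... unless both ends are EEOL: up to two EEOL releases away


def direct_ok(src: str, dst: str,
              releases: List[str] = RELEASES, eeol: Set[str] = EEOL) -> bool:
    """Return True if a single upgrade or downgrade from src to dst is supported."""
    i, j = releases.index(src), releases.index(dst)
    if abs(i - j) <= MAX_SPAN:
        return True
    if src in eeol and dst in eeol:
        eeol_order = [r for r in releases if r in eeol]
        return abs(eeol_order.index(src) - eeol_order.index(dst)) <= MAX_EEOL_SPAN
    return False


def _candidates(cur_idx: int, dst_idx: int) -> range:
    """Indices strictly between the current release and the target, plus the target."""
    if cur_idx < dst_idx:
        return range(cur_idx + 1, dst_idx + 1)   # upgrading
    return range(dst_idx, cur_idx)              # downgrading


def plan_path(src: str, dst: str,
              releases: List[str] = RELEASES,
              eeol: Set[str] = EEOL) -> Optional[List[str]]:
    """Shortest sequence of releases to install, src first, dst last.

    Breadth-first search over supported hops, restricted to hops that move
    toward the target. Returns None if no supported path exists.
    """
    if src not in releases or dst not in releases:
        raise ValueError(f"unknown release: {src!r} or {dst!r}")
    if src == dst:
        return [src]
    dst_idx = releases.index(dst)
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path: List[str] = []
            node: Optional[str] = cur
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for idx in _candidates(releases.index(cur), dst_idx):
            nxt = releases[idx]
            if nxt not in prev and direct_ok(cur, nxt, releases, eeol):
                prev[nxt] = cur
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for a, b in [("10.0", "11.4"), ("10.3", "11.4"), ("11.4", "10.3"), ("10.1", "11.3")]:
        print(f"{a} -> {b}: direct={direct_ok(a, b)} path={plan_path(a, b)}")
```

The planner reproduces the examples in the text: 10.0 to 11.4 is a single supported hop because both ends are EEOL, while 10.3 to 11.4 is not direct and is planned as 10.3, then 10.4 (the next EEOL release), then 11.4. Replace `RELEASES` and `EEOL` with the current list from the EEOL page before relying on it for a real device.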

Hardware Requirements for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways

Transceiver Compatibility for SRX Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used on high-end SRX Series Services Gateways interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used.

Please contact Juniper Networks for the correct transceiver part number for your device.

Related Documentation

• New and Changed Features in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 124

• Documentation Updates for Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 234

• Changes in Behavior and Syntax in Junos OS Release 12.1X44 for High-End SRX Series Services Gateways on page 149


Junos OS Documentation and Release Notes

For a list of related Junos OS documentation, see http://www.juniper.net/techpubs/software/junos/ .

If the information in the latest release notes differs from the information in the documentation, follow the Junos OS Release Notes.

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/ .

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books .

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected] , or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include the following information with your comments:

• Document name

• Document part number

• Page number

• Software release version

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf .

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/ .

• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/ .

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html .

If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:

    user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net/pub/incoming . Then send the filename, along with software version information (the output of the show version command) and the configuration, to [email protected] . For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/ .


Revision History

16 July 2015—Revision 2, Junos OS 12.1X44-D50 – High End SRX Series, Branch SRX Series, and J Series.

11 May 2015—Revision 1, Junos OS 12.1X44-D50 – High End SRX Series, Branch SRX Series, and J Series.

Copyright © 2015, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
