Release Notes: Junos OS Release 15.1X49-D20 for the SRX Series
Release 15.1X49-D20
17 March 2016
Revision 4
Copyright © 2016, Juniper Networks, Inc.

Contents

Introduction
New and Changed Features
    Hardware Features
        Security
    Software Features
        Dynamic Host Configuration Protocol (DHCP)
        Flow-Based and Packet-Based Processing
        Interfaces and Chassis
        IPv6
        Layer 2 Features
        VPNs
        vSRX (formerly Firefly Perimeter)
Changes in Behavior and Syntax
    Application Identification and Tracking
    Chassis Cluster
    Intrusion Detection and Prevention (IDP)
    Layer 2 Features
    Network Time Protocol
    Screen
    System Management
    User Interface and Configuration
Known Behavior
    Application Identification and Tracking
    Attack Detection and Prevention (ADP)
    CLI
    Layer 2 Features
    Network Address Translation (NAT)
    Software Installation and Upgrade
    VPN
Known Issues
    Flow-Based and Packet-Based Processing
    Hardware
    Platform and Infrastructure
    Routing Policy and Firewall Filters
    VPNs
Resolved Issues
    Resolved Issues: Release 15.1X49-D20
        Application Identification and Tracking
        Application Layer Gateways (ALGs)
        Authentication and Access Control
        Chassis Cluster
        Flow-Based and Packet-Based Processing
        Intrusion Detection and Prevention (IDP)
        J-Web
        Logical Systems
        Network Address Translation (NAT)
        Platform and Infrastructure
        Routing Policy and Firewall Filters
        Security
        System Logging
        VPNs
    Resolved Issues: Release 15.1X49-D10
        Application Layer Gateways (ALGs)
        Chassis Cluster
        Class of Service (CoS)
        General Packet Radio Service (GPRS)
        Flow-Based and Packet-Based Processing
        Network Address Translation (NAT)
        Unified Threat Management (UTM)
Documentation Updates
    Layer 2 Bridging and Transparent Mode for Security Devices
Migration, Upgrade, and Downgrade Instructions
    Upgrade for Layer 2 Configuration
    Upgrading an AppSecure Device
    Upgrade and Downgrade Scripts for Address Book Configuration
        About Upgrade and Downgrade Scripts
        Running Upgrade and Downgrade Scripts
    Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases
Product Compatibility
    Hardware Compatibility
    Transceiver Compatibility for SRX Series Devices
Finding More Information
Documentation Feedback
Requesting Technical Support
    Self-Help Online Tools and Resources
    Opening a Case with JTAC
Revision History

Introduction

Junos OS runs on the following Juniper Networks hardware: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric, QFX Series, SRX Series, and T Series.

These release notes accompany Junos OS Release 15.1X49 for the SRX Series. They describe new and changed features, known behavior, and known and resolved problems in the hardware and software. You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/techpubs/software/junos/.

NOTE: Junos OS Release 15.1X49 now supports vSRX and SRX5400, SRX5600, and SRX5800 devices with host subsystems composed of either an SRX5K-RE-1800X4 (RE2) with an SRX5K-SCBE (SCB2), or an SRX5K-RE-1800X4 (RE2) with an SRX5K-SCB3 (SCB3). Use the Junos OS Release 15.1X49 Release Notes and all the documentation for vSRX and for SRX5000 line devices with these specific host subsystem configurations (RE2 with SCB2 or RE2 with SCB3).

Junos OS Release 15.1X49 does not support SRX5400, SRX5600, or SRX5800 devices with the following cards:
• SRX5K-40GE-SFP I/O Card (IOC)
• SRX5K-4XGE-XFP IOC
• SRX5K-FPC-IOC Flex I/O card (Flex IOC)
• SRX5K-RE-13-20 Routing Engine (RE1)
• SRX5K-SCB Switch Control Board (SCB)
• SRX5K-SPC-2-10-40 Services Processing Card (SPC)

Junos OS Release 15.1X49 does not support branch SRX Series devices or SRX1400, SRX3400, or SRX3600 devices.
If you have any questions concerning this notification, please contact the Juniper Networks Technical Assistance Center (JTAC).

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 15.1X49-D10 for the SRX Series and in vSRX Release 15.1X49-D15. For descriptions and details of new features and enhancements to existing features in Junos OS Release 15.1X49 for vSRX, see the vSRX Release Notes.

Hardware Features

Security

• Enhanced support for Switch Control Board and Modular Port Concentrators—Starting with Junos OS Release 15.1X49-D10, the SRX5400, SRX5600, and SRX5800 Services Gateways support the third-generation Switch Control Board SRX5K-SCB3 (SCB3) and the Modular Port Concentrator (IOC3): SRX5K-MPC3-40G10G and SRX5K-MPC3-100G10G. These cards provide carrier-grade network performance and chassis cluster features, and greater throughput, interface density, Application Layer performance, and scalability. The SCB3 provides higher-capacity traffic support, greater link speeds and fabric capacity, and improved services. The IOC3s enable faster processing and provide line rates of up to 240 Gbps per slot. [See Switch Control Board SRX5K-SCB3, SRX5K-MPC3-40G10G, and SRX5K-MPC3-100G10G.]

Software Features

Dynamic Host Configuration Protocol (DHCP)

• DHCP Relay on VRF Support (vSRX)—Starting with vSRX Release 15.1X49-D15, DHCP relay is supported in routing instances of type VPN routing and forwarding (VRF). VRF is used for Layer 3 VPN implementations. A VRF routing instance has its own VPN routing table and a corresponding VPN forwarding table; hence, each interface maps to exactly one VRF instance. [See Administration Guide for Security Devices.]
• DHCP Relay support for IPv6 (vSRX)—Starting with vSRX Release 15.1X49-D15, vSRX supports DHCP relay for IPv6. The DHCP relay agent forwards incoming requests from BOOTP and DHCP clients to a specified BOOTP or DHCP server. Client requests can pass through virtual private network (VPN) tunnels. You cannot configure a single device interface to operate as both a DHCP client and a DHCP relay. [See Administration Guide for Security Devices.]

Flow-Based and Packet-Based Processing

• Express Path (formerly known as services offloading) on the SRX5000 line IOC3—Starting with Junos OS Release 15.1X49-D10, the SRX5K-MPC3-100G10G (IOC3) and the SRX5K-MPC3-40G10G (IOC3) support Express Path. Express Path processes fast-path packets in the Trio chipset on the IOC instead of on the SPU. This removes the latency incurred when packets are forwarded from the network processors to the SPUs for processing and back to the IOCs for transmission. For the lowest latency, both the ingress port and the egress port of a traffic flow must be on the same XM chip of the IOC3.

NOTE: XL chip flow table lookup occurs only at ingress. Egress datapath packet handling is the same as in the previous release.

NOTE: The services offloading feature was renamed Express Path starting in Junos OS Release 12.3X48-D10. Currently, the documents still use the term services offloading.

[See Express Path Overview, Enabling and Disabling Express Path, services-offload, np-cache (Flexible PIC Concentrator), and Example: Configuring SRX5K-MPC3-100G10G (IOC3) and SRX5K-MPC3-40G10G (IOC3) on an SRX5000 Line Device to Support Express Path.]

• Fragmentation packet ordering using session cache—Starting with Junos OS Release 15.1X49-D10, the IOCs (SRX5K-MPC [IOC2], SRX5K-MPC3-100G10G [IOC3], and SRX5K-MPC3-40G10G [IOC3]) on SRX5400, SRX5600, and SRX5800 devices support fragmentation packet ordering using the session cache. A session can consist of both normal and fragmented packets. With hash-based distribution, the 5-tuple key (normal packets) and the 3-tuple key (fragments) can send packets of the same session to different SPUs, and because of the differing latency on those paths, packet ordering at the SPU is not guaranteed. The session cache on the IOCs restores fragmentation ordering: a session cache entry is allocated for the normal packets of the session, and the 5-tuple key is used to find the entry for the first fragment. When the first fragmented packet is received, the IOC updates the session cache entry and forwards all subsequent packets of the session to the same SPU, which keeps the fragments in order. To enable the session cache on the IOC, run the set chassis fpc slot-number np-cache command. [See Understanding Session Cache and Express Path Overview.]

• Hash-based forwarding on the SRX5K-MPC3-40G10G (IOC3) and SRX5K-MPC3-100G10G (IOC3)—Starting with Junos OS Release 15.1X49-D10, hash-based datapath packet forwarding is supported on the IOC3 to interconnect with all existing IOC and SPC cards for SRX5400, SRX5600, and SRX5800 devices. By default, the IOC3 XL chip uses a hash-based method to distribute ingress traffic across a pool of SPUs. The hash keys selected depend on the application protocol. On a high-end SRX Series device, a packet goes through a series of events involving different components from ingress to egress processing. With the datapath packet forwarding feature, you can obtain quick delivery of I/O traffic over the SRX5000 line of devices. [See Understanding Load Distribution in High-End SRX Series Devices, hash-based, show security flow statistics, and show security flow status.]
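The following configuration is an added example written for these notes; it is not taken from the release notes or from Juniper's own documentation. It walks through enabling the IOC session cache that the Express Path, fragmentation-ordering and session-cache features above depend on, together with the IPsec session affinity described in the VPNs section further down, on an SRX5000 line device. The FPC slot numbers (2 and 3), the zone names (trust, untrust), the policy name (app-fastpath) and the application (junos-https) are assumptions for illustration. The services-offload policy action is taken from the existing Express Path (services offloading) documentation the notes refer to, not from the notes themselves, and is marked as such in the comments.

```junos
## Added example, not from the release notes. Assumed: IOC2/IOC3 cards in
## FPC slots 2 and 3, zones "trust" and "untrust", policy "app-fastpath".

## 1. Confirm which slots hold IOC2/IOC3 cards; np-cache is set per IOC slot.
show chassis hardware
show chassis fpc

## 2. Enable the session cache on each IOC slot. This is the statement that
##    replaces the deprecated "set chassis fpc <slot> services-offload".
configure
set chassis fpc 2 np-cache
set chassis fpc 3 np-cache

## 3. Keep the pre-encryption and post-decryption IPsec sessions on the SPU
##    that anchors the tunnel, so the IOC can redirect tunnel packets to it.
set security flow load-distribution session-affinity ipsec

## 4. Express Path is selected per security policy. The services-offload
##    action below comes from the Express Path (services offloading)
##    documentation, not from these release notes. Packets that the IOC
##    handles in the fast path are not seen by the SPU, so use it only for
##    traffic that does not rely on SPU-based Layer 7 services.
set security policies from-zone trust to-zone untrust policy app-fastpath match source-address any
set security policies from-zone trust to-zone untrust policy app-fastpath match destination-address any
set security policies from-zone trust to-zone untrust policy app-fastpath match application junos-https
set security policies from-zone trust to-zone untrust policy app-fastpath then permit services-offload
commit and-quit

## 5. Verify the load-distribution settings and watch the flow counters;
##    both commands are the ones the notes reference for this feature.
show security flow status
show security flow statistics
```

Make the np-cache change in a maintenance window and check the np-cache statement documentation for whether the IOC needs to be restarted afterwards; the notes do not say. Leaving services-offload out of policies that carry IDP, UTM or ALG-inspected traffic is the safe default, because those services run on the SPU that Express Path bypasses.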
• Session cache and selective installation of session cache—Starting with Junos OS Release 15.1X49-D10, the IOCs (SRX5K-MPC [IOC2], SRX5K-MPC3-100G10G [IOC3], and SRX5K-MPC3-40G10G [IOC3]) on SRX5400, SRX5600, and SRX5800 devices support session cache and selective installation of session cache. The session cache records a conversation between the network processor (NP) on an IOC and the SPU. A conversation can be a session, GTP-U tunnel traffic, IPsec VPN tunnel traffic, and so on, and has two session cache entries, one for incoming traffic and one for reverse traffic. The session cache table is extended to hold NP sessions as well: Express Path (formerly known as services offloading) traffic and NP traffic share the same session cache table on the IOCs, and the session cache on the IOC builds on the Express Path functionality. To optimize system resources and conserve session entries on the IOCs, priority mechanisms in both the flow module and the IOCs decide which sessions are installed in the cache. To enable the session cache on the IOC, run the set chassis fpc slot-number np-cache command. [See Understanding Session Cache, Express Path Overview, and Understanding VPN Session Affinity.]

Interfaces and Chassis

• SRX5K-MPC3-40G10G (IOC3) and SRX5K-MPC3-100G10G (IOC3)—Starting with Junos OS Release 15.1X49-D10, the SRX5K-MPC3-40G10G (IOC3) and the SRX5K-MPC3-100G10G (IOC3) are introduced for SRX5400, SRX5600, and SRX5800 devices. These IOC3s provide the SRX5000 line devices with carrier-grade chassis cluster features, scalable and upgradable interface density, and high performance. Both IOC3s support up to an aggregated 240-Gbps IMIX throughput per slot, latency of less than 10 microseconds, and higher Layer 7 (L7) performance. The two types of IOC3 MPCs, which have different built-in MICs, are the 24x10GE + 6x40GE MPC and the 2x100GE + 4x10GE MPC.

The IOC3s do not support the request chassis pic fpc-slot pic-slot CLI command for taking a PIC offline or bringing it online.

Not all four PICs on the 24x10GE + 6x40GE MPC can be powered on at once; a maximum of two PICs can be powered on at the same time. Use the set chassis fpc slot-number pic pic-number power off command to choose which PICs remain powered off, and therefore which two are powered on.

NOTE: Fabric bandwidth increasing mode is not supported on the IOC3.

WARNING: On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when the PICs containing fabric links on the SRX5K-MPC3-40G10G (IOC3) are powered off to turn on alternate PICs, always ensure that:
• The new fabric links are configured on the PICs that are turned on. At least one fabric link must be present and online to ensure minimal RTO loss.
• The chassis cluster is in active-backup mode to ensure minimal RTO loss once the alternate links are brought online.
• If no alternate fabric links are configured on the PICs that are turned on, RTO synchronous communication between the two nodes stops and the chassis cluster session state is not backed up, because the fabric link is missing. The show chassis cluster interfaces command shows the bad chassis cluster state in this scenario.

[See show chassis hardware (View) and show chassis fpc (View).]

• Switch Control Board SRX5K-SCB3 (SCB3) with enhanced midplanes—Starting with Junos OS Release 15.1X49-D10, the SRX5K-SCB3 (SCB3) with enhanced midplanes is introduced for SRX5400, SRX5600, and SRX5800 devices. The SCB3 provides the SRX5000 line devices with carrier-grade chassis cluster features, scalable and upgradable interface density, and high performance. The IOC3s support up to an aggregated 240-Gbps IMIX throughput per slot; to sustain this throughput, the SCB3 and the enhanced midplanes are required to guarantee a full-bandwidth connection. The SCB3 works only with the SRX5K-RE-1800X4 (RE2), SRX5K-MPC (IOC2), SRX5K-SPC-4-15-320 (SPC2), SRX5K-MPC3-40G10G (IOC3), and SRX5K-MPC3-100G10G (IOC3), with either the standard midplanes or the enhanced midplanes. The SCB3 does not support mixed Routing Engines and SCBs, in-service software upgrade (ISSU), in-service hardware upgrade (ISHU), or fabric bandwidth increasing mode. To request that an SRX5K-SCB3 go online or offline, use the request chassis cb (offline | online) slot slot-number CLI command. [See show chassis hardware (View), show chassis environment cb, and request chassis cb.]

IPv6

• Support for RPM probes with IPv6 sources and destinations (vSRX)—Starting with vSRX Release 15.1X49-D15, vSRX supports IPv6 for Routing Engine-based real-time performance monitoring (RE-based RPM). RPM lets you monitor network performance in real time and assess and analyze network efficiency. RPM can now send and receive IPv6 probe packets to monitor performance on IPv6 networks. To specify the destination IPv6 address used for the probes, include the target (url ipv6-url | address ipv6-address) statement at the [edit services rpm probe owner test test-name] hierarchy level. To specify the source IPv6 address of the client from which the RPM probes are sent, include the inet6-options source-address ipv6-address statement at the same hierarchy level. [See IPv6 RPM Probes, Guidelines for Configuring RPM Probes for IPv6, and Configuring IPv6 RPM Probes.]
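The following is an added example, not part of the release notes, of a complete RE-based RPM probe over IPv6 using the target and inet6-options statements described above. The owner name (netmon), the test name (dns-v6), the thresholds, and both addresses (taken from the 2001:db8::/32 documentation prefix) are assumptions; the source address must be one that is configured on a vSRX interface, and the target host must answer ICMPv6 echo requests.

```junos
## Added example, not from the release notes. Assumed: owner "netmon",
## test "dns-v6", documentation-prefix addresses, and a target that answers
## ICMPv6 echo. 2001:db8:0:10::1 must be configured on a local interface.
configure
set services rpm probe netmon test dns-v6 probe-type icmp-ping
set services rpm probe netmon test dns-v6 target address 2001:db8:1::53
set services rpm probe netmon test dns-v6 inet6-options source-address 2001:db8:0:10::1
set services rpm probe netmon test dns-v6 probe-count 5
set services rpm probe netmon test dns-v6 probe-interval 1
set services rpm probe netmon test dns-v6 test-interval 30
## Thresholds turn the probe from a report into an alert: a round trip above
## 200 ms (rtt is in microseconds) or a single lost probe raises an RPM event.
set services rpm probe netmon test dns-v6 thresholds rtt 200000
set services rpm probe netmon test dns-v6 thresholds successive-loss 1
commit and-quit

## Current and historical results for this probe.
show services rpm probe-results owner netmon test dns-v6
show services rpm history-results owner netmon test dns-v6
```

With probe-count 5 and probe-interval 1, each test sends five probes one second apart and then waits test-interval (30 seconds) before the next run, so the threshold events fire within about half a minute of a path degrading.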
• TACACS+ IPv6 Support (vSRX)—Starting with Junos OS Release 15.1X49-D15 for vSRX, vSRX and high-end SRX Series devices [SRX5400, SRX5600, and SRX5800 devices with host subsystems comprising an SRX5K-RE-1800X4 (RE2) with an SRX5K-SCBE (SCB2)] support Terminal Access Controller Access Control System Plus (TACACS+) over IPv6. TACACS+ is a protocol that lets a remote access server communicate with an authentication server to determine whether a user has access to the network. TACACS+ handles authentication, authorization, and accounting (AAA) services. [See Administration Guide for Security Devices.]

Layer 2 Features

• Enhanced Layer 2 CLI—Starting with Junos OS Release 15.1X49-D10, enhanced Layer 2 CLI configurations are supported on SRX5400, SRX5600, and SRX5800 devices. Legacy Layer 2 transparent mode (Ethernet switching) configuration statements and operational commands are not supported. Use the SRX L2 Conversion Tool to convert Layer 2 CLI configurations to enhanced Layer 2 CLI configurations. The SRX L2 Conversion Tool is available to registered customers to help them become familiar with the enhanced Layer 2 CLI and to quickly convert existing switch-based CLI configurations to transparent mode CLI configurations. The tool is available at http://www.juniper.net/support/downloads/?p=srx5400#sw . For more information, refer to the Knowledge Base article at http://kb.juniper.net . [See Enhanced Layer 2 CLI Configuration Statement and Command Changes.]

VPNs

• IPsec VPN session affinity—Starting with Junos OS Release 15.1X49-D10, the IOCs (SRX5K-MPC [IOC2], SRX5K-MPC3-100G10G [IOC3], and SRX5K-MPC3-40G10G [IOC3]) on SRX5400, SRX5600, and SRX5800 devices support IPsec session affinity for IPsec tunnel-based traffic. With the IOC, the flow module creates the sessions for IPsec tunnel-based traffic (before encryption and after decryption) on the SPU that anchors the tunnel and installs session cache entries for them, so that the IOC can redirect the packets to that same SPU and avoid the overhead of forwarding them between SPUs.

NOTE: To enable the session cache on the IOC, run the set chassis fpc slot-number np-cache command. To enable IPsec VPN session affinity, use the set security flow load-distribution session-affinity ipsec command.

[See Understanding VPN Session Affinity, Enabling VPN Session Affinity, and session-affinity.]

vSRX (formerly Firefly Perimeter)

• Enhancements to vSRX—Starting with vSRX Release 15.1X49-D15, vSRX includes a new architecture based on Linux and Junos OS for performance and flexibility, DPDK packet I/O support for higher throughput, and SR-IOV vNIC and VMXNET 3 vNIC support for greater performance and hypervisor compatibility. SCSI virtual disk support has been added to the existing IDE support. Other vSRX changes include:
• vSRX interfaces of 1 Gbps have a Class of Service (CoS) default delay buffer time of 1 second, a maximum buffer time of 32 seconds, and a maximum buffer size of 128 MB.
• On a logical vSRX interface, the sum of the guaranteed delay buffer sizes acts as a pool that can be shared among the queues that do not have a specific shaping rate.

Related Documentation
• Changes in Behavior and Syntax
• Known Behavior
• Known Issues
• Resolved Issues
• Documentation Updates
• Migration, Upgrade, and Downgrade Instructions

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 15.1X49.
Application Identification and Tracking

• On SRX Series devices, the following CLI statements are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration:
edit services ssl termination profile profile-name protocol-version ssl3
edit services ssl initiation profile profile-name protocol-version ssl3

Chassis Cluster

• When an SRX Series device is operating in chassis cluster mode and encounters any IA-chip access issue in an SPC or an I/O Card (IOC), a minor FPC alarm is raised to trigger redundancy group failover.
• Starting in Junos OS Release 15.1X49-D20, for all SRX Series devices, the reth interface supports proxy ARP.

Intrusion Detection and Prevention (IDP)

• Junos OS allows you to configure multiple IDP policies, but a device can have only one active IDP policy at a time. Starting with Junos OS Release 15.1X49-D20, configuration validation is performed only for the IDP policy that is configured as the active policy. You can install the same IDP policy on multiple devices, or you can install a unique IDP policy on each device in your network. A single policy can contain only one instance of any type of rule base.

Layer 2 Features

• Enhanced Layer 2 CLI—Starting with Junos OS Release 15.1X49-D10, enhanced Layer 2 CLI configurations are supported on SRX5400, SRX5600, and SRX5800 devices. Legacy Layer 2 transparent mode configuration statements and operational commands are not supported. If you enter legacy configurations in the CLI, the system displays an error and fails to commit the configuration. For example, the following configurations are no longer supported:
• set bridge-domain
• set interfaces ge-1/0/0 unit 0 family bridge
• set vlans vlan-1 routing-interface
Use the SRX L2 Conversion Tool to convert Layer 2 CLI configurations to enhanced Layer 2 CLI configurations. The SRX L2 Conversion Tool is available at http://www.juniper.net/support/downloads/?p=srx5400#sw . For more information, refer to the Knowledge Base article at http://kb.juniper.net . [See Enhanced Layer 2 CLI Configuration Statement and Command Changes.]

Network Time Protocol

• Starting in Junos OS Release 15.1X49-D10, on all SRX Series devices, when the NTP client or server is enabled in the [edit system ntp] hierarchy, the REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the monlist feature within the NTP client or server might allow remote attackers to cause a denial of service (a monlist response is many times larger than the request that triggers it, which is what makes an unprotected NTP service usable as a reflector). To block this traffic and log attempts, apply a firewall filter to the Routing Engine's loopback interface that accepts NTP only from trusted addresses and networks.

Screen

• In Junos OS releases earlier than Junos OS Release 15.1X49-D20, the firewall generates a log for every packet that exceeds the source-IP-based or destination-IP-based threshold and triggers the source or destination session limit. This can lead to a flood of logs if a large number of packets is received every second after the threshold has been reached. For example, if the source or destination session limit has been reached and 100 additional packets arrive in the next second, 100 log messages are sent to the system log server.
Starting in Junos OS Release 15.1X49-D20, the firewall generates only one log message per second irrespective of the number of packets that trigger the source or destination session limit. This behavior also applies to the flood protection screens: TCP SYN flood (source-based and destination-based) and UDP flood protection.
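The following is an added example written to illustrate the Network Time Protocol and Screen items above; it is not configuration from the release notes or from Juniper. It combines the loopback firewall filter that the NTP item calls for with a screen profile that uses the session-limit and flood thresholds whose logging behavior changed in 15.1X49-D20. The prefix-list, filter, term, counter and screen names, the zone (untrust), the addresses (from the 192.0.2.0/24 documentation range) and every threshold value are assumptions to be adapted to the deployment.

```junos
## Added example, not from the release notes. Assumed names: prefix-list
## TRUSTED-NTP, filter PROTECT-RE, screen profile UNTRUST-SCREEN, zone
## untrust. Addresses are from the 192.0.2.0/24 documentation range.
configure

## --- NTP: only the configured servers may exchange NTP with the Routing Engine ---
set system ntp server 192.0.2.10
set system ntp server 192.0.2.11
set policy-options prefix-list TRUSTED-NTP 192.0.2.10/32
set policy-options prefix-list TRUSTED-NTP 192.0.2.11/32

## Accept NTP (UDP/123) from the trusted servers only.
set firewall family inet filter PROTECT-RE term ntp-trusted from source-prefix-list TRUSTED-NTP
set firewall family inet filter PROTECT-RE term ntp-trusted from protocol udp
set firewall family inet filter PROTECT-RE term ntp-trusted from port ntp
set firewall family inet filter PROTECT-RE term ntp-trusted then accept

## Any other NTP is counted, logged (monlist probes then show up in
## "show firewall log") and silently discarded.
set firewall family inet filter PROTECT-RE term ntp-untrusted from protocol udp
set firewall family inet filter PROTECT-RE term ntp-untrusted from port ntp
set firewall family inet filter PROTECT-RE term ntp-untrusted then count ntp-rejected
set firewall family inet filter PROTECT-RE term ntp-untrusted then log
set firewall family inet filter PROTECT-RE term ntp-untrusted then discard

## Final accept so the filter does not cut off other management traffic; in
## production the rest of the Routing Engine protection policy goes here.
set firewall family inet filter PROTECT-RE term allow-other then accept

## Apply on lo0: host-bound traffic arriving on any interface is evaluated
## against the loopback input filter.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## NTP must also be permitted as a host-inbound service on the zone through
## which the servers are reached, otherwise flow drops it before the filter.
set security zones security-zone untrust host-inbound-traffic system-services ntp

## --- Screen: the session limits and flood thresholds whose logs are rate-limited ---
set security screen ids-option UNTRUST-SCREEN limit-session source-ip-based 200
set security screen ids-option UNTRUST-SCREEN limit-session destination-ip-based 2000
set security screen ids-option UNTRUST-SCREEN tcp syn-flood source-threshold 100
set security screen ids-option UNTRUST-SCREEN tcp syn-flood destination-threshold 1000
set security screen ids-option UNTRUST-SCREEN udp flood threshold 2000
set security zones security-zone untrust screen UNTRUST-SCREEN
commit and-quit

## Verification: rejected NTP increments the counter and appears in the
## firewall log; the screen statistics show how often each threshold fired.
show firewall filter PROTECT-RE
show firewall log
show security screen statistics zone untrust
```

From 15.1X49-D20 on, a burst of packets over any of these thresholds produces one screen log per second instead of one per packet, so the syslog collector sees the event without being flooded by it. The screen drops the excess traffic rather than using alarm-without-drop, because the Known Issues section of these notes reports that alarm-without-drop on the UDP flood screen can reorder the packets it classifies as attack traffic.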
System Management

• During a load override, to increase the memory available to the commit script, apply the following statements before the commit step:
set system scripts commit max-datasize 800000000
set system scripts op max-datasize 800000000
• On all SRX Series devices in transparent mode, packet flooding is enabled by default. If you have manually disabled packet flooding with the set security flow bridge no-packet-flooding command, multicast packets such as OSPFv3 hello packets are dropped.

User Interface and Configuration

• You can configure only one rewrite rule for one logical interface. When you configure multiple rewrite rules for one logical interface, an error message is displayed and the commit fails.

Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 15.1X49.

Application Identification and Tracking

• The application quality of service (AppQoS) feature is supported on the SRX5K-40GE-SFP I/O Card (IOC) and is not supported on the SRX5K-MPC (IOC2), SRX5K-MPC3-100G10G (IOC3), and SRX5K-MPC3-40G10G (IOC3).
• On SRX Series devices, when you change the timeout value for the application system cache entries using the set services application-identification application-system-cache-timeout command, clear the cache entries to avoid inconsistent timeout values on existing entries.

Attack Detection and Prevention (ADP)

• On all branch SRX Series devices, the fast path bad-inner-header screen is always performed first, followed by the first path signature screen.
• On all high-end SRX Series devices, the first path signature screen is performed first, followed by the fast path bad-inner-header screen.
• On all SRX Series devices, when a packet allow or drop session is established, the bad-inner-header screen is performed on every packet, because this screen is a fast path screen.

CLI

• On SRX5000 line devices, the following CLI statement is deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration:
set chassis fpc slot-number services-offload
The following new CLI statement replaces the deprecated statement:
set chassis fpc slot-number np-cache

Layer 2 Features

• On all branch SRX Series devices, configuring the Layer 2 Ethernet switching family in transparent mode for an interface is not supported.
• Layer 2 Bridging and Transparent Mode—On all SRX Series devices, bridging and transparent mode are not supported on Mini-Physical Interface Modules (Mini-PIMs).

Network Address Translation (NAT)

• On high-end SRX Series devices, the number of IP addresses for NAT with port translation has been increased to 1M addresses since Junos OS Release 12.1X47-D10. The SRX5000 line, however, supports a maximum of 384M translation ports, and this limit cannot be increased. To use 1M IP addresses, the number of twin ports per address must therefore be less than 384 (384M ports divided by 1M addresses). The following CLI statements configure the twin port range and so bound the number of twin ports:
• set security nat source pool-default-twin-port-range low to high
• set security nat source pool sp1 port range twin-port low to high

Software Installation and Upgrade

• On all SRX Series devices, in-service software upgrade (ISSU) is not supported for upgrading from earlier Junos OS releases to Junos OS Release 15.1X49. ISSU is supported for upgrading to successive Junos OS Release 15.1X49 releases and to major Junos OS releases.
VPN

• On a high-end SRX Series device, VPN monitoring of an externally connected device (such as a PC) is not supported. The destination IP address for VPN monitoring must be a local interface on the high-end SRX Series device.

• On SRX Series devices, configuring RIP demand circuits over VPN interfaces is not supported.

Related Documentation

• New and Changed Features on page 4
• Changes in Behavior and Syntax on page 10
• Known Issues on page 16
• Resolved Issues on page 18
• Documentation Updates on page 24
• Migration, Upgrade, and Downgrade Instructions on page 25

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 15.1X49-D20. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

• On SRX5400, SRX5600, and SRX5800 devices, fragmented IPsec packets might be out of order after decryption, causing TCP packet retransmission and performance degradation. PR1013223

• On SRX5400, SRX5600, and SRX5800 devices, the incorrect IP address information "Unknown IP version: 0" is displayed in a few load-balancing thread (LBT) and packet-ordering thread (POT) logs triggered by fragmentation. PR1032647

Hardware

• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when you disable the member interface of a redundant Ethernet (reth) interface and the disabling action causes a redundancy group failover (for example, the only member interface under the reth interface on the primary node is disabled, or the number of operating member interfaces under the reth LAG interface on the primary node falls below the configured value of minimum-links), then the reth interface will flap.
PR1111360

Platform and Infrastructure

• On SRX5400, SRX5600, and SRX5800 devices, when IP monitoring is configured and then disabled, the system might go to the default vty prompt. As a workaround, do not disable IP monitoring once it is enabled. PR1109689

Routing Policy and Firewall Filters

• On SRX5400, SRX5600, and SRX5800 devices, the pre-defined application-sets can be invoked only in the root logical system (LSYS); they cannot be invoked in custom LSYSs. As a workaround, define the application-sets manually for the custom LSYSs instead of using the pre-defined application-sets. PR1075409

VPNs

• On SRX5400, SRX5600, and SRX5800 devices, when the alarm-without-drop option is configured for the UDP Flood Protection screen, packets classified as attack packets might be sent out of order. This can result in performance degradation. As a workaround, when you use the alarm-without-drop option, ensure that the threshold for the UDP Flood Protection screen is adjusted to the traffic pattern, so that you avoid classifying too many legitimate packets as attacks. PR1090963

Related Documentation

• New and Changed Features on page 4
• Changes in Behavior and Syntax on page 10
• Known Behavior on page 14
• Resolved Issues on page 18
• Documentation Updates on page 24
• Migration, Upgrade, and Downgrade Instructions on page 25

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Resolved Issues: Release 15.1X49-D20

Application Identification and Tracking

• On SRX5400, SRX5600, and SRX5800 devices, when SSLFP is enabled in security policies and no data packets are exchanged after initial session establishment until the AppTrack volume update interval elapses or the session closes, the application name is reported as SSL in the AppTrack volume update or close message. PR1063920

Application Layer Gateways (ALGs)

• On SRX5400, SRX5600, and SRX5800 devices with NAT and the SIP ALG enabled, the NOTIFY message might incorrectly arrive earlier than the 200 OK REGISTER message, which disrupts the state machine of the REGISTER message. The subsequent 200 OK REGISTER messages are dropped and the persistent NAT entry is not refreshed, causing the persistent NAT entry to expire. As a result, the IP address in the payload of the SIP message is not translated and the SIP call fails. PR1064708

• On SRX5400, SRX5600, and SRX5800 devices, if the RSH ALG is enabled, the device does not drop the packets that match the port range of the RSH ALG. PR1093558

Authentication and Access Control

• On SRX5400, SRX5600, and SRX5800 devices with firewall authentication configured, an authentication entry leak on the data plane occurs when an authenticated user tries to re-authenticate. As a result, firewall authentication will not allow any more authentication entries to be created. PR969085

• On SRX5400, SRX5600, and SRX5800 devices, when the device is configured as a Unified Access Control (UAC) enforcer and is connected to the Infranet Controller server, a connection that has a duplicate source IP address with different IDs from the Infranet Controller is terminated.
PR1093728

Chassis Cluster

• On SRX5400, SRX5600, and SRX5800 devices with an SPC2 installed, after the control plane (RG0) failover, if RG0 and the data plane groups (RG1+) are active on different nodes, then the primary Routing Engine might drop the connection with the remote SPUs (the SPUs that reside on the other node, whose Routing Engine is in the secondary state). As a result, a traffic outage occurs. PR1059901

• On SRX5600 and SRX5800 devices, a traffic outage might occur with hardware errors (IA PIO errors). When the devices are configured in a chassis cluster, the hardware errors (IA PIO errors) do not trigger RG1+ failover. This fix raises an FPC minor alarm to trigger the RG1+ switchover in a chassis cluster. PR1080116

• On SRX5400, SRX5600, and SRX5800 devices, all interfaces of the RG0 secondary node go down when the connection between the kernel of the primary node and the ksyncd of the secondary node fails. This occurs because of a memory leak in the shared-memory process (shm-rtsdbd). PR1084660

Flow-Based and Packet-Based Processing

• On SRX5400, SRX5600, and SRX5800 devices, when the SPU works in high stress mode, the internal event queue can become full and an event can be lost. There is no retransmission mechanism for this internal event, and the connection enters a "session stuck" state. The stuck session is recovered by the upper-layer applications. For example, when the TCP session log module is stuck, you cannot send any log messages; after 30 seconds, the log module detects this condition and restarts a new connection to send the log message. However, if the UDP session log module is stuck, you can still send the log message.
PR1060529

• On SRX5400, SRX5600, and SRX5800 devices configured with chassis cluster and logical systems (LSYS), when the session number is close to the configured LSYS session limit, sessions might not be successfully created on the secondary node. The sessions are created on the backup flow SPUs, but not on the central point. As a result, the backup flow SPUs keep retrying until they succeed. When this situation continues, the session count on the secondary node's SPU reaches the maximum limit value, which affects new session creation. NOTE: The number of sessions on the secondary node SPU is usually higher than on the primary node SPU. PR1061067

• On SRX5400, SRX5600, and SRX5800 devices with source NAT configured, ICMP error packets with an MTU value of 0 might be generated on the egress interface when the packets fail to match the NAT rules. PR1079123

• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, if IP monitoring is enabled, the behavior of IP monitoring through reth or RLAG on the secondary node might be abnormal and thus generate a warning message for each configuration commit. NOTE: Juniper Networks extended LACP and LAG on a redundant Ethernet interface is called RLAG. PR1082396

• On SRX5400, SRX5600, and SRX5800 devices, the flowd process might crash because of a 64-bit unaligned memory access. PR1085153

• On SRX5400, SRX5600, and SRX5800 devices, if 1:1 sampling is configured for J-Flow and the device processes a high volume of traffic, a race condition might lead to an infinite loop in which a J-Flow entry gets deleted. As a result, the flowd process crashes. PR1088476

• On SRX5400, SRX5600, and SRX5800 devices, the inactivity-timeout value of predefined junos-defaults applications cannot be changed, even if it is configured with a value of 10,0000.
PR1093629

• On SRX5400, SRX5600, and SRX5800 devices with OSPFv3 configured, if the JSF DPI plugin (JDPI) enables session serialization (SZ), the device drops the OSPFv3 packets in transparent mode when the packets are reinjected. PR1094093

Intrusion Detection and Prevention (IDP)

• On SRX5400, SRX5600, and SRX5800 devices, the IDP exempt rule does not work when a source or destination zone is configured as a specific zone (instead of any), one or more IP addresses are configured to match the exempt rule, and an attack traffic flow (destined to IP addresses that are configured to match the exempt rule) is for a standard application on a non-standard port (for example, HTTP on ports other than 80). PR1070331

• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, you cannot update IDP signatures through J-Web. PR1084592

J-Web

• On SRX5400, SRX5600, and SRX5800 devices, you cannot create a new CoS rule set for an existing security policy through J-Web. PR1095759

• On SRX5400, SRX5600, and SRX5800 devices, when you log in to J-Web using the logical system through Internet Explorer, the "Exception in data refresh" error might be displayed in the J-Web Dashboard messages log. PR1096551

Logical Systems

• On SRX5400, SRX5600, and SRX5800 devices, you cannot configure a nested default application-set within a logical system. PR1075409

Network Address Translation (NAT)

• On SRX5400, SRX5600, and SRX5800 devices, after ISSU, the configuration might not take effect and the NAT configuration remains ineffective. However, the non-NAT configuration takes effect when you run the commit full command. PR1071819

• On SRX5400, SRX5600, and SRX5800 devices, when the timeout value of an ALG entry is configured larger than the timer wheel's maximum timeout value (7200 seconds), the entry cannot be inserted into the timer wheel. As a result, an ALG persistent NAT binding leak occurs. PR1088539
Platform and Infrastructure

• On SRX5400, SRX5600, and SRX5800 devices, the OID ifSpeed of an interface polled by SNMP is displayed incorrectly when the speed of the interface is configured as auto-negotiated. PR967369

• On SRX5400, SRX5600, and SRX5800 devices, when you use UTF-8 encoding to generate the certificate with the certificate authority (CA), certificate validation fails. PR1079429

• On SRX5400, SRX5600, and SRX5800 devices, the kernel might crash when you run the automatic script. PR1090549

Routing Policy and Firewall Filters

• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, the flowd process might crash after a reboot if the device is configured with IPv6 security policies. PR1089272

Security

• Junos OS Release 15.1X49-D10 uses newer versions of OpenSSL that have improved security features. These features consume more memory per session. For example, when you use SSL forward proxy, the session scaling numbers are lower than the Junos OS Release 12.1X47 and Junos OS Release 12.3X48 session scaling numbers. PR1084348

System Logging

• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when you run the request system configuration rescue save command, the command fails to run on the device. PR1097154

VPNs

• On SRX5400, SRX5600, and SRX5800 devices with dynamic VPN configured, the key management process (KMD) might crash when an IKE payload with a different port number is received. PR1080326

• On SRX5400, SRX5600, and SRX5800 devices with IPsec VPN configured, if the device is the initiator and the peer device is from another vendor, the Internet Key Exchange (IKE) tunnel negotiation does not come up. PR1085657

• On SRX5400, SRX5600, and SRX5800 devices, the output of the show system processes resource-limits process-name pki-service command cannot be displayed correctly because of a missing file.
PR1091233

• On SRX5400, SRX5600, and SRX5800 devices, the active FTP data session fails if traffic selectors are configured for IPsec VPN. PR1103948

• On SRX5400, SRX5600, and SRX5800 devices, the IPsec tunnel does not come up on the data plane if both the st0 interface and the IPsec VPN configuration (which is configured in the [security ike] and [security ipsec] hierarchies) are committed in a single commit. PR1104466

Resolved Issues: Release 15.1X49-D10

Application Layer Gateways (ALGs)

• On SRX5400, SRX5600, and SRX5800 devices with the H.323 ALG and NAT enabled to process H.323 traffic, if H.323 calls contain the same source IP address and port number but in different positions, then some unidirectional H.323 sessions might be seen. As a result, calls related to the H.323 ALG fail. PR1069067

Chassis Cluster

• On SRX5400, SRX5600, and SRX5800 devices, a traffic outage might occur with hardware errors (IA PIO errors). When the devices are configured in a chassis cluster, the hardware errors (IA PIO errors) do not trigger RG1+ failover. This fix raises an FPC minor alarm to trigger the RG1+ switchover in a chassis cluster. PR1080116

Class of Service (CoS)

• On SRX5400, SRX5600, and SRX5800 devices, the CoS rewrite rules do not work for VPN traffic if the rules are configured with loss priority high. This occurs when the packets are reinjected into the IPsec tunnel encapsulation process. PR1085654

General Packet Radio Service (GPRS)

• On SRX5400, SRX5600, and SRX5800 devices, when GPRS tunneling protocol version 2 (GTPv2) is configured, GTPv2 might fail to create control sessions. PR1029284

Flow-Based and Packet-Based Processing

• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when RG0 resides on a different node, RG1+ traffic sent out by the Routing Engine (RG0 node) is dropped.
PR1059901

• On SRX5400, SRX5600, and SRX5800 devices, when the SPU works under high stress, the internal event queue becomes full and the event is lost. Because there is no retransmission mechanism for the internal event, this leads to a stuck session. The stuck session is recovered by upper-layer applications. For example, when the TCP session of the log module is stuck, the log message cannot be sent; after 30 seconds, the log module detects this and restarts a new connection to send the log message. PR1060529

• On SRX5400, SRX5600, and SRX5800 devices, when you run the show security policies hit-count command, the Routing Engine memory is overwritten, resulting in an nsd process crash. This issue occurs when security policies are not synchronized between the Routing Engine and the data plane. PR1069371

• On SRX5400, SRX5600, and SRX5800 devices, the flowd process might crash when multicast traffic hits a route lookup failure. PR1075797

• On SRX5400, SRX5600, and SRX5800 devices, if any configuration changes are made to an interface (for example, when you add a new unit for an interface), an internal interface-related object is freed and reallocated. However, in a rare condition, some packets queued in the system might still refer to the freed object, causing the flowd process to crash. PR1082584

• On SRX5400, SRX5600, and SRX5800 devices, the flowd process might crash because of a 64-bit unaligned memory access. PR1085153

Network Address Translation (NAT)

• On SRX5400, SRX5600, and SRX5800 devices, when the timeout value of an ALG entry is configured larger than the timer wheel's maximum timeout value (7200 seconds), the entry cannot be inserted into the timer wheel. As a result, an ALG persistent NAT binding leak occurs.
PR1088539

Unified Threat Management (UTM)

• On SRX5400, SRX5600, and SRX5800 devices running Junos OS Release 15.1X49-D10 or later releases with Enhanced Web Filtering (EWF) configured, if the UTM EWF category object update to the data plane fails, the UTM EWF category object is not updated anymore. This issue occurs during the system initialization process of an SRX Series chassis cluster. PR1073198

Related Documentation

• New and Changed Features on page 4
• Changes in Behavior and Syntax on page 10
• Known Behavior on page 14
• Known Issues on page 16
• Documentation Updates on page 24
• Migration, Upgrade, and Downgrade Instructions on page 25

Documentation Updates

This section lists the errata and changes in the software documentation.

Layer 2 Bridging and Transparent Mode for Security Devices

• Starting in Junos OS Release 15.1X49-D10, the Layer 2 Bridging and Switching Feature Guide for Security Devices is retitled Layer 2 Bridging and Transparent Mode for Security Devices.

• Although Ethernet switching is not supported in Junos OS Release 15.1X49-D10, the Layer 2 Bridging and Transparent Mode for Security Devices guide retains content about Ethernet switching.

• Starting in Junos OS Release 15.1X49-D10, the term bridge-domain is changed to VLAN. However, the documents still use the term bridge-domain in topics.

Related Documentation

• New and Changed Features on page 4
• Changes in Behavior and Syntax on page 10
• Known Behavior on page 14
• Known Issues on page 16
• Resolved Issues on page 18
• Migration, Upgrade, and Downgrade Instructions on page 25

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS.
Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

• Upgrade for Layer 2 Configuration on page 25
• Upgrading an AppSecure Device on page 25
• Upgrade and Downgrade Scripts for Address Book Configuration on page 25

Upgrade for Layer 2 Configuration

Starting with Junos OS Release 15.1X49-D10 and later, enhanced Layer 2 CLI configurations are supported. If your device was configured earlier for Layer 2 transparent mode, then you must convert the legacy configurations to enhanced Layer 2 CLI configurations. For details on how to migrate from Junos OS Release 12.3X48-D10 and earlier releases to Junos OS Release 15.1X49-D10 and later releases, refer to the Knowledge Base article at http://kb.juniper.net.

Upgrading an AppSecure Device

For devices implementing AppSecure services, use the no-validate option when upgrading from Junos OS Release 11.2 or earlier to Junos OS 11.4R1 or later. The application signature package used with AppSecure services in previous releases has been moved from the configuration file to a signature database. This change in location can trigger an error during the validation step and interrupt the Junos OS upgrade. The no-validate option bypasses this step.

Upgrade and Downgrade Scripts for Address Book Configuration

Beginning with Junos OS Release 12.1, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).

You can either define all address books under the [security] hierarchy in a zone-attached configuration format or under the [security zones] hierarchy in a zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both configuration formats on one system.
Juniper Networks provides Junos operation scripts that allow you to work in either of the address book configuration formats (see Figure 1 on page 27).

• About Upgrade and Downgrade Scripts on page 26
• Running Upgrade and Downgrade Scripts on page 27
• Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases on page 28

About Upgrade and Downgrade Scripts

After downloading Junos OS Release 12.1, you have the following options for configuring the address book feature:

• Use the default address book configuration—You can configure address books using the zone-defined configuration format, which is available by default. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.

• Use the upgrade script—You can run the upgrade script available on the Juniper Networks support site to configure address books using the new zone-attached configuration format. When upgrading, the system uses the zone names to create address books. For example, addresses in the trust zone are created in an address book named trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules remain unaffected.

  After upgrading to the zone-attached address book configuration:

  • You cannot configure address books using the zone-defined address book configuration format; the CLI displays an error and fails to commit.
  • You cannot configure address books using the J-Web interface.

  For information on how to configure zone-attached address books, see the Junos OS Release 12.1 documentation.

• Use the downgrade script—After upgrading to the zone-attached configuration, if you want to revert to the zone-defined configuration, use the downgrade script available on the Juniper Networks support site. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.
NOTE: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.

Figure 1: Upgrade and Downgrade Scripts for Address Books

[Figure: starting from "Download Junos OS Release 11.2 or later" with a zone-defined address book, "Run the upgrade script" leads to the zone-attached address book configuration (global address book is available by default; address book is defined under the security hierarchy; zones need to be attached to address books). "Run the downgrade script" returns to the zone-defined address book. Note: Make sure to revert any configuration that uses addresses from the global address book.]

Running Upgrade and Downgrade Scripts

The following restrictions apply to the address book upgrade and downgrade scripts:

• The scripts cannot run unless the configuration on your system has been committed. Thus, if the zone-defined address book and zone-attached address book configurations are present on your system at the same time, the scripts will not run.

• The scripts cannot run when the global address book exists on your system.

• If you upgrade your device to Junos OS Release 12.1 and configure logical systems, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert the existing zone-defined configuration to the zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.

NOTE: You cannot run the downgrade script on logical systems.

For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.
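As an added illustration (not Juniper's upgrade script), the following Python models the conversion described above for the zone-defined and zone-attached formats: addresses defined under each security zone move into an address book named <zone>-address-book, which is then attached to that zone, and the two run-time restrictions (both formats present, or a global address book present) refuse the run. The 'set' command forms, the sample configuration and the function names are this example's own assumptions.

```python
"""Illustrative converter from zone-defined to zone-attached address books.

Added example, not Juniper's upgrade script. It operates on Junos 'set'
commands and reproduces the behaviour the release notes describe.
"""
import re
from typing import List

# Zone-defined format (Junos OS Release 11.1 and earlier):
#   set security zones security-zone <zone> address-book address <name> <prefix>
#   set security zones security-zone <zone> address-book address-set <set> address <name>
ZONE_DEFINED = re.compile(
    r"^set security zones security-zone (\S+) address-book "
    r"(address|address-set) (\S+) (.+)$"
)
# Zone-attached format (Junos OS Release 12.1 and later):
#   set security address-book <book> ...
ZONE_ATTACHED = re.compile(r"^set security address-book (\S+) ")


class ConversionRefused(Exception):
    """One of the restrictions described for the upgrade script applies."""


def convert_to_zone_attached(config_lines: List[str]) -> List[str]:
    """Return the zone-attached 'set' commands equivalent to the input."""
    zone_defined = []
    attached_books = set()
    for raw in config_lines:
        line = raw.strip()
        if not line:
            continue
        m = ZONE_DEFINED.match(line)
        if m:
            zone_defined.append(m.groups())
            continue
        m = ZONE_ATTACHED.match(line)
        if m:
            attached_books.add(m.group(1))
    # Restriction: both formats present means the configuration could not
    # have been committed, so the script does not run.
    if zone_defined and attached_books:
        raise ConversionRefused("zone-defined and zone-attached address books both present")
    # Restriction: the script does not run when the global address book exists.
    if "global" in attached_books:
        raise ConversionRefused("global address book already exists")

    converted = []
    zones_seen = []
    for zone, kind, name, rest in zone_defined:
        book = f"{zone}-address-book"
        converted.append(f"set security address-book {book} {kind} {name} {rest}")
        if zone not in zones_seen:
            zones_seen.append(zone)
    # Attach each generated address book to the zone it was created from.
    for zone in zones_seen:
        converted.append(f"set security address-book {zone}-address-book attach zone {zone}")
    return converted


def conversion_allowed(config_lines: List[str]) -> bool:
    """True when neither restriction blocks the conversion."""
    try:
        convert_to_zone_attached(config_lines)
        return True
    except ConversionRefused:
        return False


# Constructed sample configuration in the zone-defined format (not from a real device).
SAMPLE_ZONE_DEFINED = [
    "set security zones security-zone trust address-book address web-srv 10.1.1.10/32",
    "set security zones security-zone trust address-book address db-srv 10.1.1.20/32",
    "set security zones security-zone trust address-book address-set servers address web-srv",
    "set security zones security-zone trust address-book address-set servers address db-srv",
    "set security zones security-zone untrust address-book address partner-net 198.51.100.0/24",
    "set security zones security-zone trust interfaces ge-0/0/1.0",  # not an address-book line
]

if __name__ == "__main__":
    for cmd in convert_to_zone_attached(SAMPLE_ZONE_DEFINED):
        print(cmd)
```

Running the block prints seven commands: the five converted address and address-set statements followed by one attach statement per zone.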
Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3 (a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS Release 11.4 to Junos OS Release 10.3.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.
Related Documentation

• New and Changed Features on page 4
• Changes in Behavior and Syntax on page 10
• Known Behavior on page 14
• Known Issues on page 16
• Resolved Issues on page 18

Product Compatibility

• Hardware Compatibility on page 28
• Transceiver Compatibility for SRX Series Devices on page 29

Hardware Compatibility

To obtain information about the components that are supported on the device, and special compatibility guidelines with the release, see the SRX Series Hardware Guide.

To determine the features supported on SRX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at http://pathfinder.juniper.net/feature-explorer/.

Transceiver Compatibility for SRX Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used on SRX Series interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used. Please contact Juniper Networks for the correct transceiver part number for your device.

Finding More Information

For the latest, most complete information about known and resolved issues with the Junos OS, see the Juniper Networks Problem Report Search application at http://prsearch.juniper.net.

Juniper Networks Feature Explorer is a Web-based application that helps you to explore and compare Junos OS feature information to find the correct software release and hardware platform for your network. Find Feature Explorer at http://pathfinder.juniper.net/feature-explorer/.
Juniper Networks Content Explorer is a Web-based application that helps you explore Juniper Networks technical documentation by product, task, and software release, and download documentation in PDF format. Find Content Explorer at http://www.juniper.net/techpubs/content-applications/content-explorer/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at http://www.juniper.net/techpubs/feedback/. If you are using e-mail, be sure to include the following information with your comments:

• Document or topic name
• URL or page number
• Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.

If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:

  user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net/pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to [email protected]. For documentation issues, fill out the bug report form located at http://www.juniper.net/techpubs/feedback/.

Revision History

17 March, 2016—Revision 4—Junos OS 15.1X49-D20 – SRX Series.
29 December, 2015—Revision 3—Junos OS 15.1X49-D20 – SRX Series.
09 November, 2015—Revision 2—Junos OS 15.1X49-D20 – SRX Series.
17 September, 2015—Revision 1—Junos OS 15.1X49-D20 – SRX Series.

Copyright © 2016, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.