Release Notes: Junos OS® Release 12.1X47-D20 for the SRX Series
Release 12.1X47-D20
24 March 2015
Revision 2
Contents
Introduction ... 5
New and Changed Features ... 6
  Release 12.1X47-D20 Hardware Features ... 6
    Interfaces and Chassis ... 6
  Release 12.1X47-D20 Software Features ... 6
    System Logging ... 6
  Release 12.1X47-D15 Hardware Features ... 7
    Interfaces and Chassis ... 7
  Release 12.1X47-D15 Software Features ... 7
    Application Identification and Tracking ... 7
    Authentication, Authorization and Accounting (AAA) ... 7
    Chassis Cluster ... 8
    Flow-Based and Packet-Based Processing ... 8
    General Routing ... 8
    Interfaces and Chassis ... 10
    IPv6 ... 12
    Network Address Translation (NAT) ... 12
    Network Management and Monitoring ... 12
  Release 12.1X47-D10 Hardware Features ... 12
    Interfaces and Chassis ... 12
  Release 12.1X47-D10 Software Features ... 13
    Application Identification and Tracking ... 13
    Chassis Cluster ... 14
    Dynamic Host Configuration Protocol (DHCP) ... 16
    Flow-Based and Packet-Based Processing ... 16
    General Packet Radio Service (GPRS) ... 16
    Interfaces and Chassis ... 17
    J-Web ... 17
    Layer 2 Features ... 18
    Multicast ... 18
    Network Address Translation (NAT) ... 18
    Network Management and Monitoring ... 19
    Port Security ... 20
    Public Key Infrastructure (PKI) ... 20
    Routing Protocols ... 20
    Security Policy ... 20
    Unified Threat Management (UTM) ... 21
    VPNs ... 21
Changes in Behavior and Syntax ... 23
  Application Identification and Tracking ... 23
  Chassis Cluster ... 24
  Flow-Based and Packet-Based Processing ... 24
  Intrusion Detection Prevention (IDP) ... 24
  Network Time Protocol ... 26
  Screens ... 26
  Security ... 26
  System Logging ... 26
  System Management ... 26
  Unified Threat Management (UTM) ... 27
  VPNs ... 29
Known Behavior ... 30
  Application Identification and Tracking ... 30
  CLI and J-Web ... 34
  Dynamic Host Configuration Protocol (DHCP) ... 34
  Flow-Based and Packet-Based Processing ... 35
  General Packet Radio Service (GPRS) ... 35
  Hardware ... 35
  Interfaces and Chassis ... 35
  Integrated User Firewall ... 35
  Intrusion Detection and Prevention (IDP) ... 36
  IP Monitoring ... 36
  IPv6 ... 37
  Layer 2 Transparent Mode ... 37
  Network Address Translation (NAT) ... 37
  TCP-Based DNS ... 37
  Upgrade and Downgrade ... 37
  VPNs ... 37
Known Issues ... 39
  Application Identification and Tracking ... 39
  Application Layer Gateways (ALGs) ... 39
  Chassis Cluster ... 39
  Dynamic Host Configuration Protocol (DHCP) ... 39
  Flow-Based and Packet-Based Processing ... 40
  Interfaces and Routing ... 40
  Intrusion Detection and Prevention (IDP) ... 41
  J-Web ... 41
  Network Address Translation (NAT) ... 41
  Platform and Infrastructure ... 42
  Security Policy ... 43
  System Logging ... 43
  VPN ... 43
Resolved Issues ... 44
  Resolved Issues 12.1X47-D20 ... 44
    Application Layer Gateways (ALGs) ... 44
    Chassis Cluster ... 44
    CLI ... 44
    Dynamic Host Configuration Protocol (DHCP) ... 45
    Flow-Based and Packet-Based Processing ... 45
    Interfaces and Routing ... 46
    Intrusion Detection and Prevention (IDP) ... 47
    J-Web ... 47
    Platform and Infrastructure ... 47
    Security Policy ... 47
    System Logging ... 48
    Unified Threat Management (UTM) ... 48
    VPN ... 48
  Resolved Issues 12.1X47-D15 ... 49
    Application Layer Gateways (ALGs) ... 49
    Certificate Authority (CA) ... 49
    Chassis Cluster ... 49
    Flow-Based and Packet-Based Processing ... 50
    Dynamic Host Configuration Protocol (DHCP) ... 52
    General Packet Radio Service (GPRS) ... 52
    Interfaces and Routing ... 52
    Intrusion Detection and Prevention (IDP) ... 52
    J-Web ... 53
    Network Address Translation (NAT) ... 53
    Platform and Infrastructure ... 54
    Screens ... 56
    System Logging ... 56
    Unified Threat Management (UTM) ... 56
    VPN ... 57
  Resolved Issues 12.1X47-D10 ... 58
    Application Layer Gateways (ALGs) ... 58
    Authentication and Access Control ... 58
    Chassis Cluster ... 59
    Dynamic Host Configuration Protocol (DHCP) ... 60
    Flow-Based and Packet-Based Processing ... 60
    General Packet Radio Service (GPRS) ... 63
    Hardware ... 63
    Interfaces and Routing ... 63
    Intrusion Detection and Prevention (IDP) ... 64
    J-Web ... 65
    Network Address Translation (NAT) ... 65
    Platform and Infrastructure ... 66
    Switching ... 67
    System Logging ... 67
    Unified Threat Management (UTM) ... 68
    VPNs ... 68
Documentation Updates ... 71
  Documentation Updates for the Junos OS Software Documentation ... 71
    IDP Policies Feature Guide for Security Devices ... 71
    Multicast Feature Guide for Security Devices ... 72
    Various Guides ... 73
Migration, Upgrade, and Downgrade Instructions ... 74
  End-of-Life Announcement for J Series devices and the low-Memory Versions of SRX100 and SRX200 Lines ... 74
  Upgrading and Downgrading Among Junos OS Releases ... 75
  Upgrading an AppSecure Device ... 76
  Network and Security Manager Support ... 77
  Upgrade and Downgrade Scripts for Address Book Configuration ... 77
    About Upgrade and Downgrade Scripts ... 77
    Running Upgrade and Downgrade Scripts ... 78
  Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases ... 79
  Hardware Requirements ... 79
    Transceiver Compatibility for SRX Series Devices ... 79
Product Compatibility ... 80
  Hardware Compatibility ... 80
Third-Party Components ... 80
Finding More Information ... 80
Documentation Feedback ... 80
Requesting Technical Support ... 81
Revision History ... 83
Copyright © 2015, Juniper Networks, Inc.
Introduction
Junos OS® runs on the following Juniper Networks hardware: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric, QFX Series, SRX Series, and T Series.
These release notes accompany Junos OS Release 12.1X47 for the SRX Series. They
describe new and changed features, known behavior, and known and resolved problems
in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at https://www.juniper.net/techpubs/software/junos/.
New and Changed Features
This section describes the new features and enhancements to existing features in Junos
OS Release 12.1X47 for the SRX Series.
Release 12.1X47-D20 Hardware Features
Interfaces and Chassis
• Air deflector kits for SRX3600 and SRX5400 Services Gateways—The SRX3600 and SRX5400 Services Gateways support the new air deflector kits that let you install the devices in a ventilation environment with designated hot and cold aisles. These kits are optional, converting the services gateway from side-to-side ventilation to front-to-back ventilation by directing the ventilation with cold air entering from the front and warm exhaust exiting from the back.
  NOTE: The SRX3400 and SRX5600 Services Gateways support the earlier air deflector kits. See SRX3400 and SRX5600 Services Gateways Air Deflector Kits.
  [See the Air Deflector Kit Installation Guide for SRX3600 and SRX5400 Services Gateways.]
Release 12.1X47-D20 Software Features
System Logging
• TCP/TLS support for real-time logging for SRX Series devices—Starting in Junos OS Release 12.1X47-D20, a secure mechanism, enabled through a plug-in during system initialization, encrypts and transports dataplane syslog messages to TLS-capable syslog receivers (such as the Juniper Networks STRM or a standards-based third-party device) over TCP on all branch SRX Series devices in addition to high-end SRX Series devices. The SPU generates the log data. By default, port 514 is used for TCP logging and port 6514 is used for TLS logging. The device acts as the log client and initiates the TCP/TLS connection to the log server.
  [See the “Syslog Messages” section in the Junos OS 12.1X47-D20 Release Feature Guide.]
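As an added illustration (not Juniper code), the following Python shows the receiver-side work behind the "TLS-capable syslog receivers" mentioned above: a sender-side framer and a decoder that reassembles whole messages from a TCP/TLS byte stream delivered in arbitrary chunks. It assumes RFC 5425 octet-counting framing, which the page does not state the SRX uses, so verify the framing against your receiver; the sample messages are constructed, not real SRX output.

```python
import re

# Constructed sample dataplane-style messages (not real SRX output).
SAMPLE_MESSAGES = [
    "<14>1 2015-03-24T10:00:00Z srx-a RT_FLOW - RT_FLOW_SESSION_CREATE - "
    "session created 192.0.2.10/40000->198.51.100.5/443",
    "<14>1 2015-03-24T10:00:01Z srx-a RT_FLOW - RT_FLOW_SESSION_CLOSE - "
    "session closed 192.0.2.10/40000->198.51.100.5/443",
]


def frame(message):
    """Sender side (RFC 5425 octet counting, an assumption here): prefix the
    UTF-8 message with its byte length and one space, e.g. b'3 abc'."""
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


class OctetCountingDecoder:
    """Receiver side: rebuild whole messages from a TCP/TLS stream whose reads
    can split a length prefix or a message body at any byte boundary."""

    _LEN_RE = re.compile(rb"^(\d{1,10}) ")

    def __init__(self):
        self._buf = b""

    def feed(self, chunk):
        """Append one read() worth of bytes; return the messages completed so far."""
        self._buf += chunk
        out = []
        while True:
            m = self._LEN_RE.match(self._buf)
            if not m:
                # No complete "<digits><space>" prefix yet: either wait for more
                # bytes, or reject a stream that cannot be octet-counted.
                if self._buf and not self._buf[:1].isdigit():
                    raise ValueError("malformed frame: octet count expected")
                if len(self._buf) > 11:
                    raise ValueError("malformed frame: octet count too long")
                break
            msg_len = int(m.group(1))
            start = m.end()
            if len(self._buf) < start + msg_len:
                break  # body still incomplete, wait for the next chunk
            out.append(self._buf[start:start + msg_len].decode("utf-8", errors="replace"))
            self._buf = self._buf[start + msg_len:]
        return out


def roundtrip_in_chunks(messages, chunk_size):
    """Frame the messages, then deliver the stream in chunk_size pieces to the decoder."""
    stream = b"".join(frame(m) for m in messages)
    dec = OctetCountingDecoder()
    received = []
    for i in range(0, len(stream), chunk_size):
        received.extend(dec.feed(stream[i:i + chunk_size]))
    return received


if __name__ == "__main__":
    # In a real receiver, wrap the accepted socket with ssl.SSLContext.wrap_socket()
    # and call feed() on every recv(); the framing logic stays the same.
    print(roundtrip_in_chunks(SAMPLE_MESSAGES, 7))
```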
Release 12.1X47-D15 Hardware Features
Interfaces and Chassis
• Enhanced support for Switch Control Board and Routing Engine—Starting with Junos OS Release 12.1X47-D15, the SRX5400, SRX5600, and SRX5800 support the next-generation SCB (SRX5K-SCBE) and Routing Engine (SRX5K-RE-1800X4), providing a 120-Gbps per slot line rate, faster configuration processing, route convergence, and policy compilation, in addition to greater scalability and performance. The SRX5K-SCBE provides higher capacity traffic support, greater interface density, and improved services. The SRX5K-RE-1800X4 provides the interface for user access and system management, in addition to managing routing tables, routing protocols, device interfaces, and chassis components. The Routing Engine also has secondary storage through a 128-GB solid-state drive providing additional storage for Junos images.
  [See Switch Control Board SRX5K-SCBE and Routing Engine SRX5K-RE-1800X4.]
Release 12.1X47-D15 Software Features
Application Identification and Tracking
• SSL proxy support for SRX240, SRX550, and SRX650 devices—Starting with Junos OS Release 12.1X47-D15, SRX240, SRX550, and SRX650 devices can decrypt and inspect SSL encrypted traffic for features such as AppSecure and IDP. SSL proxy ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity.
  [See SSL Proxy Overview.]
Authentication, Authorization and Accounting (AAA)
• RADIUS functionality over IPv6 for system AAA for SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.1X47-D15, RADIUS functionality supports IPv6 for system authentication, authorization, and accounting (AAA) in addition to the existing RADIUS functionality over IPv4 for system AAA. With this feature, Junos OS users can log in to the device authenticated through RADIUS over an IPv6 network. Thus, Junos OS users can now configure both IPv4 and IPv6 RADIUS servers for AAA.
  [See the “Authentication, Authorization, and Accounting” section in the Junos OS 12.1X47-D15 Feature Guide.]
Chassis Cluster
• Encrypted control link [High-end SRX Series]—The existing control link access is hardened: Telnet access over the control link is disabled, so an attacker cannot log in to the system through the control link without authentication. The chassis cluster control link also supports an optional encryption feature that you can configure and activate. Using IPsec for internal communication between devices, the configuration information that passes through the chassis cluster link from the primary node to the secondary node is encrypted. Without the internal IPsec key, an attacker cannot gain privileged access or observe the traffic. To configure this feature, use the set security ipsec internal security-association manual encryption ike-ha-link-encryption enable configuration command. To enable this feature, use the request security internal-security-association refresh command at the console.
  [See Understanding Chassis Cluster Control Links.]
Flow-Based and Packet-Based Processing
• Data path debugging on the SRX5000 line MPC for SRX5400, SRX5600, SRX5800—Starting with Junos OS Release 12.1X47-D15, data path debugging provides tracing and debugging at multiple processing units along the packet-processing path. The packet filter can be executed with minimal impact to the production system.
  On a high-end SRX Series device, a packet goes through a series of events involving different components from ingress to egress processing. With the data path debugging feature, you can trace and debug (capture packets) at different data points along the processing path. At each event, you can specify an action (count, packet dump, packet summary, and trace) and set filters to define what packets to capture.
  [See "Understanding Data Path Debugging for SRX Series Devices" and "Example: Configuring End-to-End Debugging on a High-End SRX Series Device" in the Junos OS Release 12.1X47-D15 Feature Guide.]
General Routing
• SRX5K-RE-1800X4 for SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.1X47-D15, the SRX5K-RE-1800X4 Routing Engine is introduced. The SRX5K-RE-1800X4 has an Intel Quad core Xeon processor, 16 GB of DRAM, and a 128-GB solid-state drive (SSD).
  The number 1800 refers to the speed of the processor (1.8 GHz). The maximum required power for this Routing Engine is 90W.
  The SRX5K-RE-1800X4 has the following features:
  • Increased CPU power provides higher control plane scalability.
    NOTE: The SRX5K-RE-1800X4 provides significantly better performance than the previously used Routing Engine, even with a single core.
  • Memory address space is increased from 2 GB to 4 GB.
  • The SSD provides superior reliability.
  The part number and model number for the SRX5K-RE-1800X4 can be viewed using the following CLI commands:
  • show chassis hardware
  • show chassis hardware models
Interfaces and Chassis
• Switch Control Board II for SRX5400, SRX5600, and SRX5800—Starting with Junos OS Release 12.1X47-D15, the Switch Control Board (SCB) II (SRX5K-SCBE) is introduced. SCB II (SRX5K-SCBE) has the following features:
  • Used in the SCB slot.
  • Supports 160-Gbps redundant raw fabric throughput per FPC slot. The SCB I (SRX5K-SCB) supports 80 Gbps. This new fabric capability enables the IOC II (SRX5K-MPC) to reach its maximum throughput of 120 Gbps and to achieve a line rate of 100-Gbps interfaces.
  • In-service hardware upgrade (ISHU) from SRX5K-SCB to SRX5K-SCBE is supported in chassis cluster mode.
  • The SRX5K-SCBE uses a serializer/deserializer (SerDes) link speed of 6.22 Gbps between an SRX5K-MPC and the SRX5K-SCBE. The fabric interface has enough bandwidth to support a line speed of 100-Gbps Ethernet interfaces.
    NOTE: Fabric Bandwidth Increasing Mode, which is supported in SRX5K-SCB alignment with the SPC II (SRX5K-SPC-4-15-320), is not supported.
  • The SRX5K-SPC-4-15-320 fabric interface runs at 3.11-Gbps SerDes link speed (same as the SPC I).
  • If an IOC I and an SPC I are plugged into a chassis with an SRX5K-SCBE, those cards will remain offline. Both an SRX5K-MPC and an SRX5K-SPC-4-15-320 are required to operate with an SRX5K-SCBE.
  To display new SRX5K-SCBE information, use the following CLI commands:
  • show chassis hardware
  • show chassis environment cb
  To request that an SCB II go online or offline, use the request chassis cb (offline | online) slot slot-number CLI command.
Third SCB Supported in SRX5800
There are three SCB slots in SRX5800 devices. The third slot can be used for an SCB
or an FPC. When an SRX5K-SCBE is used with an SRX5K-SCB, the third SCB slot can
only be used as an FPC slot (FPC 6). SCB redundancy is provided in chassis cluster
mode.
With an SRX5K-SCBE, a third SCB is supported. If a third SCB is plugged in, it provides
intra-chassis fabric redundancy.
If chassis cluster is enabled and a third SCB is also plugged in, both intra-chassis
redundancy and inter-chassis redundancy are provided. If a fabric plane fails or a link
error occurs on the active SCB, intra-chassis redundancy occurs first.
If no redundant plane is available in the chassis cluster, inter-chassis redundancy is
triggered and all data plane redundancy groups fail over to the other chassis cluster
node.
Control Plane
The Ethernet switch in the SRX5K-SCBE provides the Ethernet connectivity among all
the FPCs and the Routing Engine. The Routing Engine uses this connectivity to distribute
forwarding and routing tables to the FPCs. The FPCs use this connectivity to send
exception packets to the Routing Engine.
The Ethernet switch used in the SRX5K-SCBE is Broadcom’s BCM56680. BCM56680
is a Layer 2 and Layer 3 switch-on-a-chip solution. It provides 1-Gbps ports with
autonegotiation as well as four 10-Gbps ports.
The Routing Engine also connects to the Ethernet switch through Peripheral Component
Interconnect (PCI) for control. The BCM56680’s address space is mapped into PCI
address space.
To display control plane details, use the following commands:
• show chassis ethernet-switch
• show chassis ethernet-switch counters
Fabric Function
Fabric connects all FPCs in the data plane. The Fabric Manager executes on the Routing
Engine and controls the fabric system in the chassis. Packet Forwarding Engines on
the FPC and fabric planes on the SCB are connected through HSL2 channels.
HSL2 can be configured in different modes and different link speeds on each slot.
SCB II supports HSL2 with both 3.11-Gbps and 6.22-Gbps (SerDes) link speed and
various HSL2 modes. When an FPC is brought online, the link speed and HSL2 mode
are determined by the type of FPC.
To display fabric state, use the following CLI commands:
• show chassis fabric [summary | map | fpcs | plane | plane-location]
• request chassis fabric plane plane-number [offline | online]
IPv6
• IPv6 support for outbound SSH for all high-end SRX Series devices—Starting with Junos OS Release 12.1X47-D15, high-end SRX Series devices configured with IPv6 addresses support outbound SSH connections.
Network Address Translation (NAT)
• NAT64 IPv6 Prefix to IPv4 Address Persistent Translation for SRX Series devices—Starting with Junos OS Release 12.1X46-D15, this feature, which is targeted at IPv6 mobile networks, is used with the dual-translation mechanism, 464XLAT, to enable IPv4 services to work over IPv6-only networks. It augments the existing NAT64 mechanism, which enables IPv6 clients to contact IPv4 servers by translating IPv6 addresses to IPv4 addresses (and vice versa). However, the existing NAT64 mechanism does not ensure a sticky mapping relationship for one unique end user. By configuring the new address-persistent option with a specific IPv6 prefix length for NAT64 translations in an IPv4 source NAT pool, a sticky mapping relationship is ensured between one specific IPv6 prefix and one translated IPv4 address.
  [See the “Network Address Translation” section in the Junos OS 12.1X47-D15 Feature Guide.]
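To make the sticky-mapping behaviour concrete, here is an added Python model of an address-persistent NAT64 source pool (an illustration, not Junos code). The pool addresses, client prefixes and the first-free allocation strategy are constructed assumptions; the model contrasts per-prefix sticky mapping with a plain per-session allocation so the difference the note describes is visible.

```python
import ipaddress
from itertools import cycle


class Nat64SourcePool:
    """Toy model (not Junos code) of an IPv4 source NAT pool used for NAT64.

    With address_persistent=True, every IPv6 source that shares the first
    prefix_length bits is pinned to one translated IPv4 address, which is the
    sticky per-subscriber mapping the release note describes. With
    address_persistent=False the pool hands out addresses round-robin per
    session, so one subscriber can appear from several IPv4 addresses.
    The first-free allocation strategy is an assumption of this model.
    """

    def __init__(self, ipv4_addresses, prefix_length=64, address_persistent=True):
        self.pool = [ipaddress.IPv4Address(a) for a in ipv4_addresses]
        if not self.pool:
            raise ValueError("pool must contain at least one IPv4 address")
        if not 1 <= prefix_length <= 128:
            raise ValueError("prefix_length must be between 1 and 128")
        self.prefix_length = prefix_length
        self.address_persistent = address_persistent
        self._round_robin = cycle(self.pool)
        self._by_prefix = {}          # IPv6Network -> IPv4Address (sticky bindings)
        self._free = list(self.pool)  # addresses not yet bound to a prefix

    def _prefix(self, ipv6_src):
        # Collapse the source to its /prefix_length network, e.g. one subscriber's /64.
        addr = ipaddress.IPv6Address(ipv6_src)
        return ipaddress.ip_network(f"{addr}/{self.prefix_length}", strict=False)

    def translate(self, ipv6_src):
        """Return the IPv4 address a session from ipv6_src is translated to, or None
        when persistence is on and no free address is left for a new prefix."""
        if not self.address_persistent:
            return next(self._round_robin)
        key = self._prefix(ipv6_src)
        if key in self._by_prefix:
            return self._by_prefix[key]
        if not self._free:
            return None
        chosen = self._free.pop(0)
        self._by_prefix[key] = chosen
        return chosen

    def release_prefix(self, ipv6_src):
        """Drop the sticky binding (e.g. after the prefix's last session ends)."""
        addr = self._by_prefix.pop(self._prefix(ipv6_src), None)
        if addr is not None:
            self._free.append(addr)
        return addr


def demo():
    # Constructed sample: two hosts in one subscriber /64, one host in another /64,
    # and a third prefix that finds the two-address pool exhausted.
    pool = Nat64SourcePool(["203.0.113.10", "203.0.113.11"], prefix_length=64)
    same_sub_a = pool.translate("2001:db8:1:1::10")
    same_sub_b = pool.translate("2001:db8:1:1::20")  # same /64 -> same IPv4
    other_sub = pool.translate("2001:db8:1:2::10")   # new /64 -> next free IPv4
    exhausted = pool.translate("2001:db8:1:3::10")   # no address left -> None
    return [str(same_sub_a), str(same_sub_b), str(other_sub), exhausted]


if __name__ == "__main__":
    print(demo())
```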
Network Management and Monitoring
• Collect vital data on MIB OIDs for all SRX Series devices [SRX Series]—Starting in Junos OS Release 12.1X47-D15, you can configure the collection of MIB OID data for later use in reports. You can configure the data collection duration (default is 3 days), the dump file size limit (default is 5 Mbytes for branch SRX Series and 10 Mbytes for high-end SRX Series), and the disk storage limit (default is 80%). If an issue arises, the collected data can be examined to help identify its cause. Once you enable a predefined group, the vital data of all OIDs in the group is periodically collected and analyzed. Only critical data is collected when CPU utilization exceeds 60% but is within 80%. You can also collect raw MIB OID data.
  [See the “Network Management and Monitoring” section in the Junos OS 12.1X47-D15 Release Feature Guide.]
Release 12.1X47-D10 Hardware Features
Interfaces and Chassis
• MIC with twenty 1-Gigabit Ethernet SFP ports (SRX-MIC-20GE-SFP) [SRX5400, SRX5600, SRX5800]—MICs install into MPCs to add different combinations of Ethernet interfaces to your services gateway to suit the specific needs of your network. The SRX-MIC-20GE-SFP can be installed in an MPC to add twenty 1-Gigabit Ethernet small form-factor pluggable (SFP) Ethernet ports.
  You can install up to two MICs in the slots in each MPC. The SRX-MIC-20GE-SFP is hot-pluggable. You can remove and replace the MIC without powering off the services gateway, but the routing functions of the system are interrupted when the MIC is removed.
  [See MIC with 20x1GE SFP Interfaces (SRX-MIC-20GE-SFP).]
• Support for SFP+ 10-Gigabit and QSFP+ 40-Gigabit Ethernet transceivers [SRX5400, SRX5600, SRX5800]—The following transceivers are supported (transceiver model, description, supported card model):
  • SRX-SFPP-10G-LR: SFP+ 10GBASE-LR Gigabit Ethernet optic module, 1310 nm, for up to 10 km transmission on single-mode fiber (SMF) cable. Supported card model: SRX-MIC-10XG-SFPP.
  • SRX-QSFP-40G-LR4: QSFP+ 40GBASE-LR4 Gigabit Ethernet single-mode optic module, 1310 nm, for up to 10 km transmission on single-mode fiber (SMF) cable. Supported card model: SRX-MIC-2X40G-QSFP.
Release 12.1X47-D10 Software Features
Application Identification and Tracking
• Application-level distributed denial of service [SRX Series]—As announced in Junos OS Release 12.1X46-D10, application-level distributed denial of service is being deprecated in Junos OS Release 12.1X47-D10. This feature will be removed in a future release per the Juniper Networks deprecation process. As a replacement product for this feature, we recommend that you migrate to the Juniper Networks DDoS Secure product line. For more details, contact your sales engineer.
• Default trusted CA certificates for SSL forward proxy [High-end SRX Series]—SSL forward proxy uses trusted CA certificates for server authentication. Junos OS provides a default list of trusted CA certificates that you can easily load on to your system using a default command option. Alternatively, you can continue to use the CA profile feature to define your own list of trusted CA certificates and import them on to your system.
  [See Services Offloading Overview.]
•
Next-generation application identification [SRX100H2, SRX110H2-VA, SRX110H2-VB,
SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550,
SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and
SRX5800]—Next-generation application identification recognizes Web-based and
other applications and protocols at different network layers using characteristics other
than port number.
With next-generation application identification, applications are identified by using a
downloadable protocol bundle containing application signatures and parsing
information. Here, identification is based on protocol behavior and session management.
Copyright © 2015, Juniper Networks, Inc.
13
Junos OS 12.1X47 Release Notes
Next-generation application identification builds on the legacy application identification
functionality and provides more effective detection capabilities for evasive applications
such as Skype, BitTorrent, and Tor. It improves the accuracy of existing applications,
enables dynamic update of the detector engine without requiring Junos OS code
upgrade, and increases the application count to around 2900.
[See Application Identification Feature Guide for Security Devices.]
•
Next-generation application identification predefined signatures [SRX100H2,
SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2,
SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600,
SRX5400, SRX5600, and SRX5800]—Next-generation application identification
eliminates previously implemented pattern-based matching technology and particular
signature constructs for each application. The new detection mechanism has its own
data feed and constructs to identify applications. Next-generation application
identification eliminates the generation of nested application and treats nested
application as normal applications.
[See Application Identification Feature Guide for Security Devices.]
Chassis Cluster
• Autorecovery of fabric link [SRX Series]—The fabric link feature supports autorecovery,
which includes the following enhancements:
  • The fabric monitoring feature is enabled by default on high-end SRX Series, and hence
  recovery of the fabric link and synchronization take place automatically.
  • If the fabric link goes down, RG1+ becomes ineligible on either the secondary node
  or the node with failures, by default. The node remains in this state until the fabric
  link comes up or the other node goes away.
  • If the fabric link goes down followed by the control link, then after approximately 66
  seconds the secondary node (or the node with failures) assumes that the remote
  node is dead and takes over as the primary node.
[See Understanding Chassis Cluster Fabric Links.]
• Enhanced debugging support for chassis cluster [SRX Series]—The chassis cluster
debugging functionality has the following enhancements:
  • The show chassis cluster status command output includes failure reasons (acronyms
  and their expansions) when the redundancy group's priority is zero.
  • The jsrpd process is cleaner: unwanted logs are removed and the debug log
  messages are moved from level LOG_INFO to LOG_DEBUG.
  • The show chassis cluster information command output displays redundancy group,
  LED, and monitored failure details.
  • SNMP traps send messages when a node's weight goes down and also when it
  recovers.
  • The show chassis cluster ip-monitoring command output displays both the global
  threshold and the current threshold of each node and displays the weight of each
  monitored IP address.
  • A system log message appears when the control link goes down.
[See show chassis cluster ip-monitoring status.]
• In-service software upgrade (ISSU) progress display [High-end SRX Series]—ISSU
supports a progress indicator. During an upgrade, you can see the progress of an ISSU
and the time expected to complete a process. To enable this feature, use the show
chassis cluster information issu command at the console. In addition, you can monitor
real-time ISSU progress through a new session to collect, report, and display cold
synchronization status on SPUs.
[See Understanding the Low-Impact ISSU Process on Devices in a Chassis Cluster.]
• NTP time synchronization in chassis cluster [SRX Series]—Network Time Protocol
(NTP) is used to synchronize the time between the Packet Forwarding Engine and the
Routing Engine in a standalone device and between two devices in a chassis cluster.
In standalone device and chassis cluster mode, the primary Routing Engine runs the
NTP process to get the time from the external NTP server. The secondary Routing
Engine uses NTP to get the time from the primary Routing Engine. On both standalone
devices and clusters, the Packet Forwarding Engine uses NTP to get the time from the
local Routing Engine.
[See Chassis Cluster Feature Guide for Security Devices.]
• Sync backup node configuration from primary node [SRX Series]—Chassis cluster
supports automatic configuration synchronization. When a secondary node joins a
standalone primary node and a chassis cluster is formed, the primary node configuration
is copied and applied to the secondary node. This enhancement saves the user from
spending time on manual copying of the configuration on both nodes.
[See SRX Series Chassis Cluster Configuration Overview.]
• TCP support for DNS [SRX Series]—Prior to Junos OS Release 12.1X47-D10, DNS
resolution was performed with UDP as a transport. Messages carried by UDP are
restricted to 512 bytes; longer messages are truncated and the TC (truncation) bit is
set in the header. The maximum length of UDP DNS response messages is 512 bytes
and the maximum length of TCP DNS response messages is 65,535 bytes. A DNS resolver
knows whether a response is complete by checking whether the TC bit is set in the header.
[See Reconnaissance Deterrence Feature Guide for Security Devices.]
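The truncation check and TCP fallback described above, as an added Python example that is not part of the release notes or Juniper's code: it decodes the RFC 1035 header, tests the TC bit, and frames a message with the 2-byte length prefix that TCP DNS uses to lift the 512-byte UDP limit. The sample responses are constructed, not captured from a device.

```python
"""Added example: detect a truncated UDP DNS reply and fall back to TCP framing."""
import struct

UDP_MAX_DNS_PAYLOAD = 512      # classic UDP limit stated in the notes
TCP_MAX_DNS_MESSAGE = 65535    # 16-bit length prefix on TCP


def parse_dns_header(msg: bytes) -> dict:
    """Decode the DNS header fields of interest (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,     # response flag
        "tc": (flags >> 9) & 1,      # TC (TrunCation) bit
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response: bytes) -> bool:
    """A resolver must treat a TC=1 reply as incomplete and retry over TCP."""
    return parse_dns_header(udp_response)["tc"] == 1


def frame_for_tcp(msg: bytes) -> bytes:
    """TCP DNS prepends a 2-byte big-endian length (RFC 1035 section 4.2.2)."""
    if len(msg) > TCP_MAX_DNS_MESSAGE:
        raise ValueError("message exceeds the 65,535-byte TCP DNS limit")
    return struct.pack("!H", len(msg)) + msg


def read_tcp_frames(stream: bytes) -> list:
    """Split a TCP byte stream back into individual DNS messages."""
    out, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        pos += 2
        if pos + length > len(stream):
            raise ValueError("truncated TCP DNS frame")
        out.append(stream[pos:pos + length])
        pos += length
    return out


def build_response(ident: int, truncated: bool, payload_len: int) -> bytes:
    """Constructed sample reply (QR=1, RD=1, RA=1, optional TC); not a real capture."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    # Constructed: a UDP reply that hit the 512-byte ceiling with TC set.
    udp_reply = build_response(0x1234, truncated=True, payload_len=500)
    print("UDP reply bytes:", len(udp_reply), "retry over TCP:", needs_tcp_retry(udp_reply))
    # The full answer, too large for UDP, carried intact inside a TCP frame.
    full_reply = build_response(0x1234, truncated=False, payload_len=3000)
    frames = read_tcp_frames(frame_for_tcp(full_reply))
    print("TCP frames:", len(frames), "first frame bytes:", len(frames[0]))
```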
Dynamic Host Configuration Protocol (DHCP)
• DHCP server and DHCP client [SRX Series]—The DHCP server and DHCP client include
chassis cluster support for high-end SRX Series devices in addition to branch SRX
Series devices.
[See Administration Guide for Security Devices.]
Flow-Based and Packet-Based Processing
• LAG support in services-offload mode [High-end SRX Series]—LAGs are supported
in services-offload mode. LAG combines links and provides increased bandwidth and
link availability. Services offloading reduces packet latency by processing and forwarding
packets in the network processor instead of in the SPU. Supporting aggregation of
links in the services-offload mode combines the benefits of both these features and
provides enhanced throughput, link redundancy, and reduced packet latency.
[See Services Offloading Overview.]
• Services offloading [SRX5600 and SRX5800]—The following services offloading
features are supported:
  • Per-wing statistics counters
  • Services-offload traffic across different network processors
  • End-to-end debugging in services-offload mode
[See Services Offloading Overview and Example: Configuring an NPC on SRX3000 Line
Devices or SRX1400 Devices to Support Services Offloading.]
General Packet Radio Service (GPRS)
• SCTP IPv6 support [High-end SRX Series]—The SCTP module allows you to configure
the SCTP profile with an IPv6 address and then process the IPv6 traffic. The SCTP
module checks every extension header until it finds the SCTP header and then processes
the SCTP header and ignores all the other headers.
An SCTP endpoint can be a multihomed host with either all IPv4 addresses or all IPv6
addresses. An SCTP endpoint also supports NAT-PT in two directions, from an IPv4
address format to an IPv6 address format, and vice versa.
[See General Packet Radio Service Feature Guide for Security Devices.]
• SCTP multichunk inspection [High-end SRX Series]—The SCTP firewall checks all
chunks in a message and then permits or drops the packet based on the policy. You
can enable the SCTP multichunk inspection and disable the SCTP chunk inspection
to check only the first chunk. If a data chunk is not allowed to pass through the SCTP
profile because of protocol blocking or rate limiting, the SCTP firewall resets this chunk
to a null PDU and continues to check the next chunk. If all chunks in a packet are null
PDUs, the SCTP firewall drops the packet.
[See General Packet Radio Service Feature Guide for Security Devices.]
Interfaces and Chassis
• Promiscuous mode support on the SRX5K-MPC [SRX5400, SRX5600,
SRX5800]—Promiscuous mode function is supported on the SRX5000 line MPC
(SRX5K-MPC) on 1-Gigabit, 10-Gigabit, 40-Gigabit, and 100-Gigabit Ethernet interfaces
on the MICs.
By default, an interface enables MAC filtering. You can configure promiscuous mode
on the interface to disable MAC filtering. When you delete the promiscuous mode
configuration, the interface will perform MAC filtering again. You can change the MAC
address of the interface even when the interface is operating in promiscuous mode.
When the interface is operating in normal mode again, the MAC filtering function on
the MPC uses the new MAC address to filter packets.
[See Understanding Promiscuous Mode on Ethernet Interfaces.]
J-Web
• Improved browser support for J-Web [SRX Series]—J-Web is enhanced to support
modern browsers such as Microsoft Internet Explorer version 8.0, 9.0, and 10.0, Mozilla
Firefox version 23+, and Google Chrome version 28+ to provide cross-platform browser
compatibility.
The following table shows the browser support for the J-Web application.
Table 1: Browser Compatibility on SRX Series Devices
Device: SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, SRX1400,
SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800
Application: J-Web
Supported Browsers:
  • Microsoft Internet Explorer version 8.0, 9.0, and 10.0
  • Mozilla Firefox version 23+
  • Google Chrome version 28+
Recommended Browser: Mozilla Firefox version 23+
• J-Web support for chassis cluster wizard [SRX Series]—A new J-Web wizard is
introduced to support chassis clustering. J-Web provides a step-by-step wizard that
assists in setting up a chassis cluster with a default basic configuration.
• J-Web UI improvements [SRX Series]—The J-Web user interface is improved for better
usability.
The following navigational changes are made to the Configuration tab:
  • Additional filter options are enabled on the Interface Configuration page.
  • Layout of the Zones and Screens page is enhanced.
  • A few menu items are renamed for clarity.
  • New buttons are introduced for launching wizards.
  • Application tracking (previously on the Security Logging page) is moved to the
  Application Tracking Configuration page.
The Dashboard tab includes a link for setting the rescue configuration.
Layer 2 Features
• Layer 2 transparent mode support on the SRX5K-MPC [SRX5400, SRX5600,
SRX5800]—Layer 2 transparent mode is supported on the SRX5000 line MPC
(SRX5K-MPC).
When the SRX5K-MPC is operating in Layer 2 mode, you can configure all interfaces
on the SRX5K-MPC as Layer 2 bridging ports to support Layer 2 traffic.
The SPU supports all security services for Layer 2 bridging functions, and the MPC
delivers the ingress packets to the SPU and forwards the egress packets that are
encapsulated by the SPU to the outgoing interfaces.
[See Layer 2 Bridging and Transparent Mode Overview.]
Multicast
• Layer 3 multicast functionality on the SRX5K-MPC [SRX5400, SRX5600, and
SRX5800]—Layer 3 multicast functionality is supported on the SRX5000 line MPC
(SRX5K-MPC).
The SRX5K-MPC collaborates with the Routing Engine, central point, and SPU to
support the following Layer 3 multicast functionality:
  • Supports IP multicast routing protocols for forwarding multicast traffic
  • Establishes and coordinates operations between multicast shared trees and
  shortest-path tree (SPT)
  • Forwards and receives IP multicast traffic
[See Multicast Feature Guide for Security Devices.]
Network Address Translation (NAT)
• Increased IP address pool limit [SRX5400, SRX5600, and SRX5800]—This feature
is only supported on the SRX5000 line with the SPC II (SRX5K-SPC-4-15-320). This feature
increases the maximum number of IP addresses for NAT bindings from 12,000 to
1,000,000. When using more than 12,000 IP addresses, configure the twin port range to
limit the number of ports.
• Port block allocation [High-end SRX Series]—This feature allocates ports to subscribers
in blocks and generates logs during block allocation or release. Deterministic port block
allocation allows the mapping of a subscriber’s IP address to an external address and
port number using predefined algorithms. This feature reduces excessive log generation.
To configure port block allocation, include the block-size, max-blocks-per-host,
block-active-timeout, and log statements at the [edit security nat source pool pool-name
port block-allocation] hierarchy level.
To configure deterministic port block allocation, include the block-size and host
statements at the [edit security nat source pool pool-name port deterministic] hierarchy
level.
• Source and destination NAT rule application [SRX Series]—The rule match criteria
for source and destination NAT includes a new application option. This option enables
you to configure up to 3072 application terms per rule. In addition, you can configure
up to 8 single destination ports or port ranges with the rule match destination-port
option. Previously, you could configure only a single port or port range.
[See match (Security Destination NAT) and match (Security Source NAT).]
• Twin port configuration [SRX5400, SRX5600, and SRX5800]—This feature lets you
configure the twin port range for source NAT pools to avoid port overloading. The
maximum number of translation ports is 384 million. The default twin port range is
2048, which accommodates 12,000 IP addresses.
To set the global default twin port range for all source pools, use the set security nat
source pool-default-twin-port-range low to high statement.
To set the twin port range for a specific pool, use the set security nat source pool
pool-name port range twin-port low to high statement.
NOTE: If the twin port range is configured for a smaller range, then attackers
can more easily predict the translated port.
Network Management and Monitoring
• IP monitoring of reth interface LAGs [High-end SRX Series]—In addition to the reth
interface, IP monitoring through a redundant LAG is supported to take advantage of
both throughput and redundancy.
IP monitoring checks the end-to-end connectivity of configured IP addresses and allows
a redundancy group to automatically fail over when the monitored IP address is not
reachable through the reth interface. Both the primary and secondary devices in the
chassis cluster monitor specific IP addresses to determine whether an upstream device
in the network is reachable.
[See IP Monitoring Overview.]
• IP monitoring with interface as next-hop option [SRX Series]—IP monitoring enables
you to configure a static route with a P2P interface as the next-hop action when IP
monitoring has failed.
The following added functions support the track-ip option:
  • Next-hop type checking: IP address or interface.
  • Interface type checking for the next hop. Only a P2P interface is supported; committing
  a configuration with any other interface type results in an error message.
  • The interface can be used as a next hop to construct route parameters and call the
  RPD API to add a static route; route addition results are logged.
  • Existing code is used to delete the route when the primary route recovers.
[See show services ip-monitoring status.]
Port Security
• UDP port scan protection [SRX Series]—The UDP port scanning feature is similar to
TCP port scanning in capabilities, user commands, and operational implementation.
The UDP port scanning option is disabled by default. The default threshold period
value is 5000 microseconds. You can manually set the threshold period value, which
ranges from 1000 to 1,000,000 microseconds. This feature protects against DDoS
attacks on some exposed public UDP services by allowing fewer than 10 new sessions
in the configured threshold period for each zone and source IP.
[See Understanding Port Scanning.]
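The threshold logic described above, modelled as an added Python example (not Juniper's implementation): it counts new UDP sessions per zone and source IP inside a sliding window of the configured threshold period and flags the source as soon as the count is no longer fewer than 10. The session records, zone name and addresses are constructed for the demonstration.

```python
"""Added example: sliding-window model of the UDP port scan screen."""
from collections import defaultdict, deque

NEW_SESSION_LIMIT = 10                       # notes: "fewer than 10 new sessions" are allowed
DEFAULT_THRESHOLD_US = 5000                  # default threshold period from the notes
MIN_THRESHOLD_US, MAX_THRESHOLD_US = 1000, 1_000_000   # configurable range from the notes


class UdpPortScanScreen:
    """Track new UDP sessions per (zone, source IP) within the threshold period."""

    def __init__(self, threshold_us=DEFAULT_THRESHOLD_US):
        if not MIN_THRESHOLD_US <= threshold_us <= MAX_THRESHOLD_US:
            raise ValueError("threshold period must be 1000..1000000 microseconds")
        self.threshold_us = threshold_us
        self._windows = defaultdict(deque)   # (zone, src_ip) -> session timestamps (us)

    def new_session(self, zone, src_ip, ts_us):
        """Register a new UDP session; return True if the scan screen triggers."""
        win = self._windows[(zone, src_ip)]
        # Expire sessions that fall outside the threshold period.
        while win and ts_us - win[0] >= self.threshold_us:
            win.popleft()
        win.append(ts_us)
        # The 10th session inside one window is the first one that is not "fewer than 10".
        return len(win) >= NEW_SESSION_LIMIT


def run_screen(records, threshold_us=DEFAULT_THRESHOLD_US):
    """Return the (zone, src_ip, dst_port, ts_us) records that tripped the screen."""
    screen = UdpPortScanScreen(threshold_us)
    hits = []
    for zone, src_ip, dst_port, ts_us in records:
        if screen.new_session(zone, src_ip, ts_us):
            hits.append((zone, src_ip, dst_port, ts_us))
    return hits


def constructed_records():
    """Constructed data: one source sweeps 12 ports in 1.2 ms; another opens 12
    sessions to one port spread over 120 ms, far outside a 5 ms window."""
    sweep = [("untrust", "192.0.2.10", 1000 + i, i * 100) for i in range(12)]
    slow = [("untrust", "192.0.2.20", 53, i * 10_000) for i in range(12)]
    return sweep + slow


if __name__ == "__main__":
    for zone, src, port, ts in run_screen(constructed_records()):
        print(f"UDP port scan: zone={zone} src={src} dst_port={port} t={ts}us")
```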
Public Key Infrastructure (PKI)
• Online Certificate Status Protocol (OCSP) [SRX Series]—OCSP, like CRL, checks the
revocation status of X509 certificates. Requests are sent to the OCSP server(s)
configured in a CA profile with the ocsp url statement at the [edit security pki ca-profile
profile-name revocation-check] hierarchy level. The use-ocsp option must also be
configured. If there is no response from the OCSP server, the request is then sent to
the location specified in the certificate's AuthorityInfoAccess extension.
[See Understanding Online Certificate Status Protocol.]
Routing Protocols
• OSPFv3 IPsec authentication and confidentiality [SRX Series]—OSPF for IPv6, also
known as OSPF version 3 (OSPFv3), does not have built-in authentication to ensure
that routing packets are not altered and re-sent to the router. IPsec can be used to
secure OSPFv3 interfaces and virtual links and provide encryption for OSPF packets.
To configure IPsec for OSPF/OSPFv3, define a security association (SA) with the
security-association sa-name configuration option at the [edit security ipsec] hierarchy
level. The configured SA is then applied to the OSPF/OSPFv3 interface or virtual link
configuration.
[See Understanding OSPF and OSPFv3 Authentication on SRX Series Devices.]
Security Policy
• Integrated user firewall [SRX Series]—This feature retrieves user-to-IP address
mappings from the Windows Active Directory to use as match criteria in firewall policies.
The SRX Series device polls the event log of the Active Directory Controller (ADC) to
determine who has logged on. The username and group are queried from the LDAP
service in the ADC. The SRX Series device uses the IP address, username, and group
information to generate authentication entries that the UserFW module uses to enforce
user-based and group-based policy control over traffic.
• Multiple zones for policies [SRX Series]—This feature enables you to configure multiple
source zones and multiple destination zones in one global policy. Previously, you had
to create a separate policy for each from-zone/to-zone pair, even when other attributes,
such as source-address or destination-address, were identical.
[See Global Policy Overview.]
Unified Threat Management (UTM)
• Downloadable Kaspersky scan engine [Branch SRX Series]—The Kaspersky scan
engine is provided as a downloadable UTM module instead of a preinstalled module
in UTM.
To use this feature, your SRX Series device must have an active UTM license. When
you install the KAV license, the system automatically downloads the Kaspersky module
from the Juniper Networks server and runs it.
When you set the antivirus type to KAV, and if the SRX Series device had a preinstalled
Kaspersky engine, then the downloaded module replaces the original module on the
device. Regardless of the UTM license status, when the KAV license is deleted from
the device, the Kaspersky engine and all files associated with KAV are removed from
the system immediately.
[See Full Antivirus Protection Overview.]
• UTM license enforcement [SRX Series]—License enforcement is supported for UTM
features, including Sophos antivirus, enhanced Web filtering, and antispam filtering
on all high-end SRX Series devices in addition to branch SRX Series devices. You can
add or remove UTM licenses on SRX Series devices. Each feature license is tied to
exactly one software feature and is valid for exactly one device.
Table 2 on page 21 lists the license modules and the license names.
Table 2: UTM License Information
UTM Module   License Name
SAV          av_key_sophos_engine
AS           anti_spam_key_sbl
EWF          wf_key_websense_ewf
[See License Enforcement.]
• UTM on next-generation SPC [SRX5400, SRX5600, and SRX5800]—This feature
provides support for UTM features, including Sophos antivirus, content filtering,
antispam, and enhanced Web filtering on next-generation SPCs.
VPNs
• HMAC-SHA-256-128 authentication [High-end SRX Series]—HMAC-SHA-256-128
authentication is supported for IPsec proposals and manual security associations on
high-end SRX Series devices. You can specify the hmac-sha-256-128 option at the [edit
security ipsec proposal proposal-name] and the [edit security ipsec vpn vpn-name manual]
hierarchy levels.
[See authentication (Security IPsec) and authentication-algorithm (Security IPsec).]
Related Documentation
• Changes in Behavior and Syntax on page 23
• Known Behavior on page 30
• Known Issues on page 39
• Resolved Issues on page 44
• Documentation Updates on page 71
• Migration, Upgrade, and Downgrade Instructions on page 74
Changes in Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax
of Junos OS statements and commands from Junos OS Release 12.1X47 for the SRX
Series.
Application Identification and Tracking
• Next-generation application identification eliminates the generation of new nested
applications and treats existing nested applications as single applications. In addition,
next-generation application identification does not support custom applications or
custom application groups.
Existing configurations involving any nested applications, custom applications, or
custom application groups are ignored and the following warning messages are
displayed as system log messages:
APPID_CUSTOM_APP_UNSUPPORTED: Ignoring unsupported custom app configuration.
APPID_CUSTOM_NESTAPP_UNSUPPORTED: Ignoring unsupported custom nested app
configuration.
Though configurations commit successfully, related functionality will not be available.
For more information, see “Known Behavior” on page 30.
• When you upgrade to Junos OS Release 12.1X47-D10, you might have problems with
application firewall and application QoS rules not being enforced for some applications
and with IDP policy load failures.
Applications or application groups for which services are not enforced or applications
that can cause IDP policy load failures are indicated by the following system log
message:
APPID_APP_GRP_UNSUPPORTED
Example:
APPID_APP_GRP_UNSUPPORTED: Ignoring unsupported entry junos:JOOST in path [edit
class-of-service application-traffic-control rule-sets RS8 rule 1 match application
junos:JOOST] [edit security idp custom-attack cs2 attack-type signature protocol-binding
nested-application JOOST]
APPID_APP_GRP_UNSUPPORTED: Ignoring unsupported entry junos:PPLIVE in path [edit
security application-firewall rule-sets apptest rule 1 match dynamic-application
junos:PPLIVE] [edit class-of-service application-traffic-control rule-sets RS8 rule 1 match
application junos:PPLIVE]
To avoid these problems, we recommend that you upgrade to the latest signature
package.
NOTE: If you are using any applications or application groups that are not
present in the latest signature package, you must remove them from
application firewall and application QoS rules and IDP policies for
installation to complete successfully.
Chassis Cluster
• Starting in Junos OS Release 12.1X46-D20, for all branch SRX Series devices in chassis
cluster mode, there is a node option available for all show chassis CLI commands. The
node option displays status information for all FPCs or for the specified FPC on a specific
node (device) in the cluster.
Flow-Based and Packet-Based Processing
• Prior to Junos OS Release 12.1X46-D10, the SRX Series devices did not decode SCTP
source and destination ports for IPv6 traffic but instead used a preset port 1 to create
flow sessions. These preset ports did not match corresponding security policies and
caused the system to drop SCTP IPv6 traffic.
Starting in Junos OS Release 12.1X47-D10, the actual SCTP source and destination
ports (instead of the preset port 1) will be used to create flow sessions for the SCTP
IPv6 traffic.
Intrusion Detection Prevention (IDP)
New sensor configuration options have been added to log run conditions as IDP session
capacity and memory limits are approached, and to analyze traffic dropped by IDP and
application identification due to exceeding these limitations.
• drop-if-no-policy-loaded—At start up, traffic is ignored by IDP by default if the IDP policy
is not yet loaded. The drop-if-no-policy-loaded option changes this behavior so that
all sessions are dropped before the IDP policy is loaded.
• drop-on-failover—By default, IDP ignores failover sessions in an SRX chassis cluster
deployment. The drop-on-failover option changes this behavior and automatically
drops sessions that are in the process of being inspected on the primary node when a
failover to the secondary node occurs.
• drop-on-limit—By default, sessions are not dropped if the IDP session limit or resource
limits are exceeded. In this case, IDP and other sessions are dropped only when the
device’s session capacity or resources are depleted. The drop-on-limit option changes
this behavior and drops sessions when resource limits are exceeded.
• max-sessions-offset—The max-sessions-offset option sets an offset for the maximum
IDP session limit. When the number of IDP sessions exceeds the maximum session
limit, a warning is logged that conditions exist where IDP sessions could be dropped.
When the number of IDP sessions drops below the maximum IDP session limit minus
the offset value, a message is logged that conditions have returned to normal.
• min-objcache-limit-lt—The min-objcache-limit-lt option sets a lower threshold for
available cache memory. The threshold value is expressed as a percentage of available
IDP cache memory. If the available cache memory drops below the lower threshold
level, a message is logged stating that conditions exist where IDP sessions could be
dropped because of memory allocation failures.
• min-objcache-limit-ut—The min-objcache-limit-ut option sets an upper threshold for
available cache memory. The threshold value is expressed as a percentage of available
IDP cache memory. If available IDP cache memory returns to the upper threshold level,
a message is logged stating that available cache memory has returned to normal. For
example, the following message shows that the available IDP cache memory has
increased above the upper threshold and that it is now performing normally:
• On all SRX Series devices with a single session, when IDP is activated, the upload and
download speeds are slow when compared to the firewall performance numbers.
To overcome this issue, a new CLI command, set security idp sensor-configuration ips
session-pkt-depth, is introduced; the session-pkt-depth sensor configuration is
global for any session.
The session-pkt-depth value specifies the number of packets in a session that IDP
inspects; beyond this value, IDP no longer inspects the packets in that session. For
example, when session-pkt-depth is configured as “n”, IDP inspects only the first (n-1)
packets in that session, and from the nth packet the session is ignored by IDP. The
default value of session-pkt-depth is “0”; when the value is “0”, no packet depth is
applied and IDP performs a full inspection of the session.
• A new attribute, max-synacks-queued, is added to the IDP sensor configuration TCP
reassembler. This attribute defines the maximum number of SYN/ACK packets queued
with different SEQ numbers and takes the values 0 through 5. Also, a new counter,
Duplicate Syn/Ack with different SEQ, is added to the IDP TCP reassembler. This counter
displays the number of SYN/ACK packets with different SEQ numbers.
• A system log message is generated when an IDP signature database update or policy
compilation fails with an empty dynamic group. The system-generated log message
is Dynamic Attack group [dyn_group_1] has no matching members found. Group is empty.
Network Time Protocol
• On all SRX Series devices, when the NTP client or server is enabled in the edit system
ntp hierarchy, the REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages
supported by the monlist feature within NTP might allow remote attackers to cause
a denial of service. To address this, apply a firewall filter on the router's loopback
address that allows only trusted addresses and networks.
Screens
• In Junos OS releases earlier than Junos OS Release 12.1X47-D20, when the session-based
screen limit was hit every second from the same source to multiple destination IP
addresses, or from the same destination to multiple source IP addresses, the firewall
generated a flood of logs per second. For example, if 100 session-based screen attacks
to the same source or the same destination IP address were received in a given second,
then 100 log messages per second were sent to the syslog server.
Starting in Junos OS Release 12.1X47-D20, when a session-based screen is hit multiple
times in a second for the same source or the same destination IP address, only one
syslog message per second is sent for that specific source or destination IP address. If
the session-based screen is hit multiple times in a second for multiple source or multiple
destination addresses, then one syslog message for every unique source and destination
address is sent every second.
This behavior also applies to the flood protection screens TCP-Synflood-src-based,
TCP-Synflood-dst-based, and UDP flood protection.
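The per-second log suppression described above, modelled as an added Python example that is not Juniper's implementation: it keys each screen type on the source or the destination address (our assumption for which address each screen uses), emits at most one message per address per second, and runs over constructed screen events so the before (one log per hit) and after (one log per address per second) counts can be compared.

```python
"""Added example: one syslog message per second per source/destination address."""
from collections import namedtuple

# Constructed event record: timestamp in seconds, screen type, source, destination.
ScreenEvent = namedtuple("ScreenEvent", "ts screen src dst")

# Which address identifies a flood for each screen type (assumed mapping, not from the notes).
KEY_FIELD = {
    "tcp-synflood-src-based": "src",
    "tcp-synflood-dst-based": "dst",
    "udp-flood": "dst",
    "session-limit-src": "src",
    "session-limit-dst": "dst",
}


class ScreenLogLimiter:
    """Emit at most one log line per second for each (screen, address) pair."""

    def __init__(self):
        self._last_logged = {}    # (screen, address) -> second of the last emitted log

    def process(self, ev):
        """Return a syslog line if this event should be logged, else None."""
        key_field = KEY_FIELD[ev.screen]
        addr = getattr(ev, key_field)
        second = int(ev.ts)       # one-second buckets
        key = (ev.screen, addr)
        if self._last_logged.get(key) == second:
            return None           # this address was already logged in this second
        self._last_logged[key] = second
        return f"RT_SCREEN: {ev.screen} {key_field}={addr} at t={second}s"


def emitted_logs(events):
    """Post-D20 behaviour: the suppressed list of log lines for a stream of hits."""
    lim = ScreenLogLimiter()
    return [line for line in (lim.process(e) for e in events) if line]


def constructed_events():
    """Constructed data: 100 SYN-flood hits in second 0 from one source, 100 more
    in second 1 spread over three sources, then one hit in second 2 from the first source."""
    evs = [ScreenEvent(i / 1000, "tcp-synflood-src-based", "203.0.113.5", "198.51.100.1")
           for i in range(100)]
    srcs = ["203.0.113.5", "203.0.113.6", "203.0.113.7"]
    evs += [ScreenEvent(1.0 + i / 1000, "tcp-synflood-src-based", srcs[i % 3], "198.51.100.1")
            for i in range(100)]
    evs.append(ScreenEvent(2.0, "tcp-synflood-src-based", "203.0.113.5", "198.51.100.1"))
    return evs


if __name__ == "__main__":
    events = constructed_events()
    logs = emitted_logs(events)
    print(f"pre-D20 behaviour would log {len(events)} lines; post-D20 logs {len(logs)}:")
    for line in logs:
        print(" ", line)
```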
Security
• Starting in Junos OS Release 12.1X47-D10, on all branch SRX Series devices, the Routing
Engine memory is decreased to 960 MB when an advanced service such as
next-generation application identification, IDP, or UTM is enabled on the device.
System Logging
• The system log message UTMD_EWF_CAT_OBSOLETE is introduced in Junos OS Release
12.1X47-D15.
• The system log message APPID_CUSTOM_APPGRP_UNSUPPORTED is deprecated in
Junos OS Release 12.1X47-D15.
System Management
• During a load override, to increase the memory available to the commit script, make
sure you load the configuration by applying the following commands before commit:
set system scripts commit max-datasize 800000000
set system scripts op max-datasize 800000000
• On an SRX5800 device in transparent mode, if the device is not processing multicast
OSPFv3 hello packets, to fix this condition you must remove the no-packet-flooding
statement from the configuration by using the “delete security flow bridge
no-packet-flooding” command.
NOTE: Packet flooding is enabled by default. If you have manually disabled
packet flooding with the “set security flow bridge no-packet-flooding”
statement, then use the delete command above to revert to the
default behavior, which will allow the device to process multicast OSPFv3
hello packets.
Unified Threat Management (UTM)
• Starting in Junos OS Release 12.1X47-D15, enhanced Web filtering has the following
updates:
  • Addition of five new security categories
  • Modification of category names for eight security categories
Table 3: New categories
Category ID   Category Name               Parent ID   Description
220           Compromised Websites        0           Sites that are vulnerable and known to host
                                                      an injected malicious code or unwanted
                                                      content.
221           Newly Registered Websites   0           Sites whose domain names were registered
                                                      recently.
1529          Classifieds Posting         0           General function that enables a user to post
                                                      a classified advertisement.
1530          Blog Posting                0           General function that enables a user to post
                                                      a blog entry.
1531          Blog Commenting             0           General function that enables a user to post
                                                      a comment.
Table 4: Updates to existing category names
Old Category Name
New Category Name
Racism and Hate
Intolerance
URL Translation Sites
Website Translation
MP3 and Audio Download Services
Media File Download
Non Traditional Religions and Occult and Folklore
Non Traditional Religions
Freeware and Software Download
Application and Software Download
Images Media
Web Infrastructure
Copyright © 2015, Juniper Networks, Inc.
27
Junos OS 12.1X47 Release Notes
Table 4: Updates to existing category names (continued)
•
Old Category Name
New Category Name
Image Servers
Web Images
Potentially Damaging Content
Suspicious Content
In Junos OS Release 12.1X47-D10 and earlier, the UTM default configuration on Junos
OS did not include junos-default-bypass-mime in the mime-whitelist. The user had to
configure the default bypass MIME list manually with the following command:
user@host# set security utm feature-profile anti-virus mime-whitelist list
junos-default-bypass-mime
Starting in Junos OS Release 12.1X47-D15, junos-default-bypass-mime is listed in
mime-whitelist as part of the UTM default configuration on Junos OS, and you do not need
to configure it explicitly. To check the default mime-whitelist configuration, use the
following operational mode commands:
user@host> show configuration groups junos-defaults security utm custom-objects
mime-pattern junos-default-bypass-mime
value [ text/css audio/ video/ image/ ];
user@host> show configuration groups junos-defaults security utm feature-profile
anti-virus mime-whitelist
list junos-default-bypass-mime;
•
Starting in Junos OS Release 12.1X47-D20, enhanced Web filtering has the following
updates:
•
Addition of seven new security categories. See Table 5.
•
Modification of the category name for one security category. See Table 6.
Table 5: New categories
Category ID | Category Name | Parent ID | Description
222 | Collaboration Office | 0 | Category that is used to manage the office domain.
223 | Office Mail | 222 | Office function that enables a user to collaborate through email and messaging.
224 | Office Drive | 222 | Office function that enables a user to collaborate through virtual storage.
225 | Office Documents | 222 | Office function that enables a user to collaborate through document applications.
226 | Office Apps | 222 | Office function that enables a user to collaborate through various applications.
227 | Web Analytics | 9 | Sites that are associated with web traffic analysis.
228 | Web and Email Marketing | 9 | Sites that are associated with online marketing.
Table 6: Updates to existing category names
Old Category Name | New Category Name
Supplements and Unregulated Compounds | Nutrition
VPNs
•
AutoVPN multicast deprecated—Support for multicast traffic in an AutoVPN
hub-and-spoke network is deprecated and will be removed in a future release.
AutoVPN hubs are supported on SRX240, SRX550, SRX650, SRX1400, SRX3400,
SRX5600, and SRX5800 devices. AutoVPN spokes are supported on SRX100, SRX210,
SRX220, SRX240, SRX550, SRX650, and SRX1400 devices.
•
In previous Junos OS releases, the Pulse client could be automatically downloaded
and installed when users logged into a branch SRX Series device that was configured
for dynamic VPN. Starting with Junos OS Release 12.1X47-D15, Pulse client software
is no longer available from dynamic VPN SRX Series devices and must be obtained
from the Juniper Networks Download Software site at
http://www.juniper.net/support/downloads/.
Related
Documentation
•
New and Changed Features on page 6
•
Known Behavior on page 30
•
Known Issues on page 39
•
Resolved Issues on page 44
•
Documentation Updates on page 71
•
Migration, Upgrade, and Downgrade Instructions on page 74
Known Behavior
This section contains the known behaviors, system maximums, and limitations in hardware
and software in Junos OS Release 12.1X47 for the SRX Series.
Application Identification and Tracking
•
In Junos OS Release 12.1X47-D10 with application identification enabled, an impact on
the application traffic throughput is observed compared to Junos OS Release 12.1X46
or earlier releases under the following scenarios:
•
Application system cache is disabled
•
Average session data length is very small (less than 44 KB)
•
Specific application traffic distributed extensively across non-standard random ports
•
Certain application traffic generator profiles are used (not in typical real-world
deployments)
You can use the new performance mode CLI command for improving application traffic
throughput by configuring the enable-performance-mode parameter.
•
Use the set services application-identification enable-performance-mode command
to set the deep packet inspection (DPI) in performance mode with default packet
inspection limit as two packets, including both client-to-server and server-to-client
directions.
•
Use the set services application-identification enable-performance-mode
max-packet-threshold value command to set the maximum packet threshold for DPI
performance mode based on your input, including both client-to-server and
server-to-client directions. Packet inspection limit can be changed with this CLI
command. Range for the max-packet-threshold value is 1 through 100.
•
Use the delete services application-identification enable-performance-mode command
to switch DPI to default accuracy mode and disable the performance mode.
NOTE: By default, DPI performance mode is not enabled on the SRX
Series device.
Use the show services application-identification status command to display detailed
information about application identification status.
In the following sample, the DPI Performance mode field displays whether the DPI
performance mode is enabled or not. This field is displayed in the CLI command output
only if the performance mode is enabled.
pic: 2/1
Application Identification
  Status                               Enabled
  Sessions under app detection         0
  Engine Version                       4.18.2-24.006 (build date Jul 30 2014)
  Max TCP session packet memory        30000
  Force packet plugin                  Disabled
  Force stream plugin                  Disabled
  DPI Performance mode:                Enabled
  Statistics collection interval       1 (in minutes)
Application System Cache
  Status                               Enabled
  Negative cache status                Disabled
  Max Number of entries in cache       262144
  Cache timeout                        3600 (in seconds)
Protocol Bundle
  Download Server                      https://services.netscreen.com/cgi-bin/index.cgi
  AutoUpdate                           Disabled
  Slot 1:
    Application package version        2399
    Status                             Active
    Version                            1.40.0-26.006 (build date May 1 2014)
    Sessions                           0
  Slot 2:
    Application package version        0
    Status                             Free
    Version
    Sessions                           0
•
On all SRX Series devices, in next-generation application identification, the CLI
statements and commands listed in Table 7 on page 31 are deprecated—rather than
immediately removed—to provide backward compatibility and a chance to bring your
configuration into compliance with the new configuration.
Table 7: Items Deprecated in Junos OS Release 12.1X47-D10
Statement | Hierarchy | Additional Information
nested-application | [edit services application-identification] | Configure a custom nested application definition that will be used by the system to identify the nested application as it passes through the device.
nested-application-settings | [edit services application-identification] | Configure nested application options for application identification services.
enable-heuristics | [edit services application-identification] | Enable encryption and P2P detection.
max-checked-bytes | [edit services application-identification] | Configure the maximum number of bytes to be applied with the application signatures.
nested-application | [edit security idp custom-attack attack-name attack-type signature protocol-binding] and [edit security idp custom-attack attack-name attack-type chain protocol-binding] | Specify the nested application name during configuration of custom attack objects to detect known or unknown attacks. NOTE: All nested applications that used to be listed under this statement are now listed under the application application-name statement at the [edit security idp custom-attack attack-name attack-type signature/chain protocol-binding] hierarchies.
nested-application | [edit security application-firewall] | Enable the nested application dynamic lookup to match the application firewall with an application rule during application firewall policy lookup, if there is no explicit rule for the nested application.
max-sessions | [edit services application-identification] | Specify the maximum number of sessions application identification maintains. If the value reaches the maximum, all new sessions are dropped.
request services application-identification application copy predefined-application-name | NA | Copy a predefined application signature from the database to the configuration and change the name.
show services application-identification counter ssl-encrypted-sessions | NA | Display application identification counters for SSL-encrypted traffic.
•
On all SRX Series devices, custom application signatures are not supported with this
version of application identification.
As a part of this change, the CLI statements used for configuring custom applications
as listed in Table 8 on page 32 are not supported in this release.
Table 8: Statements Not Supported in Junos OS Release 12.1X47-D10
Statement | Hierarchy | Additional Information
application | [edit services application-identification] | Configure a custom application definition for the desired application name that will be used by the system to identify the application as it passes through the device.
application-group | [edit services application-identification] | Specify any number of associated predefined applications, user-defined applications, and other groups for ease of use in configuring application-based policies.
•
On all SRX Series devices, application-level distributed denial of service is being
deprecated in Junos OS Release 12.1X47-D10. As a part of this change, the CLI
statements and commands listed in Table 9 on page 33 are deprecated—rather than
immediately removed—to provide backward compatibility and a chance to bring your
configuration into compliance with the new configuration.
Table 9: Items Deprecated in Junos OS Release 12.1X47-D10
Statement | Hierarchy | Additional Information
application-ddos | [edit security idp] | Configure application-level distributed denial-of-service (DDoS) protection.
rulebase-ddos | [edit security idp idp-policy policy-name] | Configure the rulebase parameters for application-level DDoS attacks.
application-ddos | [edit security idp sensor-configuration] | Enables application-level DDoS statistics collection.
clear security idp application-ddos cache | – | Clear application-level distributed denial-of-service (DDoS) state including context, context value, and client classification.
show security idp application-ddos application | – | Display basic statistics for the servers being protected by the IDP application-level DDoS feature.
show security idp counters application-ddos | – | Display the status of all IDP application-DDoS counter values.
clear security idp counters application-ddos | – | Clear the status of all IDP application-DDoS counter values.
We strongly recommend that you phase out deprecated items and replace them with
supported alternatives.
•
On all high-end SRX Series devices, application-level distributed denial-of-service
(application-level DDoS) detection does not work if two rules with different
application-level DDoS applications process traffic going to a single destination
application server. When setting up application-level DDoS rules, make sure that you
do not configure rulebase-ddos rules that have two different application-ddos objects
when traffic destined to one application server can be processed by more than one rule.
Essentially, for each protected application server, you have to configure the
application-level DDoS rules so that traffic destined for one protected server is processed
by only one application-level DDoS rule.
NOTE: Application-level DDoS rules are terminal, which means that once
traffic is processed by one rule, it will not be processed by other rules.
The following configuration can be committed, but it will not work properly:
source-zone | destination-zone | destination-ip | service | application-ddos | Application Server
source-zone-1 | dst-1 | any | http | http-appddos1 | 1.1.1.1:80
source-zone-2 | dst-1 | any | http | http-appddos2 | 1.1.1.1:80
•
On all high-end SRX Series devices, application-level DDoS rule base (rulebase-ddos)
does not support port mapping. If you configure an application other than default, and
if the application is from either predefined Junos OS applications or a custom application
that maps an application service to a nonstandard port, application-level DDoS
detection will not work.
When you configure the application setting as default, IDP uses application identification
to detect applications running on standard and nonstandard ports; thus, the
application-level DDoS detection would work properly.
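The following Python check (an added example, not Juniper code) flags rulebase-ddos rules that can both process traffic to the same protected server while applying different application-ddos objects, using the commit-but-does-not-work configuration above as its sample input. The rule names, the dictionary field names, and the destination-ip prefixes in the corrected rule set are constructed for the example. The check deliberately ignores source-zone: a server receives traffic from every source zone, so two rules that differ only in source zone still both process traffic to that server.

```python
"""Added example, not from Junos OS or the release notes: lint rulebase-ddos
rules for the one-rule-per-protected-server constraint described above."""
import ipaddress
from itertools import combinations


def _dst_overlaps(a, b):
    """destination-ip values overlap if either is 'any' or the prefixes intersect."""
    if a == "any" or b == "any":
        return True
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def conflicting_ddos_rules(rules):
    """Return (name, name) pairs of rules that may both process traffic to the
    same server but apply different application-ddos objects.

    Two rules target the same server when they share destination-zone and
    service and their destination-ip values overlap. Source zone is ignored on
    purpose (see lead-in). Rules that share one application-ddos object are fine."""
    conflicts = []
    for r1, r2 in combinations(rules, 2):
        same_target = (r1["destination_zone"] == r2["destination_zone"]
                       and r1["service"] == r2["service"]
                       and _dst_overlaps(r1["destination_ip"], r2["destination_ip"]))
        if same_target and r1["application_ddos"] != r2["application_ddos"]:
            conflicts.append((r1["name"], r2["name"]))
    return conflicts


# Constructed from the configuration in the text that commits but does not work.
BROKEN_RULES = [
    {"name": "rule-1", "source_zone": "source-zone-1", "destination_zone": "dst-1",
     "destination_ip": "any", "service": "http", "application_ddos": "http-appddos1"},
    {"name": "rule-2", "source_zone": "source-zone-2", "destination_zone": "dst-1",
     "destination_ip": "any", "service": "http", "application_ddos": "http-appddos2"},
]

# Constructed: same two objects, but each rule now names a distinct server, so
# traffic to one server can only ever match one rule.
FIXED_RULES = [
    {"name": "rule-1", "source_zone": "any", "destination_zone": "dst-1",
     "destination_ip": "1.1.1.1/32", "service": "http", "application_ddos": "http-appddos1"},
    {"name": "rule-2", "source_zone": "any", "destination_zone": "dst-1",
     "destination_ip": "1.1.1.2/32", "service": "http", "application_ddos": "http-appddos2"},
]

# Constructed: two source zones for one server are acceptable if both rules use
# the same application-ddos object.
SAME_OBJECT_RULES = [
    {"name": "rule-1", "source_zone": "source-zone-1", "destination_zone": "dst-1",
     "destination_ip": "any", "service": "http", "application_ddos": "http-appddos1"},
    {"name": "rule-2", "source_zone": "source-zone-2", "destination_zone": "dst-1",
     "destination_ip": "any", "service": "http", "application_ddos": "http-appddos1"},
]

if __name__ == "__main__":
    for label, rules in [("broken", BROKEN_RULES), ("fixed", FIXED_RULES),
                         ("same object", SAME_OBJECT_RULES)]:
        print(f"{label}: conflicts = {conflicting_ddos_rules(rules)}")
```

Because application-level DDoS rules are terminal, the first match wins and the second application-ddos object never sees the server's traffic consistently, which is the silent failure this check is meant to surface before commit.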
CLI and J-Web
•
In the CLI and J-Web, the number of users allowed to access the device is limited as follows:
Device | CLI Users | J-Web Users
SRX100 | 6 | 3
SRX110 | 6 | 3
SRX210 | 4 | 3
SRX220 | 9 | 5
SRX240 | 6 | 5
SRX550 | 11 | 5
SRX650 | 11 | 5
Dynamic Host Configuration Protocol (DHCP)
•
On all SRX Series devices, DHCPv4 is supported only in Layer 3 mode; the DHCP server
and DHCP client are not supported in Layer 2 transparent mode.
•
On all SRX Series devices, DHCPv6 client authentication is not supported.
•
On all SRX Series devices, logical systems and routing instances are not supported for
DHCP client in chassis cluster mode.
Flow-Based and Packet-Based Processing
•
On all branch SRX Series devices, GRE fragmentation is not supported in packet-based
mode.
General Packet Radio Service (GPRS)
•
On all high-end SRX Series devices, only a unified ISSU to the immediately following Junos
OS release is supported. For example, a unified ISSU from Junos OS Release 12.1X44 to
Junos OS Release 12.1X45 is supported.
Hardware
•
SRX5800 devices do not support a redundant SCB card (third SCB) if an SRX5k
SPC II (FRU model number: SRX5K-SPC-4-15-320) is installed on the device. If you
have installed an SRX5K SPC II on an SRX5800 device with a redundant SCB card,
make sure to remove the redundant SCB card.
•
On SRX100, SRX110, SRX210, and SRX220 devices, mixing DRAM sizes within a chassis
cluster is not supported; a chassis cluster is supported when both devices have the same
1 GB or 2 GB of memory.
•
On SRX5400, SRX5600, and SRX5800 devices, services offloading is not supported
on Modular Port Concentrators (SRX5K-MPCs) and Modular Interface Cards (MICs).
Interfaces and Chassis
•
On all branch SRX Series devices, the CLNS routing is not supported on aggregated
Ethernet interfaces.
•
On all SRX Series devices, the Link Layer Discovery Protocol (LLDP) is not supported
on reth interfaces.
Integrated User Firewall
•
On SRX Series devices, Integrated User Firewall has the following limitations:
•
IPv6 addresses are not supported.
•
Logical systems are not supported.
•
The WMIC does not support multiple users logged onto the same PC.
•
Domain controllers and domain PCs must be running a Windows OS. The minimum
supported Windows client is Windows XP; the minimum supported server is
Windows Server 2003.
Intrusion Detection and Prevention (IDP)
•
On all high-end SRX Series devices, in sniffer mode, the flow shows both the source and
the destination interface as the egress interface.
As a workaround, in sniffer mode, use tagged interfaces so that distinct interface
names appear in the logs. For example, with ge-0/0/2.0 as the ingress (sniff) interface
and ge-0/0/2.100 as the egress interface, the logs show the source interface as
ge-0/0/2.100:
set interfaces ge-0/0/2 promiscuous-mode
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 0 vlan-id 0
set interfaces ge-0/0/2 unit 100 vlan-id 100
NOTE: On all branch SRX Series devices, the sniffer mode is not supported.
IP Monitoring
•
On SRX5400, SRX5600, and SRX5800 devices, in each PIC on the 40x1GE IOC cards
only 2 of the 10 ports can be enabled with IP monitoring on both the primary and
secondary sides. If more than two ports on the same PIC are enabled with IP monitoring,
the behavior of IP monitoring through reth or RLAG on the secondary side might be
abnormal.
•
On SRX5400, SRX5600, and SRX5800 devices, the maximum number of IP addresses
that can be configured for monitoring is limited to 64.
•
On SRX1400, SRX3400, and SRX3600 devices, the maximum number of IP addresses
that can be configured for monitoring is limited to 32.
•
On all high-end SRX Series devices, the default configuration and minimum interval
of IP monitoring is 1 second, and the maximum interval is 30 seconds.
•
On all high-end SRX Series devices, the default and minimum threshold of IP monitoring
is 5, and the maximum threshold is 15.
•
When IP monitoring is enabled on a different subnet than the reth IP address, then you
must configure the proxy-arp unrestricted option on the upstream router.
IPv6
•
On all branch SRX Series devices, IPv6 flows are not supported in transparent mode.
Layer 2 Transparent Mode
•
On all branch SRX Series devices, configuring Layer 2 Ethernet switching family in
Transparent Mode for an interface is not supported.
Network Address Translation (NAT)
•
On high-end SRX Series devices, the number of IP addresses for NAT with port
translation has been increased to 1M addresses.
The SRX5000 line, however, supports a maximum of 384M translation ports, and this
limit cannot be increased. To use 1M IP addresses, you must make sure that the number
of twin ports per IP address is less than 384. The following CLI statements enable you to
configure the twin port range and so limit the number of twin ports:
•
set security nat source pool-default-twin-port-range <low> to <high>
•
set security nat source pool sp1 port range twin-port <low> to <high>
TCP-Based DNS
•
On all SRX Series devices, the Routing Engine policy supports a maximum of 1024 IPv4
address prefixes and 256 IPv6 address prefixes that can be sent to the Packet
Forwarding Engine. If the number of IPv4 or IPv6 address prefixes exceeds these limits,
the addresses over the limit are not sent to the Packet Forwarding Engine and a system
log message is generated. The maximum number of addresses in a TCP DNS response
is 4094 for IPv4 addresses and 2340 for IPv6 addresses, but only 1024 IPv4 addresses
and 256 IPv6 addresses are loaded to the Packet Forwarding Engine.
Upgrade and Downgrade
•
On the SRX240B2 and SRX240H2 models, when you try to upgrade from Junos OS
Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade fails
when attempting to validate the configuration. To resolve this, use the no-validate
option.
VPNs
•
RIP is not supported in point-to-multipoint (P2MP) VPN scenarios including AutoVPN
deployments. We recommend OSPF or IBGP for dynamic routing when using P2MP
VPN tunnels.
Related
Documentation
•
New and Changed Features on page 6
•
Changes in Behavior and Syntax on page 23
•
Known Issues on page 39
•
Resolved Issues on page 44
•
Documentation Updates on page 71
•
Migration, Upgrade, and Downgrade Instructions on page 74
Known Issues
This section lists the known issues in hardware and software in Junos OS Release
12.1X47-D20 for the SRX Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
Application Identification and Tracking
•
On all SRX Series devices, the Layer 3 and Layer 4 signatures (IP and ICMP protocols)
are not supported in AppID 2.0. PR986058
•
On all SRX Series devices, when you upgrade Junos OS Release from 12.1X46-D10 to
12.1X47-D20, the appcache and session state synchronization is not supported because
of incompatible changes in the AppID engine. PR986569
Application Layer Gateways (ALGs)
•
On all SRX Series devices with the MS-RPC ALG enabled, when more than one IP and
port pair exists in the MS-RPC response packet and these IP and port pairs are the same,
the ALG group might occasionally leak. This issue might also occur in a Sun RPC scenario.
PR1010499
Chassis Cluster
•
On all high-end SRX Series devices, it is strongly recommended that the device be
running below 50 percent CPU on both the control plane and the data plane before starting
an ISSU. If the primary device is running at more than 70 percent CPU, the ISSU will fail in
most cases because of cold synchronization failures. Use the show chassis routing-engine
(RE CPU) and show security monitoring (SPC CPU) commands to check CPU utilization.
If the device is running at high CPU, it is strongly recommended that you disable
traceoptions or allow only critical-level logging, for example with deactivate chassis cluster
traceoptions and deactivate security policies from-zone untrust to-zone trust policy
default-deny then log session-close/session-init. If the high CPU is caused by heavy traffic,
redirect the traffic to another security device or wait until the traffic subsides. PR1016437
•
On all high-end SRX Series devices in a chassis cluster, when both the nodes are
rebooted simultaneously, the chassis cluster environment might show interface
monitoring failure even though the monitored interface is up. This causes unnecessary
failover on the redundancy group. PR1032711
Dynamic Host Configuration Protocol (DHCP)
•
On all high-end SRX Series devices, the sub object identifier (OID) values displayed
under jnxJdhcpLocalServerBindings are incorrect. PR946036
•
On all high-end SRX Series devices, after you delete the DHCP server binding, the IP
addresses assigned to the ARP and host route still exist in the device. PR947601
•
On all high-end SRX Series devices, the DHCP relay does not work when you configure
the DHCP relay point to the local server cross-routing instance. PR964710
Flow-Based and Packet-Based Processing
•
On all multithreaded SRX Series devices (SRX240 and above), if IDP, AppSecure, ALG,
GTP, or SCTP is enabled (features that require serialized flow processing), two flow
threads might work on the same session at the same time during serialized flow
processing. This issue might cause memory corruption and then a flowd process crash.
PR1026692
•
On all high-end SRX Series devices, when the SPU works in high stress mode, the
internal event queue can be full, and an event can be lost. There is no retransmission
mechanism for this internal event, and the connection enters a “session stuck” state.
The session that is stuck is recovered by the upper layer applications. For example,
when the TCP session log module is stuck, you cannot send any log messages. After
30 seconds, the log module detects this condition and restarts the new connection to
send the log message. However, if the UDP session log module is stuck, you can still
send the log message.
As a workaround, for SPC II cards, the maximum number of concurrent sessions that
need Layer 7 processing is 3000 per SPU. For other devices, the maximum number of
concurrent sessions that need Layer 7 processing is 2500 per SPU. PR1060529
Interfaces and Routing
•
On all high-end SRX Series devices, during the ISSU process, the Packet Forwarding
Engine connects to and sometimes disconnects from the Routing Engine, so the IP resolve
events sent to the Packet Forwarding Engine are ignored. When you configure multiple
DNS policies after the ISSU process, some of the policies will not have IP addresses in
the Packet Forwarding Engine.
As a workaround, use the request security policies resync command. PR985731
•
On SRX100H2 and SRX220H2 devices, when you enable vlan tagging on interfaces
and commit the configuration, the interface speed and duplex mode might cause the
interface to stop processing traffic.
As a workaround, deactivate and then activate the affected interface. PR1003423
•
On SRX210 and SRX220 devices, broadcast packets might not be sent to the Routing
Engine following system initialization. PR1029424
Intrusion Detection and Prevention (IDP)
•
On all branch SRX Series devices, severity for the IDP report changes from log severity
to threat severity. PR1019401
J-Web
•
On all SRX Series devices in J-Web, policies configured using the Firewall wizard are
not reflected on the Configure > Security > Policy > Firewall Policy page. PR933053
•
On all SRX Series devices, the feature session limit is based on the managed session
entries, but in modern browsers the session is shared among multiple tabs and
windows. Hence, the feature can only work with windows opened in different
browsers. PR1000332
•
On all branch SRX Series devices, the J-Web Dashboard does not show the correct LED
color for alarm status. PR1026883
•
On all branch SRX Series devices, when you use the J-Web setup wizard to create a new
configuration and apply it, the changes are applied but not committed. As a result, the
device displays the configuration change alert and prompts you to commit the
configuration.
As a workaround, after applying a configuration created with the J-Web setup wizard,
perform a commit operation.
PR1058434
Network Address Translation (NAT)
•
On all high-end SRX Series devices in a chassis cluster, some persistent NAT table
entries cannot be removed on the SPU when the device is under heavy traffic with
multiple failovers. PR834823
•
On all SRX Series devices, when persistent NAT is enabled, allocation of resource (port)
for an incoming session failed. The session reference count for that binding increases
constantly even if no more sessions are associated with it. This results in stale entries
in the persistent NAT binding table, which causes persistent NAT table exhaustion.
PR1036020
•
On SRX5400, SRX5600, and SRX5800 devices with the SPC II
(SRX5K-SPC-4-15-320) installed, if a NAT IP address pool is configured with a large
number of IP addresses (more than 56,000), executing the show snmp mib walk
jnxJsNatSrcNumPortInuse command causes the flowd process to crash. PR1052154
Platform and Infrastructure
•
On all SRX Series devices, when you connect to the device through wireless AP the
secure access port incorrectly allows access to the MAC addresses that are not in the
list of allowed MAC addresses. PR587163
•
On all high-end SRX Series devices, when you try to reload a kernel module that is
already linked to the kernel, an error message is displayed because the module is
already present. No functionality is impacted by the error message. PR817861
•
On all SRX Series devices, when you upgrade a Junos OS release from one version to
another, the following error messages are displayed:
Network security daemon: rtslib: ERROR kernel does not support all messages: expected
102 got 98,a reboot or software upgrade may be required
Network security daemon: rtslib: WARNING version mismatch for msg unknown: expected
98 got 0,a reboot or software upgrade may be required
These error messages are harmless and are generated during image checking, and the
messages do not impact the ISSU. PR926661
•
On all high-end SRX Series devices, when multicast is used and there are more than 600
copies of a multicast packet for a multicast group, the flowd process might crash while
a change to the multicast configuration is committed. PR986592
•
On all SRX Series devices, the \x22 \x27 parsing fails because of the escape sequences
in C.
As a workaround, insert x/22 between the escape sequences. For example, insert
\x\x2222\x\x2227 between the escape sequences. PR992606
•
On all branch SRX Series devices, after enabling IEEE 802.1X, the connected devices
on some ports might fail to be authenticated. This is because MAC authentication
requests might get stuck on the eswd process, therefore this issue might be seen on
certain random ports, not all ports. PR1042294
•
On all branch SRX Series devices, the message twsi0: Device timeout on unit 1 fills the
console on soft reboot. PR1050215
•
On all branch SRX Series devices, the configurations of group junos-defaults are lost
after a configuration rollback. As a result, the commit command fails. PR1052925
Security Policy
•
On SRX3400 and SRX3600 devices, with the policy count option in logical systems, the
statistics were displayed only after a delay following a show command, or the counters
stopped incrementing if both redundancy groups were not on the same node after a
failover. PR782546
System Logging
•
On all branch SRX Series devices, when you configure the TCP connections of the
system log stream with more than one TCP connection (for example, three), redundancy
group failover occurs.
As a workaround, clear the log connections and re-create the TCP log connections.
The TCP connections will be reduced to two. PR1038113
•
On all high-end SRX Series devices, the network processor offloading and UTM cannot
coexist at the same time. The network processor offloading is disabled automatically
if UTM is enabled. This is due to a memory capacity limitation. PR1059527
VPN
•
On all SRX Series devices, the block size for Advanced Encryption Standard (AES) in
Galois/Counter Mode (GCM) has been reduced from 8 to 4. Block size 8 is used for
connecting to other SRX Series devices, and block size 4 is interoperable with systems
from Cisco, strongSwan, and other companies. When you set the correct block size 4
for AES-GCM, it causes a problem when connecting to previous releases of Junos OS
for SRX Series devices. The problem affects certain packet sizes, so it might appear
to work for some traffic, such as ping, but not for other traffic. In a hub-and-spoke
configuration, the upgrade causes problems with tunnels to all spokes until they are
upgraded.
As a workaround, for a hub-and-spoke topology, first change the tunnel to an algorithm
other than AES-GCM. Next, upgrade each spoke. After you have upgraded all spokes
(and therefore AES-GCM is not being used), upgrade the hub. Finally, change each
tunnel back so that it uses AES-GCM again.
For other network topologies, you must change each AES-GCM tunnel to another
algorithm, upgrade the devices, and then change the configurations back to AES-GCM.
PR1037432
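The "block size" in this item cannot be the AES block size, which is always 16 bytes. For AES-GCM in ESP, the quantity that is 4 on interoperable implementations is the alignment to which the ESP payload is padded before the 2-byte trailer (RFC 4106 calls for 4-byte alignment), and the following Python model (an added example, not Juniper code) assumes that reading of the note. It shows why a peer that pads to 4 bytes interoperates with one that still enforces 8-byte alignment only for some packet sizes, so a default-size ping passes while other traffic fails, and why the breakage is one-directional, which is what makes the hub the last device to upgrade. The legacy 8-byte check and the inner packet sizes are constructed for the example.

```python
"""Added example, not from Junos OS or the release notes: model ESP trailer
padding for AES-GCM under two alignment requirements.

ASSUMPTION: the release note's 'block size' is read as the alignment the
ESP payload (plaintext + padding + 2-byte trailer) is padded to, and the
legacy receiver is assumed to reject payloads that are not 8-byte aligned.
"""

ESP_TRAILER_LEN = 2      # Pad Length (1) + Next Header (1), RFC 4303
PAD_ALIGN_RFC4106 = 4    # alignment RFC 4106 requires for AES-GCM ("block size 4")
PAD_ALIGN_LEGACY = 8     # alignment assumed for the older behaviour ("block size 8")


def esp_pad_length(payload_len, align):
    """Padding bytes a sender adds so payload + padding + trailer is a multiple of align."""
    return (-(payload_len + ESP_TRAILER_LEN)) % align


def esp_encrypted_length(payload_len, align):
    """Length of the encrypted-and-authenticated region the sender emits."""
    return payload_len + esp_pad_length(payload_len, align) + ESP_TRAILER_LEN


def receiver_accepts(payload_len, sender_align, receiver_align):
    """True if a receiver that insists on receiver_align accepts the sender's packet."""
    return esp_encrypted_length(payload_len, sender_align) % receiver_align == 0


def incompatible_sizes(sender_align, receiver_align, sizes):
    """Inner packet sizes this sender/receiver pair cannot exchange."""
    return [n for n in sizes if not receiver_accepts(n, sender_align, receiver_align)]


# Constructed inner (pre-ESP) packet sizes.
PING_DEFAULT_LEN = 84            # 20 IP + 8 ICMP + 56 bytes of echo data
TCP_SYN_NO_OPTIONS_LEN = 40      # 20 IP + 20 TCP


def summarize():
    """Upgraded (4-byte) sender to legacy (8-byte) receiver, and the reverse direction."""
    return {
        # default ping happens to land on an 8-byte boundary either way: looks healthy
        "ping_new_to_old": receiver_accepts(PING_DEFAULT_LEN, PAD_ALIGN_RFC4106, PAD_ALIGN_LEGACY),
        # a bare SYN padded to 4 bytes is rejected by the legacy receiver
        "syn_new_to_old": receiver_accepts(TCP_SYN_NO_OPTIONS_LEN, PAD_ALIGN_RFC4106, PAD_ALIGN_LEGACY),
        # anything 8-byte aligned is also 4-byte aligned: legacy sender -> new receiver works
        "syn_old_to_new": receiver_accepts(TCP_SYN_NO_OPTIONS_LEN, PAD_ALIGN_LEGACY, PAD_ALIGN_RFC4106),
        # half of all sizes fail in the new -> old direction
        "failing_sizes_64_to_79": incompatible_sizes(PAD_ALIGN_RFC4106, PAD_ALIGN_LEGACY, range(64, 80)),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Under this model every packet built by an 8-byte-aligned sender is accepted by a 4-byte-aligned receiver, but not the reverse, which is why the spokes (receivers of the hub's traffic) must be upgraded before the hub, and why ping alone is not a sufficient post-upgrade tunnel check.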
Related
Documentation
•
New and Changed Features on page 6
•
Changes in Behavior and Syntax on page 23
•
Known Behavior on page 30
•
Resolved Issues on page 44
•
Documentation Updates on page 71
•
Migration, Upgrade, and Downgrade Instructions on page 74
Copyright © 2015, Juniper Networks, Inc.
43
Junos OS 12.1X47 Release Notes
Resolved Issues
This section lists the issues fixed in the Junos OS main release and the maintenance
releases.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
Resolved Issues 12.1X47-D20
Application Layer Gateways (ALGs)
•
On all high-end SRX Series devices, SCTP sessions are established on the SPU selected
by the port hash algorithm. This means that session affinity does not take effect for
SCTP traffic even if the SCTP ALG is disabled. Because SCTP handling and session
affinity inherently conflict, session affinity does not support SCTP traffic when the
SCTP ALG is enabled either. PR1019859
•
On all SRX Series devices with the SIP ALG and NAT enabled, the SIP ALG does not
perform IP translation for retransmitted 183 Session Progress messages. In this
scenario, the SIP call fails when the device first receives a 183 Session Progress
message without SDP information and the retransmitted 183 Session Progress
message contains SDP information. PR1036650
•
On all SRX Series devices, the DNS ALG does not terminate the session when a
truncated DNS reply is received. Hence, the session remains up until the high timeout
(10~50) is reached. PR1038800
•
On all SRX Series devices, if SUN RPC traffic has the same IP address, port number,
and program ID as an existing session but arrives from a different source zone, the
traffic is dropped by the SUN RPC ALG. PR1050339
Chassis Cluster
•
On SRX5400, SRX5600, and SRX5800 devices with SPC II cards installed, when IP
spoofing is enabled, the address books in the Packet Forwarding Engine are removed
after the device is rebooted and are not pushed back into the Packet Forwarding Engine.
As a result, IP spoofing detection does not work after the reboot. PR920216
•
On all SRX Series devices configured in a chassis cluster, VLAN interfaces on the primary
node might flap or go down. PR1001162
•
On all high-end SRX Series devices in a chassis cluster, when you perform an ISSU
upgrade on a chassis cluster containing an IDP detector configuration, the FPCs on
one node might remain in the offline state. PR1025203
CLI
•
On all high-end SRX Series devices, system commit synchronize is not supported. Hence,
when you configure it, it will not be committed due to a configuration lock. PR1012692
•
On all SRX Series devices, CLI auto-complete does not work for any keywords after
you run the set system login class <name> permissions command. PR1032498
Dynamic Host Configuration Protocol (DHCP)
•
On all high-end SRX Series devices, the DHCP server option-82 does not work. PR949717
•
On all branch SRX Series devices, in DHCP requests, the IP TTL value is set to 1 and
the DHCP option 12 is missing. PR1011406
•
On all branch SRX Series devices configured as a DHCP server (using JDHCP), even
though the next-server (siaddr) and tftp boot-server options are configured, the siaddr
and TFTP boot server fields are set to 0.0.0.0 in DHCP reply packets. PR1034735
•
On all SRX Series devices configured as a DHCP server (using the jdhcpd process),
when the DHCP server receives a new request from a client and obtains an IP address
from the authentication process (authd), the jdhcpd process is expected to communicate
with the authd process twice (once for the DHCP discover message and once for the
DHCP request message). If authentication fails on the first message, the authd process
waits indefinitely for the second authentication request, but the jdhcpd process never
sends it, because it detects that the first authentication did not succeed. This causes
a memory leak in the authd process; memory might become exhausted, generating a
core file and preventing DHCP server service. High CPU usage on the Routing Engine
might also be observed. PR1042818
Flow-Based and Packet-Based Processing
•
On all high-end SRX Series devices, after a failover, each existing session on the newly
active device goes through a reroute process. The reroute is deferred until the first
packet hits the existing session. If multiple packets of the same session arrive at once
and are picked up by different threads, only one thread runs the reroute while the other
threads wait for the result before forwarding their packets. This waiting penalizes
traffic of other sessions and reduces overall throughput. Therefore, such packets are
now dropped instead of waiting, to preserve overall system fairness and throughput.
The drop does not affect newly created sessions, because those take a different data
path. PR890785
•
On all high-end SRX Series devices, when IPsec is enabled, AppQoS does not apply
the rate limiter for egress traffic. PR918942
•
On all branch SRX Series devices, the temporary flowd process crashes while you run
the get-software-information level=detail command using a NETCONF client. This type
of flowd crash is harmless. PR937450
•
On SRX1400 devices, in a rare condition, SPUs might enter an infinite loop. High
CPU usage on the SPUs is seen, and the flowd process eventually crashes. PR1017665
•
On all branch SRX Series devices in Layer 2 transparent mode, the flowd process might
generate a core file when two packets of the same connection are received in a short
time before the flow session is created, and destination MAC address lookup succeeds
for these two packets. PR1025983
•
On all high-end SRX Series devices, when the device forwards traffic, a flowd core file
is generated. This is a generic issue and does not impact any specific feature. PR1027306
•
On SRX5400, SRX5600, and SRX5800 devices with an SRX5K IOC II, configuring a
sampling feature (flow monitoring) might cause high kernel heap memory usage.
PR1033359
•
On all SRX Series devices, when WebTrends Enhanced Log File (WELF) format is
configured for the security log, the device generates very long WELF-formatted logs
(for example, logs more than 1000 bytes). When the log is truncated on the Packet
Forwarding Engine and sent to the Routing Engine, memory corruption occurs, causing
the flowd process to crash. This issue generally occurs when UTM Web filtering is
configured. PR1038319
•
On all branch SRX Series devices in a chassis cluster Z mode, if static NAT or destination
NAT is configured, and in the NAT rule, the IP address of the incoming interface is used
as a matching condition of the destination address (for example, set security nat static
<rule-set-name> rule <rule-name> match destination-address <use the IP address of
incoming interface>), then the traffic matching the NAT rule is discarded. PR1040185
Interfaces and Routing
•
On all high-end SRX Series devices, when the device acts as an NTP broadcast server,
the broadcast addresses must be in the default routing instance. NTP messages are not
broadcast when the address is configured in a VPN virtual routing and forwarding
(VRF) instance. PR887646
•
On all high-end SRX Series devices, LAG interface gratuitous ARP is neither generated
nor sent out on the link when gratuitous-arp-on-ifup is configured. PR889851
•
On SRX240, SRX550, and SRX650 devices, detecting that a link is down might be
delayed by several seconds (at most 4 seconds). PR1008324
•
On all branch SRX Series devices, in a rare condition, during a failed routing update,
freed memory might be accessed again, which results in a flowd process crash.
PR1017148
•
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if reth LAG is configured
and child interfaces are associated with different network processing units (NPUs),
when the device undergoes high-speed session creation (for example, 360,000
connections per second (CPS) on an SRX5800 device), the central point CPU might
be stuck at 99 percent utilization after a data plane redundancy group failover.
PR1030913
•
On all branch SRX Series devices acting as the first-hop router (FHR) in a multicast
scenario, after the device reboots, the PIM tunnel selects loopback0.0 as the outgoing
interface because of a timing issue in which the route is not yet ready. If loopback0.0
and the downstream interface are not in the same security zone, the PIM register
packets are dropped because of a reroute failure. PR1031185
•
On all branch SRX Series devices, multiple CoS rewrite rules are applied to a single
interface where only one rewrite rule is allowed. PR1034173
•
On all high-end SRX Series devices, in each node, there is only one Routing Engine. The
RE 0 in the master node is the master Routing Engine and the RE 0 in the secondary
node is the backup Routing Engine. The request system power-off both-routing-engines
command powers off both the master and the backup Routing Engines simultaneously.
PR1039758
•
On all high-end SRX Series devices, the request system power-off both-routing-engines
command powers off both the nodes. PR1047349
Intrusion Detection and Prevention (IDP)
•
On SRX210 and SRX220 devices, due to memory constraints, the combination of large
IDP policies (that is, IDP_Default) along with express antivirus (EAV) might not compile
successfully. PR974851
J-Web
•
On all SRX Series devices, when you go to the Monitor>NAT>Source NAT page and
click the Resource Usage tab, all Pool type values in the grid are displayed as PAT.
J-Web fails to recognize the Non-PAT pool. PR1036621
•
On all branch SRX Series devices, J-Web does not display all the member link interfaces
of an aggregate Ethernet (ae) interface. PR1038850
Platform and Infrastructure
•
On all high-end SRX Series devices, when composite next hop is used, an RSVP session
flap might cause a state mismatch between the master Routing Engine and the backup
Routing Engine, which eventually leads to a kernel crash on the master Routing Engine.
PR905317
•
On all branch SRX Series devices, when flexible-vlan-tagging option is enabled, the
return traffic might be dropped on the tagged interface with the message packet
dropped, pak dropped due to invalid l2 broadcast/multicast addr. PR1034602
Security Policy
•
On all branch SRX Series devices, when you swap the sequence of security policies or
when security policies are disabled by a scheduler, the applications configured in these
security policies might be added to other enabled security policies. This might cause
unexpected applications to be evaluated by other security policies, and traffic to be
permitted or denied unexpectedly. PR1033275
•
On all SRX Series devices, when there are more than 32 policies configured in a global
security policy, and if there is a zone-based global security policy whose sequence
number is greater than 32, then a policy mismatch error might occur, causing incorrect
traffic evaluation. PR1057215
System Logging
•
On all SRX Series devices, if the stream mode logging has incomplete configuration
for multiple streams, after reboot the system might not send out stream logs to the
properly configured streams. PR988798
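A stream-mode security log configuration in which every stream carries a host, a format, and a category, shown beside a stream that lacks them, as the shape to verify before rebooting a device on a release that still has this issue. This is an added example, not configuration from the release notes; the stream names and the addresses 10.0.0.5 and 10.0.0.100 are assumptions, and the lines starting with ## are annotations rather than CLI input.

```junos
## Stream mode: the data plane sends logs directly to the collector.
set security log mode stream
set security log source-address 10.0.0.5

## Complete stream: host, format and category are all present.
set security log stream collector format sd-syslog
set security log stream collector category all
set security log stream collector host 10.0.0.100
set security log stream collector host port 514

## Incomplete stream, the kind the note warns about: a name with a format
## but no host. Either finish it with a host line or delete it before
## committing, rather than leaving it next to a properly configured stream.
set security log stream staging format sd-syslog
delete security log stream staging

## Review every stream in set form before committing and rebooting.
run show configuration security log | display set
commit
```

The review command is the check worth running on any device that logs to several collectors: each stream name in the output should have its own host line, not only a format or category line.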
•
On all high-end SRX Series devices, RT_PFE errors might be generated due to reroute
failure when a more specific route entry is added or deleted. PR1009947
•
On all branch SRX Series devices, flowd_octeon_hm: pconn_client_connect: Failed to
connect to the server after 0 retries messages are repeated in the log file. PR1035936
Unified Threat Management (UTM)
•
On all high-end SRX Series devices, due to a memory leak issue in the utmd process,
the utmd process might cause control plane CPU utilization that is higher than expected
even when the Unified Threat Management (UTM) feature is not enabled. The memory
leak can only be triggered if there is a UTM license installed on the system. PR1027986
VPN
•
On all branch SRX Series devices, IPsec tunnel reconnection might cause a memory
leak. PR1002738
•
On all branch SRX Series devices, in group VPN setups, all the already registered
members might suddenly disappear from the key server due to memory leak. PR1023940
•
On all branch SRX Series devices, if IPsec VPN is enabled using IKE version 2 (IKEv2),
a distinguished name is used to verify the IKEv2 Phase 1 remote identity, and a remote
peer initiates IKEv2 Phase 1 Security Association (SA) renegotiation (with the SRX Series
device acting as responder), the newly negotiated VPN tunnel might stay in an inactive
state on the data plane, causing IPsec VPN traffic loss. PR1028949
•
On all branch SRX Series devices in a dynamic endpoint (DEP) VPN scenario, the VPN
tunnel might stay down after the user-at-hostname value is changed. PR1029687
•
On all high-end SRX Series devices with IPsec VPN configuration, because of a rare
timing issue, the IPsec VPN traffic might be dropped due to a "bad SPI" message on
the traffic-receiving side during IPsec Security Association (SA) rekey. PR1031890
•
On all SRX Series devices, in AutoVPN configuration after reboot, the VPN tunnel might
not come up and an error with the private key is reported. PR1032840
•
On all high-end SRX Series devices with policy-based IPsec VPN configured, deleting
security policies that are associated with a VPN tunnel might result in a stale VPN
tunnel remaining. In addition, the tunnel might be associated with the newly added
security policies. PR1034049
•
On all SRX Series devices, when a primary IP address of an interface changes, some
IPsec tunnels terminated on that interface might go down. PR1044620
Resolved Issues 12.1X47-D15
Application Layer Gateways (ALGs)
•
On all SRX Series devices, when there is heavy SIP traffic through the device, high CPU
usage is seen on one or more SPUs. This issue occurs due to a certain type of
SIP-handling logic, which dumps payload packets to the internal buffer. This logic has
been optimized to reduce load on the SPU. PR985932
•
On all SRX Series devices, when ALG processes the SIP traffic, a memory corruption
issue might occur and crash the flowd process. PR992478
•
On all SRX Series devices in a chassis cluster with the PPTP ALG enabled and the PPTP
session closed, a memory corruption might occur on the secondary node, which causes
the flowd process to crash. PR993447
•
On all SRX Series devices, if the Sun RPC trace is enabled, a core file is generated on
the secondary node when you upgrade through ISSU. PR998245
•
On all SRX Series devices with the MS-RPC ALG enabled, occasionally, when more than
one IP address and port pair exists in the MS-RPC response packet and these pairs are
identical, the ALG group might leak. This issue might also occur in a Sun RPC scenario.
PR1010499
•
On all SRX Series devices with SIP ALG enabled, when either retain-hold-resource and
NAT are configured or retransmission of 183 session progress messages with SDP
occurs (the first transmission did not have SDP), the SIP ALG incorrectly changes the
IP address that is embedded inside the media payload to zero, causing a call failure.
PR1016969
•
On all SRX Series devices, in certain situations, the H.323 ALG incorrectly handles
translation because the stored position is not initialized properly. As a result, H.323
endpoints registration failure and call failure occur. PR1023528
Certificate Authority (CA)
•
When the PKI certificate expires at a later date, the output of the show security PKI
ca-certificate detail command incorrectly shows "Not after: time not determined UTC"
under the Validity field. PR878036
Chassis Cluster
•
On all branch SRX Series devices, in dual fabric link chassis clusters, when the control
link and one fabric link go down, the chassis cluster goes into a "split brain" condition
in which both nodes become primary. With one fabric link up, the secondary node of
the chassis cluster goes into an ineligible state and then into the disabled state.
PR989548
•
On all high-end SRX Series devices, when you use the maximize-cp-sessions option, it
decreases the amount of memory available for other functions. Therefore, the SPUs
might not reach the published maximum number of supported VPN tunnels when the
maximize-cp-sessions option is configured. PR1027761
Flow-Based and Packet-Based Processing
•
On all high-end SRX Series devices, the name of the ICMP6 big packet is changed to
junos-icmp6-packet-too-big instead of junos-icmp6-packet-to-big. PR917007
•
On all high-end SRX Series devices, when IPsec is enabled, AppQoS does not apply
the rate limiter for egress traffic. PR918942
•
On all SRX Series devices, under certain conditions, the creation of a multicast leaf
session might result in an invalid multicast next hop, which crashes the flow module.
PR921438
•
On all branch SRX Series devices, multicast traffic might cause a memory leak on the
data plane. PR947894
•
On all SRX Series devices, CoS buffer sizes are not recalculated after you delete the
interface units, and this might result in suboptimal CoS behavior. PR953924
•
On all high-end SRX Series devices, the IPv6 traffic is reordered during the encryption
of IPsec VPN because the fragment order is not maintained for the IPv6 traffic.
PR962600
•
On all high-end SRX Series devices in a chassis cluster, the CPU load on the SPC of the
new backup node might increase after a data plane failover because packets loop
indefinitely between the nodes. PR963033
•
On all branch SRX Series devices with selective stateless packet-based services
configured, self-traffic generated on custom routing instances will be dropped if it is
forwarded in packet-based mode. PR968631
•
On SRX5400, SRX5600, and SRX5800 devices configured with SPC II cards, a memory
leak might occur on the SPC II Control Plane Processor (CPP), causing the SPC II CPP
to reboot. PR975345
•
On all SRX Series devices (except the SRX110) in a chassis cluster, the flowd process
might crash when it receives corrupted real-time objects (RTOs). PR981301
•
On SRX240, SRX550, and SRX650 devices, in certain circumstances, packets might
go out of order or be dropped by the device. This issue affects multithreaded branch
SRX Series devices and typically occurs in mixed traffic (TCP or UDP) environments.
PR977614
•
On all SRX Series devices in a chassis cluster, when you terminate the GRE tunnel over
IPsec VPN, sessions through the GRE tunnel are deleted unexpectedly when the session
that is installed on the backup node times out, which is normally at eight times the
session timeout. PR982880
•
On all SRX Series devices, the flow serialization impacts session performance for IDP,
AppSecure, ALG, GTP, or SCTP, and it continues even after Layer 7 processing is
completed. PR986326
•
On all branch SRX Series devices, due to an indirect next-hop change, memory
corruption occurs in the flow route lookup table, causing the flowd process to crash.
PR988659
•
On all high-end SRX Series devices, when fragmented packets are processed, the first
fragment (the fragment contains Layer 4 information) is used to create the session,
and the subsequent fragments are queued on a memory block. During session creation,
the queued fragments might be processed for flow processing even though the session
is still in pending state. As a result, order information is lost and the fragmented packets
are forwarded out of order. PR993925
•
On all SRX Series devices, Frame Relay encapsulation on logical tunnel interfaces is
not supported. When you configure Frame Relay encapsulation on a logical tunnel
interface, the flowd process crashes. PR996072
•
On all SRX Series devices with integrated user firewall feature enabled, when there
are 100,000 or more authentication entries, deactivating the useridd process might
cause the flowd process to crash. PR996159
•
On all high-end SRX Series devices, when an equal-cost multipath (ECMP) route is
installed in the forwarding table and is used by the flow module, and if a better route
is available for the flow module or a subset of the ECMP route is pointing to the flow
module, the flow module does not reroute to use the better route for existing sessions.
PR996729
•
On all SRX Series devices, when functions that use the TCP proxy are enabled (for
example, the TCP-based ALGs FTP, H323, MGCP, MS RPC, PPTP, RSH, RTSP, SCCP, SIP,
SQL, SUN RPC, and TALK; UTM; and TCP proxy screens such as SYN-ACK-ACK proxy
and SYN flood protection), TCP packets might be held for a long time in mbufs for TCP
proxy processing. The system treats this situation as a memory leak, which causes the
flowd process to crash. PR999416
•
On all branch SRX Series devices, when the classifier is set based on EXP bits and the
ingress logical interface is a VLAN tagged interface and not unit 0, the classifier uses
the default logical unit 0's classifier instead of the configured classifier queues, which
forwards the MPLS traffic to the unintended egress queues. PR1002325
•
On all SRX Series devices, when the packet-capture option is configured on the egress
interface and a multicast stream is sent through the device, the multicast traffic might
not be captured. PR1005116
•
On all high-end SRX Series devices, the flowd process crashes due to a cache error.
PR1005195
•
On SRX240H2, SRX240H2-POE, and SRX240H2-DC devices, the IDP cannot process
any traffic due to incorrect setting of flow sessions. PR1011057
•
On all high-end SRX Series devices (except SRX1400), fragmented IPsec packets
might be out of order after decryption, causing a TCP packet retransmission and
performance degradation. PR1013223
•
On all high-end SRX Series devices, when the central point runs in combo mode on an
SPC I card and enable-utm-memory and in-line-tap IDP mode are enabled concurrently,
the flowd process crashes continuously. PR1019568
•
On all high-end SRX Series devices, in some scenarios, the flowd process might generate
core files due to stack overflow while running a log collection script (for example, the
shell script which sends various CLI and VTY commands) on the device. PR1020739
•
On all SRX Series devices, the flowd process might crash while applying a CoS filter
for the host outbound traffic. PR1021150
•
On SRX5400, SRX5600, and SRX5800 devices with SRX5K IOC II, configuring a
sampling feature (flow monitoring) might cause a high kernel heap memory usage.
PR1033359
Dynamic Host Configuration Protocol (DHCP)
•
On all high-end SRX Series devices, you cannot get the DHCP relay information through
SNMP if DHCP relay is configured under a logical system. For example:
bash-3.2# snmpwalk -c lsys1/default@junos -t 5 -v 1 -Os -Oq -Oe -Pu -m /tmp/jnx-smi.mib:/tmp/jnx-jdhcp.mib 10.208.131.136 jnxJdhcpRelayStatistics
PR909906
•
On all high-end SRX Series devices, the DHCP server option-82 does not work. PR949717
•
On all high-end SRX Series devices, the DHCP server SNMP information cannot be
displayed in the logical system. PR956597
•
On all branch SRX Series devices, if the DHCPv6 client is configured for the PPPoE
interface and the pp0 interface is disabled and enabled, the pp0 interface does not
acquire the IPv6 address from the DHCPv6 server. PR998712
General Packet Radio Service (GPRS)
•
On all high-end SRX Series devices with GTP enabled, some GTP traffic might be
dropped due to the reason message Reason zero TID/TEID. This is because some GTP
messages do not contain TEID value in the GTP message header (such as Identification
Response messages), and these messages are dropped incorrectly. PR999468
Interfaces and Routing
•
On SRX650 devices, the VLAN interface is down after a reboot. PR969079
•
On all SRX Series devices, the interface monitoring option causes an unexpected RG0
failover during the system reboot. This is because the interface monitoring option is
only applicable to the data-plane interface and it should not be associated with the
RG0, which represents control-plane redundancy. Enabling the interface monitoring
option under the RG0 is not supported on high-end SRX Series devices. PR970023
•
On SRX550 and SRX650 devices with WAN cards installed, if an interface is configured
for Ethernet switching mode and forwarding traffic, traffic processing might exhaust
the mbuf pool. As a result, an interprocess communication (IPC) issue can occur,
causing the WAN cards to go offline randomly. PR972332
Intrusion Detection and Prevention (IDP)
•
On all high-end SRX Series devices, Duplicate FLOW_IP_ACTION logs are generated
while sending traffic. PR959512
•
On all SRX Series devices, when you configure an automatic security package update
without configuring the schedule interval and start time, high CPU usage on the idpd
process is seen. PR973758
•
On all SRX Series devices, when you upgrade from any Junos OS release to Junos OS
Release 12.1X47-D15 with custom IDP attacks using custom nested applications, the
mgd process commit fails. PR999282
•
On all SRX Series devices, a custom dynamic group with the service TCP filter or the
service UDP filter does not include TCP or UDP port-bound attack signatures. The
following error message is displayed:
'dynamic-attack-group OTHER-PROTO-REC-CTS'
Attack TCP-PROTO-REC-CTS: No matching members found. Group is empty
error: configuration check-out failed
However, the group should not be empty, because the custom dynamic group's
configured queries do match members. PR1002526
•
On all SRX Series devices, the Network Security Daemon (NSD) process might crash,
causing the show security match-policies command to generate multiple core files.
This is because the policy database is not synchronized between the Routing Engine
and the Packet Forwarding Engine. PR1003099
J-Web
•
On all SRX Series devices, when you open several connections to J-Web from the same
IP address, the HTTP process might hang and J-Web becomes unresponsive. PR974042
•
On all high-end SRX Series devices, no data is displayed for monitor-nat-source-resource
usage. PR995880
•
On all branch SRX Series devices, pagination does not work when more policies are
configured. PR996545
•
On all SRX Series devices, the serial number and the system uptime are not displayed
in the Dashboard. PR1009371
•
On all SRX Series devices, J-Web does not work with Firefox version 31. A blank screen
is displayed after you log in. PR1015430
Network Address Translation (NAT)
•
On all SRX Series devices, in rare cases, the device starts using sequential source ports
for source NAT because of random function memory corruption. PR982931
•
On all high-end SRX Series devices, when you add a /96 IPv6 address to the host
address of the deterministic NAT pool, an nsd core file is generated when you commit
the configuration. PR985511
•
On all SRX Series devices in a chassis cluster, when source NAT is configured with a
port no-translation pool and a port overflow pool with address persistent feature, the
port resource of the overflow NAT pool leaks on backup node when the translated IP
address creates conflict on the port no-translation pool. PR991649
Platform and Infrastructure
•
On SRX650 devices, when you execute the show security nat static rule all command
continuously, the following message is displayed:
kern.maxfiles limit exceeded by uid 0
PR721715
•
When devices were configured to use RADIUS authentication, if the user-permission
string sent from the RADIUS server was longer than 129 characters, the device failed
to process the user-permission string. This resulted in user permissions being set
incorrectly. PR736331
•
On all SRX Series devices, every time a user logs in with SSH, a veriexec: fingerprint
mismatch message is reported in the log. PR929612
•
On all high-end SRX Series devices, a buffer leak occurs in the Application Delivery
Controller (ADC) and Transparent Load Balancer (TLB) services because of
malfunctioning atomic functions. PR934768
•
On all SRX Series devices, when a PKI certificate is manually loaded without an absolute
path given for the filename, the system defaults to the /var/tmp directory instead of
the current working directory. PR954114
•
On all high-end SRX Series devices in a chassis cluster with IPsec over the reth interface,
the traffic from self to st0 interface might be dropped when the primary node of the
RG0 is in Packet Forwarding Engine restart processing. PR955999
•
On all high-end SRX Series devices, when you use dual control link and LACP and if
the first control link goes down, the LACP goes down on the secondary node for
redundancy group 0. The secondary node might be the primary node for a data plane
redundancy group (1+) and carries the traffic. Hence, the traffic might be interrupted.
PR958841
•
The SRX3400 device supports a maximum of two NPCs when multiple NPCs are
inserted. The NPC in slot 5 is not initialized completely, and only one NPC in either slot
6 or slot 7 is functional. PR963427
•
On all SRX Series devices, leading spaces are incorrectly added before the numerical
value of <time-to-expire> element in the show arp expiration-time | display command
output. PR974410
•
On SRX220 and SRX550 devices, you can configure a maximum of 250 connections
as connection-limit. However, 250 connections cannot be established. To set the
maximum-connection-limit, use the set system services telnet connection-limit
command. PR976318
•
On all SRX Series devices, due to a communication error between the master agent
(snmpd process) and the subagent (mib2d process), the device fails to register some
MIBs. For example, the following commands display no output when you run them:
user@hostname> show snmp mib walk ifTable
user@hostname:~$ snmpwalk -v 2c -c snmp@exp X.X.X.X ifAlias
The following message is displayed:
IF-MIB::ifAlias = No Such Object available on this agent at this OID.
This means the OID is not registered. PR978535
•
On all high-end SRX Series devices with multicast enabled, frequent multicast route
changes might cause a JTree memory leak on the SPC. If the SPC runs out of JTree
memory, routing information might not be updated on the Packet Forwarding Engine,
causing traffic loss. The following log message is displayed when JTree memory is
running low on the device:
node1.fpc7.pic0 RSMON: Resource Category:jtree Instance:jtree0-seg0 Type:free-pages
Available:1 is less than LWM limit:1638, rsmon_syslog_limit(). PR979712
•
On all high-end SRX Series devices in a chassis cluster, the backup node should not
send SNMP traps. PR982777
•
On SRX5400, SRX5600 and SRX5800 devices, the authentication header packet is
dropped in SRX5K IOC II after the ID sanity check due to inner protocol processing.
PR986880
•
On SRX5400, SRX5600, and SRX5800 devices, after fabric reconnect, the fabric plane
displays the Link error message after the fabric plane is online or offline. PR990679
•
On all high-end SRX Series devices, the session ager might get stuck because of memory
corruption, causing the maximum session limit to be reached on the SPUs. PR991011
•
On all SRX Series devices, when you use netconf or Junos OS scripts to manage the
device, the management process gets stuck in a loop, causing high CPU usage. PR991616
•
On all SRX Series devices, when you upgrade the device using ISSU, the system displays
the following log messages:
•
May 22 16:54:05 srx5k-1 node1.fpc11 XETH(11/0) : Cannot find service table entry ptr
xeth_get_scheduler_numbers
•
May 22 16:54:05 srx5k-1 node1.fpc11
XETH(11/0):xeth_get_ifd_member_rate_limit_stats(ge-23/0/0): No scheduler found
for ifl:81
•
May 22 16:54:05 srx5k-1 node1.fpc11 XETH(11/0) : Cannot find service table entry ptr
xeth_get_scheduler_numbers
•
May 22 16:54:05 srx5k-1 node1.fpc11
XETH(11/0):xeth_get_ifd_member_rate_limit_stats(ge-23/0/0): No scheduler found
for ifl:81.
PR995928
•
On SRX100, SRX110, and SRX210 devices, no events are displayed when the temperature
of the chassis exceeds the thermal threshold value. PR999888
•
On all high-end SRX Series devices in a chassis cluster with interface monitoring
enabled, interfaces might be incorrectly monitored as down due to a memory allocation
issue. PR1006371
• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K IOC II, the SRX5K IOC II might send packets out of order, causing end-to-end performance degradation. PR1007455
• On SRX3400 or SRX3600 devices in a chassis cluster, the FPC 0 Minor Errors alarm is raised because of excessive invalid pkt type errors reported by the Network Processing Card. PR1008968
• On SRX1400, SRX3400, and SRX3600 devices configured with firewall simple filters, if you change the simple filter terms, some terms might not be installed properly in the data plane. As a result, the simple filter might not work as expected. PR1012606
• On all SRX Series devices, when a new user is created, the home directory for the user is not created. PR1015156
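The RSMON message quoted under PR979712 above is the only on-box warning before JTree memory is exhausted, so it is worth alerting on. The following is an added example, not Juniper code: it parses that message format from syslog export, keeps only the jtree resource category, and orders the hits by how far free pages have dropped below the low-water mark (LWM). The function names and the sample log lines (the quoted one plus two constructed ones) are this example's own.

```python
"""Detect RSMON low-water-mark breaches in exported Junos syslog lines.

Added example, not part of the Juniper release notes. The message layout
(Resource Category / Instance / Type / Available / LWM limit) is taken
from the RSMON line quoted under PR979712; everything else is assumed.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

# Matches the RSMON message body; the token before "RSMON:" is the
# originating component (for example node1.fpc7.pic0).
RSMON_RE = re.compile(
    r"(?P<origin>\S+)\s+RSMON:\s+Resource Category:(?P<category>\S+)\s+"
    r"Instance:(?P<instance>\S+)\s+Type:(?P<rtype>\S+)\s+"
    r"Available:(?P<available>\d+)\s+is less than LWM limit:(?P<lwm>\d+)"
)


class RsmonAlert(NamedTuple):
    origin: str      # e.g. node1.fpc7.pic0
    category: str    # e.g. jtree
    instance: str    # e.g. jtree0-seg0
    rtype: str       # e.g. free-pages
    available: int
    lwm: int

    @property
    def pct_of_lwm(self) -> float:
        """Free pages as a percentage of the low-water mark (0 = exhausted)."""
        return 100.0 * self.available / self.lwm if self.lwm else 0.0


def parse_rsmon(line: str) -> Optional[RsmonAlert]:
    """Return an RsmonAlert for an RSMON LWM line, or None for anything else."""
    m = RSMON_RE.search(line)
    if m is None:
        return None
    return RsmonAlert(m["origin"], m["category"], m["instance"], m["rtype"],
                      int(m["available"]), int(m["lwm"]))


def find_jtree_exhaustion(lines: Iterable[str], category: str = "jtree") -> List[RsmonAlert]:
    """Collect LWM breaches for one resource category, most depleted first."""
    alerts = [a for a in map(parse_rsmon, lines) if a is not None and a.category == category]
    return sorted(alerts, key=lambda a: a.pct_of_lwm)


# Constructed sample: the line from the release notes (with a syslog prefix
# added), one milder breach on another segment, and one unrelated line.
SAMPLE_LOG = [
    "Mar  3 10:12:01 srx5k-1 node1.fpc7.pic0 RSMON: Resource Category:jtree "
    "Instance:jtree0-seg0 Type:free-pages Available:1 is less than LWM limit:1638, rsmon_syslog_limit().",
    "Mar  3 10:12:02 srx5k-1 node1.fpc7.pic0 RSMON: Resource Category:jtree "
    "Instance:jtree1-seg0 Type:free-pages Available:900 is less than LWM limit:1638, rsmon_syslog_limit().",
    "Mar  3 10:12:03 srx5k-1 node1.fpc7.pic0 kernel: unrelated message",
]

if __name__ == "__main__":
    for a in find_jtree_exhaustion(SAMPLE_LOG):
        print(f"{a.origin} {a.instance}: {a.available}/{a.lwm} free pages "
              f"({a.pct_of_lwm:.1f}% of LWM)")
```

Feed it the output of `show log messages` (or the syslog stream) from each node; an Available value near zero on any jtree instance is the signal to schedule an SPC restart before forwarding state stops updating.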
Screens
• On all high-end SRX Series devices with flooding-type screens configured, if multiple logical interfaces on the same network processing unit (NPU) are configured in the same zone, changing the flooding thresholds might leave these logical interfaces with inconsistent thresholds, and some logical interfaces might have no screen flood protection at all. PR972812
System Logging
• On all high-end SRX Series devices, when the syslog option is configured under the [logical-systems] hierarchy, the system logs are not rotated correctly: some of the files in the /var/log directory are not compressed, and some are compressed with only two lines. PR980061
• On all high-end SRX Series devices, when you configure multiple streams under the [security log] hierarchy and one of the streams is set to severity warning, system log traffic on the other streams stops. PR1009428
Unified Threat Management (UTM)
• On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) option enabled, chunked HTTP traffic might be terminated unexpectedly by the client because of incorrect content sent by the branch SRX Series device. As a result, the page is not displayed, or is only partially displayed, in the client browser. PR971895
• On all SRX Series devices with UTM content filtering enabled, when the filename extension value is set to .com to block URLs, the content filtering feature incorrectly treats the <searchpart> (the query string) as part of the path and therefore blocks URLs that merely end with .com. PR1008108
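PR1008108 above is a general class of content-filter bug: deriving a filename extension from the raw request target instead of from the last segment of the path. The following added example, which is not Junos code, puts a naive extractor that reproduces that mistake beside a correct one and audits a few URLs with both. The block list, function names and sample URLs are constructed for the example; note that the naive version both over-blocks (a query ending in .com) and under-blocks (an .exe followed by a query string).

```python
"""Filename-extension blocking in a URL content filter: naive vs. correct.

Added example, not from Junos. Illustrates the bug class described in
PR1008108: the query string (<searchpart>) is treated as part of the
path, so a blocked extension such as ".com" matches any URL that ends
in ".com". The fix is to take the extension from the last path segment
only, after splitting the URL properly.
"""
import posixpath
from typing import Callable, List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed block list for the example.
BLOCKED_EXTENSIONS = {".com", ".exe", ".scr"}


def ext_naive(url: str) -> str:
    """Reproduces the bug: everything after the host is 'the path', query included."""
    rest = url.split("://", 1)[-1]
    path_and_query = rest.split("/", 1)[1] if "/" in rest else ""
    _, ext = posixpath.splitext(path_and_query)
    return ext.lower()


def ext_correct(url: str) -> str:
    """Split scheme/host/path/query, then take the extension of the last path segment."""
    parts = urlsplit(url)
    last_segment = unquote(parts.path).rsplit("/", 1)[-1]
    _, ext = posixpath.splitext(last_segment)
    return ext.lower()


def is_blocked(url: str, extractor: Callable[[str], str] = ext_correct) -> bool:
    """True if the extension the extractor finds is on the block list."""
    return extractor(url) in BLOCKED_EXTENSIONS


def audit(urls: List[str]) -> List[Tuple[str, bool, bool]]:
    """Return (url, blocked_by_naive, blocked_by_correct) for each URL."""
    return [(u, is_blocked(u, ext_naive), is_blocked(u, ext_correct)) for u in urls]


# Constructed sample URLs with the intended verdict in the comment.
SAMPLE_URLS = [
    "http://example.org/search?q=example.com",  # allow: .com is only in the query
    "http://example.org/download/setup.com",    # block: path really ends in .com
    "http://example.com/",                      # allow: .com is the host, not the path
    "http://example.org/files/tool.exe?dl=1",   # block: .exe despite the query string
    "http://example.org/archive.tar.gz",        # allow: .gz is not on the list
]

if __name__ == "__main__":
    for url, naive, correct in audit(SAMPLE_URLS):
        print(f"{url:45} naive={naive!s:5} correct={correct}")
```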
VPN
• On all SRX Series devices, in certain situations when the device has more than one IKE Security Association (SA) installed for the same peer device and Dead Peer Detection (DPD) is triggered, the DPD messages are not sent from the device to the peer, so the IKE SA remains installed on the device until it expires. PR967769
• On all SRX Series devices, when the device is configured with similarly named CA profiles (for example, caprofile, caprofile_1, caprofile_3, and so on) and CA certificates are loaded into these profiles, clearing the first CA certificate also clears the certificates of every other CA profile whose name starts with the same keyword. PR975125
• On all SRX Series devices, dynamic VPN user groups are not able to access certain remote resources. In this scenario, two policies refer to the same dynamic VPN and one of the policy directions is not set, so the lookup fails in the null policy at the end. PR988263
• On all SRX Series devices deployed as the hub in a hub-and-spoke VPN with dynamic endpoint VPN (DEP VPN) spokes, if manual next-hop tunnel binding (NHTB) entries are configured, changing (adding or deleting) NHTB entries might cause other NHTB entries to be deleted and existing tunnels to go down. PR1001692
Resolved Issues 12.1X47-D10
Application Layer Gateways (ALGs)
• On SRX Series devices with a VoIP-related ALG (either H.323 or SIP) and NAT enabled for the VoIP traffic, the corresponding ALG creates persistent-nat-binding entries for the reverse VoIP traffic (even though the persistent NAT feature is not configured in the source NAT rule) when VoIP traffic is transmitted into a custom routing instance. The system does not apply the custom routing instance information to the persistent-nat-binding entries, so reverse traffic that matches these entries is forwarded to the default routing instance instead of to the custom routing instance. The reverse traffic is dropped or forwarded to the wrong place. PR924553
• On all SRX Series devices, the REAL ALG is not supported, but it can be configured from both the CLI and J-Web. PR943123
• On all SRX Series devices with the SCCP ALG enabled, the SCCP ALG drops packets with an unknown message identification. In a NAT scenario, the SCCP ALG performs NAT for different SCCP messages with different NAT results, and data traffic is dropped. PR952180
• On all SRX Series devices, a flowd core file is generated because of a malformed SIP packet. PR956157
• On all SRX Series devices, Microsoft Active Directory or Microsoft Outlook clients might get disconnected from the server because the MS-RPC ALG incorrectly drops the data connections under heavy load. PR958625
• On all SRX Series devices, when an ALG receives IPv6 payload information for processing and IPv6 flow mode is not enabled on the device, the flowd process might crash. PR964817
• On all SRX Series devices, when RTSP ALG traffic passes through a routing instance of type virtual-router, the traffic is dropped. PR979899
Authentication and Access Control
• On all SRX Series devices, when Web authentication is enabled using SecurID authentication, it fails if there is a change in the DNS server configuration, because the authd process keeps sending DNS requests to the old DNS server. PR885810
• On SRX Series devices (except the SRX110) in a chassis cluster working as a Unified Access Control (UAC) enforcer, when RG0 failover occurs, the Packet Forwarding Engine might connect to the uac process before the uac process connects to the UAC server. In this condition, the uac process tells the Packet Forwarding Engine that the UAC server is disconnected, and the Packet Forwarding Engine then denies new traffic that matches the UAC policies. Traffic resumes after the connection between the uac process and the UAC server is established. PR946655
• On all SRX Series devices, the application firewall module might cause the Network Security Daemon (NSD) to leak up to 4 KB of memory on each configuration commit. PR969107
Chassis Cluster
• On all SRX Series devices in a chassis cluster, the dcd process leaks memory on the Routing Engine when you configure a reth interface (that is, activate, deactivate, delete, or add a reth interface). PR893759
• On all SRX Series devices in a chassis cluster, when you download the IDP signature database on the primary node, it is not synchronized to the secondary node. PR914987
• On all high-end SRX Series devices in a chassis cluster, in certain IPv6 configurations, the SPU sends out packets with an invalid header on the secondary node, which in turn triggers a hardware monitoring failure on the secondary node. PR935874
• On all branch SRX Series devices in a chassis cluster, an identical address is found on both private and public interfaces, and a kernel panic occurs after RG0 failover. PR937438
• On all SRX Series devices (except the SRX110) in a chassis cluster, in certain conditions, the chassis cluster fabric link hello packet might be corrupted, causing the flowd process to crash. PR939828
• Due to logic problems with the next-generation SPC NVRAM component, the central Packet Forwarding Engine processor sometimes tries to yield a thread while interrupts are disabled. This causes the central Packet Forwarding Engine processor to hang, and the Flexible PIC Concentrator (FPC) is marked offline. As a result, chassisd detects the FPC as down and resets all FPCs, causing a failover in chassis clusters. PR940392
• On all branch SRX Series devices, the counter for incoming traffic on a fabric interface (used for chassis cluster) always shows zero (0). PR949962
• In Junos OS Release 12.1X46-D10 and earlier, in a chassis cluster environment, when a secondary node failed, no notification was sent to report the secondary node failure. Starting in Junos OS Release 12.1X47-D10, in chassis cluster mode, the primary node sends the SNMP generic event trap to report failures on both the primary node and the secondary node. PR953639
• On all SRX Series devices (except the SRX110) in an asymmetric chassis cluster scenario, the secondary node (for example, node 1) uses a local interface to back up the interface on the primary node (for example, node 0). If there is a route change, traffic egresses from the backup interface, which is the local interface of node 1. After the route is restored, traffic egresses again from the primary interface, which is the local interface of node 0. The session related to the route change is in the active state on both nodes. Traffic might be interrupted when the session times out on the backup node and the session on the primary node is deleted. PR951607
• On all branch SRX Series devices, gratuitous ARP (G-ARP) replies do not update the existing MAC address entry. The MAC address is updated only after the MAC address timer expires. PR953879
• On all SRX Series devices (excluding SRX110 devices) in a chassis cluster, when the secondary node becomes ineligible due to a control link failure, it might still forward traffic. This causes the reth interface to flap and the related traffic to drop while the secondary node is in the ineligible state. PR959280
• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when you disable LACP on a reth interface, the related route's next hop remains in the hold state. PR960994
• On all SRX Series devices (excluding SRX110 devices) in a chassis cluster, after a primary node power cycle, the Flexible PIC Concentrators (FPCs) on both nodes might lose the connection to the new primary Routing Engine, causing the FPCs on both nodes to get stuck in the present state. PR961351
• On SRX3600 devices, the fabric link goes down when you execute a manual failover using the request chassis cluster failover redundancy-group 0 node 0 command. PR965077
Dynamic Host Configuration Protocol (DHCP)
• SRX100 devices send the same DHCP packets twice, whereas SRX220 devices send the DHCP packets only once. PR894760
• On all SRX Series devices, you cannot get DHCP relay information through SNMP if DHCP relay is configured under a logical system. For example, the following walk (using the logical-system/routing-instance form of the community string) returns nothing:
bash-3.2# snmpwalk -c lsys1/default@junos -t 5 -v 1 -Os -Oq -Oe -Pu -m /tmp/jnx-smi.mib:/tmp/jnx-jdhcp.mib 10.208.131.136 jnxJdhcpRelayStatistics
bash-3.2#
PR909906
• On all SRX Series devices, in the DHCPv6 client command description, the word stateful was misspelled as statefull. It is changed to stateful in the description; however, the keyword is retained as statefull to avoid incompatibility. PR924692
• On all high-end SRX Series devices, after you configure DHCPv6 in IPv6 mode, the dhcpv6 process crashes. PR940078
• On all high-end SRX Series devices, DHCPv6 does not work in IPv6 mode. PR942246
• On all high-end SRX Series devices, the DHCP server on the device gives the same IP address to two different hosts, and both hosts are active in the MAC binding table, causing a connectivity issue. This issue might occur if the DHCP server receives a DHCP INFORM packet from a bound client and a DHCP RELEASE packet from the same client. PR969929
Flow-Based and Packet-Based Processing
• On SRX220H2 devices, the TCP connection rate might drop by 15 percent. PR898217
• On SRX100H2 devices, the device reboots unexpectedly and multiple core files are generated due to a DDR2 memory timing issue between the DRAM and the CPU. The symptoms include flowd core files, core files from other processes (for example, snmpd, ntpd, and rtlogd), silent reboots without core files, and system freezes. These core files are related to RAM access (for example, pointer corruption in a session ager ring entry), and there are no consistent circumstances that cause them to be generated. PR923364
• On all SRX Series devices, when you run the clear security flow session command with a prefix or port filter, some of the sessions are not matched by the filter, causing a traffic drop or delay. This issue is triggered by any of the filters. PR925369
• On all branch SRX Series devices, in some cases, the ARP response is not accepted when the frame size is above the common value (for example, when the frame was padded by intermediate Layer 2 devices). PR927387
• On all SRX Series devices configured with IDP, for the AppSecure, ALG, GTP, or SCTP features that require serialized flow processing, the memory buffer might leak, causing the flowd process to crash. PR930728
• On all SRX Series devices, when loading a configuration in private mode, the annotated message statement is truncated to 1024 characters. PR930834
• On all SRX Series devices, if a GRE tunnel configuration is committed without a correct route to the tunnel destination, the GRE tunnel session binds the wrong anchor interface (the GRE tunnel outgoing interface) by route lookup. This anchor interface is not updated even after the route is corrected in a subsequent commit. PR933591
• On all SRX Series devices, the indirect next hop for ECMP is not supported. PR935867
• On all SRX Series devices (except the SRX110) configured in a chassis cluster, under certain conditions, the flowd process might crash during the cold synchronization process. PR936014
• On all high-end SRX Series devices, in certain circumstances, high CPU consumption on the data plane and eventual exhaustion of the internal system buffers might corrupt the forwarding table, causing partial traffic drops. PR938742
• On all SRX Series devices, when IKE packets are received before the Junos OS default applications are pushed to the Packet Forwarding Engine, the IKE sessions are established without being marked with the IKE application. As a result, fragmented IKE packets cannot be sent to iked, because the IKE session does not use the IKE application. PR942730
• On all SRX Series devices, if the first packets of a single session arrive from both directions at the same time, the application information on the session is corrupted during session installation and the flowd process crashes. PR942877
• On all SRX Series devices, when the device is in packet mode, after you change an interface configuration, the warning message "warning: You have changed inet flow mode; You must reboot the system for your change to take effect" is displayed. The same message is displayed on every commit until the next reboot. This message can be safely ignored. PR949472
• On SRX240, SRX550, and SRX650 devices, when the device receives a TCP reset (RST) and a FIN (the second FIN of the session) at the same time for a session, the RST and the FIN packet might be processed by different threads. As a result, the session timeout is updated incorrectly, and the session remains in the session table for 150 seconds. PR950799
• On all SRX Series devices, the flowd process might crash when the system performs the persistent NAT function for ALG traffic, because there is not enough memory to allocate persistent NAT bindings. PR951011
• On all SRX Series devices, when RG0 failover is triggered, the old RG0 primary device reboots or both devices reboot. PR953723
• On SRX240, SRX550, and SRX650 devices, in certain situations, flow sessions time out and get corrupted. This leads to the flow sessions being set to an abnormally high value, which eventually leads to the session table becoming full. PR955630
• On all high-end SRX Series devices, the flowd process might crash during session installation. PR956775
• On all SRX Series devices, an SSH connection is not possible between Cisco devices running IOS version 15 or later and SRX Series devices running Junos OS Release 11.2 or later. PR957483
• On all SRX Series devices, in a site-to-site VPN scenario, when the device is configured as the IPsec initiator, the flow session timeout is refreshed by the reroute packet. This causes an old session to remain in the session table, the VPN connection not to recover, and packet drops to occur. PR959559
• On all branch SRX Series devices, when you configure an ICMP probe-server option under the [services rpm] hierarchy for a specific interface (for example, ge-0/0/0), the device does not respond to ICMP requests on this interface. Other interfaces are not affected and continue to respond to ICMP requests. PR960932
• On all SRX Series devices, when you reboot the passive node, CPU usage increases on the flow SPUs of the primary node for a few seconds, during which traffic latency is increased. PR962401
• On all SRX Series devices, filter-based forwarding (FBF) rules are ignored when existing sessions are rerouted. PR962765
• On all branch SRX Series devices with the IP spoofing screen enabled, the routing table search might fail because the routing table is locked by the system, causing a false positive IP spoofing detection. PR967406
• On all high-end SRX Series devices, when you send SCTP packets to test the capacity, the SCTP packets might generate a core file. PR968951
• On all SRX Series devices, white spaces are not supported in the PKI certificate name. PR975374
• On SRX550 devices, the maximum number of flow sessions is configured incorrectly. The devices have larger session capacities than the configured session values. PR977169
• On all branch SRX Series devices, application traffic control rate limiters are unsupported on H2 models. PR979901
• On all SRX Series devices, in rare cases, the device starts using sequential source ports for source NAT because of memory corruption in the random function. PR982931
General Packet Radio Service (GPRS)
• On all SRX Series devices, when you send the 4-way handshake control packets to create associations for the capacity test, a core file is generated. PR980262
Hardware
• On SRX550 and SRX650 devices, the SRX-GP-DUAL/QUAD-T1-E1 GPIM might have interoperability issues with the remote CSU when the national standard feature is used, due to a violation of ITU-T Recommendation G.704. PR939944
Interfaces and Routing
• The counter for incoming traffic on a fabric interface (used for chassis cluster) always shows zero (0). PR520962
• On SRX5600 virtual chassis, when you swap the members of a LAG, a vmcore or ksyncd core file might be generated on the backup Routing Engine. PR711679
• On all SRX Series devices, when you configure and commit IPv6 addresses on a logical interface, the output of the show interfaces terse command does not reflect the change immediately. PR802229
• SRX5800 devices might log the Bottom Fan Tray Unable to Synch message. This message can be ignored. PR833047
• On all branch SRX Series devices with 3G wireless modems, the 3G dialer interface dl0.0 might get stuck in the down link state. PR855897
• On SRX550 devices, the T3/E3 FPC goes offline after provisioning a switched port on the ge-0/0/0 interface. PR919617
• On SRX Series devices with the 3G USB wireless modem, when the signal is low, the 3G cellular modem interface (cl-0/0/*) displays the status as Connected even though there is no signal, or there is a low signal with no network connection. This is because there is no mechanism for the wireless WAN process to notify the Routing Engine of the status change, even though the Packet Forwarding Engine is notified. After the signal recovers, the 3G cellular modem interface is not able to dial again. PR923056
• On all high-end SRX Series devices, the show interfaces extensive command output is cut short with the error message error: route rpf stats get for interface. PR930630
• When IS-IS is configured between the SRX Series device and some third-party devices, after the SRX Series device is rebooted and the IS-IS adjacency is reestablished, the routes advertised by the third-party devices might not be installed in the routing table in some cases. PR935109
• On SRX550 devices with DS3/E3 interfaces, the external clocking option was disabled to work around a hardware limitation. With the revised version of the hardware, the limitation has been fixed, so the external clocking option is reenabled. PR936356
• On all SRX Series devices, deactivating static routes can lead to the deactivation of other configuration sections. PR939712
• On all SRX Series devices, modifying a policy element that is deactivated by the policy scheduler leads to problems in searching the policy tree in memory. An incorrect policy match occurs after the policy is reactivated by the scheduler. PR944215
• On all branch SRX Series devices with interfaces encapsulated with ethernet-ccc, when you connect to an ae interface with LACP enabled, the LACP packets do not pass through the ethernet-ccc encapsulated interface. PR945004
• On SRX100B2, SRX100H2, SRX210B, SRX210HE2, SRX210HE2POE, SRX220H2, SRX220H2POE, SRX240B, SRX240B2, SRX240H2, and SRX240H2POE devices, the Point-to-Point Protocol over Ethernet (PPPoE) session is disconnected or the connection is not available. PR956307
• On SRX210 and SRX220 devices, certain jumbo frames are dropped even though the MTU is set correctly. PR963271
• On all SRX Series devices, the clear security dns-cache command is extended to resolve all DNS entries immediately. Similarly, security policies containing DNS names are updated immediately to use the refreshed IP addresses after the FQDN addresses are resolved. PR970235
• On all SRX Series devices, when the proxy-ndp feature is enabled on an interface, the entries in the IPv6 neighbor table from that interface might flap. PR970281
• On SRX5400, SRX5600, and SRX5800 devices, the counters displayed for the reth interface are not correct. PR978421
Intrusion Detection and Prevention (IDP)
• On SRX Series devices with IDP enabled, high data plane CPU usage occurs on certain SPUs for a few seconds. PR848485
• On all SRX Series devices, when you disable the IDP policy optimizer using the set security idp sensor-configuration no-policy-optimizer command, the policy fails to load after a reboot. PR883258
• On branch SRX Series devices with IDP enabled, when you use the hardware Deterministic Finite Automaton (DFA), which is enabled by default on all devices except the SRX100 and SRX110 in Junos OS Release 11.4, a false positive might occur for the signature APP:RDP-BRUTE-FORCE. PR911994
• On all SRX Series devices, a new entry or flag representing an alert notification is seen in the system log message. If the alert is configured in the IDP rules, the flag is set to "yes"; otherwise, it is set to "no". PR948401
• On all high-end SRX Series devices, when the LACP mode is fast and IDP is in inline-tap mode, a LACP flap might occur when you commit the configuration. PR960487
• On all SRX Series devices, when you upgrade the detector version, the detector kconst value reverts to the default value. PR971010
J-Web
• On all SRX Series devices, the httpd process generates a verbose log in the default configuration. PR930723
• On all SRX Series devices, when you make any changes on a J-Web page and try to commit or refresh the page, the operation might time out because two Asynchronous JavaScript and XML (AJAX) requests are sent out at the same time. The second AJAX request is sent when the first AJAX request does not receive a response. PR935552
• When you change the password minimum-length from 6 to 8 characters, J-Web shows the error message minimum-length is 6. PR942219
• On all SRX Series devices, J-Web does not accept the keyword "any" in the address-book object name. PR944952
• On all SRX Series devices, session logs generated by global policies are not displayed on the Monitor > Events and Alarms > Security events page or in the policy log window on the Configure > Security > Policy page in J-Web. PR962892
• On all branch SRX Series devices, when dynamic VPN is configured, it is not possible to configure the local-certificate or pki-local-certificate options for Web management. A commit error is displayed when these options are configured. Only the self-signed certificate option can be configured. PR969672
• In J-Web, the App-FW page does not show the counter information. PR972473
Network Address Translation (NAT)
• On all SRX Series devices, when NAT protocol translation from IPv4 to IPv6 is enabled, a certain crafted packet might cause the flowd process to hang or crash. A hang or repeated crash of the flowd process creates an extended denial-of-service condition for the device. PR954437
• In Junos OS Release 12.1X46-D10 and earlier, the device could not send the SNMP trap for a NAT pool when logical systems were configured. Starting with Junos OS Release 12.1X47-D10, the SNMP trap for a NAT pool configured under a logical system can be sent from the device. PR959219
• On all high-end SRX Series devices, the source paired address table for the IPv6 PBA pool is not released on the primary node after the session times out. PR975093
Platform and Infrastructure
• On all high-end SRX Series devices, when the management-ethernet link-down ignore statement is configured under the [chassis alarm] hierarchy, the show chassis alarms command does not display the fxp0: Ethernet Link Down alarm message. However, the following messages might be seen in the logs:
craftd[1163]: %DAEMON-3: attempt to delete alarm not in list
alarmd[1162]: %DAEMON-4: Alarm cleared: RE color=IGNORE, class=CHASSIS reason=Host 0 fxp0: Ethernet Link Down
PR749954
• On all SRX Series devices, when you log in to the device, the login process might crash due to abnormal disconnection behavior. PR802169
• On SRX240, SRX550, and SRX650 devices, when the device receives out-of-order packets while transferring large TCP files, the throughput might be heavily impacted. PR881761
• When GRE is enabled, AppQoS classification, marking, or rate limiting does not work for fragmented packets in the client-to-server direction. PR924932
• On all SRX Series devices, when using JDHCP, the server does not respond to the client with a DHCPOFFER packet when it receives the DHCPDISCOVER packet from the client. This causes the authd process to consume a large amount of CPU and to use increasing amounts of storage on the /mfs partition. PR925111
• On SRX5800 devices in a chassis cluster connected to a Nexus switch, a control plane failover causes the LACP timer to change from slow periodic to fast periodic. PR926019
• On all SRX Series devices, for SCTP IPv6 traffic in traffic logs, all the source and destination ports are marked as port 1. PR928916
• On SRX1400 devices with a SYSIO-XGE IOC card, the xe-0/0/9 interface might not come up when the cable is reconnected after you upgrade to Junos OS Release 12.1X47-D10. PR929276
• On all SRX Series devices, when the Network Security Daemon (NSD) holds a buffer related to the NAT proxy-arp process, memory leaks. This issue occurs when you commit the configuration. PR931329
• On SRX1400 devices, if port ge-0/0/6 is plugged in with an SFP-T (part number 740-013111) transceiver, the port might be set to physically down after a Junos OS upgrade. PR933751
• On SRX1400, SRX3400, and SRX3600 devices configured in a chassis cluster with an SRX1K3K-NP-2XGE-SFPP card installed, the cold synchronization process might fail on certain SPC cards with the message No response from peer node after 900 tries. PR941845
• On all SRX Series devices containing a large number of next-hop entries, if interface flaps happen frequently, the Routing Engine might fail to allocate the next-hop index, causing traffic to drop. PR943388
• On all branch SRX Series devices, because of a timing issue, the VLAN interface might fail to add security zone information after RG0 failover. PR944017
• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K-SPC-4-15-320 (next-generation SPC) installed, the hardware interrupt handler checks the link up or link down status of unused ports internal to the next-generation SPC. The next-generation SPC might cause the Control Plane Processor (CPP) to hang, causing all Flexible PIC Concentrators (FPCs) to reset. PR959655
• On SRX1400, SRX3400, and SRX3600 devices, high traffic on the fxp0 interface destabilizes the control plane functions. PR962909
Switching
• On SRX210 devices running in packet mode, when DSCP marking (32-63) is on and the destination MAC address in the packet header is present in the SRX ARP table, the devices reply to packets that are not destined to them. On devices in a chassis cluster, you must ensure that packets not destined to the SRX210 do not reach the device. PR950486
System Logging
• On SRX3400 and SRX3600 devices, the following system logs are seen in the messages file:
sfchip_show_rates_pfe: Fchip Plane 0, dpc 0, pfe <1/2/3>: Invalid dpc
These system logs do not affect the device. PR738199
• On SRX5400, SRX5600, and SRX5800 devices, when error-correcting code (ECC) errors occur on IOC or FIOC cards, it is difficult to identify the issue because the error is not logged on the device. PR900617
• The error OpenSSL: error:14090086:lib(20):func(144):reason(134) means that server certificate verification has failed. The certificate might be self-signed or expired. PR932274
• On all SRX Series devices, the following error message is displayed in the system or event logs after you upgrade to Junos OS Release 12.1X47-D10: Can't find ifa on e1-x/0/x.y. This message is harmless, does not affect the E1 interfaces, and can be ignored. PR971503
• The SNMP walk for the jnxPicType2ASPCXLP object might fail with the error message jnxPicType2ASPCXLP (could not resolve 'jnxPicType2ASPCXLP' to an OID) in the logs and fail to receive information from the device. PR974463
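The OpenSSL error string quoted under PR932274 is self-describing once you know how OpenSSL 1.x packs its error codes: 8 bits of library number, 12 bits of function number and 12 bits of reason code, so 0x14090086 is lib 20 (SSL), func 144 and reason 134, which is exactly the three decimal fields printed after it. The following added example (not Junos or OpenSSL code) decodes such a token from a log line, names the library and SSL reason from a small hand-copied subset of OpenSSL 1.0.x's err.h and ssl.h, and flags lines whose printed fields disagree with the code. The function names and the sample log lines are constructed for the example.

```python
"""Decode a packed OpenSSL error code such as the one quoted under PR932274.

Added example; not code from Junos or OpenSSL. OpenSSL 1.x packs errors
with ERR_PACK(lib, func, reason): 8 bits of library number, 12 bits of
function number, 12 bits of reason code. 0x14090086 therefore splits
into lib 0x14 (20), func 0x090 (144), reason 0x086 (134). The name
tables below are a small hand-copied subset of OpenSSL 1.0.x err.h/ssl.h.
"""
import re
from typing import NamedTuple, Optional


class OpenSSLError(NamedTuple):
    lib: int
    func: int
    reason: int


# Subset of ERR_LIB_* library numbers (OpenSSL 1.0.x err.h).
ERR_LIB = {2: "SYS", 9: "PEM", 11: "X509", 13: "ASN1", 20: "SSL"}

# Subset of SSL_R_* reason codes for library 20 (OpenSSL 1.0.x ssl.h);
# codes of 1000+ are received TLS alerts (1000 + alert number).
SSL_REASON = {
    134: "certificate verify failed",
    193: "no shared cipher",
    267: "wrong version number",
    1040: "sslv3 alert handshake failure",
    1042: "sslv3 alert bad certificate",
    1048: "tlsv1 alert unknown ca",
}

# "error:<8 hex digits>" optionally followed by the printed decimal fields.
ERR_LINE_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8})"
    r"(?::lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\))?"
)


def decode_openssl_error(code) -> OpenSSLError:
    """Split a packed error value (int, or hex string as printed) into its fields."""
    value = int(code, 16) if isinstance(code, str) else int(code)
    return OpenSSLError(lib=(value >> 24) & 0xFF,
                        func=(value >> 12) & 0xFFF,
                        reason=value & 0xFFF)


def explain_error_line(line: str) -> Optional[dict]:
    """Find an OpenSSL error token in a log line and decode it.

    'consistent' is False when the decimal lib/func/reason fields printed
    after the code do not match the code itself, a sign the line was
    truncated, mangled or hand-edited.
    """
    m = ERR_LINE_RE.search(line)
    if m is None:
        return None
    err = decode_openssl_error(m["code"])
    printed = None
    if m["lib"] is not None:
        printed = OpenSSLError(int(m["lib"]), int(m["func"]), int(m["reason"]))
    reason_name = SSL_REASON.get(err.reason, "unknown") if err.lib == 20 else "unknown"
    return {
        "code": m["code"],
        "lib": err.lib,
        "func": err.func,
        "reason": err.reason,
        "lib_name": ERR_LIB.get(err.lib, "unknown"),
        "reason_name": reason_name,
        "consistent": printed is None or printed == err,
    }


# Constructed sample lines: the one from the release notes, one whose
# printed reason deliberately disagrees with its code, and one with no
# OpenSSL error at all.
SAMPLE_LINES = [
    "OpenSSL: error:14090086:lib(20):func(144):reason(134)",
    "OpenSSL: error:1409442E:lib(20):func(148):reason(134)",
    "utmd: server update completed",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain_error_line(line))
```

In practice the reason code is the field to triage on: 134 is a local verification failure (untrusted, self-signed or expired certificate, as the release note says), whereas the 1040-series reasons mean the remote side rejected the handshake.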
Unified Threat Management (UTM)
• On all branch SRX Series devices, webpages become unavailable and do not display
any content when you enable Sophos antivirus for HTTP traffic. PR906534
• On all high-end SRX Series devices, EWF logs are not marked with user role information.
PR936799
• On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) option
enabled and the intelligent-prescreening option configured, a chunked packet that
contains only chunk-size data without any actual data is recognized as an invalid data
packet, and the packet is dropped before it passes to the KAV engine in the KAV HTTP
proxy processing. PR937539
• On all branch SRX Series devices, when the category action is permit, the result is the
category site-reputation action; when no category reputation action is defined, the
result is the global site-reputation action or the default action. This confusion occurs
because the explicit permit action is not applied under the specific category. To resolve
this problem, configure the explicit action directly on the category. If you do not
configure any action, the global site-reputation action is the result. The category
reputation is not used in Enhanced Web Filtering. PR939352
• On all high-end SRX Series devices, when you install a license, you might see the
message license not valid for this product add license failed. Even though the message
appears, the feature still functions normally. In addition, the show system license
command does not display the Sophos antivirus, antispam, or Web filtering licenses.
PR948347
• On all branch SRX Series devices, the test security utm anti-virus command for the
antivirus feature does not work and returns an Invalid argument error message. PR951124
• On all branch SRX Series devices, when the KAV license expires and a new license is
installed, deleting the old license file causes the KAV engine status to change to Not
Ready. The delete event triggers an AV license status update; the utmd process
might recognize that the KAV license is not installed, and the pattern database is
unloaded. PR954590
• On all SRX Series devices with UTM and Sophos antivirus (SAV) service enabled, if
source NAT for self-generated traffic is configured, the DNS queries from the UTM SAV
service fail with timeouts. PR963978
• On all high-end SRX Series devices, UTM blacklists and whitelists should work without
an EWF license. PR970597
VPNs
• On all SRX Series devices, when IPsec is enabled, AppQoS does not assign egress
traffic to the configured forwarding class. PR753762
• On all SRX Series devices, in site-to-site IPsec VPN deployments using IKEv2, when
tunnels are removed through a configuration change, the information is not propagated
to the remote peer. Later, when the peer initiates a normal Phase-1 rekey process, the
kmd process crashes and core files are generated. PR898198
• On all SRX Series devices, during a VPN configuration change with an interface
configuration change in the same commit, or after rebooting the device with VPN and
interface configured together, the tunnel sessions created in flowd are missed. This
impacts the traffic flow on that tunnel. The invalid bind interface counter returns a
nonzero value when you run the show usp ipsec global-stat command. PR928945
• Certificate-based authentication would fail when the RSA signature from the remote
peer used SHA-256 as the message digest algorithm. PR936141
• On all SRX Series devices configured with IPsec VPN and with VPN monitor enabled,
the VPN monitor function triggers a socket leak, which might result in critical issues
such as flow SPUs becoming unresponsive. PR940093
• On all SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or
flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link
increases. PR941999
• On all SRX Series devices with multiple proxy-identity (MPID), dead routes are seen
while moving the st0 interface from one virtual router to another. PR943577
• On all branch SRX Series devices configured in a chassis cluster with route-based IPsec
VPN enabled, during RG0 failover to the new primary node, if a route-based VPN does
not have IPsec SAs associated with the tunnel, then the bind interface (st0) associated
with the tunnel is marked down. The interface remains in the down state, causing the VPN
traffic to drop. PR944478
• On all SRX Series devices, after the traffic-selector configuration is deleted from the VPN
configuration object, the data traffic stops passing through the tunnel. PR944598
• On SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices, high CPU usage
occurs after installing additional SPC cards without a full cluster reboot, and IPsec
tunnels carry the SCTP traffic anchored on the device. PR945162
• SRX Series devices cannot proceed to automatic certificate reenrollment through
SCEP. The certificate validity period is incorrectly calculated during the autorenewal
process. Also, when the CRL is downloaded through LDAP, it can be partially received
from the CA server and the pkid process goes up. PR946619
• On all SRX Series devices, when there are more than 100 traffic selectors configured
on a VPN configuration object along with configured, established tunnels, if all IPsec
SAs for this VPN configuration object are cleared at the same time (because of a
configuration change on a peer or the use of the clear operational command), the
bind-interface associated with that VPN configuration object might be marked as
down. PR947103
• On all SRX Series devices, in a hub-spoke IPsec VPN scenario, when you commit the
static NHTB configuration on the multipoint secure tunnel (st0) interface, the VPN
routes might become active even though the VPN tunnel is down. This issue also occurs
when you reboot the system with static NHTBs and the related static routes
configured. PR947149
• On SRX Series devices configured as a route-based IPsec Dynamic End Point (DEP)
VPN node, the VPN tunnel interface st0.x link incorrectly remains up when the IPsec Security
Association (SA) is not established, even though VPN monitoring or establish-tunnels
immediately is configured. PR947552
• On all SRX Series devices, IPsec VPN packets are dropped in chassis cluster Z mode
when fragmentation is required. PR956808
• On all SRX Series devices, any configuration changes to the st0.x interface might delete
NHTB entries for unrelated st0 interfaces. PR958190
• On all SRX Series devices, in some situations, if the CRL server is not reachable, a
memory leak might occur and the kern.maxfiles limit exceeded by uid 0 message is shown
on the console. As a result, the device administrator is no longer able to log in to the
device. PR959194
• On all SRX Series devices, disabling anti-replay on a policy-based VPN does not take
effect immediately but requires the kmd process to restart. PR979846
• On all SRX Series devices, IPsec VPN tunnels could not come up due to unavailability
of buffer space. PR985494
• On all branch SRX Series devices, on a group VPN member, the
KMD_PM_IKE_SERVER_NOT_FOUND message appears repeatedly in the kmd log file
after rekey. PR991306
Related Documentation
• New and Changed Features on page 6
• Changes in Behavior and Syntax on page 23
• Known Behavior on page 30
• Known Issues on page 39
• Documentation Updates on page 71
• Migration, Upgrade, and Downgrade Instructions on page 74
Documentation Updates
This section lists the errata and changes in Junos OS Release 12.1X47-D10 documentation.
Documentation Updates for the Junos OS Software Documentation
This section lists the errata and changes in the software documentation.
IDP Policies Feature Guide for Security Devices
• This guide is missing information about new policy templates.
Six new IDP policy templates are added.
The new templates have the following features:
• They are designed for ease of use and provide balanced performance and coverage.
• The new templates include client protection, server protection, and client/server
protection.
• Each of the new templates has two versions that are device specific, a 1-gigabyte
(GB) version and a 2-GB version.
NOTE: The 1-gigabyte versions labeled 1G should only be used for devices
that are limited to 1 GB of memory. If a 1-GB device loads anything other
than a 1-GB policy, the device might experience policy compilation errors
due to limited memory or limited coverage. If a 2-GB device loads anything
other than a 2-GB policy, the device might experience limited coverage.
Use these templates as a guideline for creating policies. We recommend that you
make a copy of these templates and use the copy (not the original) for the policy.
This approach allows you to make changes to the policy and to avoid future issues
due to changes in the policy templates.
The complete list of the new IDP policy templates is given in Table 10 on page 72.
Table 10: New IDP Policy Templates

Previously Available Policy Templates
root@R1# set security idp active-policy ?
Possible completions:
<active-policy> set active policy
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Web_Server

Updated/Currently Available Policy Templates
root@R1# set security idp active-policy ?
Possible completions:
<active-policy> set active policy
Client-And-Server-Protection
Client-And-Server-Protection-1G
Client-Protection
Client-Protection-1G
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Web_Server
Descriptions of the new IDP policy templates are provided in Table 11 on page 72.
Table 11: Descriptions of the New IDP Templates
Template: Description
Client-And-Server-Protection: Designed to protect both clients and servers. To be used on
high-memory devices with 2 GB or more of memory.
Client-And-Server-Protection-1G: Designed to protect both clients and servers. To be used on
all devices, including low-memory branch devices.
Client-Protection: Designed to protect clients. To be used on high-memory devices with
2 GB or more of memory.
Client-Protection-1G: Designed to protect clients. To be used on all devices, including
low-memory branch devices.
Server-Protection: Designed to protect servers. To be used on high-memory devices with
2 GB or more of memory.
Server-Protection-1G: Designed to protect servers. To be used on all devices, including
low-memory branch devices.
Multicast Feature Guide for Security Devices
Multicast Source Discovery Protocol (MSDP) is not supported on SRX Series devices in
any type of custom routing instance.
Various Guides
• Some Junos OS user, reference, and configuration guides—for example the Junos
Software Routing Protocols Configuration Guide, Junos OS CLI User Guide, and Junos OS
System Basics Configuration Guide—mistakenly do not indicate SRX Series device
support in the “Supported Platforms” list and other related support information;
however, many of those documented Junos OS features are supported on SRX Series
devices. For full, confirmed support information about SRX Series devices, please refer
to Feature Explorer:
http://pathfinder.juniper.net/feature-explorer/select-software.html?swName=Junos+OS&typ=1.
Related Documentation
• New and Changed Features on page 6
• Changes in Behavior and Syntax on page 23
• Known Behavior on page 30
• Known Issues on page 39
• Resolved Issues on page 44
• Migration, Upgrade, and Downgrade Instructions on page 74
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS for the SRX Series. Upgrading
or downgrading Junos OS can take several hours, depending on the size and configuration
of the network.
• End-of-Life Announcement for J Series Devices and the Low-Memory Versions of SRX100
and SRX200 Lines on page 74
• Upgrading and Downgrading Among Junos OS Releases on page 75
• Upgrading an AppSecure Device on page 76
• Network and Security Manager Support on page 77
• Upgrade and Downgrade Scripts for Address Book Configuration on page 77
• Hardware Requirements on page 79
End-of-Life Announcement for J Series Devices and the Low-Memory Versions of SRX100 and SRX200 Lines
Starting in Junos OS Release 12.1X47-D10, the J Series devices and the low-memory
versions of the SRX100 and SRX200 lines with less than 2GB memory are discontinued
and no longer supported.
NOTE: Upgrading to Junos OS Release 12.1X47-D10 or later is not supported
on the J Series devices or on the versions of the SRX100 and SRX200 lines
with less than 2GB memory. If you attempt to upgrade one of these devices
to Junos OS 12.1X47-D10, installation will be aborted with the following error
message:
ERROR: Unsupported platform <platform-name> for 12.1X47 and higher
For the model numbers of the discontinued products, the recommended replacement
products, and minimum software requirements for the replacements, see:
http://www.juniper.net/support/eol/
If you have any questions concerning this notification, please contact the Juniper Networks
Technical Assistance Center (JTAC).
Upgrading and Downgrading Among Junos OS Releases
All Junos OS releases are listed in sequence on the JUNOS Software Dates & Milestones
webpage:
http://www.juniper.net/support/eol/junos.html
To help in understanding the examples that are presented in this section, a portion of
that table is replicated here. Note that releases footnoted with a 1 are Extended
End-of-Life (EEOL) releases.
You can directly upgrade or downgrade between any two Junos OS releases that are
within three releases of each other.
• Example: Direct release upgrade
Release 10.3 → (bypassing Releases 10.4 and 11.1) Release 11.2
To upgrade or downgrade between Junos OS releases that are more than three releases
apart, you can upgrade or downgrade first to an intermediate release that is within three
releases of the desired release, and then upgrade or downgrade from that release to the
desired release.
• Example: Multistep release downgrade
Release 11.3 → (bypassing Releases 11.2 and 11.1) Release 10.4 → Release 10.3
Juniper Networks has also provided an even more efficient method of upgrading and
downgrading using the Junos OS EEOL releases. EEOL releases generally occur once a
calendar year and can be more than three releases apart. For a list of EEOL releases, go
to http://www.juniper.net/support/eol/junos.html.
You can directly upgrade or downgrade between any two Junos OS EEOL releases that
are within three EEOL releases of each other.
• Example: Direct EEOL release upgrade
Release 9.3 (EEOL) → (bypassing Releases 10.0 [EEOL] and 10.4 [EEOL]) Release 11.4
(EEOL)
To upgrade or downgrade between Junos OS EEOL releases that are more than three
EEOL releases apart, you can upgrade first to an intermediate EEOL release that is within
three EEOL releases of the desired EEOL release, and then upgrade from that EEOL
release to the desired EEOL release.
• Example: Multistep release upgrade using intermediate EEOL release
Release 8.5 (EEOL) → (bypassing Releases 9.3 [EEOL] and 10.0 [EEOL]) Release 10.4
(EEOL) → Release 11.4 (EEOL)
You can even use a Junos OS EEOL release as an intermediate upgrade or downgrade
step if your desired release is several releases later than your current release.
• Example: Multistep release upgrade using intermediate EEOL release
Release 9.6 → Release 10.0 (EEOL) → Release 10.2
For additional information about how to upgrade and downgrade, see the Junos OS
Installation and Upgrade Guide.
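The hop rules of this section, as an added planner script that is not Juniper's own tooling: it checks whether a single direct upgrade or downgrade is permitted, finds a fewest-installs path, and renders the path in the "bypassing ..." style used above. The release table and the EEOL set are assumptions reconstructed from the releases named in the examples, and the hop limits are parameters that default to the three-release and three-EEOL-release rules stated here.

```python
"""Junos OS upgrade/downgrade path planner (constructed example, not Juniper code).

The release table and the EEOL set below are assumptions reconstructed from
the releases named in this section; confirm them against the Dates &
Milestones page before planning a real upgrade.
"""
from collections import deque
from typing import Dict, List, Optional, Sequence, Set

# Ordered release sequence, oldest to newest (assumed / constructed).
RELEASES: List[str] = [
    "8.5", "9.0", "9.1", "9.2", "9.3", "9.4", "9.5", "9.6",
    "10.0", "10.1", "10.2", "10.3", "10.4",
    "11.1", "11.2", "11.3", "11.4",
]
# Releases the examples in this section mark as Extended End-of-Life (assumed).
EEOL: Set[str] = {"8.5", "9.3", "10.0", "10.4", "11.4"}

MAX_SPAN = 3       # direct hop between any two releases within three of each other
MAX_EEOL_SPAN = 3  # direct hop between EEOL releases within three EEOL releases

_IDX: Dict[str, int] = {r: i for i, r in enumerate(RELEASES)}
_EEOL_IDX: Dict[str, int] = {r: i for i, r in enumerate([x for x in RELEASES if x in EEOL])}


def _check(release: str) -> None:
    if release not in _IDX:
        raise ValueError(f"release {release!r} is not in the release table")


def hop_kind(src: str, dst: str) -> Optional[str]:
    """Classify a single direct install from src to dst.

    Returns 'release' when the three-release rule allows it, 'eeol' when only
    the EEOL-to-EEOL rule allows it, and None when no direct hop is permitted.
    """
    _check(src)
    _check(dst)
    if src == dst:
        return None
    if abs(_IDX[src] - _IDX[dst]) <= MAX_SPAN:
        return "release"
    if src in EEOL and dst in EEOL and abs(_EEOL_IDX[src] - _EEOL_IDX[dst]) <= MAX_EEOL_SPAN:
        return "eeol"
    return None


def validate_path(path: Sequence[str]) -> bool:
    """True if every consecutive pair in path is a permitted single hop."""
    return len(path) >= 1 and all(hop_kind(a, b) is not None for a, b in zip(path, path[1:]))


def plan_path(src: str, dst: str) -> List[str]:
    """Breadth-first search for a fewest-installs path from src to dst.

    Neighbours are expanded closest-to-target first, which makes the result
    deterministic and reproduces the multistep examples in this section.
    """
    _check(src)
    _check(dst)
    if src == dst:
        return [src]
    target = _IDX[dst]
    parent: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        nxt = [r for r in RELEASES if r not in parent and hop_kind(cur, r) is not None]
        nxt.sort(key=lambda r: abs(_IDX[r] - target))
        for r in nxt:
            parent[r] = cur
            if r == dst:
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(r)
    raise ValueError(f"no permitted path from {src} to {dst}")


def describe_path(path: Sequence[str]) -> str:
    """Render a path in the style used above, listing the releases each hop skips
    (only the skipped EEOL releases when the hop relies on the EEOL rule)."""
    parts = [f"Release {path[0]}" + (" (EEOL)" if path[0] in EEOL else "")]
    for a, b in zip(path, path[1:]):
        kind = hop_kind(a, b)
        if kind is None:
            raise ValueError(f"{a} -> {b} is not a permitted hop")
        lo, hi = sorted((_IDX[a], _IDX[b]))
        skipped = RELEASES[lo + 1:hi]
        if kind == "eeol":
            skipped = [r for r in skipped if r in EEOL]
        if _IDX[a] > _IDX[b]:
            skipped = skipped[::-1]  # list skipped releases in the order passed
        label = f"Release {b}" + (" (EEOL)" if b in EEOL else "")
        parts.append(f"(bypassing Releases {', '.join(skipped)}) {label}" if skipped else label)
    return " -> ".join(parts)


if __name__ == "__main__":
    for s, d in (("10.3", "11.2"), ("11.3", "10.3"), ("9.3", "11.4"), ("8.5", "11.4")):
        print(describe_path(plan_path(s, d)))
```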
Upgrading an AppSecure Device
Use the no-validate Option for AppSecure Devices.
For devices implementing AppSecure services, use the no-validate option when upgrading
from Junos OS Release 11.2 or earlier to Junos OS 11.4R1 or later. The application signature
package used with AppSecure services in previous releases has been moved from the
configuration file to a signature database. This change in location can trigger an error
during the validation step and interrupt the Junos OS upgrade. The no-validate option
bypasses this step.
Network and Security Manager Support
Network and Security Manager (NSM) support for SRX Series Services Gateways with
Junos OS 12.1X47-D10 is available only with NSM versions 2012.2R6 / 2012.1R10 and later.
For additional information, see Network and Security Manager documentation.
Upgrade and Downgrade Scripts for Address Book Configuration
Beginning with Junos OS Release 12.1, you can configure address books under the [security]
hierarchy and attach security zones to them (zone-attached configuration). In Junos OS
Release 11.1 and earlier, address books were defined under the [security zones] hierarchy
(zone-defined configuration).
You can either define all address books under the [security] hierarchy in a zone-attached
configuration format or under the [security zones] hierarchy in a zone-defined configuration
format; the CLI displays an error and fails to commit the configuration if you configure
both configuration formats on one system.
Juniper Networks provides Junos operation scripts that allow you to work in either of the
address book configuration formats (see Figure 1 on page 78).
• About Upgrade and Downgrade Scripts on page 77
• Running Upgrade and Downgrade Scripts on page 78
• Upgrade and Downgrade Support Policy for Junos OS Releases and Extended
End-Of-Life Releases on page 79
About Upgrade and Downgrade Scripts
After downloading Junos OS Release 12.1, you have the following options for configuring
the address book feature:
• Use the default address book configuration—You can configure address books using
the zone-defined configuration format, which is available by default. For information
on how to configure zone-defined address books, see the Junos OS Release 11.1
documentation.
• Use the upgrade script—You can run the upgrade script available on the Juniper Networks
support site to configure address books using the new zone-attached configuration
format. When upgrading, the system uses the zone names to create address books.
For example, addresses in the trust zone are created in an address book named
trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules
remain unaffected.
After upgrading to the zone-attached address book configuration:
• You cannot configure address books using the zone-defined address book
configuration format; the CLI displays an error and fails to commit.
• You cannot configure address books using the J-Web interface.
For information on how to configure zone-attached address books, see the Junos OS
Release 12.1 documentation.
• Use the downgrade script—After upgrading to the zone-attached configuration, if you
want to revert to the zone-defined configuration, use the downgrade script available
on the Juniper Networks support site. For information on how to configure zone-defined
address books, see the Junos OS Release 11.1 documentation.
NOTE: Before running the downgrade script, make sure to revert any
configuration that uses addresses from the global address book.
Figure 1: Upgrade and Downgrade Scripts for Address Books
[Figure: starting from "Download Junos OS Release 11.2 or later" with a zone-defined
address book, "Run the upgrade script" leads to the zone-attached address book
configuration (global address book is available by default; address book is defined
under the security hierarchy; zones need to be attached to address books), and
"Run the downgrade script" leads back. Note: make sure to revert any configuration
that uses addresses from the global address book.]
Running Upgrade and Downgrade Scripts
The following restrictions apply to the address book upgrade and downgrade scripts:
• The scripts cannot run unless the configuration on your system has been committed.
Thus, if the zone-defined address book and zone-attached address book configurations
are present on your system at the same time, the scripts will not run.
• The scripts cannot run when the global address book exists on your system.
• If you upgrade your device to Junos OS Release 12.1 and configure logical systems, the
master logical system retains any previously configured zone-defined address book
configuration. The master administrator can run the address book upgrade script to
convert the existing zone-defined configuration to the zone-attached configuration.
The upgrade script converts all zone-defined configurations in the master logical system
and user logical systems.
NOTE: You cannot run the downgrade script on logical systems.
For information about implementing and executing Junos operation scripts, see the Junos
OS Configuration and Operations Automation Guide.
Upgrade and Downgrade Support Policy for Junos OS Releases and Extended
End-Of-Life Releases
Support for upgrades and downgrades that span more than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to two EEOL releases before or after. For example,
Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS
Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4. However,
you cannot upgrade directly from a non-EEOL release that is more than three releases
ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3
(a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS
Release 11.4 to Junos OS Release 10.3.
To upgrade or downgrade from a non-EEOL release to a release more than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information about EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
Hardware Requirements
Transceiver Compatibility for SRX Series Devices
We strongly recommend that only transceivers provided by Juniper Networks be used
on SRX Series interface modules. Different transceiver types (long-range, short-range,
copper, and others) can be used together on multiport SFP interface modules as long
as they are provided by Juniper Networks. We cannot guarantee that the interface module
will operate correctly if third-party transceivers are used.
Please contact Juniper Networks for the correct transceiver part number for your device.
Related Documentation
• New and Changed Features on page 6
• Changes in Behavior and Syntax on page 23
• Known Behavior on page 30
• Known Issues on page 39
• Resolved Issues on page 44
• Documentation Updates on page 71
Product Compatibility
• Hardware Compatibility on page 80
Hardware Compatibility
To obtain information about the components that are supported on the device, and
special compatibility guidelines with the release, see the SRX Series Hardware Guide.
To determine the features supported on SRX Series devices in Junos OS Release
12.1X46-D10, use the Juniper Networks Feature Explorer, a Web-based application that
helps you to explore and compare Junos OS feature information to find the right software
release and hardware platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/.
Third-Party Components
This product includes third-party components. To obtain a complete list of third-party
components, see Copyright and Trademark Information.
Finding More Information
For the latest, most complete information about known and resolved issues with the
Junos OS, see the Juniper Networks Problem Report Search application at:
http://prsearch.juniper.net.
Juniper Networks Feature Explorer is a Web-based application that helps you to explore
and compare Junos OS feature information to find the correct software release and
hardware platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/.
Juniper Networks Content Explorer is a Web-based application that helps you explore
Juniper Networks technical documentation by product, task, and software release, and
download documentation in PDF format. Find Content Explorer at:
http://www.juniper.net/techpubs/content-applications/content-explorer/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page at the Juniper Networks Technical
Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
stars to rate the content, and use the pop-up form to provide us with information about
your experience. Alternately, you can use the online feedback form at
https://www.juniper.net/cgi-bin/docbugreport/.
• E-mail—Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need postsales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/710059.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at
http://www.juniper.net/support/requesting-support.html.
If you are reporting a hardware or software problem, issue the following command from
the CLI before contacting support:
user@host> request support information | save filename
To provide a core file to Juniper Networks for analysis, compress the file with the gzip
utility, rename the file to include your company name, and copy it to
ftp.juniper.net/pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to
[email protected]. For documentation issues, fill out the bug report form located at
https://www.juniper.net/cgi-bin/docbugreport/.
Revision History
24 March 2015—Revision 2—Junos OS 12.1X47-D20 – SRX Series.
03 March 2015—Revision 1—Junos OS 12.1X47-D20 – SRX Series.
Copyright © 2015, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.