What's Changed
Learn about what changed in this release for SRX Series Firewalls.
Application Security
- Application Signatures Package (SRX Series Firewalls and vSRX)—The show services application-identification status command output displayed an incorrect release date for the application signature package: it showed the release date of the first application signature package installed, and installing a newer version did not update it. The date was refreshed only when the newly installed package had a different PB version or engine version from the one already installed. Starting in Junos OS Release 24.2, the command output shows the correct release date.
- Deprecation of 3DES-CBC ciphers (SRX Series Firewalls and vSRX)—Support for the following ciphers is deprecated:
  - RSA-3DES-EDE-CBC-SHA
  - ECDHE-ECDSA-3DES-EDE-CBC-SHA
  The options to configure these ciphers are no longer available at the [edit system services ssh] hierarchy level. 3DES is a 64-bit block cipher, so long-lived CBC sessions are exposed to birthday-bound (Sweet32) plaintext recovery; use the AES-GCM ciphers instead.
- Starting in Junos OS Release 21.4R1, platforms with the following Routing Engines, whose Intel CPUs run microcode version 0x35, display the warning "000: Firmware Bug: TSC_DEADLINE disabled due to Errata; please update microcode to version: 0x3a (or later)" on the console:
  - RE-S-X6-64G
  - RE-S-X6-128G
  - REMX2K-X8-64G
  - RE-PTX-X8-64G
  - RE-MX2008-X8-64G
  - RE-MX2008-X8-128G
Authentication and Access Control
- ChaCha20-Poly1305 algorithm deprecation for SSH cipher option—The ChaCha20-Poly1305 authenticated encryption algorithm is deprecated for the SSH cipher option. Configure aes-128-gcm or aes-256-gcm as the encryption algorithm for the SSH cipher option instead.
  [See ssh (System Services).]
EVPN
- Limit on number of IP address associations per MAC address per bridge domain in EVPN MAC-IP database—By default, devices can associate a maximum of 200 IP addresses with a single MAC address per bridge domain. We provide a new CLI statement, mac-ip-limit at the [edit protocols evpn] hierarchy level, to customize this limit. In most use cases, you don't need to change the default. If you do change it, we recommend that you don't set the limit above 300 IP addresses per MAC address per bridge domain; otherwise, you might see very high CPU usage on the device, which can degrade system performance. [See mac-ip-limit.]
Interfaces
- Starting in Junos OS Release 24.2R1, when you run the show lldp local-information interface <interface-name> | display xml command, the output is displayed under the lldp-local-info root tag and in the lldp-local-interface-info container tag. When you run the show lldp local-information interface | display xml command, the lldp-tlv-filter and lldp-tlv-select information is displayed under the lldp-local-interface-info container tag in the output.
- Disable keyword removal (SRX300, SRX320, SRX340, SRX345, SRX380, SRX550, SRX550M)–The watchdog disable option has been removed from the set system processes command. You can no longer configure watchdog disable.
- Increased limit for number of concurrent probes for real-time performance monitoring (SRX1500, SRX1600, SRX2300, and SRX4300)–We have increased the number of concurrent probes allowed for real-time performance monitoring (RPM) from 500 to 2000. [See probe-limit.]
Junos OS API and Scripting
- Changes to the XML output for ping RPCs (MX480)—We've updated the junos-rpc-ping YANG module and the corresponding Junos XML RPCs to ensure that the RPC XML output conforms to the YANG schema. As a result, we changed the XML output for the following ping RPCs:
  - <ping>—The XML output emits <ping-error-message> and <ping-warning-message> tags instead of <xnm:error> and <xnm:warning> tags.
  - <request-ping-ce-ip>—The XML output is enclosed in an <lsping-results> root element.
  - <request-ping-ethernet>—
    - The <ethping-results> root tag includes a <cfm-loopback-reply-entry> or <cfm-loopback-reply-entry-rapid> tag for each received response. In earlier releases, a single tag enclosed all responses.
    - The XML output includes only application-specific error tags and omits <xnm:error> tags.
    - The <cfm-loopback-reply-entry-rapid> tag is now reflected in the YANG schema.
  - <request-ping-overlay>—The <ping-overlay-results> element includes a new child tag, <hash-udp-src-port>.
  Automation that matches on <xnm:error> or <xnm:warning> in ping output, or that expects a single element to hold all Ethernet loopback replies, must be updated.
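The following added example (not Juniper code and not part of the release notes) shows how a script that consumes ping RPC replies can be made tolerant of the tag change above, so it keeps working across the upgrade: it recognises both the legacy <xnm:error>/<xnm:warning> elements and the new <ping-error-message>/<ping-warning-message> tags, and counts the per-reply <cfm-loopback-reply-entry> elements now emitted for Ethernet pings. The sample replies are constructed, not captured from a device; the assumption that the new ping-*-message tags carry the message as element text, and the child elements inside the loopback entries, are not taken from the page.

```python
import xml.etree.ElementTree as ET

# Namespace Junos uses for the legacy <xnm:error> / <xnm:warning> elements.
XNM_NS = "http://xml.juniper.net/xnm/1.1/xnm"

# Legacy local names (qualified by XNM_NS) and the new schema-conformant tags.
ERROR_TAGS = {"error", "ping-error-message"}
WARNING_TAGS = {"warning", "ping-warning-message"}
LOOPBACK_ENTRY_TAGS = {"cfm-loopback-reply-entry", "cfm-loopback-reply-entry-rapid"}


def _local(tag):
    """Strip an XML namespace: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _text_of(elem):
    """Legacy xnm elements carry the text in a <message> child; the new
    ping-*-message tags are assumed to carry it as element text."""
    for child in elem:
        if _local(child.tag) == "message":
            return (child.text or "").strip()
    return (elem.text or "").strip()


def ping_messages(xml_text):
    """Return {"errors": [...], "warnings": [...]} from a ping RPC reply,
    accepting both the pre-24.2R1 <xnm:*> form and the new form."""
    result = {"errors": [], "warnings": []}
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        is_xnm = elem.tag.startswith("{" + XNM_NS + "}")
        # Bare "error"/"warning" names only count when they are xnm elements.
        if name in ERROR_TAGS and (is_xnm or name != "error"):
            result["errors"].append(_text_of(elem))
        elif name in WARNING_TAGS and (is_xnm or name != "warning"):
            result["warnings"].append(_text_of(elem))
    return result


def loopback_replies(xml_text):
    """Count per-response entries in <ethping-results>; 24.2R1 emits one
    entry tag per received reply instead of a single enclosing tag."""
    return sum(1 for e in ET.fromstring(xml_text).iter()
               if _local(e.tag) in LOOPBACK_ENTRY_TAGS)


# Constructed sample replies (not captured from a device).
OLD_REPLY = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/23.4R0/junos">
  <ping-results xmlns="http://xml.juniper.net/junos/23.4R0/junos-probe-tests">
    <target-host>198.51.100.7</target-host>
  </ping-results>
  <xnm:warning xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    <message>sendto: No route to host</message>
  </xnm:warning>
  <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    <message>no response from 198.51.100.7</message>
  </xnm:error>
</rpc-reply>"""

NEW_REPLY = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/24.2R0/junos">
  <ping-results xmlns="http://xml.juniper.net/junos/24.2R0/junos-probe-tests">
    <target-host>198.51.100.7</target-host>
    <ping-warning-message>sendto: No route to host</ping-warning-message>
    <ping-error-message>no response from 198.51.100.7</ping-error-message>
  </ping-results>
</rpc-reply>"""

ETH_REPLY = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/24.2R0/junos">
  <ethping-results xmlns="http://xml.juniper.net/junos/24.2R0/junos-probe-tests">
    <cfm-loopback-reply-entry><sequence-number>1</sequence-number></cfm-loopback-reply-entry>
    <cfm-loopback-reply-entry><sequence-number>2</sequence-number></cfm-loopback-reply-entry>
    <cfm-loopback-reply-entry><sequence-number>3</sequence-number></cfm-loopback-reply-entry>
  </ethping-results>
</rpc-reply>"""

if __name__ == "__main__":
    print(ping_messages(OLD_REPLY))
    print(ping_messages(NEW_REPLY))
    print(loopback_replies(ETH_REPLY))
```

Because the matching is done on local names (with the xnm namespace checked only for the bare error/warning names), the same function works whether or not the probe-tests default namespace is present in the reply.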
User Interface and Configuration
- Configuration database maximum size increased (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—We've enhanced the extend-size statement at the [edit system configuration-database] hierarchy level to increase the maximum database size. On devices with a default configuration database size of ~400 MB, extend-size increases the maximum to ~2 GB. On devices with a default size of ~660 MB, extend-size increases the maximum to ~2.2 GB. [See configuration-database.]
VPNs
- Enhancements to fix the digest option functionality for key pairs generated with DSA and ECDSA (SRX Series and vSRX 3.0)--In earlier releases, when you generated a local self-signed certificate with a sha-256 digest and a DSA or ECDSA key using the request security pki generate-key-pair certificate-id certificate-id-name size size type (dsa | ecdsa) and request security pki local-certificate generate-self-signed certificate-id certificate-id-name digest sha-256 domain-name domain-name subject subject-distinguished-name commands, the generated signature always used a sha1 digest. Starting in this release, the specified digest, sha-256, is used for the signature digest. You can verify this with show security pki local-certificate certificate-id certificate-id-name detail. Certificates generated before this fix keep their SHA-1 signature until you regenerate them.
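An added example, not Juniper code and not part of the release notes, of the offline equivalent of that check: an exported certificate (DER or PEM) is walked just far enough to read the outer signatureAlgorithm OID, which is what reveals whether a "sha-256" self-signed certificate was really signed with SHA-1. The OID table is from the standard X.509 algorithm registrations; the toy_cert helper builds a structural stand-in certificate (placeholder tbsCertificate and signature, real signatureAlgorithm field) so the block runs without a device, and is a constructed input, not a real certificate.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 5758, RFC 8017) and the digest each uses.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("rsa", "sha1"),
    "1.2.840.113549.1.1.11": ("rsa", "sha256"),
    "1.2.840.113549.1.1.12": ("rsa", "sha384"),
    "1.2.840.113549.1.1.13": ("rsa", "sha512"),
    "1.2.840.10040.4.3": ("dsa", "sha1"),
    "2.16.840.1.101.3.4.3.2": ("dsa", "sha256"),
    "1.2.840.10045.4.1": ("ecdsa", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa", "sha384"),
    "1.2.840.10045.4.3.4": ("ecdsa", "sha512"),
}


def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(data):
    """Decode base-128 OID content bytes to dotted form."""
    arcs, value = [], 0
    for b in data:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:                    # first byte packs the first two arcs
                first = 2 if value >= 80 else value // 40
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert):
    """Return (key_type, digest) from a certificate's outer signatureAlgorithm
    field. Accepts DER bytes or a PEM string."""
    if isinstance(cert, str):
        cert = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", cert))
    tag, start, _ = _tlv(cert, 0)                # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(cert, start)            # tbsCertificate, skipped whole
    tag, alg_start, _ = _tlv(cert, tbs_end)      # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(cert[oid_start:oid_end])
    return SIG_OIDS.get(oid, ("unknown", oid))


def digest_matches(cert, expected="sha256"):
    """True only when the certificate was actually signed with the expected digest."""
    return signature_algorithm(cert)[1] == expected


# --- constructed sample input: a structural stand-in, not a valid certificate ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = b""
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _der(0x06, body)


def toy_cert(sig_oid, pem=False):
    """Minimal Certificate SEQUENCE whose only meaningful field is the
    signatureAlgorithm OID; tbsCertificate and signature are placeholders."""
    tbs = _der(0x30, _der(0x02, b"\x02"))         # placeholder tbsCertificate
    alg = _der(0x30, _encode_oid(sig_oid))        # AlgorithmIdentifier
    sig = _der(0x03, b"\x00" + bytes(8))          # placeholder BIT STRING
    der = _der(0x30, tbs + alg + sig)
    if not pem:
        return der
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"
```

Run signature_algorithm on a certificate exported from a pre-fix device to confirm whether it needs regenerating; the check reads only the outer AlgorithmIdentifier, which is the field that actually governs the signature, not the digest named in the request.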
- Enhancements to address error in generating RSA key pair with bigger key size (SRX Series)–In earlier Junos OS releases, when you generated an RSA key pair of size 4096 or greater, the request security pki generate-key-pair certificate-id name type rsa size 4096 command sometimes displayed the error message error: timeout communicating with pki-service daemon when PKID took more time to respond. Starting in Junos OS Release 23.4R1, the command runs successfully without this error message.
- Enhancements to the IKE configuration management commands in chassis cluster (SRX Series)--In earlier Junos OS releases, in chassis cluster mode, the following commands failed with the error message error: IKE-Config-Management not responding to management requests on the secondary node:
  - show security ike statistics
  - show security ike sa ha-link-encryption
  - show security ipsec sa ha-link-encryption
  - show security ipsec inactive-tunnels ha-link-encryption
  - clear security ike sa ha-link-encryption
  - clear security ipsec sa ha-link-encryption
  You should run these commands only on the primary node rather than the secondary node. Starting in Junos OS Release 23.4R1, you'll no longer see the error message, as the secondary node has no output to display.
- Enhancements to the help string description for the threshold and interval options for VPN monitoring options (SRX Series and vSRX 3.0)–We've enhanced the help string description of the threshold and interval options available in the [set security ipsec vpn-monitor-options] configuration statement to include the default values. You'll see the following description with the default values:
  user@host# set security ipsec vpn-monitor-options ?
  Possible completions:
    interval             Monitor interval in seconds Default :10 (2..3600 seconds)
    threshold            Number of consecutive failures to determine connectivity Default :10 (1..65535)
  [See ipsec (Security).]
- Enhancements to the output of show security ipsec security-associations detail command (SRX Series and vSRX 3.0)–We've enhanced the output of show security ipsec security-associations detail when you enable vpn-monitor at the [edit security ipsec vpn vpn-name] hierarchy level and your firewall runs IPsec VPN services with the new iked process. The output now displays the threshold and interval values. Starting in Junos OS Release 23.4R1, you'll notice these changes.
- Enhancements to address certificate validation failures after RG0 failover (SRX Series)–Following an RG0 failover in the chassis cluster, you may notice that the output of the show services advanced-anti-malware status command displays the Requesting server certificate validation status, because the CRL download had failed on the secondary node before the failover. We've made enhancements to address the issue, and you'll see the following changes:
  - If the CRL download keeps failing even after multiple retry attempts, you'll see the error message PKID_CRL_DOWNLOAD_RETRY_FAILED: CRL download for the CA failed even after multiple retry attempts, Check CRL server connection until the CRL downloads successfully.
  - When the cluster performs a failover from the secondary to the primary node, PKI triggers a fresh CRL download on the new primary node, resulting in successful certificate verification.
- Reauthentication frequency recommendation for IPsec VPN with PPK (SRX Series and vSRX 3.0)—For IPsec VPN, including Auto Discovery VPN (ADVPN), with post-quantum pre-shared key (PPK) encryption, when the IKE security association is negotiated with the quantum keys, the iked process performs a rekey after 4 seconds to secure the channel. If you set the reauthentication frequency to 1, this rekey after 4 seconds doesn't happen, because the first reauthentication count is consumed by the PPK default rekey. We therefore recommend that you set the reauthentication frequency to a value greater than 1.
  [See Quantum Safe IPsec VPN.]
- Change in use of RSA signatures with SHA-1 hash algorithm—Starting in Junos OS Release 24.2R1, there is a behavioral change introduced by OpenSSH 8.8/8.8p1, which disables the use of RSA signatures with the SHA-1 hash algorithm (the ssh-rsa signature algorithm) by default. RSA keys themselves continue to work; use RSA signatures with the SHA-256 or SHA-512 hash algorithm (rsa-sha2-256 or rsa-sha2-512). SSH clients that can only produce or verify ssh-rsa (SHA-1) signatures will fail host-key verification or public-key authentication against the device.
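The three SSH changes in this release (3DES-CBC deprecation, ChaCha20-Poly1305 deprecation, and the OpenSSH 8.8 refusal of ssh-rsa SHA-1 signatures) can be checked before an upgrade from a saved configuration and from the client side. The following is an added example, not Juniper code and not part of the release notes: it scans set-style Junos configuration for deprecated cipher keywords and tells you whether a client's signature-algorithm list (for example, the output of ssh -Q sig) will still authenticate. The cipher keyword spellings under [edit system services ssh] are assumed, not taken from the page, which is why names are normalised so that aes-128-gcm and aes128-gcm@openssh.com compare equal; the sample configurations are constructed.

```python
import re

# Ciphers this release deprecates for [edit system services ssh]. Keyword
# spellings are assumed; _norm() makes "aes-128-gcm" == "aes128-gcm@openssh.com".
DEPRECATED_CIPHERS = {
    "3des-cbc": "64-bit block cipher; long CBC sessions are exposed to Sweet32 birthday attacks",
    "rsa-3des-ede-cbc-sha": "3DES-CBC suite deprecated in this release",
    "ecdhe-ecdsa-3des-ede-cbc-sha": "3DES-CBC suite deprecated in this release",
    "chacha20-poly1305@openssh.com": "deprecated for the SSH cipher option in this release",
}
RECOMMENDED_CIPHERS = ("aes-128-gcm", "aes-256-gcm")

# OpenSSH 8.8 (Junos 24.2R1) refuses the SHA-1 based ssh-rsa signature algorithm;
# the same RSA key still works through rsa-sha2-256 / rsa-sha2-512.
RSA_SHA2_ALGS = {"rsa-sha2-256", "rsa-sha2-512"}


def _norm(name):
    """Canonical cipher name: lower-case, no dashes/underscores, no @openssh.com."""
    return re.sub(r"[-_]|@openssh\.com$", "", name.lower())


_DEPRECATED = {_norm(k): v for k, v in DEPRECATED_CIPHERS.items()}
_RECOMMENDED = {_norm(c) for c in RECOMMENDED_CIPHERS}
_CIPHER_LINE = re.compile(r"^\s*set system services ssh ciphers\s+(.+?)\s*$")


def audit_ssh_ciphers(config_text):
    """Scan 'set'-style Junos configuration for deprecated SSH ciphers.
    Returns a list of (cipher, reason) findings, in configuration order."""
    findings, configured = [], set()
    for line in config_text.splitlines():
        m = _CIPHER_LINE.match(line)
        if not m:
            continue
        # Accept a single value or a bracketed list: "x" or "[ x y z ]".
        for cipher in m.group(1).strip("[] ").split():
            key = _norm(cipher)
            configured.add(key)
            if key in _DEPRECATED:
                findings.append((cipher, _DEPRECATED[key]))
    if configured and not (configured & _RECOMMENDED):
        findings.append(("(cipher list)",
                         "no AES-GCM cipher configured; add aes-128-gcm or aes-256-gcm"))
    return findings


def sha1_only_rsa_client(client_sig_algs):
    """True if a client offering only these signature algorithms cannot complete
    RSA host-key verification or public-key authentication against OpenSSH 8.8:
    it has ssh-rsa (SHA-1) but no rsa-sha2-* algorithm."""
    algs = {a.strip().lower() for a in client_sig_algs}
    return "ssh-rsa" in algs and not (algs & RSA_SHA2_ALGS)


# Constructed sample configurations (not from a real device).
SAMPLE_CONFIG = """\
set system services ssh root-login deny
set system services ssh ciphers [ 3des-cbc chacha20-poly1305@openssh.com aes256-ctr ]
"""
FIXED_CONFIG = """\
set system services ssh root-login deny
set system services ssh ciphers [ aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr ]
"""

if __name__ == "__main__":
    for cipher, reason in audit_ssh_ciphers(SAMPLE_CONFIG):
        print(f"{cipher}: {reason}")
    print("fixed config findings:", audit_ssh_ciphers(FIXED_CONFIG))
    print("legacy client breaks:", sha1_only_rsa_client(["ssh-rsa", "ssh-ed25519"]))
```

Run the cipher audit against the output of show configuration | display set before upgrading; run sha1_only_rsa_client on each automation host's ssh -Q sig output, since a client built before OpenSSH 7.2 offers only ssh-rsa for RSA keys and will be locked out once the device runs 24.2R1.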