If the webauth policy is deleted or changed after the user is authenticated and an entry exists in the firewall authentication table, an authentication entry created as a result of webauth is deleted only if a traffic flow session exists for that entry. Otherwise, the webauth entry is not deleted and will only age out. This behavior does not cause a security breach. [PR/309534]
Chassis Clustering
Configuring an SRX-series device with set system processes jsrp-service disable only on the primary node of the cluster causes the cluster to go into an incorrect state. [PR/292411]
The device will crash if you use set system processes chassis-control disable for 4 to 5 minutes and then enable it. Do not use this command in chassis cluster mode. [PR/296022]
Firewall
On SRX 5600 and SRX 5800 devices, a firewall filter applied on an interface to discard packets does not display the correct action symbol in the firewall log. [PR/399457]
Flow
On an SRX-series device, the show security flow session command currently does not display aggregate session information. Instead, it displays sessions on a per-SPU basis. [PR/264439]
On an SRX-series device, when traffic matches a deny policy, sessions are not created successfully. However, session resources are still consumed, and the Unicast-sessions and Sessions-in-use fields shown by the show security flow session summary command reflect this. [PR/284299]
Configuring the flow filter with the all flag might result in traces that are not related to the configured filter. As a workaround, use the basic flow trace flag with the set security flow traceoptions flag command. [PR/304083]
Hardware
On SRX 5600 and SRX 5800 devices, the LEDs on the Routing Engine and PICs do not light up in the Chassis View in J-Web. [PR/297693]
Intrusion Detection and Prevention (IDP)
On an SRX-series device, during compilation of especially large policies, the idp-policy subsystem may not respond to management requests after creating a policy. [PR/279147]
On SRX 5600 and SRX 5800 devices, when the software image is downgraded from 9.3R1 to 9.2, IDP policy compilation fails, takes an indefinite time to finish, or becomes slow because of the stale IDP policy cache. As a workaround, follow these steps:
Stop the idpd daemon by using the set system processes idp-policy disable command and commit the configuration.
Delete all policy cache files in the /var/db/idpd/db folder: log on to the SRX device as the root user and use the following UNIX command: rm -f /var/db/idpd/db/dfa* /var/db/idpd/db/pcre* /var/db/idpd/db/cache.dbd
Reboot the system.
Enable the idpd daemon by using the delete system processes idp-policy command and commit the configuration.
Ensure that the cache files are regenerated and are located in the /var/db/idpd/db folder. [PR/300428]
On SRX-series devices, when multiple applications are specified under the edit security idp idp-policy policy-name rulebase-ips rule rule-number match application configuration, IDP processes only the first application in the configuration. To avoid false negatives, configure only one application per rule in the IDP policy. [PR/302304]
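Because only the first application of such a rule is inspected, a quick way to audit an existing policy for this condition is to scan the set-style configuration (show configuration | display set) for rules that list more than one match application line. The following is an added example written for this note, not Juniper code; the configuration excerpt and the rule-naming convention in the suggested split are constructed.

```python
import re
from collections import defaultdict

# Constructed excerpt of "show configuration | display set" output for an IDP policy.
# Rule R1 lists two applications and would be inspected only for junos:http.
SAMPLE_CONFIG = """\
set security idp idp-policy LAB-POLICY rulebase-ips rule R1 match from-zone trust
set security idp idp-policy LAB-POLICY rulebase-ips rule R1 match application junos:http
set security idp idp-policy LAB-POLICY rulebase-ips rule R1 match application junos:ftp
set security idp idp-policy LAB-POLICY rulebase-ips rule R1 match attacks predefined-attack-groups "HTTP - All"
set security idp idp-policy LAB-POLICY rulebase-ips rule R2 match application junos:dns-udp
set security idp idp-policy LAB-POLICY rulebase-ips rule R2 match attacks predefined-attack-groups "DNS - All"
set security idp idp-policy LAB-POLICY rulebase-ips rule R3 match application default
"""

# One set-style line per configured application under a rulebase-ips rule.
RULE_APP_RE = re.compile(
    r"^set security idp idp-policy (\S+) rulebase-ips rule (\S+) match application (\S+)$"
)


def find_multi_application_rules(config_text):
    """Return {(policy, rule): [applications]} for every rule with more than one application."""
    apps = defaultdict(list)
    for line in config_text.splitlines():
        m = RULE_APP_RE.match(line.strip())
        if m:
            policy, rule, app = m.groups()
            apps[(policy, rule)].append(app)
    return {key: val for key, val in apps.items() if len(val) > 1}


def suggest_split(policy, rule, applications):
    """Suggest one rule per application; the '<rule>-<n>' names are a constructed convention."""
    return [
        f"set security idp idp-policy {policy} rulebase-ips rule {rule}-{i} match application {app}"
        for i, app in enumerate(applications, 1)
    ]


if __name__ == "__main__":
    for (policy, rule), applications in find_multi_application_rules(SAMPLE_CONFIG).items():
        print(f"{policy} rule {rule}: only {applications[0]} is inspected; also lists {applications[1:]}")
        for line in suggest_split(policy, rule, applications):
            print("  " + line)
```

The remaining match conditions and attack groups of the original rule must be copied to each new rule as well; the script only shows the application lines.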
On SRX 5600 and SRX 5800 devices, the IDP status command show security idp status displays an error message when the device is processing heavy data traffic. [PR/388048]
On SRX-series devices, when a large number of keys are added, the Packet Forwarding Engine may not read SSL server keys because of a memory allocation error. As a workaround, restart the Packet Forwarding Engine. [PR/388102]
On SRX 5600 and SRX 5800 devices, the IDP status command show security idp status may fail when the device is processing heavy traffic. As a result, IDP flow, session statistics, and packet statistics do not match firewall statistics. [PR/389501]
On SRX 5600 and SRX 5800 devices, HTTPS sessions with larger data transaction sizes fail because of heavy CPU usage, which results in failure of new connections. [PR/390308]
J-Web
On SRX-series devices, J-Web does not support the configuration and show commands for static NAT. [PR/396730]
Policies
When the firewall policy and the IDP policy both enable DiffServ marking with different DSCP values for the same traffic, the firewall DSCP value takes precedence and the traffic is marked with the firewall DSCP value. [PR/297437]
VPN
On an SRX-series device, if the outgoing interface and the route to the peer address are in the virtual router's routing table, IKE negotiation is not triggered and the SA cannot be negotiated. [PR/288501]
On an SRX-series device, the shared-IKE limit for IKE users is not enforced in this release. More IKE users than the configured shared-IKE limit can establish an IKE/IPsec tunnel. [PR/288551]
On an SRX-series device, if the first two servers are down, the CRL download from the third configured alternate URL fails. [PR/306514]
On SRX-series devices, configuring multiple tunnels between the same gateways using NHTB is not supported. [PR/314558]
Resolved Issues
Virtual Private Network (VPN)
On SRX-series devices, because jumbo frames were not supported, packets (either pass-through or host-bound) larger than 1500 bytes were dropped. [PR/313977: This issue has been resolved.]