Issues in JUNOS Software Release 9.3 for SRX-series Services Gateways
Outstanding Issues
Authentication
- If the webauth policy is deleted or changed after a user has authenticated, and an entry for that user exists in the firewall authentication table, the entry created by webauth is deleted only if a traffic flow session exists for it. Otherwise, the webauth entry is not deleted and remains until it ages out. This behavior does not cause a security breach. [PR/309534]
Chassis Clustering
- Configuring set system processes jsrp-service disable on only the primary node of a chassis cluster causes the cluster to enter an incorrect state. [PR/292411]
- The device crashes if set system processes chassis-control disable is left in effect for 4 to 5 minutes and the process is then re-enabled. Do not use this command in chassis cluster mode. [PR/296022]
Firewall
- On SRX 5600 and SRX 5800 devices, the firewall filter applied on an interface to discard the packets does not display the correct action symbol in the firewall log. [PR/399457]
Flow
- On an SRX-series device, the show security flow session command currently does not display aggregate session information. Instead, it displays sessions on a per-SPU basis. [PR/264439]
- On an SRX-series device, when traffic matches a deny policy, no session is successfully created. However, a session slot is still consumed, and the Unicast-sessions and Sessions-in-use fields shown by the show security flow session summary command reflect this. [PR/284299]
- Configuring the flow filter with the all flag might produce traces that are unrelated to the configured filter. As a workaround, use the basic flow trace flag instead, with the command set security flow traceoptions flag basic. [PR/304083]
Hardware
- On SRX 5600 and SRX 5800 devices, the LEDs on the Routing Engine and PICs are not lit in the Chassis View in J-Web. [PR/297693]
Intrusion Detection and Prevention (IDP)
- On an SRX-series device, during compilation of especially large policies, the idp-policy subsystem might stop responding to management requests after a policy is created. [PR/279147]
- On SRX 5600 and SRX 5800 devices, when the software image is downgraded from 9.3R1 to 9.2, IDP policy compilation fails, takes an indefinite time to finish, or becomes slow because of the stale IDP policy cache. As a workaround, follow these steps:
  - Stop the idpd daemon by using the set system processes idp-policy disable command and commit the configuration.
  - Delete all policy cache files in the /var/db/idpd/db folder: log on to the SRX device as the root user and run the following UNIX command: rm -f /var/db/idpd/db/dfa* /var/db/idpd/db/pcre* /var/db/idpd/db/cache.dbd
  - Reboot the system.
  - Re-enable the idpd daemon by using the delete system processes idp-policy command and commit the configuration.
  - Verify that the cache files have been regenerated in the /var/db/idpd/db folder. [PR/300428]
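The cache purge and the final verification step above, as an added POSIX sh example (not part of the Juniper release notes or of JUNOS itself). It assumes the cache directory /var/db/idpd/db named in the workaround and the file name patterns dfa*, pcre* and cache.dbd; the purge is only safe after the idpd daemon has been stopped with the CLI commands above, which this script does not issue.

```shell
#!/bin/sh
# Added example: purge the IDP policy cache and check that it has been
# regenerated. Assumed default path taken from the workaround text.
IDP_DB_DIR="${IDP_DB_DIR:-/var/db/idpd/db}"

# Remove the cache artefacts named in the workaround from the given
# directory (default: $IDP_DB_DIR). Other files in the directory are
# left alone. Returns 1 if the directory does not exist, so a wrong
# path on a non-SRX host is reported rather than silently ignored.
purge_idp_cache() {
    dir="${1:-$IDP_DB_DIR}"
    if [ ! -d "$dir" ]; then
        echo "purge_idp_cache: no such directory: $dir" >&2
        return 1
    fi
    rm -f "$dir"/dfa* "$dir"/pcre* "$dir"/cache.dbd
    return 0
}

# Print the number of dfa*/pcre* files present and return 0 only when
# cache.dbd and at least one dfa*/pcre* file exist, i.e. the cache has
# been regenerated after the reboot and the daemon restart.
idp_cache_regenerated() {
    dir="${1:-$IDP_DB_DIR}"
    have_cache=0
    [ -f "$dir/cache.dbd" ] && have_cache=1
    n=0
    for f in "$dir"/dfa* "$dir"/pcre*; do
        # With no matches the glob is left literal; -e filters that out.
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
    [ "$have_cache" -eq 1 ] && [ "$n" -gt 0 ]
}

# Usage on the device, as root, after disabling idp-policy and committing:
#   purge_idp_cache            # then reboot and re-enable idp-policy
#   idp_cache_regenerated      # expect a non-zero count and exit status 0
```

Run idp_cache_regenerated only after the daemon has had time to recompile; a zero count immediately after the restart means compilation is still in progress, not that the workaround failed.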
- On SRX-series devices, when multiple applications are specified under the edit security idp idp-policy policy-name rulebase-ips rule rule-number match application configuration, IDP processes only the first application listed. To avoid false negatives, configure only one application per rule in the IDP policy. [PR/302304]
- On SRX 5600 and SRX 5800 devices, the IDP status command show security idp status displays an error message when the device is processing heavy data traffic. [PR/388048]
- On SRX-series devices, when a large number of keys are added, the Packet Forwarding Engine may not read SSL server keys due to a memory allocation error. As a workaround, restart the Packet Forwarding Engine. [PR/388102]
- On SRX 5600 and SRX 5800 devices, the IDP status command show security idp status may fail when the device is processing heavy traffic. As a result, the IDP flow, session, and packet statistics do not match the firewall statistics. [PR/389501]
- On SRX 5600 and SRX 5800 devices, HTTPS sessions with large data transaction sizes fail because of heavy CPU usage, which in turn causes new connections to fail. [PR/390308]
J-Web
- On SRX-series devices, J-Web does not support the configuration and show commands for static NAT. [PR/396730]
Policies
- When both the firewall policy and the IDP policy enable DiffServ marking with different DSCP values for the same traffic, the firewall DSCP value takes precedence and the traffic is marked with the firewall DSCP value. [PR/297437]
VPN
- On an SRX-series device, if the outgoing interface and the route to the peer address are in a virtual router's routing table, IKE negotiation is not triggered and the SA cannot be negotiated. [PR/288501]
- On an SRX-series device, the shared-IKE limit for IKE users is not enforced in this release. More IKE users than the configured shared-IKE limit can establish IKE/IPsec tunnels. [PR/288551]
- On an SRX-series device, if the first two configured CRL servers are down, CRL download from the third alternate configured URL fails. [PR/306514]
- On SRX-series devices, configuring multiple tunnels between the same gateways using NHTB (next-hop tunnel binding) is not supported. [PR/314558]
Resolved Issues
Virtual Private Network (VPN)
- On SRX-series devices, because jumbo frames were not supported, packets larger than 1500 bytes (either pass-through or host-bound) were dropped. [PR/313977: This issue has been resolved.]
Related Documentation
- New Features in JUNOS Software Release 9.3 for SRX-series Services Gateways
- Known Limitations in JUNOS Software Release 9.3 for SRX-series Services Gateways
- Errata in Documentation for JUNOS Software Release 9.3 for SRX-series Services Gateways
- Unsupported CLI Statements and Commands in JUNOS Software Release 9.3 for SRX-series Services Gateways