Issues in JUNOS Software Release 9.4 for SRX-series Services Gateways
- Outstanding Issues in JUNOS Software Release 9.4 for SRX-series Services Gateways
- Resolved Issues in JUNOS Software Release 9.4 for SRX-series Services Gateways
Outstanding Issues in JUNOS Software Release 9.4 for SRX-series Services Gateways
Authentication
- If, after the user is authenticated, the webauth-policy is deleted or changed and an entry exists in the firewall authentication table, the authentication entry created as a result of webauth is deleted only if a traffic flow session exists for that entry. Otherwise, the webauth entry is not deleted and only ages out. This behavior will not cause a security breach. [PR/309534]
Chassis Clustering
- Configuring an SRX-series device with set system process jsrp-service disable only on a primary node of the cluster causes the cluster to go into an incorrect state. [PR/292411]
- The device will crash if you use set system processes chassis-control disable for 4 to 5 minutes and then enable it. Do not use this command in chassis cluster mode. [PR/296022]
- On SRX 3400, SRX 3600, SRX 5600, and SRX 5000 devices, a few queue configurations do not get reflected on the interface part of the chassis cluster. [PR/389451]
Flow and Processing
- On an SRX-series device, the show security flow session command currently does not display aggregate session information. Instead, it displays sessions on a per-SPU basis. [PR/264439]
- On an SRX-series device, when traffic matches a deny policy, sessions will not be created successfully. However, sessions are still consumed, and the Unicast-sessions and Sessions-in-use fields shown by the show security flow session summary command will reflect this. [PR/284299]
- Configuring the flow filter with the all flag might result in traces that are not related to the configured filter. As a workaround, use the flow trace flag basic with the command set security flow traceoptions flag. [PR/304083]
- A firewall filter does not work correctly if it is configured to explicitly use the icmp-type or icmp-code options to match specific ICMP packets. [PR/458986]
Hardware
- As a part of the SIP, the call object is not correctly synchronized to the peer node. This results in a crash during failover when a SIP call is in progress. [PR/399189]
- On SRX 3400 and SRX 3600 devices, the minor alarm is not triggered when the center point (CP) or SPU session table is full. [PR/405990]
Intrusion Detection and Prevention (IDP)
- When multiple applications are specified in the following configuration:
  edit security idp idp-policy policy-name rulebase-ips rule rule-number match application
  IDP will process the very first application in the configuration. To avoid false negatives, configure only one application per rule in the IDP policy. [PR/302304]
- On SRX-series devices, the IDP status command show security idp status displays an error message when the device is processing heavy data traffic. [PR/388048]
- On SRX-series devices, the IDP status command show security idp status might fail when processing heavy traffic. As a result, IDP flow, session statistics, and packet statistics do not match firewall statistics. [PR/389501]
- On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, the HTTPS sessions with higher data transaction sizes fail due to heavy CPU usage, which results in the failure of new connections. [PR/390308]
- Selecting Configuration > Quick Configuration > Security Policies > IDP Policies > Security Package Update > Help brings up the IDP policy help page instead of the Signature update help page. To access the corresponding help page, select: Configuration > Quick Configuration > IDP Policies > Signature/Policies Update and then click Help. [PR/409127]
- When you commit the IDP policy a large number of times under heavy stress traffic, further policy commits might fail with errors. Contact Juniper Technical Assistance Center (JTAC) for further assistance. [PR/415308]
Interface and Routing
- On SRX 5600 and SRX 5800 devices, ping to far-end reth interfaces does not work for different routing instances. [PR/408500]
- On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, when you run the show interfaces queue command, the four counters under RED drop packets (bytes for Low, bytes for Medium-low, bytes for Medium-high, and bytes for High) do not show proper values. [PR/412812]
- The SRX 5600 and SRX 5800 devices might get disabled when you configure more than 1000 reth logical interfaces. [PR/417391]
J-Web
- On SRX 5600 and SRX 5800 devices, the LEDs on the Routing Engine and PICs are not glowing in the Chassis View in J-Web. [PR/297693]
- On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, in J-Web, when you right-click on Configure Interface on an interface in Chassis View, the Configuration > Quick Configuration > Interface page is displayed. [PR/405392]
Management and Administration
- RPM operation fails if the device is acting as an RPM client and the destination interface option is used in the RPM client probe configuration. Because of this, RPM class of service will also not work. [PR/388381]
- On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, no trap is generated for RG0 failover. You can check on the RG0 state only when you log in to the device. Nonavailability of such information without login results in the failure of the snmpwalk on the backup/secondary node. As a workaround, use a master-only IP address across the cluster. This way, you can query a single IP address and that IP address will always be the master for RG0. [PR/413719]
Policies
- When the firewall and IDP policy both enable diffServ marking with a different DSCP value for the same traffic, the firewall DSCP value takes precedence and the traffic is marked using the firewall DSCP value. [PR/297437]
Security
- The SRX-series devices do not support egress Filter-based Forwarding (FBF). [PR/396849]
- On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, if the Infranet Controller auth table mapping action is configured as provision auth table as needed, UAC will terminate the existing sessions after Routing Engine failover. You might have to initiate new sessions. Existing sessions will not get affected after Routing Engine failover if Infranet Controller auth table mapping action is configured as Always provision auth table. [PR/416843]
System
- On SRX-series devices, when the J-Web session is terminated from the CLI, error and warning messages related to J-Web appear in the log. [PR/311181]
VPN
- On an SRX-series device, the shared IKE limit does not work in remote access. [PR/288551]
Resolved Issues in JUNOS Software Release 9.4 for SRX-series Services Gateways
There are no new resolved issues for this release.