Known Limitations in JUNOS Software Release 9.5 for SRX-series
Services Gateways
Accounting-Options Hierarchy
In the CLI accounting-options hierarchy for SRX 210
and SRX 240 devices, accounting, source-class, and destination-class
are not supported.
Chassis Cluster
For this release of JUNOS software, the following features are not supported when chassis clustering is enabled on the device:
- All packet-based protocols, such as MPLS, Connectionless Network Service (CLNS), and IP version 6 (IPv6)
- Any function that depends on the configurable interfaces:
  - lsq-0/0/0: Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)
  - gr-0/0/0: Generic routing encapsulation (GRE) and tunneling
  - ip-0/0/0: IP-over-IP (IP-IP) encapsulation
  - pd-0/0/0, pe-0/0/0, and mt-0/0/0: All multicast protocols
  - lt-0/0/0: Real-time performance monitoring (RPM)
- WXC Integrated Services Module (WXC ISM 200)
- L2-Ethernet switching
- ISDN BRI
- Multicast traffic streams
- Dial-up VPN is not supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 chassis clusters. It is supported in standalone mode.
- The IDP feature is not supported in active/active chassis clustering.
Additional limitations include:
- For SRX 3000 and SRX 5000 line chassis clusters, screen statistics data can be gathered on the primary device only.
- After fabric interfaces have been configured on a chassis cluster, removing the fabric configuration on either node will cause the redundancy group 0 (RG0) secondary node to move to a disabled state. (Resetting a device to the factory default configuration removes the fabric configuration and thereby causes the RG0 secondary node to move to a disabled state.) After the fabric configuration is committed, do not reset either device to the factory default configuration.
CLI
On SRX 210 and SRX 240 devices, J-Web crashes if more than nine users log in to the router via the CLI.
The number of users allowed to access the routers is limited:
- For SRX 210 devices: four CLI users and three J-Web users
- For SRX 240 devices: six CLI users and five J-Web users
Flow and Processing
Maximum Concurrent SSH, Telnet, and Web Sessions
For ssh, telnet, and Web sessions, the maximum number of concurrent sessions is as follows:
Sessions    SRX 210 Devices    SRX 240 Devices    SRX650 Devices
ssh         3                  5                  5
telnet      3                  5                  5
web         3                  5                  5
Note: These defaults are provided for performance reasons.
Hardware
This section covers the filter and policing limitations:
- The following features are not supported by a simple filter on SRX 3400 and SRX 3600 devices:
  - forwarding class as match condition
- The following features are not supported by policer and three-color-policer on SRX 3400 and SRX 3600 devices:
  - color-aware mode of a three-color-policer
  - filter-specific policer
  - forwarding class as action of a policer
  - logical interface policer
  - logical interface three-color policer
  - logical interface bandwidth policer
  - packet loss priority as action of a policer
  - packet loss priority as action of a three-color-policer
- The following features are not supported by a firewall filter on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices:
  - policer action
  - egress FBF
  - FTF
- The following are the limitations of a simple filter on SRX 3400 and SRX 3600 devices:
  - In one Broadcom packet processor on an IOC, simple filters can be applied to up to 100 logical interfaces.
  - In one Broadcom packet processor on an IOC, the maximum number of terms of all simple filters is 4000.
  - In one Broadcom packet processor on an IOC, the maximum number of policers is 4000.
  - In one Broadcom packet processor on an IOC, the maximum number of three-color-policers is 2000.
  - The maximum burst size of a policer or three-color-policer is 16M bytes.
Interfaces and Routing
- MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3 on the SRX650 services gateway.
- On SRX 240 devices, IP multicast switching is not supported, so multicast snooping is based on the corresponding IP multicast L2 address (01:00:5e:xx:xx:xx). In this case, all multicast receivers whose IP multicast addresses map to the same L2 address will receive the packets.
- The VLAN range from 3967 to 4094 is reserved on SRX 240 and SRX650 devices, and the user is not allowed to configure VLANs from this range.
- On SRX650 devices, the last 4 ports of the 24 GE-GPIM can be used either as RJ45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, the interface switches to the RJ45 medium. This can take up to 15 seconds, during which the LED for the RJ45 port may go up and down intermittently. Similarly, when the RJ45 medium is active and an SFP link is brought up, the interface transitions to the SFP medium, and this transition could also take a few seconds.
- The user can only use IPsec on an interface that resides in routing instance inet 0. The user will not be able to assign an external interface to the IKE policy if that interface is placed in a routing instance other than inet 0.
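The SRX 240 multicast snooping limitation above follows from the standard IPv4 multicast-to-Ethernet mapping, which copies only the low 23 bits of the group address into the 01:00:5e prefix, so 32 groups share each L2 address. The Python sketch below is an added example, not Juniper code; its function names and group addresses are constructed for illustration, and it flags planned groups whose receivers would see each other's traffic.

```python
import ipaddress
from collections import defaultdict

MCAST_NET = ipaddress.ip_network("224.0.0.0/4")

def multicast_mac(group):
    """Map an IPv4 multicast group to its 01:00:5e:xx:xx:xx L2 address."""
    addr = ipaddress.IPv4Address(group)
    if addr not in MCAST_NET:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    # Only the low 23 bits of the group survive; the other 5 group bits are dropped.
    mac = 0x01005E000000 | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))

def aliases(group):
    """Return all 32 groups that share this group's L2 address."""
    multicast_mac(group)  # validates the input
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]

def find_overlaps(groups):
    """Group planned multicast addresses by L2 address; keep only collisions."""
    by_mac = defaultdict(list)
    for g in groups:
        by_mac[multicast_mac(g)].append(g)
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}

# Constructed sample plan (hypothetical addresses, not from the release notes).
PLANNED_GROUPS = ["224.1.1.1", "225.1.1.1", "239.129.1.1", "239.255.0.1", "232.0.0.5"]

if __name__ == "__main__":
    for mac, gs in find_overlaps(PLANNED_GROUPS).items():
        print(f"{mac}: receivers of {', '.join(gs)} all get each other's traffic")
```

Where streams must stay separated on an affected device, assign group addresses whose low 23 bits differ so that `find_overlaps` returns an empty result.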
Intrusion Detection and Prevention (IDP)
- On SRX-series devices, IP actions do not work when you select a timeout value greater than 65535 in the IDP policy.
- On SRX 210, SRX 240, and SRX650 devices, the maximum number of IDP sessions supported in 9.5 is 16K.
- This release of JUNOS software for SRX-series devices supports all IDP policy templates except All Attacks. There is a 100-MB policy size limit, and the current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past this 100-MB policy size limit.
- The following IDP policies are supported on SRX devices:
  - DMZ_Services
  - DNS_Service
  - File_Server
  - Getting_Started
  - IDP_Default
  - Recommended
  - Web_Server
- By default, the detector embedded in the SRX-series devices has the SIP, SSL, SSH, and MSRPC protocol decoders disabled.
- IDP failover is not supported in chassis clustering.
Netscreen Remote
Netscreen Remote is not supported on SRX-series devices.
System
On the four Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/3)
of an SRX650 device, if a port is linked up at 10 Mbps or 100 Mbps,
it will not support jumbo frames. Frames greater than 1500 bytes will
be dropped.