Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways
Accounting-Options Hierarchy
- In the CLI accounting-options hierarchy for SRX 210 and SRX 240 devices, accounting, source-class, and destination-class are not supported.
Chassis Cluster
For this release of JUNOS software, the following features are not supported when chassis clustering is enabled on the device:
- All packet-based protocols, such as MPLS, Connectionless Network Service (CLNS), and IP version 6 (IPv6)
- Any function that depends on the configurable interfaces:
  - lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)
  - gr-0/0/0—Generic routing encapsulation (GRE) and tunneling
  - ip-0/0/0—IP-over-IP (IP-IP) encapsulation
  - pd-0/0/0, pe-0/0/0, and mt-0/0/0—All multicast protocols
  - lt-0/0/0—Real-time performance monitoring (RPM)
- WXC Integrated Services Module (WXC ISM 200)
- Layer 2 Ethernet switching
- ISDN BRI
- Multicast traffic streams
- Dial-up VPN is not supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 chassis clusters. It is supported in standalone mode.
- IDP feature is not supported in active/active chassis clustering.
Additional limitations include:
- For SRX 3000 and SRX 5000 line chassis clusters, screen statistics data can be gathered on the primary device only.
- After fabric interfaces have been configured on a chassis cluster, removing the fabric configuration on either node will cause the redundancy group 0 (RG0) secondary node to move to a disabled state. (Resetting a device to the factory default configuration removes the fabric configuration and thereby causes the RG0 secondary node to move to a disabled state.) After the fabric configuration is committed, do not reset either device to the factory default configuration.
CLI
On SRX 210 and SRX 240 devices, J-Web crashes if more than nine users log into the router via the CLI.
The number of users allowed to access the routers is limited.
- For SRX 210 devices: four CLI users and three J-Web users
- For SRX 240 devices: six CLI users and five J-Web users
Flow and Processing
Maximum Concurrent ssh, telnet, and Web Sessions
- For ssh, telnet, and Web sessions, the maximum number of concurrent sessions is as follows:

| Sessions | SRX 210 Devices | SRX 240 Devices | SRX650 Devices |
| --- | --- | --- | --- |
| ssh | 3 | 5 | 5 |
| telnet | 3 | 5 | 5 |
| web | 3 | 5 | 5 |

Note: These defaults are provided for performance reasons.
Hardware
- This section covers the filter and policing limitations:
The following features are not supported by simple filter on SRX 3400 and SRX 3600 devices:
- Forwarding class as match condition.
The following features are not supported by policer and three-color-policer on SRX 3400 and SRX 3600 devices:
- color-aware mode of a three-color-policer
- filter-specific policer
- forwarding class as action of a policer
- logical interface policer
- logical interface three-color policer
- logical interface bandwidth policer
- packet loss priority as action of a policer
- packet loss priority as action of a three-color-policer
The following features are not supported by a firewall filter on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices:
- policer action
- egress FBF
- FTF
The following are the limitations of a simple filter on SRX 3400 and SRX 3600 devices:
- In one Broadcom packet processor on an IOC, up to 100 logical interfaces can be applied with simple filters.
- In one Broadcom packet processor on an IOC, the maximum number of terms across all simple filters is 4000.
- In one Broadcom packet processor on an IOC, the maximum number of policers is 4000.
- In one Broadcom packet processor on an IOC, the maximum number of three-color-policers is 2000.
- The maximum burst size of a policer or three-color-policer is 16M bytes.
Interfaces and Routing
- MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3 on the SRX650 services gateway.
- On SRX 240 devices, IP multicast switching is not supported, so multicast snooping is based on the corresponding IP multicast L2 address (01:00:5e:xx:xx:xx). As a result, all multicast receivers whose IP multicast addresses map to the same L2 address will receive the packets.
- The VLAN range from 3967 to 4094 is reserved on SRX 240 and SRX650 devices, and the user is not allowed to configure VLANs from this range.
- On SRX650 devices, the last 4 ports of 24 GE-GPIM can be used either as RJ45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, then the interface will switch to the RJ45 medium. This can take up to 15 seconds, during which the LED for the RJ45 port may go up and down intermittently. Similarly, when the RJ45 medium is active and an SFP link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.
- The user can only use IPsec on an interface that resides in routing instance inet 0. The user is able to assign an external interface to the IKE policy if that interface is placed in a routing instance other than inet 0, but the configuration is not supported.
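The SRX 240 multicast snooping limitation above means that groups sharing an L2 address also share receivers. The following added example (not part of the original release notes) applies the standard IPv4 multicast-to-Ethernet mapping, in which only the low 23 bits of the group address are carried into 01:00:5e:xx:xx:xx, to find overlapping groups in an address plan; the group list is constructed sample data.

```python
import ipaddress
from collections import defaultdict


def multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet address:
    01:00:5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E,
              (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)


def aliases(group):
    """All 32 groups that share the L2 address of `group`.
    The 5 bits between the 1110 prefix and the low 23 bits are not
    represented in the MAC address, so 2**5 groups collapse onto it."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    base = 0xE0000000  # 224.0.0.0
    return [str(ipaddress.IPv4Address(base | (hi << 23) | low23))
            for hi in range(32)]


def overlapping_groups(groups):
    """Return {mac: [groups]} for every L2 address used by more than one
    group. With snooping keyed on the L2 address, receivers of any group
    in such a set also receive traffic for the others."""
    by_mac = defaultdict(list)
    for g in groups:
        by_mac[multicast_mac(g)].append(g)
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}


# Constructed sample address plan (not taken from the release notes).
PLANNED_GROUPS = ["239.1.1.1", "224.1.1.1", "239.129.1.1",
                  "239.2.2.2", "232.5.5.5"]

if __name__ == "__main__":
    for mac, gs in overlapping_groups(PLANNED_GROUPS).items():
        print(mac, "<-", ", ".join(gs))
```

Running the check against a planned group list before deployment shows which streams cannot be isolated from one another by snooping on this platform.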
Intrusion Detection and Prevention (IDP)
- On SRX-series devices, IP actions do not work when you select a timeout value greater than 65535 in the IDP policy.
- On SRX 210, SRX 240, and SRX650 devices, the maximum number of IDP sessions supported in 9.5 is 16K.
- This release of JUNOS software for SRX-series devices supports all IDP policy templates except All Attacks. There is a 100-MB policy size limit, and the current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past this 100-MB policy size limit.
The following IDP policies are supported on SRX devices:
- DMZ_Services
- DNS_Service
- File_Server
- Getting_Started
- IDP_Default
- Recommended
- Web_Server
- By default, the detector embedded in the SRX-series devices has the SIP, SSL, SSH, and MSRPC protocol decoders disabled.
- IDP failover is not supported in chassis clustering.
NetScreen-Remote
- NetScreen-Remote is not supported on SRX-series devices.
System
- By default, the detector embedded in the SRX-series devices has the SIP, SSL, SSH, and MSRPC protocol decoders disabled.
- On the four Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/3) of an SRX650 device, if a port is linked up at 10 Mbps or 100 Mbps, it will not support jumbo frames. Frames greater than 1500 bytes will be dropped.