Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 
[+] Expand All
[-] Collapse All

Known Issues

The following problems currently exist in Juniper Networks branch SRX Series Services Gateways and J Series Services Routers. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

Note: For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at

Application Identification (AppID)

  • On all branch SRX Series devices, AppID might not identify the application during stress traffic conditions for 1 GB memory devices due to insufficient memory. PR923548

Authentication and Access Control

  • On branch SRX Series devices, with pass-through authentication the firewall client access destination server by old browser ( like MS-IE4/MS-IE5), the flowd process might crash on all SRX Series devices when pass-through http traffic which matches the fwauth-polic. PR1203294

Chassis Cluster

  • On branch SRX Series devices in a chassis cluster, the clear interface stats command does not work when any of the nodes in a chassis cluster are down. PR550641
  • On SRX650 devices in a chassis cluster, when the fabric link is disabled manually by using the CLI, the secondary node remains in the secondary mode. As a result, in the active/active mode, the Z-traffic is dropped even when the secondary node is up and the fabric link status is down. PR839193
  • On SRX Series devices in chassis clusters, the PIC might go offline on one of the nodes due to RG0 failover caused by rebooting the device. PR933248
  • On all SRX Series devices with dual fabric link chassis cluster, one of fabric link sometimes shows as down after RG0 failover or node reboot even there is fabric probe on the link. PR1207919

Class of Service (CoS)

  • On all branch SRX Series devices in chassis clusters Z mode, the traffic rate-limited displays a deviation in the traffic forwarding rate. PR779368
  • On all branch SRX Series devices, you cannot apply CoS rewrite rules based on AppQoS. PR782050
  • On SRX240H and SRX240H2 devices, because of a system performance limitation, some queues of CoS might not get enough packets when the traffic is high. PR1061350


  • On SRX Series devices, the loop back CLI configurations shdsl-options for pt interface is not working as expected. PR798180
  • On SRX Series devices, the SHDSL media and statistics counters are not incrementing after the introduction of micro-interruption to the line. The counters are also not cleared even after explicitly using the clear command. PR810334
  • On all branch SRX Series devices, packet loss is seen initially for 15 seconds after the GRE tunnel is brought up over the VDSL interface. PR821330
  • On SRX210 and SRX220 devices, when the baseboard port or the 1XGE Mini-PIM port over IRB is configured to receive joins for any valid multicast address x.1.1.1, the multicast address is not recognized and it is not present in the PIM join or IGMP group. PR873909
  • On all SRX Series devices, SFP interfaces ge-0/0/7, ge-0/0/8, and ge-0/0/9 on the 1-Gigabit Ethernet SYSIO card auto-negotiate to 10 gigabits per second. PR946581
  • On branch SRX Series devices, IP Monitoring supports only point to point interface, you cannot configure the interface with point to multi-point encapsulation mode such as ether-over-atm-llc as next hop. PR956174
  • On branch SRX Series devices, when you disable the interface manually in IP monitoring, the backup route cannot be removed. PR957027
  • On all branch SRX Series devices, if flexible-vlan-tagging is configured on the underlying interface of a PPPoE interface, then the native-vlan will not be supported on this interface. Traffic sent out from the logical interface which is an underlying interface of PPPoE and native-vlan is configured will wrongly contain the VLAN tag. PR987068
  • On SRX210 or SRX220 chassis cluster, if a VLAN interface is configured as the interface of JDHCP server, then the DHCPDISCOVER message will be dropped on the switch chip, which results in the function of JDHCP server failure. PR1088134
  • On branch SRX Series devices, the vrf-table-label command is currently supported only on physical interfaces. This statement is not supported over aggregated interfaces or VLAN interfaces. PR1137159

Flow-based and Packet-based Processing

  • On all branch SRX Series devices, when data flowsets are exported after AS configuration changes, the changes to srcAS and dstAS values are not reflected immediately in the exported flows. PR864416
  • On all branch SRX Series devices, when sampling is enabled, the template-refresh-rate and option-refresh-rate options takes into account a default value of 60 seconds, if packets are configured without any value for seconds. PR865413
  • On SRX220H2 devices, the TCP connection rate might drop by 15 percent. PR898217
  • On all branch SRX Series devices, the IDF scheduler-map and the IFL scheduler-map are not supported simultaneously. PR1126942
  • On all branch SRX Series devices, flowd_octeon_hm core several times on both the nodes. PR1193835
  • On SRX200 devices, the flowd process might crash and generate core dump after upgrade to 12.1x46-D55 and above. PR1211282


  • On SRX550 devices, the USB modem is not supported due to hardware limitation. PR856058
  • On SRX650 devices, when using SRX-SFP-1GE-LX optics with Sumitomo part number SCP6G44-J8-ANE or SCP6G44-J7-ANE, the SFP will not work. After reboot the following message appears on the console: twsi0: Device timeout on unit 1. This specific type of SFP should not be used on SRX650. On other platforms this SFP works fine. PR1118061

Network Management and Monitoring

  • On all branch SRX Series devices, when the source address is specified for a particular host, the event process might crash. PR769855
  • On SRX240B2 and SRX240H2 devices, when you try to upgrade the device from Junos OS Release 11.4 to Junos OS Release 12.1X44, Junos OS Release 12.1X45, Junos OS Release 12.1X46, or Junos OS Release 12.1X47, the upgrade fails when attempting to validate the configuration. PR958421
  • On all SRX Series devices, the management process daemon (mgd) process might be stuck in a loop and cause high CPU usage on RE. PR991616
  • On all branch SRX Series devices, the \x22 \x27 parsing fails because of the escape sequences in C. PR992606
  • On branch SRX Series devices, when you run the set system autoinstallation command to configure the unit 0 logical interface for all the active state physical interfaces, the CLI command fails and does not allow the unit logical interface to be configured. Due to this issue the DCD process might crash, causing improper installation of the interface-related configuration. PR1147657

Platform and Infrastructure

  • On SRX Series devices, the RPC connection handle created inside a template is not passed from jcs:open() back to the template caller. PR790202
  • On all branch SRX Series devices, the maximum MTU supported on the 1XGE Mini-PIM card is 9010 bytes for both optical and copper small form-factor pluggable transceiver (SFP). If a 1XGE Mini-PIM card is configured with a value greater than 9010, the earlier committed value takes effect, but no error message is displayed in the CLI. However, the log captures the failure to set the configured MTU value. PR825691
  • On SRX Series devices, when forwarding restarts on the primary node or when the primary node is rebooted, the Flexible PIC Concentrator (FPC) on that node might not come online. Multiple reboots of the node are required to bring the FPC online. PR868792
  • On all branch SRX Series devices, when reverse path forwarding (RPF) is enabled along with real-time performance monitoring (RPM), the device changes to db prompt and loses the reach ability when you delete some configurations. PR869528
  • On all SRX Series devices, when the device acts as a DHCP client and if it receives a DHCP offer containing a large lease value (for example, the lease value is greater than or equal to 230,000,000 seconds) from a DHCP server, the DHCP process on the device crashes. The DHCP client interface acquires an IP address, but the routes will not be through DHCP.


  • On all SRX Series devices, security policies in [groups] configuration hierarchy might lead to security policies out-of-sync between PFE and RE. This is because the policy in groups might cause policy ID change while committing the configuration. PR926728

    As a workaround, if using policies in groups name security you can ensure the issue will not trigger by having at all times policy configured under security hierarchy. This can be accomplished also with a dummy policy under security, but some policy has to be present. Please ensure that do not nest groups together in the groups configuration hierarchy. If policies are not required to be configured in groups name security hierarchy, please move all the security policies away from groups configuration and configure them in the security hierarchy. Note this issue will occur even deactivating the security policies configuration in groups hierarchy.

  • On all SRX Series devices, File Descriptor (FD) might leak on the httpd-gk process when system fails to connect to the mgd process management socket. PR1127512
  • On all branch SRX devices, if there are two or more IP Monitoring configured, and they operate the same IP prefix, then unexpected behavior with IP Monitoring might occur, such as false negative. PR1192668

Routing Policy and Firewall Filters

  • On branch SRX Series devices, the feed-server option is not supported. PR899426
  • On all SRX Series devices, there might be a traffic outage if failover happens between node0 and node1 and the network security daemon (NSD) fails to read the security policies from the configuration file. PR1182591

Unified Threat Management (UTM)

  • On SRX650 devices, after installing advance services such as UTM and IDP, the corresponding bit of the NVRAM environment variable will be set. This bit is used to decide if the advance service should be enabled or not. PR943672
  • On all branch SRX Series devices (SRX550 and SRX650) with Sophos Antivirus (SAV) configured, some files whose size is larger than the max-content-size might not go into fallback state. Instead, some protocols do not predeclare the content size. PR1005086
  • On SRX Series devices, when UTM, Security log, or Advanced Anti-Malware Service is used, in a rare condition, a memory corruption might occur on the data-plane, which results in the flowd process crash. PR1154080
  • On branch SRX Series devices, web traffic is blocked while using Enhanced Web Filtering with site-reputation-action. PR1178734


  • On branch SRX Series devices, RIP is not supported in P2MP VPN scenarios including AutoVPN deployments. We recommend OSPF or IBGP for dynamic routing when using P2MP VPN tunnels. PR1008110
  • On all SRX Series device, if there are lots of IPsec VPNs configured, any configuration commit related to IPsec VPN might cause a pause in the kmd process, which might cause Dead-Peer-Detection (DPD) timeout and VPN tunnel renegotiation. PR1129848
  • On branch SRX Series devices with chassis cluster enabled, when the RG0 failover occurs, the pp0 interface will flap if the IPsec VPN tunnel is established using a pp0 interface as the external interface. Due to a timing issue, the pp0 interface flapping might cause the VPN tunnel session and IPsec Security Association (SA) installed in the data-plane to be deleted but the IKE/IPsec SA installed in the Routing Engine will remain causing the VPN traffic outage. PR1143955
  • On branch SRX Series devices, when non-reth interfaces are used in a cluster and there is traffic that needs to be encapsulated in GRE and then sent over an IPsec tunnel, the other peer might notice ESP packets being sent by the device with incorrect sequence numbers. PR1169537
  • On all SRX Series devices, when using P2MP IPSec VPN tunnels with Dynamic routing over tunnel, a ksyncd core may be encountered after RG0 failover on previous RG0 primary node, if dynamic routing is removed from VPN tunnel prior to RG0 failover. PR1170531
  • On all branch SRX Series devices, using IKEv2 and agressive mode for several gateways where the external interfaces are the same, after some time of establishment, when trying to renew phase one, logs will show that the vpn will try to use the information of the last established VPN to renew this one, leading to a failure to reestablished the IPsec VPN. PR1187988

Related Documentation

Modified: 2017-04-24