
Known Issues

The following problems currently exist in Juniper Networks SRX Series Services Gateways. The identifier following each description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

Note: For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at https://www.juniper.net/prsearch.

Access Point Network

  • On high-end SRX Series devices, if the SGSN and the GGSN use the same IP address, the device cannot detect the conflict, and a conflicting GSN entry is installed on a different SPU. PR893436
  • On high-end SRX Series devices, one IP address cannot be configured as both a private IP address and a public IP address. The GTP framework cannot detect this conflict, and the conflicting GSN entries are installed on a different SPU. PR893460

Application Identification (AppID)

  • On high-end SRX Series devices, in certain cases, configuring AppQoS rules prevents the application system cache from being populated with entries from the application identification results. PR755979

Application Layer Gateways (ALGs)

  • On high-end SRX Series devices, ASL session synchronization can fail for either of two reasons:
    • The flow session is destroyed before the ASL session is received.
    • The ASL resource or session synchronization RTO is lost.

    PR920540

Authentication and Access Control

  • On high-end SRX Series devices, during firewall HTTP/HTTPS pass-through authentication, the device incorrectly removes a leading colon from the password string. As a result, when the password string begins with a colon, authentication fails and the authentication entry cannot be created. PR1187162

Chassis Cluster

  • On SRX5600 virtual chassis, when you swap the members of a LAG interface, a vmcore or ksyncd core file might be generated on the backup Routing Engine. PR711679
  • On high-end SRX Series devices in a chassis cluster, if a reth Layer 3 logical interface is disabled, the reth interface remains active and the direct route for this logical interface is not removed from the forwarding table. All traffic destined for the disabled network is still routed out through the disabled reth interface. PR740856
  • On SRX1400 devices in a chassis cluster, after you commit a configuration, the LED changes from green state to off. PR749672
  • On high-end SRX Series devices in a chassis cluster, if the secondary node is rebooted while new web authentication requests continuously enter the chassis cluster, the web authentication entry ID differs between the two nodes when testing in-service hardware upgrade (ISHU). PR826100
  • On SRX5600 and SRX5800 devices, when you reboot the device, cyclic redundancy check (CRC) error messages might be recorded in the chassis log file. This does not affect normal operation of the device and can be ignored. PR877722
  • On high-end SRX Series devices, for GTPv0 and GTPv1, if the time interval between the primary PDP activation message and the secondary PDP activation message is too small, the secondary GTP-U tunnel on the chassis cluster backup node is not established, and the no control tunnel error counters increment on the backup node. As a result, the related secondary GTP-U tunnels fail on the backup node. PR924791
  • On SRX Series devices in a chassis cluster, the PIC might go offline on one of the nodes because of an RG0 failover caused by rebooting the device. PR933248
  • On high-end SRX Series devices, when a GTP-U tunnel conflict occurs (two U tunnels have the same GSN IP address and TEID), the associated C tunnel is located on another SPU, and the user then deletes the related NAT rules or runs the clear security gprs gtp tunnel all command, the GSN entry for the C tunnel goes to obsolete status but its tunnel count might not reach zero. As a result, the GSN entry is never cleared. PR937464
  • On high-end SRX Series devices, the CLI commands for security intelligence and dynamic address are supported only on the primary node. If you see the error message "the security-intelligence subsystem is not responding to management requests", run the commands again on the primary node. PR961840
  • On high-end SRX Series devices, it is strongly recommended that both control-plane and data-plane CPU usage be below 50% before starting ISSU. If the primary device is running above 70% CPU, ISSU fails in most cases because of cold synchronization failures. Use the show chassis routing-engine (RE CPU) and show security monitoring (SPC CPU) commands to check CPU utilization. If CPU usage is high, it is strongly recommended to disable traceoptions or allow only critical-level logging, using the deactivate chassis cluster traceoptions and security policy log commands. If CPU usage is high because of heavy traffic, redirect the traffic to another security device or wait until the traffic decreases. PR1016437
  • On all SRX Series devices with a dual fabric link chassis cluster, one of the fabric links sometimes shows as down after an RG0 failover or node reboot, even though fabric probes are present on the link. PR1207919
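The pre-ISSU CPU check described for PR1016437 can be scripted so the 50% and 70% thresholds are applied consistently across the Routing Engine and every SPC. The following Python is an added example written for this page, not Juniper code. It assumes the operator has already captured the text of show chassis routing-engine and show security monitoring; the two sample outputs embedded in the script are constructed to approximate the real CLI format (the Idle line under "CPU utilization:" and the per-PIC "CPU Util" column) and are not taken from a device, so the column layout may need adjusting for a given release.

```python
"""Pre-ISSU CPU headroom check (added example; not Juniper code).

The release note for PR1016437 recommends control-plane and data-plane CPU
below 50% before ISSU and warns that above 70% ISSU usually fails. This script
parses the 'CPU utilization' block of `show chassis routing-engine` and the
'CPU Util' column of `show security monitoring` and applies those thresholds.
Both sample outputs below are constructed to approximate the real CLI output;
they are not captured from a device.
"""
import re

ISSU_RECOMMENDED_MAX = 50   # page: CPU should be below 50% before ISSU
ISSU_LIKELY_FAIL_OVER = 70  # page: above 70% ISSU fails in most cases

# Constructed sample, approximating `show chassis routing-engine`.
RE_OUTPUT = """\
Routing Engine status:
  Slot 0:
    Current state                  Master
    Memory utilization          31 percent
    CPU utilization:
      User                      52 percent
      Background                 0 percent
      Kernel                    22 percent
      Interrupt                  1 percent
      Idle                      25 percent
    Model                          RE-S-1300
"""

# Constructed sample, approximating `show security monitoring` (one row per PIC).
SPC_OUTPUT = """\
FPC  PIC  CPU Util  Memory Util  Current Flow Session  Max Flow Session
  0    0      12 %         61 %                 10234           1048576
  1    0      48 %         63 %                 40982           1048576
  1    1      73 %         64 %                 58211           1048576
"""


def re_cpu_usage(output):
    """Return Routing Engine CPU usage as 100 minus the Idle percentage
    found under the 'CPU utilization:' heading."""
    in_block = False
    for line in output.splitlines():
        if line.strip() == "CPU utilization:":
            in_block = True
            continue
        if in_block:
            m = re.match(r"\s*Idle\s+(\d+)\s+percent", line)
            if m:
                return 100 - int(m.group(1))
    raise ValueError("no Idle line found under 'CPU utilization:'")


def spc_cpu_usage(output):
    """Return {(fpc, pic): cpu_percent} from rows of the form
    '<fpc> <pic> <cpu> % ...'. The header row does not match the pattern."""
    usage = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s*%", line)
        if m:
            usage[(int(m.group(1)), int(m.group(2)))] = int(m.group(3))
    return usage


def issu_verdict(re_cpu, spc_cpu):
    """Classify readiness against the page's thresholds: 'ok' if every unit
    is below 50%, 'fail' if any unit exceeds 70%, otherwise 'warn'
    (50-70%: not recommended, may still succeed)."""
    worst = max([re_cpu] + list(spc_cpu.values()))
    if worst < ISSU_RECOMMENDED_MAX:
        return "ok"
    if worst > ISSU_LIKELY_FAIL_OVER:
        return "fail"
    return "warn"


def busy_units(re_cpu, spc_cpu):
    """List the units at or above 50%, so the operator knows where to look
    (traceoptions and logging on the RE, traffic load on the SPCs)."""
    busy = []
    if re_cpu >= ISSU_RECOMMENDED_MAX:
        busy.append(("RE0", re_cpu))
    for (fpc, pic), cpu in sorted(spc_cpu.items()):
        if cpu >= ISSU_RECOMMENDED_MAX:
            busy.append(("FPC%d/PIC%d" % (fpc, pic), cpu))
    return busy


if __name__ == "__main__":
    re_cpu = re_cpu_usage(RE_OUTPUT)
    spc_cpu = spc_cpu_usage(SPC_OUTPUT)
    print("RE CPU: %d%%  SPC CPU: %s" % (re_cpu, spc_cpu))
    print("verdict:", issu_verdict(re_cpu, spc_cpu))
    for unit, cpu in busy_units(re_cpu, spc_cpu):
        print("  busy: %s at %d%%" % (unit, cpu))
```

With the constructed samples the verdict is "fail": the RE is at 75% and FPC1/PIC1 at 73%, both above the 70% mark, which is exactly the situation the note says leads to cold synchronization failures. The verdict is driven by the worst single unit rather than an average, because one overloaded SPC is enough to break synchronization even when the rest of the chassis is idle.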

Flow-based and Packet-based Processing

  • On high-end SRX Series devices, when end-to-end debugging is enabled and the traffic rate is 1000 packets per second (pps) or higher, packet loss is observed. PR786406
  • On high-end SRX Series devices, the XLR ingress paused condition causes traffic drops and added latency for the traffic being processed. PR829714
  • On high-end SRX Series devices, a session cannot be created for from-self OSPF or from-self OSPF3 traffic. If such traffic enters an IPsec tunnel, pre-fragmentation cannot be performed, because the traffic bypasses the flow fragmentation process and jexec does not support the IPv6 post-fragmentation process. As a result, jexec drops the packet. PR918429
  • On all high-end SRX Series devices, when IPsec is enabled, AppQoS does not apply the rate limiter for egress traffic. PR918942
  • On high-end SRX Series devices with next-generation IOCs, when IPv6 traffic is processed in packet mode, screens are not detected. As a workaround, use flow mode instead of packet mode. PR944273
  • On SRX5000 Series devices using SPC II, the flowd process crashes because of a cache error. PR1005195
  • On SRX3400 devices, throughput (TP) and connections per second (CPS) for SSL forward proxy (SSL-FP, enabled with the IDP-REC policy and a 1K key) drop by 15% to 18%. This issue does not affect SRX5000 and SRX550 devices. The root cause of the drop is an OpenSSL fix: OpenSSL was upgraded to version 1.0.1p in Junos OS Release 12.1X46-D55, which was necessary to address several security vulnerabilities in SSL. PR1198833
  • On high-end SRX Series devices, a packet filter configured with only destination-prefix or destination-port matches traffic in one direction only. PR1227357

GPRS

  • On high-end SRX Series devices, for GTPv0 and GTPv1, if the time interval between the primary PDP activation message and the secondary PDP activation message is too small, the secondary GTP-U tunnel on the chassis cluster backup node is not established, and the no control tunnel error counters increment on the backup node. As a result, the related secondary GTP-U tunnels fail on the backup node. PR929042
  • On high-end SRX Series devices, if the device receives delete PDP response messages simultaneously for both the secondary and the primary PDP, the primary PDP message might be processed first. When the primary PDP tunnels are deleted, all related secondary PDP tunnels are deleted as well. As a result, some of the delete PDP response messages might be dropped with no control tunnel errors, but all requested PDP tunnels are deleted and there is no impact on the GTP tunnels. PR929355

Interfaces

  • On SRX Series devices, the loopback configuration under shdsl-options for the pt interface does not work as expected. PR798180
  • On SRX Series devices, the SHDSL media and statistics counters do not increment after a micro-interruption is introduced on the line. The counters are also not cleared even when the clear command is run explicitly. PR810334
  • On all SRX Series devices, SFP interfaces ge-0/0/7, ge-0/0/8, and ge-0/0/9 on the 1 GE SYSIO card auto-negotiate to 10 gigabits per second. PR946581
  • On high-end SRX Series devices, reth interfaces with more than one child interface per node (RLAG, redundant LAG) are not supported. PR996783

Intrusion Detection and Prevention (IDP)

  • On all high-end SRX Series devices, in the output of the show services application-identification application-system-cache command, the application-system-cache table entry for point-to-point encrypted traffic is incorrectly marked as Encrypted: No instead of Encrypted: Yes. PR704023
  • On all high-end SRX Series devices, the all attacks policy is not supported. The IDP policy templates currently supported are dynamic and grow as attack signatures are added; therefore, the supported templates might eventually exceed the policy size limit. PR876449
  • On all high-end SRX Series devices, when both the Gn and Gp interfaces pass through the device and the Gn interface is NAT-enabled, the restart counter takes effect only on the Gn interface. PR893379
  • On high-end SRX Series devices, when the IDP SSL inspection feature is enabled and processes traffic, a race condition in which multiple threads update a reference count concurrently might corrupt data and cause the idpd process to crash. PR1149604

J-Web

  • On high-end SRX Series devices, all fields in the edit policy window are empty in the logical systems. PR900975

Layer 2 Features

  • On high-end SRX Series devices, in the SNMP jnxJdhcpRelayBindings table, the OID values for the IP address and time have format errors. As a result, the OID value for the interface is lost. PR908619
  • On SRX5600 devices, when IP spoofing is configured in Layer 2 mode, if the delete security, delete security zone, delete security screen, or delete security address-book command is run before the IP spoofing screen and the address books for specific zones are defined, and the configuration is not committed, the addresses in the Packet Forwarding Engine (PFE) might be incorrect. As a result, IP spoofing detection might not work. PR943232

Network Address Translation (NAT)

  • On all high-end SRX Series devices in a chassis cluster, some persistent NAT table entries cannot be removed on the SPU when the device is under heavy traffic with multiple failovers. PR834823

Network Management and Monitoring

  • On SRX3400 and SRX3600 devices installed with a dated or non-permanent full-cp-key license, when you upgrade to Junos OS Release 12.1X46-D15, the full-cp-key license might be marked as invalid. As a result, the central point (CP) runs in central point flow mode instead of full central point mode. PR964261
  • On all SRX Series devices, the management process (mgd) might get stuck in a loop and cause high CPU usage on the Routing Engine. PR991616
  • On all high-end SRX Series devices, each node has only one Routing Engine. RE 0 in the master node is the master Routing Engine, and RE 0 in the secondary node is the backup Routing Engine. The request system power-off both-routing-engines command powers off both the master and the backup Routing Engines simultaneously. PR1039758
  • On SRX5400, SRX5600, and SRX5800 devices, the flowd process might crash when services offload (SOF) is enabled. PR1084123
  • On all SRX Series devices, file descriptors (FDs) might leak in the httpd-gk process when the system fails to connect to the mgd process management socket. PR1127512
  • On SRX3400 and SRX3600 devices, in a rare condition, an SPC might get stuck and generate a vmcore file. PR1136599

Platform and Infrastructure

  • On high-end SRX Series devices running Junos OS Release 11.2R7, CL73-AN was inadvertently enabled for ports 7, 8, and 9 on the 1 Gigabit Ethernet SYSIO card. As a result, links failed to come up on these ports. PR787010
  • On SRX Series devices, the RPC connection handle created inside a template is not passed from jcs:open() back to the template caller. PR790202
  • On all high-end SRX Series devices, when you try to reload a kernel module that is already linked to the kernel, an error message is displayed because the module is already present. The error message does not impact functionality. PR817861
  • On SRX Series devices, when forwarding restarts on the primary node or the primary node is rebooted, the Flexible PIC Concentrator (FPC) on that node might not come online. As a workaround, reboot the node multiple times to bring the FPC online. PR868792
  • On high-end SRX Series devices, if not all input parameters for the show security match-policies global source-ip destination-ip source-port destination-port protocol command are provided, the management process might enter an infinite loop, resulting in high CPU utilization on the Routing Engine. PR893721
  • On all SRX Series devices acting as a DHCP client, if the device receives a DHCP offer containing a large lease value (for example, greater than or equal to 230,000,000 seconds) from a DHCP server, the DHCP process on the device crashes. The DHCP client interface acquires an IP address, but the routes are not installed through DHCP. PR899941
  • On SRX5000 Series devices equipped with the MIC 10x 10GE SFP+, the 10G ports on these cards might stay offline when a link flaps or an SFP+ is inserted after the link has been up for more than 3 months. PR905589
  • On SRX5600 devices in a chassis cluster, when the telnet program is run on either the primary or the secondary Routing Engine to connect to SPUs on the Packet Forwarding Engine (PFE) side, the connection gets stuck because the telnet program uses an incorrect source IP address in the multichassis environment. When the connection gets stuck, specify the local chassis IP address as the source IP address with the -s parameter so that the telnet program can connect to the SPUs. PR923782
  • On all SRX Series devices, security policies in the [groups] configuration hierarchy might cause the security policies to be out of sync between the PFE and the RE, because a policy in groups can cause the policy ID to change when the configuration is committed. PR926728
  • On all high-end SRX Series devices, if a large number of IPv6 addresses are configured on an interface, or a large number of logical interfaces (IFLs) with IPv6 addresses are configured on an interface, the kernel might become very busy when the interface is enabled or disabled. Key kernel modules, such as TNP or RDP, might then not be scheduled in time, causing SPCs to go offline. Disabling duplicate address detection can help mitigate the kernel busy condition. PR929300
  • On all high-end SRX Series devices, the flowd process might crash and cause a traffic outage if SPU (Services Processing Unit) CPU usage is higher than 80%. In that state, some threads are left waiting and the watchdog cannot be toggled in time, causing the flowd process to crash. PR1162221
  • On SRX5000 Series devices, when the control link is down, the secondary node becomes ineligible and then goes to the disabled state. However, FPCs restart continuously after the node enters the disabled state, when they should remain offline until the node is rebooted. PR1170024
  • On SRX5400, SRX5600, and SRX5800 devices, the device stops working after a broadcast storm, and this condition lasts for nearly 12 hours. PR1192536

Routing Policy and Firewall Filters

  • On all SRX Series devices, a traffic outage might occur if a failover happens between node0 and node1 and the network security daemon (NSD) fails to read the security policies from the configuration file. PR1182591

System Logs

  • On high-end SRX Series devices, I2C-related error messages are seen in the log file during run time. These messages are harmless; the issue does not impact production traffic. PR937357

Unified Threat Management (UTM)

  • On high-end SRX Series devices, under high CPS with UTM SAV-interested traffic, CPU usage might ramp up to 99% because of the central lock on object cache memory allocation. There is no clear boundary, because the allocation race condition varies. Reducing the traffic CPS lowers the high CPU usage. PR967739
  • On high-end SRX Series devices in a high-availability (HA) cluster, the event message LIBJNX_REPLICATE_RCP_ERROR is generated when the secondary node fails to synchronize the SAV database from the primary node while UTM is being disabled. PR1071708
  • On SRX Series devices, when UTM, security log, or the Advanced Anti-Malware service is used, in a rare condition, memory corruption might occur on the data plane, resulting in a flowd process crash. PR1154080

User Interface and Configuration

  • On all SRX Series devices, under certain conditions, if the interface and security zone configuration is out of synchronization between the Routing Engine and the Packet Forwarding Engine, the interfaces might be bound to a NULL security zone. As a result, the network security daemon (NSD) process crashes. PR1000309

VPNs

  • On all high-end SRX Series devices, IPsec replay errors might be observed after RG1 failovers. PR832834
  • On all high-end SRX Series devices in an AutoVPN deployment, when the multicast traffic sender is located behind a spoke, multicast traffic might drop for up to 6 minutes during ISSU on the hub. The recommended AutoVPN multicast topology is to locate the multicast source behind a hub. PR946951
  • On high-end SRX Series devices, traffic selectors are not supported in IPsec VPN when the bound tunnel interface (st0.x) belongs to a user logical system (LSYS). PR960097
  • On all SRX Series devices, if many IPsec VPNs are configured, any configuration commit related to IPsec VPN might cause a pause in the kmd process, which might cause a Dead Peer Detection (DPD) timeout and VPN tunnel renegotiation. PR1129848
  • On all SRX Series devices, if an IPsec VPN tunnel is established using IKEv2, a few drops might be observed during CHILD_SA rekey with the reason "bad SPI" when the SRX Series device is the responder for the rekey. PR1129903
  • On all SRX Series devices, when using P2MP IPsec VPN tunnels with dynamic routing over the tunnel, a ksyncd core file might be generated after an RG0 failover on the previous RG0 primary node if dynamic routing is removed from the VPN tunnel before the RG0 failover. PR1170531

Modified: 2017-04-24