
Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 12.1X47 for the SRX Series.

Application Identification and Tracking

  • In Junos OS Release 12.1X47-D10 with application identification enabled, an impact on the application traffic throughput is observed compared to Junos OS Release 12.1X46 or earlier releases under the following scenarios:
    • Application system cache is disabled
    • Average session data length is very small (less than 44 KB)
    • Specific application traffic distributed extensively across non-standard random ports
    • Certain application traffic generator profiles are used (not in typical real-world deployments)

    You can improve application traffic throughput in these scenarios by enabling the new DPI performance mode with the enable-performance-mode parameter.

    • Use the set services application-identification enable-performance-mode command to set the deep packet inspection (DPI) in performance mode with default packet inspection limit as two packets, including both client-to-server and server-to-client directions.
    • Use the set services application-identification enable-performance-mode max-packet-threshold value command to set your own maximum packet threshold for DPI performance mode, counting both client-to-server and server-to-client directions. This command changes the packet inspection limit. The range for the max-packet-threshold value is 1 through 100.
    • Use the delete services application-identification enable-performance-mode command to switch DPI to default accuracy mode and disable the performance mode.

      Note: By default, DPI performance mode is not enabled on the SRX Series device.

    Use the show services application-identification status command to display detailed information about application identification status.

    In the following sample, the DPI Performance mode field shows that DPI performance mode is enabled. This field appears in the command output only when performance mode is enabled; when performance mode is disabled, the field is omitted.

    pic: 2/1
    
    Application Identification
    Status                            Enabled
    Sessions under app detection      0
    Engine Version                    4.18.2-24.006 (build date Jul 30 2014)
    Max TCP session packet memory     30000
    Force packet plugin               Disabled
    Force stream plugin               Disabled
    DPI Performance mode:             Enabled 
    Statistics collection interval    1 (in minutes)
    
    Application System Cache
    Status                            Enabled
    Negative cache status             Disabled
    Max Number of entries in cache    262144
    Cache timeout                     3600 (in seconds)
    
    Protocol Bundle
    Download Server                   https://services.netscreen.com/cgi-bin/index.cgi
    AutoUpdate                        Disabled
    Slot 1:
    Application package version       2399
    Status                            Active
    Version                           1.40.0-26.006 (build date May 1 2014)
    Sessions                          0
    Slot 2
    Application package version       0
    Status                            Free
    Version
    Sessions                          0
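    As an added example (not part of the release notes or of Junos OS), the following Python parser reads the status output shown above into sections and reports whether DPI performance mode is on, treating an absent field as "not enabled", which is how the text says the output behaves. The sample text is the release-notes output above, trimmed to two sections.

```python
import re

# Sample output copied from the release-notes example above (trimmed to two sections).
SAMPLE_STATUS = """\
pic: 2/1

Application Identification
Status                            Enabled
Sessions under app detection      0
Engine Version                    4.18.2-24.006 (build date Jul 30 2014)
Max TCP session packet memory     30000
Force packet plugin               Disabled
Force stream plugin               Disabled
DPI Performance mode:             Enabled
Statistics collection interval    1 (in minutes)

Application System Cache
Status                            Enabled
Negative cache status             Disabled
Max Number of entries in cache    262144
Cache timeout                     3600 (in seconds)
"""

# A field row is "<name>[:]<two or more spaces><value>"; anything else is a section header.
_ROW = re.compile(r"^(?P<key>\S.*?):?\s{2,}(?P<value>.+?)\s*$")


def parse_appid_status(text):
    """Return {section: {field: value}} for 'show services application-identification status'."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ROW.match(line)
        if m is None:
            current = line.strip().rstrip(":")   # section header such as "Application System Cache"
            sections[current] = {}
            continue
        sections.setdefault(current, {})[m.group("key")] = m.group("value")
    return sections


def dpi_performance_mode_enabled(text):
    """True only when the field is present and reads Enabled.

    The release notes state the field is omitted entirely when performance
    mode is off, so a missing key is read as 'not enabled', not as a parse error.
    """
    appid = parse_appid_status(text).get("Application Identification", {})
    return appid.get("DPI Performance mode", "").strip().lower() == "enabled"


def app_system_cache_enabled(text):
    """A disabled application system cache is one of the throughput-impact scenarios listed above."""
    cache = parse_appid_status(text).get("Application System Cache", {})
    return cache.get("Status", "").strip().lower() == "enabled"
```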
    
  • On all SRX Series devices, in next-generation application identification, the CLI statements and commands listed in Table 7 are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.

    Table 7: Items Deprecated in Junos OS Release 12.1X47-D10

    | Statement | Hierarchy | Additional Information |
    |---|---|---|
    | nested-application | [edit services application-identification] | Configure a custom nested application definition that the system uses to identify the nested application as it passes through the device. |
    | nested-application-settings | [edit services application-identification] | Configure nested application options for application identification services. |
    | enable-heuristics | [edit services application-identification] | Enable encryption and P2P detection. |
    | max-checked-bytes | [edit services application-identification] | Configure the maximum number of bytes to which the application signatures are applied. |
    | nested-application | [edit security idp custom-attack attack-name attack-type signature protocol-binding]; [edit security idp custom-attack attack-name attack-type chain protocol-binding] | Specify the nested application name when configuring custom attack objects to detect known or unknown attacks. Note: All nested applications formerly listed under this statement are now listed under the application application-name statement at the [edit security idp custom-attack attack-name attack-type signature/chain protocol-binding] hierarchies. |
    | nested-application | [security application-firewall] | Enable nested application dynamic lookup so that, during application firewall policy lookup, the application firewall matches an application rule when there is no explicit rule for the nested application. |
    | max-sessions | [edit services application-identification] | Specify the maximum number of sessions that application identification maintains. When this maximum is reached, all new sessions are dropped. |
    | request services application-identification application copy predefined-application-name | NA | Copy a predefined application signature from the database to the configuration and change its name. |
    | show services application-identification counter ssl-encrypted-sessions | NA | Display application identification counters for SSL-encrypted traffic. |

  • On all SRX Series devices, custom application signatures are not supported with this version of application identification.

    As a part of this change, the CLI statements used for configuring custom applications as listed in Table 8 are not supported in this release.

    Table 8: Statements Not Supported in Junos OS Release 12.1X47-D10

    | Statement | Hierarchy | Additional Information |
    |---|---|---|
    | application | [edit services application-identification] | Configure a custom application definition for the desired application name that the system uses to identify the application as it passes through the device. |
    | application-group | [edit services application-identification] | Specify any number of associated predefined applications, user-defined applications, and other groups for ease of use in configuring application-based policies. |

  • On all SRX Series devices, application-level distributed denial of service is being deprecated in Junos OS Release 12.1X47-D10. As a part of this change, the CLI statements and commands listed in Table 9 are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.

    Table 9: Items Deprecated in Junos OS Release 12.1X47-D10

    | Statement | Hierarchy | Additional Information |
    |---|---|---|
    | application-ddos | [edit security idp] | Configure application-level distributed denial-of-service (DDoS) protection. |
    | rulebase-ddos | [edit security idp idp-policy policy-name] | Configure the rulebase parameters for application-level DDoS attacks. |
    | application-ddos | [edit security idp sensor-configuration] | Enable application-level DDoS statistics collection. |
    | clear security idp application-ddos cache | | Clear application-level DDoS state, including context, context value, and client classification. |
    | show security idp application-ddos application | | Display basic statistics for the servers protected by the IDP application-level DDoS feature. |
    | show security idp counters application-ddos | | Display the status of all IDP application-DDoS counter values. |
    | clear security idp counters application-ddos | | Clear the status of all IDP application-DDoS counter values. |

    We strongly recommend that you phase out deprecated items and replace them with supported alternatives.

  • On all high-end SRX Series devices, application-level distributed denial-of-service (application-level DDoS) detection does not work if two rules with different application-level DDoS applications process traffic going to a single destination application server. When setting up application-level DDoS rules, make sure that traffic destined for one application server cannot match more than one rulebase-ddos rule when those rules reference different application-ddos objects. In other words, for each protected application server, configure the application-level DDoS rules so that traffic destined for that server is processed by only one application-level DDoS rule.

    Note: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.

    The following configuration options can be committed, but they will not work properly:

    | source-zone | destination-zone | destination-ip | service | application-ddos | Application Server |
    |---|---|---|---|---|---|
    | source-zone-1 | dst-1 | any | http | http-appddos1 | 1.1.1.1:80 |
    | source-zone-2 | dst-1 | any | http | http-appddos2 | 1.1.1.1:80 |
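    The following Python check is an added example (not part of the release notes or of Junos OS) that flags rulebase-ddos rule pairs which can cover the same destination server with different application-ddos objects, the configuration the text above says does not work. The rule set is constructed here; r1 and r2 reproduce the two-rule example, and r3 is an added rule on a different destination zone that does not conflict.

```python
import ipaddress
from itertools import combinations

# Constructed rulebase-ddos rules mirroring the "will not work properly" example above.
# destination_ip is "any" or an address/prefix as it would appear in the rule's match terms.
RULES = [
    {"name": "r1", "source_zone": "source-zone-1", "destination_zone": "dst-1",
     "destination_ip": "any", "service": "http", "application_ddos": "http-appddos1"},
    {"name": "r2", "source_zone": "source-zone-2", "destination_zone": "dst-1",
     "destination_ip": "any", "service": "http", "application_ddos": "http-appddos2"},
    {"name": "r3", "source_zone": "source-zone-1", "destination_zone": "dst-2",
     "destination_ip": "10.0.2.0/24", "service": "http", "application_ddos": "http-appddos3"},
]


def _same_or_any(a, b):
    return a == "any" or b == "any" or a == b


def _ips_overlap(a, b):
    if a == "any" or b == "any":
        return True
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def rules_may_share_server(a, b):
    """True when traffic to one destination server could match both rules.

    Only the destination-side terms decide this: source-zone does not
    partition servers, which is why the two-rule example above is a problem.
    """
    return (_same_or_any(a["destination_zone"], b["destination_zone"])
            and _ips_overlap(a["destination_ip"], b["destination_ip"])
            and _same_or_any(a["service"], b["service"]))


def find_conflicts(rules):
    """Return (name, name) pairs of rules that can cover the same server with
    different application-ddos objects; the release notes state that detection
    does not work for such servers. Rules are terminal, so a given session is
    processed by only the first matching rule."""
    return [
        (a["name"], b["name"])
        for a, b in combinations(rules, 2)
        if a["application_ddos"] != b["application_ddos"] and rules_may_share_server(a, b)
    ]


if __name__ == "__main__":
    for a, b in find_conflicts(RULES):
        print(f"conflict: {a} and {b} can both match traffic to the same server")
```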

  • On all high-end SRX Series devices, application-level DDoS rule base (rulebase-ddos) does not support port mapping. If you configure an application other than default, and if the application is from either predefined Junos OS applications or a custom application that maps an application service to a nonstandard port, application-level DDoS detection will not work.

    When you configure the application setting as default, IDP uses application identification to detect applications running on standard and nonstandard ports; thus, the application-level DDoS detection would work properly.

Chassis Cluster

  • On SRX5400, SRX5600, and SRX5800 devices, the HA LED changes to Amber after an RG0 failover although the CLI output shows Green.

CLI and J-Web

  • In CLI and J-Web, the number of users allowed to access the device is limited as follows:

    | Device | CLI Users | J-Web Users |
    |---|---|---|
    | SRX100 | 6 | 3 |
    | SRX110 | 6 | 3 |
    | SRX210 | 4 | 3 |
    | SRX220 | 9 | 5 |
    | SRX240 | 6 | 5 |
    | SRX550 | 11 | 5 |
    | SRX650 | 11 | 5 |

Dynamic Host Configuration Protocol (DHCP)

  • On all SRX Series devices, DHCPv4 is supported only in Layer 3 mode; the DHCP server and DHCP client are not supported in Layer 2 transparent mode.
  • On all SRX Series devices, DHCPv6 client authentication is not supported.
  • On all SRX Series devices, logical systems and routing instances are not supported for DHCP client in chassis cluster mode.

Flow-Based and Packet-Based Processing

  • On branch SRX Series devices with the SRX-MP-8GSHDSL card, the CRC and LOSW error counter values increase even when the connection is working fine. This is a cosmetic issue and the traffic is not impacted.
  • On all branch SRX Series devices, GRE fragmentation is not supported in packet-based mode.

General Packet Radio Service (GPRS)

  • On all high-end SRX Series devices, only a unified ISSU to the immediately following Junos OS release is supported. For example, unified ISSU from Junos OS Release 12.1X44 to Junos OS Release 12.1X45 is supported.

Hardware

  • SRX5800 devices do not support a redundant SCB card (third SCB) if an SRX5k SPC II (FRU model number: SRX5K-SPC-4-15-320) is installed on the device. If you have installed an SRX5K SPC II on an SRX5800 device with a redundant SCB card, make sure to remove the redundant SCB card.
  • On SRX5400, SRX5600, and SRX5800 devices, services offloading is not supported on Modular Port Concentrators (SRX5K-MPCs) or Modular Interface Cards (MICs).

Interfaces and Chassis

  • On all branch SRX Series devices, CLNS routing is not supported on aggregated Ethernet interfaces.
  • On all SRX Series devices, the Link Layer Discovery Protocol (LLDP) is not supported on reth interfaces.

Integrated User Firewall

  • On SRX Series devices, Integrated User Firewall has the following limitations:
    • IPv6 addresses are not supported.
    • Logical systems are not supported.
    • The WMIC does not support multiple users logged onto the same PC.
    • Domain controllers and domain PCs must be running a Windows OS. The minimum supported Windows client is Windows XP, and the minimum supported server is Windows Server 2003.

Intrusion Detection and Prevention (IDP)

  • On all high-end SRX Series devices, in sniffer mode, flow shows both the source and the destination interface as the egress interface.

    As a workaround, use tagged interfaces in sniffer mode, so that the tagged interface names are displayed in the logs. For example, with ge-0/0/2.0 as the ingress (sniff) interface and ge-0/0/2.100 as the egress interface, the logs show the source interface as ge-0/0/2.100.

    set interfaces ge-0/0/2 promiscuous-mode
    set interfaces ge-0/0/2 vlan-tagging
    set interfaces ge-0/0/2 unit 0 vlan-id 0
    set interfaces ge-0/0/2 unit 100 vlan-id 100

    Note: On all branch SRX Series devices, the sniffer mode is not supported.

IP Monitoring

  • On SRX5400, SRX5600, and SRX5800 devices, in each PIC on the 40x1GE IOC cards only 2 of the 10 ports can be enabled with IP monitoring on both the primary and secondary sides. If more than two ports on the same PIC are enabled with IP monitoring, the behavior of IP monitoring through reth or RLAG on the secondary side might be abnormal.
  • On SRX5400, SRX5600, and SRX5800 devices, the maximum number of IP addresses that can be configured for monitoring is limited to 64.
  • On SRX1400, SRX3400, and SRX3600 devices, the maximum number of IP addresses that can be configured for monitoring is limited to 32.
  • On all high-end SRX Series devices, the default and minimum IP monitoring interval is 1 second, and the maximum interval is 30 seconds.
  • On all high-end SRX Series devices, the default and minimum threshold of IP monitoring is 5, and the maximum threshold is 15.
  • When IP monitoring is enabled on a different subnet than the reth IP address, then you must configure the proxy-arp unrestricted option on the upstream router.
  • On SRX5400, SRX5600, and SRX5800 devices, IP monitoring does not support MIC online/offline status.

IPv6

  • On all branch SRX Series devices, IPv6 flows are not supported in transparent mode.

Layer 2 Transparent Mode

  • On all branch SRX Series devices, configuring Layer 2 Ethernet switching family in Transparent Mode for an interface is not supported.

Network Address Translation (NAT)

  • On high-end SRX Series devices, the number of IP addresses for NAT with port translation has been increased to 1M addresses.

    The SRX5000 line, however, supports a maximum of 384M translation ports, and this limit cannot be increased. To use 1M IP addresses, you must confirm that the port number is less than 384. The following CLI commands enable you to configure the twin port range and limit the twin port number:

    • set security nat source pool-default-twin-port-range <low> to <high>
    • set security nat source pool sp1 port range twin-port <low> to <high>

TCP-Based DNS

  • On all SRX Series devices, the Routing Engine policy supports a maximum of 1024 IPv4 address prefixes and 256 IPv6 address prefixes that can be sent to the Packet Forwarding Engine. If the number of IPv4 or IPv6 address prefixes exceeds these limits, the addresses beyond the limit are not sent to the Packet Forwarding Engine and a system log message is generated. The maximum number of addresses in a TCP DNS response is 4094 for IPv4 addresses and 2340 for IPv6 addresses, but only 1024 IPv4 addresses and 256 IPv6 addresses are loaded into the Packet Forwarding Engine.

Upgrade and Downgrade

  • On the SRX240B2 and SRX240H2 models, when you try to upgrade from Junos OS Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade fails when attempting to validate the configuration. To resolve this, use the no-validate option.

VPN

  • On SRX Series devices, when a Phase 2 Security Association configured with traffic selectors comes up, a route will be added in the routing table. This route cannot be leaked to other routing-instances using rib-groups. For leaking routes inserted by traffic selectors, use the import-policy option.
  • RIP is not supported in point-to-multipoint (P2MP) VPN scenarios including AutoVPN deployments. We recommend OSPF or IBGP for dynamic routing when using P2MP VPN tunnels.
  • On SRX Series devices, configuring RIP demand circuits over VPN interfaces is not supported.
  • On SRX Series devices, configuring XAuth with AutoVPN secure tunnel (st0) interfaces in point-to-multipoint mode and dynamic IKE gateways is not supported.
  • On a high-end SRX Series device, VPN monitoring of an externally connected device (such as a PC) is not supported. The destination IP address for VPN monitoring must be a local interface on the high-end SRX Series device.

Modified: 2016-11-30