
Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: Release 12.1X47-D45

Application Identification (AppID)

  • On SRX Series devices with AppID and the application system cache (ASC) enabled, running the show services application-identification application-system-cache command, or its RPC equivalent get-appid-application-system-cache, might raise PFE (SPU) CPU utilization to 100%. PR1169694

Application Layer Gateways (ALGs)

  • On SRX Series devices, the MSRPC ALG cannot decrypt encrypted EPM messages (authentication level RPC_C_AUTHN_LEVEL_PKT_PRIVACY) and drops them. With the fix, such encrypted messages bypass the ALG and a syslog message is generated. PR1192477
  • On all SRX Series devices, when the RSH ALG is enabled manually and receives a message whose stderr port is 0, the ALG drops the packets and does not open a gate for the session. As a workaround, disable the RSH ALG. PR1196530

Chassis Clustering

  • On branch SRX Series devices in a chassis cluster configured in Layer 2 mode with integrated routing and bridging (IRB), packets destined to the IRB interface's MAC address that arrive at the secondary node are forwarded to the primary node. In some cases these packets are unicast ARP requests to the IRB MAC address; they are forwarded to the primary node and then broadcast in the security zone. Such ARP requests might cause a traffic loop, which can result in high Packet Forwarding Engine (PFE) CPU utilization on the secondary node. PR1042588
  • On all high-end SRX Series devices in a chassis cluster, high CPU usage on the data plane might occur when ipsec-performance-acceleration is enabled. PR1097278
  • On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when both nodes are rebooted simultaneously, the secondary node does not respond after the reboot until the IOCs on the other node are online. After all line cards of the primary node are online, the fabric recovery procedure moves the secondary node from the ineligible state to the normal secondary state. PR1104249
  • On SRX1400 devices in a chassis cluster with a 10-Gigabit Ethernet SYSIO board of hardware revision 20, the first control link on port ge-0/0/10 might not come up after an ungraceful power-off and power-on. PR1166549
  • On all SRX Series devices in chassis cluster mode, after you issue commit confirmed (with a timeout value between 1 and 65535 minutes) followed by the confirming commit on the primary node, the configuration is not committed on the secondary node. PR1171366
  • On high-end SRX Series devices in a chassis cluster, a constant stream of SPU host mbuf stall messages is logged when the multicast feature is used. PR1194485

Command-Line Interface (CLI)

  • On branch SRX Series devices, in the output of the show chassis craft-interface command for node 0 or node 1, the Front Panel HA Indicator field does not show the correct LED status. PR1189006
  • On high-end SRX Series devices, the show configuration | except SECRET command run while collecting request support information (RSI) still included secret data such as encrypted passwords in the RSI output. PR1192579

Flow-based and Packet-based Processing

  • On SRX550 devices, the LAN bypass feature must be disabled. PR1031318
  • On SRX1400 devices, the only accepted value for set security idp sensor-configuration ssl-inspection maximum-cache-size is 0, whereas the valid range should be 1 through 5000000. PR1091686
  • On high-end SRX Series devices passing NAT traffic under high load, repeated chassis cluster failovers might cause a minor central point (CP) session leak (roughly 1 to 2 sessions per 40 billion). The only effect on the system is the capacity consumed by the leaked sessions. PR1124695
  • On branch SRX Series devices, the mib2d process leaks memory when SNMP OID .1.3.6.1.2.1.54.1 (SYSAPPL-MIB) is polled. PR1144377
  • On SRX Series devices, when multiple RPC requests are sent to the device simultaneously, they might fail with a usp_ipc_client_recv error. PR1146347
  • On all SRX Series devices, in rare conditions Jtree memory might be overwritten, causing the flowd process to crash. PR1165155
  • On all SRX Series devices, if a bridge-domain VLAN is configured, the device cannot learn the gateway MAC address in the ARP table. PR1158276
  • On high-end SRX Series devices with XMCHIP-based cards (such as IOC-II or SPC-II), some XMCHIP hardware failures are not detected by hardware monitoring. The root cause is a hardware fault in the XMCHIP ASIC. The fix improves the hardware monitoring subsystem so that these errors raise a chassis alarm and trigger an automatic failover of redundancy groups 1 and higher (RG1+), as for other hardware failures. PR1167721
  • On SRX5000 line devices, when the control link is down, the secondary node becomes ineligible and then goes to the disabled state. However, the FPCs then restart continuously, whereas they should remain offline until the node is rebooted. PR1170024
  • On SRX650 devices, traffic might be dropped intermittently because of high Routing Engine CPU usage. PR1170231
  • On all SRX Series devices, configuring a white-list for a security screen might corrupt Jtree memory, resulting in a flowd process crash. PR1172844
  • On all SRX Series devices, PKI enrollment or re-enrollment stalls when the CA requires manual approval. If the CA is configured to approve certificate requests manually, it answers the SCEP enrollment request with PENDING until the administrator accepts the request. After receiving PENDING, pkid must resend the enrollment request at the configured retry-interval; because of this bug the retry did not happen and enrollment failed. The behavior was observed only when an SNMP walk of the certificates was performed while enrollment was in progress. PR1173598
  • On high-end SRX Series devices with chassis cluster enabled, under heavy traffic load the primary node might generate a flowd core dump while the secondary node is booting. PR1177853
  • On SRX550 or SRX650 devices with an SRX-GP-8SFP card that has four or more SFP transceivers installed, a soft reboot might flood the console with twsi0: Device timeout on unit 1 messages, with one of two outcomes: the system hangs, or the system boots but the SRX-GP-8SFP card stays offline. PR1178637
  • On all high-end SRX Series devices, traffic is affected when a connection is opened from both directions at the same time. As a workaround, configure a security policy that permits the traffic in both directions. PR1178954
  • On all SRX Series devices, if LACP is enabled on a reth interface, the next-hop database sometimes shows the wrong next-hop interface after a chassis cluster failover. As a result, both host-inbound and transit traffic might be affected. PR1180512
  • On all SRX Series devices in a chassis cluster, IPsec VPN traffic is dropped intermittently if J-Flow is enabled and exports flow records to a remote collector through an IPsec VPN tunnel (st0 interface). Some J-Flow packets are sent by the backup node, which causes ESP sequence numbers to go out of order. PR1180537
  • In an inter-LSYS scenario, packets might be forwarded by obsolete forwarding sessions, causing high SPU utilization. PR1182125
  • On SRX210, SRX220, SRX240, and SRX550 devices, the flowd process might crash when the 1x Gigabit Ethernet high-performance SFP Mini-PIM interface is configured as a member of a reth interface. PR1182981
  • On all high-end SRX Series devices in a chassis cluster, the device does not send ICMP type 3 code 4 (fragmentation needed) packets when the SPC is in combo mode. By default, the SPCs on all high-end SRX Series devices run in combo mode, meaning that one Services Processing Card (SPC) acts as both the central point (CP) SPU and a flow SPU. PR1183249
  • On SRX240 devices in a chassis cluster, when the 1-port Gigabit Ethernet high-performance SFP Mini-PIM is used as the fabric port, the port is reported as up but traffic is not forwarded. PR1184731
  • On all high-end SRX Series devices, the software next-hop (software-NH) count keeps increasing and eventually causes a traffic outage. PR1190301
  • On branch SRX Series devices, the flowd process crashes and generates a core dump while processing MS-RPC or SUN-RPC traffic on the secondary node. PR1190929
  • On all SRX Series devices, a vulnerability in IPv6 processing might allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted rather than discarded. A crafted packet destined to the device is then processed by the Routing Engine (RE). A malicious flood of such packets, sourced from beyond the local broadcast domain, can cause the RE CPU to spike or cause the DDoS protection policer for the ARP protocol group to engage. Once the policer engages, it can also drop legitimate ND traffic, so that legitimate IPv6 neighbor entries time out. Refer to JSA10749 for more information. PR1191838
  • On SRX Series devices, if two or more IP monitoring entries are configured for the same IP prefix, IP monitoring might behave unexpectedly, for example producing a false negative. PR1192668
  • On high-end SRX Series devices, the flowd process might crash on node1 and cause the ISSU to fail when upgrading from Junos OS Release 12.1X44-D60 to Junos OS Release 12.1X46-D55 or a later 12.1X46 release. PR1193679
  • On all SRX Series devices, when a range-address is configured in an address book and referenced by a security policy, an invalid memory access might occur, causing the flowd process to crash. PR1196122
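The ND item above (PR1191838) turns on whether a Neighbor Discovery packet that originated beyond the local link is accepted. The following Python is an added example, not Juniper code and not a description of the Junos implementation: it applies the RFC 4861 receive-side checks to a raw IPv6 packet, the decisive one being that the Hop Limit must still be 255, because any router on the path would have decremented it. The packet builder, addresses and the sample packets are constructed input for the example.

```python
# Added example (not Juniper code): RFC 4861 receive checks for IPv6
# Neighbor Discovery.  Hop Limit == 255 proves the packet was not routed.
import ipaddress
import struct

ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
MIN_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}   # fixed header sizes


def parse_ipv6(pkt: bytes):
    """Split a raw IPv6 packet into (next_header, hop_limit, src, dst, payload)."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    ver_tc_fl, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not IPv6")
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return nh, hlim, src, dst, pkt[40:40 + plen]


def icmpv6_checksum(src, dst, payload: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(payload), ICMPV6)
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def validate_nd(pkt: bytes) -> tuple:
    """Return (accept, reason) for a raw IPv6 packet claiming to be an ND message."""
    nh, hlim, src, dst, payload = parse_ipv6(pkt)
    if nh != ICMPV6:
        return False, "not ICMPv6 (extension headers not handled in this example)"
    if len(payload) < 4:
        return False, "short ICMPv6 message"
    typ, code = payload[0], payload[1]
    if typ not in ND_TYPES:
        return False, "not a Neighbor Discovery message"
    name = ND_TYPES[typ]
    if hlim != 255:
        # A router decrements Hop Limit, so anything below 255 came from off-link.
        return False, f"{name} hop limit {hlim} != 255 (off-link origin)"
    if code != 0:
        return False, f"{name} ICMPv6 code {code} != 0"
    if len(payload) < MIN_LEN[typ]:
        return False, f"{name} message too short"
    if icmpv6_checksum(src, dst, payload) != 0:
        return False, f"{name} bad ICMPv6 checksum"
    if typ in (134, 137) and not src.is_link_local:
        return False, f"{name} source {src} is not link-local"
    if typ == 135 and ipaddress.IPv6Address(payload[8:24]).is_multicast:
        return False, "NS target is a multicast address"
    return True, f"{name} accepted"


def build_ns(src: str, dst: str, target: str, hop_limit: int = 255) -> bytes:
    """Constructed sample input: a minimal Neighbor Solicitation."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    body = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    csum = icmpv6_checksum(s, d, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    hdr = struct.pack("!IHBB", 6 << 28, len(body), ICMPV6, hop_limit) + s.packed + d.packed
    return hdr + body


if __name__ == "__main__":
    on_link = build_ns("fe80::1", "ff02::1:ff00:2", "2001:db8::2")
    routed = build_ns("2001:db8:1::1", "ff02::1:ff00:2", "2001:db8::2", hop_limit=64)
    print(validate_nd(on_link))
    print(validate_nd(routed))
```

The hop-limit test is the one that distinguishes an on-link neighbor from a flood sourced elsewhere; the source-address test alone is not enough, because a Neighbor Solicitation may legitimately carry a global source address.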
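The J-Flow item above (PR1180537) attributes the drops to ESP sequence numbers arriving out of order. The following Python is an added example, not Juniper code: it implements the RFC 4303 anti-replay window a receiver keeps per inbound SA and replays a constructed trace in which both cluster nodes transmit on one SA with independent counters. It shows the two outcomes that mechanism produces (a packet behind the window is dropped as too old, and a sequence number already consumed by the other node is dropped as a replay); the trace is illustrative and does not claim to reproduce the exact Junos internals.

```python
# Added example (not Juniper code): RFC 4303 ESP anti-replay window and a
# constructed trace of two cluster nodes sending on one SA.


class AntiReplayWindow:
    """Receiver-side sliding window: accept new/higher sequence numbers,
    reject duplicates inside the window and anything that fell behind it."""

    def __init__(self, size: int = 64):
        self.size = size
        self.right = 0        # highest sequence number accepted so far
        self.bitmap = 0       # bit i set <=> sequence number (right - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                     # RFC 4303: the first packet carries seq 1
            return False
        if seq > self.right:             # advances the window
            shift = seq - self.right
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.right = seq
            return True
        back = self.right - seq
        if back >= self.size:            # left of the window: too old
            return False
        if self.bitmap & (1 << back):    # already seen: replay
            return False
        self.bitmap |= 1 << back
        return True


def interleaved_trace(window: int = 64):
    """Hypothetical trace: the primary node has sent seq 1..200 on the SA; then
    packets from both nodes arrive.  Returns [(sender, seq, accepted), ...]."""
    w = AntiReplayWindow(window)
    for seq in range(1, 201):
        assert w.check_and_update(seq)
    arrivals = [
        ("backup", 1), ("backup", 2),    # backup node with a fresh counter: far behind
        ("backup", 201),                 # backup node with a copied counter: takes 201 first
        ("primary", 201),                # primary node's own 201 now looks like a replay
        ("primary", 202),
    ]
    return [(who, seq, w.check_and_update(seq)) for who, seq in arrivals]


if __name__ == "__main__":
    for who, seq, ok in interleaved_trace():
        print(f"{who:8s} seq={seq:4d} {'accepted' if ok else 'DROPPED'}")
```

Either way a second transmitter on the same SA loses packets at the peer: with a counter behind the window its own packets are discarded, and with a counter that overlaps the primary's the primary's packets are discarded, which is the intermittent VPN loss the note describes.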

Interfaces

  • On branch SRX Series devices, the number of IP addresses per logical interface for which gratuitous ARP (GARP) packets are sent has been increased to eight. PR1153410
  • On all SRX Series devices, changing the description of a physical interface through J-Web automatically adds the gigether-options no-auto-negotiation configuration to that interface, which might cause unexpected interface negotiation and connectivity problems. PR1174498
  • On all SRX Series devices, when the outside and inside interfaces are in different virtual routers (VRs), SSH or Telnet from an external host to an internal interface address of the device fails. PR1178284

Intrusion Detection and Prevention (IDP)

  • On SRX Series devices, the IDP policy cannot be compiled when an LSYS idp-policy-combined is created. PR1187731

J-Web

  • On all branch SRX Series devices, when you use the J-Web setup wizard to create a new configuration and apply it, not all of the configuration is reflected on the device. J-Web then displays a configuration change alert and asks you to commit the configuration. PR1058434
  • On all branch SRX Series devices, an error message is displayed in J-Web when you add a custom-applications setting, although the same configuration produces no error in the CLI. PR1183037
  • On SRX Series devices in a chassis cluster, J-Web does not show the correct chassis cluster status on the Monitor > System View > Cluster Status page. PR1208901
  • On all SRX Series devices, after J-Web is used, Routing Engine CPU utilization might stay high and not recover. PR1219638

Layer 2

  • On SRX550 devices, certain LLC frames are dropped when they are received on a VPLS-enabled interface. PR1160561
  • On SRX Series devices in mixed Layer 2 and Layer 3 mode with flooding enabled, when no Layer 2 egress interface is up, a packet received on a Layer 2 interface might be wrongly forwarded to a Layer 3 interface during flooding. PR1189004

Network Address Translation (NAT)

  • On all SRX Series devices, internal hosts can reach each other on open ports when a trust-to-trust policy uses only the junos-persistent-nat application together with persistent NAT and hairpinning. As a workaround, configure destination-address drop-untranslated in the policy match criteria. PR1171160
  • On high-end SRX Series devices with NAT port-block allocation (PBA) configured, CPU utilization might become high enough to affect protocols such as LACP, which can cause temporary network instability. PR1172347
  • On all SRX Series and vSRX devices performing NAT66, ICMPv6 error messages carry a wrong TCP sequence number in the embedded transport header after translation. The client might therefore reject the ICMPv6 packet, so the service cannot connect. This issue affects all types of ICMPv6 error messages. PR1183188
  • On high-end SRX Series devices, the network security daemon (NSD) might occasionally crash on the backup node when a large configuration with 32 logical systems and more than 10,000 NAT rules is loaded and then overridden by a configuration without logical systems or NAT. The chassis cluster comes up normally after the crash. PR1183342

Network Management and Monitoring

  • On all high-end SRX Series devices in a chassis cluster, when the device processes both IPv4 and IPv6 traffic, a timing issue in session manipulation (installation and deletion) by multiple real-time threads might leak a flow entry in the flow table, which can cause the flowd process to crash on the backup node. PR1180162
  • On all high-end SRX Series devices, the show system license usage command might show an invalid scale-subscriber license on the new RG0 primary node after an RG0 failover. This is a cosmetic issue with no impact on function, performance, or traffic. PR1197211

Platform and Infrastructure

  • On all high-end SRX Series devices, the flowd process might crash and cause a traffic outage when SPU CPU usage exceeds 80%: some threads remain in the waiting state, the watchdog is not toggled in time, and the flowd process is terminated. PR1162221
  • On SRX240 devices, the device does not generate the jnxOverTemperature trap when the temperature warm alarm is raised. PR1174742
  • On all SRX Series devices, when one or more J-Web sessions are open in a browser and the user navigates between tabs, multiple PHP processes remain behind, causing high CPU usage on the Routing Engine. A workaround is available to recover from this condition. PR1186172

Routing Policy and Firewall Filters

  • On high-end SRX Series devices, a traffic outage might occur if a failover happens between node0 and node1 and the network security daemon (NSD) fails to read the security policies from the configuration file. PR1182591

Unified Threat Management (UTM)

  • On all SRX Series devices, the device might try to establish a session to the ThreatSeeker cloud server on the Internet even when no UTM license is installed. Normally, UTM contacts the Enhanced Web Filtering (EWF) server to resolve category checks only after the UTM license is installed. PR1159964
  • On branch SRX Series devices, the UTM antispam feature tags the wrong header: if the email includes a DKIM-Signature header, the spam tag is inserted into the DKIM-Signature header instead of the Subject header. PR1198169

  • On SRX Series devices, during firewall HTTP/HTTPS pass-through authentication, the device incorrectly strips a leading colon from the password string. As a result, authentication fails and no authentication entry is created when the password starts with a colon. PR1187162
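The pass-through authentication item above (PR1187162) is the classic HTTP Basic parsing mistake. The following Python is an added example, not Juniper code: it decodes an Authorization header per RFC 7617, splitting at the first colon only so that a password beginning with a colon survives intact, and checks it against a constructed credential store. The header builder, user names and passwords are sample input for the example.

```python
# Added example (not Juniper code): RFC 7617 HTTP Basic credential parsing
# that keeps a password's leading colon.
import base64
import hmac

# Constructed credential store for the example (a real store holds password hashes).
USERS = {"alice": ":starts-with-colon", "bob": "plain"}


def parse_basic(authorization: str) -> tuple:
    """Return (user_id, password) from an Authorization header value.
    RFC 7617: user-id cannot contain ':', the password can, so split at the first one."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    creds = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = creds.partition(":")
    if not sep:
        raise ValueError("missing ':' between user-id and password")
    return user, password          # no strip(): ':secret' must stay ':secret'


def check_credentials(authorization: str, store=USERS) -> bool:
    """True if the header carries a known user and the exact password."""
    try:
        user, password = parse_basic(authorization)
    except ValueError:
        return False
    expected = store.get(user, "\0")   # compare even for unknown users
    match = hmac.compare_digest(password.encode(), expected.encode())
    return match and user in store


def basic_header(user: str, password: str) -> str:
    """Constructed sample input: what a client sends for these credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    hdr = basic_header("alice", ":starts-with-colon")
    print(parse_basic(hdr))            # ('alice', ':starts-with-colon')
    print(check_credentials(hdr))      # True
```

partition(":") is the whole point: a split on every colon or a strip of leading colons produces a password the credential store will never match, which is exactly the failed authentication the note describes.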

User Interface and Configuration

  • On branch SRX Series devices, after repeatedly issuing rollback 0 and load override, the system eventually fails to commit any new configuration changes. PR1137944

VPN

  • On SRX Series devices with IPsec VPN configured using IKEv2, the IKEv2 responder does not respond to retransmissions if its external-interface is inside a custom routing instance. PR1103027
  • On SRX Series devices, a memory leak might occur with route-based or policy-based VPNs when a peer attempts multiple Phase 2 negotiations with different proxy IDs. PR1174974

Resolved Issues: Release 12.1X47-D40

Layer 2 Features

  • On SRX550 devices, certain LLC frames are dropped when they are received on a VPLS-enabled interface. PR1160561

Network Address Translation (NAT)

  • On high-end SRX Series devices with NAT port-block allocation (PBA) configured, CPU utilization might become high enough to affect protocols such as LACP, which can cause temporary network instability. PR1172347

VPN

  • On SRX Series devices with IPsec VPN configured using IKEv2, the IKEv2 responder does not respond to retransmissions if its external-interface is inside a custom routing instance. PR1103027

Resolved Issues: Release 12.1X47-D35

Chassis Cluster

  • On all high-end SRX Series devices in a chassis cluster, when both nodes are rebooted simultaneously, interface monitoring fails even though the monitored interface is active, resulting in an unnecessary redundancy group failover. PR1032711
  • On all branch SRX Series devices in a chassis cluster, the set protocols lldp interface all command configures LLDP on the reth interface, although the reth interface does not support LLDP. PR1127960
  • On all high-end SRX Series devices in a chassis cluster, gratuitous ARP (GARP) is not sent for a static MAC address when a chassis cluster failover occurs. PR1115596
  • On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster with SRX5K-MPC (IOC2), SRX5K-MPC3-100G10G (IOC3), or SRX5K-MPC3-40G10G (IOC3) installed, when VLAN tagging is configured on the reth interface with LACP enabled and the VLAN-tagged logical reth interfaces are placed in separate security zones, LACP fails. PR1128355

Dynamic Host Configuration Protocol (DHCP)

  • On all SRX Series devices configured as a DHCP relay agent using the jdhcpd process, option 82 is not supported; DHCP discover or BOOTP packets containing option 82 are dropped. PR979145
  • On all SRX Series devices acting as DHCP servers, a DHCP binding with a configured lease time might never expire, eventually exhausting all IP addresses in the DHCP pool. PR1050723
  • On all branch SRX Series devices acting as DHCP servers, the device does not send DHCP option 125 unless the client requests it. This is not compliant with RFC 3925, which requires the server to send option 125 even without a request from the client. PR1116940

Flow-Based and Packet-Based Processing

  • On all high-end SRX Series devices, the predefined application for the ICMPv6 Packet Too Big message has been renamed from junos-icmp6-packet-to-big to junos-icmp6-packet-too-big. PR917007
  • On all SRX Series devices in a chassis cluster, IPsec VPN packets are dropped in Z mode when fragmentation is required. PR956808
  • On all branch SRX Series devices, if a TCP session is initiated from a remote host through an interface in the inet.0 routing table to the loopback interface, the TCP three-way handshake fails because the reverse wing of the session is associated with the wrong routing instance ID for the SYN-ACK packet. PR962801
  • On all high-end SRX Series devices with equal-cost multipath (ECMP) routing configured, a race condition during ECMP route updates might crash the flowd process. PR1105809
  • On all high-end SRX Series devices using dynamic routing with ECMP, a flowd process crash might be observed. PR1125629
  • On high-end SRX Series devices, in rare conditions SPUs might deadlock, resulting in a flowd process crash. PR1132059

Hardware

  • On all high-end SRX Series devices, model numbers of Restriction of Hazardous Substances (RoHS) compatible power entry modules (PEMs) are not displayed when you run the show chassis hardware models command. PR1138773

Interfaces and Chassis

  • On all high-end SRX Series devices, the following error message is displayed: error: xsl:import : unable to load. PR815978
  • On all high-end SRX Series devices equipped with enhanced fan trays, a Fan Tray Unable to Synch alarm might be raised. PR1013824
  • On all high-end SRX Series devices, when you modify a security zone that has many interfaces (for example, when adding or deleting an interface in such a zone), an abnormally high CPU load might occur upon commit. PR1131679
  • On SRX240, SRX550, and SRX650 devices, after a system reboot or disabling and then enabling a Layer 2 reth interface, the reth interface might not work even when the state of the interface is shown as up. PR1137395

Interface and Routing

  • On all high-end SRX Series devices with a PKI profile configured, loading a certificate with an unknown key type crashes the pkid process. Currently, the device supports only RSA, DSA, and ECDSA certificates of known key sizes. PR1118569

Intrusion Detection and Prevention (IDP)

  • On all high-end SRX Series devices with IDP SSL inspection enabled, traffic using RSA keys larger than 2000 bits might cause high CPU usage and performance degradation on the data plane. PR1125387

IPv6

  • On all SRX Series devices, IPv6 host-inbound traffic to the xnm-ssl and xnm-clear-text services is dropped even when those services are permitted under host-inbound-traffic. PR1147446

Network Address Translation (NAT)

  • On all high-end SRX Series devices in a chassis cluster, when NAT with port-block allocation is configured, duplicate system log messages are generated for each port block allocation and port block release. PR1118563
  • On all high-end SRX Series devices when PBA NAT is configured, the last port-block might be released too early, without considering the configured active-block timeout value. PR1146288

Platform and Infrastructure

  • On SRX5000 line devices equipped with the MIC 10x 10GE SFP+, the 10-Gigabit Ethernet ports on these cards might stay offline when a link flaps or an SFP+ is inserted after the link has been active for about 3 months. PR905589
  • On all branch SRX Series devices, when you use commit confirmed and issue the confirming commit a few seconds before the scheduled rollback, the system tries to commit and roll back at the same time, which corrupts the configuration database. PR994466
  • On SRX Series devices in a chassis cluster with dual control links, if the first control link (em0) goes down, the primary Routing Engine does not send IP traffic to the remote node. For example, if redundancy group 0 (control plane) is primary on one node and redundancy group 1 (data plane) is primary on the other, IP traffic originated by the Routing Engine is not forwarded out. PR1051535
  • On SRX5600 and SRX5800 devices with the SRX5K-RE-13-20 Routing Engine, the second control port link (em1) stays down in a dual control link configuration when the Routing Engine is installed in slot 1. PR1077999
  • On all branch SRX Series devices, using set system autoinstallation to configure the unit 0 logical interface on all active physical interfaces fails; the CLI does not allow the logical unit to be configured. As a consequence the dcd process might crash, leaving the interface-related configuration improperly installed. PR1147657

Routing Policy and Firewall Filters

  • On all high-end SRX Series devices with two routing instances, one of instance type default and one of type virtual-router, if you change the instance type of the first from default to virtual-router after the routing policy is configured, the route is missing from the second routing instance. As a workaround, deactivate the first routing instance and the routing policy, and then reactivate the first routing instance. PR969944
  • When the following OIDs are polled through SNMP, a file descriptor leak might occur in the nsd process:
    • jnxLsysSpCPSummary
    • jnxLsysSpSPUSummary
    • jnxLsysSpCPUEntry
    • jnxLsysSpCPUTable

    PR1079629

Security Policy

  • On all high-end SRX Series devices, when multiple address books containing DNS names defined in multiple Logical Systems (LSYSs) are invoked in security policies, the DNS address gets updated in the DNS cache but it does not get updated in the security policies. PR1132681

Unified Threat Management (UTM)

  • On all branch SRX Series devices configured to use HTTPS for UTM antivirus pattern updates, the device incorrectly sends the polling packets to TCP port 80, which results in route lookup failure and pattern update failure. PR1133283
  • On all SRX Series devices in a chassis cluster with UTM configured, in rare conditions the reth interface might go down, which might cause the flowd process to crash. PR1136367
  • On all SRX Series devices, the Enhanced Web Filtering (EWF) module is bypassed if the TCP session starts with a SYN packet that has additional flags set in its header (for example, a SYN with the ECN flags ECE and CWR also set). PR1144200
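The EWF bypass item above (PR1144200) is what happens when a session-start check compares the whole TCP flags byte with SYN instead of testing the SYN bit. The following Python is an added example, not Juniper code and not the Junos implementation: it builds a few raw TCP headers (constructed sample input) and shows that an ECN-setup SYN (SYN with ECE and CWR set, RFC 3168) is missed by the equality test but caught by the bit test.

```python
# Added example (not Juniper code): testing the SYN bit versus comparing the
# whole TCP flags byte, with an ECN-setup SYN (RFC 3168) as the edge case.
import struct

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80,
                     seq: int = 1, ack: int = 0) -> bytes:
    """Constructed sample input: a 20-byte TCP header with the given flags."""
    data_offset = 5 << 4                      # 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def tcp_flags(hdr: bytes) -> int:
    """Flags byte of a raw TCP header (byte 13; bits 0..7 are FIN..CWR)."""
    return hdr[13]


def is_session_start_naive(hdr: bytes) -> bool:
    # Equality: only a "pure" SYN matches, so SYN|ECE|CWR never arms the filter.
    return tcp_flags(hdr) == SYN


def is_session_start(hdr: bytes) -> bool:
    # Bit test: SYN set and ACK clear; ECE/CWR (and any future bits) are irrelevant.
    flags = tcp_flags(hdr)
    return bool(flags & SYN) and not (flags & ACK)


SAMPLES = {
    "plain SYN": build_tcp_header(SYN),
    "ECN-setup SYN": build_tcp_header(SYN | ECE | CWR),
    "SYN-ACK": build_tcp_header(SYN | ACK, ack=1),
    "data": build_tcp_header(ACK | PSH, ack=1),
}


def compare(samples=SAMPLES) -> dict:
    """Map sample name -> (naive verdict, correct verdict)."""
    return {name: (is_session_start_naive(h), is_session_start(h))
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, (naive, correct) in compare().items():
        print(f"{name:14s} naive={naive!s:5s} correct={correct}")
```

A client that negotiates ECN (or sets any reserved bit) therefore gets an uninspected session from the naive filter, which is why flag-based detection logic should always mask the bits it cares about rather than compare the byte.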

User Firewall

  • On all SRX Series devices, an ssl-termination-profile configured to handle HTTPS traffic for user firewall authentication is ignored. PR1140115

VPN

  • On all high-end SRX Series devices, if traffic selectors are configured for an IPsec VPN, applications whose control and data sessions are separate fail pass-through authentication for the data session over the IPsec VPN tunnel; for example, the data session of FTP in active mode might fail. PR1103948
  • On all high-end SRX Series devices, downloading a large CRL over LDAP fails under some conditions, causing high CPU usage on the Routing Engine. PR1130164
  • On all branch SRX Series devices acting as the hub in a hub-and-spoke VPN, some IPsec VPN tunnels might not be established after a system reboot. PR1132925
  • On all branch SRX Series devices, the dynamic VPN cannot connect, and the Pulse client displays the error fail to get HTTP Response. PR1135780
  • On all branch SRX Series devices acting as the key server in a group VPN scenario, the real-time thread might enter a loop during VPN tunnel session manipulation, resulting in a flowd process crash. PR1139516

Resolved Issues: Release 12.1X47-D30

Application Layer Gateways (ALGs)

  • On all SRX Series devices, the RSH ALG does not validate the control message, so malformed messages pass through uninspected. Note that the RSH ALG is disabled by default in Junos OS releases that contain this fix. PR1093558

Chassis Cluster

  • On SRX1400, SRX3400, and SRX3600 devices in a chassis cluster, if the fabric ports are connected through a switch, stray packets might arrive on the fabric ports. These packets are interpreted as chassis cluster packets (such as real-time objects) and forwarded to an invalid SPU, for example one that does not exist (depending on how the invalid packets are interpreted). Because they cannot be delivered, the packets are queued on a network processor; when that queue is full, all data traffic on the ports associated with that network processor is blocked. PR1042676
  • On SRX650 devices, when one of the two power supplies (PS) is missing, no alarm is generated. In addition, the device checks whether either of the two power supplies is functioning to produce the power supply status in the show chassis craft-interface output; however, that output labels the status PS 0 instead of PS. PR1104842
  • On all SRX Series devices in a chassis cluster, if sampling is configured with the input option on an interface, non-initial fragments are dropped on the secondary node. This occurs when the fragmented packets enter the interface, traverse the fabric interface, and are finally sent out through the secondary node (Z mode). PR1054775
  • On SRX5400, SRX5600, and SRX5800 devices, if IP monitoring is enabled and no SRX5K-MPC3-40G10G card is present, the following warning is displayed:

    Warning: If you enable this feature on 40x1GE IOC, please refer to manual for the limitation.

    The warning refers only to the SRX5K-MPC3-40G10G card, whereas it should apply to all IOCs for SRX5000 line devices.

    As a result, an incorrect warning message is displayed when IP monitoring is enabled. PR1082396

CLI

  • On SRX5400, SRX5600, and SRX5800 devices, ICMP Out Errors with a rate of 10,000 per second are generated when you issue the show snmp mib get decimal 1.3.6.1.2.1.5.15.0 command. PR1063472

DHCP

  • On all branch SRX Series devices acting as a DHCP server using the jdhcpd process, the device might assign an IP address from the wrong DHCP pool in certain scenarios. If a DHCP client sends a discover message that includes a requested IP address, the authd process uses that requested address to select the pool with priority. As a result, when another DHCP pool shares the same subnet as the requested address, the device assigns an address from that pool rather than from the pool intended for the client. PR1097909

Flow-Based and Packet-Based Processing

  • On all high-end SRX Series devices configured with chassis cluster and logical systems (LSYS), when the session count is close to the configured LSYS session limit, sessions might not be created successfully on the secondary node. The sessions are created on the backup flow SPUs but not on the central point, so the backup flow SPUs keep retrying until they succeed. If this continues, the session count on the secondary node's SPU reaches the limit and new session creation is affected.

    Note: The number of sessions on the secondary node SPU is usually higher than on the primary node SPU.

    PR1061067

  • On all SRX Series devices, packets with IPv4 link-local (169.254.0.0/16) or IPv6 link-local (fe80::/10) addresses are dropped. There is no configuration option to change this behavior and forward link-local packets. PR1078931
  • On all SRX Series devices, if 1:1 sampling is configured for J-Flow and the device processes a high volume of traffic, a race condition in J-Flow entry deletion might lead to an infinite loop, and the flowd process crashes. PR1088476
  • On all SRX Series devices, J-Flow might not work when there is a very large number of AS path records; for example, when the number of AS path records exceeds 400,000, the J-Flow configuration does not reach the FPC or PIC. PR1089141
  • On all SRX Series devices configured with OSPFv3, if the JSF DPI plug-in (JDPI) enables session serialization, the device drops OSPFv3 packets in transparent mode when the packets are reinjected. PR1094093
  • On all branch SRX Series devices, the maximum-sessions value is not displayed correctly. PR1094721
  • On all SRX Series devices with services offloading enabled, in certain cases, such as packets traversing a LAG interface or fragmented packet processing, duplicate packets might be generated randomly and forwarded out of the device. PR1104222
  • On all branch SRX Series devices running GRE over IPsec VPN, when the VPN is deactivated, the GRE session's outgoing interface changes to the default route and does not return to the secure tunnel (st0) interface when the VPN is reactivated. As a result, traffic might be dropped after the IPsec tunnel flaps. PR1113942

Interfaces and Chassis

  • On all high-end SRX Series devices, incorrect cable type is displayed for UNI-SFPs. PR886753
  • On SRX100, SRX110 and SRX210 devices, the 4G USB modem does not redial automatically when the modem is used to connect to the Internet. PR1040125
  • On all high-end SRX Series devices, when you modify a security zone that has many interfaces, abnormally high CPU load might occur on the Routing Engine when you commit the changes. PR1131679

Interfaces and Routing

  • On all high-end SRX Series devices, if VLAN tagging is configured on an aggregated Ethernet (ae) or a redundant Ethernet (reth) interface, then deleting a logical interface of this ae or reth interface might cause the SPU to crash or stop responding at the kernel level. PR1093804
  • On all high-end SRX Series devices, you cannot configure more than one lt-0/0/0.x interface per logical system (LSYS) for the following maintenance releases:
    • Junos OS Release 12.1X44-D35 through Junos OS Release 12.1X44-D55
    • Junos OS Release 12.1X46-D25 through Junos OS Release 12.1X46-D40
    • Junos OS Release 12.1X47-D10 through Junos OS Release 12.1X47-D25
    • Junos OS Release 12.3X48-D10 through Junos OS Release 12.3X48-D15
    • Junos OS Release 15.1X49-D10 through Junos OS Release 15.1X49-D25

    This limitation is now resolved, with one condition: you can configure more than one lt-0/0/0.x interface per LSYS only when no interconnect LSYS is configured. If an interconnect LSYS is configured, you can have only one lt-0/0/0.x interface per LSYS.

    PR1121888

Intrusion Detection and Prevention (IDP)

  • On all high-end SRX Series devices in a chassis cluster, you cannot update IDP signatures through J-Web. PR1084592

J-Web

  • On all SRX Series devices, when you log in to J-Web using the logical system through Internet Explorer, the error Exception in data refresh might be displayed in the J-Web dashboard messages log. PR1096551
  • On all SRX Series devices, changing another ALG configuration through J-Web causes the IKE-ESG ALG configuration to be changed. PR1104346
  • On all SRX Series devices, the default option is selected under the security > logging > application tracking hierarchy. This enables application-tracking if any syslog configuration is saved. PR1106629
  • On all high-end SRX Series devices, when you log in to J-Web as a logical system user, the compare result window does not appear when you click the compare option. PR1115191

Layer 2 Ethernet Services

  • On all branch SRX Series devices, when the device acts as a DHCP server using the jdhcpd process, the device assigns an IP address from the wrong DHCP pool to the DHCP client in certain scenarios. This happens when a DHCP client sends the discover message with a requested IP address and the authd process uses the requested IP address to find the pool with priority. If a DHCP pool other than the expected pool of the client shares the same subnet as the requested IP address, the device assigns an IP address from that wrong DHCP pool to the DHCP client. PR1097909
  • On all SRX Series devices, if both DHCP client and DHCP server (using the jdhcpd process) are enabled, changing the DHCP related configurations might cause the jdhcpd process to exit unexpectedly. PR1118286

Network Address Translation (NAT)

  • On all SRX Series devices, when domain names are used as a matching condition in security policies, the SRX Series device sends the resolve request to the DNS server. If the DNS server is unreachable, the SRX Series device keeps resending the request to the DNS server. As a result, all the file descriptors of the nsd process become exhausted. PR1089730
  • On all high-end SRX Series devices in a chassis cluster, when NAT with port-block allocation is configured, duplicate system log messages are generated for each port block allocation and port block release. PR1118563
  • On all high-end SRX Series devices, security policies are not downloaded after ISSU from Junos OS Release 12.1X46-D40 to Junos OS Release 12.3X48-D15. PR1120951

Network Management and Monitoring

  • On all SRX Series devices, when using point-to-multipoint (P2MP) automatic NHTB IPsec tunnels, routes using a next-hop IP that is in the st0.x subnet are incorrectly marked as active prior to the VPN tunnel establishment. PR1042462

Platform and Infrastructure

  • On all branch SRX Series devices, setting the Real-time Performance Monitoring (RPM) next-hop metric value does not take effect. PR1087753
  • On all SRX Series devices, the kernel might crash when running the automatic script. PR1090549
  • On all branch SRX Series devices, upgrade to certain Junos OS versions might fail when a commit script is configured. PR1096576
  • On all high-end SRX Series devices, an SPU might become inaccessible from the Routing Engine because of a memory-buffer counter corruption. Because of this issue, a service outage occurs in certain scenarios, for example, when IPsec is configured with certificate-based authentication. PR1102376

Routing Policy and Firewall Filters

  • On all high-end SRX Series devices, you cannot configure a nested default application-set within a logical system. This is because the predefined application-sets can be invoked only in the root logical system (LSYS), not in custom LSYSs. PR1075409

SNMP

  • On all SRX Series devices, when you set up the SNMPv3 privacy password and authentication password, NSM fails to update the passwords to the devices that are managed by NSM. PR1075802

User Interface and Configuration

  • On all SRX Series devices, committing a traffic-selector (TS) configuration might fail. As a result, ffp core files are generated. PR1089676

VPN

  • On all SRX Series devices, the default trusted-ca list (Trusted_CAs.pem) is not supported by Junos OS. PR1044944
  • On all high-end SRX Series devices with IPsec VPN configured, the IPsec VPN tunnel might fail to reestablish after recovery from tunnel flapping. This is because an old, invalid tunnel session still exists on the central point. As a result, an attempt to create the new tunnel session fails. PR1070991
  • On all SRX Series devices with site-to-site IPsec VPN configured using IKEv2, if an active tunnel existed and the SRX Series device acted as the responder of IKEv2 negotiation, then the VPN peer initiating a duplicate IKEv2 Phase 2 negotiation request will cause the IPsec VPN tunnel to go to inactive state on the data plane side of the SRX Series device. PR1074418
  • On all high-end SRX Series devices, when the alarm-without-drop option is configured for the UDP Flood Protection screen, packets classified as attack packets might be sent out of order. This can result in performance degradation. PR1090963
  • On all high-end SRX Series devices, the output of the show system processes resource-limits process-name pki-service command cannot be shown correctly because of a missing file. PR1091233
  • On all branch SRX Series devices in a group VPN setup, a memory-leak issue might occur on the gksd and gkmd processes. PR1098704
  • On all branch SRX Series devices, an IPsec VPN using ESP encapsulation above the group VPN is not supported. As a result, the IPsec VPN traffic will be dropped because bad SPI packets are seen in the group VPN. PR1102816
  • On all SRX Series devices, the IPsec tunnel might not come up on the data plane if both the st0 interface configuration and the IPsec VPN configuration, which are under the [security ike] and [security ipsec] hierarchies, are provided in one commit. PR1104466
  • On all SRX Series devices, users cannot perform a successful IPsec VPN tunnel failover over a secondary ISP link by using P2MP tunnels in a specific redundant VPN deployment. This issue occurs:
    • When IPsec VPN is configured
    • When the VPN tunnel is set up by using the two different external interfaces within two different IKE gateways to connect to the same VPN peer
    • When RPM is configured for a route failover between the two external interfaces links
    • When VPN monitoring is configured

    Whenever the primary link is down, VPN tunnel failover to the secondary link occurs as expected. However, when the primary link comes up again, VPN flapping occurs and establishment of the primary VPN tunnel might be delayed. As a result, IPsec VPN tunnel failover fails. PR1109372

Resolved Issues: Release 12.1X47-D25

Application Layer Gateways (ALGs)

  • On all SRX Series devices in a chassis cluster with TCP-based ALG enabled and the TCP keepalive mechanism used on the TCP server and client, after a data plane redundancy group (RG1+) failover, the keepalive message causes the mbuf to be held by the ALG until the session timeout. This results in generation of a high mbuf usage alarm. Application communication failure occurs due to lack of mbuf. PR1031910
  • On all SRX Series devices with the SIP ALG and NAT enabled, if you place a call on hold or off hold many times, each time with different media ports, the resources of the call are consumed, resulting in one-way audio. Tearing down the call clears the resources, and subsequent calls are not affected. PR1032528
  • On all SRX Series devices (except SRX110) in a chassis cluster with the SCCP ALG enabled and if the SCCP state in use flag is not configured in the process of the SCCP call in the device, the related real-time object (RTO) hot synchronization might cause the flowd process to crash. PR1034722
  • On all SRX Series devices with the MS-RPC ALG enabled, the flowd process might crash when the MS-RPC ALG processes the crafted ISystemActivator RemoteCreateInstance Response packets. PR1036574
  • On all SRX Series devices with the SIP ALG and NAT enabled, the SIP ALG does not perform IP translation for retransmitted 183 Session Progress messages. In this scenario, the SIP call fails when the device receives the first 183 Session Progress message without SDP information but the retransmitted 183 Session Progress messages contain SDP information. PR1036650
  • On all branch SRX Series devices, the SIP ALG code has been enhanced to support RFC 4566 regarding the order of SDP lines and to avoid cases where NAT is not applied to the owner field (o line) in some circumstances. PR1049469
  • On all high-end SRX Series devices, a SIP ALG packet decode error is logged in the system log when unsupported blank packets are used as keepalive messages. PR1057170
  • On all SRX Series devices, the current SIP parser does not parse the quotation marks in the MIME message boundary, and the message body of the SIP messages might be cut off. PR1064869
  • On all SRX Series devices with the MS-RPC ALG enabled, the flowd process might crash due to incorrect MS-RPC ALG parsing for the ISystemActivator RemoteCreateInstance Response packets. PR1066697
  • On all SRX Series devices with H.323 ALG and NAT enabled to process H.323 traffic, if H.323 calls contain the same source IP address and port number but in different positions, then some of the unidirectional sessions of H.323 might be seen. As a result, calls related to the H.323 ALG fail. PR1069067
  • On all SRX Series devices with NAT configured, a memory overwrite issue occurs when RAS or H.323 traffic passes through the device at scale and the device fails to perform NAT for the RAS or H.323 traffic. As a result, the flowd process might crash. PR1084549

Application Identification and Tracking

  • On all SRX Series devices, when next-generation application identification is enabled and traffic is processed, intermittent high CPU utilization on the data plane is observed. PR1064680

Authentication

  • On all high-end SRX Series devices with firewall authentication configured, an authentication entry leak on the data plane occurs when an authenticated user tries to re-authenticate. As a result, firewall authentication no longer allows any more authentication entries to be created. PR969085
  • On all SRX Series devices with firewall authentication enabled, when a firewall authentication from an authenticated IP address for a new authentication fails, and then a pass-through firewall authentication tries this entry, the firewall authentication function accesses a freed memory, which results in a flowd process crash. PR1040214
  • On all high-end SRX Series devices with firewall authentication enabled, in a rare timing condition, if there are many pending sessions in a firewall authentication entry with failed state, then a packet entering and matching this failed authentication entry might cause the flowd process to crash. PR1048623

Chassis Cluster

  • On all branch SRX Series devices, the secondary node in a chassis cluster environment might crash or go into DB mode, displaying the panic:rnh_index_alloc message. This issue is sometimes observed in a chassis cluster environment with a multipoint st0.x interface configured, when the tunnel interfaces flap because of the IPsec idle-timeout or IPsec vpn-monitor. PR1035779
  • On SRX5400, SRX5600, and SRX5800 devices with an SPC2 installed, after the control plane (RG0) failover, if RG0 and the data plane groups (RG1+) are active on different nodes, then the primary Routing Engine might drop the connection with the remote SPUs (the SPUs residing on the other node, whose Routing Engine is in the secondary state). As a result, a traffic outage occurs. PR1059901
  • On all branch SRX Series devices in a chassis cluster, if the switching fabric (swfab) interface is configured, the swfab interface incorrectly updates the state of the fabric (fab) interface. As a result, the fab interface might be stuck in the down state. PR1064005
  • On all high-end SRX Series devices in a chassis cluster, when you reboot the primary node using the request system reboot command, the secondary node might crash after a few seconds. PR1077626
  • On SRX5600 and SRX5800 devices, a traffic outage might occur with hardware errors (IA PIO errors). When the devices are configured in a chassis cluster, the hardware errors (IA PIO errors) do not trigger RG1+ failover. This fix raises an FPC minor alarm to trigger the RG1+ switchover in a chassis cluster. PR1080116
  • On all SRX Series devices, all interfaces of the RG0 secondary node go down when the connection between the kernel of the primary node and the ksyncd of the secondary node fails. This occurs because of the memory leak in the shared-memory process (shm-rtsdbd). PR1084660

Class of Service (CoS)

  • On all branch SRX Series devices with CoS configured on a high-speed interface for multiple queues, if one queue is oversubscribed, the traffic on this queue does not drop. However, this results in traffic drop for other queues which have a specific bandwidth available. PR1068288
  • On all SRX Series devices, the CoS rewrite rules do not work for VPN traffic if the rules are configured with loss priority high. This occurs when the packets are reinjected into the IPsec tunnel encapsulation process. PR1085654

CLI

  • On all branch SRX Series devices, when the underlying interface of the PPPoE interface is a reth interface, there is a delay of 10 seconds in displaying the PPPoE interface information when you run the show interfaces pp*.* command. As a result, a slower response time for the SNMP command related to the PPPoE interface is also observed. PR1068025
  • On all SRX Series devices, when you run the show security policies hit-count command, the Routing Engine memory is overwritten. As a result, the nsd process crashes. This issue occurs when security policies are not synchronized between the Routing Engine and the data plane. PR1069371

Dynamic Host Configuration Protocol (DHCP)

  • On all SRX Series devices configured as a DHCP server (using the jdhcpd process), when the DHCP server gets a new request from a client and obtains an IP address from the authentication process (authd), the jdhcpd process communicates with the authd process twice, as expected (once for the DHCP discover message and once for the DHCP request message). If the authentication fails in the first message, the authd process waits indefinitely for the second authentication request. However, the jdhcpd process never sends the second request, because it detects that the first authentication did not succeed. This causes a memory leak in the authd process, and the memory might get exhausted, generating a core file and preventing the DHCP server service. High CPU usage on the Routing Engine might also be observed. PR1042818
  • On all SRX Series devices, when an interface is configured as a DHCP client using the dhcpd process, the DHCP discover message cannot be sent out and the interface does not fetch an IP address. This occurs when the hostname is not configured. As a result, the DHCP client cannot fetch an IP address. PR1073443
  • On all branch SRX Series devices with a DHCPv6 client configured, when the device tries to obtain an IPv6 address through the DHCPv6 prefix delegation, the device forms an incorrect IPv6 address format. As a result, the IPv6 address allocation fails. PR1084269

Flow-Based and Packet-Based Processing

  • On all SRX Series devices, due to an indirect next-hop change, memory corruption occurs in the flow route lookup table, causing the flowd process to crash. PR988659
  • On all multithreaded SRX Series devices (SRX240 and above), if IDP, AppSecure, ALG, GTP, or SCTP (features that require serialized flow processing) is enabled, the device might encounter an issue where two flow threads work on the same session at the same time during serialized flow processing. This issue might cause memory corruption and then result in a flowd process crash. PR1026692
  • On all SRX Series devices in a chassis cluster Z mode, if static NAT or destination NAT is configured, and in the NAT rule, the IP address of the incoming interface is used as a matching condition of the destination address (for example, set security nat static <rule-set-name> rule <rule-name> match destination-address <use the IP address of incoming interface>), then the traffic matching the NAT rule is discarded. PR1040185
  • On all SRX Series devices with a GRE tunnel configured, the carrier interface of the GRE tunnel is not updated when a new, more specific route to the tunnel destination address is added, which might cause traffic loss in some scenarios. PR1040666
  • On all SRX Series devices in a chassis cluster, during control plane RG0 failover, a policy resynchronization operation compares the policy message between the Routing Engine and the Packet Forwarding Engine. However, some fields in the security policy data message are not processed. Data for unprocessed fields might be treated differently and cause the flowd process to crash. PR1040819
  • On all high-end SRX Series devices, when self-generated traffic is processed by IDP, the IDP function might trigger an unmatched flow lock operation, which leads to a deadlock condition and eventually causes the flowd process to crash. PR1046801
  • On all high-end SRX Series devices in transparent mode, when the PIM register-stop message passes through the device, the device cannot match the PIM session that is created by the register packet. The PIM register-stop message tries to create a new session, and the session is dropped during the session creation process due to a session conflict. PR1049946
  • On all branch SRX Series devices, after IDP drop action is performed on a TCP session, the TCP session timeout is not accurate. PR1052744
  • On all branch SRX Series devices with IP-in-IP tunnel configured, due to incorrect configuration (routing loop caused by route change and so on), packets might be encapsulated by the IP-in-IP tunnel several times. As a result, packets are corrupted and the flowd process might crash. PR1055492
  • On SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices, in a rare condition, the session might be released twice by multiple threads during internal processing by the NAT module. As a result, the flowd process crashes. PR1058711
  • On all high-end SRX Series devices, when the SPU is under high stress, the internal event queue becomes full and the event is lost. Because there is no retransmission mechanism for the internal event, this leads to a stuck session. The stuck session is recovered by upper-layer applications. For example, when the TCP session of the log module is stuck, the log message cannot be sent. After 30 seconds, the log module detects this and opens a new connection to send the log message. PR1060529
  • On all SRX Series devices running Junos OS Release 12.3X48-D10 or later, with enhanced Web filtering configured, the connection to the Websense ThreatSeeker Intelligence Cloud might time out if strict-syn-check is enabled under the [security flow tcp-session] hierarchy. PR1061064
  • On SRX550 devices with 2 GB of memory, traffic processed by the serialization process is dropped when the maximum limit of serialization sessions (32,000) is exceeded. As a result, advanced services such as IDP, ALG, GTP, SCTP, and AppSecure are impacted. The maximum serialization session limit is increased to 64K. PR1061524
  • On all branch SRX Series devices with health monitor configured for Routing Engine, the system health management process (syshmd) might crash due to a memory corruption in some rare conditions, such as in the scenario that concurrent conflicting manipulation of the file system occurs. PR1069868
  • On all high-end SRX Series devices, the flowd process might crash when the multicast traffic processes the route lookup failure. PR1075797
  • On all branch SRX Series devices, the flowd process might crash when the port of the Mini-Physical Interface Module (Mini-PIM) is enabled and configured as a trunk. PR1076843
  • On all SRX Series devices with source NAT configured, ICMP error packets with an MTU value of 0 might be generated on the egress interface when the packets fail to match the NAT rules. PR1079123
  • On all SRX Series devices, if there are any configuration changes made to the interface (for example, when you add a new unit for an interface), an internal interface-related object will be freed and reallocated. However, in a rare condition, some packets queued in the system might refer to the freed object, causing the flowd process to crash. PR1082584
  • On all high-end SRX Series devices, the flowd process might crash because of a 64-bit unaligned memory access. PR1085153
  • On all SRX Series devices, the inactivity-timeout value of the predefined junos-defaults applications cannot be changed, even when it is configured with a value of approximately 10,000. PR1093629

Installation and Upgrade

  • On SRX650 devices, if the u-boot revision is 2.5 or later, installing the Junos OS release image from TFTP in loader mode fails. PR1016954

Integrated User Firewall

  • On SRX240, SRX550, and SRX650 devices with integrated user firewall authentication configured, when you attempt to remove the user entry from the authentication table, the flowd process might crash. PR1078801
  • On all SRX Series devices with integrated user firewall configured, when the user group is specified under the source-identity match criteria even though the valid user entry exists in the active-directory-authentication-table, the traffic fails to match the security policy for the user who belongs to that user group. PR1084826

Interfaces and Routing

  • On all high-end SRX Series devices, during the ISSU process, the Packet Forwarding Engine connects to and sometimes disconnects from the Routing Engine. Hence, the IP resolve events sent to the Packet Forwarding Engine are ignored. When you configure multiple DNS policies after the ISSU process, some of the policies will not have IP addresses in the Packet Forwarding Engine. PR985731
  • On all branch SRX Series devices configured as a CHAP authentication client, in a PPPoE over ATM LLC encapsulation scenario, the connection might not be established because of an incorrect sequence of messages being exchanged with the second LNS. PR1027305
  • On all SRX Series devices, the commit synchronize command fails because the kernel socket gets stuck. PR1027898
  • On SRX210 and SRX220 devices, broadcast packets might not be sent to the Routing Engine following system initialization. PR1029424
  • On SRX550 and SRX650 devices, 20 to 40 percent traffic loss is seen on the port of the SRX-GP-2XE-SFP-PTX after changing the speed from 10 Gbps to 1 Gbps. This issue is seen in both fiber and copper mode. When you switch between fiber and copper mode on the port of the SRX-GP-2XE-SFP-PTX, the speed might vary within the configuration. PR1033369
  • On all branch SRX Series devices in a chassis cluster with PPPoE configured on a redundant Ethernet (reth) interface, when both nodes reboot, the PPPoE interface (pp0.x) sometimes is not prepared, despite the PPPoE session being up. PR1050264
  • On all branch SRX Series devices with PPPoE configured, when PPPoE fails to authenticate, the software next-hop entry leaks in the data plane, gradually consuming all 64,000 software next-hop entries. When the software next-hop table is full, the following next-hop error appears: RT_PFE: NH IPC op 2 (CHANGE NEXTHOP) failed, err 6 (No Memory) peer_class 0, peer_index 0 peer_type 10. PR1055882
  • On SRX1400, SRX3400, and SRX3600 devices, a memory leak occurs on the Control Plane Processor (CPP) when logical interfaces are deleted and the interprocess communication messages are received by the CPP. High memory usage on the CPP might be seen in an interface flapping situation. PR1059127
  • On SRX1400 devices with jumbo frames and low interpacket gaps, the interface (ge-0/0/0 to ge-0/0/5) reports Jabber or code violation errors, resulting in traffic loss. PR1080191
  • On SRX550 and SRX650 devices, if a port of an 8-Port Gigabit Ethernet SFP XPIM card is set to the Ethernet switching family, locally generated packets might be dropped by the port. PR1082040
  • On all branch SRX Series devices, if the destination interface and the next hop are configured for HTTP probes for real-time performance monitoring, the HTTP probes might not work. PR1086142

Intrusion Detection and Prevention (IDP)

  • On all branch SRX Series devices, severity for the IDP report changes from log severity to threat severity. PR1019401

J-Web

  • On all SRX Series devices, the packet capture function cannot be displayed through J-Web. However, the packet capture function can be disabled by using the CLI. PR1023944
  • On all branch SRX Series devices, J-Web sets a limitation on the size of the configuration fetched from a device to avoid memory exhaustion. When the configuration size exceeds this limitation, J-Web fails to load the configuration on Junos OS Release 12.3X48-D10. PR1037073
  • On all branch SRX Series devices, security policy log or security policy count is not displayed when the match condition is RT_FLOW_SESSION. PR1056947
  • On all branch SRX Series devices, when you use the J-Web setup wizard to create a new configuration and apply it, not all of the configuration is reflected in the router. A configuration change alert is displayed, asking you to commit the configuration. PR1058434
  • On all SRX Series devices, if a security policy contains a tcp-options statement, modifying this security policy by using J-Web results in the loss of the tcp-options statement. This is because the tcp-options configuration is missing in the J-Web security policy configuration. PR1063593
  • On all branch SRX Series devices in a chassis cluster, you cannot set the password with special characters such as !, @, #, $, %, ^, ", and so on using the J-Web chassis cluster wizard. PR1084607

Network Address Translation (NAT)

  • On all SRX Series devices with persistent NAT enabled, if an invalid flow with the protocol value 0 creates a persistent NAT entry, then this persistent NAT entry is not cleared even when the invalid session is cleared. PR935325
  • On SRX5400, SRX5600, and SRX5800 devices with the SPC2 (SRX5K-SPC-4-15-320) installed, if a NAT IP address pool is configured with a large number of IP addresses (more than 56,000), executing the show snmp mib walk jnxJsNatSrcNumPortInuse command causes the flowd process to crash. PR1052154
  • On SRX5400, SRX5600, and SRX5800 devices with the SRX5K-SPC-4-15-320 (SPC2) installed, if a NAT IP address pool is configured with a large number of IP addresses (more than 56,000), then running the show snmp mib walk jnxJsNatSrcNumPortInuse command causes LACP to flap. PR1053650
  • On all high-end SRX Series devices, after ISSU, the configuration might not take effect and the NAT configuration remains ineffective. However, the non-NAT configuration will take effect when you run the commit full command. PR1071819
  • On all branch SRX Series devices in a chassis cluster, the H.323 ALG might not work properly after the chassis cluster failover. This is because the ALG binding synchronization message fails to synchronize the secondary device. PR1082934
  • On all SRX Series devices, when the NAT configuration changes are made, the flowd process might crash. As a result, the memory allocation is affected. PR1084907
  • On all SRX Series devices, if the timeout value of an ALG entry is configured larger than the timer wheel's maximum timeout value (7200 seconds), the entry cannot be inserted into the timer wheel. As a result, an ALG persistent NAT binding leak occurs. PR1088539

PKID

  • On all SRX Series devices, when you use UTF-8 encoding to generate the certificate with the certificate authority (CA), certificate validation fails. PR1079429

Platform and Infrastructure

  • On all branch SRX Series devices, the set system ports console insecure feature does not work as expected and fails to prevent non-root users from performing password recovery by using the console. This vulnerability might allow a non-root user with physical access to the console port to gain full administrative privileges.

    Refer to JSA10683 for more information. PR1016488

  • On all branch SRX Series devices, after enabling IEEE 802.1X, the connected devices on some ports might fail to be authenticated. This is because MAC authentication requests might get stuck on the eswd process, therefore this issue might be seen on certain random ports, not all ports. PR1042294
  • On all branch SRX Series devices, the message twsi0: Device timeout on unit 1 fills the console on soft reboot. PR1050215
  • On all SRX Series devices, the configurations of group junos-defaults are lost after a configuration roll back. As a result, the commit command fails. PR1052925
  • On all branch SRX Series devices with U-boot version below 2.8, U-boot fails to boot up images after an abnormal system restart such as an unexpected power-cycle. PR1061649
  • On SRX100 devices, when you run the show snmp mib walk jnxMibs command, the chassisd log repeatedly generates the fru is present: out of range slot -1 for FAN message. PR1062406
  • On all branch SRX Series devices, the log displays the message log: /kernel: veriexec: fingerprint for dev. This is a cosmetic issue. PR1064166
  • On all branch SRX Series devices, when the set system autoinstallation interfaces interface-name bootp command is configured, the autoinstallation enabled interface receives an IP address from the DHCP server and installs a default route on the data plane. If the autoinstallation enabled interface flaps, the default route might change and remain in dead state. PR1065754
  • On SRX100 devices, when the device is configured as an authentication enforcer of 802.1x, authentication from certain special supplicants might fail. This is because the software engine that processes the next-hops in the device incorrectly processes the packet coming from the supplicant with a special source MAC address. As a result, the packets are dropped. PR1067588
  • On SRX100, SRX110, and SRX210 devices, when you use Sierra Wireless USB 3G modem to connect to the network, Junos Space (or other Network Management devices) might fail to discover the SRX Series devices. This is because the Sierra Wireless USB 3G modem generates a duplicate address that causes the failure. PR1070898
  • On SRX650 devices, when the copper SFP-T connector is inserted into the 8-Port Gigabit Ethernet SFP XPIM (8xSFP GPIM), the link state might not come up. PR1074937
  • On all SRX Series devices, the system log utility of the rtlogd process might crash when the WebTrends Enhanced Log File (WELF) format is configured for the security log. PR1086738
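A check that follows from how this page is organized (fixes are listed per release, and a PR such as PR1023940 appears under more than one release heading): the following Python helper, added here as an example and not part of Juniper's release notes or software, parses Junos OS release strings of the forms used on this page (12.1X47-D45, 12.1X47-D45.4, 12.1R3.5) and reports whether a running release contains a listed fix. It deliberately returns None instead of a guess when the running release is on a different train (for example 12.3X48 versus 12.1X47), because a fix listed for one train says nothing about another; the PR search application is the authority in that case. The release strings in the usage section are constructed for the example, and the field layout assumed by the regular expression is an assumption, not something the page documents.

```python
"""Compare Junos OS release strings against the releases in which a PR is fixed.

Added example (not Juniper code). Assumes the release formats seen in these
notes, e.g. "12.1X47-D45", "12.1X47-D45.4", "12.1R3.5" (assumption).
"""
import re
from typing import Iterable, NamedTuple, Optional

_RELEASE_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"        # 12.1
    r"(?P<rtype>[RXFBI])(?P<train>\d+)"       # X47 or R3
    r"(?:-(?P<stage>[DS])(?P<build>\d+))?"    # -D45 (absent on R releases)
    r"(?:\.(?P<spin>\d+))?$"                  # .4 build spin, optional
)


class JunosRelease(NamedTuple):
    major: int
    minor: int
    rtype: str   # R (mainline), X (platform-specific train), ...
    train: int   # 47 in 12.1X47, 3 in 12.1R3
    stage: str   # "D" or "S" after the dash, "" when absent
    build: int   # number after the stage letter, 0 when absent
    spin: int    # trailing ".N", 0 when absent

    @property
    def train_id(self):
        """Identity of the release train; fixes do not carry across trains."""
        return (self.major, self.minor, self.rtype, self.train, self.stage)

    @property
    def ordinal(self):
        """Position within the train, comparable only for equal train_id."""
        return (self.build, self.spin)


def parse_release(text: str) -> JunosRelease:
    m = _RELEASE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognized Junos release string: {text!r}")
    g = m.groupdict()
    return JunosRelease(
        int(g["major"]), int(g["minor"]), g["rtype"], int(g["train"]),
        g["stage"] or "", int(g["build"] or 0), int(g["spin"] or 0),
    )


def fix_present(running: str, fixed_in: str) -> Optional[bool]:
    """True/False when both releases are on the same train; None otherwise.

    None means "this release note does not answer the question": a fix
    listed under 12.1X47-D45 says nothing about 12.3X48 or 12.1X46 builds.
    """
    r, f = parse_release(running), parse_release(fixed_in)
    if r.train_id != f.train_id:
        return None
    return r.ordinal >= f.ordinal


def fix_present_in_any(running: str, fixed_in: Iterable[str]) -> Optional[bool]:
    """Evaluate a PR that is listed under several release headings."""
    verdicts = [fix_present(running, f) for f in fixed_in]
    known = [v for v in verdicts if v is not None]
    if not known:
        return None
    return any(known)


if __name__ == "__main__":
    running = "12.1X47-D40.1"  # constructed; take the real value from show version
    # Fixed releases as listed on this page for these two PRs.
    listed = {"PR1016488": ["12.1X47-D45"], "PR1023940": ["12.1X47-D45", "12.1X47-D20"]}
    for pr, releases in listed.items():
        print(pr, fix_present_in_any(running, releases))  # PR1016488 False, PR1023940 True
```

Feed the first line of the running release from show version to fix_present_in_any together with every release heading under which the PR appears; treat None as "unknown, check the PR search application", never as "fixed".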

Security Policy

  • On all SRX Series devices, when two security policies are combined and the whole address space is used, then the secondary security policy might fail to evaluate traffic. PR1052426
  • On all SRX Series devices, when there are more than 32 policies configured in a global security policy, and if there is a zone-based global security policy whose sequence number is greater than 32, then a policy mismatch error might occur, causing incorrect traffic evaluation. PR1057215
  • On all SRX Series devices, changing a dynamic address of a security policy might cause its dynamic address identification to be mismatched between the Routing Engine and the Packet Forwarding Engine due to the difference between the new and the old configuration being ignored. PR1061253
  • On all high-end SRX Series devices configured in a chassis cluster, the count option in security policy might not work after failover. This is because the Packet Forwarding Engine does not resend the message with policy states to the Routing Engine after failover. The policy lookup counter might disappear when you execute the show security policies from-zone * to-zone * policy-name * detail |grep lookups command. PR1063654
  • On all high-end SRX Series devices, the Network Security Daemon (NSD) is susceptible to a denial-of-service vulnerability while processing certain DNS response messages for name resolution requests initiated by the device. Exploiting this issue requires a rogue DNS server that answers the device's own lookups.

    Refer to JSA10692 for additional information. PR1067941

  • On all SRX Series devices, the IDP exempt rule does not work when the source or destination zone is set to a specific zone (instead of any), one or more IP addresses are configured to match the exempt rule, and the attack traffic destined to those addresses uses a standard application on a non-standard port (for example, HTTP on a port other than 80). PR1070331
  • On all SRX Series devices, the security policy scheduler fails to activate or deactivate policies when the daylight saving time (DST) change occurs. PR1080591

System Logging

  • On all SRX Series devices, when IDP IP action log is configured for a security policy that matches a user identification, the information about the user name and roles is not updated in IP action logs. PR1055075
  • On all SRX Series devices, the user or role retrieval information is not updated properly in the structured syslog format. PR1055097

Unified Threat Management (UTM)

  • On all SRX Series devices, when UTM Sophos antivirus is enabled and a file that is not supported by Sophos antivirus is transferred through SMTP, the device might not be able to handle the last packet, and mail will be on hold. When packets are later sent on this session, the packet that was on hold will be handled by the device and the system will return to normal state. PR1049506
  • On all SRX Series devices, under a certain race condition, if the interface associated with the name server is down, the flowd process might crash because a UTM internal function had not been configured. PR1066510
  • With Enhanced Web Filtering (EWF) configured, if the UTM EWF category object updating the data plane fails, the UTM EWF category object will not be updated anymore. This issue occurs during the system initialization process of an SRX Series chassis cluster. PR1073198
  • On all branch SRX Series devices with UTM Web filtering configured and if multiple websense-redirect profiles are configured with different Websense servers, only one Websense server is available and seen in the up state. PR1077779

VPN

  • On all branch SRX Series devices, in group VPN setups, all the already registered members might suddenly disappear from the key server due to memory leak. PR1023940
  • On SRX1400 devices, packets that are forwarded through the port of the SRX1K-SYSIO-GE card might be dropped due to CRC error. PR1036166
  • On all SRX Series devices configured with a large number of IPsec VPN tunnels, in a very rare condition, if VPN monitoring is enabled, the kmd process might crash when you delete a subset of the VPN tunnels. PR1044660
  • On all high-end SRX Series devices, in a tunnel-over-tunnel scenario involving route-based IPsec VPN, GRE, or IP-in-IP tunnels (for example, IPsec VPN over a GRE tunnel), after the first tunnel encapsulation the internal next hop might not be set to point to the second tunnel, which results in packet loss. PR1051541
  • On all branch SRX Series devices with dynamic VPN configured, the kmd process restarts or crashes, causing an IP address leak in the dynamic VPN address pool. PR1063085
  • On all SRX Series devices, an IKE policy name is limited to 31 bytes. The CLI accepts longer names, but the bytes in excess of the limit are ignored on the data plane. PR1072958
  • On all branch SRX Series devices with dynamic VPN configured, the key management process (KMD) might crash when an IKE payload with a different port number is received. PR1080326
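For PR1072958 above, the configuration check a practitioner would want: the Python script below, added here as an example and not Juniper code, scans set-format configuration lines (such as the output of show configuration | display set) for IKE policy names longer than 31 bytes. It also groups names that agree in their first 31 bytes, because if the data plane ignores the excess bytes, such names cannot be told apart there; that collision case is an inference from the note, not something the note states. The sample configuration lines are constructed for this example.

```python
"""Flag IKE policy names that exceed the 31-byte data-plane limit (PR1072958).

Added example (not Juniper code). Input is set-format configuration, one
statement per line. The prefix-collision check is an inference from the note.
"""
import re
from collections import defaultdict

IKE_POLICY_NAME_LIMIT = 31  # bytes honoured on the data plane, per PR1072958

# Matches `set security ike policy <name> ...`; the name may be quoted.
_IKE_POLICY_RE = re.compile(r'^set security ike policy (?:"([^"]+)"|(\S+))')


def ike_policy_names(config_lines):
    """Return the distinct IKE policy names in set-format config, in order."""
    names = []
    for line in config_lines:
        m = _IKE_POLICY_RE.match(line.strip())
        if m:
            name = m.group(1) or m.group(2)
            if name not in names:
                names.append(name)
    return names


def check_ike_policy_names(config_lines, limit=IKE_POLICY_NAME_LIMIT):
    """Return {"too_long": [names over the limit],
               "collisions": [[names sharing the same first `limit` bytes], ...]}.

    Lengths are measured in UTF-8 bytes, since the limit is stated in bytes.
    """
    too_long = []
    by_prefix = defaultdict(list)
    for name in ike_policy_names(config_lines):
        raw = name.encode("utf-8")
        if len(raw) > limit:
            too_long.append(name)
        by_prefix[raw[:limit]].append(name)
    collisions = [group for group in by_prefix.values() if len(group) > 1]
    return {"too_long": too_long, "collisions": collisions}


# Constructed sample: two 39/40-byte names that agree in their first 31 bytes,
# plus one short name that is fine.
SAMPLE_CONFIG = """\
set security ike policy ike-pol-branch-office-site-alpha-primary mode main
set security ike policy ike-pol-branch-office-site-alpha-primary proposals ike-prop-1
set security ike policy ike-pol-branch-office-site-alpha-backup mode main
set security ike policy hq-to-dc-ike mode main
set security ike gateway gw-alpha ike-policy ike-pol-branch-office-site-alpha-primary
""".splitlines()


if __name__ == "__main__":
    result = check_ike_policy_names(SAMPLE_CONFIG)
    for name in result["too_long"]:
        print(f"too long ({len(name.encode('utf-8'))} bytes): {name}")
    for group in result["collisions"]:
        print("indistinguishable on the data plane:", ", ".join(group))
```

Run it against a saved display-set copy of the configuration; any entry under collisions is the case to fix first, since the two policies cannot be distinguished by name once the excess bytes are dropped.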

Resolved Issues: Release 12.1X47-D20

Application Layer Gateways (ALGs)

  • On all high-end SRX Series devices, SCTP sessions are established on the SPU selected by the port hash algorithm, so session affinity does not take effect for SCTP traffic even when the SCTP ALG is disabled. Because SCTP and session affinity inherently conflict, session affinity is also not supported for SCTP traffic when the SCTP ALG is enabled. PR1019859

  • On all SRX Series devices with the SIP ALG and NAT enabled, the SIP ALG does not perform IP translation for retransmitted 183 Session Progress messages. The SIP call therefore fails when the first 183 Session Progress message the device receives carries no SDP information but a retransmitted one does. PR1036650
  • On all SRX Series devices, the DNS ALG does not terminate the session when a truncated DNS reply is received, so the session remains up until the high timeout (10~50) expires. PR1038800
  • On all SRX Series devices, if Sun RPC traffic has the same IP address, port number, and program ID as an existing session but arrives from a different source zone, the traffic is dropped by the Sun RPC ALG. PR1050339

Chassis Cluster

  • On SRX5400, SRX5600, and SRX5800 devices with SPC II cards installed and IP spoofing detection enabled, after the device is rebooted the address books are removed from the Packet Forwarding Engine and not pushed back. As a result, IP spoofing detection does not work after a reboot. PR920216
  • On all SRX Series devices configured in a chassis cluster, VLAN interfaces on the primary node might flap or become down. PR1001162
  • On all high-end SRX Series devices in a chassis cluster, when you perform an ISSU upgrade on a chassis cluster containing an IDP detector configuration, the FPCs on one node might remain in the offline state. PR1025203

CLI

  • On all high-end SRX Series devices, system commit synchronize is not supported. Hence, when you configure it, it will not be committed due to a configuration lock. PR1012692
  • On all SRX Series devices, CLI auto-complete does not work for any keywords after you run the set system login class <name> permissions command. PR1032498

Dynamic Host Configuration Protocol (DHCP)

  • On all high-end SRX Series devices, the DHCP server option-82 does not work. PR949717
  • On all branch SRX Series devices, in DHCP requests, the IP TTL value is set to 1 and the DHCP option 12 is missing. PR1011406
  • On all branch SRX Series devices configured as a DHCP server (using JDHCP), even though the next-server (siaddr) and tftp boot-server options are configured, the siaddr and TFTP boot server fields are set to 0.0.0.0 in DHCP reply packets. PR1034735
  • On all SRX Series devices configured as a DHCP server (using the jdhcpd process), when the server receives a new request from a client and obtains an IP address through the authentication process (authd), jdhcpd is expected to communicate with authd twice: once for the DHCP discover message and once for the DHCP request message. If authentication fails on the first message, authd waits indefinitely for the second request, but jdhcpd never sends it because it has detected that the first authentication failed. This causes a memory leak in the authd process; memory might be exhausted, a core file generated, and DHCP server service prevented. High CPU usage on the Routing Engine might also be observed. PR1042818

Flow-Based and Packet-Based Processing

  • On all high-end SRX Series devices, after a failover, there is a reroute process for each existing session on the newly active device. The reroute is delayed and is triggered by the first packet hitting an existing session. If multiple packets of the same session come in at once, and are picked up by different threads for processing, only one thread will run the reroute, while the other threads have to wait for the result before forwarding the packet. This waiting period penalizes traffic for other sessions and affects the overall throughput. Therefore, such packets will be dropped instead of waiting in order to optimize the overall system fairness and throughput. This drop does not affect newly created sessions, because that is a different data path. PR890785
  • On all high-end SRX Series devices, when IPsec is enabled, AppQoS does not apply the rate limiter for egress traffic. PR918942
  • On all branch SRX Series devices, the temporary flowd process crashes while you run the get-software-information level=detail command using a NETCONF client. This type of flowd crash is harmless. PR937450
  • On SRX1400 devices, in a rare condition, SPUs might enter an infinite loop. High CPU usage is seen on the SPUs, and the flowd process eventually crashes. PR1017665
  • On all branch SRX Series devices in Layer 2 transparent mode, the flowd process might generate a core file when two packets of the same connection are received in a short time before the flow session is created, and destination MAC address lookup succeeds for these two packets. PR1025983
  • On all high-end SRX Series devices, when a device forwards traffic, a flowd core file is generated. This is a generic issue and does not impact any feature. PR1027306
  • On SRX5400, SRX5600, and SRX5800 devices with an SRX5K IOC II, configuring a sampling feature (flow monitoring) might cause high kernel heap memory usage. PR1033359
  • On all SRX Series devices, when WebTrends Enhanced Log File (WELF) format is configured for the security log, the device generates very long WELF-formatted logs (for example, logs more than 1000 bytes). When the log is truncated on the Packet Forwarding Engine and sent to the Routing Engine, memory corruption occurs, causing the flowd process to crash. This issue generally occurs when UTM Web filtering is configured. PR1038319
  • On all SRX Series devices in a chassis cluster Z mode, if static NAT or destination NAT is configured, and in the NAT rule, the IP address of the incoming interface is used as a matching condition of the destination address (for example, set security nat static <rule-set-name> rule <rule-name> match destination-address <use the IP address of incoming interface>), then the traffic matching the NAT rule is discarded. PR1040185

Interfaces and Routing

  • On all high-end SRX Series devices, when a router is acting as an NTP broadcast server, broadcast addresses must be in the default routing instance. NTP messages are not broadcasted when the address is configured in a VPN virtual routing and forwarding (VRF) instance. PR887646
  • On all high-end SRX Series devices, LAG interface gratuitous ARP is neither generated nor sent out on the link when gratuitous-arp-on-ifup is configured. PR889851
  • On SRX240, SRX550, and SRX650 devices, a delay of several seconds (maximum 4 seconds) might occur to detect that the link is down. PR1008324
  • On all branch SRX Series devices, in a rare condition, during a failed routing update, already-freed memory might be accessed again, which results in a flowd process crash. PR1017148
  • On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if reth LAG is configured and child interfaces are associated with different network processing units (NPUs), when the device undergoes high-speed session creation (for example, 360,000 connections per second (CPS) on an SRX5800 device), the central point CPU might be stuck at 99 percent utilization after a data plane redundancy group failover. PR1030913
  • On all branch SRX Series devices with First Hop Router (FHR) in multicast scenario, after the device reboots, the PIM tunnel selects loopback0.0 as the outgoing interface due to a timing issue where the route is not ready. If the loopback0.0 and the downstream interface are not in the same security zone, the PIM register packets will be dropped because of reroute failure. PR1031185
  • On all branch SRX Series devices, multiple CoS rewrite rules are applied to a single interface where only one rewrite rule is allowed. PR1034173
  • On all high-end SRX Series devices, in each node, there is only one Routing Engine. The RE 0 in the master node is the master Routing Engine and the RE 0 in the secondary node is the backup Routing Engine. The request system power-off both-routing-engines command powers off both the master and the backup Routing Engines simultaneously. PR1039758
  • On all high-end SRX Series devices, the request system power-off both-routing-engines command powers off both the nodes. PR1047349

Intrusion Detection and Prevention (IDP)

  • On SRX210 and SRX220 devices, due to memory constraints, the combination of large IDP policies (that is, IDP_Default) along with express antivirus (EAV) might not compile successfully. PR974851

J-Web

  • On all SRX Series devices, when you go to the Monitor>NAT>Source NAT page and click the Resource Usage tab, all Pool type values in the grid are displayed as PAT. J-Web fails to recognize the Non-PAT pool. PR1036621
  • On all branch SRX Series devices, J-Web does not display all the member link interfaces for aggregate Ethernet (ae) interface. PR1038850

Platform and Infrastructure

  • On all high-end SRX Series devices, when composite next hops are used, an RSVP session flap might cause an ifstate mismatch between the master Routing Engine and the backup Routing Engine, which eventually leads to a kernel crash on the master Routing Engine. PR905317
  • On all branch SRX Series devices, when flexible-vlan-tagging option is enabled, the return traffic might be dropped on the tagged interface with the message packet dropped, pak dropped due to invalid l2 broadcast/multicast addr. PR1034602

Security Policy

  • On all branch SRX Series devices, when you swap the sequence of security policies or when security policies are disabled by a scheduler, the applications configured in these security policies might be added to other enabled security policies. This might cause unexpected applications to be evaluated by other security policies, and traffic to be permitted or denied unexpectedly. PR1033275
  • On all SRX Series devices, when there are more than 32 policies configured in a global security policy, and if there is a zone-based global security policy whose sequence number is greater than 32, then a policy mismatch error might occur, causing incorrect traffic evaluation. PR1057215

System Logging

  • On all SRX Series devices, if the stream mode logging has incomplete configuration for multiple streams, after reboot the system might not send out stream logs to the properly configured streams. PR988798
  • On all high-end SRX Series devices, RT_PFE errors might be generated due to reroute failure when a more specific route entry is added or deleted. PR1009947
  • On all branch SRX Series devices, flowd_octeon_hm: pconn_client_connect: Failed to connect to the server after 0 retries messages are repeated in the log file. PR1035936

Unified Threat Management (UTM)

  • On all high-end SRX Series devices, due to a memory leak issue in the utmd process, the utmd process might cause control plane CPU utilization that is higher than expected even when the Unified Threat Management (UTM) feature is not enabled. The memory leak can only be triggered if there is a UTM license installed on the system. PR1027986

VPN

  • On all branch SRX Series devices, IPsec tunnel reconnection might cause a memory leak. PR1002738
  • On all branch SRX Series devices, in group VPN setups, all the already registered members might suddenly disappear from the key server due to memory leak. PR1023940
  • On all branch SRX Series devices, if IPsec VPN is enabled using IKE version 2 (IKEv2), a distinguished name is used to verify the IKEv2 phase 1 remote identity, and a remote peer initiates IKEv2 phase 1 Security Association (SA) renegotiation (with the SRX Series device acting as responder), the newly negotiated VPN tunnel might stay in an inactive state on the data plane, causing IPsec VPN traffic loss. PR1028949
  • On all branch SRX Series devices in a dynamic end point (DEP) VPN scenario, the VPN tunnel might stay in down state after the user-at-hostname value is changed. PR1029687
  • On all high-end SRX Series devices with IPsec VPN configuration, because of a rare timing issue, the IPsec VPN traffic might be dropped due to a "bad SPI" message on the traffic-receiving side during IPsec Security Association (SA) rekey. PR1031890
  • On all SRX Series devices, in AutoVPN configuration after reboot, the VPN tunnel might not come up and an error with the private key is reported. PR1032840
  • On all high-end SRX Series devices with policy-based IPsec VPN configured, deleting security policies that are associated with a VPN tunnel might result in a stale VPN tunnel remaining. In addition, the tunnel might be associated with the newly added security policies. PR1034049
  • On all SRX Series devices, when a primary IP address of an interface changes, some IPsec tunnels terminated on that interface might go down. PR1044620

Resolved Issues: Release 12.1X47-D15

Application Layer Gateways (ALGs)

  • On all SRX Series devices, when there is heavy SIP traffic through the device, high CPU usage is seen on one or more SPUs. This issue occurs due to a certain type of SIP-handling logic, which dumps payload packets to the internal buffer. This logic has been optimized to reduce load on the SPU. PR985932
  • On all SRX Series devices, when ALG processes the SIP traffic, a memory corruption issue might occur and crash the flowd process. PR992478
  • On all SRX Series devices in a chassis cluster with the PPTP ALG enabled and the PPTP session closed, a memory corruption might occur on the secondary node, which causes the flowd process to crash. PR993447
  • On all SRX Series devices, if Sun RPC tracing is enabled, a core file is generated on the secondary node when you upgrade through ISSU. PR998245
  • On all SRX Series devices with the MS-RPC ALG enabled, occasionally, when more than one IP and port pair exists in the MS RPC response packet and these pairs are identical, the ALG group might leak. This issue might also occur in a Sun RPC scenario. PR1010499
  • On all SRX Series devices with SIP ALG enabled, when either retain-hold-resource and NAT are configured or retransmission of 183 session progress messages with SDP occurs (the first transmission did not have SDP), the SIP ALG incorrectly changes the IP address that is embedded inside the media payload to zero, causing a call failure. PR1016969
  • On all SRX Series devices, in certain situations, the H.323 ALG incorrectly handles translation because the stored position is not initialized properly. As a result, H.323 endpoints registration failure and call failure occur. PR1023528

Certificate Authority (CA)

  • When the PKI certificate expires at a later date, the output of the show security pki ca-certificate detail command incorrectly shows "Not after: time not determined UTC" under the Validity field. PR878036

Chassis Cluster

  • On all branch SRX Series devices, in dual fabric link chassis clusters, when the control link and one fabric link go down, the chassis cluster goes into a "split brain" condition in which both nodes become primary. With one fabric link up, the secondary node of the chassis cluster goes into an ineligible state and then into the disabled state. PR989548
  • On all high-end SRX Series devices, when you use the maximize-cp-sessions option, it decreases the amount of memory available for other functions. Therefore, the SPUs might not reach the published maximum number of supported VPN tunnels when the maximize-cp-sessions option is configured. PR1027761

Flow-Based and Packet-Based Processing

  • On all high-end SRX Series devices, the predefined application for the ICMPv6 Packet Too Big message is renamed from junos-icmp6-packet-to-big to junos-icmp6-packet-too-big. PR917007
  • On all high-end SRX Series devices, when IPsec is enabled, AppQoS does not apply the rate limiter for egress traffic. PR918942
  • On all SRX Series devices, under certain conditions, the creation of a multicast leaf session might result in an invalid multicast next hop, which crashes the flow module. PR921438
  • On all branch SRX Series devices, multicast traffic might cause memory leak on the data plane. PR947894
  • On all SRX Series devices, CoS buffer sizes are not recalculated after you delete the interface units, and this might result in suboptimal CoS behavior. PR953924
  • On all high-end SRX Series devices, the IPv6 traffic is reordered during the encryption of IPsec VPN because the fragment order is not maintained for the IPv6 traffic. PR962600
  • On all high-end SRX Series devices in a chassis cluster, CPU load on the SPC of the new backup node might increase after a data plane failover because packets loop endlessly between the nodes. PR963033
  • On all branch SRX Series devices with selective stateless packet-based services configured, self-traffic generated on custom routing instances will be dropped if it is forwarded in packet-based mode. PR968631
  • On SRX5400, SRX5600, and SRX5800 devices configured with SPC II cards, memory leak might occur on the SPC II Control Plane Processor (CPP), causing the SPC II CPP to reboot. PR975345
  • On all SRX Series devices (except the SRX110) in a chassis cluster, the flowd process might crash when it receives corrupted real-time objects (RTOs). PR981301
  • On SRX240, SRX550, and SRX650 devices, in certain circumstances, packets might go out of order or be dropped by the device. This issue affects multithreaded branch SRX Series devices and typically occurs in mixed traffic (TCP or UDP) environments. PR977614
  • On all SRX Series devices in a chassis cluster, when you terminate the GRE tunnel over IPsec VPN, sessions through the GRE tunnel are deleted unexpectedly when the session that is installed on the backup node times out, which is normally at eight times the session timeout. PR982880
  • On all SRX Series devices, the flow serialization impacts session performance for IDP, AppSecure, ALG, GTP, or SCTP, and it continues even after Layer 7 processing is completed. PR986326
  • On all branch SRX Series devices, due to an indirect next-hop change, memory corruption occurs in the flow route lookup table, causing the flowd process to crash. PR988659
  • On all high-end SRX Series devices, when fragmented packets are processed, the first fragment (the fragment contains Layer 4 information) is used to create the session, and the subsequent fragments are queued on a memory block. During session creation, the queued fragments might be processed for flow processing even though the session is still in pending state. As a result, order information is lost and the fragmented packets are forwarded out of order. PR993925
  • On all SRX Series devices, the logical tunnel interface encapsulated Frame Relay is not supported. When you configure logical tunnel interface encapsulated Frame Relay, the flowd process crashes. PR996072
  • On all SRX Series devices with integrated user firewall feature enabled, when there are 100,000 or more authentication entries, deactivating the useridd process might cause the flowd process to crash. PR996159
  • On all high-end SRX Series devices, when an equal-cost multipath (ECMP) route is installed in the forwarding table and is used by the flow module, and if a better route is available for the flow module or a subset of the ECMP route is pointing to the flow module, the flow module does not reroute to use the better route for existing sessions. PR996729
  • On all SRX Series devices, when functions that use the TCP proxy are enabled (for example, TCP-based ALGs such as FTP, H.323, MGCP, MS RPC, PPTP, RSH, RTSP, SCCP, SIP, SQL, Sun RPC, and TALK; UTM; and TCP proxy screens such as SYN-ACK-ACK proxy flood and SYN flood protection), TCP packets might be held in mbufs for a long time for TCP proxy processing. The system treats this as a memory leak, which causes the flowd process to crash. PR999416
  • On all branch SRX Series devices, when the classifier is set based on EXP bits and the ingress logical interface is a VLAN tagged interface and not unit 0, the classifier uses the default logical unit 0's classifier instead of the configured classifier queues, which forwards the MPLS traffic to the unintended egress queues. PR1002325
  • On all SRX Series devices, when the packet-capture option is configured on the egress interface and a multicast stream is sent through the device, the multicast traffic might not be captured. PR1005116
  • On all high-end SRX Series devices, the flowd process crashes due to a cache error. PR1005195
  • On SRX240H2, SRX240H2-POE, and SRX240H2-DC devices, the IDP cannot process any traffic due to incorrect setting of flow sessions. PR1011057
  • On all high-end SRX Series devices (except SRX1400), fragmented IPsec packets might be out of order after decryption, causing a TCP packet retransmission and performance degradation. PR1013223
  • On all high-end SRX Series devices, when the central point runs in combo mode on an SPC I card and enable-utm-memory and in-line-tap IDP mode are enabled concurrently, the flowd process crashes continuously. PR1019568
  • On all high-end SRX Series devices, in some scenarios, the flowd process might generate core files due to stack overflow while running a log collection script (for example, the shell script which sends various CLI and VTY commands) on the device. PR1020739
  • On all SRX Series devices, the flowd process might crash while applying a CoS filter for the host outbound traffic. PR1021150
  • On SRX5400, SRX5600, and SRX5800 devices with SRX5K IOC II, configuring a sampling feature (flow monitoring) might cause a high kernel heap memory usage. PR1033359

Dynamic Host Configuration Protocol (DHCP)

  • On all high-end SRX Series devices, you cannot get the DHCP relay information through SNMP if DHCP relay is configured under the logical system.

    For example, bash-3.2# snmpwalk -c lsys1/default@junos -t 5 -v 1 -Os -Oq -Oe -Pu -m /tmp/jnx-smi.mib:/tmp/jnx-jdhcp.mib 10.208.131.136 jnxJdhcpRelayStatistics PR909906

  • On all high-end SRX Series devices, the DHCP server option-82 does not work. PR949717
  • On all high-end SRX Series devices, the DHCP server SNMP information cannot be displayed in the logical system. PR956597
  • On all branch SRX Series devices, if the DHCPv6 client is configured for the PPPoE interface and the pp0 interface is disabled and enabled, the pp0 interface does not acquire the IPv6 address from the DHCPv6 server. PR998712

General Packet Radio Service (GPRS)

  • On all high-end SRX Series devices with GTP enabled, some GTP traffic might be dropped due to the reason message Reason zero TID/TEID. This is because some GTP messages do not contain TEID value in the GTP message header (such as Identification Response messages), and these messages are dropped incorrectly. PR999468

Interfaces and Routing

  • On SRX650 devices, the VLAN interface is down after a reboot. PR969079
  • On all SRX Series devices, the interface monitoring option causes an unexpected RG0 failover during the system reboot. This is because the interface monitoring option is only applicable to the data-plane interface and it should not be associated with the RG0, which represents control-plane redundancy. Enabling the interface monitoring option under the RG0 is not supported on high-end SRX Series devices. PR970023
  • On SRX550 and SRX650 devices with WAN cards installed, if an interface is configured for Ethernet switching mode and forwarding traffic, traffic processing might exhaust the mbuf pool. As a result, an interprocess communication (IPC) issue can occur, causing the WAN cards to go offline randomly. PR972332

Intrusion Detection and Prevention (IDP)

  • On all high-end SRX Series devices, Duplicate FLOW_IP_ACTION logs are generated while sending traffic. PR959512
  • On all SRX Series devices, when you configure an automatic security package update without configuring the schedule interval and start time, high CPU usage on the idpd process is seen. PR973758
  • On all SRX Series devices, when you upgrade from any Junos OS release to Junos OS Release 12.1X47-D15 with custom IDP attacks using custom nested applications, the mgd process commit fails. PR999282
  • On all SRX Series devices, the custom dynamic group with the service TCP filter or the service UDP filter does not include TCP or UDP port-bound attack signatures. The following error message is displayed:

    'dynamic-attack-group OTHER-PROTO-REC-CTS'

    Attack TCP-PROTO-REC-CTS: No matching members found. Group is empty

    error: configuration check-out failed

    However, the group should not be empty, because of the configured queries of the custom dynamic group. PR1002526

  • On all SRX Series devices, the Network Security Daemon (NSD) process might crash, causing the show security match-policies command to generate multiple core files. This is because the policy database is not synchronized between the Routing Engine and the Packet Forwarding Engine. PR1003099

J-Web

  • On all SRX Series devices, when you open several connections to J-Web from the same IP address, the HTTP process might hang and J-Web becomes unresponsive. PR974042
  • On all high-end SRX Series devices, no data is displayed for monitor-nat-source-resource usage. PR995880
  • On all branch SRX Series devices, pagination does not work when more policies are configured. PR996545
  • On all SRX Series devices, the serial number and the system uptime are not displayed in the Dashboard. PR1009371
  • On all SRX Series devices, J-Web does not work with Firefox version 31. A blank screen is displayed after you log in. PR1015430

Network Address Translation (NAT)

  • On all SRX Series devices, in rare cases, the device starts using sequential source ports for source NAT because of memory corruption in the random-number function. PR982931
  • On all high-end SRX Series devices, when you add a /96 IPv6 address to the host address of the deterministic NAT pool, an nsd core file is generated when you commit the configuration. PR985511
  • On all SRX Series devices in a chassis cluster, when source NAT is configured with a port no-translation pool and a port overflow pool with the address-persistent feature, the port resource of the overflow NAT pool leaks on the backup node when the translated IP address conflicts with the port no-translation pool. PR991649

Platform and Infrastructure

  • On SRX650 devices, when you execute the show security nat static rule all command continuously, the following message is displayed:

    kern.maxfiles limit exceeded by uid 0

    PR721715

  • When devices were configured to use RADIUS authentication, if the user-permission string sent from the RADIUS server was longer than 129 characters, the device failed to process the user-permission string. This resulted in user permissions being set incorrectly. PR736331
  • On all SRX Series devices, every time a user logs in with SSH, a veriexec: fingerprint mismatch message is reported in the log. PR929612
  • On all high-end SRX Series devices, a buffer leak occurs in the Application Delivery Controller (ADC) and Transparent Load Balancer (TLB) services due to the malfunction of atomic functions. PR934768
  • On all SRX Series devices, when a PKI certificate is manually loaded without an absolute path given for the filename, the system defaults to the /var/tmp directory instead of the current working directory. PR954114
  • On all high-end SRX Series devices in a chassis cluster with IPsec over the reth interface, the traffic from self to st0 interface might be dropped when the primary node of the RG0 is in Packet Forwarding Engine restart processing. PR955999
  • On all high-end SRX Series devices, when you use dual control link and LACP and if the first control link goes down, the LACP goes down on the secondary node for redundancy group 0. The secondary node might be the primary node for a data plane redundancy group (1+) and carries the traffic. Hence, the traffic might be interrupted. PR958841
  • The SRX3400 device supports a maximum of two NPCs when multiple NPCs are inserted. The NPC in slot 5 is not initialized completely, and only one NPC in either slot 6 or slot 7 is functional. PR963427
  • On all SRX Series devices, leading spaces are incorrectly added before the numerical value of <time-to-expire> element in the show arp expiration-time | display command output. PR974410
  • On SRX220 and SRX550 devices, you can configure a maximum of 250 connections as connection-limit. However, 250 connections cannot be established. To set the maximum-connection-limit, use the set system services telnet connection-limit command. PR976318
  • On all SRX Series devices, due to a communication error between the master agent (snmpd process) and the subagent (mib2d process), the device fails to register some MIBs. For example, the following commands do not display any output when you run the command:

    user@hostname>show snmp mib walk ifTable

    user@hostname:~$ snmpwalk -v 2c -c snmp@exp X.X.X.X ifAlias

    The following message is displayed:

    IF-MIB::ifAlias= No Such Object available on this agent at this OID.

    This means the OID is not registered. PR978535

  • On all high-end SRX Series devices with multicast enabled, frequent multicast route changes might cause a JTree memory leak on the SPC. If the SPC runs out of JTree memory, routing information might not be updated on the Packet Forwarding Engine, causing traffic loss. The following log message is displayed when JTree memory is running low on the device:

    node1.fpc7.pic0 RSMON: Resource Category:jtree Instance:jtree0-seg0 Type:free-pages Available:1 is less than LWM limit:1638, rsmon_syslog_limit(). PR979712

  • On all high-end SRX Series devices in a chassis cluster, the backup node should not send SNMP traps. PR982777
  • On SRX5400, SRX5600 and SRX5800 devices, the authentication header packet is dropped in SRX5K IOC II after the ID sanity check due to inner protocol processing. PR986880
  • On SRX5400, SRX5600, and SRX5800 devices, after fabric reconnect, the fabric plane displays the Link error message after the fabric plane is online or offline. PR990679
  • On all high-end SRX Series devices, the session ager might get stuck due to memory corruption, causing the maximum session limit to be reached on SPUs. PR991011
  • On all SRX Series devices, when you use netconf or Junos OS scripts to manage the device, the management process gets stuck in a loop, causing high CPU usage. PR991616
  • On all SRX Series devices, when you upgrade the device using ISSU, the system displays the following log messages:
    • May 22 16:54:05 srx5k-1 node1.fpc11 XETH(11/0) : Cannot find service table entry ptr xeth_get_scheduler_numbers
    • May 22 16:54:05 srx5k-1 node1.fpc11 XETH(11/0):xeth_get_ifd_member_rate_limit_stats(ge-23/0/0): No scheduler found for ifl:81
    • May 22 16:54:05 srx5k-1 node1.fpc11 XETH(11/0) : Cannot find service table entry ptr xeth_get_scheduler_numbers
    • May 22 16:54:05 srx5k-1 node1.fpc11 XETH(11/0):xeth_get_ifd_member_rate_limit_stats(ge-23/0/0): No scheduler found for ifl:81.

    PR995928

  • On SRX100, SRX110, and SRX210 devices, no events are displayed when the temperature of the chassis exceeds the thermal threshold value. PR999888
  • On all high-end SRX Series devices in a chassis cluster with interface monitoring enabled, interfaces might be incorrectly monitored as down due to a memory allocation issue. PR1006371
  • On SRX5400, SRX5600, and SRX5800 devices with an SRX5K IOC II, the SRX5K IOC II might send packets out of order, causing end-to-end performance degradation. PR1007455
  • On SRX3400 or SRX3600 devices in a chassis cluster, the FPC 0 Minor Errors alarm is raised because of the excessive invalid pkt type errors reported by the Network Processing Card (component). PR1008968
  • On SRX1400, SRX3400, and SRX3600 devices configured with firewall simple filters, if you change the simple filter terms, some terms might not be installed properly in the data plane. As a result, the simple filter might not work as expected. PR1012606
  • On all SRX Series devices, when a new user is created, the home directory for the user is not created. PR1015156

Screens

  • On all high-end SRX Series devices with flooding type screens configured, if multiple logical interfaces on the same network processing unit (NPU) have been configured in the same zone, then changing the flooding thresholds might cause each of these logical interfaces to have inconsistent thresholds, and sometimes some logical interfaces might not have any screen flood protection at all. PR972812

System Logging

  • On all high-end SRX Series devices, when the syslog option is configured under the [logical system] hierarchy, the system logs are not rotated correctly: some of the files in the /var/log directory are not compressed, and some of the files are compressed with only two lines. PR980061
  • On all high-end SRX Series devices, when you configure multiple stream mode under the [security log] hierarchy and one of the stream modes is set to severity warning, the system log traffic on the other streams is stopped. PR1009428

Unified Threat Management (UTM)

  • On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) option enabled, the chunked HTTP traffic might be terminated unexpectedly by the client due to incorrect content sent by the branch SRX Series devices. As a result, the whole page or partial content is not displayed in the client browser. PR971895
  • On all SRX Series devices with UTM content filtering enabled, when the filename extension value is set to .com to block URLs, the content filtering feature incorrectly treats the <searchpart> as a path and blocks URLs that end with .com. PR1008108

VPN

  • On all SRX Series devices, in certain situations when the device has more than one IKE Security Association (SA) installed for the same peer device and Dead Peer Detection (DPD) is triggered, the DPD messages are not sent from the device to the peer device, causing the IKE SA to remain installed on the device until the IKE SA expires. PR967769
  • On all SRX Series devices, when the device is configured with similarly named CA profiles (for example, caprofile, caprofile_1, caprofile_3, and so on) and CA certificates are loaded into these profiles, clearing the first CA certificate also clears the other certificates whose CA profile name starts with the same keyword. PR975125
  • On all SRX Series devices, dynamic VPN user groups are not able to access certain remote resources. In this scenario, there are two policies referring to the same dynamic VPN and one of the policy directions is not set. Hence, the lookup fails in the null policy at the end. PR988263
  • On all SRX Series devices deployed in a hub-and-spoke VPN scenario as a hub point with dynamic endpoint VPN (DEP VPN) spokes, if manual NHTBs are configured, changing (adding or deleting) NHTBs might cause other NHTBs to be deleted and existing tunnels to go down. PR1001692

Resolved Issues: Release 12.1X47-D10

Application Layer Gateways (ALGs)

  • On SRX Series devices with the VoIP-related ALG (either H.323 or SIP) and NAT enabled for the VoIP traffic, the corresponding ALG creates persistent-nat-binding entries for the reverse VoIP traffic (even though the persistent NAT feature is not configured in the source NAT rule) when VoIP traffic is transmitted into a custom routing instance. Hence, the system does not apply the custom routing instance information to the persistent-nat-binding entries, and the reverse traffic that matches the persistent-nat-binding entries is forwarded to the default routing instance instead of to the custom routing instance. The reverse traffic is dropped or forwarded to the wrong place. PR924553
  • On all SRX Series devices, the REAL ALG is not supported, but you can configure it from both the CLI and J-Web. PR943123
  • On all SRX Series devices with the SCCP ALG enabled, the SCCP ALG drops packets with unknown message identification. In a NAT scenario, the SCCP ALG performs NAT for different SCCP messages with different NAT results, and data traffic is dropped. PR952180
  • On all SRX Series devices, a flowd core file is generated because of a malformed SIP packet. PR956157
  • On all SRX Series devices, the Microsoft Active directory or Microsoft Outlook client might get disconnected from the server because the MS-RPC ALG incorrectly drops the data connections under heavy load. PR958625
  • On all SRX Series devices, when the ALG receives IPv6 payload information for processing and if the IPv6 flow mode is not enabled on the device, the flowd process might crash. PR964817
  • On all SRX Series devices, when RTSP ALG traffic passes through the routing-instance type virtual-router, traffic is dropped. PR979899

Authentication and Access Control

  • On all SRX Series devices, when Web authentication is enabled using SecurID authentication, it fails if there is a change in the DNS server configuration, because the authd process continues to send DNS requests to the old DNS server. PR885810
  • On SRX Series (except the SRX110) devices in a chassis cluster working as a Unified Access Control (UAC) enforcer, when RG0 failover occurs, the Packet Forwarding Engine might connect to the uac process before the uac process connects to the UAC server. In this condition, the uac process conveys to the Packet Forwarding Engine that the UAC server is disconnected. When the Packet Forwarding Engine receives this information, it denies new traffic that matches the UAC policies. The traffic is resumed after the connection between the uac process and the UAC server is established. PR946655
  • On all SRX Series devices, the application firewall module might cause the Network Security Daemon (NSD) to leak up to 4 KB of memory on each configuration commit. PR969107

Chassis Cluster

  • On all SRX Series devices in a chassis cluster, the dcd process causes a memory leak on the Routing Engine when you configure a reth interface (that is, activate, deactivate, delete, or add a reth interface). PR893759
  • On all SRX Series devices in a chassis cluster, when you download the IDP signature database from the primary node, it is not synchronized to the secondary node. PR914987
  • On all high-end SRX Series devices in a chassis cluster, in certain IPv6 configurations, the SPU sends out packets with an invalid header on the secondary node, which in turn triggers a hardware monitoring failure on the secondary node. PR935874
  • On all branch SRX Series devices in a chassis cluster, if an identical address is found on both private and public interfaces, a kernel panic occurs after RG0 failover. PR937438
  • On all SRX Series devices (except the SRX110) in a chassis cluster, in certain conditions, the chassis cluster fabric link hello packet might be corrupted, causing the flowd process to crash. PR939828
  • Due to logic problems with the next-generation SPC nvram component, sometimes the central Packet Forwarding Engine processor tries to yield a thread during an interrupt-disable scenario. This operation causes the central Packet Forwarding Engine processor to hang, and the flexible PIC concentrator is marked as offline. As a result, the chassisd detects the flexible PIC concentrator as being down and resets all flexible PIC concentrators, causing failover in chassis clusters. PR940392
  • On all branch SRX Series devices, the counter for incoming traffic on a fabric interface (used for chassis cluster) always shows zero (0). PR949962
  • In Junos OS Release 12.1X46-D10 and earlier, in a chassis cluster environment, when a secondary node failed, no notification was sent to report the secondary node failure.

    Starting in Junos OS Release 12.1X47-D10, in a chassis cluster mode, the primary node sends the SNMP generic event trap to report failures on the primary node and the secondary node. PR953639

  • On all SRX Series devices (except the SRX110) in an asymmetric chassis cluster scenario, the secondary node (for example, node 1) uses a local interface to back up the interface in the primary node (for example, node 0). If there is a route change, then the traffic is sent to the egress from the backup interface, which is the local interface of node 1. After the route resumes, the traffic is sent back to the egress from the primary interface, which is the local interface of node 0. The session related to the route change is in active state on both the nodes. Traffic might be interrupted when the session times out on the backup node and the session on the primary node is deleted. PR951607
  • On all branch SRX Series devices, the G-ARP replies do not update the existing MAC address entry. When the MAC address timer expires, a new MAC address is updated. PR953879
  • On all SRX Series devices (excluding SRX110 devices) in a chassis cluster, when the secondary node becomes ineligible due to control link failure, it might still forward traffic. This causes the reth interface to flap and the related traffic to drop while the secondary node is in the ineligible state. PR959280
  • On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when you disable LACP on a reth interface, the related route's next hop remains in the hold state. PR960994
  • On all SRX Series devices (excluding SRX110 devices) in a chassis cluster, after the primary node power cycle, the Flexible PIC Concentrators (FPCs) on both the nodes might lose the connection to the new primary Routing Engine, causing the FPCs on both the nodes to get stuck in present state. PR961351
  • On SRX3600 devices, the fabric-link becomes down when you execute manual failover using the request chassis cluster failover redundancy-group 0 node 0 command. PR965077

Dynamic Host Configuration Protocol (DHCP)

  • SRX100 devices send the same DHCP packets twice, but the SRX220 devices send the DHCP packets only once. PR894760
  • On all SRX Series devices, you cannot get the DHCP relay information through SNMP if DHCP relay is configured under the logical system. For example:

    bash-3.2# snmpwalk -c lsys1/default@junos -t 5 -v 1 -Os -Oq -Oe -Pu -m /tmp/jnx-smi.mib:/tmp/jnx-jdhcp.mib 10.208.131.136 jnxJdhcpRelayStatistics
    bash-3.2#

    PR909906

  • On all SRX Series devices, in the DHCPv6 client command description, the word stateful was misspelled as statefull. It is changed to stateful in the description; however, the keyword is retained as statefull to avoid incompatibility. PR924692
  • On all high-end SRX Series devices, after you configure DHCPv6 in IPv6 mode, the dhcpv6 process crashes. PR940078
  • On all high-end SRX Series devices, DHCPv6 does not work in IPv6 mode. PR942246
  • On all high-end SRX Series devices, the DHCP server on the device gives the same IP address to two different hosts and both hosts are active in the MAC binding table, causing a connectivity issue. This issue might occur if the DHCP server receives a DHCP INFORM packet from a binding client and a DHCP RELEASE packet from the same client. PR969929

Flow-Based and Packet-Based Processing

  • On SRX220H2 devices, the TCP connection rate might drop by 15 percent. PR898217
  • On SRX100H2 devices, the device reboots unexpectedly and multiple core files are generated due to a DDR2 memory timing issue between DRAM and the CPU. The symptoms include flowd core files, core files from other processes (for example, snmpd, ntpd, and rtlogd), and silent reboot without core files and system freeze. These core files are related to RAM access (for example, pointer corruption in session ager ring entry), and there are no consistent circumstances that cause these core files to be generated. PR923364
  • On all SRX Series devices, when you run the clear security flow session command with a prefix or port filter, some of the sessions are not matched with the filter, causing a traffic drop or delay. This issue is triggered by any of the filters. PR925369
  • On all branch SRX Series devices, in some cases, the ARP response is not accepted when the frame size is above the common value (for example, when the frame was padded by intermediate Layer 2 devices). PR927387
  • On all SRX Series devices configured with IDP, for the AppSecure, ALG, GTP, or SCTP features that require serialization flow processing, the memory buffer might leak, causing the flowd process to crash. PR930728
  • On all SRX Series devices, when loading a configuration in private mode, the annotated message statement is truncated to 1024 characters. PR930834
  • On all SRX Series devices, if GRE tunnel configuration is committed without a correct route to the tunnel destination, the GRE tunnel session will bind the wrong anchor interface (the GRE tunnel outgoing interface) by route lookup. This anchor interface will not be updated even after the route is corrected when you commit the subsequent configuration. PR933591
  • On all SRX Series devices, the indirect next hop for ECMP is not supported. PR935867
  • On all SRX Series devices (except the SRX110) configured in a chassis cluster, under certain conditions, the flowd process might crash during the cold synchronization process. PR936014
  • On all high-end SRX Series devices, in certain circumstances, high CPU consumption on the data plane and eventual exhaustion of the internal system buffers might corrupt the forwarding table, causing partial traffic drops. PR938742
  • On all SRX Series devices, when IKE packets are received before Junos OS default applications are pushed to the Packet Forwarding Engine, the IKE sessions will be established without the IKE application having been marked. As a result, the fragmented IKE packet cannot be sent to iked, because the IKE session has not used IKE applications. PR942730
  • On all SRX Series devices, if the first packets of a single session come from both directions at the same time, the application information on the session is corrupted during session installation and the flowd process crashes. PR942877
  • On all SRX Series devices, when the device is in packet mode, after you change an interface configuration, the warning message warning: You have changed inet flow mode; You must reboot the system for your change to take effect is displayed. The same message is displayed on every commit until the next reboot. This message can be safely ignored. PR949472
  • On SRX240, SRX550, and SRX650 devices, when the device receives a TCP reset (RST) and a FIN (the second FIN of the session) at the same time for a session, the RST and the FIN packet might get processed by different threads. As a result, the session timeout is updated incorrectly, and the session remains in the session table for 150 seconds. PR950799
  • On all SRX Series devices, the flowd process might crash when the system performs the persistent NAT function for ALG traffic. This is because of a lack of memory to allocate for persistent NAT bindings. PR951011
  • On all SRX Series devices, when RG0 failover is triggered, the old RG0 primary device reboots or both devices reboot. PR953723
  • On SRX240, SRX550, and SRX650 devices, in certain situations, flow sessions time out and get corrupted. This leads to the flow sessions being set to an abnormally high value, which eventually leads to the session table becoming full. PR955630
  • On all high-end SRX Series devices, the flowd process might crash during the session installation. PR956775
  • On all SRX Series devices, SSH connection is not possible between Cisco devices running IOS version 15 or later and SRX Series devices running Junos OS Release 11.2 or later. PR957483
  • On all SRX Series devices, in a site-to-site VPN scenario, when the device is configured as an IPsec initiator, the flow session timeout is refreshed by the reroute packet. This causes an old session to remain in the session table, the VPN connection not to recover, and packet drops to occur. PR959559
  • On all branch SRX Series devices, when you configure an ICMP probe-server option under the [services rpm] hierarchy for a specific interface (for example, ge-0/0/0), the device does not respond to ICMP requests from this interface. Other interfaces are not affected and can continue to respond to ICMP requests. PR960932
  • On all SRX Series devices, when you reboot the passive node, the CPU usage increases on flow SPUs of the primary node and this lasts for a few seconds when the traffic latency is increased. PR962401
  • On all SRX Series devices, filter-based forwarding (FBF) rules are ignored when existing sessions are rerouted. PR962765
  • On all branch SRX Series devices with IP spoofing screen enabled, the routing table search might fail due to the routing table being locked by the system, causing a false positive to an IP spoofing detection. PR967406
  • On all high-end SRX Series devices, when you send SCTP packets to test the capacity, the SCTP packet might generate a core file. PR968951
  • On all SRX Series devices, white spaces are not supported in the PKI certificate name. PR975374
  • On SRX550 devices, the maximum number of flow sessions is configured incorrectly. The devices have larger session capacities than the configured session values. PR977169
  • On all branch SRX Series devices, application traffic control rate limiters are unsupported on model H2. PR979901
  • On all SRX Series devices, in rare cases, the device starts using sequential source ports for source NAT because of random function memory corruption. PR982931

General Packet Radio Service (GPRS)

  • On all SRX Series devices, when you send the 4-way handshake control packets to create associations for the capacity test, a core file is generated. PR980262

Hardware

  • On SRX550 and SRX650 devices, the SRX-GP-DUAL/QUAD-T1-E1 GPIM might have interoperability issues with the remote CSU using the national standard feature due to the violation of ITU-T recommendation G.704. PR939944

Interfaces and Routing

  • The counter for incoming traffic on a fabric interface (used for chassis cluster) always shows zero (0). PR520962
  • On SRX5600 virtual chassis, when you swap the members of a LAG, a vmcore or ksyncd core file might be generated on the backup Routing Engine. PR711679
  • On all SRX Series devices, when you configure and commit IPv6 addresses on a logical interface, the output of the show interface terse command does not reflect the change immediately. PR802229
  • SRX5800 devices might log the Bottom Fan Tray Unable to Synch message. However, this message can be ignored. PR833047
  • On all branch SRX Series devices with 3G wireless modems, the 3G dialer interface dl0.0 might get stuck in the down link state. PR855897
  • On SRX550 devices, the T3/E3 FPC goes offline after provisioning a switched port on the ge-0/0/0 interface. PR919617
  • On SRX Series devices with the 3G USB wireless modem, when the signal is low, the 3G cellular modem interface (cl-0/0/*) displays the status as Connected even though there is no signal or there is a low signal with no network connection. This is because there is no mechanism for the wireless WAN process to notify the Routing Engine of the status change even though the Packet Forwarding Engine is notified. After the signal recovers, the 3G cellular modem interface is not able to dial again. PR923056
  • On all high-end SRX Series devices, the show interface extensive command is cut short with the error message error: route rpf stats get for interface. PR930630
  • When IS-IS is configured between the SRX Series device and some third-party devices, after the SRX Series device is rebooted and the IS-IS adjacency is reestablished, the routes advertised by the third-party devices might not install into the routing table in some cases. PR935109
  • On SRX550 devices with DS3/E3 interfaces, the external clocking option is disabled to overcome the limitation present in the hardware to support this clocking option. With the revised version of hardware, the external clocking limitation has been fixed. Hence the external clocking option is reenabled. PR936356
  • On all SRX Series devices, deactivating static routes can lead to deactivation of other configuration sections. PR939712
  • On all SRX Series devices, modifying a policy element that is deactivated by the policy scheduler leads to problems in searching the policy tree in memory. An incorrect policy match occurs after the policy is reactivated by the scheduler. PR944215
  • On all branch SRX Series devices with interfaces encapsulated with ethernet-ccc, when you connect to an ae interface with LACP enabled, the LACP packets do not pass through the ethernet-ccc encapsulated interface. PR945004
  • On SRX100B2, SRX100H2, SRX210B, SRX210HE2, SRX210HE2POE, SRX220H2, SRX220H2POE, SRX240B, SRX240B2, SRX240H2, and SRX240H2POE devices, the Point-to-Point Protocol over Ethernet (PPPoE) feature session is disconnected or the connection is not available. PR956307
  • On SRX210 and SRX220 devices, certain jumbo frames are dropped even though the MTU is set correctly. PR963271
  • On all SRX Series devices, the clear security dns-cache command is extended to resolve all DNS entries immediately. Similarly, the security policies containing DNS names are updated immediately to use the refreshed IP addresses after the FQDN addresses are resolved. PR970235
  • On all SRX Series devices, when the proxy-ndp feature is enabled on the interface, the entries in the IPv6 neighbor table from the interface might flap. PR970281
  • On SRX5400, SRX5600, and SRX5800 devices, the counters displayed in the reth interface are not correct. PR978421

Intrusion Detection and Prevention (IDP)

  • On SRX Series devices with IDP enabled, high data plane CPU usage occurs in certain SPUs for a few seconds. PR848485
  • On all SRX Series devices, when you disable the option idp policy-optimizer using the set security idp sensor-configuration no-policy-optimizer command, the policy fails to load after reboot. PR883258
  • On branch SRX Series devices with IDP enabled, when you use the hardware Deterministic Finite Automaton (DFA), which is enabled by default on all devices except SRX100 and SRX110 in Junos OS Release 11.4, a false positive might occur for the signature APP:RDP-BRUTE-FORCE. PR911994
  • On all SRX Series devices, the new entry or flag representing an alert notification is seen in the system log message. If the alert is configured in the IDP rules, the flag is set to “yes”; otherwise, it is set to “no”. PR948401
  • On all high-end SRX Series devices, when the LACP mode is fast and the IDP is in inline-tap mode, a LACP flap might occur when you commit the configuration. PR960487
  • On all SRX Series devices, when you upgrade the detector version, the detector kconst value becomes the default value. PR971010

J-Web

  • On all SRX Series devices, the httpd process generates a verbose log in the default configuration. PR930723
  • On all SRX Series devices, when you make any changes on the J-Web page and try to commit or refresh the page, the operation might time out due to two Asynchronous JavaScript and XML (AJAX) requests being sent out at the same time. The second AJAX request is sent out when the first AJAX request does not receive a response. PR935552
  • When you change the password minimum-length characters from 6 to 8, J-Web shows the error message minimum-length is 6. PR942219
  • On all SRX Series devices, J-Web does not accept the keyword “any” in the address-book object name. PR944952
  • On all SRX Series devices, session logs generated by the global policies are not displayed on the Monitor > Events and Alarms > Security events page or in the policy log window on the Configure > Security > Policy page in J-Web. PR962892
  • On all branch SRX Series devices, when dynamic VPN is configured, it is not possible to configure the local-certificate or pki-local-certificate options for Web management. A commit error is displayed when these options are configured. Only the self-signed certificate option can be configured. PR969672
  • On J-Web, the App-FW page does not show the counter information. PR972473

Network Address Translation (NAT)

  • On all SRX Series devices, when NAT protocol translation from IPv4 to IPv6 is enabled, a certain crafted packet might cause the flowd process to hang or crash. A hang or repeated crash of the flowd process creates an extended denial-of-service condition for the devices. PR954437
  • In Junos OS Release 12.1X46-D10 and earlier, the device could not send the SNMP trap for the NAT pool with logical systems configured.

    Starting with Junos OS Release 12.1X47-D10, the SNMP trap for the NAT pool with logical systems configuration can be sent from the device. PR959219

  • On all high-end SRX Series devices, the source paired address table for the IPv6 PBA pool is not released on the primary node after the session time out. PR975093

Platform and Infrastructure

  • On all high-end SRX Series devices, when the management-ethernet link-down ignore command is configured under the chassis alarm hierarchy, the show chassis alarm command does not display the fxp0: Ethernet Link Down alarm message. However, the following messages might be seen in the logs:

    craftd[1163]: %DAEMON-3: attempt to delete alarm not in list

    alarmd[1162]%DAEMON-4: Alarm cleared: RE color=IGNORE, class=CHASSIS

    reason=Host 0 fxp0: Ethernet Link Down

    PR749954

  • On all SRX Series devices, when you log in to the device, the login process might crash due to abnormal disconnection behaviors. PR802169
  • On SRX240, SRX550, and SRX650 devices, when the device receives out-of-order packets while transferring large TCP files, the throughput might be heavily impacted. PR881761
  • When GRE is enabled, AppQoS classification, marking, or rate limit does not work for fragmented packets in the client-to-server direction. PR924932
  • On all SRX Series devices, when using JDHCP, the server does not respond to the client with the DHCPOFFER packet when it receives the DHCPDISCOVER packet from the client. This causes the authd process to consume a large amount of CPU and increases storage use on the /mfs partition. PR925111
  • On SRX5800 devices in a chassis cluster, when the device is connected to a Nexus switch, control plane failover occurs. This failover causes the LACP timer to change from slow periodic to fast periodic. PR926019
  • On all SRX Series devices, for SCTP IPv6 traffic in traffic logs, all the source and destination ports are marked as port 1. PR928916
  • On SRX1400 devices with SYSIO-XGE IOC cards, the xe-0/0/9 interface might not come up when the cable is reconnected after you upgrade to Junos OS Release 12.1X47-D10. PR929276
  • On all SRX Series devices, when the Network Security Daemon (NSD) holds a buffer related to the NAT proxy-arp process, a memory leak occurs. This issue occurs when you commit the configuration. PR931329
  • On SRX1400 devices, if port ge-0/0/6 has an SFP-T (part number 740-013111) transceiver plugged in, the port might be set to physically down after upgrading to Junos OS Release. PR933751
  • On SRX1400, SRX3400, and SRX3600 devices configured in a chassis cluster with an SRX1K3K-NP-2XGE-SFPP card installed, the cold synchronization process might fail on certain SPC cards with the message No response from peer node after 900 tries. PR941845
  • On all SRX Series devices with a large number of next-hop entries, frequent interface flapping might cause the Routing Engine to fail to allocate a next-hop index, causing traffic to drop. PR943388
  • On all branch SRX Series devices, because of a timing issue, the VLAN interface might fail to add security zone information after the RG0 failover. PR944017
  • On SRX5400, SRX5600, and SRX5800 devices with an SRX5K-SPC-4-15-320 (next-generation SPC) installed, the hardware interrupt handler checks the link up or link down status of unused internal ports on the next-generation SPC. This might cause the Control Plane Processor (CPP) to hang, causing all the Flexible PIC Concentrators (FPCs) to reset. PR959655
  • On SRX1400, SRX3400, and SRX3600 devices, high traffic on the fxp0 interface destabilizes the control plane functions. PR962909

Switching

  • On SRX210 devices running in packet mode, when DSCP marking (32 - 63) is on and the destination MAC in the packet header is present in the SRX ARP table, the devices reply to packets that are not destined to them. On devices in a chassis cluster, you must ensure that packets not destined to the SRX210 do not reach the device. PR950486

System Logging

  • On SRX3400 and SRX3600 devices, the following system logs are seen in the messages file:

    sfchip_show_rates_pfe: Fchip Plane 0, dpc 0, pfe <1/2/3>: Invalid dpc

    These system logs do not affect the device. PR738199

  • On SRX5400, SRX5600, and SRX5800 devices, when error-correcting code (ECC) errors occur on IOC or FIOC cards, it is difficult to identify the issue because the error is not logged on the device. PR900617
  • The error OpenSSL: error:14090086:lib(20):func(144):reason(134) means that server certificate verification has failed. The certificate might be a self-signed certificate or an expired certificate. PR932274
  • On all SRX Series devices, the following error message is displayed in system or event logs after you upgrade to Junos OS Release 12.1X47-D10: Can't find ifa on e1-x/0/x.y. This message is harmless, does not affect the E1 interfaces, and can be ignored. PR971503
  • The SNMP walk for the jnxPicType2ASPCXLP object might fail, showing the jnxPicType2ASPCXLP (could not resolve 'jnxPicType2ASPCXLP' to an OID) error message in the logs and returning no information from the device. PR974463

Unified Threat Management (UTM)

  • On all branch SRX Series devices, webpages become unavailable and do not display any content when you enable Sophos antivirus for HTTP traffic. PR906534
  • On all high-end SRX Series devices, EWF logs are not marked with user role information. PR936799
  • On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) option enabled, and the intelligent-prescreening option configured, the chunked packet that only contains chunk-size data without any actual data is recognized as an invalid data packet, and the packet is dropped before it passes to the KAV engine in the KAV HTTP proxy processing. PR937539
  • On all branch SRX Series devices, when the category action is permit, the result is the category site-reputation-action; when the category reputation action is not defined, the result is the global site-reputation action and then the default action. This confusion occurs because the explicit permit action is not applied under the specific category. To resolve this problem, configure the explicit action directly on the category. If you do not configure any action, the global site-reputation action applies next. The category reputation is not used in enhanced Web filtering. PR939352
  • On all high-end SRX Series devices, when you install a license, you might see the message license not valid for this product add license failed. Even though the message appears, the feature still functions normally. In addition, the show system license command does not display the Sophos antivirus, antispam, or Web filtering licenses. PR948347
  • On all branch SRX Series devices, the test security utm anti-virus command for the antivirus feature does not work due to an Invalid argument error message. PR951124
  • On all branch SRX Series devices, when the KAV license expires and a new license is installed, deleting the old license file causes the KAV engine status to change to Not Ready. The deletion event triggers an AV license status update, and the utmd process might conclude that the KAV license is not installed, so the pattern database is unloaded. PR954590
  • On all SRX Series devices with UTM and Sophos antivirus (SAV) service enabled, if source NAT for self-generated traffic is configured, the DNS queries from the UTM SAV service fail with timeouts. PR963978
  • On all high-end SRX Series devices, UTM blacklists and whitelists should work without an EWF license. PR970597

VPN

  • On all SRX Series devices, when IPsec is enabled, AppQoS does not assign egress traffic to the configured forwarding class. PR753762
  • On all SRX Series devices, in site-to-site IPsec VPN deployments using IKEv2, when tunnels are removed through a configuration change, the information is not propagated to the remote peer. Later, when the peer initiates a normal Phase-1 rekey process, the kmd process crashes and core files are generated. PR898198
  • On all SRX Series devices, when a VPN configuration change and an interface configuration change are made in the same commit, or after rebooting the device with VPN and interface configured together, the tunnel sessions created in flowd are missing. This impacts the traffic flow on that tunnel. The invalid bind interface counter returns a nonzero value when you run the show usp ipsec global-stat command. PR928945
  • Certificate-based authentication would fail when the RSA signature from the remote peer used SHA-256 as the message digest algorithm. PR936141
  • On all SRX Series devices configured with IPsec VPN and with VPN monitor enabled, the VPN monitor function triggers a socket leak, which might result in critical issues such as flow SPUs becoming unresponsive. PR940093
  • On all SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link increases. PR941999
  • On all SRX Series devices with multiple proxy-identity (MPID), dead routes are seen while moving the st0 interface from one virtual router to another. PR943577
  • On all branch SRX Series devices configured in a chassis cluster with route-based IPsec VPN enabled, during RG0 failover to the new primary node, if a route-based VPN does not have IPsec SAs associated with the tunnel, then the bind interface (st0) associated with the tunnel is marked down. The interface remains in the down state, causing the VPN traffic to drop. PR944478
  • On all SRX Series devices, after traffic-selector configuration is deleted from the VPN configuration object, the data traffic stops passing through the tunnel. PR944598
  • On SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices, high CPU usage occurs after installing additional SPC cards without a full cluster reboot, when IPsec tunnels carrying SCTP traffic are anchored on the device. PR945162
  • SRX Series devices cannot proceed with automatic certificate reenrollment through SCEP. The certificate validity period is incorrectly calculated during the autorenewal process. Also, when the CRL is downloaded through LDAP, it can be partially received from the CA server and the pkid process goes up. PR946619
  • On all SRX Series devices, when there are more than 100 traffic selectors configured on a VPN configuration object along with configured, established tunnels, if all IPsec SAs for this VPN configuration object are cleared at the same time (because of a configuration change on a peer or the use of the clear operational command), the bind-interface associated with that VPN configuration object might be marked as down. PR947103
  • On all SRX Series devices, in a hub-spoke IPsec VPN scenario, when you commit the static NHTB configuration on the multipoint secure tunnel (st0) interface, the VPN routes might become active even though the VPN tunnel is down. This issue also occurs when you reboot the system with static NHTBs and the related static routes are configured. PR947149
  • On all SRX Series devices configured as a route-based IPsec Dynamic End Point (DEP) VPN node, the VPN tunnel interface st0.x link incorrectly remains up when IPsec Security Association (SA) is not established, even though VPN monitoring or establish-tunnels immediately is configured. PR947552
  • On all SRX Series devices, IPsec VPN packets are dropped in a chassis cluster Z mode when a fragmentation is required. PR956808
  • On all SRX Series devices, any configuration changes to the st0.x interface might delete NHTB entries for unrelated st0 interfaces. PR958190
  • On all SRX Series devices, in some situations, if the CRL server is not reachable, a memory leak might occur and show the kern.maxfiles limit exceeded by uid 0 message in console mode. Hence, the device administrator is not able to log in to the device anymore. PR959194
  • On all SRX Series devices, disabling anti-replay on a policy-based VPN does not take effect immediately but requires the kmd process to be restarted. PR979846
  • On all SRX Series devices, IPsec VPN tunnels could not come up due to unavailability of buffer space. PR985494
  • On all branch SRX Series devices acting as a group VPN member, the KMD_PM_IKE_SERVER_NOT_FOUND message appears repeatedly in the kmd log file after rekey. PR991306

Modified: 2016-11-30