Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Known Behavior


This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 12.3X48.

Authentication and Access Control

  • The maximum total group length in an LDAP response is 256 bytes. PR1195365

Chassis Clustering

  • In rare situations, RG1+ failover due to the failure of an FPC or SPU might trigger MAC move protection on the neighboring switch. PR1333505

  • IP monitoring for redundancy groups might not work on the secondary node if the reth interface has more than one physical interface configured. This is because the backup node sends traffic using the MAC address of the lowest port in the bundle. If the reply does not come back on the same physical port, then the internal switch drops the traffic. PR1344173

Class of Service (CoS)

  • On SRX240 devices, some queues might not get enough packets when the traffic is high. PR1061350

Flow-Based and Packet-Based Processing

  • Packets are dropped for the initial 15 seconds after the GRE tunnel is brought up over the VDSL interface. PR821330

  • When you configure the TCP connections of the system log stream with a value greater than 1 (for example, a value of 3), the redundancy group’s failover clears the log connections and re-creates the TCP log connections. The value of the TCP connections is decremented, and the value is reduced to 2. PR1038113

  • On SRX5400, SRX5600, and SRX5800 devices, network processor offloading and UTM cannot coexist. Network processor offloading is disabled automatically if UTM is enabled. PR1059527

  • On SRX5400, SRX5600, and SRX5800 devices, packets go out of order when the device merges the prefragmented IPv6 packets and then fragments the merged IPv6 packets. PR1090550

  • On SRX Series devices, Z-mode RT logs are not supported on chassis clusters that are running in active/active mode. PR1325609

  • In an SRX Series chassis cluster set up with dual control links, if the primary control link flaps continuously for an extended duration, then the cluster might go into an unstable state. This can happen even if the secondary control link is configured and stable. PR1338773

  • The dynamic address feed name must be shorter than 32 bytes. PR1353681

  • SRX220 and SRX240 devices show that a license is added successfully with a colon (:) in the output of the request system license add command, even if no license key is entered. PR1388155

Forwarding and Sampling

  • On SRX Series devices running Junos OS Release 12.3, configuration file archival through transfer-on-commit does not work with the SFTP URL. PR1372024

Network Management and Monitoring

  • On SRX Series devices, when a GRE tunnel is configured over a physical interface that has rpf-check configured, traffic destined for the IP address of the GRE tunnel is dropped because reverse path forwarding fails. As a workaround, configure the rpf-check mode loose on the underlying physical interface instead of the default rpf-check. PR1288342

  • On SRX Series devices, when BGP route change happens on a large scale, the devices trigger a protective scheme on the entire system to avoid the generation of core files. As a result, packets passing through SRX Series devices are dropped for a short period of time. PR1418179

Platform and Infrastructure

  • When interface monitoring is enabled, the PPPoE interface becomes inactive after the reth interface is disabled. PR1060590

Unified Threat Management (UTM)

  • On SRX Series devices, wildcards behave differently starting from Junos OS Release 12.1X47. PR1270382


  • On SRX Series devices, if an IPsec VPN tunnel is established using IKEv2, due to a bad SPI, packets might be dropped during CHILD_SA rekey when the device is the responder for this rekey. As a workaround, to ensure that the SRX Series devices are always the initiator for CHILD_SA rekey, set the lifetime-seconds to a lower value than it is set on the remote peer. The lifetime can be set under [edit security ipsec proposal]. PR1129903