Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Known Issues


This section lists the known issues in hardware and software in Junos OS Release 12.3X48-D105.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • When you disable the services offloading feature, a warning message is displayed that the device is not rebooted. PR748673

  • When an FI: Cell underflow or FI: Aliasing on allocates error occurs, the system logs the error messages but does not raise a CMERROR alarm. PR1076299

  • On SRX Series devices, in an IPv6 VRRP scenario, when a host sends router solicitation messages to the VRRP virtual IPv6 address, the VRRP master replies with router advertisement messages with the physical MAC address instead of the virtual MAC address. The secondary VRRP device replies to the router advertisement messages with a physical MAC address. As a result, the host has two default gateways installed and sends traffic directly to two devices but not to the VRRP virtual IP address. This issue affects VRRP function and traffic. PR1108366

  • On vSRX, SRX1500, SRX4K, ACX5K, EX4600, QFX5100, QFX5110, QFX5200, QFX10,000 line of devices and NFX Series, when the user uses console management port to authenticate, the credentials used during device authentication are written to a log file in clear text. Refer to for more information. PR1290331

  • On SRX Series devices, in an SSL proxy scenario, if Transport Layer Security (TLS) packets contain an Application-Layer Protocol Negotiation (ALPN) extension (RFC 7301), the ALPN extension is removed by the SSL proxy, resulting in negotiation failure of the application-layer protocol (for example, HTTP/2). PR1360820

  • When a commit is performed twice in succession, you might see a warning for the Enhanced Web Filtering (EWF) license if EWF is configured and a valid license is applied. PR1362880

  • On SRX3000 line of devices with chassis cluster, when a node joins the chassis cluster, a very small amount of packet drop might occur on the active node during 100 msec. PR1373545

  • VPN tunnels flap after a group is added or deleted in edit private mode on a clustered setup. PR1390831

  • SRX Series devices cannot obtain a global IPv6 address through DHCPv6 when using a PPPoE interface with a logical unit number greater than 0. PR1402066

  • The PKI keys exported using the command run request security pki key-pair export on Junos OS might have insecure file permissions. This might allow another user on the Junos OS device with shell access to read them. PR1419515

  • On SRX5400, SRX5600, and SRX5800 devices with high availability (HA) in Z mode, a session might be in the backup state on both nodes (the expected working state is active/backup instead of backup/backup) if the corresponding route to the session is out of sync between notes in a rare case. As a result, the fragmented traffic for the session gets looped on the fabric (fab) interface between the nodes. PR1465100

Interfaces and Chassis

  • When more than 200 Virtual Router Redundancy Protocol (VRRP) groups are configured, the CPU of the Routing Engine becomes very busy, and the show vrrp command fails to run, leading to a timeout error message. As a workaround, increasing the advertisement interval of the VRRP protocol data unit (PDU) can reduce the pressure on the CPU of the Routing Engine. PR1054359

Platform and Infrastructure

  • On SRX Series devices running FreeBSD 6-based Junos OS software, when a USB flash device with a mounted file system is physically detached by a user, the system might panic. The issue is resolved with FreeBSD 10 and later (Upgraded FreeBSD). PR695780

  • When you use multicast with more than 600 copies of a multicast packet for a multicast group, the flowd process might crash while committing a change of multicast configuration. PR986592

  • On SRX Series devices, mgd core files are generated during RPC communication between the SRX Series device and Junos Space or Junos OS CLI if the % symbol is present in the description or annotation. PR1287239

  • Datapath debugging allows commits that have a missing configuration. PR1295796

  • On the SRX5000 line of devices, the em-interface is an internal interface. If the em-interface goes down, the control link is lost, and the SRX Series cluster has an abnormal status. PR1342362

  • The PICs might go offline and a split-brain scenario might be seen when interrupt storm happens on the internal Ethernet interface em0 or em1. PR1429181

  • On the SRX5000 line of devices running Junos OS Release 12.3X48, in rare cases the request system software delete-backup command does not actually delete the old Junos OS package. As a workaround, you can manually delete the old Junos OS package at /cf/packages/. PR1484228

Routing Policy and Firewall Filters

  • In a rare case, a specific domain is not resolved by the SRX Series devices when using the DNS address book. This is because the DNS library resolver fails to identify the pointer with a big offset in the compressed DNS name. PR1471408

  • On SRX Series devices that have a security policy counter deployed, the count option in the security policy might not work. As a result, issuing show security policies <> detail might not print traffic statistics for the security policy. PR1471621

Routing Protocols

  • In rare cases, when one node has been upgraded and failover is complete, the ppmd process might lose connection to the new master. This can lead to the generation of a ppmd core file. PR1347277

  • On all platforms running Junos OS, an internal route leak might occur between routing instances. If when both instance import and instance export policies contain as-path-prepend actions. If this as-path is referred to some route, the rpd process might stop a change or delete an operation on the route (clearing BGP neighborship, changing BGP or policy configuration, and so on). PR1471968

User Interface and Configuration

  • On SRX Series devices, under certain conditions, if the configurations of the interface and security zone are not synchronized between the Routing Engine and the Packet Forwarding Engine, the interfaces might be bound to the NULL security zone. As a result, the network security (nsd) process might stop. PR1000309


  • In a dynamic VPN setup, when Pulse Secure clients are connected to the device, the clients are authenticated successfully and they receive IP address information from the device. However, the clients do not receive the secondary DNS information even though the secondary DNS information is configured on the device. PR1016125

  • On SRX Series devices, when you change a data plane redundancy group number from one value to another (for example, from RG1 to RG4), traffic outage might occur. PR1302846

  • On all SRX Series devices, if there is a period (.) in the configured CA profile name, the PKI daemon runs into issues after a device restart or a pki-service restart, causing PKI daemon related issues such as CRL download failure. PR1351727