
Known Behavior

 

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 15.1X49-D190.

Authentication and Access Control

  • On SRX Series devices, the TLS 1.0 and TLS 1.1 protocols are blocked because of reported security vulnerabilities. This change might affect users who access J-Web or the Web authentication GUI, or who use Dynamic VPN through the Pulse client, from an older OS or an earlier browser version that does not support the TLSv1.2 protocol. This change affects Junos OS Release 12.3X48-D55, 15.1X49-D100, and later Junos OS releases for SRX Series. PR1283812

Chassis Clustering

  • On SRX550M devices in a chassis cluster, traffic loss for about 10 seconds is seen when there is power failure on the active chassis cluster node. PR1195025

  • On all SRX Series branch devices, if you enable IP monitoring for redundancy groups, the feature might not work properly on the secondary node if the reth interface has more than one physical interface configured. This is because the backup node sends traffic using the MAC address of the lowest port in the bundle. If the reply does not come back on the same physical port, the internal switch drops it. PR1344173

  • For HA cold synchronization, the GTP-U session is synchronized to the secondary device before the GTP-U tunnel. As a result, the GTP-U tunnel cannot be linked with the corresponding GTP-U flow session, and the GTP-U tunnel is not refreshed by GTP-U traffic until new sessions are created. If old sessions do not age out on the primary device, all GTP-U traffic will go through fast path and no session creation events are triggered. Then, after the GTP-U timeout period, the tunnels on the secondary device will be aged out earlier. PR1353791

Flow-Based and Packet-Based Processing

  • On SRX Series devices, the show arp command displays all the ARP entries learned from all interfaces. When Layer 2 global mode is switching, the ARP entries learned from the IRB interface can show only one specific VLAN member port instead of the actual VLAN port learned in the ARP entries. PR1180949

  • On SRX1500 devices configured in Ethernet switching mode, a few MAC entries might still be displayed in the output of the show ethernet-switching table command even after the age-out time has passed for all MAC addresses. This issue is applicable only when the number of MAC learning table entries is equal to or more than 17,000 MAC entries. PR1194667

  • On SRX300, SRX320, SRX340, and SRX345 devices, you cannot launch the setup wizard after using the reset configuration button when the device is in Layer 2 transparent mode. You can launch the setup wizard by using the reset configuration button on the device when the device is in switching mode. PR1206189

  • On SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices, VPLS traffic forwarding stops working after enabling Ethernet-switching configuration. VPLS and Ethernet-switching must not be configured together on the same device. It is recommended to avoid using an Ethernet-switching configuration on these platforms when VPLS is enabled. PR1214803

  • On SRX345 and SRX550M devices, frames carried with a priority bit on the Tag Protocol Identifier (TPID) are lost when the packet passes through with Layer 2 forwarding. PR1229021

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, after a certain period of enabling dot1x, multiple first-message EAP frames with the same timestamp are transmitted. However, this does not affect any dot1x functionality. PR1245325

  • On SRX Series devices, if advanced anti-malware (AAMW) service is enabled and SMTP is configured in the AAMW policy with fallback permission enabled, a file submission timeout error might occur under long network latency between the devices and AWS running the Juniper Sky ATP service. When the timeout error is sent, there is a possibility that the e-mail sent from Outlook might stay in the outbox of the sender, and the receiver might not receive the e-mail. PR1254088

  • A modem profile is not active until a profile is defined. You need to define a profile before selecting a profile. PR1254427

  • A FIPS core file is generated when you perform a firmware upgrade or downgrade. In Junos OS FIPS mode, the file integrity checking application veriexec treats the new updated firmware file as a corrupted Junos OS file. PR1268240

  • On SRX Series devices, AAMW established sessions always use the configured AAMW parameters at the time of session establishment. Configuration changes do not retroactively affect the already established sessions. For example, a session established when the verdict threshold is 5 always has 5 as the threshold even if the verdict threshold changes to other values during the session lifetime. PR1270751

  • On SRX Series devices, OSPF-over-GRE-over IPsec is not supported on a device with a standalone central point. PR1274667

  • On SRX Series devices, firewall authentication cannot retrieve domain information from the access profile configuration, because the firewall authentication does not push user domain information to the Juniper Identity Management Service server if the user authenticates through web-authentication, pass-through, or web-redirect with an LDAP access profile. PR1281063

  • The user-firewall process useridd keeps retrying the connection to the AD server when it fails to connect to the server. This makes useridd unable to handle other messages. Therefore, the administrator must remove or deactivate any unused or incorrect user-firewall configuration. PR1307851

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, using an SFP-T module can cause an early linkup on connecting a device during the boot process. PR1314167

  • FTP using Microsoft NLB does not work correctly in transparent mode. PR1341446

  • The SRX Series devices do not get the built-in domain computers group for the new computers added to the domain. PR1361512

  • The interface cannot come up when you change from 10m to 100m while using a crossover cable. PR1387978

  • When using advanced, application-based multipath routing, the sender sequences packets in order and delivers them to the receiver. If the receiver receives the packets out of order, then in the current release it is designed to drop the packets. Because IPsec may reorder the packets coming out of the sender for fragmented packets, they may be dropped at the receiver. PR1403584

Interfaces and Chassis

  • On SRX1500 devices, when a 1-Gigabit Ethernet SFP-T is used on 1-Gigabit Ethernet SFP ports (ge-0/0/12 to ge-0/0/15), the ge interface does not operate at 100-Mbps speed. PR1133384

  • On SRX Series devices, after the user changes some interface configuration, a reboot warning message might appear. The warning message is triggered only when the configuration of the interface mode is changing from route mode to switch or mixed mode. This is a configuration-related warning message, so it might not reflect the current running state of the interface mode. PR1165345

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, the current Ethernet switching MAC aging uses software to age out bulk learned MAC addresses. You cannot age out a specific MAC address learned at a specific time immediately after the configured age. Theoretically, the MAC address might age out close to two times the configured age-out time. PR1179089

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, use logical tunnel interface lt-0/0/0 as the destination interface option for an RPM probe-server on the device. PR1257502

J-Web

  • On SRX550M and SRX1500 devices, there is no option to configure Layer 2 firewall filters from J-Web, irrespective of the device mode. PR1138333

  • On SRX Series devices in a chassis cluster, if you want to use J-Web to configure and commit the configurations, you must ensure that all other user sessions are logged out, including any CLI sessions. Otherwise, the configurations might fail. PR1140019

  • On SRX1500 devices in J-Web, snapshot functionality Maintain>Snapshot>Target Media>Disk>Click Snap Shot is not supported. PR1204587

  • On SRX Series devices, you cannot create profiles for CL-1/0/0 using J-Web and the CLI. The error message interface not found is displayed. We recommend using only one LTE mPIM in the supported devices. PR1262543

  • On SRX Series devices, if you log in to J-Web, navigate to Monitor>Services>DHCP>DHCP Relay, and click the Help page icon, the Online Help page displays a 404 error message. PR1267751

  • On SRX Series devices, adding 2000 global addresses at a time to the SSL proxy profile exempted addresses can cause the webpage to become unresponsive. PR1278087

  • On SRX Series devices, you cannot view the custom log files created for event logging in J-Web. PR1280857

  • On SRX Series devices running Junos OS Release 15.1X49-D90 and earlier releases, J-Web often does not display locally saved IDP logs. PR1336341

Platform and Infrastructure

  • On SRX5800 devices, if the system service REST API is added to the configuration, even though the commit can be completed, all the configuration changes in this commit will not take effect. This occurs because the REST API daemon fails to come up and the interface IP address is not available during bootup. The configuration is not read on the Routing Engine side. PR1123304

  • On SRX5400, SRX5600, and SRX5800 devices, in a central point architecture, system logs are sent per second per SPU. Hence, the number of SPUs defines the number of system logs per second. PR1126885

  • On SRX5800 devices, if a global SOF policy (all session service-offload) is enabled, the connections per second will be impacted due to IOC2 limitation. We recommend using an IOC3 card if more sessions are required for SOF, or lowering the SOF session amount to make sure the IOC2 is capable of handling it. PR1121262

  • On SRX4100 and SRX4200 devices, although the CLI is configurable, the following features are not supported: Group VPN, VPN Suite B, and encrypted control links when in chassis cluster. PR1214410

  • On all SRX Series devices, when using event mode logging, some AppTrack log messages may be lost in case of heavy logging. The reason is that the Packet Forwarding Engine may send the messages in batches, overflowing the log buffer on the Routing Engine. The log buffer has been increased as a mitigation, but on rare occasions some log messages may still be dropped. PR1133757

  • On SRX550M devices using Junos OS Release 12.1X49-D30 for the enhanced Web filtering feature, performance drop is observed. PR1138189

  • When a third-party certificate chain that contains at least one intermediate CA certificate is used for the Web authentication redirect page, for the HTTP REST API, or for J-Web access, the SRX Series device does not send the intermediate certificate to the client. PR1408921

  • On SRX1500 devices, when CPU usage is very high (above 95 percent), there is a possibility that the connection between the AAMW process and PKI daemon can break. In this case, the AAMW process remains in initializing state until that connection is established. PR1142380

  • On SRX1500 devices, after you change the revocation configuration of a CA profile, the change cannot be populated to the SSL-I revocation check. It is recommended to change SSL-I configuration to enable or disable certificate revocation list (CRL) checking instead of CA-profile configuration. PR1143462

  • On SRX1500 devices in a chassis cluster with Juniper Sky Advanced Threat Prevention (ATP) solution deployed, if you disable and then reenable CRL checking of certificate validity, the system does not reenable CRL checking. PR1144280

  • On SRX340 and SRX345 devices, half-duplex mode is not supported. PR1149904

  • On SRX5400 devices, if a username or group name contains the following characters * (ASCII 0x2a), ( (ASCII 0x28), ) (ASCII 0x29), \ (ASCII 0x5c), and NUL (ASCII 0x00), the query from the device to the LDAP server will time out and might lead to high CPU utilization. PR1157073

  • SRX320 PoE devices do not support LLDP from Junos OS Release 15.1X49-D170 onward. PR1438467
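
The character check implied by PR1157073 above, as an added example that is not part of the Juniper release notes: it scans user and group names for the five listed characters (`*`, `(`, `)`, `\` and NUL, which are also the characters RFC 4515 requires to be escaped in LDAP search filter values) so that affected directory entries can be found ahead of time. The sample names and the function names are constructed for illustration.

```python
# Added example: audit user/group names for the characters listed in PR1157073.
# SAMPLE_NAMES is constructed sample data, not taken from any real directory.

# Characters named in the release note, keyed to their ASCII codes.
PROBLEM_CHARS = {
    "*": 0x2A,
    "(": 0x28,
    ")": 0x29,
    "\\": 0x5C,
    "\x00": 0x00,
}


def find_problem_chars(name):
    """Return [(index, char, ascii_code)] for each listed character in name."""
    return [(i, ch, PROBLEM_CHARS[ch]) for i, ch in enumerate(name) if ch in PROBLEM_CHARS]


def rfc4515_escape(name):
    """Escape the five characters the way RFC 4515 requires in a filter value.

    Shown for reference only; the release note does not say that escaping
    avoids the timeout on the device.
    """
    return "".join("\\%02x" % PROBLEM_CHARS[ch] if ch in PROBLEM_CHARS else ch for ch in name)


def audit(names):
    """Map each affected name to its findings and its RFC 4515 escaped form."""
    report = {}
    for name in names:
        hits = find_problem_chars(name)
        if hits:
            report[name] = {"hits": hits, "escaped": rfc4515_escape(name)}
    return report


SAMPLE_NAMES = ["alice", "ops(night)", "dev*", "corp\\svc-backup", "bad\x00name", "Domain Users"]

if __name__ == "__main__":
    for name, info in audit(SAMPLE_NAMES).items():
        codes = ", ".join("0x%02x at index %d" % (code, i) for i, _, code in info["hits"])
        print("%r: %s -> %r" % (name, codes, info["escaped"]))
```
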

Unified Threat Management (UTM)

  • On SRX Series devices with Sophos Antivirus (SAV) configured, some files that have size larger than the max-content-size might not go into fallback state. This may occur when a protocol does not predeclare the content size. PR1005086

VPNs

  • On SRX Series devices, if an IPsec VPN tunnel is established using IKEv2, due to bad SPI, packet drop might be observed during CHILD_SA rekey when the device is the responder for this rekey. PR1129903

  • On SRX Series devices, an IPsec VPN tunnel which uses a PPPoE interface as the external interface will fail after RG0 failover. PR1143955

  • On SRX5400, SRX5600, and SRX5800 devices, when CoS is enabled on the st0 interface and the incoming traffic rate destined for the st0 interface is higher than 3,00,000 packets per second (pps) per SPU, the device might drop some of the high priority packets internally and shaping of outgoing traffic might be impacted. It is recommended you configure an appropriate policer on the ingress interface to limit the traffic below 3,00,000 pps per SPU. PR1239021

  • Packets might be dropped in the SD-WAN use case if there is no IPsec configured (for example, IP over MPLS over GRE) in HA Z mode. The issue is not seen if IPsec is configured (IP over MPLS over GRE over IPsec) or in chassis cluster active/passive mode. PR1415343