Known Behavior
This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 15.1X49-D210.
Authentication and Access Control
On SRX Series devices, TLS version 1.0 and TLS version 1.1 SSL protocols are blocked because of reported security vulnerabilities. This change might affect users accessing J-Web or the Web authentication GUI, or using dynamic VPN through the Pulse client when using an older version of Junos OS or older versions of browsers that do not support the TLS version 1.2 protocol. This change affects Junos OS Release 15.1X49-D100 and later releases. PR1283812
On SRX4100, SRX4200, SRX4600, and vSRX and SPC3 platforms, bandwidth policers might cause low throughput when processing high-rate multiflow traffic. PR1459936
Chassis Clustering
In a chassis cluster setup on SRX550M devices, traffic loss for about 10 seconds is observed when there is a power failure on the active chassis cluster node. PR1195025
IP monitoring for redundancy groups might not work on the secondary node if the reth interface has more than one physical interface configured. This is because the backup node sends traffic using the MAC address of the lowest port in the bundle. If the reply does not come back on the same physical port, then the internal switch drops the traffic. PR1344173
During chassis cluster cold synchronization, the GTP-U session is synchronized to the secondary device before the GTP-U tunnel. As a result, the GTP-U tunnel cannot be linked with the corresponding GTP-U flow session, and the GTP-U tunnel is not refreshed by GTP-U traffic until new sessions are created. If old sessions do not age out on the primary device, all GTP-U traffic goes through fast path and no session creation events are triggered. Then, after the GTP-U timeout period, the tunnels on the secondary device also age out earlier. PR1353791
Flow-Based and Packet-Based Processing
On SRX Series devices, the show arp command displays all the ARP entries learned from all interfaces. While switching to the Layer 2 global mode, the ARP entries learned from the IRB interface show only one specific VLAN member port instead of the actual VLAN port learned in the ARP entries. PR1180949
On SRX1500 devices configured in Ethernet switching mode, a few MAC entries might still be displayed in the output of the show ethernet-switching table command even after the age-out time has passed for all MAC addresses. This issue occurs only when the number of MAC learning table entries is 17,000 MAC entries or more. PR1194667
On SRX300, SRX320, SRX340, and SRX345 devices, you cannot launch the setup wizard by using the reset configuration button when the device is in Layer 2 transparent mode. You can launch the setup wizard by using the reset configuration button on the device only when the device is in switching mode. PR1206189
On SRX300, SRX320, SRX340, SRX345, and SRX1500 devices, the vSRX 2.0 command set system internet-options tcp-mss does not work in Junos OS Release 15.1X49. PR1213775
On SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices, VPLS and Ethernet switching must not be configured together on the same device. We recommend that you avoid using an Ethernet-switching configuration on these platforms when VPLS is enabled. PR1214803
On SRX345 and SRX550M devices, frames carried with a priority bit on the Tag Protocol Identifier (TPID) are lost when the packet passes through with Layer 2 forwarding. PR1229021
On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, after a certain period of enabling dot1x, multiple first-message EAP frames with the same timestamp are transmitted. This does not affect any dot1x functionality. PR1245325
On SRX Series devices, if advanced anti-malware (AAMW) service is enabled, SMTP is configured in the AAMW policy with fallback permission enabled under the long network latency between the devices, and AWS is running Juniper Sky ATP service, file submission timeout error might occur. When sending the timeout error, the e-mail sent from Outlook might remain in the outbox of the sender, and the recipient might not receive the e-mail. PR1254088
A modem profile is not active until the profile is defined. You need to define a profile before selecting the profile. PR1254427
A FIPS core file is generated when you perform a firmware upgrade or downgrade. In Junos OS FIPS mode, the file integrity checking application veriexec treats the new updated firmware file as a corrupted Junos OS file. PR1268240
On SRX Series devices, AAMW established sessions always use the configured AAMW parameters that exist at the time of session establishment. Configuration changes do not retroactively affect the already established sessions. For example, a session established when the verdict threshold is 5 always has 5 as the threshold even if the verdict threshold changes to other values during the session lifetime. PR1270751
On SRX Series devices, OSPF over GRE running on IPsec is not supported on a device with a standalone central point. PR1274667
On SRX Series devices, firewall authentication cannot retrieve domain information from the access profile configuration because firewall authentication does not push user domain information to the Juniper Identity Management Service server if the user authenticates through web-authentication, pass-through, or web-redirect with an LDAP access profile. PR1281063
The user firewall process useridd repeatedly attempts to reconnect to the AD server when the connection fails. Consequently, useridd is unable to handle other messages. You (the administrator) must remove or deactivate unused or incorrect user firewall configurations. PR1307851
On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, using an SFP-T module can cause an early linkup if you connect a device during the boot process. PR1314167
Packet reorder occurs on the traffic received on the PPP interface. PR1340417
FTP using Microsoft NLB does not work correctly in transparent mode. PR1341446
Primary group-domain computers are not supported by the user firewall integration. PR1361512
When using a crossover cable, the interfaces are down when there is a change from 10 million to 100 million. PR1387978
When using advanced, application-based, multipath routing, the sender sequences packets in order and delivers the packets to the receiver. If the receiver receives the packets out of order, then in Junos OS Release 15.1X49-D200 and later, the packets are dropped. Since IPsec might reorder the packets coming from the sender for fragmented packets, packets might get dropped at the receiver. PR1403584
Packets might be dropped in an SD-WAN use case if IPsec is not configured (for example, IP over MPLS over GRE) in HA Z mode. This issue does not occur if IPsec is configured (IP over MPLS over GRE over IPsec) or in chassis cluster active/passive mode. PR1415343
On all SRX Series devices, when a flow containing fragmented IP packets passes through the firewall of an SRX Series device, if the same IP ID value is used by two different fragmented packets within 2 seconds, the second fragmented IP packet is dropped. PR1482074
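To locate traffic affected by the IP ID behavior described in PR1482074, the following added example (not Juniper code) scans fragment records taken from a packet capture and reports each reuse of an IP ID inside the 2-second window. The record layout, the flow key (source, destination, protocol, IP ID), and the rule that an offset-0 fragment starts a new packet are assumptions made for the example.

```python
from collections import namedtuple

# One record per captured IP fragment: time in seconds, addresses, protocol
# number, IP ID, fragment offset (8-byte units), more-fragments flag.
Frag = namedtuple("Frag", "t src dst proto ip_id offset mf")

REUSE_WINDOW = 2.0  # seconds, the window stated in the release note

# Constructed sample data, not taken from a real capture.
SAMPLE = [
    Frag(0.00, "10.0.0.1", "10.0.0.2", 17, 0x1A2B, 0, True),
    Frag(0.00, "10.0.0.1", "10.0.0.2", 17, 0x1A2B, 185, False),
    Frag(0.90, "10.0.0.1", "10.0.0.2", 17, 0x1A2B, 0, True),   # same ID, 0.9 s later
    Frag(0.90, "10.0.0.1", "10.0.0.2", 17, 0x1A2B, 185, False),
    Frag(1.00, "10.0.0.1", "10.0.0.2", 17, 0x1A2C, 0, True),   # different ID
    Frag(5.00, "10.0.0.1", "10.0.0.2", 17, 0x1A2B, 0, True),   # same ID, 4.1 s later
]


def find_ip_id_reuse(frags, window=REUSE_WINDOW):
    """Return (flow_key, earlier_t, later_t) for every fragmented packet whose
    IP ID was already used by an earlier fragmented packet of the same flow
    less than `window` seconds before.

    Assumption: a fragment with offset 0 and the MF flag set marks the start
    of a new fragmented packet; later fragments of that packet share its ID.
    """
    last_start = {}  # flow key -> start time of the most recent packet
    hits = []
    for f in sorted(frags, key=lambda rec: rec.t):
        is_first_fragment = f.offset == 0 and f.mf
        if not is_first_fragment:
            continue  # unfragmented packet or a non-first fragment
        key = (f.src, f.dst, f.proto, f.ip_id)
        prev = last_start.get(key)
        if prev is not None and f.t - prev < window:
            hits.append((key, prev, f.t))
        last_start[key] = f.t
    return hits


if __name__ == "__main__":
    for key, earlier, later in find_ip_id_reuse(SAMPLE):
        print(f"IP ID 0x{key[3]:04x} {key[0]} -> {key[1]} reused after "
              f"{later - earlier:.2f} s; second packet is at risk of being dropped")
```
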
Interfaces and Chassis
On SRX1500 devices, when a 1-Gigabit Ethernet SFP-T is used on 1-Gigabit Ethernet SFP ports (ge-0/0/12 to ge-0/0/15), the ge interface does not operate at 100-Mbps speed. PR1133384
On SRX Series devices, after the user changes some interface configurations, a reboot warning message might appear. The warning message is triggered only when the configuration of the interface mode is changed from route mode to switch or mixed mode. This is a configuration-related warning message, so it might not reflect the current running state of the interface mode. PR1165345
On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, the current Ethernet switching MAC aging uses software to age out MAC addresses learned in bulk. You cannot age out a specific MAC address learned at a specific time immediately after the configured age. The MAC address might age out close to two times the configured age-out time. PR1179089
On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, use logical tunnel interface lt-0/0/0 as the destination interface option for an RPM probe-server on the device. PR1257502
J-Web
On SRX550M and SRX1500 devices, there is no option to configure Layer 2 firewall filters from J-Web, irrespective of the device mode. PR1138333
On SRX Series devices in a chassis cluster, if you want to use J-Web to configure and commit configurations, you must ensure that all other user sessions are logged out, including any CLI sessions. Otherwise, the configurations might fail. PR1140019
On SRX1500 devices in J-Web, the snapshot functionality Maintain>Snapshot>Target Media>Disk>Click Snap Shot is not supported. PR1204587
On SRX Series devices, you cannot create profiles for CL-1/0/0 using J-Web and the CLI. The error message interface not found is displayed. We recommend using only one LTE Mini-PIM in the supported devices. PR1262543
On SRX Series devices, when you log in to J-Web, navigate to Monitor>Services>DHCP>DHCP Relay, and click the Help page icon, the Online Help page displays a 404 error message. PR1267751
On SRX Series devices, adding 2000 global addresses at a time to the SSL proxy profile exempted addresses can cause the webpage to become unresponsive. PR1278087
On SRX Series devices, you cannot view the custom log files created for event logging in J-Web. PR1280857
On SRX Series devices running Junos OS Release 15.1X49-D90 and earlier releases, J-Web often does not display the IPD log that is locally saved. PR1336341
On SRX Series devices using Junos OS Release 15.1X49, J-Web operation does not reset the idle time in the output of the show system users command. PR1445779
Platform and Infrastructure
On SRX5800 devices, if a global SOF policy (all session service-offload) is enabled, the connections per second are impacted due to an IOC2 limitation. We recommend using an IOC3 card if more sessions are required for SOF, or lowering the SOF session amount to ensure that IOC2 is capable of handling it. PR1121262
On SRX5800 devices, if the system service REST API is added to the configuration, even though the commit can be completed, all the configuration changes in this commit do not take effect. This occurs because the REST API daemon fails to come up, and the interface IP address is not available during bootup. The configuration is not read on the Routing Engine side. PR1123304
On SRX5400, SRX5600, and SRX5800 devices, in a central point architecture, system logs are sent per second per SPU. Hence, the number of SPUs defines the number of system logs per second. PR1126885
On all SRX Series devices, when using event mode logging, some AppTrack log messages might be lost in case of heavy logging. The reason is that the Packet Forwarding Engine might send the messages in batches, overflowing the log buffer on the Routing Engine. The log buffer has been increased as a mitigation, but in rare instances, some log messages might still be dropped. PR1133757
On SRX1500 devices, when CPU usage is very high (above 95 percent), the connection between the AAMW process and PKI daemon might break. In this case, the AAMW process remains in initializing state until that connection is established. PR1142380
On SRX1500 devices, after you change the revocation configuration of a CA profile, the change cannot be populated to the SSL-I revocation check. We recommend that you change SSL-I configuration to enable or disable certificate revocation list (CRL) checking instead of CA profile configuration. PR1143462
On SRX1500 devices in a chassis cluster with Juniper Sky Advanced Threat Prevention (ATP) solution deployed, if you disable and then reenable CRL checking of certificate validity, the system does not reenable CRL checking. PR1144280
On SRX340 and SRX345 devices, half-duplex mode is not supported. PR1149904
On SRX5400 devices, if a username or group name contains the following characters * (ASCII 0x2a), ( (ASCII 0x28), ) (ASCII 0x29), \ (ASCII 0x5c) and NUL (ASCII 0x00), the query from the device to the LDAP server times out and might lead to high CPU utilization. PR1157073
On SRX300 and SRX320 devices, link mode cannot be set to half-duplex mode on internal small form-factor pluggable (SFP) ports. PR1165259
On SRX4100 and SRX4200 devices, although the CLI is configurable, the following features are not supported: Group VPN, VPN Suite B, and encrypted control links when in chassis cluster. PR1214410
When a third-party certificate chain that contains at least one intermediate CA certificate is used for the Web authentication redirect page, for the HTTP REST API, or for J-Web access, the SRX Series device does not send the intermediate certificate to the client. PR1408921
SRX320 PoE devices do not support LLDP from Junos OS Release 15.1X49-D170 onward. PR1438467
Unified Threat Management (UTM)
On SRX Series devices with Sophos Antivirus (SAV) configured, some files that have size larger than the max-content-size might not go into fallback state. This might occur when a protocol does not predeclare the content size. PR1005086
On SRX550M devices using Junos OS Release 12.1X49-D30 for the enhanced Web filtering feature, performance drop is observed. PR1138189
VPNs
On SRX Series devices, if an IPsec VPN tunnel is established using IKEv2, due to bad SPI, packet drop might be observed during CHILD_SA rekey when the device is the responder for this rekey. PR1129903
On SRX Series devices, an IPsec VPN tunnel that uses a PPPoE interface as the external interface fails after RG0 failover. PR1143955
On SRX5400, SRX5600, and SRX5800 devices, when CoS is enabled on the st0 interface and the incoming traffic rate destined for the st0 interface is higher than 3,00,000 packets per second (pps) per SPU, the device might drop some of the high-priority packets internally and shaping of outgoing traffic might be impacted. We recommend that you configure an appropriate policer on the ingress interface to limit the traffic below 3,00,000 pps per SPU. PR1239021