Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Known Behavior


This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 15.1X49-D210.

Authentication and Access Control

  • On SRX Series devices, TLS version 1.0 and TLS version 1.1 SSL protocols are blocked because of reported security vulnerabilities. This change might affect users accessing J-Web or the Web authentication GUI, or using dynamic VPN through the Pulse client when using an older version of Junos OS or older versions of browsers that do not support the TLS version 1.2 protocol. This change affects Junos OS Release 15.1X49-D100 and later releases. PR1283812

  • On SRX4100, SRX4200, SRX4600, and vSRX and SPC3 platforms, bandwidth policers might cause low throughput when processing high-rate multiflow traffic. PR1459936

Chassis Clustering

  • In a chassis cluster setup on SRX550M devices, traffic loss for about 10 seconds is observed when there is a power failure on the active chassis cluster node. PR1195025

  • IP monitoring for redundancy groups might not work on the secondary node if the reth interface has more than one physical interface configured. This is because the backup node sends traffic using the MAC address of the lowest port in the bundle. If the reply does not come back on the same physical port, then the internal switch drops the traffic. PR1344173

  • During chassis cluster cold synchronization, the GTP-U session is synchronized to the secondary device before the GTP-U tunnel. As a result, the GTP-U tunnel cannot be linked with the corresponding GTP-U flow session, and the GTP-U tunnel is not refreshed by GTP-U traffic until new sessions are created. If old sessions do not age out on the primary device, all GTP-U traffic goes through fast path and no session creation events are triggered. Then, after the GTP-U timeout period, the tunnels on the secondary device also age out earlier. PR1353791

Flow-Based and Packet-Based Processing

  • On SRX Series devices, the show arp command displays all the ARP entries learned from all interfaces. While switching to the Layer 2 global mode, the ARP entries learned from the IRB interface show only one specific VLAN member port instead of the actual VLAN port learned in the ARP entries. PR1180949

  • On SRX1500 devices configured in Ethernet switching mode, a few MAC entries might still be displayed in the output of the show ethernet-switching table command even after the age-out time has passed for all MAC addresses. This issue occurs only when the number of MAC learning table entries is 17,000 MAC entries or more. PR1194667

  • On SRX300, SRX320, SRX340, and SRX345 devices, you cannot launch the setup wizard by using the reset configuration button when the device is in Layer 2 transparent mode. You can launch the setup wizard by using the reset configuration button on the device only when the device is in switching mode. PR1206189

  • On SRX300, SRX320, SRX340, SRX345, and SRX1500 devices, the vSRX 2.0 command set system internet-options tcp-mss does not work in Junos OS Release 15.1X49. PR1213775

  • On SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices, VPLS and Ethernet switching must not be configured together on the same device. We recommend that you avoid using an Ethernet-switching configuration on these platforms when VPLS is enabled. PR1214803

  • On SRX345 and SRX550M devices, frames carried with a priority bit on the Tag Protocol Identifier (TPID) are lost when the packet passes through with Layer 2 forwarding. PR1229021

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, after a certain period of enabling dot1x, multiple first-message EAP frames with the same timestamp are transmitted. This does not affect any dot1x functionality. PR1245325

  • On SRX Series devices, if advanced anti-malware (AAMW) service is enabled, SMTP is configured in the AAMW policy with fallback permission enabled under the long network latency between the devices, and AWS is running Juniper Sky ATP service, file submission timeout error might occur. When sending the timeout error, the e-mail sent from Outlook might remain in the outbox of the sender, and the recipient might not receive the e-mail. PR1254088

  • A modem profile is not active until the profile is defined. You need to define a profile before selecting the profile. PR1254427

  • A FIPS core file is generated when you perform a firmware upgrade or downgrade. In Junos OS FIPS mode, the file integrity checking application veriexec treats the new updated firmware file as a corrupted Junos OS file. PR1268240

  • On SRX Series devices, AAMW established sessions always use the configured AAMW parameters that exist at the time of session establishment. Configuration changes do not retroactively affect the already established sessions. For example, a session established when the verdict threshold is 5 always has 5 as the threshold even if the verdict threshold changes to other values during the session lifetime. PR1270751

  • On SRX Series devices, OSPF over GRE running on IPsec is not supported on a device with a standalone central point. PR1274667

  • On SRX Series devices, firewall authentication cannot retrieve domain information from the access profile configuration because firewall authentication does not push user domain information to the Juniper Identity Management Service server if the user authenticates through web-authentication, pass-through, or web-redirect with an LDAP access profile. PR1281063

  • The use firewall process useridd repeatedly attempts to reconnect to the AD server when the connection fails. Consequently, useridd is unable to handle other messages. You (the administrator) must remove or deactivate unused or incorrect user firewall configurations. PR1307851

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, using an SFP-T module can cause an early linkup if you connect a device during the boot process. PR1314167

  • Packet reorder occurs on the traffic received on the PPP interface. PR1340417

  • FTP using Microsoft NLB does not work correctly in transparent mode. PR1341446

  • Primary group-domain computers are not supported by the user firewall integration. PR1361512

  • When using a crossover cable, the interfaces are down when there is a change from 10 million to 100 million. PR1387978

  • When using advanced, application-based, multipath routing, the sender sequences packets in order and delivers the packets to the receiver. If the receiver receives the packets out of order, then in Junos OS Release 15.1X49-D200 and later, the packets are dropped. Since IPsec might reorder the packets coming from the sender for fragmented packets, packets might get dropped at the receiver. PR1403584

  • Packets might be dropped in an SD-WAN use case if IPsec is not configured (for example, IP over MPLS over GRE) in HA Z mode. This issue does not occur if IPsec is configured (IP over MPLS over GRE over IPsec) or in chassis cluster active/passive mode. PR1415343

  • On all SRX Series devices, when a flow containing fragmented IP packets passes through the firewall of an SRX Series device, if the same IP ID value is used by two different fragmented packets within 2 seconds, the second fragmented IP packet is dropped. PR1482074

Interfaces and Chassis

  • On SRX1500 devices, when a 1-Gigabit Ethernet SFP-T is used on 1-Gigabit Ethernet SFP ports (ge-0/0/12 to ge-0/0/15), the ge interface does not operate at 100-Mbps speed. PR1133384

  • On SRX Series devices, after the user changes some interface configurations, a reboot warning message might appear. The warning message is triggered only when the configuration of the interface mode is changed from route mode to switch or mixed mode. This is a configuration-related warning message, so it might not reflect the current running state of the interface mode. PR1165345

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, the current Ethernet switching MAC aging uses software to age out MAC addresses learned in bulk. You cannot age out a specific MAC address learned at a specific time immediately after the configured age. The MAC address might age out close to two times the configured age-out time. PR1179089

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, use logical tunnel interface lt-0/0/0 as the destination interface option for an RPM probe-server on the device. PR1257502


  • On SRX550M and SRX1500 devices, there is no option to configure Layer 2 firewall filters from J-Web, irrespective of the device mode. PR1138333

  • On SRX Series devices in a chassis cluster, if you want to use J-Web to configure and commit configurations, you must ensure that all other user sessions are logged out, including any CLI sessions. Otherwise, the configurations might fail. PR1140019

  • On SRX1500 devices in J-Web, the snapshot functionality Maintain>Snapshot>Target Media>Disk>Click Snap Shot is not supported. PR1204587

  • On SRX Series devices, you cannot create profiles for CL-1/0/0 using J-Web and the CLI. The error message interface not found is displayed. We recommend using only one LTE Mini-PIM in the supported devices. PR1262543

  • On SRX Series devices, when you log in to J-Web, navigate to Monitor>Services>DHCP>DHCP Relay, and click the Help page icon, the Online Help page displays a 404 error message. PR1267751

  • On SRX Series devices, adding 2000 global addresses at a time to the SSL proxy profile exempted addresses can cause the webpage to become unresponsive. PR1278087

  • On SRX Series devices, you cannot view the custom log files created for event logging in J-Web. PR1280857

  • On SRX Series devices running Junos OS Release 15.1X49-D90 and earlier releases, J-Web often does not display the IPD log that is locally saved. PR1336341

  • On SRX Series devices using Junos OS Release 15.1X49, J-Web operation does not reset the idle time in the output of the show system users command. PR1445779

Platform and Infrastructure

  • On SRX5800 devices, if a global SOF policy (all session service-offload) is enabled, the connections per second are impacted due to an IOC2 limitation. We recommend using an IOC3 card if more sessions are required for SOF, or lowering the SOF session amount to ensure that IOC2 is capable of handling it. PR1121262

  • On SRX5800 devices, if the system service REST API is added to the configuration, even though the commit can be completed, all the configuration changes in this commit do not take effect. This occurs because the REST API daemon fails to come up, and the interface IP address is not available during bootup. The configuration is not read on the Routing Engine side. PR1123304

  • On SRX5400, SRX5600, and SRX5800 devices, in a central point architecture, system logs are sent per second per SPU. Hence, the number of SPUs define the number of system logs per second. PR1126885

  • On all SRX Series devices, when using event mode logging, some AppTrack log messages might be lost in case of heavy logging. The reason is that the Packet Forwarding Engine might send the messages in batches, overflowing the log buffer on the Routing Engine. The log buffer has been increased as a mitigation, but in rare instances, some log messages might still be dropped. PR1133757

  • On SRX1500 devices, when CPU usage is very high (above 95 percent), the connection between the AAMW process and PKI daemon might break. In this case, the AAMW process remains in initializing state until that connection is established. PR1142380

  • On SRX1500 devices, after you change the revocation configuration of a CA profile, the change cannot be populated to the SSL-I revocation check. We recommend that you change SSL-I configuration to enable or disable certificate revocation list (CRL) checking instead of CA profile configuration. PR1143462

  • On SRX1500 devices in a chassis cluster with Juniper Sky Advanced Threat Prevention (ATP) solution deployed, if you disable and then reenable CRL checking of certificate validity, the system does not reenable CRL checking. PR1144280

  • On SRX340 and SRX345 devices, half-duplex mode is not supported. PR1149904

  • On SRX5400 devices, if a username or group name contains the following characters * (ASCII 0x2a), (ASCII 0x28), (ASCII 0x29), \ (ASCII 0x5c) and NUL (ASCII 0x00), the query from the device to the LDAP server times out and might lead to high CPU utilization. PR1157073

  • On SRX300 and SRX320 devices, link mode cannot be set to half-duplex mode on internal small form-factor pluggable (SFP) ports. PR1165259

  • On SRX4100 and SRX4200 devices, although the CLI is configurable, the following features are not supported—Group VPN, VPN Suite B, and encrypted control links when in chassis cluster. PR1214410

  • When using third-party certificate chain for the Web authentication redirect page, for the HTTP REST API, or for J-Web access, which contains at least one intermediate CA certificate, the SRX Series device does not send the intermediate certificate to the client. PR1408921

  • SRX320 PoE devices do not support LLDP from Junos OS Release 15.1X49-D170 onward. PR1438467

Unified Threat Management (UTM)

  • On SRX Series devices with Sophos Antivirus (SAV) configured, some files that have size larger than the max-content-size might not go into fallback state. This might occur when a protocol does not predeclare the content size. PR1005086

  • On SRX550M devices using Junos OS Release 12.1X49-D30 for the enhanced Web filtering feature, performance drop is observed. PR1138189


  • On SRX Series devices, if an IPsec VPN tunnel is established using IKEv2, due to bad SPI, packet drop might be observed during CHILD_SA rekey when the device is the responder for this rekey. PR1129903

  • On SRX Series devices, an IPsec VPN tunnel that uses a PPPoE interface as the external interface fails after RG0 failover. PR1143955

  • On SRX5400, SRX5600, and SRX5800 devices, when CoS is enabled on the st0 interface and the incoming traffic rate destined for the st0 interface is higher than 3,00,000 packets per second (pps) per SPU, the device might drop some of the high-priority packets internally and shaping of outgoing traffic might be impacted. We recommend that you configure an appropriate policer on the ingress interface to limit the traffic below 3,00,000 pps per SPU. PR1239021