Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Known Issues

 

This section lists the known issues in hardware and software in Junos OS Release 15.1X49-D210.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • The SSL proxy feature might not work properly on the SRX5000 line of devices (RE1, SPC1, SCB1, IOC1 cards). As a workaround, we recommend that you use software mode crypto on these devices. PR1439314

Flow-Based and Packet-Based Processing

  • SNMP fails while polling data across custom routing instances on the SRX300 line of devices. PR1352311

  • In a multithreaded environment, the service offload counter might be incorrect. PR1381312

  • On all SRX Series devices, in chassis cluster with Z mode traffic and local (non-reth) interfaces configured, when using ECMP routing between multiple interfaces residing on both node0 and node1, if a session is initiated through one node and the return traffic comes in through the other node, packets might be dropped due to reroute failure. PR1410233

  • On all SRX Series devices with advanced anti-malware service configured, due to a rare issue in file system handling in the data plane, the flowd or srxpfe process might stop. PR1437270

  • On SRX1500 devices, the link does not come up after you replace a copper transceiver with a fiber transceiver until you reboot the device. PR1437615

  • Unexpected IP address is included in custom IP feed on an SRX4100 cluster. You can resolve this issue by restarting the security intelligence process. PR1440157

  • On an SRX340 device with J-Flow version 9 configured, the flowd process might generate core files frequently when the device is busy. PR1463689

  • TCP session cannot time out properly upon receiving the TCP RESET packet, and the session timeout does not change to 2 seconds. PR1467654

Install and Upgrade

  • On SRX550M devices, upgrade fails when you upgrade from Junos OS Release 15.1X49-D30 to a later release without using the no-validate option. PR1237971

Interfaces and Chassis

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, for IFLS (logical interface) scaling without per-unit-scheduler configured, the total IFL number is limited to 2048. With per-unit-scheduler configured on the IFD interface, the total IFL number is limited to the CoS scheduler sub-unit upper limit of 2048. So, the IFL maximum number for per-unit-scheduler should be 2048 minus the number of physical interfaces that are up. With at least one logical interface up, the maximum number is 128. PR1138997

  • The monitor interface command starts the ifmon process. During this time, if the telnet session to the router is disconnected unconventionally, then the ifmon process is not terminated and takes up 100 percent CPU utilization. The workaround is to terminate the stale ifmon process. PR1162521

  • On the SRX4000 line of devices, the fxp0 interface status does not show the proper state for speed and duplex. PR1392050

  • Multipath credit limit might be reset after multiple configuration changes and interface flaps. The credit limit might be reset based on the default interface speed of 1 Gbps and default or configured bandwidth limit. PR1401090

  • T1 interfaces go down if Password Authentication protocol (PAP) RADIUS authentication is configured. PR1402612

  • On SRX1500 platforms, when you configure interface-mac-limit on one interface and then send traffic with a different source MAC address (such as 10,000) the interface, the number of learned MAC addresses reaches max-value limit (8192). Traffic cannot transfer on all interfaces. PR1409018

Intrusion Detection and Prevention (IDP)

  • On SRX Series devices, commit or show command for IDP might not work if SNMP queries are run when large-scale IDP is used. PR1444043

J-Web

  • On SRX4100 devices, a security policy page in J-Web does not load when it has 40,000 firewall policy configurations. Navigate to Configure> Security> Security Policy page. PR1251714

  • On SRX Series devices, the dashboard widget applications, ThreatMap, and Firewall Top Denies initially show no data available even when the device has a large amount of data. Refresh the individual widgets to show the data. PR1282666

  • On SRX Series devices, the CLI terminal does not work for Google Chrome versions later than version 42. You can use Internet Explorer version 10 or 11 or Firefox version 46 browsers to use the CLI terminal. PR1283216

  • On SRX Series devices, sometimes, the time range slider does not work for all events and individual events in Google Chrome and Firefox browsers. PR1283536

Network Address Translation (NAT)

  • The flowd or srxpfe process might stop when traffic is processed by both ALGs and NAT. PR1471932

Network Management and Monitoring

  • The snmpd process leaks memory in snmpv3 query path and crashes. The issue is caused by a memory leak when the request PDU is dropped by SNMP when the snmp filter-duplicates configuration is enabled. Each request PDU has a structure pointer for the SNMPv3 security details. This is allocated when the PDU is created or cloned. But while dropping the duplicate requests, the corresponding structure is not freed, which causes the memory leak. PR1392616

Platform and Infrastructure

  • On SRX Series devices running FreeBSD 6-based Junos OS, when a USB flash device with a mounted file system is physically detached by a user, the system might panic. The issue is resolved with FreeBSD 10 and later. Contact JTAC to confirm whether the code and platform in your setup are running FreeBSD 10 or later. PR695780

  • On SRX Series devices, the flowd process might stop and cause traffic outage if the SPU CPU usage is higher than 80 percent. Therefore, some threads are in waiting status and the watchdog cannot be toggled on time, causing the flowd process to stop. PR1162221

  • On SRX Series devices, mgd core files are generated during RPC communication between the SRX Series device and Junos Space or CLI if the % symbol is present in the description or annotation. PR1287239

  • On SRX5600 and SRX5800 devices in a chassis cluster, when a second Routing Engine is installed to enable dual control links, the show chassis hardware command might show the same serial number for the second Routing Engines on both the nodes. PR1321502

  • On the SRX4000 line of devices with chassis cluster setup, when more than two ports are bound reth interfaces on each node, packet drop might be seen. PR1345941

  • MTU change after a CFM session is brought up can impact Layer 2 Ethernet ping (loopback messages). If the new MTU is lower than the original value, then Layer 2 Ethernet ping fails. PR1427589

  • The PICs might go offline and split-brain might be seen when interrupt storm happens on the internal Ethernet interface em0 or em1. PR1429181

  • Unable to launch J-Web when the device is upgraded using a USB image. PR1430941

Routing Policy and Firewall Filters

  • An SRX345 device running Junos OS Release 15.1X49-D180 has high NSD usage due to possible memory leak. PR1452721

  • In rare cases, a specific domain is not resolved by SRX Series devices when using the DNS address book. This is because the DNS library resolver fails to identify the pointer with a big offset in the compressed DNS name. PR1471408

VPNs

  • If multiple traffic selectors are configured for a peer with Internet Key Exchange version 2 (IKEv2) reauthentication, only one traffic selector is rekeyed at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekey. A new negotiation of those traffic selectors is triggered through other mechanisms—for example, by traffic or by a peer. PR1287168

  • The VPN tunnels in two chassis cluster nodes can go out of synchronization after the VPN generates a core file in the active chassis cluster node. The VPN tunnels that are out of synchronization can impact traffic. PR1351646

  • When using the operational mode request security ike debug-enable command for IKE debugging after using IKE traceoptions with a file name specified in the configuration, the debugs are written to the same file name. PR1381328

  • VPN tunnels flap after adding or deleting a group in edit private mode on a clustered setup. PR1390831

  • On SRX Series devices with more than 500 IPsec VPN tunnels configured, the IPsec VPN might flap while establishing a connection for the first time. PR1455951