Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Open Issues


This section lists the known issues in hardware and software in Junos OS Release 15.1X49-D220.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • On SRX550M devices, upgrade fails when you upgrade from Junos OS Release 15.1X49-D30 to a later release without using the no-validate option. PR1237971

  • On SRX Series devices, if the advanced anti-malware (AAMW) service is enabled, SMTP is configured in the AAMW policy with fallback permission enabled under the long network latency between the devices, and AWS is running the Juniper Sky ATP service, file submission timeout error might occur. When sending the timeout error, the e-mail sent from Outlook might remain in the outbox of the sender, and the recipient might not receive the e-mail. PR1254088

  • SNMP fails while polling data across custom routing instances on the SRX300 line of devices. PR1352311

  • On all SRX Series devices, in a chassis cluster with Z-mode traffic and local (non-reth) interfaces configured, when using ECMP routing between multiple interfaces residing on both node0 and node1, if a session is initiated through one node and the return traffic comes in through the other node, packets might be dropped due to reroute failure. PR1410233

  • On all SRX Series devices with the advanced anti-malware service configured, due to a rare issue in file system handling in the data plane, the flowd or srxpfe process might stop. PR1437270

  • On SRX1500 devices, the link does not come up after you replace a copper transceiver with a fiber transceiver until you reboot the device. PR1437615

  • An unexpected IP address is included in the custom IP feed on an SRX4100 cluster. You can resolve this issue by restarting the security intelligence process. PR1440157

  • The TCP session cannot time out properly upon receiving the TCP RESET packet, and the session timeout value does not change to 2 seconds. PR1467654

Install and Upgrade

  • On SRX1500 devices in a chassis cluster with the Juniper Sky Advanced Threat Prevention (ATP) solution deployed, if you disable and then reenable CRL checking of certificate validity, the system does not reenable CRL checking. PR1144280

Interfaces and Chassis

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, for logical interface scaling without per-unit-scheduler configured, the total number of logical interfaces is limited to 2048. With per-unit-scheduler configured on the physical interface, the total number of logical interfaces is limited to the CoS scheduler subunit upper limit of 2048. So, the maximum number of logical interfaces for per-unit-scheduler should be 2048 minus the number of physical interfaces that are up. With at least one logical interface up, the maximum number is 128. PR1138997

  • The monitor interface command starts the ifmon process. During this time, if the Telnet session to the router is disconnected unconventionally, then the ifmon process is not terminated and takes up 100 percent CPU utilization. The workaround is to terminate the stale ifmon process. PR1162521

  • On the SRX4000 line of devices, the fxp0 interface status does not show the proper state for speed and duplex. PR1392050

  • The multipath credit limit might be reset after multiple configuration changes and interface flaps. The credit limit might be reset based on the default interface speed of 1 Gbps and the default or configured bandwidth limit. PR1401090

  • T1 interfaces go down if Password Authentication Protocol (PAP) RADIUS authentication is configured. PR1402612

  • On SRX1500 platforms, if you configure interface-mac-limit on one interface and then send traffic with a different source MAC address (such as 10,000) on that interface, then the number of learned MAC addresses reaches the maximum limit (8192). Traffic cannot be transferred on all interfaces. PR1409018


  • On SRX4100 devices, a security policy page in J-Web does not load when it has 40,000 firewall policy configurations. Navigate to the Configure> Security> Security Policy page. PR1251714

  • On SRX Series devices, the dashboard widget applications, ThreatMap, and Firewall Top Denies initially show no data available even when the device has a large amount of data. Refresh the individual widgets to show the data. PR1282666

  • On SRX Series devices, the CLI terminal does not work for Google Chrome versions later than version 42. You can use the Internet Explorer version 10 or 11 or Firefox version 46 browser to use the CLI terminal. PR1283216

  • On SRX Series devices, sometimes the time range slider does not work for all events and individual events in Google Chrome and Firefox browsers. PR1283536

Network Management and Monitoring

  • The snmpd process leaks memory in the SNMPv3 query path and crashes. The issue is caused by a memory leak when the request PDU is dropped by SNMP when the snmp filter-duplicates configuration is enabled. Each request PDU has a structure pointer for the SNMPv3 security details. This is allocated when the PDU is created or cloned. But while dropping the duplicate requests, the corresponding structure is not freed, which causes the memory leak. PR1392616

Platform and Infrastructure

  • On SRX Series devices running FreeBSD 6.0 based Junos OS, when a USB flash drive with a mounted file system is physically detached by a user, the system might panic. The issue is resolved with FreeBSD 10 and later (upgraded FreeBSD). PR695780

  • On SRX5800 devices, if the system service REST API is added to the configuration, even though the commit can be completed, all the configuration changes in this commit do not take effect. This occurs because the REST API daemon fails to come up, and the interface IP address is not available during bootup. The configuration is not read on the Routing Engine side. PR1123304

  • On SRX Series devices, the flowd process might stop and cause traffic outage if the SPU CPU usage is higher than 80 percent. Therefore, some threads are in waiting status and the watchdog cannot be toggled on time, causing the flowd process to stop. PR1162221

  • On SRX Series devices, mgd core files are generated during RPC communication between the SRX Series device and Junos Space or Junos OS CLI if the % symbol is present in the description or annotation. PR1287239

  • On SRX5600 and SRX5800 devices in a chassis cluster, when a second Routing Engine is installed to enable dual control links, the show chassis hardware command might show the same serial number for the second Routing Engines on both the nodes. PR1321502

  • On the SRX4000 line of devices with chassis cluster setup, when more than two ports are bound as reth interfaces on each node, packet drop might be seen. PR1345941

  • When using third-party certificate chain for the Web authentication redirect page, for the HTTP REST API, or for J-Web access, which contains at least one intermediate CA certificate, the SRX Series device does not send the intermediate certificate to the client. PR1408921

  • An MTU change after a CFM session is brought up can impact Layer 2 Ethernet ping (loopback messages). If the new MTU is lower than the original value, then Layer 2 Ethernet ping fails. PR1427589

  • The PICs might go offline and split-brain might be seen when an interrupt storm happens on the internal Ethernet interface em0 or em1. PR1429181

  • Unable to launch J-Web when the device is upgraded using a USB image. PR1430941

Routing Policy and Firewall Filters

  • An SRX345 device running Junos OS Release 15.1X49-D180 has high NSD usage due to a possible memory leak. PR1452721

  • In a rare case, a specific domain is not resolved by the SRX Series device when using the DNS address book. This is because the DNS library resolver fails to identify the pointer with a big offset in the compressed DNS name. PR1471408


  • On SRX Series devices, if an IPsec VPN tunnel is established using IKEv2, due to a bad SPI, packets might be dropped during CHILD_SA rekey when the device is the responder for this rekey. As a workaround, to ensure that the SRX Series devices are always the initiator for the CHILD_SA rekey, by setting the lifetime-seconds statement to a lower value than it is set on the remote peer. The lifetime-seconds value can be set under [edit security ipsec proposal]. PR1129903

  • On SRX Series devices, if multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector rekeys at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. New negotiation of those traffic selectors might be triggered through other mechanisms such as traffic or peer. PR1287168

  • When using the operational mode request security ike debug-enable command for IKE debugging after using IKE traceoptions with a filename specified in the configuration, the debugged files are written to the same filename. PR1381328

  • VPN tunnels flap after a group is added or deleted in edit private mode in a clustered setup. PR1390831