Known Limitations

 

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 15.1X49-D240.

Authentication and Access Control

  • On SRX Series devices, TLS version 1.0 and TLS version 1.1 SSL protocols are blocked because of reported security vulnerabilities. This change might affect users accessing J-Web or the Web authentication GUI, or using dynamic VPN through the Pulse client when using an older version of Junos OS or older versions of browsers that do not support the TLS version 1.2 protocol. This change affects Junos OS Release 15.1X49-D100 and later releases. PR1283812

  • On SRX4100, SRX4200, SRX4600, vSRX, and SPC3 platforms, bandwidth policers might cause low throughput when processing high-rate multiflow traffic. PR1459936

Chassis Clustering

  • In a chassis cluster set up on SRX550M devices, traffic loss for about 10 seconds is observed when there is a power failure on the active chassis cluster node. PR1195025

  • IP monitoring for redundancy groups might not work on the secondary node if the reth interface has more than one physical interface configured. This is because the backup node sends traffic using the MAC address of the lowest port in the bundle. If the reply does not come back on the same physical port, then the internal switch drops the traffic. PR1344173

  • During chassis cluster cold synchronization, the GTP-U session is synchronized with the secondary device before it is synchronized with the GTP-U tunnel. As a result, the GTP-U tunnel cannot be linked with the corresponding GTP-U flow session, and the GTP-U tunnel is not refreshed by GTP-U traffic until new sessions are created. If old sessions do not age out on the primary device, all GTP-U traffic goes through the fast path and no session creation events are triggered. Then, after the GTP-U timeout period, the tunnels on the secondary device also age out earlier. PR1353791

Flow-Based and Packet-Based Processing

  • On SRX Series devices, the show arp command displays all the ARP entries learned from all interfaces. While switching to Layer 2 global mode, the ARP entries learned from the IRB interface show only one specific VLAN member port instead of the actual VLAN port learned in the ARP entries. PR1180949

  • On SRX1500 devices configured in the Ethernet switching mode, a few MAC entries might still be displayed in the output of the show ethernet-switching table command even after the age-out time has passed for all MAC addresses. This issue occurs only when the MAC learning table has 17,000 MAC entries or more. PR1194667

  • On SRX300, SRX320, SRX340, and SRX345 devices, you cannot launch the setup wizard by using the reset configuration button when the device is in Layer 2 transparent mode. You can launch the setup wizard by using the reset configuration button on the device only when the device is in switching mode. PR1206189

  • On SRX300, SRX320, SRX340, SRX345, and SRX1500 devices, the vSRX 2.0 command set system internet-options tcp-mss does not work in Junos OS Release 15.1X49. PR1213775

  • On SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices, VPLS and Ethernet switching must not be configured together on the same device. We recommend that you avoid using an Ethernet-switching configuration on these platforms when VPLS is enabled. PR1214803

  • On SRX345 and SRX550M devices, frames carried with a priority bit on the Tag Protocol Identifier (TPID) are lost when the packet passes through with Layer 2 forwarding. PR1229021

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, after a certain period of enabling 802.1X, multiple first-message EAP frames with the same timestamp are transmitted. This does not affect any 802.1X functionality. PR1245325

  • On SRX Series devices, OSPF over GRE running on IPsec is not supported on a device with a standalone central point. PR1274667

  • A modem profile is not active until the profile is defined. You need to define a profile before selecting it. PR1254427

  • A FIPS core file is generated when you perform a firmware upgrade or downgrade. In Junos OS FIPS mode, the file integrity checking application veriexec treats the updated firmware file as a corrupted Junos OS file. PR1268240

  • On SRX Series devices, established AAMW sessions always use the configured AAMW parameters that exist at the time of session establishment. Configuration changes do not retroactively affect the already established sessions. For example, a session established when the verdict threshold is 5 always has 5 as the threshold even if the verdict threshold changes to other values during the session lifetime. PR1270751

  • On SRX Series devices, firewall authentication cannot retrieve domain information from the access profile configuration because firewall authentication does not push user domain information to the Juniper Identity Management Service server if the user authenticates through Web authentication, pass-through, or Web redirect with an LDAP access profile. PR1281063

  • The user firewall process useridd repeatedly attempts to reconnect to the Active Directory server when the connection fails. Consequently, useridd is unable to handle other messages. You (the administrator) must remove or deactivate unused or incorrect user firewall configurations. PR1307851

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, using an SFP-T module can cause an early linkup if you connect a device during the boot process. PR1314167

  • Packet reordering occurs on the traffic received on the PPP interface. PR1340417

  • FTP using Microsoft NLB does not work correctly in transparent mode. PR1341446

  • Primary group-domain computers are not supported by the user firewall integration. PR1361512

  • When using a crossover cable, the interfaces are down when there is a change from 10 million to 100 million. PR1387978

  • When using advanced, application-based, multipath routing, the sender sequences packets in order and delivers the packets to the receiver. If the receiver receives the packets out of order, then in Junos OS Release 15.1X49-D200 and later, the packets are dropped. Because IPsec might reorder packets coming from the sender for fragmentation, packets might get dropped at the receiver. PR1403584

  • Packets might be dropped in an SD-WAN use case if IPsec is not configured (for example, IP over MPLS over GRE) in HA Z mode. This issue does not occur if IPsec is configured (IP over MPLS over GRE over IPsec) or in chassis cluster active or passive mode. PR1415343

  • On all SRX Series devices, when a flow containing fragmented IP packets passes through the firewall of an SRX Series device, if the same IP ID value is used by two different fragmented packets within 2 seconds, the second fragmented IP packet is dropped. PR1482074
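The IP ID reuse limitation in the last item above (PR1482074) can be checked against captured traffic. The following is an added example, not part of the Juniper release notes: it scans fragment records and reports datagrams that reuse an IP ID within the 2-second window. The record fields, addresses, and sample values are constructed, and the sketch assumes that a datagram is identified by source, destination, protocol, and IP ID, and that a fragment with offset 0 starts a new datagram.

```python
from collections import namedtuple

# One record per captured IP fragment (fields are an assumption of this example):
# capture time in seconds, source, destination, IP protocol, IP ID, fragment offset in bytes.
Frag = namedtuple("Frag", "ts src dst proto ip_id offset")

WINDOW = 2.0  # seconds; the reuse window stated in the limitation


def find_ipid_reuse(frags, window=WINDOW):
    """Return (key, first_ts, second_ts) for every datagram that starts with an
    IP ID already used by an earlier fragmented datagram of the same
    source/destination/protocol no more than `window` seconds before."""
    last_start = {}  # (src, dst, proto, ip_id) -> time of the latest offset-0 fragment
    hits = []
    for f in sorted(frags, key=lambda r: r.ts):
        if f.offset != 0:
            continue  # assumption: only an offset-0 fragment starts a new datagram
        key = (f.src, f.dst, f.proto, f.ip_id)
        prev = last_start.get(key)
        if prev is not None and f.ts - prev <= window:
            hits.append((key, prev, f.ts))
        last_start[key] = f.ts
    return hits


# Constructed sample capture (documentation addresses, UDP = protocol 17).
SAMPLE = [
    Frag(0.00, "10.0.0.5", "192.0.2.10", 17, 0x1A2B, 0),
    Frag(0.00, "10.0.0.5", "192.0.2.10", 17, 0x1A2B, 1480),
    # Same sender reuses ID 0x1a2b after 0.9 s: the case the limitation describes.
    Frag(0.90, "10.0.0.5", "192.0.2.10", 17, 0x1A2B, 0),
    Frag(0.90, "10.0.0.5", "192.0.2.10", 17, 0x1A2B, 1480),
    # A different source using the same ID is a different datagram key.
    Frag(0.50, "10.0.0.6", "192.0.2.10", 17, 0x1A2B, 0),
    # Reuse after 3.5 s is outside the window.
    Frag(1.00, "10.0.0.5", "192.0.2.10", 17, 0x1A2C, 0),
    Frag(4.50, "10.0.0.5", "192.0.2.10", 17, 0x1A2C, 0),
]

if __name__ == "__main__":
    for (src, dst, proto, ip_id), t1, t2 in find_ipid_reuse(SAMPLE):
        print(f"{src} -> {dst} proto {proto}: IP ID {ip_id:#06x} "
              f"reused after {t2 - t1:.2f} s")
```

A retransmitted copy of the same first fragment is also reported, because the records alone cannot distinguish it from a new datagram with the same ID.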

Interfaces and Chassis

  • On SRX Series devices, after the user changes some interface configurations, a reboot warning message might appear. The warning message is triggered only when the configuration of the interface mode is changed from route mode to switch or mixed mode. This is a configuration-related warning message, so it might not reflect the current running state of the interface mode. PR1165345

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, the current Ethernet switching MAC aging uses software to age out MAC addresses learned in bulk. You cannot age out a specific MAC address learned at a specific time immediately after the configured age. The MAC address might age out close to two times the configured age-out time. PR1179089

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, use the logical tunnel interface lt-0/0/0 as the destination interface option for an RPM probe server on the device. PR1257502

J-Web

  • On SRX550M and SRX1500 devices, there is no option to configure Layer 2 firewall filters from J-Web, irrespective of the device mode. PR1138333

  • On SRX Series devices in a chassis cluster, if you want to use J-Web to configure and commit configurations, you must ensure that all other user sessions are logged out, including any CLI sessions. Otherwise, the configurations might fail. PR1140019

  • On SRX1500 devices in J-Web, the snapshot functionality Maintain > Snapshot > Target Media > Disk > Click Snap Shot is not supported. PR1204587

  • On SRX Series devices, you cannot create profiles for cl-1/0/0 using J-Web and the CLI. The error message “interface not found” is displayed. We recommend that you use only one LTE Mini-PIM in the supported devices. PR1262543

  • On SRX Series devices, when you log in to J-Web, navigate to Monitor > Services > DHCP > DHCP Relay, and click the Help page icon, the Online Help page displays a 404 error message. PR1267751

  • On SRX Series devices, adding 2000 global addresses at a time to the addresses exempted in the SSL proxy profile can cause the webpage to become unresponsive. PR1278087

  • On SRX Series devices, you cannot view the custom log files created for event logging in J-Web. PR1280857

  • On SRX Series devices running Junos OS Release 15.1X49-D90 and earlier releases, J-Web often does not display the IPD log that is locally saved. PR1336341

  • On SRX Series devices using Junos OS Release 15.1X49, a J-Web operation does not reset the idle time in the output of the show system users command. PR1445779

Platform and Infrastructure

  • On SRX5800 devices, if a global SOF policy (all-session service-offload) is enabled, the connections per second are impacted due to an IOC2 limitation. We recommend that you use an IOC3 card if more sessions are required for SOF, or lower the SOF session amount to ensure that IOC2 is capable of handling it. PR1121262

  • On SRX5800 devices, if the system service REST API is added to the configuration, even though the commit can be completed, all the configuration changes in this commit do not take effect. This occurs because the REST API daemon fails to come up, and the interface IP address is not available during bootup. The configuration is not read on the Routing Engine side. PR1123304

  • On SRX5400, SRX5600, and SRX5800 devices, in a central point architecture, system logs are sent per second per SPU. Hence, the number of SPUs defines the number of system logs per second. PR1126885

  • On SRX1500 devices, when a 1GbE SFP-T transceiver is used on 1GbE SFP ports (ge-0/0/12 through ge-0/0/15), the ge interface does not operate at 100-Mbps speed. PR1133384

  • On all SRX Series devices, when you are using event mode logging, some AppTrack log messages might be lost in case of heavy logging. The reason is that the Packet Forwarding Engine might send the messages in batches, overflowing the log buffer on the Routing Engine. The log buffer has been increased as a mitigation, but in rare instances, some log messages might still be dropped. PR1133757

  • On SRX1500 devices, when the CPU usage is very high (above 95 percent), the connection between the AAMW process and PKI daemon might break. In this case, the AAMW process remains in the initializing state until that connection is established. PR1142380

  • On SRX1500 devices, after you change the revocation configuration of a CA profile, the change cannot be populated to the SSL-I revocation check. We recommend that you change the SSL-I configuration to enable or disable certificate revocation list (CRL) checking instead of CA profile configuration. PR1143462

  • On SRX1500 devices in a chassis cluster with the Juniper Sky Advanced Threat Prevention (ATP) solution deployed, if you disable and then reenable CRL checking of certificate validity, the system does not reenable CRL checking. PR1144280

  • On SRX340 and SRX345 devices, half-duplex mode is not supported. PR1149904

  • On SRX5400 devices, if a username or group name contains the characters * (ASCII 0x2a), ( (ASCII 0x28), ) (ASCII 0x29), \ (ASCII 0x5c), and NUL (ASCII 0x00), the query from the device to the LDAP server times out and might lead to high CPU utilization. PR1157073

  • On SRX300 and SRX320 devices, link mode cannot be set to half-duplex mode on internal small form-factor pluggable (SFP) ports. PR1165259

  • On SRX4100 and SRX4200 devices, although they can be configured in the CLI, the following features are not supported: Group VPN, VPN Suite B, and encrypted control links when in chassis cluster. PR1214410

  • When using a third-party certificate chain for the Web authentication redirect page, for the HTTP REST API, or for J-Web access, which contains at least one intermediate CA certificate, the SRX Series device does not send the intermediate certificate to the client. PR1408921

  • When an NTP server is newly added to the Junos OS configuration using a domain name, a DNS server IP address needs to have been already configured and committed in a previous commit. Otherwise, the commit will fail due to the NTP server domain name failing to be resolved to an IP address. As a workaround, use an IP address for the NTP server configuration. PR1411396

  • SRX320 PoE devices do not support LLDP from Junos OS Release 15.1X49-D170 onward. PR1438467

Unified Threat Management (UTM)

  • On SRX Series devices with Sophos Antivirus (SAV) configured, some files larger than the max-content-size value might not go into the fallback state. This might occur when a protocol does not predeclare the content size. PR1005086

  • On SRX550M devices using Junos OS Release 12.1X49-D30 for the enhanced Web filtering feature, a performance drop is observed. PR1138189

VPNs

  • On SRX Series devices, if an IPsec VPN tunnel is established using IKEv2, packets might be dropped because of a bad SPI during CHILD_SA rekey when the device is the responder for this rekey. As a workaround, to ensure that the SRX Series device is always the initiator for CHILD_SA rekey, set lifetime-seconds to a lower value than the one set on the remote peer. The lifetime can be set under [edit security ipsec proposal]. PR1129903

  • On SRX5400, SRX5600, and SRX5800 devices, when CoS is enabled on the st0 interface and the incoming traffic rate destined for the st0 interface is higher than 300,000 packets per second (pps) per SPU, the device might drop some of the high-priority packets internally and shaping of outgoing traffic might be impacted. We recommend that you configure the appropriate policer on the ingress interface to limit the traffic below 300,000 pps per SPU. PR1239021