Navigation  Back up to About Overview 
[+] Expand All
[-] Collapse All

Resolved Issues

This section lists the issues fixed in hardware and software in Junos OS Release 15.1X49-D90.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues

Application Identification and Tracking

  • On SRX Series devices, when Express Path (SOF) is enabled, the ASIC recalculates all the UDP checksum on I/O Card IOC and causes traffic problem on the IPsec session. PR1254897

Chassis Clustering

  • On SRX1500 devices in a chassis cluster, the SFP+-10G-CU3M DAC cable connects to the XE interface as the XE interface do not come UP physically. PR1246725
  • On SRX Series devices in a chassis cluster, sometimes it is observed that modifying IPsec VPN configuration might cause file mismatch of /var/etc/ between both primary and secondary nodes. The kmd process crashes on the new primary node after RG0 failover. PR1250178
  • On SRX345 device in a chassis cluster, when ethernet-switching is configured utilizing RETH and switching fabric (swfab) interfaces, the ARP table might be updated incorrectly and show MAC addresses being learnt through incorrect interfaces. The ethernet-switching table continues to show the correct information during the issue. PR1252965
  • On SRX Series devices, user firewall feature causes the memory leak on data plane. All the data plane memory can be used up and traffic failure might occur. PR1255022
  • On SRX devices in a chassis cluster, IRB interface does not work in switching mode. PR1259286
  • On SRX Series devices, when manual route-based IPsec VPN is configured, and enabled the VPN monitoring, might cause the st0 interface down, which results in VPN traffic dropping. PR1259422


  • On SRX1500 devices, traces cannot be enabled or disabled through the CLI options under tcp-encap traceoptions. PR1252544

Dynamic Host Configuration Protocol (DHCP)

  • On SRX Series devices, user might get stuck in RELEASE state with large negative lease time. This issue occurs due to the DHCP IPv4 or DHCP IPv6 relay environment with large scaled environment, and the system is under stress. PR1125189

Ethernet Switching

  • Starting with Junos OS Release 15.1X49-D40 and later, on SRX5400, SRX5600 and SRX5800 devices, some CLI commands are missed in the Request Support Information (RSI) script. PR1236874
  • On SRX5400, SRX5600, and SRX5800 devices, if fab 0 and fab 1 interfaces are changed, the device might drop STP Bridge Protocol Data Unit (BPDU) on RG1+ primary node in transparent mode. PR1243887
  • On SRX300, SRX320, SRX340, and SRX345 devices, if an Aggregated Ethernet (AE) interface is changed from layer 2 to layer 3, then the ARP learning on this AE interface fails. PR1258667
  • On SRX Series devices, when RG0 failover occurs, the Point-to-Point Protocol over Ethernet (PPPoE) session is disconnected. PR1259316

Flow-based and Packet-based Processing

  • On SRX5600 device, the DNS and WIN IPs are in reverse order in active-peer output when configured at access level and access profile level. PR1252186
  • On SRX Series devices, when you configure http-get Real-time Performance Monitoring (RPM) probes, the URL is lost in the get message. For example:
    services {
    rpm {
    probe Keepalive {
    test http-GET {
    probe-type http-get;
    target url;
    probe-count 1;
    probe-interval 5;
    test-interval 300;
    history-size 10;


  • On SRX Series devices, the IPv6 address is detected duplicate on RETH interface when doing inet6 address configurations and failing over at the same time. The Domain Name System (DNS) is sending packets from old primary and received from new primary node due to manual operation. Use configuration set interfaces rethx unit xx family inet6 dad-disable command to disable DAD function. PR1257109
  • On SRX345 device, when you use the NCP remote access client with the TCP encapsulation (Pathfinder) setting enabled, only one Data Plane Redundancy Group (RG1+) can be used. When you use multiple RG1+ and packets traverse the fabric link (Z-mode traffic), packets are dropped. PR1263443
  • On SRX Series devices, when http-reassemble is configured, non-http traffic over port 80 might be blocked by UTM Web filter, such as Real-Time Messaging Protocol (RTMP) traffic over port 80. PR1267317

Interfaces and Routing

  • On SRX5400, SRX5600, and SRX5800 devices, when a new API tunnel between SNMP and Routing Engine (RE) is established, SNMP is linked to common RE while device uses JSSG RE. In this scenario, the related interfaces are not set. PR1253672
  • On SRX Series devices, when Virtual Router Redundancy Protocol (VRRP) advertisements are sent in between L2 and VLAN interface from peer but not received properly, can cause a VRRP split brain condition. PR1254800


  • On SRX Series devices, when you add new IP address to firewall filter, the J-Web PHP memory does not overflow. PR1253482
  • On SRX Series devices, when you view interfaces in J-Web Configure > Interfaces > Ports, the output does not show Zone for some interfaces. PR1255781
  • On SRX340 and SRX345 devices, on the Setup Wizard default mode, an address pool is created for a management IP network even if you change the default management IP address in the default-setup mode. PR1259742


  • On SRX Series devices with Selective Packet Services configured, multicast traffic might be sent out-of-order by the device. PR1246877

Platform and Infrastructure

  • On SRX Series devices, when using administrative users with restricted permissions, you might be unable to rollback to a certain version. PR1206074
  • On SRX Series devices, the secondary node in a chassis cluster environment might crash or go into DB mode, displaying the panic:rnh_index_alloc message. This issue is sometimes observed in a chassis cluster environment with multipoint st0.x interface configured, and the tunnel interfaces flaps according to IPsec idle-timeout or IPsec VPN-monitor. PR1244491
  • On SRX Series devices, watchdog issue happens if routing engine fails to update the watchdog timer every 3 minutes. The watchdog reboots the device. PR1256840
  • On SRX Series devices, the error message abnormal timer recovery is displayed frequently in the logs, without any service impact. PR1260274

Public Key Infrastructure

  • On SRX Series devices, the error message timeout communicating with pki-service daemon is displayed when you create local certificate with ECDSA key pair. For example:
    • user@host# request security pki generate-key-pair certificate-id <name> size 384 type ecdsa.
    • user@host# request security pki local-certificate generate-self-signed certificate-id <name> digest sha-256 domain-name subject CN=X, O=X, C=X add-ca-constraint.
    • In PKI trace is noticed that it is failing to sign x509 certificate. For example, ERROR: X509V3_EXT_conf_nid() failed for extn=hash. self_signed_x509: ERROR: add_ext() failed for extn 'hash'. self_signed_x509: cannot sign the x509. PR1259867

Unified Threat Management (UTM)

  • On SRX Series devices, when Advanced Anti-Malware (AAMW) service is enabled, enrolled with Sky ATP Service running in the cloud, and the user enables the traceoption with option flag daemon or flag. For example, set services advanced-anti-malware traceoptions flag daemon or set services advanced-anti-malware traceoptions flag all. If you commit the configuration changes in AAMW, there might be a coredump on Routing Engine (RE) AAMW daemon. The AAMW daemon recovers afterwards automatically. The coredump occurrence is rare. PR1261881


  • On SRX Series devices in an IPv6 VRRP scenario, when a host sends router solicitation messages to VRRP virtual IPv6 address, the VRRP master replies router advertisement messages with physical MAC address instead of virtual MAC address, and the VRRP slave replies router advertisement messages with physical MAC address. As a result, the host has two default gateways installed and sends traffic directly to two devices instead of VRRP virtual IP. This issue affects the VRRP function and traffic. PR1108366
  • On SRX5400, SRX5600, and SRX5800 devices, the st0 interface global counter statistics is not incrementing and keeps zero, although traffic passes through the tunnel sub-interfaces such as st0.0 and st0.1. PR1171958
  • On SRX1500 devices in a chassis cluster, IP leak might occur under the following scenarios:
    • In case of IKEv1, it is possible for an IPsec VPN tunnel to be active without an active IKEv1 phase 1 SA. Since the assigned IP address associated with an IPsec VPN tunnel (for a user) is stored in the record of phase 1 SA, if HA RG0 failover occurs while there is no active IKEv1 phase SA exist for an IPsec VPN tunnel, the assigned IP address will be released to the authd daemon when the IPsec VPN tunnel is disconnected.
    • In case a remote access IPsec VPN tunnel is cleared (for both IKEv1 and IKEv2), the assigned IP address is kept for 30 seconds before it is released back to the authd within an additional 2 minutes. If HA failover occurs during this time before the IP is received at the authd, there will be an IP address leak.
    • If a new IP is assigned by authd daemon after every user is authenticated, regardless of the user already having an IP assigned from an early authentication. In case of IKEv1, authentication occurs at every IKE phase 1 SA rekey. If the KMD daemon restarts immediately (within 2 minutes) after an IKEv1 phase 1 SA rekey, there is a possibility that the newly assigned IP has not been released to authd daemon yet. This will lead to the leak of that IP. PR1252181

Modified: 2017-11-28