Navigation  Back up to About Overview 
[+] Expand All
[-] Collapse All

Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 15.1X49-D90.

Class of Service (CoS)

The following limitations apply to CoS support on VPN st0 interfaces:

  • Currently, the maximum number for software queues is 2048. If the number of st0 interfaces exceeds 2048, not enough software queues can be created for all the st0 interfaces.
  • Only route-based VPN can apply st0 CoS. Table 1 describes the st0 CoS feature support for different types of VPN.

    Table 1: CoS Feature Support for VPN

    Classifier FeaturesSite-to-Site VPN (P2P)ADVPN/AutoVPN (P2MP)

    Classifiers, policers, and rewriting markers



    Queueing, scheduling, and shaping based on st0 logical interfaces


    Not supported

    Queueing, scheduling, and shaping based on virtual channels



  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, one st0 logical interface can bind to multiple VPN tunnels. The eight queues for the st0 logical interface cannot reroute the traffic to different tunnels, so pre-tunneling is not supported.

    Note: The virtual channel feature can be used as a workaround on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

  • When defining a CoS shaping rate on an st0 tunnel interface, consider the following restrictions:
    • The shaping rate on the tunnel interface must be less than that of the physical egress interface.
    • The shaping rate only measures the packet size that includes the inner Layer 3 cleartext packet with an ESP/AH header and an outer IP header encapsulation. The outer Layer 2 encapsulation added by the physical interface is not factored into the shaping rate measurement.
    • The CoS behavior works as expected when the physical interface carries the shaped GRE or IP-IP tunnel traffic only. If the physical interface carries other traffic, thereby lowering the available bandwidth for tunnel interface traffic, the CoS features do not work as expected.
  • On SRX550M, SRX5400, SRX5600, and SRX5800 devices, bandwidth limit and burst size limit values in a policer configuration are a per-SPU, not per-system limitation. This is the same policer behavior as on the physical interface.

Ethernet Switching

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, when you create an aggregated interface with two or more ports and if a link in the bundle goes down, the traffic forwarded through the same link will be rerouted two seconds later. This causes an outage for the traffic being sent to the link until reroute is complete.
  • SRX300, SRX320, SRX340, SRX345, and SRX550M devices do not support Connectivity Fault Management (CFM) packet level filtering. SRX Series devices do not forward the Link Trace Messages (LTMs) packets through Layer 2 engine if any CFM MPs configured on the device. You must configure maintenance association intermediate points (MIPs) on the intermediate device to pass the LTM packets to the other device.
  • In Junos OS Release 15.1X49-D40, the Three-color policer feature is not supported on SRX Series devices and vSRX instances.

Flow-based and Packet-based Processing

  • On SRX5400, SRX5600, and SRX5800 devices, in central point architecture, system logs are sent per second per SPU. Hence, the number of SPUs define the number of system logs per second.
  • On SRX340 and SRX345 devices, fabric interfaces must be configured such that the Media Access Control Security (MACsec) configurations are local to the nodes. Otherwise, the fabric link will not be reachable.

General Packet Radio Service (GPRS)

  • Starting in Junos OS Release 15.1X49-D40, the SCTP flow session utilizes a connection tag to more finely distribute SCTP traffic across SPUs on SRX5400, SRX5600, and SRX5800 devices that support the SCTP ALG. The connection tag is decoded from the SCTP vtag. A separate SCTP session will be created for each of the first three packets—that is, one session for INIT, INIT-ACK, and COOKIE-ECHO, respectively. Because, the reverse-direction traffic has its own session, the session can no longer match the existing forward-direction session and pass through automatically. Therefore, similar to the forward-direction policy, an explicit policy is needed for approving the reverse-direction SCTP traffic. In this scenario, the SCTP flow session requires a bidirectional policy configuration to be established for even a basic connection.
  • On SRX5000 Series devices, when you use the GTP inspection feature, during an ISSU from Junos OS Release 15.1X49-D10, 15.1X49-D20, or 15.1X49-D30 to Junos OS Release 15.1X49-D40 or later, GTPv0 tunnels will not be synchronized to the upgraded node.

    For GTPv1 and GTPv2, the tunnels will be synchronized, but the timeout gets restarted.

    Beginning with Junos OS Release 15.1X49-D40, ISSU is fully supported with the GTP inspection feature enabled.

Interfaces and Routing

  • On SRX1500 devices, when 1G SFP-T is used on the 1G SFP ports (ge-0/0/12 to ge-0/0/15), the ge interface does not operate at 100M speed.

Integrated User Firewall

  • In Junos OS Release 15.1X49-D50, you cannot use the Primary Group, whether by its default name of Domain Users or any other name (if you happened to have changed it), in integrated user firewall configurations.

    When a new user is created in Active Directory, the user is added to the global security group Primary Group which is by default called Domain Users. The Primary Group is less specific than other groups created in Active Directory because all users belong to it. Consequently it can become very large.

Software Installation and Upgrade

  • On SRX5000 Series devices, In-Service Software Upgrade (ISSU) is not supported for upgrading from earlier Junos OS releases to Junos OS Release 15.1X49. ISSU is supported for upgrading to successive Junos OS Release 15.1X49 releases and to major Junos OS releases.

    Note: SRX300 Series devices and SRX550M devices do not support ISSU.

Platform and Infrastructure

  • On SRX5800 devices, if global SOF policy (all session service-offload) is enabled, the connections per second (CPS) will be impacted due to IOC2 limitation. It is recommended to use IOC3 card if more sessions are required for SOF or lower the SOF session amount to make sure IOC2 is capable of handling it.

USB autoinstallation

  • On SRX300 Series Services Gateways on which the USB autoinstallation feature is enabled (the default configuration), removal of a USB storage device immediately after insertion is not supported.

    Note: USB autoinstallation is not supported on SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices.

    After you insert a USB storage device, Junos OS scans the device to check whether it contains the USB autoinstallation file. This process might take up to 50 seconds to complete depending on the quality of the USB storage device and the number and size of the files in the device. Removing the USB storage device while this process is running might cause the services gateway to reboot, the USB port to stop working, and data loss on the USB. We recommend that after inserting a USB storage device, you wait for at least 60 seconds before removing it.

    By issuing the set system autoinstallation usb disable command (which disables the USB autoinstallation feature) before you insert the USB device, you can reduce the waiting interval between insertion and removal of a USB storage device from 60 seconds to 20 seconds.


  • If the IKE external interface is disabled then enabled, tunnels that use TCP connections with NCP Exclusive Remote Access Clients may not come up. If this occurs, reduce the TCP timeout for the client connections with the inactivity-timeout option at the [edit applications application application-name] hierarchy level. The destination-port configured at the [edit applications application application-name] hierarchy level must match the ports option configured at the [edit security tcp-encap profile profile-name] hierarchy level. The configuration application must then be specified in the match application configuration at the [edit security policies from-zone from-zone to-zone to-zone policy policy-name] hierarchy level.

    Tunnels that use TCP connections might not survive ISSU if the dead peer detection (DPD) timeout is not large enough. If you see this happening, increase the DPD timeout to a value greater than 120 seconds. The DPD timeout is a product of the configured DPD interval and threshold. For example, if the DPD interval is 32 and the threshold is 4, the timeout is 128.

  • ISSU with VPN configuration is not supported when upgrading from a Junos OS release prior to 15.1X49-D75 to Junos OS Release 15.1X49-D75 and later releases. You can use ISSU with VPN configuration when upgrading from Junos OS Release 15.1X49-D75 to later releases. You can also use ISSU with VPN configuration to upgrade from Junos OS Release 15.1X49-D10 up to Junos OS Release 15.1X49-D70.
  • On SRX Series devices, configuring RIP demand circuits over P2MP VPN interfaces is not supported.
  • On SRX5400, SRX5600, and SRX5800 devices, do not use ISSU if upgrading from Junos OS Release 15.1X49-D30 through Junos OS Release 15.1X49-D60, if using any VPN configurations.

    As a workaround deactivate or remove all the VPN commands from the configuration before executing ISSU. If the workaround is used, all VPN tunnels and VPN traffic will be dropped during ISSU upgrade. Once ISSU has completed you may then re-enable the VPNs as before.

Modified: 2017-11-28