
Known Issues


This section lists the known issues in hardware and software in Junos OS Release 17.4R2.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Outstanding Issues

Application Layer Gateways (ALGs)

  • In a chassis cluster with logical systems configured, any ALG (except DNS ALG) enabled, and NAT configured for the ALG sessions, the flowd process on the secondary node might not work. PR1343552

Chassis Cluster

  • On SRX5600 and SRX5800 devices in chassis cluster mode, when the secondary Routing Engine is installed to enable dual control links, the show chassis hardware command might display the same serial number for both Routing Engines on both nodes. PR1321502

  • On SRX Series devices, the forwarding plane might fail over from node 0 to node 1 when an SPC stops unexpectedly. PR1331809

  • On SRX4600 devices with chassis cluster enabled, the dedicated fabric link is down when a failover occurs. PR1365969

Class of Service (CoS)

  • On SRX Series devices, if the action of forwarding-class is configured in the output direction on a firewall filter, the host outbound traffic matching the same term of this firewall filter will be blocked. PR1272286

Flow-based and Packet-based Processing

  • On SRX Series devices, the time range slider sometimes does not work for all events or for individual events in the Google Chrome or Firefox browser. PR1283536

  • On SRX4600 devices, when the next hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725

  • On all SRX Series devices, filter-based forwarding (FBF) does not work when applied on an IPsec tunnel interface (st0.*). PR1290834

  • On SRX Series devices with chassis cluster enabled, the ingress interface of the multicast session in the first logical system is reth2.0, which belongs to redundancy group 2. Redundancy group 2 is active on node 1. The ingress interface of the multicast session in the second logical system is the PLT interface, which belongs to redundancy group 1. Redundancy group 1 is active on node 0, so the multicast session in the second logical system is active on node 0. As a result, the multicast session active/backup state is not aligned with the forwarding traffic. This issue occurs when multicast traffic goes across logical systems. As a workaround, make RG-1 and RG-2 active on the same node. PR1295893

  • On SRX300, SRX320, SRX340, and SRX345 devices, if power outages occur many times in a short period, the device might get stuck at the loader prompt. PR1292962

  • On SRX Series devices, packet capture does not work after you change, delete, or add maximum capture size. PR1304723

  • On SRX Series devices, when you run the command clear nhdb statistics on the SPU PIC, the SPC might reset. PR1346320

  • The IPsec replay error for Z-mode traffic is observed. PR1349724

  • IPsec VPN traffic might be dropped on a pass-through SRX Series device after an IKE rekey. PR1353779

  • On the secondary control plane, a multicast session leak is observed for the PIM register. PR1360373

Intrusion Detection and Prevention (IDP)

  • After an IDP signature automatic update is scheduled, the secondary node might not update the signatures. PR1358489

Interfaces and Routing

  • An incorrect ingress packets-per-second value is observed on the MPLS-enabled interface. PR1328161

Interfaces and Chassis

  • On SRX1500, if Junos OS Release 15.1X49-D70 or later is installed and you have a single PEM in slot 0, you will see an alarm saying PEM 1 is not present. PR1265795

  • On SRX4600 devices, the 1GE interface is not supported in Junos OS Release 17.4R2. PR1315073

Platform and Infrastructure

  • SSH to the device fails if the phone-home: kern.maxfiles limit is exceeded. PR1357076

  • On SRX4100 and SRX4200 devices, the SRX Network Time Protocol (NTP) client might not stay synchronized to the NTP server and as a result the device clock often switches from NTP to local time. PR1357843

Routing Policy and Firewall Filters

  • Application identification (AppID) classifies traffic as UNKNOWN when it is sourced from or destined to the SRX Series device itself.

  • On SRX Series devices, DNS name entries in policies might not be resolved if the routing instance is configured under a system name server. PR1347006

Routing Protocols

  • On SRX Series devices, RIP is supported in packet to packet DC mode on st0 interfaces. PR1141817

  • A new CLI command, stickydr, is required to prevent traffic loss during disaster recovery. PR1352589


  • IPsec uses ESP as the default protocol if the user does not explicitly configure the protocol. PR1061838

  • When an SRX Series device acts as an initiator behind NAT, disabling NAT on the router in between causes an immediate failure of the new negotiation, because the attempt is made using port 4500. The next attempt succeeds by using port 500. Disabling NAT, bringing down all the existing tunnels, and re-establishing the tunnels with port 500 is the expected behavior. PR1273213

  • On SRX Series devices, if multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector rekeys at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without an immediate rekey. New negotiation of those traffic selectors might be triggered through other mechanisms, such as traffic or the peer. PR1287168

  • On SRX Series devices, when the VPN monitoring feature is enabled, the st interfaces go down immediately. PR1295896

  • If a period (.) is present in the CA profile name, the PKID might face issues if it is restarted at any point. PR1351727

  • On SRX5600 and SRX5800 devices, traffic loss is observed during VPN to AutoVPN configuration migration. PR1362317