Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Known Issues

    This section lists the known issues in hardware and software in Junos OS Release 17.3R3.

    For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

    Outstanding Issues

    Application Layer Gateways (ALGs)

    • On SRX5000 line devices, when you use the SIP ALG and you have multiple local SIP servers with consecutive IP addresses, the SIP session distribution over the SPUs might not be optimal in some cases. PR1337549

    • On high-end SRX chassis clusters with Logical Systems configured, when any ALG (excepts DNS ALG) is enabled, and NAT is configured for the ALG sessions, the flowd process on the secondary node might crash. PR1343552

    Authentication and Access Control

    • On SRX Series devices with user firewall feature, the users sometimes fails to authenticate from LDAP server and gets the authorized group though the group mapping shows correctly for that particular user.PR1282744

    • For a security policy with HTTP pass-through firewall authentication being configured, we recommend that you configure web-redirect for HTTP pass-through firewall authentication instead of using direct HTTP pass-through firewall authentication because web browser may automatically carry credential in subsequential request to target web-server.PR1230447

    • A user session is disconnected due to aging out of a fwauth entry in spite of an existing session. PR1265571

    • Incomplete RSI is displayed on the configuration. PR1329967

    • On SRX Series devices, the sessions might close because of the "idle Timeout junos-fwauth-adapter" logs. PR1330926

    • The uacd process is unstable after upgrading to Junos OS Release 12.3X48 and higher. PR1336356

    • New configuration is available to configure the web-authentication timeout. PR1339627

    Chassis Clustering

    • On SRX Series devices, the configuration commit may succeed even though the external logical interface configuration(reth) associated with the Internet Key Exchange (IKE) VPN gateway configuration is deleted. This will lead to configuration load failure upon next device boot-up. PR1352559

    • On SRX5600 and SRX5800 devices, when the second routing-engine is installed to enable dual control links, the operational command show chassis hardware displays the the same serial number for both the second routing engines on both the nodes. PR1321502

    • On SRX Series devices in a chassis cluster, the synchronization monitoring configuration might fail if the following configuration is enabled: set system encrypt-configuration-files. The synchronization monitoring configuration failure might result in disabling the secondary node after reboot. PR1235628

    • On SRX1400, SRX3000 and SRX5000 Series devices, with a multicast scenario, when services-offload is enabled, all the packets might be dropped on backup node1 after RG1 failover from node0 to node1 . PR1323024

    • On SRX Series devices, if an IPv6 session is closed and at the same time the related data-plane Redundancy Group (RG) failover occurs, the IPv6 session on the backup node may get paused and cannot be cleared. PR1354448

    Class of Service (CoS)

    • On all SRX Series devices, if the action of forwarding-class is configured in the output direction on a firewall filter, the host outbound traffic matching the same term of this firewall filter will be blocked. PR1272286


    • On SRX5400, SRX5600, and SRX5800 devices, the CLI hangs while displaying CA profile group. This CA profile group contains CA certificates with 100’s of certificates, and the CLI times out as PKId needs excessive time to handle such requests. Instead of displaying entire CA group, you can display the individual CA profile inside the CA group to avoid this problem. PR1276619

    Flow-based and Packet-based Processing

    • On SRX Series devices, when you run the clear nhdb statistics command on an SPU PIC, the SPC might reset. PR1346320

    • The show host server name-server host CLI command fails when the source address is specified under the name-server configuration. PR1307128

    • On SRX 300 line devices, the Packet Forwarding Engine CPU utilization reaches 100% in every 10 minutes even though the session count has not been increased.PR1284971

    • On SRX300 line platforms in ethernet-switching mode, STP change state might not be pushed into the Packet Forwarding Engine. PR1259286

    • On all branch SRX Series devices, the set system ports console insecure feature does not work as expected and fails to prevent non-root users from performing password recovery by using the console. This vulnerability might allow a non-root user with physical access to the console port to gain full administrative privileges. Refer to JSA10683 for more information. PR1241006

    • On SRX Series devices, packet forwarding traffic is stopped when a transient memory parity error is observed on MPC Endpoint Mapper (EPM) port-group wedge. PR1220019

    • On SRX3000 line and SRX5000 line platforms, cold-sync will fail when SPC is stuck and traffic loss occurs. PR1240983

    • On applying jflow related configuration, the vmcore log file is generated. PR1292443

    • On SRX Series devices with chassis cluster enabled, the ingress interface of the multicast session in the first logical system is reth2.0, which belongs to redundancy group 2. Redundancy group 2 is active on node 1. The ingress interface of multicast session in the second logical system will be the PLT interface, which belongs to redundancy group 1. Redundancy group 1 is active on node 0. So, the multicast session in the second logical system will be active on node 0. Due to this condition multicast session active/backup is not aligned with forwarding traffic. This issue occurs when multicast traffic goes across logical systems. As a workaround to make RG-1 and RG-2 active on the same node. PR1295893

    • The IPsec tunnel might fail to establish if the datapath-debug configuration includes the preserve-trace-order option or the record-pic-history option or both options. PR1311454

    • On chassis cluster, if IPSec VPN tunnel with traffic-selector is configured, when packets TTL is 1 and across SRX, the flow core dump is generated on both nodes of a cluster. PR1316134

    • Return traffic through the routing instance might drop intermittently after changing the zone and routing-instance configuration on the st0.x interface. PR1316839

    • Flowd core files are generated on both nodes, causing an outage. PR1324476

    • On the SRX5000 line of devices with an SRX5K-MPC3-40G10G (IOC3) or an SRX5K-MPC3-100G10G, the IPv6 traffic might be dropped if the IOC3 with the Express path feature is applied.PR1331401

    • SSH to the loopback interface of the SRX does not work, when AppTrack is configured on the Zone which has the loopback interface.PR1343736

    • The flowd process might stop when the SYN-proxy function is configured.PR1343920

    • On SRX5000 Series devices, when running the SNMP mib IjnxJsSPUMonitoringCurrentFlowSession and nxJsSPUMonitoringTotalSessIPv4.0, the numbers displayed are not accurate. PR1344352

    • On SRX Series devices, the IPSec replay error might be seen on the IKE peer in cluster Z mode. PR1349724

    Interfaces and Routing

    • The CLI command set protocols rstp interface all does not enable RSTP on all interfaces. PR1355586

    • On SRX series devices, if the MPLS interface is enabled, the pps statistics are not correct for the input packets. PR1328161

    • The connection between the SRX Series device and JIMS times out. The solution is to enforce keepalives on the TCP connection. The SRX Series code is being modified to enforce keepalives. In the meantime the JIMS 1.0.1R1 release has a workaround to avoid the issue: JIMS server will enforce keepalive (likely depends on SRX series fix as well) Connection limit will be raised to 1000 from 10. PR1311446

    • IRB interface cannot be disabled or enabled in RPM. PR1219570

    Intrusion Detection and Prevention (IDP)

    • The output of show security idp status does not accurately reflect the number of decrypted SSL/TLS sessions being inspected by IDP. PR1304666


    • In the factory default configuration we have following commands to open up the Phone home page set system phone-home server and set system phone-home rfc-complaint command. If you want to configure the device by using J-Web then you will have to click the option SKIP to JWEB. Once you click you will be asked for root authentication password and to clear the phone commands in CLI. Session will redirect to J-Web page automatically to configure the Setup wizard. Automatic redirection does not work in FireFox and Internet Explore. You need to perform a manual refresh in these browsers. PR1284341

    • On SRX Series devices, the DHCP relay configuration in J-Web under Configure>Services>DHCP>DHCP Relay page is not available. However, the same DHCP relay can be configured using the CLI. PR1205911

    • On SRX Series devices, the Routing Engine (RE) resource utilization on J-Web dashbord displays as 100% when J-Web fails to get resource information.. PR1351416

    Network Address Translation (NAT)

    • On SRX5000 Series devices, if the SIP or H323 ALG is configured, the arena utilization on a FPC might spike and displays a warning log message Warning: Arena utilization reaches critical level!. Then arena utilization falls back to normal level. If the memory is exhausted, it might affect some features of SRX. PR1336228

    Network Management and Monitoring

    • On SRX Series devices, the syslog messages from the secondary node might not reach the syslog server when reth I/F is source interface for syslog. This issue does not impact traffic.PR1252128

    • On SRX1400, SRX3400, and SRX3600 devices with a NP-IOC card installed, the data-plane related to the NP-IOC card might be stuck, which might cause child interfaces to be removed from the ae/reth LAG when the LACP is enabled. PR1285011

    Platform and Infrastructure

    • On SRX1500 devices, when the power supply fails, the trap sent might contain incorrect information. PR1315937

    • An SPU might become inaccessible from the Routing Engine because of a memory-buffer counter corruption. Because of this issue, a service outage occurs in certain scenarios, for example, when IPsec is configured with certificate-based authentication. PR1102376

    • Starting with Junos OS Release 15.1X49-D30 and later, on SRX5400, SRX5600, and SRX5800 devices, some CLI commands are missed in the Request Support Information (RSI) script. PR1236874

    • On SRX Series devices, when committing the configuration with apply-groups, the VPN might flap. PR1242757

    • On SRX Series devices, the routes activated by IP-Monitoring is not getting cleared after the probe status change from Fail to Pass. The show services ip-monitoring status shows the route NOT-APPLIED but show route might show ip-monitoring route active (Static route with preference 1). PR1263078

    • On SRX Series devices, Network Time Protocol (NTP) synchronous got failed minutes after synchronizing NTP. PR1296236

    • On SRX5400, SRX5600, and SRX5800 devices, the packet captured by datapath-debug on an IOC2 card might be truncated. PR1300351

    • On SRX Series devices, IPsec VPN tunnels might go down when you commit the configuration from Junos Space, Junos script, or J-Web. PR1317664

    • The data plane does failover from node 0 to node 1 when one SPC stops unexpectedly. PR1331809

    Routing Policy and Firewall Filters

    • On SRX Series devices with User Firewall feature, under some conditions, a core file of flowd or useridd might be triggered. PR1299494

    • On SRX Series devices, when you use Integrated User Firewall (IUF), the useridd might consume high CPU usage. The traceoptions of IUF might have lots of UGCALC_AD_MEMBER_UPDATE messages. PR1280783

    • On SRX Series devices, when there is at least one policy using the range address in a zone, the network security daemon (NSD) crashes after executing show security shadow-policies command. PR1232736

    • On SRX Series devices, the nsd process crashes on Packet Forwarding Engine (PFE) when you commit a large security policy (for example: 70,000 lines)).PR1354576

    Routing Protocols

    • On SRX Series devices, RIP is supported in packet-to-packet DC mode on st0 interfaces.PR1141817

    • Dedicated BFD does not work on SRX Series devices. PR1312298

    • A new CLI command stickydr interval is introduced to prevent traffic loss during DR failover. PR1352589

    Software Installation and Upgrade

    • On SRX1500 devices, the fan speed often fluctuates. PR1335523

    • Downgrading SRX1500, SRX4100, and SRX4200 devices from Junos OS release 17.4R1 or higher version to Junos os release 15.1X49 or Junos OSrelease 17.3 will return to factory-default configurations. Delete the IDP configuration before proceeding to downgrade. PR1330180

    System Logs

    • RT_SCTP_DATA_MSG_M3UA_SI SCTP messages are not logged in sctp_syslog messages. PR1268849

    User Firewall and Authentication

    • User firewall has provision to fetch the user-group from the active directory server. PR1268849

    Unified Threat Management (UTM)

    • For a security policy with HTTP pass-through firewall authentication being configured, it is recommended to configure web-redirect for HTTP pass-through firewall authentication instead of using direct HTTP pass-through firewall authentication because the web browser might automatically carry credentials in subsequent request to the target web-server. PR1351457

    VLAN Infrastructure

    • In SRX Series devices working on transparent mode, an invalid MAC cache entry may be used to match the destination MAC for packets, which results in the flowd process crash. The fix is to add a preventive check to MAC entry from the MAC cache table. PR1355381


    • On all SRX Series devices, enabling or disabling CRL download in CA profile does not work as expected. PR1280530

    • On the hub side, autoVPN tunnel fails to come up if establish immediately is configured. Since establish immediately is not needed on the hub side, there is no impact if establish immediately is not configured on the hub side. PR1160948

    • On branch SRX Series devices in HA mode, VPN-monitoring with optimized option is configured and traffic goes through the IPsec tunnel. The VPN-monitoring status will be displayed as down after RG0 failover. PR1203723

    • On SRX5600 devices, if st0 interface is moved from one routing instance to another routing instance, there might be some traffic disruption.PR1241505

    • On SRX High End Series devices, if traffic-selector is configured with DPD backup gateway, the IKE redundant gateway failover fails. This may cause IPSec management daemon to restart. PR1249908

    • On SRX Series devices in a chassis cluster, in a rare condition, modifying the IPsec VPN configuration might cause /var/etc/ file mismatch between both primary node and secondary node, then the RG0 failover results in the kmd process crash on the new primary node. PR1250178

    • If a new IP is assigned by authd daemon after every user is authenticated, regardless of the user already having an IP assigned from an early authentication. In case of IKEv1, authentication occurs at every IKE phase 1 SA rekey. If the KMD daemon restarts immediately (within 2 minutes) after an IKEv1 phase 1 SA rekey, there is a possibility that the newly assigned IP has not been released to authd daemon yet. This will lead to the leak of that IP. PR1252181

    • On all SRX Series devices, when manual route-based IPsec VPN is configured, enabling VPN monitoring will cause the st0.* interface down, which results in VPN traffic dropping. PR1259422

    • ADVPN shortcuts can cause kmd core files on the suggester.PR1259844

    • On SRX Series devices, manual Next-Hop Tunnel Binding (NHTB) does not work on Junos OS 15.1X and 12.3X releases. The following error is displayed on the IKE traces Internal Error: Manual NHTB add failed. PR1266797

    • On SRX Series devices, if traffic-selector is configured, the IKE redundant gateway failover fails. PR1270000

    • When an SRX Series device acts as an initiator behind the NAT, disabling NAT on the router in between causes an immediate new negotiation failure because of an attempt to disable NAT using the port 4500. The next attempt succeeds by using the port 500. Disabling NAT and bringing down all the existing tunnels and re-establishing the tunnels with port 500 is the expected behavior. PR1273213

    • On all SRX Series devices, if a large number of IPsec VPN tunnels are established (for example, 16k traffic-selector based tunnels are established on an SRX5600 platform), changing the configuration of IPsec VPN (for example, removing some or all these IPsec VPN tunnels and then adding them again) might result in VPN tunnels being established in the the data plane. However, the VPN configuration is already removed in the Routing Engine, which results in the kmd process crash. PR1276058

    • On all SRX Series devices, when ike-ha-link-encryption is enabled, the IKE and IPsec configuration might not be pushed to data-plane. PR1277229

    • On SRX5000 line platforms, you cannot load PKI local-certificate and CA certificate with cmpv2. PR1277317

    • On all SRX Series devices, CRL download fails when missing content-length field in http header and CRL occupies are in at least 2 packets.PR1278631

    • Occasionally, next-hop tunnel binding (NHTB) is not installed during rekey for VPN using IKEv1.PR1281833

    • Commit returns a warning for NULL authentication and remains a commit error for FIPS mode. PR1285284

    • On SRX Series devices, in case multiple traffic-selectors are configured for a peer with IKEv2 reauthentication, only one traffic-selector rekeys at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic-selectors are cleared without immediate rekey. New negotiation of those traffic-selectors might be triggered through other mechanisms such as traffic or peer. PR1287168

    • On SRX Series devices, IPsec traffic statistics counters return 32-bit values, which might quickly overflow. PR1301688

    • The kmd process might stop in NAT-T scenario. PR1302814

    • The kmd process might generate a core file when all the VPNs are down.PR1336368

    • On SRX Series devices, when using the PKID and there is a period "." in the configured CA profile name, the PKID daemon will run into issues after device restart or a pki-service restart, causing PKI related issues such as CRL download failing. PR1351727

    Modified: 2018-05-31