Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
[accounting-options] Hierarchy
- On SRX210 and SRX240 devices, the accounting, source-class, and destination-class statements in the [accounting-options] hierarchy level are not supported.
AX411 Access Point
- On SRX100 devices, there are command-line interface (CLI) commands and J-Web tabs for wireless LAN configurations related to the AX411 Access Point. However, at this time the SRX100 devices do not support the AX411 Access Point.
Chassis Cluster
On SRX Series and J Series devices, the following features are not supported when chassis clustering is enabled on the device:
- All packet-based protocols, such as MPLS, Connectionless Network Service (CLNS), and IP version 6 (IPv6)
- Any function that depends on the configurable interfaces:
  - lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)
  - gr-0/0/0—Generic routing encapsulation (GRE) and tunneling
  - ip-0/0/0—IP-over-IP (IP-IP) encapsulation
  - pd-0/0/0, pe-0/0/0, and mt-0/0/0—All multicast protocols
  - lt-0/0/0—Real-time performance monitoring (RPM)
- WXC Integrated Services Module (WXC ISM 200)
- ISDN BRI
- Layer 2 Ethernet switching
The factory default configuration for SRX100, SRX210, and SRX240 devices automatically enables Layer 2 Ethernet switching. Because Layer 2 Ethernet switching is not supported in chassis cluster mode, for these devices, if you use the factory default configuration, you must delete the Ethernet switching configuration before you enable chassis clustering.

Caution: Enabling chassis clustering while Ethernet switching is enabled is not a supported configuration. Doing so might result in undesirable behavior from the devices, leading to possible network instability.
The default configuration for other SRX Series devices and all J Series devices does not enable Ethernet switching. However, if you have enabled Ethernet switching, be sure to disable it before enabling clustering on these devices too.
For more information, see the “Disabling Switching on SRX100, SRX210, and SRX240 Devices Before Enabling Chassis Clustering” section in the JUNOS Software Security Configuration Guide.
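The following is an added example of the switching removal described above; it is not taken from these release notes or from the configuration guide they cite. It assumes an SRX210 on the factory default configuration, where the switch ports are fe-0/0/2 through fe-0/0/7, members of VLAN vlan-trust whose Layer 3 interface vlan.0 sits in zone trust; the interface and VLAN names are therefore assumptions and must be checked against your own configuration. It also assumes a two-node cluster with cluster-id 1; the same steps are repeated on the second device with `node 1`. Lines beginning with `#` are explanatory annotations, not commands to type.

```junos
# Configuration mode on the device that will become node 0.
# First find every switching statement actually present (names below are assumed for SRX210):
#   show configuration | display set | match "ethernet-switching|vlans|interfaces vlan"
configure

# Remove the zone binding of the Layer 3 VLAN interface, then the interface itself.
delete security zones security-zone trust interfaces vlan.0
delete interfaces vlan

# Remove the VLAN definitions and the spanning-tree protocol the default config enables.
delete vlans
delete protocols stp

# Remove family ethernet-switching from every switch port (repeat for each port found above).
delete interfaces fe-0/0/2 unit 0 family ethernet-switching
delete interfaces fe-0/0/3 unit 0 family ethernet-switching
delete interfaces fe-0/0/4 unit 0 family ethernet-switching
delete interfaces fe-0/0/5 unit 0 family ethernet-switching
delete interfaces fe-0/0/6 unit 0 family ethernet-switching
delete interfaces fe-0/0/7 unit 0 family ethernet-switching

commit and-quit

# Back in operational mode: verify that no switching configuration survived.
# This must print nothing before clustering is enabled.
show configuration | display set | match "ethernet-switching|vlans|interfaces vlan"

# Only after the check above comes back empty, enable clustering (the device reboots).
set chassis cluster cluster-id 1 node 0 reboot
```

The verification step is the part worth keeping: the commit succeeds whether or not switching statements remain, so the `match` filter on the `display set` output is the only cheap way to prove the precondition the caution above requires.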
SRX Series devices have the following limitations:
- Only two of the 10 ports on each PIC of 40-port 1-Gigabit Ethernet I/O cards (IOCs) for SRX5600 and SRX5800 devices can simultaneously enable IP address monitoring. Because there are four PICs per IOC, this permits a total of eight ports per IOC to be monitored. If more than two ports per PIC on 40-port 1-Gigabit Ethernet IOCs are configured for IP address monitoring, the commit will succeed but a log entry will be generated, and the accuracy and stability of IP address monitoring cannot be ensured. This limitation does not apply to any other IOCs or devices.
- SRX3400, SRX3600, SRX5600, and SRX5800 devices have the following limitations:
  - IP address monitoring is not permitted on redundant Ethernet interface LAGs or on child interfaces of redundant Ethernet interface LAGs.
  - In-service software upgrade (ISSU) does not support version downgrading. That is, ISSU does not support running an ISSU install of a software release package earlier or with a smaller release number than the currently installed version.
  - On SRX3000 and SRX5000 line chassis clusters, screen statistics data can be gathered on the primary device only.
J Series devices have the following limitations:
- A Fast Ethernet port from a 4-port Ethernet PIM cannot be used as a fabric link port in a chassis cluster.
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in-service software upgrade (ISSU) does not support version downgrading. That is, ISSU does not support running an ISSU install of a JUNOS Software version that is earlier than the currently installed version.
Command-Line Interface (CLI)
On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the device by using the CLI.
The number of users allowed to access the device is limited as follows:
- For SRX210 devices: four CLI users and three J-Web users
- For SRX240 devices: six CLI users and five J-Web users
Dynamic VPN
SRX100, SRX210, and SRX240 devices have the following limitations:
- The IKE configuration for the dynamic VPN client does not support the hexadecimal preshared key.
- The dynamic VPN client IPsec does not support the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol with NULL authentication.
- When you log in through the Web browser (instead of logging in through the dynamic VPN client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the dynamic VPN client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).
Flow and Processing
- Maximum concurrent SSH, Telnet, and Web sessions—On SRX210, SRX240, and SRX650 devices, the maximum number of concurrent sessions is as follows:

| Sessions | SRX210 | SRX240 | SRX650 |
|---|---|---|---|
| ssh | 3 | 5 | 5 |
| telnet | 3 | 5 | 5 |
| Web | 3 | 5 | 5 |

Note: These defaults are provided for performance reasons.
- On SRX210 and SRX240 devices, for optimized efficiency, we recommend that you limit use of CLI and J-Web to the following numbers of sessions:

| Device | CLI | J-Web | Console |
|---|---|---|---|
| SRX210 | 3 | 3 | 1 |
| SRX240 | 5 | 5 | 1 |
- On SRX100 devices, Layer 3 control protocols (OSPF, using multicast destination MAC address) on the VLAN Layer 3 interface work only with access ports.
- On SRX210, SRX240, and J Series devices, broadcast TFTP is not supported when flow is enabled on the device.
- On SRX5800 devices, network processing bundling is not supported in Layer 2 transparent mode.
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, downgrading is not supported in low-impact in-service software upgrade (ISSU) chassis cluster upgrades (LICU).
Hardware
This section covers filter and policing limitations.
- On SRX3400 and SRX3600 devices, the following feature is not supported by a simple filter:
  - Forwarding class as match condition
- On SRX3400 and SRX3600 devices, the following features are not supported by a policer or a three-color-policer:
  - Color-aware mode of a three-color-policer
  - Filter-specific policer
  - Forwarding class as action of a policer
  - Logical interface policer
  - Logical interface three-color policer
  - Logical interface bandwidth policer
  - Packet loss priority as action of a policer
  - Packet loss priority as action of a three-color-policer
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following features are not supported by a firewall filter:
  - Policer action
  - Egress filter-based forwarding (FBF)
  - Forwarding table filter (FTF)
- SRX3400 and SRX3600 devices have the following limitations of a simple filter:
  - In the packet processor on an IOC, up to 100 logical interfaces can be applied with simple filters.
  - In the packet processor on an IOC, the maximum number of terms of all simple filters is 4000.
  - In the packet processor on an IOC, the maximum number of policers is 4000.
  - In the packet processor on an IOC, the maximum number of three-color-policers is 2000.
  - The maximum burst size of a policer or three-color-policer is 16 MB.
- On SRX650 devices, the T1/E1 GPIMs (2 or 4 port version) do not work in 9.6R1. This issue is resolved in JUNOS Release 9.6R2 and JUNOS Release 10.1, but if you roll back to the 9.6R1 image, this issue is still seen.
Interfaces and Routing
- On SRX650 devices, MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.
- On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls under the reserved VLAN address range, and VLANs from this range cannot be configured by the user.
- On SRX650 devices, the last 4 ports of a 24-Gigabit Ethernet switch GPIM can be used either as RJ-45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, then the interface will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go up and down intermittently. Similarly when the RJ-45 medium is active and an SFP link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.
- On SRX Series and J Series devices, the user can use IPsec only on an interface that resides in the default routing instance (inet.0). The user will not be able to assign an internal or external interface to the IKE policy if that interface is placed in a routing instance other than the default instance.
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following multicast IPv6 and MVPN CLI commands are not supported. However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message.
  - show pim interfaces inet6
  - show pim neighbors inet6
  - show pim source inet6
  - show pim rps inet6
  - show pim join inet6
  - show pim mvpn
  - show multicast next-hops inet6
  - show multicast rpf inet6
  - show multicast route inet6
  - show multicast scope inet6
  - show multicast pim-to-mld-proxy
  - show multicast statistics inet6
  - show multicast usage inet6
  - show msdp sa group <group>
  - set protocols pim interface interface family inet6
  - set protocols pim disable interface interface family inet6
  - set protocols pim family inet6
  - set protocols pim disable family inet6
  - set protocols pim apply-groups group disable family inet6
  - set protocols pim apply-groups group family inet6
  - set protocols pim apply-groups-except group disable family inet6
  - set protocols pim apply-groups group interface interface family inet6
  - set protocols pim apply-groups group apply-groups-except group family inet6
  - set protocols pim apply-groups group apply-groups-except group disable family inet6
  - set protocols pim assert-timeout timeout-value family inet6
  - set protocols pim disable apply-groups group family inet6
  - set protocols pim disable apply-groups-except group family inet6
  - set protocols pim disable export export-join-policy family inet6
  - set protocols pim disable dr-election-on-p2p family inet6
  - set protocols pim dr-election-on-p2p family inet6
  - set protocols pim export export-join-policy family inet6
  - set protocols pim import export-join-policy family inet6
  - set protocols pim disable import export-join-policy family inet6
- On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 kbps or above), keepalives do not get exchanged, and the interface goes down.
Intrusion Detection and Prevention (IDP)
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, application-level distributed denial-of-service (application-level DDoS) detection does not work if two rules with different application-level DDoS applications process traffic going to a single destination application server. When setting up application-level DDoS rules, make sure you do not configure rulebase-ddos rules that have two different application-ddos objects while the traffic destined to one application server can process more than one rule. Essentially, for each protected application server, you have to configure the application-level DDoS rules so that traffic destined for one protected server only processes one application-level DDoS rule.

Note: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.

The following configuration options can be committed, but they will not work properly:

| source-zone | destination-zone | destination-ip | service | application-ddos | Application Server |
|---|---|---|---|---|---|
| source-zone-1 | dst-1 | any | http | http-appddos1 | 1.1.1.1:80 |
| source-zone-2 | dst-1 | any | http | http-appddos2 | 1.1.1.1:80 |
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level denial-of-service (application-level DDoS) rulebase (rulebase-ddos) does not support port mapping. If you configure an application other than default, and if the application is from either predefined JUNOS Software applications or a custom application that maps an application service to a nonstandard port, application-level DDoS detection will not work.
When you configure the application setting as default, IDP uses application identification to detect applications running on standard and nonstandard ports, hence the application-level DDoS detection would work properly.
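An added example, not from these release notes, that puts the two-rule arrangement from the table above beside a single-rule form honouring both constraints just described: one application-ddos object per protected server, and `application default` so that application identification rather than port mapping recognises the service. The `security idp application-ddos` object and the `rulebase-ddos rule ... match`/`then` hierarchy are written from the Junos 10.x IDP configuration syntax as recalled here and should be verified against your release; the policy name ddos-policy, the rule names, and the address-book entry web-srv (standing for the 1.1.1.1 server in the table) are hypothetical. Lines beginning with `#` are annotations, not commands.

```junos
# --- Arrangement the release notes say commits but does not detect ---
# Two rules, two application-ddos objects, one destination server (web-srv), and a
# predefined application instead of default. This is the pattern to avoid.
set security idp idp-policy ddos-policy rulebase-ddos rule r1 match from-zone source-zone-1 to-zone dst-1 destination-address web-srv application junos-http
set security idp idp-policy ddos-policy rulebase-ddos rule r1 then application-ddos http-appddos1
set security idp idp-policy ddos-policy rulebase-ddos rule r2 match from-zone source-zone-2 to-zone dst-1 destination-address web-srv application junos-http
set security idp idp-policy ddos-policy rulebase-ddos rule r2 then application-ddos http-appddos2

# --- Corrected form: exactly one rule and one application-ddos object per protected server ---
delete security idp idp-policy ddos-policy rulebase-ddos

# One application-ddos object carrying the thresholds for this server (threshold values are illustrative).
set security idp application-ddos http-appddos1 service http
set security idp application-ddos http-appddos1 connection-rate-threshold 1000
set security idp application-ddos http-appddos1 context http-url hit-rate-threshold 5000 value-hit-rate-threshold 200 time-binding-count 10 time-binding-period 60

# from-zone any folds source-zone-1 and source-zone-2 into a single terminal rule, so traffic to
# web-srv can only ever hit this rule; application default hands service recognition to
# application identification, which also covers HTTP on nonstandard ports.
set security idp idp-policy ddos-policy rulebase-ddos rule r1 match from-zone any to-zone dst-1 destination-address web-srv application default
set security idp idp-policy ddos-policy rulebase-ddos rule r1 then application-ddos http-appddos1

set security idp active-policy ddos-policy
commit
```

The design rule to carry away is that the per-server rule count, not the per-zone rule count, is what must be one: widen the match (`from-zone any`, a broader source address) rather than splitting the same server across rules, and keep any per-zone differences in the zone security policy rather than in rulebase-ddos.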
- On SRX Series and J Series devices, IP actions do not work when you select a timeout value greater than 65,535 in the IDP policy.
- On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions supported is 16,000.
- On SRX Series devices, all IDP policy templates are supported except All Attacks. There is a 100-MB policy size limit for integrated mode and a 150-MB policy size limit for dedicated mode, and the current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past the policy-size limit. On SRX Series devices, the following IDP policies are supported:
  - DMZ_Services
  - DNS_Service
  - File_Server
  - Getting_Started
  - IDP_Default
  - Recommended
  - Web_Server
- IDP deployed in both active/active and active/passive chassis clusters has the following limitations:
  - No inspection of sessions that fail over or fail back.
  - The IP address action table is not synchronized across nodes.
  - The Routing Engine (RE) on the secondary node might not be able to reach networks that are reachable only through a Packet Forwarding Engine (PFE).
  - The SSL session-ID cache is not synchronized across nodes. If an SSL session reuses a session-ID and it happens to be processed on a node other than the one on which the session-ID is cached, the SSL session cannot be decrypted and will be bypassed for IDP inspection.
- IDP deployed in active/active chassis clusters has the following limitation:
  - For time-binding scope source traffic, if attacks from a source with more than one destination have active sessions distributed across nodes, the attack might not be detected because time-binding counting has a local-node-only view. Detecting this sort of attack requires an RTO synchronization of the time-binding state that is not currently supported.
J-Web
- On J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.
- On SRX650 devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. To configure a VLAN interface for an IKE gateway, use the CLI.
NetScreen-Remote
- On SRX Series devices, NetScreen-Remote is not supported in JUNOS Release 10.1.
Network Address Translation (NAT)
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involving NAT traversal do not work if the IKE peer is behind a NAT device that will change the source IP address of the IKE packets during the negotiation. For example, if the NAT device is configured with DIP, it changes the source IP because the IKE protocol switches the UDP port from 500 to 4500.
- The following describes the maximum numbers of NAT rules and rule sets supported:
  - For static NAT, up to 32 rule sets and up to 256 rules per rule set can be configured on a device.
  - For destination NAT, up to 32 rule sets and up to 8 rules per rule set can be configured on a device.
  - For source NAT, the following are the maximum numbers of source NAT rules that can be configured on a device:
    - 512 for J Series, SRX100, and SRX210 devices
    - 1024 for SRX240 and SRX650 devices
    - 8192 for SRX3400, SRX3600, SRX5600, and SRX5800 devices

  These are systemwide maximums for total numbers of source NAT rules. There is no limitation on the number of rules that you can configure in a source NAT rule set as long as the maximum number of source NAT rules allowed on the device is not exceeded.
Performance
- J Series devices now support IDP and UTM functionality. Under heavy network traffic in a few areas of functionality, such as NAT and IPsec VPN, performance is still being improved to reach the high levels to which Juniper Networks is consistently committed.
SNMP
- On J Series devices, the SNMP NAT-related MIB is not supported in JUNOS Release 10.1.
System
- On SRX650 devices, if one of the four Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/3) is linked up at 10 or 100 Mbps, it will not support jumbo frames. Frames greater than 1500 bytes are dropped.
Unified Threat Management (UTM)
- UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.
VPNs
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IPsec NAT-T tunnel scaling and sustaining issues are as follows:
  - For a given private IP address, the NAT device should translate both the 500 and 4500 private ports to the same public IP address.
  - The total number of tunnels from a given public translated IP cannot exceed 1000 tunnels.
WLAN
- The following are the maximum numbers of access points that can be configured and managed from SRX Series devices:
  - SRX210—4 access points
  - SRX240—8 access points
  - SRX650—16 access points

Note: The number of licensed access points can exceed the maximum number of supported access points. However, you can only configure and manage the maximum number of access points.
Related Topics
- New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
- Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
- Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers