Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
- Outstanding Issues In JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
- Resolved Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
Outstanding Issues In JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
The following problems currently exist in SRX Series and J Series devices. The identifier following the description is the tracking number in our bug database.
Application Layer Gateways (ALGs)
- On SRX5600 devices, if you run the show security alg sip counters command while doing a bulk call generation, it might bring down the SPU with a flowd core file error. [PR/292956]
- On SRX210 devices, the SCCP call cannot be set up after disabling and enabling the SCCP ALG. The call does not go through. [PR/409586]
- On SRX3400 and SRX3600 devices, RTSP, TFTP, and FTP ALG at scale in Layer 2 mode with A/P is not supported in JUNOS Release 10.1. [PR/474140]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, by default ALGs are enabled. When security policies are configured with IDP service, there might be packet drops. When IDP service is enabled through security policy configuration, we recommend that you disable some or all ALGs through configuration to avoid packet drops. For example: set security alg rtsp disable. [PR/474629]

Note: Disabling ALGs prevents auxiliary or pinhole session creation, and those sessions might not be permitted based on security policy. Whether ALGs need to be enabled, and whether IDP inspection is required for all or a subset of traffic, depends on the customer network and the services being run.
Authentication
- On J Series devices, your attempt to log in to the router from a management device through FTP or Telnet might fail if you type your username and password in quick succession before the prompt is displayed, in some operating systems. As a workaround, type your username and password after getting the prompts. [PR/255024]
- On J Series devices, after the user is authenticated, if the webauth-policy is deleted or changed and an entry exists in the firewall authentication table, then an authentication entry created as a result of webauth will be deleted only if a traffic flow session exists for that entry. Otherwise, the webauth entry will not get deleted and will only age out. This behavior will not cause a security breach. [PR/309534]
AX411 Access Point
- On SRX210 PoE devices, the access point reboots when 100 clients are associated simultaneously and each one is transmitting 512-byte packets at 100 pps. [PR/469418]
- On SRX650 devices, when an access point is part of default cluster and you change the default cluster after the access point is connected to it, the changes might not be reflected. As a workaround, restart the wireless LAN service. [PR/497752]
- On AX411 Access Points, an access point might not synchronize with the newly associated configuration (by changing or swapping the MAC address) and also might not join the changed cluster when it is associated to a new config block in the WLAN access point configuration. As a workaround, deactivate and activate the access point using the following CLI commands:
#deactivate wlan access-point <ap-name>
#commit
#activate wlan access-point <ap-name>
#commit
[PR/504581]
Chassis Cluster
- On J Series devices in a chassis cluster, the show interface terse command on the secondary Routing Engine does not display the same details as that of the primary Routing Engine. [PR/237982]
- On J4350 Services Routers, because the clear security alg sip call command triggers a SIP RTO to synchronize sessions in a chassis cluster, use of the command on one node with the node-id, local, or primary option might result in a SIP call being removed from both nodes. [PR/263976]
- On J Series devices, when a new redundancy group is added to a chassis cluster, the node with lower priority might be elected as primary when the preempt option is not enabled for the nodes in the redundancy group. [PR/265340]
- On J Series devices, when you commit a configuration for a node belonging to a chassis cluster, all the redundancy groups might fail over to node 0. If graceful protocol restart is not configured, the failover can destabilize routing protocol adjacencies and disrupt traffic forwarding. To allow the commit operation to take place without causing a failover, we recommend that you use the set chassis cluster heartbeat-threshold 5 command on the cluster. [PR/265801]
- On J Series devices in a chassis cluster, a high load of SIP ALG traffic might result in some call leaks in active resource manager groups and gates on the backup router. [PR/268613]
- On SRX Series devices in a chassis cluster, configuring the set system process jsrp-service disable command only on the primary node causes the cluster to go into an incorrect state. [PR/292411]
- On SRX Series devices in a chassis cluster, using the set system processes chassis-control disable command for 4 to 5 minutes and then enabling it causes the device to crash. Do not use this command on an SRX Series device in a chassis cluster. [PR/296022]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, 8-queue configurations are not reflected on the chassis cluster interface. [PR/389451]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the iflset functionality is not supported for aggregated interfaces like reth. [PR/391377]
- On an SRX210 device in a chassis cluster, when you upgrade the nodes, sometimes the forwarding process might crash and get restarted. [PR/396728]
- On an SRX210 device in a chassis cluster, when you upgrade to the latest software image, the interface links do not come up and are not seen in the Packet Forwarding Engine. As a workaround, you can reboot the device to bring up the interface. [PR/399564]
- On an SRX210 device in a chassis cluster, sometimes the reth interface MAC address might not make it to the switch filter table. This results in the dropping of traffic sent to the reth interface. As a workaround, restart the Packet Forwarding Engine. [PR/401139]
- On an SRX210 device in a chassis cluster, the fabric monitoring option is enabled by default. This can cause one of the nodes to move to a disabled state. You can disable fabric monitoring by using the following CLI command:
set chassis cluster fabric-monitoring disable
[PR/404866]
- On an SRX210 Low Memory device in a chassis cluster, the firewall filter does not work on the reth interfaces. [PR/407336]
- On an SRX210 device in a chassis cluster, the restart forwarding method is not recommended because when the control link goes through forwarding, the restart forwarding process causes disruption in the control traffic. [PR/408436]
- On an SRX210 device in a chassis cluster, there might be a loss of about 5 packets with 20 Mbps of UDP traffic on an RG0 failover. [PR/413642]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, no trap is generated for redundancy group 0 failover. You can check on the redundancy group 0 state only when you log in to the device. The nonavailability of this information is caused by a failure of the SNMP walk on the backup (secondary) node. As a workaround, use a master-only IP address across the cluster so that you can query a single IP address and that IP address will always be the master for redundancy group 0. [PR/413719]
- On an SRX210 device with an FTP session ramp-up rate of 70, either of the following might disable the secondary node:
  - Back-to-back redundancy group 0 failover
  - Back-to-back primary node reboot
  [PR/414663]
- If an SRX210 device receives more traffic than it can handle, node 1 either disappears or gets disabled. [PR/416087]
- On SRX3400, SRX3600, SRX5600, SRX5800, and J Series devices in an active/active chassis cluster, when the fabric link fails and then recovers, services with a short time-to-live (such as ALG FTP) stop working. [PR/419095]
- On SRX5800 devices, SNMP traps might not be generated for the ineligible-primary state. [PR/434144]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices in chassis cluster active/active mode, the J-Flow samplings do not occur and the records are not exported to the cflowd server. [PR/436739]
- On SRX240 Low Memory and High Memory devices, binding the same IKE policy to a dynamic gateway and a site-to-site gateway is not allowed. [PR/440833]
- On SRX650 devices, the following message appears on the new primary node after a reboot or a RG0 failover:
WARNING: cli has been replaced by an updated version: CLI release 9.6B1.5 built by builder on 2009-04-29 08:24:20 UTC Restart cli using the new version ? [yes,no] (yes) yes
[PR/444470]
- On SRX240 and SRX650 devices in chassis cluster active/active preempt mode, the RTSP session breaks after a primary node reboot and preempt failover. The following common ALGs will be broken: RSH, TALK, PPTP, MSRPC, RTSP, SUNRPC, and SQL. [PR/448870]
- On SRX240 devices, the cluster might get destabilized when the file system is full and logging is configured on JSRPD and chassisd. The log file size for the various modules should be appropriately set to prevent the file system from getting full. [PR/454926]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, the ping operation to the redundant Ethernet interface (reth) fails when the cluster ID changes. [PR/458729]
- On SRX100 devices, after primary node reboot and cold synchronization are finished, the chassis cluster auth session timeout age and application name cannot synchronize with the chassis cluster peers. [PR/460181]
- On SRX5600 devices, low-impact in-service software upgrade (ISSU) chassis cluster upgrade does not succeed with the no-old-master-upgrade option when you upgrade from JUNOS Release 9.6R2 to JUNOS Release 10.1. [PR/471235]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the secondary node displays incorrect interface status after a low-impact in-service software upgrade (ISSU) from JUNOS Release 9.6R2 to JUNOS Release 10.1R1. [PR/482566]
- On SRX3400 and SRX3600 devices, chassis cluster upgrades (LICU) with no-old-master-upgrade from JUNOS Release 9.6R2.11 to 10.0R1.x and from JUNOS Release 10.0R1.8 to 10.1x.x do not work. [PR/483485]
- On SRX5600 devices with an active/active chassis cluster configuration, under stress conditions, memory pointers of the appid module could be inappropriately assigned. This might cause memory corruption. [PR/483522]
- On SRX3600 devices, after you disable and enable the secondary node track, the IP status remains unreachable. [PR/488890]
- On SRX5600 and SRX5800 devices, when a LICU upgrade is performed from JUNOS Release 10.0R2 to 10.1R2, the shaping rate doubles after the secondary node becomes the primary node and remains at the doubled value after the LICU upgrade. [PR/491834]
- On SRX5600 and SRX5800 devices, the shaping rate is not honored during LICU upgrades. During LICU upgrades, when the secondary node is upgraded to the primary node, the shaping rate is doubled and continues to be the same doubled value after the LICU upgrade is finished. [PR/499481]
Class of Service (CoS)
- J4350 and J6350 devices might not have the requisite data buffers needed to meet expected delay-bandwidth requirements. Lack of data buffers might degrade CoS performance with smaller-sized (500 bytes or less) packets. [PR/73054]
- On J Series devices, with a CoS configuration, when you try to delete all the flow sessions using the clear security flow session command, the WXC application acceleration platform might fail over with heavy traffic. [PR/273843]
- On SRX Series devices, class-of-service-based forwarding (CBF) does not work. [PR/304830]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you change the scheduler type on the Layer 2 aggregated Ethernet interface, the clear interface statistics command does not work for the aggregated Ethernet bundle. [PR/485904]
Enhanced Switching
- On J Series devices, if the access port is tagged with the same VLAN that is configured at the port, the access port accepts tagged packets and determines the MAC. [PR/302635]
Flow and Processing
- On J Series devices, even when forwarding options are set to drop packets for the ISO protocol family, the device forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2 terminating packets. [PR/252957]
- On SRX Series devices, the show security flow session command currently does not display aggregate session information. Instead, it displays sessions on a per-SPU basis. [PR/264439]
- On J Series devices, OSPF over a multipoint interface connected as a hub-and-spoke network does not restart when a new path is found to the same destination. [PR/280771]
- On SRX Series devices, when traffic matches a deny policy, sessions will not be created successfully. However, sessions are still consumed, and the unicast-sessions and sessions-in-use fields shown by the show security flow session summary command will reflect this. [PR/284299] [PR/397300]
- On J Series devices, outbound filters will be applied twice for host-generated IPv4 traffic. [PR/301199]
- On SRX Series devices, configuring the flow filter with the all flag might result in traces that are not related to the configured filter. As a workaround, use the flow trace flag basic with the command set security flow traceoptions flag. [PR/304083]
- On SRX210, SRX240, and SRX650 devices, after the device fragments packets, the FTP over a GRE link might not perform properly because of packet serialization. [PR/412055]
- On SRX240 devices, traffic flooding occurs when multiple Multicast (MC) IP group addresses are mapped to the same MC MAC address because multicast switching is based on the Layer 2 address. [PR/418519]
- On SRX650 devices, the input DA errors are not updated when packets are dropped because of MAC filtering on the following:
  - SRX240
  - SRX210
  - 16-port and 24-port GPIMs
  - SRX650 front-end port
  [PR/423777]
- On SRX650 devices, the uplinks to the CPU can be exhausted and the system can be limited to 2.5 GB throughput traffic when the device is using similar kinds of source MAC addresses. [PR/428526]
- On SRX5600 and SRX5800 devices, the network processing bundle configuration CLI does not check if PICs in the bundle are valid. [PR/429780]
- On SRX650 devices, packet loss is observed when the device interoperates with an SSG20 with AMI line-encoding. [PR/430475]
- On an SRX210 on-board Ethernet port, an IPv6 multicast packet received gets duplicated at the ingress. This happens only for IPv6 multicast traffic in ingress. [PR/432834]
- On an SRX5800 device with a 1-Gbps IOC, when more than 10 ports per port module are used, intermittent packet loss occurs because of oversubscription. As a workaround, reboot the SRX5800 device. [PR/433209]
- On SRX3400 and SRX3600 devices, the ramp rate of session creation is slow at times for fragmented UDP traffic. [PR/434508]
- On SRX5800 devices, when there are nonexistent PICs in the network processing bundle, the traffic is sent out to the PICs and is lost. [PR/434976]
- The SRX5600 and SRX5800 devices create more than the expected number of flow sessions with NAT traffic. [PR/437481]
- On J Series devices, NAT traffic that goes to the WXC ISM 200 and returns clear (that is, not accelerated by the WXC ISM 200) does not work. [PR/438152]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, there is missing information in the jnxJsFwAuthMultipleFailure trap message. The trap message is required to contain the username, IP address, application, and trap name, but the username is missing. [PR/439314]
- On SRX5800 devices, for any network processing bundle configuration change to take effect, a reboot is needed. Currently there is no message displayed after a bundle configuration change. [PR/441546]
- On SRX5800 devices, the IOC hot swap is not supported with network processing bundling. If an IOC that has network processing bundling configured gets unplugged, all traffic to that network processor bundle will be lost. [PR/441961]
- On SRX5800 devices with interfaces in a network processing bundle, the ICMP flood or UDP flood cannot be detected at the threshold rate. However, it can be detected at a higher rate when the per-network processor rate reaches the threshold. [PR/442376]
- On SRX5600 devices, equal-cost multipath (ECMP) does not work at Layer 4 when transit traffic is passed. [PR/444054]
- On an SRX3400 device in combo mode with two SPCs and one NPC, not all sessions are created under the stress test. [PR/450482]
- On J Series devices, there is a drop in throughput on 64-byte packet size T3 links when bidirectional traffic is directed. [PR/452652]
- On SRX240 PoE and J4350 devices, the first packet on each multilink class gets dropped on reassembly. [PR/455023]
- On SRX240 PoE and J Series devices, packet drops are seen on the lsq interface when transit traffic with a frame length of 128 bytes is sent. [PR/455714]
- On SRX5600 and SRX5800 devices, system log messages are not generated when CPU utilization returns to normal. [PR/456304]
- On SRX210, SRX240, and J6350 devices, the serial interface goes down during long-duration traffic when FPGA version 2.3 is loaded in the device. As a result, the multilink goes down. This issue is not seen when downgrading the FPGA version from 2.3 to 1.14. [PR/461471]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in end-to-end debugging, the cp-lbt event actions are not working. There is no change in behavior with or without the cp-lbt event. [PR/462288]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, during end-to-end debugging with the jexec event, packet summary trace messages have unknown IP addresses in the packet summary field. [PR/463534]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, data path-debug rate-limit does not work properly. When users configure a low rate limit for a large number of trace messages, the system should suspend the trace messages after the configured maximum is reached. The system is not suspending the trace messages. [PR/464151]
- GPRS tunneling protocol (GTP) application is supported on well-known ports only. Customized application on other ports is not supported. [PR/464357]
- On J Series devices, interfaces with different bandwidths (even if they are of same interface type, for example, serial interfaces with different clock rates or channelized T1/E1 interfaces with different timeslots) should not be bundled under one ML bundle. [PR/464410]
- SRX3400 and SRX3600 devices with one Services Processing Card and two Network Processing Cards operating under heavy traffic produce fewer flow sessions. [PR/478939]
Hardware
- On SRX210 devices, the MTU size is limited to 1518 bytes for the 1-port SFP Mini-PIM. [PR/296498]
- On SRX240 and SRX650 devices and 16-port or 24-port GPIMs, the 1G half-duplex mode of operation is not supported in the autonegotiation mode. [PR/424008]
- On SRX240 devices, the Mini-PIM LEDs glow red for a short duration (1 second) when the device is powered on. [PR/429942]
- On SRX240 devices, the file installation fails on the right USB slot when both of the USB slots have USB storage devices attached. [PR/437563]
- On SRX240 devices, the combinations of Mini-PIMs cause SFP-Copper links to go down in some instances during bootup, restarting fwdd, and restarting chassisd. As a workaround, reboot the device and the link will be up. [PR/437788]
- On SRX650 devices, the 16-port Gigabit Ethernet switch GPIM is incorrectly labeled as XGPIM. This switch is a double-high XPIM that will operate only in slots 2 to 4 or 6 to 8, connecting to the 20-gigabit connector in slots 2 or 6, respectively. [PR/444511]
- On SRX5600 devices, during a Routing Engine reboot when processes are being shut down, a rare race condition occurs that can lead to a Routing Engine kernel crash. [PR/488484]
Infrastructure
- On J Series devices, you cannot use a USB device that provides U3 features (such as the U3 Titanium device from SanDisk Corporation) as the media device during system boot. You must remove the U3 support before using the device as a boot medium. For the U3 Titanium device, you can use the U3 Launchpad Removal Tool on a Windows-based system to remove the U3 features. The tool is available for download at http://www.sandisk.com/Retail/Default.aspx?CatID=1415. (To restore the U3 features, use the U3 Launchpad Installer Tool accessible at http://www.sandisk.com/Retail/Default.aspx?CatID=1411). [PR/102645]
- On J Series devices, if the device does not have an ARP entry for an IP address, it drops the first packet from itself to that IP address. [PR/233867]
- On J Series devices, when you press the F10 key to save and exit from BIOS configuration mode, the operation might not work as expected. As a workaround, use the Save and Exit option from the Exit menu. This issue can be seen on the J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. [PR/237721]
- On J Series devices, the Clear NVRAM option in the BIOS configuration mode does not work as expected. This issue can be seen on the J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. To help mitigate this issue, note any changes you make to the BIOS configuration so that you can revert to the default BIOS configuration as needed. [PR/237722]
- On J Series devices, if you enable security trace options, the log file might not be created in the default location at /var/log/security-trace. As a workaround, manually set the log file to the directory /var/log/security-trace. [PR/254563]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the SNMP set for the MIB object usmUserPrivKeyChange does not work. [PR/482475]
Integrated Convergence Services
The following issues currently exist in SRX210 and SRX240 devices with Integrated Convergence Services:
- On SRX210 devices with Integrated Convergence Services, the call hold feature does not work for Xlite softphones. [PR/432725]
- At least one time slot must be configured for data for voice channels on T1 lines to work. [PR/442932]
- On SRX240 devices with Integrated Convergence Services, T1 configuration does not support all the 24 time slots for voice calls. It is limited to 5 time slots or line channels currently. [PR/442934]
- The music-on-hold feature is not supported for SIP phones. [PR/443681]
- The peer call server configuration for the media gateway page in J-Web does not correctly display the port number field when TCP is used as the transport. [PR/445734]
- When you click the trunk-group field in J-Web, the configured trunk values are not displayed. [PR/445765]
- Comfort noise packets are not generated when both voice activity detection (VAD) and comfort noise generation are enabled for an FXS station. [PR/448191]
- In J-Web, if you do not configure the class of restriction and a station template, you cannot configure a station. [PR/452439]
- J-Web does not provide support for the SIP template extension inheritance feature. [PR/455787]
- SNMP does not provide support for survivable call server (SRX Series SCS) statistics. [PR/456454]
- Consecutive G.711 fax pass-through between two FXS ports fails when the originating and terminating sides alternate. [PR/465775]
- When T1 lines for stations or trunks are configured, you might hear a momentary burst of noise on the phone. [PR/467334]
- You must restart the flow daemon to commit runtime T1 configuration changes. [PR/468594]
- The SIP-to-SIP simultaneous call capacity is limited to 10 calls. [PR/478485]
Interfaces and Routing
- On J4350 and J6350 devices, the link status of the onboard Gigabit Ethernet interfaces (ge-0/0/0 through ge-0/0/3) or the 1-port Gigabit Ethernet ePIM interface fails when you configure these interfaces in loopback mode. [PR/72381]
- On J Series Routers, asymmetric routing, such as tracing a route to a destination behind J Series devices with Virtual Router Redundancy Protocol (VRRP), does not work. [PR/237589]
- On J2320 devices, when you enable the DHCP client, the default route is not added to the route table. [PR/296469]
- On SRX5600 and SRX5800 devices, ping to far-end reth interfaces does not work for different routing instances. [PR/408500]
- On SRX240 devices, drops in out-of-profile LLQ packets might be seen in the presence of data traffic, even when the combined (data+LLQ) traffic does not oversubscribe the multilink bundle. [PR/417474]
- On SRX240 and SRX650 devices, when you are configuring the link options on an interface, only the following scenarios are supported:
  - Autonegotiation is enabled on both sides.
  - Autonegotiation is disabled on both sides (forced speed), and both sides are set to the same speed and duplex.
  If one side is set to autonegotiation mode and the other side is set to forced speed, the behavior is indeterminate and not supported. [PR/423632]
- On SRX and J Series devices, the RPM operation will not work for the probe-type tcp-ping when the probe is configured with the option destination-interface. [PR/424925]
- On SRX650 devices, the following loopback features are not implemented for T1/E1 GPIMs:
  - Line
  - FDL payload
  - Inband line
  - Inband payload
  [PR/425040]
- On J4350 devices, multicast traffic is not received when the source and the receiver are connected to the same PE routers. [PR/429130]
- In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If the user configures IP CoS in conjunction with ATM CoS, the logical interface level shaper matching ATM CoS rate must be configured to avoid congestion drops in SAR.
Example (the label in parentheses after a command is an annotation, not part of the command):
set interfaces at-5/0/0 unit 0 vci 1.110
set interfaces at-5/0/0 unit 0 shaping cbr 62400    (ATM CoS)
set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map    (IP CoS)
set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400    (add IFL shaper)
[PR/430756]
- On SRX650 devices, configuring dual and quad T1/E1 framing at the chassis level has no effect. [PR/432071]
- On SRX240 devices, the serial interface maximum speed in extensive output is displayed as 16384 Kbps instead of 8.0 Mbps. [PR/437530]
- On SRX Series devices, incorrect Layer 2 circuit replication on the backup Routing Engine might occur when you:
  - Configure nonstop routing (NSR) and Layer 2 circuit standby simultaneously and commit them
  - Delete the NSR configuration and then add the configuration back when both the NSR and Layer 2 circuits are up
  As a workaround:
  - Configure the Layer 2 circuit for non-standby connection.
  - Change the configuration to standby connection.
  - Add the NSR configuration.
  [PR/440743]
- On SRX210 Low Memory devices, the E1 interface will flap and traffic will not pass through the interface if you restart forwarding while traffic is passing through the interface. [PR/441312]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you configure the SAP listen option using the protocol sap listen command in the CLI, listening fails in both sparse and sparse-dense modes. [PR/441833]
- On J Series devices, one member link goes down in a Multilink (ML) bundle during bidirectional traffic with Multilink Frame Relay (MFR). [PR/445679]
- On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM Server operation does not work when the probe is configured with the option destination-interface. [PR/450266]
- On J Series devices, the DS3 interface does not have an option to configure multilink-frame-relay-uni-nni (MFR). [PR/453289]
- On SRX210 devices, the modem moves to the dial-out pending state while connecting or disconnecting the call. [PR/454996]
- On SRX100, SRX210, and J Series devices, out-of-band dial-in access using a serial modem does not work. [PR/458114]
- On SRX210 PoE devices, the G.SHDSL link does not come up with an octal port line card of total access 1000 ADTRAN DSLAM. [PR/459554]
- On J Series devices, tail drops are seen on a bundle for traffic with a bigger packet size and smaller fragmentation threshold. [PR/461417]
- On SRX210 High Memory devices, only six logical interfaces come up on the G.SHDSL ATM interface (including OAM channel). The other two logical interfaces are down. [PR/466296]
- On SRX100 and SRX200 devices with VDSL2, multiple carrier transitions (three to four) are seen during long-duration traffic testing with ALU 7302 DSLAM. There is no impact on traffic except for the packet loss after long-duration traffic testing, which is also seen in the vendor CPE. [PR/467912]
- On SRX210 devices with VDSL2, remote end ping fails for packet sizes above 1480 because the packets are dropped: the default MTU on the interface is 1496, and the default MTU of the remote host Ethernet interface is 1514. [PR/469651]
- On SRX210 devices, the G.SHDSL ATM logical interface goes down when ATM CoS is enabled on the interface with OAM. As a workaround, restart the FPC to bring up the logical interface. [PR/472198]
- On SRX210 devices with VDSL2, ATM CoS VBR-related functionality cannot be tested because of lack of support from the vendor. [PR/474297]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show datapath-debug counter command gives error messages from the secondary node. [PR/477017]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, link speeds of 100 Mbps and 1 Gbps cannot be configured on the ae0 interface with child interfaces configured. When you commit the configuration, the system displays an error about the mismatch between the ae0 and child interfaces. [PR/482649]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you change the multicast scoping to a different multicast address, traffic other than that configured for multicast scoping is not received. [PR/482957]
- On SRX210 High Memory devices, IGMPv2 join messages are dropped on an integrated routing and bridging (IRB) interface. As a workaround, enable IGMP snooping to use IGMP over IRB interfaces. [PR/492564]
- On SRX100 and SRX210 devices, every time the VDSL2 PIM is restarted in the ADSL mode, the first packet passing through the PIM will be dropped. This occurs because there is a bug in the SAR engine, which will not set the ATM connection until the first packet has been dropped due to no ATM connection. [PR/493099]
- The destination and destination-profile options for address and unnumbered-address within family inet and inet6 are allowed to be specified within a dynamic profile but not supported. [PR/493279]
- On SRX210 High Memory devices, the physical interface module (PIM) shows time in ADSL2+ ANNEX-M, even though it is configured for ANNEX-M ADSL2. [PR/497129]
- On SRX210 High Memory devices, the GRE tunnel session is not created properly if the tunnel outgoing interface takes a long time to come up. On T1/E1 interfaces of SRX100, SRX210, SRX240, and SRX650 devices, traffic through GRE tunnel might not work. As a workaround, first create the physical interface and commit the configuration and then create a GRE tunnel configuration. [PR/497864]
- On SRX220 and SRX240 devices, when you activate or deactivate the ATM interface for the VDSL PIM inserted on slots two, three, or four, it might result in a flowd crash due to a bug in the VDSL driver. This problem might not be noticed on SRX210 devices. [PR/505347]
- On SRX5600 and SRX5800 devices, load balancing does not occur within the aggregated Ethernet (ae) interface when you use a prefix length of /24 while incrementing the destination IP address. [PR/505840]
Intrusion Detection and Prevention (IDP)
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when the firewall and IDP policy both enable diffServ marking with a different DSCP value for the same traffic, the firewall DSCP value takes precedence and the traffic is marked using the firewall DSCP value. [PR/297437]
- On SRX5600 and SRX5800 devices, when the device is processing heavy traffic, the show security idp status operational command might fail. As a result, IDP flow, session, and packet statistics do not match firewall statistics. [PR/389501] [PR/388048]
- The SRX210 device supports only one IDP policy at any given time. When you make changes to the IDP policy and commit, the current policy is completely removed before the new policy becomes effective. During the update, IDP will not inspect the traffic that is passing through the device for attacks. As a result, there is no IDP policy enforcement. [PR/392421]
- On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web selecting Configuration>Quick Configuration>Security Policies>IDP Policies>Security Package Update>Help brings up the IDP policy Help page instead of the Signature update Help page. To access the corresponding Help page, select Configuration>Quick Configuration>IDP Policies>Signature/Policies Update and then click Help. [PR/409127]
- On SRX3400, SRX3600, SRX5600 and SRX5800 devices, if you want to change to dedicated mode, the configuration of the security forwarding-process application-services maximize-idp-sessions command should be done right before rebooting the device. This should be done to avoid recompiling IDP policies during every commit. [PR/426575]
- On SRX3400, SRX3600, and SRX5600 devices, when you configure IDP to run in decoupled mode using the set security forwarding-process application-services maximize-idp-sessions command, network address translation (NAT) information will not be shown in the event log. [PR/445908]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you configure a policy containing more than 200 rules, with each rule containing the predefined attack groups (Critical, Major, and Minor), the memory constraint of the Routing Engine (500 MB) is reached. [PR/449731]
- On SRX3400 and SRX3600 devices, the logging rate is slightly less in SPUs operating in combo mode as compared to SPUs operating in non-combo mode. [PR/457251]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices in maximize-idp-sessions mode, there is an IPC channel between two data plane processes. The channel is responsible for transferring the "close session" message (and other messages) from the firewall process to the IDP process. Under stress conditions, the channel becomes full and extra messages might get lost. This causes IDP sessions in the IDP process to hang for longer than necessary, and they will time out eventually. [PR/458900]
- When an SRX Series device running JUNOS Release 10.1 (Layer 2 access-integrated mode) is rolled back to the JUNOS Release 9.6 image, the DUT comes up in JUNOS Release 9.6 with Layer 2 access-integrated mode, which was not supported in JUNOS Release 9.6. [PR/469069]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level distributed denial-of-service (application-level DDoS) rulebase (rulebase-ddos) does not support port mapping. If you configure an application other than default, and if the application is from either predefined JUNOS Software applications or a custom application that maps an application service to a nonstandard port, application-level DDoS detection will not work. When you configure the application setting as default, IDP uses application identification to detect applications running on standard and nonstandard ports, hence the application-level DDoS detection works properly. [PR/472522]
J-Flow
- SRX3400, SRX3600, SRX5600, and SRX5800 devices support 4-byte autonomous system (AS) for BGP configuration. However, the J-Flow template versions 5 and 8 do not support 4-byte AS, because these J-Flow templates have 2 bytes for the SRC/DST AS field. [PR/416497]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, J-Flow sampling on the virtual router interface does not show the values of autonomous system (AS) and mask length values. The AS and mask length values of cflowd packets show 0 while sampling the packet on the virtual router interface. [PR/419563]
J-Web
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the LEDs on the Routing Engine and PICs are not shown as green when they are up and online on the J-Web Chassis View. [PR/297693]
- On SRX Series devices, when the user adds LACP interface details, a pop-up window appears in which there are two buttons to move the interface left and right. The LACP page currently does not have images incorporated with these two buttons. [PR/305885]
- On SRX210 devices, there is no maximum length limit when the user commits the hostname in CLI mode; however, only a maximum of 58 characters are displayed in the J-Web System Identification panel. [PR/390887]
- On SRX210, SRX240, and SRX650 devices, the complete contents of the ToolTips are not displayed in the J-Web Chassis View. As a workaround, drag the Chassis View image down to see the complete ToolTip. [PR/396016]
- On SRX100, SRX210, SRX240, and SRX650 devices, the LED status in the Chassis View is not in sync with the LED status on the device. [PR/397392]
- On SRX Series devices, when you right-click Configure Interface on an interface in the J-Web Chassis View, the Configure > Interfaces page for all interfaces is displayed instead of the configuration page for the selected interface. [PR/405392]
- On SRX210 Low Memory devices, in the rear view of the Chassis viewer image, the image of ExpressCard remains the same whether a 3G card is present or not. [PR/407916]
- On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices, selecting Configure>Security>Policy>IDP Policies>Security Package Update>Help in the J-Web user interface brings up the IDP policy Help page instead of the Signature update Help page. To access the corresponding Help page, select Configure>IDP>Signature Update and then click Help. [PR/409127]
- On SRX Series devices, the CLI Terminal feature does not work in J-Web over IPv6. [PR/409939]
- On SRX210 High Memory, SRX240 PoE, and J Series devices, IDP custom attacks and dynamic attack groups cannot be configured using J-Web. [PR/416885]
- On J2350, J4350, and J6350 devices, users cannot configure firewall filters using J-Web. The Firewall Filters menu was removed because it was not functioning properly. [PR/422898]
- On SRX210, SRX240, J2350, J4350, and J6350 devices, when J-Web users select the tabs on the bottom-left menu, the corresponding screen is not displayed fully, so users must scroll the page to see all the content. This issue occurs when the computer is set to a low resolution. As a workaround, set the computer resolution to 1280 x 1024. [PR/423555]
- On SRX Series and J Series devices, users cannot differentiate between Active and Inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages. [PR/433353]
- On SRX210 devices, in Chassis View, right-clicking any port and then clicking Configure Port takes the user to the Link aggregation page. [PR/433623]
- On SRX100 devices, in J-Web users can configure the scheduler without entering any stop date. The device submits the scheduler successfully, but the submitted value is not displayed on the screen or saved in the device. [PR/439636]
- On SRX100, SRX210, SRX240, and SRX650 devices, in J-Web the associated dscp and dscpv6 classifiers for a logical interface might not be mapped properly when the user edits the classifiers of a logical interface. This can affect the Delete functionality as well. [PR/455670]
- On SRX Series and J Series devices, when J-Web is used to configure a VLAN, the option to add an IPv6 address appears. Only IPv4 addresses are supported. [PR/459530]
- On SRX Series devices in J-Web the left-side menu items and page content might disappear when Troubleshoot is clicked twice. As a workaround, click the Configure or Monitor menu to get back the relevant content. [PR/459936]
- On SRX100, SRX210, SRX240, SRX650, and J Series devices, in J-Web, the options Input filter and Output Filter are displayed in VLAN configuration page. This feature is not supported, and the user cannot obtain or configure any value under these filter options. [PR/460244]
- On SRX100, SRX210, SRX240, SRX650, and J Series devices, in the J-Web interface, the Traceoptions tab in the Edit Global Settings window of the OSPF Configuration page (Configuration>Routing>OSPF Configuration) does not display the available flags (tracing parameters). As a workaround, use the CLI to view the available flags. [PR/475313]
- On SRX100, SRX210, SRX240, SRX650, and J Series devices, when you have a large number of static routes configured, and if you have navigated to pages other than to page 1 in the Route Information table in the J-Web interface (Monitor>Routing>Route Information), changing the Route Table to query other routes refreshes the page but does not return you to page 1. For example, if you run the query from page 3 and the new query returns very few results, the Route Information table continues to display page 3 with no results. Navigate to page 1 manually to view the results. [PR/476338]
- On SRX210 Low Memory, SRX210 High Memory, and SRX210 PoE devices, in the J-Web interface, Configuration>Routing>Static Routing does not display the IPv4 static route configured in rib inet.0. [PR/487597]
- On SRX100 (low memory and high memory), SRX210 (low memory, high memory, and PoE), SRX240 (low memory and high memory), SRX650, J2350, J4350, and J6350 devices, CoS feature commits occur without validation messages, even if you have not made any changes. [PR/495603]
Management and Administration
- On SRX3400 and SRX3600 devices, a minor alarm is not triggered when the central point or SPU session table is full. [PR/405990]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the queue statistics are not correct after deletion and re-creation of a logical interface (IFL) or creation of a new IFL. IFL statistics are not cleared for 15 minutes after chassis-control is restarted. [PR/417947]
- On SRX5600 devices, when the system is in an unstable state (for example SPU reboot), NFS might generate residual.nfs files under the /var/tmp directory, which can occupy the disk space for a very long time. As a workaround, run the request sys storage cleanup command to clean up when the system has low disk space. [PR/420553]
- On SRX650 devices, the kernel crashes when the link goes down during TFTP installation of the srxsme image. [PR/425419]
- On SRX650 devices, continuous messages are displayed from syslogd when ports are in switching mode. [PR/426815]
- On SRX240 devices, if a timeout occurs during the TFTP installation, booting the existing kernel using the boot command might crash the kernel. As a workaround, use the reboot command from the loader prompt. [PR/431955]
- On SRX240 devices, when you configure the system log hostname as 1 or 2, the device goes to the shell prompt. [PR/435570]
- On SRX240 devices, the Scheduler Oinker messages are seen on the console at various instances with various Mini-PIM combinations. These messages are seen during bootup, restarting fwdd, restarting chassisd, and configuration commits. [PR/437553]
- On SRX5800 devices, rebooting is required for any NP bundle configuration change to take effect. Currently there is no notification displayed after the bundle configuration change to notify that a reboot is required for the change to take effect. [PR/441546]
- On SRX Series and J Series devices with session-init and session-close enabled, you should not clear sessions manually when too many sessions are in status "used". [PR/445730]
- On SRX5600 and SRX5800 devices, data path debug trace messages are getting dropped at above 1000 packets per second (pps). [PR/446098]
- On J2350, J4350, and J6350 devices, extended Bit Error Rate Test (BERT) takes an additional 3 hours to complete even though a BERT-period of 24 hours is set. [PR/447636]
Network Address Translation (NAT)
- On SRX240 High Memory devices, in a chassis cluster environment, the secondary node can go to DB> mode when there are many policies configured and TCP, UDP, and ICMP traffic matches the policies. [PR/493095]
- On J4350 devices, when you place internal calls, interface-based persistent NAT displays only one active hairpinning session instead of two, even after the call is established. [PR/504932]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, NAT behavior in event logs is incorrect for JUNOS Release 10.2. Because of a bug, the log output shows both source and destination IP from the client/server instead of only the IP address with NAT. The output incorrectly shows 4.0.0.0->5.0.0.1. The correct output should be as follows:
  - For destination NAT, the IP address in the log should be 0.0.0.0->5.0.0.1.
  - For source NAT, the IP address displayed in the log should be 4.0.0.0->0.0.0.0.
  [PR/505454]
Power over Ethernet (PoE)
- On SRX240 and SRX210 devices, the output of the PoE operational commands takes roughly 20 seconds to reflect a new configuration or a change in status of the ports. [PR/419920]
- On SRX210 and SRX240 devices, the deactivate poe interface all command does not deactivate the PoE ports. Instead, the PoE feature can be turned off by using the disable configuration option. Otherwise, the device must be rebooted for the deactivate setting to take effect. [PR/426772]
- On SRX210 and SRX240 devices, reset of the PoE controller fails when the restart chassis-control command is issued and also after system reboot. PoE functionality is not negatively impacted by this failure. [PR/441798]
- On SRX210 PoE devices managing AX411 Access Points, the devices might not be able to synchronize time with the configured NTP Server. [PR/460111]
- On SRX210 devices, the fourth access point connected to the services gateway fails to boot with the default Power over Ethernet (PoE) configuration. As a workaround, configure all the PoE ports to a maximum power of 12.4 watts. Use the following command to configure the ports:
  root# set poe interface all maximum-power 12.4
  [PR/465307]
- On SRX100, SRX210, SRX240, and SRX650 devices, with factory default configurations the device is not able to manage the AX411 Access Point. This might be due to the DHCP default gateway not being set. [PR/468090]
- On SRX210 PoE devices managing AX411 Access Points, traffic of 64 bytes at a speed of more than 45 megabits per second (Mbps) might result in loss of keepalives and reboot of the AX411 Access Point. [PR/471357]
- On SRX210 PoE devices, high latencies might be observed for the Internet Control Message Protocol (ICMP) pings between two wireless clients when 32 virtual access points (VAPs) are configured. [PR/472131]
- On SRX210 PoE devices, when AX411 Access Points managed by the SRX devices reboot, the configuration might not be reflected onto the AX411 Access Points. As a result, the AX411 Access Point retains the factory default configuration. [PR/476850]
Security
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the egress filter-based forwarding (FBF) feature is not supported. [PR/396849]
- On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, if the Infranet Controller auth table mapping action is configured as provision auth table as needed, UAC terminates the existing sessions after Routing Engine failover. You might have to initiate new sessions. Existing sessions will not get affected after Routing Engine failover if the Infranet Controller auth table mapping action is configured as always provision auth table. [PR/416843]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, you should not configure rulebase-DDoS rules that have two different application-DDoS objects to run on one destination service because the traffic destined to one application server can encounter more than one rule. Essentially, for each protected application server, you have to configure a single application-level DDoS rule. [PR/467326]
Unified Access Control (UAC)
- On J Series devices, MAC address-based authentication does not work when the router is configured as a UAC Layer 2 Enforcer. [PR/431595]
Unified Threat Management (UTM)
- On SRX210 High Memory devices, content filtering provides the ability to block protocol commands. In some cases, blocking these commands interferes with protocol continuity, causing the session to hang. For instance, blocking the FETCH command for the IMAP protocol causes the client to hang without receiving any response. [PR/303584]
- On SRX210 High Memory devices, when the content filtering message type is set to protocol-only, customized messages appear in the log file. [PR/403602]
- On SRX210 High Memory devices, the express antivirus feature does not send a replacement block message for HTTP upload (POST) transactions if the current antivirus status is engine-not-ready and the fallback setting for this state is block. An empty file is generated on the HTTP server without any block message contained within it. [PR/412632]
- On SRX240, SRX650, J2320, J2350, J4350, and J6350 devices, Outlook Express is sending infected mail (with an EICAR test file) to the mail server (directly, not through DUT). Eudora 7 uses the IMAP protocol to download this mail (through DUT). Mail retrieval is slow, and the EICAR test file is not detected. [PR/424797]
- On SRX650 devices operating under stress conditions, the UTM subsystem file partition might fill up faster than UTM can process and clean up existing temporary files. In that case, the user might see error messages. As a workaround, reboot the system. [PR/435124]
- On SRX240 High Memory devices, FTP download for large files (larger than 4 MB) does not work in a two-device topology. [PR/435366]
- On SRX210, SRX240, and SRX650 devices, the Websense server stops taking new connections after HTTP stress. All new sessions get blocked. As a workaround, reboot the Websense server. [PR/435425]
- On SRX240 devices, if the device is under UTM stress traffic for several hours, users might get the following error while issuing a UTM command:
  the utmd subsystem is not responding to management requests.
  As a workaround, restart the utmd process. [PR/436029]
USB Modem
- On SRX210, SRX100, SRX240, and SRX650 devices, when you restart fwdd at the dial-out side, the umd interface goes down and the call never gets connected. As a workaround, disable the dialer interface and restart the forwarding daemon. Enable the dialer interface when the forwarding daemon is up and running. As a result, the dial-out side reconnects with the dial-in side successfully. Perform the following steps:
  - Disable the dialer interface.
    root@noky# set interfaces dl0 disable
    root@noky# commit
  - Restart the forwarding daemon.
    root@noky# run restart forwarding
    Forwarding Daemon started, pid 1407
  - Enable the dialer interface.
    root@noky# delete interfaces dl0 disable
    root@noky# commit
  [PR/480206]
- On SRX210 High Memory devices and J6350 devices, packet loss is seen during rapid ping operations between the dialer interfaces when packet size is more than 512 Kbps. [PR/484507]
- On SRX210 High Memory devices, the modem interface can handle bidirectional traffic of up to 19 Kbps. During oversubscription of 20-Kbps or more traffic, the keepalive packets are not exchanged and the interface goes down. [PR/487258]
- On SRX210 High Memory devices, IPv6 is not supported on dialer interfaces with a USB modem. [PR/489960]
- On SRX210 High Memory devices, HTTP traffic is very slow through the umd0 interface. [PR/489961]
- On SRX210 High Memory devices, on multiple resets of the umd0 interface, the umd0 interface keeps flapping if the d10 (dialer) interface on either the dialin or dialout interface goes down because no keepalive packets are exchanged. As a workaround, increase the ATS0 value to 4 or greater. [PR/492970]
- On SRX100, SRX210, SRX240, and SRX650 devices, the call terminates if you remove and insert a USB modem. [PR/491820]
- On SRX210 High Memory devices and J6350 devices, the D10 link flaps during long-duration traffic of 15 Kbps and also when packet size is 256 Kbps or more. [PR/493943]
Virtual LANs (VLANs)
- On SRX650 devices, when VLAN tagging is configured and traffic is sent, the VLAN tagged frame count is not shown in the output of the show interfaces ge-0/0/1 media detail command. [PR/397849]
- On SRX240, SRX650, J4350, and J6350 devices, tagged frames on an access port with the same VLAN tag are not getting dropped. [PR/414856]
- On SRX100, SRX210, and SRX240 devices, the packets are not being sent out of the physical interface when the VLAN ID associated with the VLAN interface is changed. As a workaround, you need to clear the ARP. [PR/438151]
- On SRX100 Low Memory, SRX100 High Memory, SRX210 Low Memory, SRX210 High Memory, SRX240 High Memory, and SRX650 devices, the Link Layer Discovery Protocol (LLDP) organization-specific Type Length Value (TLV), medium attachment unit (MAU) information always propagates as "Unknown". [PR/480361]
- On SRX100 High Memory devices and SRX210 Low Memory devices, dot1x unauthenticated ports accept Link Layer Discovery Protocol (LLDP) protocol data units (PDUs) from neighbors. [PR/485845]
- For SRX210 High Memory devices, during configuration of access and trunk ports, the individual VLANs from the vlan-range are not listed. [PR/489872]
VPNs
- On SRX5600 devices, the shared IKE limit for IKE users is not currently enforced. More users than are specified in the shared IKE limit are able to establish IKE/IPsec tunnels. [PR/288551]
- On SRX210 and SRX240 devices, concurrent logins to the device from different management systems (for example, laptops or computers) are not supported. The first user session will get disconnected when a second user session is started from a different management system. Also, the status in the first user system is displayed incorrectly as “Connected”. [PR/434447]
- On SRX Series and J Series devices, the site-to-site policy-based VPNs in a three or more zone scenario will not work if the policies match the address “any”, instead of specific addresses, and all cross-zone traffic policies are pointing to the single site-to-site VPN tunnel. As a workaround, configure address books in different zones to match the source and destination, and use the address book name in the policy to match the source and destination. [PR/441967]
WLAN
- On SRX Series devices, when WLAN configuration is committed, it takes a while before the configuration is reflected on the access point, depending on the number of virtual access points and the number of access points connected. [PR/450230]
- On SRX210, SRX240 and SRX650 devices, J-Web online Help displays the list of all the countries and is not based on the regulatory domain within which the access point is deployed. [PR/469941]
WXC Integrated Services Module
- When two J Series devices with WXC Integrated Services Modules (WXC ISM 200s) installed are configured as peers, traceroute fails if redirect-wx is configured on both peers. [PR/227958]
- On J6350 devices, JUNOS Software does not support policy-based VPN with WXC Integrated Services Modules (WXC ISM 200s). [PR/281822]
Resolved Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
The following issues from JUNOS Release 10.0 R1 have been resolved with this release. The identifier following the description is the tracking number in our bug database.
Authentication
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when a firewall authentication session was initiated, the authentication entry was created on all the SPUs. However, in JUNOS Release 10.1 when multiple firewall authentication sessions were initiated by the same user simultaneously, authentication entries were not created in all the SPUs. As a result, some sessions timed out, and the user had to reconnect or retry to reach the server. [PR/475706: This issue has been resolved.]
Chassis Cluster
- On SRX3400 and SRX3600 devices in a chassis cluster, ESP authentication errors occurred while traffic was sent through 4000 site-to-site IPsec tunnels. [PR/426073: This issue has been resolved.]
- On SRX650 and J Series devices, doing a redundancy group 0 failover with 1000 logical interfaces on the reth interface caused replication errors. As a result, the ksyncd process generated a core file. [PR/428636: This issue has been resolved.]
- On SRX5600 and SRX5800 devices in a chassis cluster, whenever the reth interface with static MAC address was configured, the ping operation failed from the directly connected device to the chassis cluster. [PR/455051: This issue has been resolved.]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the track IP did not display the correct status if the ip-monitor configuration was under RG0. [PR/482556: This issue has been resolved.]
- On SRX Series devices configured in a chassis cluster, the following informative messages were erroneously displayed during failover, possibly creating the incorrect impression that errors had occurred:
  - l2ha_set_rg_state: Setting rg state for 1 (MASTER)
  - l2ha_set_rg_state: Setting rg state for 1 (BACKUP)
  [PR/498010: This issue has been resolved.]
Flow and Processing
- On SRX210 devices, the lowest rate ATM CoS PCR supported was 64 Kbps. The ping operation did not reach an ATM interface with a PCR lower than 64 Kbps. [PR/470994: This issue has been resolved.]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in Layer 2 mode, IGMP and multicast were supported only on the 224.X.X.X address. [PR/493166: This issue has been resolved.]
Hardware
- On SRX210 devices, the system took between 2 and 5 minutes to initialize. [PR/298635: This issue has been resolved.]
- On SRX240 devices, when users swapped the USBs after startup, the chassis-control subsystem did not respond to any chassis-related commands. [PR/437798: This issue has been resolved.]
- On SRX210 Low Memory devices, 3G AC402 Live Network Card activation timed out. [PR/451493: This issue has been resolved.]
Infrastructure
- On SRX5600 and SRX5800 devices, e2e.trace showed an incorrect PIC number for the egress message. [PR/487331: This issue has been resolved.]
Integrated Convergence Services
- Unable to edit the media gateway IP address field on the peer call server page in J-Web. [PR/445750: This issue has been resolved.]
- The J-Web Call Feature Add button did not work. [PR/446422: This issue has been resolved.]
- Was not able to edit the extension number on the J-Web call features page. [PR/447523: This issue has been resolved.]
- When you edited the remote access number in J-Web, the change was not displayed until you refreshed the page. [PR/447530: This issue has been resolved.]
- Caller ID was not displayed on FXS stations for FXO to FXS calls in survivable call server (SRX Series SCS) state. [PR/451719: This issue has been resolved.]
- In J-Web, you were not able to specify the station type (as either analog or SIP). [PR/452813: This issue has been resolved.]
- On SRX210 devices with Integrated Convergence Services, in J-Web, a commit was completed when a trunk group was configured without one or more trunks, but the trunk group configuration was not visible in J-Web or the CLI. [PR/460489: This issue has been resolved.]
- The voice prompt was not played when the user dialed an invalid extension. [PR/472357: This issue has been resolved.]
- The SRX210 device allowed the FXS 2 port to be configured as a station and as an FXS trunk concurrently. In this case, the system did not display a commit error. [PR/473561: This issue has been resolved.]
- For SIP trunk to FXO trunk calls routed through the peer call server, the SRX Series device removed the called party number in the SIP INVITE messages. [PR/473979: This issue has been resolved.]
Interfaces and Routing
- On SRX240, SRX650, and SRX5600 devices, the SNMP null zone counter was not increased when the reth interface was put into the null zone. [PR/427256: This issue has been resolved.]
- On SRX Series devices, when you configured attributes of an interface unit under both the [interfaces] and the [logical-router logical-router-name interface] hierarchies, only the configuration at the interfaces level took effect. [PR/447986: This issue has been resolved.]
- On SRX210 PoE devices, the ATM interface on G.SHDSL interface did not go down when the interface was disabled through the disable command. [PR/453896: This issue has been resolved.]
Intrusion Detection and Prevention (IDP)
- On SRX210 devices during attack detection, multiple attacks got detected. This happened when the IDP policy contained rules that had the match criteria for the same attacks. Error/warning messages did not appear during policy compilation. [PR/414416: This issue has been resolved.]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices with application-level DDoS protection, the IDP session capacity dropped by 9 percent in integrated mode. [PR/479552: This issue has been resolved.]
- SRX5600 devices operating at high HTTPS session rate with the default session-id-cache-timeout value ran out of memory and began dropping sessions. [PR/476215: This issue has been resolved.]
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, HTTP throughput dropped 10 percent from ~3.6 Gbps to ~3.2 Gbps with one Services Processing Card. [PR/482801: This issue has been resolved.]
J-Web
- On SRX Series devices, when the user tried to associate an interface to GVRP, a new window appeared. This new window showed multiple move-left and move-right buttons. [PR/305919: This issue has been resolved.]
- On an SRX5600 device, when you clicked OK or Cancel from the IPS/Exempt rule configuration page, it took a long time to go to the next page when the Internet Explorer (IE) browser was used. The slow response was due to predefined attacks, attack group XML data fetching, and the way Internet Explorer refreshed the page. [PR/449017: This issue has been resolved.]
- On SRX100, SRX210, SRX240, SRX650, and J Series devices, in J-Web configuration for the routing feature, when you entered double quotation marks in the text boxes that accepted characters (for example, protocol name, file name, and description), then you could not delete the data with double quotation marks through J-Web. [PR/464030: This issue has been resolved.]
- On SRX210, SRX240, SRX650, and J Series devices, in the J-Web interface, Monitor>Switching>Spanning Tree showed a null page when Spanning Tree Protocol was not running on the device. [PR/484202: This issue has been resolved.]
- On SRX210, SRX240, and SRX650 devices, wired equivalent privacy (WEP) key validation was not properly executed in J-Web; sometimes an error returned even if the proper validation key was submitted. [PR/486910: This issue has been resolved.]
- On SRX3400 devices in chassis cluster mode, the predefined attacks list was also loaded. [PR/488607: This issue has been resolved.]
- On SRX devices using J-Web, the security zone associated to a logical unit other than zero got associated to a logical unit zero. [PR/504026: This issue has been resolved.]
Management and Administration
- On SRX5600 and SRX5800 devices, the simple filter did not work after reboot of the new primary node. [PR/486181: This issue has been resolved.]
Network Address Translation (NAT)
- On SRX210 and SRX240 devices, source NAT using interface IP address on the pp0 interface was not working. Traffic was not forwarded because of NAT translation failure through this interface. [PR/479256: This issue has been resolved.]
Power over Ethernet
- On SRX210 and SRX240 devices, the output for the show poe telemetries command showed the telemetry data in chronological order rather than the preferred reverse-chronological order (most recent data first). [PR/429033: This issue has been resolved.]
SNMP
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the value for the jnxBoxDescr.0 MIB object was incorrectly displayed as SRX 3400 instead of SRX3400. Note that there was no blank space between SRX and the model number (3400/3600). [PR/490296: This issue has been resolved.]
USB Modem
- On SRX210 Services Gateways with Integrated Convergence Services, when you had USB modem configurations and you removed the USB modem from USB port 1, the device rebooted. [PR/491777: This issue has been resolved.]
Virtual LANs (VLANs)
- On SRX650 devices, customer-vlans and vlan-push did not work together for the same VLAN. [PR/476999: This issue has been resolved.]
- On SRX5600 and SRX5800 devices, in Layer 2 mode the first packet was used for MAC learning, and it was not flooded, so the first packet was dropped when the MAC address was not available in the MAC table. [PR/486980: This issue has been resolved.]
- On SRX5600 and SRX5800 devices, IS-IS adjacency was not formed on the VLAN-tagged reth interface. [PR/488899: This issue has been resolved.]
VPNs
- On SRX5600 devices, the IKE authentication method displayed an unknown message on the dial-up VPN. [PR/393939: This issue has been resolved.]