Known Limitations in JUNOS Release 10.2 for SRX Series Services Gateways and J Series Services Routers
[accounting-options] Hierarchy
- On SRX210 and SRX240 devices, the accounting, source-class, and destination-class statements in the [accounting-options] hierarchy level are not supported.
AppSecure
- JUNOS Software Application Identification—When creating custom application or nested application signatures for JUNOS Software application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.
The order value is set with the set services application-identification application application-name signature order command. You can view all signature order values by entering the show services application-identification | display set | match order command. If the order value of a custom signature conflicts with that of another application signature, you must change the order value of the custom signature.
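Checking order uniqueness by eye across hundreds of predefined signatures is error-prone, so the conflict check is worth scripting. The following is an added example and not code from the release notes or from Juniper: it parses the output of the show command above (a constructed sample is embedded), reports every order value shared by two or more signatures, and emits set commands that move the custom signatures to unused values. It assumes that predefined signatures are recognizable by the junos: prefix and that nested-application signatures carry the same signature order leaf as application signatures.

```python
import re
from collections import defaultdict

# Constructed sample of "show services application-identification | display set | match order"
# output. Names and order values are made up for this example; "junos:" marks the predefined
# signatures, following Juniper's naming of predefined objects.
SAMPLE_ORDER_OUTPUT = """\
set services application-identification application junos:http signature order 100
set services application-identification application junos:ftp signature order 150
set services application-identification application my-custom-app signature order 100
set services application-identification nested-application junos:facebook signature order 200
set services application-identification nested-application my-nested-app signature order 200
"""

# "application ... signature order" is the hierarchy the release note names; that
# "nested-application" carries the same "signature order" leaf is an assumption.
ORDER_RE = re.compile(
    r"^set services application-identification "
    r"(?P<kind>application|nested-application) (?P<name>\S+) signature order (?P<order>\d+)$"
)


def parse_signature_orders(output):
    """Return {signature name: (kind, order)} from display-set output; unrelated lines are ignored."""
    sigs = {}
    for line in output.splitlines():
        m = ORDER_RE.match(line.strip())
        if m:
            sigs[m.group("name")] = (m.group("kind"), int(m.group("order")))
    return sigs


def find_order_conflicts(output):
    """Return {order: [names]} for every order value shared by two or more signatures."""
    by_order = defaultdict(list)
    for name, (_, order) in parse_signature_orders(output).items():
        by_order[order].append(name)
    return {order: sorted(names) for order, names in by_order.items() if len(names) > 1}


def is_custom(name):
    # Predefined signatures carry the "junos:" prefix; anything else is treated as custom.
    return not name.startswith("junos:")


def next_free_order(used, start):
    """Smallest order value >= start that is not in the set of used values."""
    candidate = start
    while candidate in used:
        candidate += 1
    return candidate


def suggest_fixes(output):
    """Emit set commands that move conflicting custom signatures to unused order values.

    Predefined signatures are never renumbered; if a conflict involves only custom
    signatures, the first one (alphabetically) keeps its order and the others move.
    """
    sigs = parse_signature_orders(output)
    used = {order for _, order in sigs.values()}
    fixes = []
    for order, names in sorted(find_order_conflicts(output).items()):
        keep = next((n for n in names if not is_custom(n)), names[0])
        for name in names:
            if name == keep or not is_custom(name):
                continue
            new_order = next_free_order(used, order + 1)
            used.add(new_order)  # reserve it so two renumbered signatures never collide
            kind = sigs[name][0]
            fixes.append(
                f"set services application-identification {kind} {name} "
                f"signature order {new_order}"
            )
    return fixes


if __name__ == "__main__":
    for order, names in find_order_conflicts(SAMPLE_ORDER_OUTPUT).items():
        print(f"order {order} is shared by: {', '.join(names)}")
    print("\n".join(suggest_fixes(SAMPLE_ORDER_OUTPUT)))
```

Feed it the real show output and review the suggested set commands before committing them: moving a custom signature to a higher order number lowers its matching priority relative to the signatures it was placed between.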
AX411 Access Point
- On SRX100 devices, there are command-line interface (CLI) commands and J-Web tabs for wireless LAN configurations related to the AX411 Access Point. However, at this time the SRX100 devices do not support the AX411 Access Point.
Chassis Cluster
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, only redundant Ethernet interfaces (reth) are supported as the IKE external interface for IPsec VPN. Other interface types can be configured, but IPsec VPN will not work.
On SRX Series and J Series devices, the following features are not supported when chassis clustering is enabled on the device:
- Packet-based forwarding for MPLS and International Organization for Standardization (ISO) protocol families.

Note: Chassis cluster features depend on flow-based forwarding. Flow-based forwarding for IP version 6 (IPv6) is supported, whereas flow-based processing for MPLS and ISO protocol families is not supported.
- Any function that depends on the configurable interfaces:
- lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)
- gr-0/0/0—Generic routing encapsulation (GRE) and tunneling
- ip-0/0/0—IP-over-IP (IP-IP) encapsulation
- pd-0/0/0, pe-0/0/0, and mt-0/0/0—All multicast protocols
- lt-0/0/0—Real-time performance monitoring (RPM)
- WXC Integrated Services Module (WXC ISM 200)
- ISDN BRI
- Layer 2 Ethernet switching
The factory default configuration for SRX100, SRX210, and SRX240 devices automatically enables Layer 2 Ethernet switching. Because Layer 2 Ethernet switching is not supported in chassis cluster mode, for these devices, if you use the factory default configuration, you must delete the Ethernet switching configuration before you enable chassis clustering.

Caution: Enabling chassis clustering while Ethernet switching is enabled is not a supported configuration. Doing so might result in undesirable behavior from the devices, leading to possible network instability.
The default configuration for other SRX Series devices and all J Series devices does not enable Ethernet switching. However, if you have enabled Ethernet switching, be sure to disable it before enabling clustering on these devices too.
For more information, see the “Disabling Switching on SRX100, SRX210, and SRX240 Devices Before Enabling Chassis Clustering” section in the JUNOS Software Security Configuration Guide.
- On SRX Series and J Series devices in chassis cluster, packet capture is not supported on the reth interface.
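The switching caveat and the list of interfaces that stop working in cluster mode can both be checked mechanically before chassis clustering is enabled. The following is an added example, not code from the release notes or from Juniper: it scans configuration text in display set form (a constructed SRX210-style sample is embedded), reports Layer 2 switching statements, VLAN definitions, the vlan Layer 3 interface and any of the lsq-, gr-, ip-, pd-, pe-, mt- and lt-0/0/0 interfaces named above, and produces the delete statements for the switching configuration. The sample statements and the decision to delete only the switching configuration (and merely report the rest) are this example's assumptions.

```python
import re

# Constructed display-set excerpt resembling an SRX210 factory default (Layer 2 switching on
# the LAN ports, a vlan.0 Layer 3 interface) plus a GRE tunnel; interface names and
# addresses are illustrative.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces gr-0/0/0 unit 0 tunnel source 192.0.2.1
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set security zones security-zone trust interfaces vlan.0
"""

# Interfaces the release note lists as unusable once chassis clustering is enabled.
CLUSTER_UNSUPPORTED_IFS = {
    "lsq-0/0/0": "link services (MLPPP, MLFR, CRTP)",
    "gr-0/0/0": "GRE tunnelling",
    "ip-0/0/0": "IP-over-IP encapsulation",
    "pd-0/0/0": "multicast",
    "pe-0/0/0": "multicast",
    "mt-0/0/0": "multicast",
    "lt-0/0/0": "real-time performance monitoring",
}

SWITCHING_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching\b")
VLANS_RE = re.compile(r"^set vlans (\S+)\b")
IFACE_RE = re.compile(r"^set interfaces (\S+)\b")
VLAN_IF_REF_RE = re.compile(r"\bvlan\.\d+\b")


def cluster_preflight(config):
    """Check a display-set configuration before chassis clustering is enabled.

    Returns (findings, deletes): human-readable findings, and the delete statements that
    remove the Layer 2 switching configuration the release note says must go. Other
    unsupported features are reported only, since removing them is an operator decision.
    """
    findings, deletes, seen = [], [], set()
    for raw in config.splitlines():
        line = raw.strip()
        m = SWITCHING_RE.match(line)
        if m:
            ifname, unit = m.groups()
            if ("sw", ifname, unit) not in seen:
                seen.add(("sw", ifname, unit))
                findings.append(f"{ifname}.{unit}: Layer 2 Ethernet switching is not supported in cluster mode")
                deletes.append(f"delete interfaces {ifname} unit {unit} family ethernet-switching")
            continue
        m = VLANS_RE.match(line)
        if m:
            if ("vlans", m.group(1)) not in seen:
                seen.add(("vlans", m.group(1)))
                findings.append(f"vlans {m.group(1)}: depends on Layer 2 Ethernet switching")
                deletes.append(f"delete vlans {m.group(1)}")
            continue
        m = IFACE_RE.match(line)
        if m:
            ifname = m.group(1)
            if ifname == "vlan" and ("vlan-if",) not in seen:
                seen.add(("vlan-if",))
                findings.append("interfaces vlan: the VLAN Layer 3 interface requires Layer 2 switching")
                deletes.append("delete interfaces vlan")
            elif ifname in CLUSTER_UNSUPPORTED_IFS and ("if", ifname) not in seen:
                seen.add(("if", ifname))
                findings.append(f"{ifname}: {CLUSTER_UNSUPPORTED_IFS[ifname]} does not work in cluster mode")
            continue
        # Anything else that still points at vlan.N (zones, routing) must be re-homed first,
        # otherwise the commit that deletes the vlan interface fails on the dangling reference.
        ref = VLAN_IF_REF_RE.search(line)
        if ref:
            findings.append(f"{ref.group(0)} is referenced by '{line}'; reassign it before deleting the interface")
    return findings, deletes


def ready_for_cluster(config):
    """True only when no switching configuration remains and no unsupported interface is used."""
    findings, _ = cluster_preflight(config)
    return not findings


if __name__ == "__main__":
    findings, deletes = cluster_preflight(SAMPLE_CONFIG)
    print("\n".join(findings))
    print("\n".join(deletes))
```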
SRX Series devices have the following limitations:
- Only two of the 10 ports on each PIC of 40-port 1-Gigabit Ethernet I/O cards (IOCs) for SRX5600 and SRX5800 devices can simultaneously enable IP address monitoring. Because there are four PICs per IOC, this permits a total of eight ports per IOC to be monitored. If more than two ports per PIC on 40-port 1-Gigabit Ethernet IOCs are configured for IP address monitoring, the commit will succeed but a log entry will be generated, and the accuracy and stability of IP address monitoring cannot be ensured. This limitation does not apply to any other IOCs or devices.
- SRX3400, SRX3600, SRX5600, and SRX5800 devices have the following limitations:
- IP address monitoring is not permitted on redundant Ethernet interface LAGs or on child interfaces of redundant Ethernet interface LAGs.
- In-service software upgrade (ISSU) does not support version downgrading. That is, ISSU cannot install a JUNOS Software release that is earlier than, or has a smaller release number than, the currently installed version.
- On SRX3000 and SRX5000 line chassis clusters, screen statistics data can be gathered on the primary device only.
J Series devices have the following limitation:
- On J Series devices, a Fast Ethernet port from a 4-port Ethernet PIM cannot be used as a fabric link port in a chassis cluster.
Command-Line Interface (CLI)
- On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the device by using the CLI. The number of users allowed to access the device is limited as follows:
- For SRX210 devices: four CLI users and three J-Web users
- For SRX240 devices: six CLI users and five J-Web users
- On SRX210 devices with Integrated Convergence Services, a TDM configuration change might interrupt existing TDM calls, and the affected voice calls stop working. Run the CLI restart rtmd command after making a configuration change.
Dynamic VPN
SRX100, SRX210, and SRX240 devices have the following limitations:
- The IKE configuration for the dynamic VPN client does not support the hexadecimal preshared key.
- The dynamic VPN client IPsec does not support the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol with NULL authentication.
- When you log in through the Web browser (instead of logging in through the dynamic VPN client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the dynamic VPN client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).
Flow and Processing
- On SRX Series and J Series devices, high CPU utilization (caused, for example, by CPU-intensive commands or SNMP walks) can cause BFD sessions to flap while the device is processing large BGP updates.
- Equal-cost multipath (ECMP) does not work with NAT/tunnelling when transit traffic is passed.
- On SRX5800 devices, the IOC hot swap is not supported with network processing bundling. If an IOC that has network processing bundling configured gets unplugged, all traffic to that network processor bundle will be lost.
- GPRS tunneling protocol (GTP) application is supported on well-known ports only. Customized application on other ports is not supported.
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, downgrading is not supported in low-impact in-service software upgrade (ISSU) chassis cluster upgrades (LICU).
- On SRX5800 devices, network processing bundling is not supported in Layer 2 transparent mode.
- On SRX210, SRX240, and J Series devices, broadcast TFTP is not supported when flow is enabled on the device.
- Maximum concurrent SSH, Telnet, and Web sessions—On SRX210, SRX240, and SRX650 devices, the maximum number of concurrent sessions is as follows:

| Sessions | SRX210 | SRX240 | SRX650 |
|----------|--------|--------|--------|
| ssh      | 3      | 5      | 5      |
| telnet   | 3      | 5      | 5      |
| Web      | 3      | 5      | 5      |

Note: These defaults are provided for performance reasons.
- On SRX210 and SRX240 devices, for optimized efficiency, we recommend that you limit use of the CLI and J-Web to the following numbers of sessions:

| Device | CLI | J-Web | Console |
|--------|-----|-------|---------|
| SRX210 | 3   | 3     | 1       |
| SRX240 | 5   | 5     | 1       |
- On SRX100 devices, Layer 3 control protocols (OSPF, using multicast destination MAC address) on the VLAN Layer 3 interface work only with access ports.
Hardware
This section covers filter and policing limitations.
- On SRX3400 and SRX3600 devices, the following feature is not supported by a simple filter:
- Forwarding class as match condition
- On SRX3400 and SRX3600 devices, the following features are not supported by a policer or a three-color-policer:
- Color-aware mode of a three-color-policer
- Filter-specific policer
- Forwarding class as action of a policer
- Logical interface policer
- Logical interface three-color policer
- Logical interface bandwidth policer
- Packet loss priority as action of a policer
- Packet loss priority as action of a three-color-policer
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following features are not supported by a firewall filter:
- Policer action
- Egress FBF
- FTF
- SRX3400 and SRX3600 devices have the following limitations for simple filters:
- In the packet processor on an IOC, up to 100 logical interfaces can be applied with simple filters.
- In the packet processor on an IOC, the maximum number of terms of all simple filters is 4000.
- In the packet processor on an IOC, the maximum number of policers is 4000.
- In the packet processor on an IOC, the maximum number of three-color-policers is 2000.
- The maximum burst size of a policer or three-color-policer is 16 MB.
- On SRX650 devices, the T1/E1 GPIMs (2 or 4 port version) do not work in 9.6R1. This issue is resolved in JUNOS Release 9.6R2 and later releases, but if you roll back to the 9.6R1 image, this issue is still seen.
- On SRX240 and SRX650 devices and 16-port or 24-port GPIMs, the 1G half-duplex mode of operation is not supported in the autonegotiation mode.
Interfaces and Routing
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the Link Aggregation Control Protocol (LACP) is not supported on Layer 2 interfaces.
- On SRX650 devices, MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.
- On SRX240 and SRX650 devices, VLAN IDs 3967 through 4094 fall within the reserved VLAN range, and you cannot configure VLANs with IDs from this range.
- On SRX650 devices, the last 4 ports of a 24-Gigabit Ethernet switch GPIM can be used either as RJ-45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, then the interface will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go up and down intermittently. Similarly when the RJ-45 medium is active and an SFP link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.
- On SRX Series and J Series devices, you can configure the st0 interface for IPsec VPN in any routing instance, but you must configure the gateway external interface in inet.0. The system allows you to assign an external interface that is placed in a routing instance other than inet.0, but that configuration is not supported.
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following multicast IPv6 and MVPN CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
- show pim interfaces inet6
- show pim neighbors inet6
- show pim source inet6
- show pim rps inet6
- show pim join inet6
- show pim mvpn
- show multicast next-hops inet6
- show multicast rpf inet6
- show multicast route inet6
- show multicast scope inet6
- show multicast pim-to-mld-proxy
- show multicast statistics inet6
- show multicast usage inet6
- show msdp sa group group
- set protocols pim interface interface family inet6
- set protocols pim disable interface interface family inet6
- set protocols pim family inet6
- set protocols pim disable family inet6
- set protocols pim apply-groups group disable family inet6
- set protocols pim apply-groups group family inet6
- set protocols pim apply-groups-except group disable family inet6
- set protocols pim apply-groups group interface interface family inet6
- set protocols pim apply-groups group apply-groups-except group family inet6
- set protocols pim apply-groups group apply-groups-except group disable family inet6
- set protocols pim assert-timeout timeout-value family inet6
- set protocols pim disable apply-groups group family inet6
- set protocols pim disable apply-groups-except group family inet6
- set protocols pim disable export export-join-policy family inet6
- set protocols pim disable dr-election-on-p2p family inet6
- set protocols pim dr-election-on-p2p family inet6
- set protocols pim export export-join-policy family inet6
- set protocols pim import export-join-policy family inet6
- set protocols pim disable import export-join-policy family inet6
- On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 kbps. If this rate is oversubscribed (that is, bidirectional traffic of 20 kbps or more), keepalives are not exchanged and the interface goes down.
Intrusion Detection and Prevention (IDP)
- On J2320, J2350, and J4350 devices, loading the Client to Server-Server to Client (CSSC) IDP policy after the Recommended policy has been loaded fails because of heap memory fragmentation.
- On SRX100, SRX210, SRX240, and SRX650 devices, the maximum number of supported entries in the ASC table is 100,000. However, because the user-space buffer has a fixed size of 1 MB, at most 38,837 cache entries are displayed.
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, application-level distributed denial-of-service (application-level DDoS) detection does not work if two rules with different application-level DDoS applications process traffic going to a single destination application server. When setting up application-level DDoS rules, make sure you do not configure rulebase-ddos rules that have two different application-ddos objects while traffic destined to one application server can be processed by more than one rule. Essentially, for each protected application server, you must configure the application-level DDoS rules so that traffic destined for one protected server is processed by only one application-level DDoS rule.

Note: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.
The following configuration can be committed, but it will not work properly:

| source-zone   | destination-zone | destination-ip | service | application-ddos | Application Server |
|---------------|------------------|----------------|---------|------------------|--------------------|
| source-zone-1 | dst-1            | any            | http    | http-appddos1    | 1.1.1.1:80         |
| source-zone-2 | dst-1            | any            | http    | http-appddos2    | 1.1.1.1:80         |
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level denial-of-service (application-level DDoS) rulebase (rulebase-ddos) does not support port mapping. If you configure an application other than default, and the application is either a predefined JUNOS Software application or a custom application that maps an application service to a nonstandard port, application-level DDoS detection will not work.
When you configure the application setting as default, IDP uses application identification to detect applications running on standard and nonstandard ports, hence the application-level DDoS detection would work properly.
- On SRX Series and J Series devices, IP actions do not work when you select a timeout value greater than 65,535 in the IDP policy.
- On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions supported is 16,000.
- On SRX Series devices, all IDP policy templates are supported except All Attacks. There is a 100-MB policy size limit for integrated mode and a 150-MB policy size limit for dedicated mode, and the currently supported IDP policy templates are dynamic, growing as attack signatures are added. Therefore, be aware that supported templates might eventually grow past the policy-size limit.
On SRX Series devices, the following IDP policies are supported:
- DMZ_Services
- DNS_Service
- File_Server
- Getting_Started
- IDP_Default
- Recommended
- Web_Server
- IDP deployed in both active/active and active/passive chassis clusters has the following limitations:
- No inspection of sessions that fail over or fail back.
- The IP action table is not synchronized across nodes.
- The Routing Engine (RE) on the secondary node might not be able to reach networks that are reachable only through a Packet Forwarding Engine (PFE).
- The SSL session-ID cache is not synchronized across nodes. If an SSL session reuses a session-ID and it happens to be processed on a node other than the one on which the session-ID is cached, the SSL session cannot be decrypted and will be bypassed for IDP inspection.
- IDP deployed in active/active chassis clusters has the following limitation:
- For time-binding scope source traffic, if attacks from a source with more than one destination have active sessions distributed across nodes, the attack might not be detected because time-binding counting has a local-node-only view. Detecting this sort of attack requires an RTO synchronization of the time-binding state that is not currently supported.
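The application-level DDoS limitation above (one application-ddos object per protected server) is a property of the rule set that can be verified before commit rather than discovered when detection silently fails. The following is an added example, not code from the release notes or from Juniper: it models rulebase-ddos rules and the protected servers as plain Python data (the two conflicting rows from the table above plus a third, non-conflicting rule are embedded as a constructed sample) and reports servers whose traffic can be processed by rules carrying different application-ddos objects, as well as servers no rule covers at all. The rule fields and the overlap logic (destination zone, destination prefix and service only, since any client may send to the server) are this example's assumptions about how the match is evaluated.

```python
from ipaddress import ip_address, ip_network

# Constructed rulebase-ddos rules modelled on the table in the release note (the first two
# rows) plus one non-conflicting rule; zones, prefixes and object names are illustrative.
DDOS_RULES = [
    {"name": "r1", "source_zone": "source-zone-1", "destination_zone": "dst-1",
     "destination_ip": "any", "service": "http", "application_ddos": "http-appddos1"},
    {"name": "r2", "source_zone": "source-zone-2", "destination_zone": "dst-1",
     "destination_ip": "any", "service": "http", "application_ddos": "http-appddos2"},
    {"name": "r3", "source_zone": "source-zone-1", "destination_zone": "dst-2",
     "destination_ip": "198.51.100.0/24", "service": "dns", "application_ddos": "dns-appddos1"},
]

# Protected application servers as (destination zone, IP, service); also constructed.
SERVERS = [
    ("dst-1", "1.1.1.1", "http"),
    ("dst-2", "198.51.100.7", "dns"),
    ("dst-2", "203.0.113.9", "dns"),
]


def rule_can_process(rule, zone, ip, service):
    """True if traffic to the server could be handled by this rule.

    The source side is ignored on purpose: any client may send to the server, so two rules
    that differ only in source-zone both reach it, which is exactly the broken case.
    """
    if rule["destination_zone"] not in ("any", zone):
        return False
    if rule["service"] not in ("any", service):
        return False
    if rule["destination_ip"] == "any":
        return True
    return ip_address(ip) in ip_network(rule["destination_ip"], strict=False)


def ddos_objects_per_server(rules, servers):
    """Map each server to the set of application-ddos objects whose rules can process its traffic."""
    return {
        srv: {r["application_ddos"] for r in rules if rule_can_process(r, *srv)}
        for srv in servers
    }


def find_ddos_conflicts(rules, servers):
    """Servers reachable by rules with different application-ddos objects; detection is unreliable there."""
    return {
        srv: sorted(objs)
        for srv, objs in ddos_objects_per_server(rules, servers).items()
        if len(objs) > 1
    }


def unprotected_servers(rules, servers):
    """Servers that no rulebase-ddos rule processes at all."""
    return [srv for srv, objs in ddos_objects_per_server(rules, servers).items() if not objs]


if __name__ == "__main__":
    for srv, objs in find_ddos_conflicts(DDOS_RULES, SERVERS).items():
        print(f"{srv}: reached by different application-ddos objects {objs}")
    for srv in unprotected_servers(DDOS_RULES, SERVERS):
        print(f"{srv}: not covered by any application-level DDoS rule")
```

Two rules that share the same application-ddos object are not flagged, because the limitation concerns different objects processing one server's traffic; the fix for a flagged server is to merge the rules or to narrow destination-ip so that only one of them can match.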
IPv6 Support
- ALG—We do not support Application Layer Gateway (ALG) features for IPv6 sessions in JUNOS Release 10.2.
- Chassis cluster—The following features are not supported for IPv6 traffic in JUNOS Release 10.2:
- Active-active deployments for IPv6 sessions
- IP address monitoring for IPv6 destinations
- Class of service—We do not support policers or simple filters for IPv6 traffic in JUNOS Release 10.2.
- Flow-based processing—If you change the forwarding option mode for IPv6, you must reboot the device to initialize the configuration change. Table 10 summarizes device status upon configuration change.

Table 10: Device Status Upon Configuration Change

| Configuration Change       | Commit Warning | Reboot Required | Impact on Existing Traffic Before Reboot | Impact on New Traffic Before Reboot |
|----------------------------|----------------|-----------------|------------------------------------------|-------------------------------------|
| Drop to flow-based         | Yes            | Yes             | Dropped                                  | Dropped                             |
| Drop to packet-based       | No             | No              | Packet-based                             | Packet-based                        |
| Flow-based to packet-based | Yes            | Yes             | None                                     | Flow sessions created               |
| Flow-based to drop         | Yes            | Yes             | None                                     | Flow sessions created               |
| Packet-based to flow       | Yes            | Yes             | Packet-based                             | Packet-based                        |
| Packet-based to drop       | No             | No              | Dropped                                  | Dropped                             |
- IPv6 transition mechanisms—We do not support transition mechanisms, such as NAT, NAT-PT, DS-lite, or tunneling in JUNOS Release 10.2.
- J-Web—We do not support configuration of IPv6-related settings with J-Web in JUNOS Release 10.2. You must use the CLI to configure these settings.
- Multicast—We do not support IPv6 multicast in JUNOS Release 10.2.
- NSM—We do not support configuration of IPv6-related settings with NSM in JUNOS Release 10.2. You must use the CLI to configure these settings.
- Routing protocols—We do not support equal cost multipath (ECMP) or Intermediate System-to-Intermediate System (IS-IS) protocols in JUNOS Release 10.2.
- Screens—The following screens are not supported for IPv6 sessions in JUNOS Release 10.2: syn-flood/syn-proxy/syn-cookie, syn-ack-ack-proxy, ip-spoofing.
- Security policy—We do not support IDP and UTM for IPv6 sessions in JUNOS Release 10.2. If your current security policy uses rules with the IP address wildcard any, and IDP and UTM features enabled, you will encounter configuration commit errors because IDP and UTM features do not yet support IPv6 addresses. To resolve the errors, modify the rule returning the error so that it uses the any-ipv4 wildcard; and create separate rules for IPv6 traffic that do not include IDP or UTM features.
- Stateless firewall filters—The following features are not supported for IPv6 traffic in JUNOS Release 10.2:
- Matching: IPv6 prefix list
- Actions: counter, log, reject, syslog
- System operations—We do not support DHCPv6 in JUNOS Release 10.2.
- User authentication—We do not support firewall authentication or Web authentication over IPv6 in JUNOS Release 10.2.
- VPN—We do not support IPsec or SSL VPN for IPv6 traffic in JUNOS Release 10.2.
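The security policy item above prescribes a mechanical rewrite: every rule that matches the any wildcard and enables IDP or UTM is narrowed to any-ipv4, and a companion rule without IDP or UTM is created for IPv6. The following is an added example, not code from the release notes or from Juniper, that finds the affected rules in a constructed policy list and generates the CLI statements for the split. any-ipv4 is the wildcard the release note names; using any-ipv6 as its IPv6 counterpart, the -v6 suffix for the companion policy name, and the permit action for the companion rule are assumptions of this example.

```python
# Constructed security policies; zone, policy and UTM-policy names are illustrative.
POLICIES = [
    {"from_zone": "trust", "to_zone": "untrust", "name": "allow-web",
     "source_address": "any", "destination_address": "any", "application": "junos-http",
     "idp": True, "utm_policy": "web-filter"},
    {"from_zone": "trust", "to_zone": "untrust", "name": "allow-dns",
     "source_address": "any", "destination_address": "any", "application": "junos-dns-udp",
     "idp": False, "utm_policy": None},
    {"from_zone": "trust", "to_zone": "dmz", "name": "allow-mail",
     "source_address": "lan-hosts", "destination_address": "mail-server",
     "application": "junos-smtp", "idp": True, "utm_policy": None},
]


def needs_split(policy):
    """The commit error only affects rules that use the 'any' wildcard and enable IDP or UTM."""
    uses_any = "any" in (policy["source_address"], policy["destination_address"])
    return uses_any and (policy["idp"] or policy["utm_policy"] is not None)


def split_policy(policy):
    """Return CLI statements that narrow the rule to any-ipv4 and add an IPv6-only companion.

    The existing rule keeps its IDP/UTM settings (only the wildcard is swapped); the companion
    rule gets the same application and a plain permit. 'any-ipv6' and the '-v6' name are
    assumptions of this example, not something the release note states.
    """
    base = f"security policies from-zone {policy['from_zone']} to-zone {policy['to_zone']} policy"
    v4 = f"{base} {policy['name']}"
    v6 = f"{base} {policy['name']}-v6"
    cmds = []
    for field in ("source_address", "destination_address"):
        keyword = field.replace("_", "-")
        if policy[field] == "any":
            cmds.append(f"delete {v4} match {keyword} any")
            cmds.append(f"set {v4} match {keyword} any-ipv4")
    for field in ("source_address", "destination_address"):
        keyword = field.replace("_", "-")
        # A specific IPv4 address-book entry is carried over unchanged; the operator must
        # replace it with an IPv6 entry or the companion rule will never match.
        value = "any-ipv6" if policy[field] == "any" else policy[field]
        cmds.append(f"set {v6} match {keyword} {value}")
    cmds.append(f"set {v6} match application {policy['application']}")
    cmds.append(f"set {v6} then permit")
    return cmds


def remediate(policies):
    """Statements for every policy that would otherwise fail to commit, in configuration order."""
    cmds = []
    for policy in policies:
        if needs_split(policy):
            cmds.extend(split_policy(policy))
    return cmds


if __name__ == "__main__":
    print("\n".join(remediate(POLICIES)))
```

The companion rule is appended at the end of the zone pair, so check its position against any deny rule that precedes it and use insert before if the IPv6 rule must be evaluated earlier.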
J-Web
- On J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.
- On SRX650 devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. To configure a VLAN interface for an IKE gateway, use the CLI.
NetScreen-Remote
- On SRX Series devices, NetScreen-Remote is not supported in JUNOS Release 10.2.
Network Address Translation (NAT)
- NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed. The number of destination and static NAT rules has been increased as shown in Table 11, and the limit on the number of destination-rule-set and static-rule-set entries has also been increased.
Table 11 lists the per-device rule capacity.
Table 11: Number of Rules on SRX Series and J Series Devices

| NAT Rule Type        | SRX100 | SRX210 | SRX240 | SRX650 | SRX3400, SRX3600 | SRX5600, SRX5800 | J Series |
|----------------------|--------|--------|--------|--------|------------------|------------------|----------|
| Source NAT rule      | 512    | 512    | 1024   | 1024   | 8192             | 8192             | 512      |
| Destination NAT rule | 512    | 512    | 1024   | 1024   | 8192             | 8192             | 512      |
| Static NAT rule      | 512    | 512    | 1024   | 1024   | 8192             | 8192             | 512      |
The restriction on the number of rules per rule set has been increased so that there is only a device-wide limitation on how many rules a device can support. This restriction is provided to help you better plan and configure the NAT rules for the device.
- IKE negotiations involving NAT-T—On SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involving NAT-Traversal (NAT-T) do not work if the IKE peer is behind a NAT device that changes the source IP address of the IKE packets during the negotiation. For example, if the NAT device is configured with DIP, it changes the source IP address when the IKE protocol switches the UDP port from 500 to 4500.
Performance
- J Series devices now support IDP and UTM functionality. Under heavy network traffic in a few areas of functionality, such as NAT and IPsec VPN, performance is still being improved to reach the high levels to which Juniper Networks is consistently committed.
Point-to-Point Protocol over Ethernet (PPPoE)
- On SRX240 devices in a chassis cluster, the reth interface cannot be used as the underlying interface for Point-to-Point Protocol over Ethernet (PPPoE).
Security
- J Series devices do not support the authentication order password radius or password ldap in the edit access profile profile-name authentication-order command. Instead, use order radius password or ldap password.
- On SRX Series and J Series devices, the limit on the number of addresses in an address-set has been increased. The number of addresses in an address-set now depends on the device and is equal to the number of addresses supported by the policy.
Table 12 lists the address-set limit per device.
Table 12: Number of Addresses in address-set on SRX Series and J Series Devices

| Device             | address-set |
|--------------------|-------------|
| Default            | 1024        |
| SRX100 High Memory | 1024        |
| SRX100 Low Memory  | 512         |
| SRX210 High Memory | 1024        |
| SRX210 Low Memory  | 512         |
| SRX240 High Memory | 1024        |
| SRX240 Low Memory  | 512         |
| SRX650             | 1024        |
| SRX3400            | 1024        |
| SRX3600            | 1024        |
| SRX5600            | 1024        |
| SRX5800            | 1024        |
| J Series           | 1024        |
SNMP
- On J Series devices, the SNMP NAT-related MIB is not supported in JUNOS Release 10.2.
Switching
- On SRX100, SRX210, SRX240 and SRX650 devices, CoA is not supported with 802.1x.
System
- On SRX650 devices, if one of the four Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/3) is linked up at 10 or 100 Mbps, it will not support jumbo frames. Frames greater than 1500 bytes are dropped.
Unified Threat Management (UTM)
- UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.
VPNs
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, IPsec NAT-T tunnel scaling has the following constraints:
- For a given private IP address, the NAT device should translate both 500 and 4500 private ports to the same public IP address.
- The total number of tunnels from a given public translated IP cannot exceed 1000 tunnels.
WLAN
- The following are the maximum numbers of access points that can be configured and managed from SRX Series devices:
- SRX210—4 access points
- SRX240—8 access points
- SRX650—16 access points
Note: The number of licensed access points can exceed the maximum number of supported access points. However, you can only configure and manage the maximum number of access points.
Related Topics
- New Features in JUNOS Release 10.2 for SRX Series Services Gateways and J Series Services Routers
- Issues in JUNOS Release 10.2 for SRX Series Services Gateways and J Series Services Routers
- Errata and Changes in Documentation for JUNOS Release 10.2 for SRX Series Services Gateways and J Series Services Routers