Known Limitations in Junos OS Release 10.3 for SRX Series Services Gateways and J Series Services Routers
AppSecure
- Junos OS Application Identification—When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.
The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.
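The following script is an added example (not part of the Juniper release notes) that checks the uniqueness rule described above. It assumes that "show services application-identification | display set | match order" prints one line per signature in the form quoted above (set services application-identification application NAME signature order N), and that nested application signatures follow the same pattern under nested-application; the sample output is constructed.

```python
import re
from collections import defaultdict

# Assumed line format, following the set command quoted in the release note.
# "nested-application" is assumed to use the same shape as "application".
ORDER_RE = re.compile(
    r"^set services application-identification "
    r"(?P<kind>nested-application|application) (?P<name>\S+) "
    r"signature order (?P<order>\d+)$"
)

# Constructed sample of "display set | match order" output, not real device output.
SAMPLE_DISPLAY_SET = """\
set services application-identification application junos:HTTP signature order 1
set services application-identification application junos:DNS signature order 2
set services application-identification application my-crm-app signature order 2
set services application-identification nested-application my-nested-app signature order 7
set services application-identification application my-other-app signature order 7
set services application-identification application my-unique-app signature order 50000
"""


def parse_signature_orders(display_set_text):
    """Map each order value to the list of (kind, name) signatures that use it."""
    by_order = defaultdict(list)
    for line in display_set_text.splitlines():
        m = ORDER_RE.match(line.strip())
        if m:
            by_order[int(m.group("order"))].append((m.group("kind"), m.group("name")))
    return by_order


def find_order_conflicts(display_set_text):
    """Return {order: [signatures]} for every order value shared by two or more signatures."""
    by_order = parse_signature_orders(display_set_text)
    return {o: sigs for o, sigs in sorted(by_order.items()) if len(sigs) > 1}


def next_free_order(display_set_text, start=1):
    """Smallest order value >= start that no predefined or custom signature uses yet."""
    used = set(parse_signature_orders(display_set_text))
    candidate = start
    while candidate in used:
        candidate += 1
    return candidate


if __name__ == "__main__":
    for order, sigs in find_order_conflicts(SAMPLE_DISPLAY_SET).items():
        names = ", ".join(f"{kind} {name}" for kind, name in sigs)
        print(f"order {order} is used by more than one signature: {names}")
    print("next free order value:", next_free_order(SAMPLE_DISPLAY_SET))
```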
Chassis Cluster
- In large chassis cluster configurations on SRX3400 or SRX3600 devices, you need to increase the wait time before triggering failover. In a full-capacity implementation, we recommend increasing the wait to 8 seconds by modifying the heartbeat-threshold and heartbeat-interval values in the [edit chassis cluster] hierarchy.
The product of the heartbeat-threshold and heartbeat-interval values defines the time before failover. The default values (heartbeat-threshold of 3 beats and heartbeat-interval of 1000 milliseconds) produce a wait time of 3 seconds.
To change the wait time, modify the option values so that the product equals the desired setting. For example, setting the heartbeat-threshold to 8 and maintaining the default value for the heartbeat-interval (1000 milliseconds) yields a wait time of 8 seconds. Similarly, setting the heartbeat-threshold to 4 and the heartbeat-interval to 2000 milliseconds also yields a wait time of 8 seconds.
SRX100, SRX210, SRX240, and SRX650 devices have the following chassis cluster limitations:
- Virtual Router Redundancy Protocol (VRRP) is not supported.
- In-service software upgrade (ISSU) is not supported.
- The 3G dialer interface is not supported.
- On SRX Series device failover, access points on the Layer 2 switch reboot and all wireless clients lose connectivity for 4-6 minutes.
- On the VDSL Mini-PIM, chassis cluster is not supported in either VDSL or ADSL mode.
- Queuing on aggregated Ethernet (ae) interface is not supported.
- PoE is not supported in chassis cluster mode.
- Group VPN is not supported.
- Sampling features such as J-Flow, packet capture, and port mirroring on reth interfaces are not supported.
- UTM is not supported.
- IDP is not supported in active/active chassis clusters; it is supported in active/backup chassis clusters in Junos OS Release 10.2 and later.
- Switching is not supported in chassis cluster mode.
- The chassis cluster MIB is not supported.
- Packet-based services such as MPLS and CLNS are not supported.
- lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)
- gr-0/0/0—Generic routing encapsulation (GRE) and tunneling
- ip-0/0/0—IP-over-IP (IP-IP) encapsulation
- lt-0/0/0—CoS for Real-time performance monitoring (RPM)
- pp0—PPPoE and PPPoEoA are not supported.
- ISDN and WXC (also not supported in standalone mode)
For other limitations in chassis cluster, see “Limitations of Chassis Clustering” in the Junos OS Security Configuration Guide.
Command-Line Interface (CLI)
On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the device by using the CLI. The number of users allowed to access the device is limited as follows:
- For SRX210 devices: four CLI users and three J-Web users
- For SRX240 devices: six CLI users and five J-Web users
- On SRX210 devices with Integrated Convergence Services, a TDM configuration change might interrupt existing TDM calls, and voice calls stop working. Run the restart rtmd CLI command after making a configuration change.
Dynamic VPN
SRX100, SRX210, and SRX240 devices have the following limitations:
- The IKE configuration for the dynamic VPN client does not support the hexadecimal preshared key.
- The dynamic VPN client IPsec does not support the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol with NULL authentication.
- When you log in through the Web browser (instead of logging in through the dynamic VPN client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the dynamic VPN client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).
Flow and Processing
- On SRX Series and J Series devices, high CPU utilization, triggered by causes such as CPU-intensive commands or SNMP walks, causes BFD sessions to flap while large BGP updates are being processed.
For other limitations in flow and processing, see “Limitations of Flow and Processing” in the Junos OS Security Configuration Guide.
Hardware
This section covers filter and policing limitations.
- On SRX3400 and SRX3600 devices, the following feature is not supported by a simple filter:
  - Forwarding class as match condition
- On SRX3400 and SRX3600 devices, the following features are not supported by a policer or a three-color-policer:
  - Color-aware mode of a three-color-policer
  - Filter-specific policer
  - Forwarding class as action of a policer
  - Logical interface policer
  - Logical interface three-color policer
  - Logical interface bandwidth policer
  - Packet loss priority as action of a policer
  - Packet loss priority as action of a three-color-policer
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following features are not supported by a firewall filter:
  - Policer action
  - Egress FBF
  - FTF
- SRX3400 and SRX3600 devices have the following limitations of a simple filter:
  - In the packet processor on an IOC, up to 100 logical interfaces can be applied with simple filters.
  - In the packet processor on an IOC, the maximum number of terms of all simple filters is 4000.
  - In the packet processor on an IOC, the maximum number of policers is 4000.
  - In the packet processor on an IOC, the maximum number of three-color-policers is 2000.
  - The maximum burst size of a policer or three-color-policer is 16 MB.
- On SRX650 devices, the T1/E1 GPIMs (2 or 4 port version) do not work in 9.6R1. This issue is resolved in Junos OS Release 9.6R2 and later releases, but if you roll back to the 9.6R1 image, this issue is still seen.
- The SRX220 Services Gateway does not support the 1-port SFP Mini-PIM.
- The SRX220 Services Gateway does not support any new software features initially introduced in Junos OS Release 10.3. It only supports software features introduced in Junos OS Release 10.2 and earlier.
- On SRX240 and SRX650 devices with 16-port or 24-port GPIMs, the 1G half-duplex mode of operation is not supported in the autonegotiation mode.
Interfaces and Routing
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the Link Aggregation Control Protocol (LACP) is not supported on Layer 2 interfaces.
- On SRX650 devices, MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.
- On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls within the reserved VLAN range, and users cannot configure VLANs from this range.
- On SRX650 devices, the last 4 ports of a 24-Gigabit Ethernet switch GPIM can be used either as RJ-45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, then the interface will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go up and down intermittently. Similarly when the RJ-45 medium is active and an SFP link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.
- On SRX Series and J Series devices, IPsec can be used only on an interface that resides in the inet.0 routing instance. An internal or external interface cannot be assigned to the IKE policy if that interface is placed in a routing instance other than inet.0.
- On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 Kbps. When this amount is oversubscribed (that is, bidirectional traffic of 20 Kbps or above), keepalives are not exchanged, and the interface goes down.
- On SRX3400 and SRX3600 devices, BGP-based VPLS over aggregated Ethernet (ae) interfaces is not supported in this release. It works on child ports and physical interfaces.
- On SRX100, SRX210, SRX240, and SRX650 devices, the following features are not supported on L3 AE interfaces:
  - Encapsulations (Ether CCC, VLAN CCC, VPLS, PPPoE, and so on) on L3 AE interfaces
  - J-Web
  - L3 AE for 10 GE XPIM ports
Intrusion Detection and Prevention (IDP)
- IDP does not allow header checks for nonpacket contexts.
- On SRX100 and SRX210 devices, policy compilation takes a long time because:
  - Software DFA is now used for attack signature compilation.
  - The IDPD daemon gets a smaller CPU time slice during compilation.
- On SRX240 devices, the total available heap memory is 182 MB, of which the flow and jsf modules use 39 MB. As a result, there is not enough memory for IDP to load the IDP_Default policy.
For all other limitations in IDP, see “Limitations of IDP” in the Junos OS Security Configuration Guide.
IPv6 Support
For limitations in IPv6, see “Limitations of IPv6” in the Junos OS Security Configuration Guide.
J-Web
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the J-Web Point and Click CLI configuration page shows an error when it is committed together with a candidate configuration from the CLI.
- On J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.
- On SRX650 devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. To configure a VLAN interface for an IKE gateway, use the CLI.
NetScreen-Remote
- On SRX Series devices, NetScreen-Remote is not supported in Junos OS Release 10.3.
Network Address Translation (NAT)
- NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed.
The number of destination and static NAT rules has been increased as shown in Table 5. The limit on the number of destination rule sets and static rule sets has also been increased.
Table 5 lists, per device, the increased configuration limits and the scaled rule capacity.
Table 5: Number of Rules on SRX Series and J Series Devices

| NAT Rule Type | SRX100 | SRX210 | SRX240 | SRX650 | SRX3400, SRX3600 | SRX5600, SRX5800 | J Series |
|---|---|---|---|---|---|---|---|
| Source NAT rule | 512 | 512 | 1024 | 1024 | 8192 | 8192 | 512 |
| Destination NAT rule | 512 | 512 | 1024 | 1024 | 8192 | 8192 | 512 |
| Static NAT rule | 512 | 512 | 1024 | 1024 | 8192 | 8192 | 512 |
The restriction on the number of rules per rule set has been increased so that there is only a device-wide limitation on how many rules a device can support. This restriction is provided to help you better plan and configure the NAT rules for the device.
- IKE negotiations involving NAT-T—On SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involving NAT-Traversal (NAT-T) do not work if the IKE peer is behind a NAT device that changes the source IP address of the IKE packets during the negotiation. For example, if the NAT device is configured with DIP, it changes the source IP address because the IKE protocol switches the UDP port from 500 to 4500.
Performance
- J Series devices now support IDP and UTM functionality. Under heavy network traffic in a few areas of functionality, such as NAT and IPsec VPN, performance is still being improved to reach the high levels to which Juniper Networks is consistently committed.
Point-to-Point Protocol over Ethernet (PPPoE)
- On SRX240 devices in a chassis cluster, the reth interface cannot be used as the underlying interface for Point-to-Point Protocol over Ethernet (PPPoE).
Security
- J Series devices do not support the authentication order password radius or password ldap in the [edit access profile profile-name] authentication-order statement. Instead, use the order radius password or ldap password.
- On SRX220 High Memory devices, the maximum number of concurrent firewall authentication users allowed is 750, which is less than the specified requirement of 1024 licenses.
For all other limitations in security, see “Addresses and Address Sets” in the Junos OS Security Configuration Guide.
SNMP
- On J Series devices, the SNMP NAT-related MIB is not supported in Junos OS Release 10.3.
Switching
- On SRX100, SRX210, SRX240, and SRX650 devices, CoA is not supported with 802.1x.
- On SRX100, SRX210, SRX240, and SRX650 devices, the following features are not supported on the routed VLAN interface:
  - IPv6 (family inet6)
  - ISIS (family ISO)
  - Class-of-service
  - Encapsulations (Ether CCC, VLAN CCC, VPLS, PPPoE, and so on) on VLAN interfaces
  - CLNS
  - PIM
  - DVMRP
  - VLAN interface MAC change
  - Gratuitous ARP
  - Change of VLAN ID for a VLAN interface
System
- On SRX650 devices, if one of the four Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/3) is linked up at 10 or 100 Mbps, it will not support jumbo frames. Frames greater than 1500 bytes are dropped.
Unified Threat Management (UTM)
- UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.
VPNs
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IPsec NAT-T tunnel scaling and sustaining issues are as follows:
  - For a given private IP address, the NAT device should translate both the 500 and 4500 private ports to the same public IP address.
  - The total number of tunnels from a given public translated IP address cannot exceed 1000 tunnels.
WLAN
- The following are the maximum numbers of access points that can be configured and managed from SRX Series devices:
  - SRX210—4 access points
  - SRX240—8 access points
  - SRX650—16 access points
Note: The number of licensed access points can exceed the maximum number of supported access points. However, you can only configure and manage the maximum number of access points.
Related Topics
- New Features in Junos OS Release 10.3 for SRX Series Services Gateways and J Series Services Routers
- Issues in Junos OS Release 10.3 for SRX Series Services Gateways and J Series Services Routers
- Errata and Changes in Documentation for Junos OS Release 10.3 for SRX Series Services Gateways and J Series Services Routers