
Known Behavior


This section contains the known behaviors and limitations in this release.

Weighted Round-Robin of Subscriber Traffic on a Port Limitations

The following list describes the limitations for WRR:

  • The delay-buffer rate must be configured for WRR to work correctly.

  • A discrepancy in the delay-buffer rate values among the VLANs belonging to the same level 2 scheduler node can cause the WRR to work incorrectly.

  • WRR does not work correctly if the ratio of the shaping rate is greater than 100 among all the subscribers.

  • The number of level 2 scheduler nodes and the number of subscribers per level 2 scheduler node must be equal to 32,000 for WRR to work correctly.

  • Any modification to the level 2 scheduler node configuration requires an FPC reset.

Group VPN Limitations

Junos OS group VPN does not provide support for the following:

  • GDOI groupkey-push exchange. Hence, neither unicast nor multicast push is supported.

  • Multicast traffic

  • Post-fragmentation of packets


  • Anti-replay

  • GAP payload

  • Protocol and port in the policies sent by the server. The group member honors only the IP address/subnet specified in the policy.

  • Multiple unpaired policies for the same traffic key/SPI

  • Overlapping of both local and remote IP across routing instances in an IKE gateway configuration

  • Overlapping group VPN policies that can result in mismatched SAs

  • IPv6 for control and data traffic

  • Co-existence of IPsec and group VPN on the same service set

  • Co-existence of services like NAT and ALG on the same service set. NAT and group VPN can co-exist on different service sets. However, they cannot co-exist on the same service set.

  • Site To Site (S2S) VPN and Dynamic End Point (DEP) VPN can co-exist with group VPN on different service sets. However, they cannot co-exist on the same service set.

  • Multiple groups on same service set

  • Group member support with SRX GC/KS

  • Logical Key Hierarchy (LKH)

  • Graceful restart

  • High availability

  • Unified ISSU

  • Private key IPsec (PKI) support for authentication

  • Aggregated multiservices (AMS) interface and load balancing support

  • Multiple groups per service set

  • Same gateway for multiple groups. The same local and remote address pair cannot be used for multiple groups.

  • Transport networks (MPLS or VXLAN)

  • The group VPN members can connect to a maximum of four Cisco GC/KSs with minimum interoperability with the cooperative servers.

  • The MX Series routers with redundancy between them act as Group VPN members and not as a key server.

  • Group VPN does not inspect the deny policy content.

  • No scope policy configuration support on the group VPN member.

  • The group VPN members will not receive heartbeat messages during a server reboot.

Non-Group VPN Limitations

Junos OS non-group VPN (regular IPsec use cases) does not support the following:

  • Interface-style service set configuration with match-direction output.

  • The skip clause in service-filter.

  • The post-service-filter statement.

  • The tcp-mss statement that applies to all IPv4 TCP SYN packets traversing all the router’s ingress interfaces.

  • IPsec SNMP.

  • Routing protocol support for IPsec (like BGP or OSPF over IPsec).