Known Behavior
This section contains the known behaviors and limitations in this release.
Weighted Round-Robin of Subscriber Traffic on a Port Limitations
The following list describes the limitations for WRR:
The delay-buffer rate must be configured for WRR to work correctly.
A discrepancy in the delay-buffer rate values among the VLANs belonging to the same level 2 scheduler node can cause the WRR to work incorrectly.
WRR does not work correctly if the ratio of the shaping rate is greater than 100 among all the subscribers.
The number of level 2 scheduler nodes and the number of subscribers per level 2 scheduler node must be equal to 32,000 for it to work correctly.
Any modification to the level 2 scheduler node configuration requires an FPC reset.
Group VPN Limitations
Junos OS group VPN does not provide support for the following:
GDOI groupkey-push exchange. Hence, both unicast and multicast push are not supported.
Multicast traffic
Post-fragmentation of packets
GDOI SNMP MIBs
Anti-replay
GAP payload
Protocol and port in the policies sent by the server. The group member honors only the IP address/subnet specified in the policy.
Multiple unpaired policies for the same traffic key/SPI
Overlapping of both local and remote IP across routing instances in an IKE gateway configuration
Overlapping group VPN policies that can result in mismatched SAs
IPv6 for control and data traffic
Co-existence of IPsec and group VPN on the same service set
Co-existence of services like NAT and ALG on the same service set. NAT and group VPN can co-exist on different service sets. However, they cannot co-exist on the same service set.
Site To Site (S2S) VPN and Dynamic End Point (DEP) VPN can co-exist with group VPN on different service sets. However, they cannot co-exist on the same service set.
Multiple groups on the same service set
Group member support with SRX GC/KS
Logical Key Hierarchy (LKH)
Graceful restart
High availability
Unified ISSU
Private key IPsec (PKI) support for authentication
Aggregated multiservices (AMS) interface and load balancing support
Multiple groups per service set
Same gateway for multiple groups, wherein the same local and remote address pair cannot be used for multiple groups.
Transport networks (MPLS or VXLAN) are not supported.
The group VPN members can connect to a maximum of four Cisco GC/KSs with minimum interoperability with the cooperative servers.
The MX Series routers with redundancy between them act as Group VPN members and not as a key server.
The group VPN does not inspect the deny policy content.
No scope policy configuration support on the group VPN member.
The group VPN members will not receive heartbeat messages during a server reboot.
Non-Group VPN Limitations
Junos OS non-group VPN (that is, regular IPsec use cases) does not support the following:
The interface-style service set configuration is not supported with match-direction output.
The skip clause in service-filter.
The post-service-filter statement.
The tcp-mss statement that applies to all IPv4 TCP SYN packets traversing all the router’s ingress interfaces.
IPsec SNMP.
Routing protocol support for IPsec (like BGP or OSPF over IPsec).