
Known Limitations


This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 15.1X49-D240 for vSRX.

Authentication and Access Control

  • When you use a third-party certificate chain that contains at least one intermediate CA certificate for the WebAuth redirect page, the HTTPS REST API, or J-Web access, you might observe that vSRX does not send the intermediate certificate to the client. PR1443072

Chassis Clustering

  • The vSRX chassis cluster control link might go down when the traffic is high and the secondary node is disabled. PR1229172

  • When running VMware ESXi 5.5.0U3, in the output of the show chassis fpc detail command, the current status of fpc0 is displayed as cluster mode. The status should be displayed as online instead of cluster mode. As a workaround, use VMware ESXi 5.5.0U2, or upgrade to VMware ESXi 6.0. PR1141998

  • In a chassis cluster, the following issues might occur:

    • Coldsync failure might occur when PCI Passthrough is used as a fabric link.

    • The vSRX instance might become unresponsive when Page Modification Logging (PML) is enabled with an Intel E5 or E7 processor with four vCPUs.

    • An XL710 driver-specific MAC-VLAN limitation might cause traffic to stop or be dropped.



  • On a vSRX instance, you cannot capture plain ping-to-host revenue ports traffic by using the monitor traffic command. PR1234321

Ethernet Switching

  • On the vSRX platform, packets with a VLAN tag cannot cross over ESXi hosts through VXLAN port groups when NSX components are installed. PR1092517

  • vMX (hardware virtualization) is not supported for vSRX deployed on Microsoft Azure Cloud. It has no impact on vSRX functionalities, but it will slightly affect the bootup time and configuration commit time. PR1231270

Flow-Based and Packet-Based Processing

  • When vSRX FTP self-traffic crosses a virtual router, the FTP session might fail. PR1079190

  • The loopback interface (lo0.0) and the GRE physical interface are not supported in different zones. As a workaround, configure the interfaces in the same zone, or use the physical interface's IP address as the GRE source IP address. PR1081171

  • A firewall in FIPS mode cannot enroll in Juniper Sky ATP. The request security pki ca-certificate enroll command is not supported in FIPS mode. PR1430364

Interfaces and Routing

  • In deployments using SR-IOV interfaces, Address Resolution Protocol (ARP) does not work when jumbo frames are used on a physical NIC. PR1074041

  • VRRP is not supported on vSRX instances based on VMware hypervisors because VMware does not support virtual MAC addresses. PR1079742

  • On a vSRX instance with a DPDK driver, the Gigabit Ethernet interface does not get the link up state message from the virtual function (VF) interface of the DPDK driver when the state of the physical function (PF) interface changes from down to up. PR1081116

  • Due to some issues in DPDK library 1.8, the status of the vmxnet3 interface is not displayed correctly when the vSRX VM NIC setting is edited and the Connected option is checked or unchecked. PR1081422

  • In deployments using SR-IOV interfaces, packets are dropped when an external MAC address is assigned to a physical interface on a vSRX instance. This issue occurs because SR-IOV does not allow changes to the MAC address in either the physical function (PF) or the virtual function (VF). PR1091333

  • When a vSRX Layer 2 chassis cluster with a virtio device is deployed on a KVM server, there might be packet loss during a redundancy group failure because the MAC entry at the vSwitch layer cannot be updated by the chassis cluster. PR1092288

  • RSVP or MPLS cannot work on an ESXi host with NSX components installed. PR1092514

  • DPDK does not provide the out-multicast count on its interface driver. Hence, the interface out count for multicast packets is displayed as input count on the egress interface. PR1093389

  • With vSRX in transparent mode on a VMware ESXi 5.1 host, some packets might get corrupted at the VMXNET3 driver level, if TCP segmentation offload (TSO) is enabled on the host. As a workaround, disable TSO on the host. This issue does not occur with VMware ESXi 5.5 and later versions. PR1200051

  • When performing a rapid disable interface or enable interface sequence on a vSRX instance (for example, by using a script), the NIC might become unresponsive and might be unable to receive packets. This is a limitation of the Intel i40e driver. As a workaround, avoid using a script to perform a rapid disable interface or enable interface sequence on a vSRX instance. If you encounter this issue, log in to the host and reload the Intel i40e driver to recover the NIC. PR1253659

  • When Intel X710 and CL710 cards are used as SR-IOV interfaces, VLAN is not supported. PR1278672


  • Adding a block of 2000 or more global addresses at a time to the list of exempted addresses for an SSL proxy profile might cause the J-Web interface to become unresponsive. PR1278087

  • J-Web does not support feature-level role-based access control (RBAC) for system users. Only users with permission "all" are supported. A user with a limited configuration permission other than "all", such as configure, view, or view-configuration, can perform a commit from the CLI. PR1404887

  • In the J-Web interface, you cannot view the custom log files that are created for event logging. PR1280857

Performance and Scaling

  • On vSRX instances with eight vNIC instances, UDP throughput might decrease when compared to the UDP throughput on vSRX instances with the default configuration of three vNIC instances. PR1075940

  • vSRX uses DPDK to increase packet performance by caching packets to send traffic in burst mode. Latency-sensitive applications must account for this burst operation. PR1087887

Platform and Infrastructure

  • On vSRX instances deployed on a VMware virtual machine, the serial console cannot be used through the network to redirect console messages to a Telnet session. PR1064974

  • The vSRX2.0 instances might be in db prompt when you initiate 50+ vSRX2.0 instances. PR1120585

  • The AWS snapshot feature cannot be used to clone vSRX virtual machines (VMs). PR1160582

  • For vSRX (not vSRX 3.0), it is required to have Hardware Virtualization (VMX CPU flag) enabled. If it is not enabled, unexpected behavior may be seen, such as chassis cluster issues and vmcore occurring in the Routing Engine. PR1234975

Routing Protocols

  • On a vSRX instance acting as a Rendezvous Point (RP), when it receives successive PIM register packets, only the first one is de-encapsulated and sent out. The subsequent PIM register packets are dropped. The multicast data packets also might be dropped because of a Reverse Path Forwarding (RPF) check failure during the multicast routing entry installation sequence. PR1114293

Unified Threat Management (UTM)

  • In vSRX deployments configured with Sophos Antivirus, some files that are larger than the configured max-content-size might not go into fallback mode. After these files are retransmitted several times, they might pass with a clean or an infected result. This issue is specific to a few protocols that do not send the content size before attempting to transmit files. PR1093984


  • IPv6 firewall filters cannot be applied to virtual channels. PR1182367

  • An error message might occur for show or clear commands if IPsec VPN is configured with over 1000 tunnels. PR1093872