
Known Behavior


This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 15.1X49-D200 for vSRX.

Chassis Clustering

  • The vSRX chassis cluster control link might go down when the traffic is high and the secondary node is disabled. PR1229172

  • When running VMware ESXi 5.5.0U3, in the show chassis fpc detail output, the current status of fpc0 shows that it is in cluster mode. Normally, the mode is displayed as online. As a workaround, use VMware ESXi 5.5.0U2 or upgrade to VMware ESXi 6.0. PR1141998

  • If the Forwarding Engine Boards (FEBs) go offline due to a hardware failure on the primary node of a chassis cluster, traffic might be disrupted until the data plane recovers. PR1144996

  • In a chassis cluster, the following issues might occur:

    • Coldsync failure might occur when PCI Passthrough is used as a fabric link.

    • The vSRX instance might become unresponsive when Page Modification Logging (PML) is enabled with an Intel E5 or E7 instance with four vCPUs.

    • An XL710 driver-specific MAC-VLAN limitation might cause traffic to stop or be dropped.



  • On a vSRX instance, you cannot capture plain ping-to-host traffic on revenue ports by using the monitor traffic command. PR1234321

Ethernet Switching

  • On a VMware ESXi host, packets with VLAN tags do not cross over ESXi hosts when NSX components are installed through Virtual Extensible LAN (VXLAN) port groups. PR1092517

  • vmx is not supported for vSRX deployed on Microsoft Azure Cloud. This has no impact on vSRX functionality, but it slightly affects the bootup time and configuration commit time. PR1231270

Flow-based and Packet-based Processing

  • When vSRX FTP self-traffic crosses a virtual router, the FTP session might fail. PR1079190

  • The loopback interface (lo0.0) and the GRE physical interface are not supported in different zones. As a workaround, configure the interfaces in the same zone, or use the physical interface's IP address as the GRE source IP address. PR1081171

  • When a vSRX instance is deployed on Contrail 2.2 and the deployment is scaled to multiple instances, one of the instances might go into debug prompt mode. PR1120585

  • FIPS Mode Firewall cannot enroll in Sky ATP. The request security pki ca-certificate enroll command is not supported in FIPS mode. PR1430364

Interfaces and Routing

  • In deployments using SR-IOV interfaces, Address Resolution Protocol (ARP) does not work when jumbo frames are used on a physical NIC. PR1074041

  • When Intel X710 and CL710 cards are used as SR-IOV interfaces, VLAN is not supported. PR1278672

  • VRRP is not supported on vSRX instances based on VMware hypervisors because VMware does not support virtual MAC addresses. PR1079742

  • On a vSRX instance with a DPDK driver, the Gigabit Ethernet interface does not get the link up state message from the virtual function (VF) interface of the DPDK driver when the state of the physical function (PF) interface changes from down to up. PR1081116

  • Due to issues in DPDK library 1.8, the status of the vmxnet3 interface is not displayed correctly when the vSRX VM NIC setting is edited and the Connected option is checked or unchecked. PR1081422

  • In deployments using SR-IOV interfaces, packets are dropped when an external MAC address is assigned to a physical interface on a vSRX instance. This issue occurs because SR-IOV does not allow changes to the MAC address in either the physical function (PF) or the virtual function (VF). PR1091333

  • When a vSRX Layer 2 chassis cluster with a virtio device is deployed on a KVM server, there might be packet loss during a redundancy group failure because the MAC entry at the vSwitch layer cannot be updated by the chassis cluster. PR1092288

  • With vSRX in transparent mode on a VMware ESXi 5.1 host, some packets might get corrupted at the VMXNET3 driver level if TCP segmentation offload (TSO) is enabled on the host. As a workaround, disable TSO on the host. This issue does not occur with VMware ESXi 5.5 and later versions. PR1200051

  • DPDK does not provide the out-multicast count on its interface driver. Hence, the interface out count for multicast packets is displayed as input count on the egress interface. PR1093389

  • For vSRX instances, RSVP and MPLS do not work with an ESXi host when NSX components are installed. PR1092514

  • When performing a rapid disable interface or enable interface sequence on a vSRX instance (for example, by using a script), the NIC might become unresponsive and might be unable to receive packets. This is a limitation of the Intel i40e driver. As a workaround, avoid using a script to perform a rapid disable interface or enable interface sequence on a vSRX instance. If you encounter this issue, log in to the host and reload the Intel i40e driver to recover the NIC. PR1253659


J-Web

  • Adding a block of 2000 or more global addresses at a time to the list of exempted addresses for an SSL proxy profile might cause the J-Web interface to become unresponsive. PR1278087

  • In the J-Web interface, you cannot view the custom log files that are created for event logging. PR1280857

  • J-Web does not support feature-level role-based access control (RBAC) for system users. Only users with the "all" permission are supported. A user with a limited configuration permission other than "all", such as configure, view, or view-configuration, can perform commits from the CLI. PR1404887

Performance and Scaling

  • On vSRX instances with eight vNIC instances, UDP throughput might decrease when compared to the UDP throughput on vSRX instances with the default configuration of three vNIC instances. PR1075940

  • vSRX uses DPDK to increase packet performance by caching packets to send traffic in burst mode. Latency-sensitive applications must account for this burst operation. PR1087887

Platform and Infrastructure

  • On vSRX instances deployed on a VMware virtual machine, the serial console cannot be used through the network to redirect console messages to a Telnet session. PR1064974

  • The AWS snapshot feature cannot be used to clone vSRX virtual machines (VMs). PR1160582

Routing Protocols

  • On all SRX Series devices acting as a rendezvous point (RP), when the device receives successive PIM register packets, only the first one is decapsulated and sent out; the subsequent PIM register packets are dropped. Multicast data packets might also be dropped because of Reverse Path Forwarding (RPF) check failures while the multicast routing entry is being installed. PR1114293

Unified Threat Management (UTM)

  • In vSRX deployments configured with Sophos Antivirus, some files that are larger than the configured max-content-size might not go into fallback mode. After these files are retransmitted several times, they might pass with a clean or an infected result. This issue is specific to a few protocols that do not send the content size before attempting to transmit files. PR1093984


  • On vSRX instances, if you have configured a large number of IPsec VPNs—for example, 1000 or more—when you use the show security ipsec security-associations command to check the IPsec SA, an error message might be displayed. This error message is not displayed after multiple attempts, and after you execute the clear security ipsec security-associations command. A timeout error message might be displayed because of a lack of response from the system. PR1093872

  • IPv6 firewall filters cannot be applied to virtual channels. PR1182367