Resolved Issues
This section lists the issues that have been fixed in Junos OS Release 17.4 for vSRX.
The Junos OS Release 17.4R3 for vSRX is at feature parity with Junos OS Release 17.4R1. For the complete list of resolved issues in Junos OS Release 17.4R1, see Junos OS Release 17.4R1 for vSRX Release Notes.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Resolved Issues: 17.4R3
Flow and Processing
On the vSRX platform, when the secure-wire feature is used, the flowd process might generate a core file when one of the secure-wire interfaces goes down. PR1430071
Interfaces and Routing
In a vSRX chassis cluster running on the KVM hypervisor, the MAC address of a child ge-x/x/x interface is the same as the MAC address of its redundant Ethernet (reth) interface, regardless of whether the child interface is on the primary or the secondary node. PR1385138
vSRX instances on Microsoft Azure cannot be managed using the serial console. PR1439148
J-Web
In J-Web, the local-identity option of the client VPN is not available. If you configure the local-identity option from the CLI and then commit using J-Web, the local-identity configuration is removed. This can prevent the VPN from being established. PR1404024
Licensing
A trial license that has been deleted reappears after a reboot. PR1367939
Platform and Infrastructure
If a value of a larger data type is written into a variable of a smaller data type, the neighboring stack data, including pointers, is overwritten and corrupted. Accessing an address through such a corrupted pointer generates a core file, and the vSRX instance stops functioning. PR1412441
Routing Policy and Firewall Filters
If a domain address is configured in a policy, the device or instance assumes that the policy needs this domain address and keeps retrying to resolve the addresses for the domain. The domain remains in the DNS cache until it is removed from all policies. When the DNS server replies with an error code (such as ServFail, NXDomain, or YXDomain), the current DNS cache entry (domain name and IP list) is not flushed. PR1426186
Security
The ipfd process generates core files because of a file handle leak. PR1390150
Upgrade and Downgrade
When you upgrade a vSRX instance on Azure from a previous release, the MAC address is missing from ge-0/0/1 after the upgrade. PR1410825
VPNs
When aes-gcm is configured in an IKE proposal, the commit check enforces that the IPsec proposal also uses aes-gcm. PR1366459
The kmd process stops and generates a core file when the encryption-algorithm is not configured in the IPsec proposal. PR1403156
On vSRX 3.0 instances, the pkid process might generate core files when the auto-enrollment feature is enabled. PR1415968
Resolved Issues: 17.4R2
Application Layer Gateways (ALGs)
When a SIP configuration is used on a vSRX VM, a SIP call might fail if the INVITE arrives with more than one Via header, because the vSRX VM strips the extra headers and keeps only one Via header. The set security alg sip keep-via-header configuration statement has been added to control whether the Via headers in SIP request messages are stripped. The default value is disable. PR1351664
Note: If set security alg sip keep-via-header is set to enable, the SIP ALG applies NAT translation only to the first Via header in SIP request messages.
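As an added illustration (constructed here, not Juniper or vSRX code), the following Python models the two ALG behaviours described above on a constructed INVITE: the original strip-to-one-Via behaviour, and the keep-via-header behaviour in which every Via header is retained but only the first one is NAT-translated. The private and public addresses, the INVITE text and the parsing helpers are assumptions made for the demonstration; a real SIP ALG also rewrites the Contact header and SDP body, which this example leaves untouched.

```python
"""Model of SIP ALG Via-header handling (constructed example, not vSRX code)."""
from typing import List, Tuple

# Constructed INVITE with two Via headers: the inside host that sent it to
# the firewall (10.0.0.5) and an earlier hop (10.0.0.9).
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/UDP 10.0.0.9:5060;branch=z9hG4bKnashds8\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

Header = Tuple[str, str]


def split_message(raw: str) -> Tuple[str, List[Header], str]:
    """Split a SIP message into request line, (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def join_message(request_line: str, headers: List[Header], body: str) -> str:
    """Serialize the message again with CRLF line endings."""
    return request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def nat_via(value: str, private_ip: str, public_ip: str) -> str:
    """Rewrite the sent-by host of one Via value ('SIP/2.0/UDP host:port;params')."""
    protocol, _, rest = value.partition(" ")
    sent_by, semi, params = rest.partition(";")
    host, colon, port = sent_by.partition(":")
    if host == private_ip:
        host = public_ip
    return f"{protocol} {host}{colon}{port}{semi}{params}"


def alg_process(raw: str, private_ip: str, public_ip: str, keep_via_header: bool = False) -> str:
    """Apply the ALG's Via handling to a SIP request.

    keep_via_header=False: keep only the first Via (NAT-translated) and drop the rest.
    keep_via_header=True:  keep every Via, but NAT-translate only the first one.
    """
    request_line, headers, body = split_message(raw)
    out: List[Header] = []
    via_seen = 0
    for name, value in headers:
        if name.lower() != "via":
            out.append((name, value))
            continue
        via_seen += 1
        if via_seen == 1:
            out.append((name, nat_via(value, private_ip, public_ip)))
        elif keep_via_header:
            out.append((name, value))  # retained untouched
        # otherwise the extra Via is stripped, which is what broke multi-hop calls
    return join_message(request_line, out, body)


def via_headers(raw: str) -> List[str]:
    """Return the Via header values of a message, in order."""
    return [value for name, value in split_message(raw)[1] if name.lower() == "via"]
```

Running alg_process on the constructed INVITE with the default setting leaves a single, translated Via; with keep_via_header=True the second Via survives unchanged, which is the behaviour the note above describes.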
When a SIP configuration is used on a vSRX VM, the Route header in the SIP ACK request might not be correctly NAT-translated by the SIP ALG. PR1361470
Chassis Clustering
In HA deployments, VPN cleanup might not function as expected. Under certain circumstances, a VPN security association (SA) installed in the PFE is associated with the wrong VPN interface, and neither a kmd daemon restart nor an RG0 failover cleans up the incorrectly linked VPN, so VPN traffic continuously fails. PR1352537
Interfaces and Routing
The minimum source-threshold and destination-threshold value for tcp syn-flood in the set security screen ids-option command has changed from 1 to 4. PR1349327
IPv6 Flow
The flowd process (responsible for traffic forwarding on all SRX platforms, including vSRX instances) might become unresponsive and generate a core dump when traffic is passing through IPsec tunnels and a tunnel flaps at the same time. PR1339905
If the SRX platform is configured in high-availability mode, RG1+ (the data plane) fails over to the secondary node.
If the SRX platform is configured in stand-alone mode, traffic is interrupted until the flowd process is automatically restarted.
If this issue occurs, the show system core-dumps command displays output similar to the following:
/var/tmp/flowd_xlr-SPC*_0*.core.0.gz (in high-end SRX) /var/tmp/flowd_octeon_hm.core-tarball.0.tgz (in branch SRX)
Licensing
On all SRX platforms, including vSRX instances, in rare cases the Routing Engine CPU utilization becomes high after a license key is renewed. PR1325236
Network Management and Monitoring
On a vSRX VM deployed with nested virtualization disabled (Nested=N), the vSRX fails to generate an SNMP trap when a cold restart is performed. PR1350826
Platform and Infrastructure
On the SRX1500, SRX4100, SRX4200, and vSRX platforms, committing a configuration might produce the following error log messages: PR1305352
vSRX240 mgd[2521]: UI_CMDLINE_READ_LINE: User 'xxx', command 'commit'
vSRX240 utmd[1493]: pvidb_get_value: Invalid key name: Cannot get value!
During an upgrade from Junos OS 17.3R1 to 17.4R1, if there is a specific AppSecure configuration, configuration errors might prevent HA cluster devices from booting up normally. PR1317563
On vSRX instances, and SRX1500, SRX4100, and SRX4200 Series devices, you might find that NTP synchronization fails after a period of time and switches to the local clock. PR1331444
When a vSRX instance is deployed in a KVM or Contrail environment with the vhost_net NIC driver, the vSRX might process and forward all unicast packets that were flooded to its port, regardless of the destination MAC address. PR1344700
On SRX4100 and SRX4200 Series devices and on vSRX instances, the output of show interfaces extensive displays Half duplex for GE interfaces even when the link is actually operating at full duplex. This is a display issue and does not affect traffic. PR1358066
Routing Protocols
The show pfe statistics ip6 icmp command does not exist in the vSRX CLI, but the corresponding clear pfe statistics ip6 icmp command does. To make the CLI consistent, both the show pfe statistics ip6 icmp and clear pfe statistics ip6 icmp commands have been removed from the vSRX CLI. PR1289803
Resolved Issues: 17.4R1
Application Layer Gateways (ALGs)
An RM error might be encountered by the NFX250 Network Services Platform, which hosts the vSRX virtual firewall, when sending 400 SIP calls. This issue occurs because in the vSRX instance the gate_resource maximum is limited by the root-lsys resource limit, which is less than the maximum gate number. PR1313781
Network Address Translation (NAT)
The configuration commit check might not detect a configuration error where a source NAT pool contains no address lines except a deactivated address line. This behavior might allow the source NAT pool to be committed without addresses, which can lead to a core dump when traffic utilizes a misconfigured NAT pool. This issue typically occurs when removing address statements from a NAT pool and leaving only a preexisting deactivated address statement in the NAT pool. PR1300019
Workaround: Always be sure to properly configure an IP address in the source NAT pool.
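An added example (constructed, not Junos code) of the commit-time check that was missing: it reads Junos-style set and deactivate lines and reports every source NAT pool that has no active address statement, treating a pool whose only address line has been deactivated the same as a pool with no address at all. The sample configuration, the pool names and the error wording are constructed for the demonstration.

```python
"""Reject source NAT pools with no active address (constructed example, not Junos code)."""
import re
from typing import Dict, List

# Constructed 'display set' style configuration. src-pool-bad is the case the
# commit check missed: its only address statement has been deactivated.
SAMPLE_CONFIG = """
set security nat source pool src-pool-good address 203.0.113.10/32
set security nat source pool src-pool-good address 203.0.113.30/32 to 203.0.113.40/32
set security nat source pool src-pool-bad address 203.0.113.20/32
deactivate security nat source pool src-pool-bad address 203.0.113.20/32
set security nat source pool src-pool-bad port no-translation
set security nat source pool src-pool-empty port no-translation
set security nat source rule-set trust-to-untrust from zone trust
"""

ADDRESS_LINE = re.compile(
    r"^(set|deactivate) security nat source pool (\S+) address (\S+)(?:\s+to\s+(\S+))?\s*$"
)
POOL_LINE = re.compile(r"^set security nat source pool (\S+)(?:\s|$)")


def load_pools(config: str) -> Dict[str, List[dict]]:
    """Map each pool name to its address statements, each carrying an 'active' flag."""
    pools: Dict[str, List[dict]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ADDRESS_LINE.match(line)
        if m:
            verb, pool, low, high = m.groups()
            entries = pools.setdefault(pool, [])
            if verb == "set":
                entries.append({"low": low, "high": high or low, "active": True})
            else:
                # 'deactivate ... address X' names the statement by its low address;
                # the 'to' child is not repeated on the deactivate line.
                for entry in entries:
                    if entry["low"] == low:
                        entry["active"] = False
            continue
        m = POOL_LINE.match(line)
        if m:
            pools.setdefault(m.group(1), [])  # pool seen, maybe with no address at all
    return pools


def active_addresses(entries: List[dict]) -> List[str]:
    """Render the address statements of a pool that are not deactivated."""
    return [
        e["low"] if e["high"] == e["low"] else f'{e["low"]} to {e["high"]}'
        for e in entries
        if e["active"]
    ]


def pools_without_addresses(config: str) -> List[str]:
    """Return the source NAT pools a commit check should reject."""
    pools = load_pools(config)
    return sorted(name for name, entries in pools.items() if not active_addresses(entries))


def commit_check(config: str) -> List[str]:
    """Produce commit-check style error messages (constructed wording)."""
    return [
        f"error: source NAT pool {name} has no active address configured"
        for name in pools_without_addresses(config)
    ]
```

The check deliberately keys on the active flag rather than on the presence of an address line, because the failure described above is precisely a pool that still has an address line, but one that has been deactivated.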
On vSRX, SRX5400, SRX5600, and SRX5800 devices, Stream Control Transmission Protocol (SCTP) packets have an incorrect SCTP checksum after the SRX Series device performs NAT on the payload. PR1310141
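An added example (constructed, not Juniper code) of why a NAT that edits an SCTP payload must recompute the checksum in the common header: it implements CRC32c as described in RFC 4960 Appendix B, builds a constructed INIT chunk carrying an IPv4 Address parameter, rewrites that address the way an SCTP ALG would, and shows that the packet verifies only after the checksum is recomputed. The ports, tags and addresses are assumptions, and the checksum is stored least-significant byte first, as the RFC's reference code does.

```python
"""CRC32c over an SCTP packet before and after NAT edits the payload (constructed example)."""
import socket
import struct
from typing import List, Tuple

CRC32C_POLY = 0x82F63B78  # reflected Castagnoli polynomial used by SCTP


def _build_table() -> List[int]:
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32C_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _build_table()


def crc32c(data: bytes) -> int:
    """Table-driven CRC32c with the standard init and final XOR."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc = _TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


# SCTP common header: src port (2), dst port (2), verification tag (4), checksum (4).
def sctp_checksum(packet: bytes) -> bytes:
    """Checksum field bytes for 'packet', computed with the field zeroed."""
    zeroed = packet[:8] + b"\x00\x00\x00\x00" + packet[12:]
    return struct.pack("<I", crc32c(zeroed))  # LSB first, as in RFC 4960 Appendix B


def sctp_finalize(packet: bytes) -> bytes:
    """Return the packet with a freshly computed checksum."""
    return packet[:8] + sctp_checksum(packet) + packet[12:]


def sctp_valid(packet: bytes) -> bool:
    return packet[8:12] == sctp_checksum(packet)


def ipv4_address_param(ip: str) -> bytes:
    return struct.pack("!HH", 5, 8) + socket.inet_aton(ip)  # parameter type 5, length 8


def init_chunk(initiate_tag: int, ip: str) -> bytes:
    """INIT chunk (type 1) with one IPv4 Address parameter (constructed values)."""
    fixed = struct.pack("!IIHHI", initiate_tag, 65535, 10, 10, 1000)
    body = fixed + ipv4_address_param(ip)
    return struct.pack("!BBH", 1, 0, 4 + len(body)) + body


def build_packet(src_port: int, dst_port: int, vtag: int, chunks: bytes) -> bytes:
    header = struct.pack("!HHI", src_port, dst_port, vtag) + b"\x00" * 4
    return sctp_finalize(header + chunks)


def rewrite_init_addresses(packet: bytes, old_ip: str, new_ip: str) -> bytes:
    """The ALG step: replace old_ip in every IPv4 Address parameter of the INIT chunk."""
    chunk_type, _flags, chunk_len = struct.unpack("!BBH", packet[12:16])
    if chunk_type != 1:
        raise ValueError("first chunk is not INIT")
    data = bytearray(packet)
    old, new = socket.inet_aton(old_ip), socket.inet_aton(new_ip)
    offset, end = 12 + 4 + 16, 12 + chunk_len  # parameters follow the fixed INIT fields
    while offset + 4 <= end:
        ptype, plen = struct.unpack("!HH", data[offset:offset + 4])
        if ptype == 5 and plen == 8 and bytes(data[offset + 4:offset + 8]) == old:
            data[offset + 4:offset + 8] = new
        offset += (plen + 3) & ~3  # parameters are padded to a 4-byte boundary
    return bytes(data)


def nat_packet(packet: bytes, old_ip: str, new_ip: str) -> Tuple[bytes, bytes]:
    """Return (buggy, fixed): payload rewritten with the stale checksum vs. recomputed."""
    rewritten = rewrite_init_addresses(packet, old_ip, new_ip)
    return rewritten, sctp_finalize(rewritten)
```

The buggy variant is what a receiver sees when the translated address is written into the payload without touching the common header: the CRC32c no longer matches and the endpoint silently discards the packet, which is how the issue above surfaces as failed SCTP associations rather than as an explicit error.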
RPM Statistics
Under certain configurations, real-time performance monitoring (RPM) statistics might fail to account for network traffic packets as they pass through a logical tunnel (lt) interface (for example, lt-0/0/0.0 connected to lt-0/0/0.1). When this occurs, the RPM probe cannot be sent to the specified probe target to measure performance. PR1303445
Unified Threat Management (UTM)
When you configure content filtering for HTTP to block a specific content type (for example, a zip file), the files are blocked but the custom message does not appear in the Web browser. This issue has been addressed; the configured message now appears in the Web browser as a notification about blocking the content that matches the specified content type. PR1308909
VPN
When a manual route-based IPsec VPN is configured, enabling VPN monitoring can cause the st0.* interface to go down, which results in VPN traffic being dropped. PR1259422
Workaround: Enter the restart ipsec-key-management CLI command to restart the kmd process and restore the VPN service.
Note: When the kmd process is restarted, all existing Phase 1 and Phase 2 SAs on the device are cleared.
With the tcp-encap-profile command configured in an environment with a virtual routing instance, there might be packet drops on a port 500-based IPsec tunnel. No issues are observed with Pathfinder (port 443) based IPsec tunnels. PR1263518
In certain cases, when performing multiple high-availability failovers with a Pathfinder session, the vSRX might enter into an unresponsive state and send a reset connection to the NCP client, which terminates the connection. PR1263678