
Resolved Issues

 

This section lists the issues that have been fixed in the Junos OS Release 17.4.

Note

The Junos OS Release 17.4R3 for vSRX is at feature parity with Junos OS Release 17.4R1. For the complete list of resolved issues in Junos OS Release 17.4R1, see Junos OS Release 17.4R1 for vSRX Release Notes.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 17.4R3

Flow and Processing

  • On vSRX platform, when the secure-wire feature is used, a flowd core file might occur when one of the secure-wire interfaces goes down. PR1430071

Interfaces and Routing

  • In a KVM hypervisor, the MAC address of the child ge-x/x/x interface is the same as the MAC address of the redundant (reth) interface, regardless of whether the child interface is on the primary or the secondary node of the vSRX chassis cluster DUT. PR1385138

  • vSRX instances on Microsoft Azure cannot be managed using the serial console. PR1439148

J-Web

  • In J-Web, the local-identity option of client VPN is not available. If you configure the local-identity option from CLI and perform commit using J-Web, then the configuration of local-identity will be removed. This might disable the VPN establishment. PR1404024

Licensing

  • A trial license that has been deleted reappears after a reboot. PR1367939

Platform and Infrastructure

  • If larger data types are written into smaller data types, the neighbor stack pointers are overwritten, thereby corrupting the data types. Accessing the address generates a core file, and the vSRX instance stops functioning. PR1412441

Routing Policy and Firewall Filters

  • If a domain address is configured inside policies, the device or the instance assumes that this domain address is needed by the policies and always retries to get the addresses for this domain. The domain remains in the "DNS cache" until it is removed from all policies. When the DNS server replies with any error code (such as ServFail, NXDomain, YXDomain, and so on), the current DNS cache entry (domain name and ip-list) is not flushed. PR1426186

Security

  • The ipfd process generates core files because of a file handler memory leak. PR1390150

Upgrade and Downgrade

  • When you perform an upgrade from a previous release, vSRX instances on Azure are missing the MAC address on ge-0/0/1. PR1410825

VPNs

  • When aes-gcm is configured in an IKE proposal, then commit check enforces the IPsec proposal to use aes-gcm. PR1366459

  • The kmd process stops and generates a core file when the encryption-algorithm is not configured in the IPsec proposal. PR1403156

  • On vSRX 3.0 instances, the pkid process might generate core files when the auto-enrollment feature is enabled. PR1415968

Resolved Issues: 17.4R2

Application Layer Gateways (ALGs)

  • When using a SIP configuration on a vSRX VM, the SIP call may fail if the INVITE arrives with more than one VIA header. The vSRX VM strips off the extra headers and maintains only one VIA header. The set security alg sip keep-via-header configuration command has been added to enable or disable control over whether to strip off the VIA headers in SIP request messages. The default value of this configuration is disable. PR1351664

    Note

    If the set security alg sip keep-via-header configuration command is set to enable, the SIP ALG applies NAT translation only to the first VIA header in SIP request messages.

  • When using a SIP configuration on a vSRX VM, the route header in the SIP ACK request might not be correctly NAT translated (SIP-ALG). PR1361470

Chassis Clustering

  • In HA deployments, VPN cleanup might not function as expected. When operating under certain circumstances, a VPN security association (SA) installed in the PFE is incorrectly associated to a wrong VPN interface, and a kmd daemon restart or RG0 failover does not clean up the incorrectly linked VPN, which causes VPN traffic to continuously fail. PR1352537

Interfaces and Routing

  • The minimum source-threshold and destination-threshold value for tcp syn-flood in the set security screen ids-option command has changed from 1 to 4. PR1349327

IPv6 Flow

  • The flowd process (responsible for traffic forwarding in all SRX platforms, including vSRX instances) might become unresponsive and generate a core dump when traffic is passing through IPsec tunnels and tunnel flapping happens at the same time. PR1339905

    • If the SRX platform is configured in high-availability mode, the RG1+ (data-plane) will fail-over to the secondary node.

    • If the SRX platform is configured in stand-alone mode, there will be temporary traffic interruption until the flowd process is automatically restored.

    If this issue occurs, the show system core-dumps command displays output similar to the following:

Licensing

  • On all SRX platforms, including vSRX instances, in rare cases you might find that the routing engine CPU utilization becomes high after renewing a license key. PR1325236

Network Management and Monitoring

  • On a vSRX VM deployed with nested virtualization disabled (Nested=N), the vSRX fails to generate an SNMP trap when a cold-restart is performed. PR1350826

Platform and Infrastructure

  • On the SRX1500, SRX4100, SRX4200, and vSRX platforms, when performing a commit command, the following error log messages might be observed: PR1305352

  • During an upgrade from Junos OS 17.3R1 to 17.4R1, if there is a specific AppSecure configuration, configuration errors might prevent HA cluster devices from booting up normally. PR1317563

  • On vSRX instances, and SRX1500, SRX4100, and SRX4200 Series devices, you might find that NTP synchronization fails after a period of time and switches to the local clock. PR1331444

  • When deploying a vSRX instance in a KVM or Contrail environment with the vhost_net NIC driver, the vSRX might process and forward all unicast packets which were flooded to the port, regardless of the destination MAC address. PR1344700

  • On SRX4100 and SRX4200 Series devices, as well as vSRX instances, the output of the show interfaces extensive command displays Half duplex for GE interfaces, even when the link is actually operating as Full Duplex. This is a display issue and does not impact traffic. PR1358066

Routing Protocols

  • The show pfe statistics ip6 icmp command is nonexistent at the vSRX CLI; however, the clear pfe statistics ip6 icmp command does exist. To address this behavior in the vSRX, both the show pfe statistics ip6 icmp and clear pfe statistics ip6 icmp commands have been removed from the CLI. PR1289803

Resolved Issues: 17.4R1

Application Layer Gateways (ALGs)

  • An RM error might be encountered by the NFX250 Network Services Platform when sending 400 SIP calls (the NFX250 hosts the vSRX virtual firewall). This issue occurs because in the vSRX instance the gate_resource maximum is limited by the root-lsys resource limitation, which is less than the maximum gate number. PR1313781

Network Address Translation (NAT)

  • The configuration commit check might not detect a configuration error where a source NAT pool contains no address lines except a deactivated address line. This behavior might allow the source NAT pool to be committed without addresses, which can lead to a core dump when traffic utilizes a misconfigured NAT pool. This issue typically occurs when removing address statements from a NAT pool and leaving only a preexisting deactivated address statement in the NAT pool. PR1300019

    Workaround: Always be sure to properly configure an IP address in the source NAT pool.

  • On vSRX, SRX5400, SRX5600, and SRX5800 devices, a Stream Control Transmission Protocol (SCTP) packet has an incorrect SCTP checksum after the SRX Series device implements NAT on the payload. PR1310141

RPM Statistics

  • When operating under certain configurations, you might encounter an issue when performing real-time performance monitoring (RPM) to gather RPM statistics, where network traffic packets fail to be accounted for as they pass through a logical tunnel (LT) interface (for example, lt-0/0/0.0 connected to lt-0/0/0.1). When this issue occurs, the RPM probe cannot be sent to the specified probe target to measure performance. PR1303445

Unified Threat Management (UTM)

  • When you configure content filtering for HTTP to block a specific content type (for example, a zip file), the files are blocked but the custom message does not appear in the Web browser. This issue has been addressed; the configured message now appears in the Web browser as a notification about blocking the content that matches the specified content type. PR1308909

VPN

  • When configuring a manual route-based IPsec VPN, enabling VPN monitoring can cause the st0.* interface to go down, which results in VPN traffic being dropped. PR1259422

    Workaround: Enter the restart ipsec-key-management CLI command to restart the kmd process and restore the VPN service.

    Note

    When the kmd process is restarted, all existing phase 1 and phase 2 SAs on the device are cleared.

  • With the tcp-encap-profile command configured in an environment with a virtual routing instance, there might be packet drops on a port 500-based IPsec tunnel. No issues are observed with Pathfinder (port 443) based IPsec tunnels. PR1263518

  • In certain cases, when performing multiple high-availability failovers with a Pathfinder session, the vSRX might enter into an unresponsive state and send a reset connection to the NCP client, which terminates the connection. PR1263678