Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Resolved Issues


This section lists the issues that have been fixed in the Junos OS Release 18.2.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 18.2R3

Flow-Based and Packet-Based Processing

  • With vSRX, capacity of usp_max_tcpproxy_connection might be reduced from 48,000 sessions to 24,000 sessions. Layer 7 protocols using TCP such as ALG, UTM, and so on would be affected. The maximum number of sessions supported will be reduced to 24,000. PR1397371

Interfaces and Routing

  • When you perform and upgrade from previous release, vSRX instances on Azure will have MAC address missing from ge-0/0/1. PR1410825

Platform and Infrastructure

  • With vSRX 3.0, REST API query returns a 500 error. This is due to the incorrect mapping of the path to the required REST API libraries. PR1412087

  • If larger data types are written into smaller data types, the neighbor stack pointers are overwritten, there by corrupting the data types. Accessing the address generates a core file, and the vSRX instance stops functioning. PR1412441

  • With vSRX instances, REST API query returns a 500 error. This is due to the incorrect mapping of the path to the required REST API libraries. PR1426588


  • When aes-gcm is configured in an IKE proposal, then commit check would enforce the IPsec proposal to use aes-gcm. PR1366459

  • vSRX 3.0 supports suiteb-gcm-128 and suiteb-gcm-256 IKE and IPsec proposals. PR1400214

  • The kmd process stops and generates a core file when the encryption-algorithm is not configured in the IPsec proposal. PR1403156

Resolved Issues: 18.2R2

Application Layer Gateways (ALGs)

  • When using a SIP configuration on a vSRX VM, SIP call might fail if an INVITE message includes more than one VIA header. Only one VIA header is retained and the extra headers are stripped off. PR1351664

  • When SIP ALG and NAT are configured, and SIP messages include multiple route headers (VIA, ROUTE, or RECORD-ROUTE), then the multiple route headers are not translated. PR1361470

Chassis Clustering

  • With a KVM hypervisor on vSRX 2.0 HA DUT, both the child Gigabit Ethernet interface have the same MAC address of the redundant Ethernet (reth) interface regardless of whether the child interfaces are on the primary or the secondary node of the vSRX2.0 instance. PR1385138

Flow-based and Packet-based Processing

  • In an OpenStack environment with vSRX2.0, cloud initialization might not work. PR1388949

  • On a vSRX instance configured with one data plane CPU, the flow debugging using trace options does not display useful information. PR1391535


  • PFE process generates cores files when an interface is configured with targeted-broadcastforward-and-send-to-re; for example, in the configuration set interfaces ge-0/0/0 unit0 family inet targeted-broadcast forward-and-send-to-re. PR1384800


  • An expired trial license cannot be deleted, and a warning message is generated after a system reboot. PR1367939


  • In a vSRX chassis cluster, VPN cleanup does not work as expected. If the VPN security association (SA) installed in the PFE is incorrectly associated to a wrong VPN interface, the kmd process restarts or the RG0 failover process cannot clean up the incorrectly linked VPN, causing VPN traffic to fail continuously. PR1352537

Resolved Issues: 18.2R1

Application Layer Gateways (ALGs)

  • When using a SIP configuration on a vSRX VM, the SIP call may fail if the INVITE is coming in with more than one VIA Headers. The vSRX VM will strip off extra headers and only maintain one VIA Header. Added the configuration set security alg sip keep-via-header command to enable or disable control over whether to strip off the VIA Headers in SIP request messages. The default value of this configuration is disable. PR1351664


    If the configuration set security alg sip keep-via-header command is set to enable, the SIP ALG would only apply NAT translation to the first VIA Headers in SIP request messages.

  • When using a SIP configuration on a vSRX VM, the route header in the SIP ACK request might not be correctly NAT translated (SIP-ALG) PR1361470

Chassis Cluster/High Availability

  • In a chassis cluster environment, when the primary node is powered-down suddenly, the failover time over to the backup node might be longer than expected, when can result in traffic loss. PR1304497

  • In HA deployments, VPN cleanup might not function as expected. When operating under certain circumstances, a VPN security association (SA) installed in the PFE is incorrectly associated to a wrong VPN interface, and a kmd daemon restart or RG0 failover does not clean up the incorrectly linked VPN, which causes VPN traffic to continuously fail. PR1352537

  • On all SRX models, including vSRX instances, if you enable the IP Monitoring feature in a chassis cluster environment, the cluster may become unresponsive due to a memory leak. This behavior is due to incorrect handling of the ICMP reply packet of the IP monitoring traffic.PR1366958

Interfaces and Routing

  • The minimum source-threshold and destination-threshold value for tcp syn-flood in the set security screen ids-option command has changed from 1 to 4. PR1349327


  • You might encounter issues when you attempt to view custom log files created for event logging in the J-Web interface. Only event logs captured in a policy-session log file can be viewed in the J-Web interface (Monitor > Events and Alarms > View Events), and other event logs captured in different files are missing. PR1280857


  • When the free vSRX Evaluation Trial license expires and is deleted, it reappears after you reboot the vSRX VM. When this occurs, the system will generate a warning message. PR1367939

Network Management and Monitoring

  • On a vSRX VM deployed with nested virtualization disabled (Nested=N), the vSRX fails to generate an SNMP trap when a cold-restart is performed. PR1350826

Platform and Infrastructure

  • When using a vSRX-M on a VMware ESXi hypervisor, the throughput for TCP traffic drops when you enable the per-unit-scheduler PR1335459

  • The vSRX might become unresponsive and enter into DB mode due to llmd file corruption (the llmd file is located on Linux). When this occurs, the llmd process becomes unresponsive and will generate a core dump. In this case, the show system core-dumps output can include information such as: PR1340825

  • When deploying a vSRX instance in a KVM or Contrail environment with the vhost_net NIC driver, the vSRX might process and forward all unicast packets which were flooded to the port, regardless of the destination MAC address. PR1344700

  • On an SRX4100 and 4200 Series device, as well as a vSRX instance, the output of the show interfaces extensive output displays Half duplex for GE interfaces, even when the link is actually operating as Full Duplex. This is a display issue and does not impact traffic. PR1358066

Unified Policy

  • This release includes support for service-specific ASC configuration, which allows the ASC to be enabled or disabled on a per-service basis. With the advent of Unified Policies, two services are introduced to the ASC: Security Services, and Miscellaneous Services. Security Services are responsible for policy-lookup behavior, while miscellaneous services are responsible for non-policy related items, such as APBR. Starting with 18.2R1, by default, the ASC will be disabled for security-services and enabled for miscellaneous-services. This has the possibility to impact existing legacy AppFW functionality post-upgrade to 18.2R1 as existing cache-entries will be ignored during policy-lookups. PR1363501