Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Resolved Issues


This section lists the issues that have been fixed in the Junos OS Release 18.4.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 18.4R3

Application Security

  • The SSL decryption mirroring feature of SSL proxy does not work PR1449131

  • When running SSL proxy on the firewall, the locally generated certificate is not validated by OpenSSL client. PR1436831


  • The show security dynamic-address category-name Whitelist feed-name whitelist command and the show security dynamic-address category-name <category-name> feed-name <feed-name> commands do not work. PR1424287

Flow-Based and Packet-Based Processing

  • The after-NAT IP fragment packet might be dropped by firewall filter. PR1421497

  • The IPv6 NDP might not work if SR-IOV VF trust mode is not enabled. PR1433959

  • VSRX3.0: PKI daemon core file is seen with OCSP, when CA server is not responding. PR1434638

  • On vSRX 3.0 instances, core files are seen in ipfd process without relevant configuration. PR1438016

  • vSRX instances on Microsoft Azure cannot be managed using the serial console. PR1439148

  • The appid daemon process might crash when installing security package. PR1440258

  • On VSRX3.0, the increase of 'Swap Utilization' might be seen. PR1450204

  • On vSRX and vSRX 3.0, the chassis cluster control link remains up even though the control link is actually down. The failover cannot be executed in this situation, and this issue has traffic or service impact. PR1452488

  • On vSRX3.0 platform, traffic loss might occur when application service is configured. PR1455465

  • BFD sessions flap intermittently in the vSRX platform. PR1455954

  • When traffic goes through vSRX3.0 devices, Packet Forwarding Engine will not come up and all interfaces will be down. PR1465132

Intrusion Detection and Prevention (IDP)

  • When creating dynamic-attack-groups within IDP that contain many (30+) filters, the query would fail and the group would not be populated with any attacks. PR1467561

Platform and Infrastructure

  • When vSRX3.0 running on hypervisor connects to NAS, if the storage connection to NAS fails for a few minutes and then the connection is recovered, the traffic forwarding by vSRX 3.0 might be interrupted for about 10 minutes. PR1421832

  • VSRX3.0 instances cannot pull data from Policy Enforcer in SecIntel deployment. PR1429390

  • On vSRX instances, when the secure wire feature is used, a flowd process core file might be generated when one of the secure wire interfaces goes down. PR1430071

  • The RPM http-get probe always returns HTTP 400 error. PR1436338

  • The ksyncd process might crash and restart on SRX Series devices. PR1440576

  • Memory leaks occur on vSRX running on cloud platforms. PR1442136

  • SRX series devices or vSRX instances/platforms fail to download dynamic-address feed from security director. PR1442248

System Logs

  • System Logs generated by security policies do not populate the username field if the policy is a unified policy. This applies to all security logs (RT_FLOW, APP_TRACK, UTM and so on). PR1434124

Unified Threat Management (UTM)

  • On SRX Series devices, memory might leak if Websense Redirect Web Filtering is configured. PR1445222


  • The IPsec VPN traffic drop might be seen on SRX Series platforms with NAT-T scenario. PR1444730

Resolved Issues: 18.4R2

Flow-Based and Packet-Based Processing

  • With vSRX, capacity of usp_max_tcpproxy_connection might be reduced from 48,000 sessions to 24,000 sessions. Layer 7 protocols using TCP such as ALG, UTM, and so on would be affected. The maximum number of sessions supported will be reduced to 24,000. PR1397371

  • If the traffic-log feature is configured, logs might incorrectly display IPv4 addresses in an IPv6 format. PR1421255

  • On vSRX 3.0 instances, the restart forwarding command fails. PR1426067

Interfaces and Routing

  • When you perform an upgrade from a previous release, vSRX instances on Azure will have MAC address missing from ge-0/0/1. PR1410825

Platform and Infrastructure

  • With vSRX 3.0, REST API query returns a 500 error. This is due to the incorrect mapping of the path to the required REST API libraries. PR1412087

  • If larger data types are written into smaller data types, the neighbor stack pointers are overwritten, thereby corrupting the data types. Accessing the address generates a core file, and the vSRX instance stops functioning. PR1412441

  • During bootup, if FreeBSD SCSI and USB drive have the same device name, SCSI might be mistaken as USB drive and cause bootstrap failure. PR1422490

  • With vSRX (not vSRX3.0), REST API query returns a 500 error. This is due to the incorrect mapping of the path to the required REST API libraries PR1426588

  • When trying to get the output in JSON format for the command 'show security dynamic-address category CC, you might observe an 500 - Internal Server Error. This was because the maximum size allowed for a markup identifier crossed the limit. PR1430799

Routing Policy and Firewall Filters

  • On vSRX 3.0 instances, when utilizing unified policies, Packet Forwarding Engine process (pfed) might crash and create a core file. PR1414863

  • If one domain address is configured inside policies, then the device or the instance assumes that this domain address is needed by policies and will always retry to get the addresses for this domain. This domain will remain in the "DNS cache" until it is removed from all policies. When DNS server replies with any error codes (such as ServFail, NXDomain, YX Domain, and so on), the current DNS cache entry (domain name and ip-list) is not flushed. PR1426186


  • When aes-gcm is configured in an IKE proposal, then commit check enforces the IPsec proposal to use aes-gcm. PR1366459

  • vSRX 3.0 supports suiteb-gcm-128 and suiteb-gcm-256 IKE and IPsec proposals. PR1400214

  • The kmd process stops and generates a core file when the encryption-algorithm is not configured in the IPsec proposal. PR1403156

  • On vSRX 3.0 instances, the PKI daemon might generate core files when the auto-enrollment feature is enabled. PR1415968

Resolved Issues: 18.4R1

Application Layer Gateways (ALGs)

  • When using a SIP configuration on a vSRX VM, SIP call might fail if an INVITE message includes more than one VIA header. Only one VIA header is retained and the extra headers are stripped off. PR1351664

Chassis Clustering

  • In a chassis cluster with vSRX 3.0, when an instance boots up as the secondary node, sometimes the application package is not automatically installed. You can manually download and install the application package by using the CLI. PR1363431

  • With a KVM hypervisor on vSRX HA DUT, the child Gigabit Ethernet interfaces have the same MAC address of the redundant Ethernet (reth) interface regardless of whether the child interfaces are on the primary or the secondary node of the vSRX instance. PR1385138

Flow-Based and Packet-Based Processing

  • vSRX 3.0 reboots when a Ctrl+Alt+Del signal is received from the console. PR1388600

  • In an OpenStack environment with vSRX and vSRX 3.0, cloud initialization might not work. PR1388949

  • On a vSRX instance configured with one data plane CPU, the flow trace-options debug command does not display useful information. PR1391535

Interfaces and Routing

  • PKI daemon generates cores files when an interface is configured with targeted-broadcast forward-and-send-to-re; for example, in the configuration set interfaces ge-0/0/0 unit 0 family inet targeted-broadcast forward-and-send-to-re. PR1384800


  • Trial License after deletion reappears when you reboot. PR1367939

Routing Protocols

  • With vSRX 3.0 instances, a BGP peer cannot be established between two vSRX instances. This issue exists for the self-traffic of the instance. PR1370605