Resolved Issues

Learn about issues that are resolved in Junos OS main and maintenance releases for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 19.2R3

Flow and Packet Processing

  • Security Intelligence mistakenly engages tcp-proxy when ssl-proxy is not engaged, leading to reduced flow performance. PR1491682

Intrusion Detection and Prevention (IDP)

  • The IDP attack detection might not work in a specific situation. PR1497340

J-Web

  • Infinite loading circle may be encountered via J-Web. PR1493601

Routing Policy and Firewall Filters

  • Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002

Unified Threat Management (UTM)

  • The source and destination IP or port fields were reversed for Content-Filtering and Anti-Virus logs. These fields now reflect the source and destination of the flow correctly. PR1499327

Resolved Issues: 19.2R2

Application Layer Gateways (ALGs)

  • When the ALG has completed the payload-NAT, the packet size might be bigger than the outgoing interface's MTU. If the packet's IP header has the DF (Don't Fragment) flag, then this packet cannot be sent out. PR1444068

  • FTPS traffic might get dropped if FTP ALG is used. PR1483834

Application Security

  • When running SSL proxy on the firewall, the locally generated certificate is not validated by the OpenSSL client. PR1436831

  • The SSL decryption mirroring feature of SSL proxy does not work. PR1449131

CLI

  • The show security dynamic-address category-name whitelist feed-name whitelist command and the show security dynamic-address category-name category-name feed-name feed-name command do not work. PR1424287

Flow and Packet Processing

  • A warning message is displayed when the user tries to enroll a local certificate (localcert) of ECDSA key-pair type with SCEP. PR1420736

  • The after-NAT IP fragment packet might be dropped by firewall filter. PR1421497

  • On vSRX 3.0 running on hypervisors that are connected to NAS, if the storage connection to NAS fails for a few minutes and is then recovered, traffic forwarding might be interrupted for about 10 minutes. PR1421832

  • On vSRX 3.0 platforms, the throughput observed is less than that on vSRX. This issue might impact device performance. PR1429548

  • On vSRX instances, when the secure wire feature is used, a flowd core file might be generated when one of the secure wire interfaces goes down. PR1430071

  • On the vSRX platform, if the single root I/O virtualization (SR-IOV) virtual function does not have trust mode enabled, the IPv6 Neighbor Discovery Protocol (NDP) address resolution will not work when it is initiated from the remote host. PR1433959

  • On vSRX 3.0 instances, ipfd process core files are seen without the relevant configuration. PR1438016

  • vSRX instances on Microsoft Azure cannot be managed using the serial console. PR1439148

  • The IP address on the fxp0 interface keeps flapping after vSRX 3.0 instances are deployed on Azure cloud. Because of this issue, vSRX 3.0 instances cannot get the correct IP address from Azure cloud. PR1439278

  • In a race condition, the appid process might crash when the security package is being installed. PR1440258

  • Memory leaks occur on vSRX running on cloud platforms. PR1442136

  • On vSRX 3.0 instances, a gradual increase in 'Swap Utilization' might be observed. This might cause the instances to stop or become unstable. For example, the Routing Engine response might be slow, or sometimes the Packet Forwarding Engine might stop working with the error message "no more swap space". PR1450204

  • The Chassis Cluster control link remains up even though the control link is actually down. The failover cannot be executed in this situation, leading to traffic or service impact. PR1452488

  • Default inspection limits have been introduced for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180

  • On vSRX 3.0 platforms, traffic loss might occur when application service is configured. PR1455465

  • On vSRX instances, BFD sessions flap intermittently. PR1455954

  • On vSRX 3.0 deployed on Nutanix AHV, the revenue ports ge-0/0/z do not get created and vSRX is unable to handle any traffic. PR1461115

  • When traffic goes through vSRX 3.0 instances, core files are generated and traffic is dropped. This issue might cause all interfaces to go down and the Packet Forwarding Engine does not come up. PR1465132

  • On vSRX instances running on cloud platforms, such as Microsoft Azure and AWS, memory leaks might occur if you deploy vSRX with more vCPUs than what is supported. This might result in intermittent traffic outage. PR1469123

  • Security Intelligence mistakenly engages tcp-proxy when ssl-proxy is not engaged, leading to reduced flow performance. PR1491682

Intrusion Detection and Prevention (IDP)

  • IDP offline signature update is not allowed on vSRX platforms. PR1467208

  • On the vSRX 3.0 platform, the SQL query for the dynamic attack group (DAG) category might fail and the DAG would not be populated with any attacks when DAGs are created (within IDP) with many (more than 30) filters. PR1467561

Licensing

  • Adding the license to a vSRX instance while it is being spun up through cloud-init fails. You have to manually add the license after the device has booted up. PR1469978

Platform and Infrastructure

  • vSRX 3.0 instances cannot pull data from Policy Enforcer in a SecIntel deployment. PR1429390

  • The RPM http-get probe always returns HTTP 400 error. PR1436338

  • In chassis cluster mode, the ksyncd process might crash due to a timing issue and the secondary node might not synchronize kernel states successfully. PR1440576

  • If a dynamic-address feed is available for download from an HTTPS server that is configured on Security Director, the download process fails. As a result, the IP address contained in the list is not sent from Security Director to the platform. If the platform has a policy referencing the IP address, then that policy will not match pass-through traffic. PR1442248

  • On vSRX 3.0 platforms in Hyper-V scenario, the parsed VLAN ID of packets with 802.1Q VLAN tag might be incorrect, which results in no connectivity to other physical devices on the same VLAN over 802.1Q trunk. PR1477315

System Logs

  • System logs generated by security policies do not populate the username field if the policy is a unified policy. This applies to all security logs (RT_FLOW, APP_TRACK, UTM, and so on). PR1434124

Unified Threat Management (UTM)

  • Memory might leak if Websense Redirect Web Filtering is configured. PR1445222

  • vSRX 3.0 cannot be launched on a VM with total memory of less than 4 GB. Because the AWS C4.L instance type has a total of 3.75 GB, vSRX 3.0 does not support the C4.L instance type. PR1454553

VPNs

  • IPsec VPN traffic drop might be seen with NAT-T scenario. PR1444730

Resolved Issues: 19.2R1

Chassis Clustering

  • Chassis cluster is not supported for the advanced policy-based routing multipath feature. PR1393932

Interfaces and Routing

  • On vSRX 3.0 instances using KVM with X710 or XL710 SR-IOV as revenue interfaces, you cannot configure VLAN tagging within Junos OS because of an i40e host driver limitation. PR1378774

Flow-based and Packet-based Processing

  • If the traffic-log feature is configured, logs might incorrectly display IPv4 addresses in IPv6 format and packets might be dropped. PR1421255

Platform and Infrastructure

  • If larger data types are written into smaller data types, the neighbor stack pointers are overwritten, thereby corrupting the data types. Accessing the address generates a core file, and the vSRX instance stops functioning. PR1412441

  • With vSRX and vSRX 3.0 instances, a REST API query returns a 500 error. This is due to the incorrect mapping of the path to the required REST API libraries. PR1426588 and PR1412087, respectively

Routing Policy and Firewall Filters

  • On vSRX 3.0 instances, when utilizing unified policies, the PFE process might stop, and a core file is generated. PR1414863