Resolved Issues

 

Learn about issues that are resolved in Junos OS main and maintenance releases for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 19.3R3

Application Layer Gateways (ALGs)

  • With ALG enabled, after the ALG has performed payload NAT, the packet size might be bigger than the outgoing interface's MTU. If the packet's IP header has the DF (Do not Fragment) flag set, this packet cannot be sent out. PR1444068

  • Previously, the MSRPC ALG only supported operation number 4 messages (opnum 4 - RemoteCreateInstance) for extracting MSRPC data sessions. We now support opnum 3 messages (opnum 3 - RemoteGetClassObject) for extracting MSRPC data sessions. PR1462692

  • With FTP ALG enabled, if there is more than one FTPS connection between an FTP client and server pair, the closure of one connection might cause other connections between that FTP client and server pair to be affected; hence there might be traffic impact. It is a rare timing issue. PR1483834

Chassis Clustering

  • On single-thread vSRX and vSRX 3.0 instances, when PMI (PowerMode IPsec) mode is enabled, the IPsec traffic will be dropped after failover due to anti-replay check failure. PR1473037

Flow-based and Packet-based Processing

  • A warning message is displayed when the user tries to enroll ECDSA key-pair type localcert with SCEP. PR1420736

  • On vSRX 3.0 running on hypervisors that are connected to NAS, if the storage connection to NAS fails for a few minutes and is then recovered, traffic forwarding might be interrupted for about 10 minutes. PR1421832

  • On vSRX 3.0 platforms, throughput observed is less than that on vSRX. This issue might impact device performance. PR1429548

  • On vSRX platforms, if the single root I/O virtualization (SR-IOV) virtual function does not have trust mode enabled, the IPv6 Neighbor Discovery Protocol (NDP) address resolution will not work when it is initiated from the remote host. PR1433959

  • On vSRX 3.0 platforms, when OCSP is configured with a valid OCSP URL and a connection with the CA server is established to validate multiple certificates and the connection is successful, the CA server does not respond and the OCSP connection times out. PR1434638

  • Introduction of default inspection limits to application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180

  • On vSRX 3.0 platforms, traffic loss might occur when application service is configured. PR1455465

  • On vSRX 3.0 in a chassis cluster, the diagnostic script falsely fails the SSL configuration consistency check with the following error: AAMW diagnostic Error : Couldn't initiate connection rslt:-1 err:No route to host clusters. PR1463701

  • When traffic goes through vSRX 3.0 platforms, in some rare cases core-dump files may be generated and traffic will be dropped. This issue might cause the Packet Forwarding Engine to not come up and all interfaces to be down. PR1465132

  • On vSRX instances running on cloud platforms, such as Microsoft Azure and AWS, memory leaks might occur if you deploy vSRX with more vCPUs than what is supported. This might result in intermittent traffic outage. PR1469123

  • On vSRX platforms with the class-of-service (CoS) feature used, in the rare condition of accessing a stale CoS related memory, the srxpfe process might crash. PR1474124

  • When destination-path-group is deleted from the configuration and added again, the fc-id, dscp, fc name, and loss priority fields are reset. The configured values are not applied. PR1489948

  • Juniper Networks Security Intelligence (SecIntel) mistakenly engages tcp-proxy when SSL proxy is not engaged. This would lead to reduced flow performance, and the throughput of the device would be significantly impacted. PR1491682

Intrusion Detection and Prevention (IDP)

  • When creating dynamic-attack-groups within IDP that contain many (30+) filters, the query might fail and the group would not be populated with any attacks. PR1467561

  • If the total number of applications (predefined as well as the custom applications configured) crosses 4096, attack detection might fail. PR1497340

J-Web

  • J-Web does not support disabling or enabling the security firewall or global policy rules. The policy rules that are deactivated through the CLI are not visible in the J-Web UI. PR1460161

Licensing

  • Adding the license to a vSRX instance while it is being spun up through cloud-init fails. You have to manually add the license after the device has booted up. PR1469978

Platform and Infrastructure

  • On vSRX 3.0 platforms in a Hyper-V scenario, the parsed VLAN ID of packets with 802.1Q VLAN tags might be incorrect, which results in no connectivity to other physical devices on the same VLAN over an 802.1Q trunk. PR1477315

  • SRXPFE core files are seen when socket open error occurs during the initialization phase. Self-healing takes place when the SRXPFE reboots and starts processing traffic. PR1479156

Routing Policy and Firewall Filters

  • Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002

Unified Threat Management (UTM)

  • The source and destination IP or port fields were reversed for Content-Filtering and Anti-Virus logs. These fields now reflect the source and destination of the flow correctly. PR1499327

VPNs

  • PKI timeout error might be observed while generating DSA type key-pair with size 4096. PR1316747

Resolved Issues: 19.3R2

Application Security

  • On vSRX, predefined Juniper Sky ATP and Security Intelligence (SecIntel) policies are not listed, which might cause an error when using the configuration wizard in J-Web. PR1447273

Chassis Cluster

  • On vSRX and vSRX 3.0, the chassis cluster control link remains up even though the control link is actually down. The failover cannot be executed in this situation, and this issue has traffic or service impact. PR1452488

Interfaces and Routing

  • On vSRX 3.0 deployed on Nutanix AHV, the revenue ports ge-0/0/x do not get created and hence the vSRX is unable to handle any traffic. This issue applies only to Junos OS Release 19.1 and later releases. PR1461115

Platform and Infrastructure

  • If vSRX is configured to download a dynamic-address feed from an HTTPS server that is configured by Security Director, the download processing will fail. This issue causes the IP address contained in the list to not be sent from SD to SRX device. If the vSRX has a policy referencing the IP address, it will not match pass-through traffic. PR1442248

  • vSRX 3.0 in Junos OS Release 19.3R1 cannot be launched on a VM with total memory less than 4 GB. Because AWS C4.L instance type has 3.75 GB, vSRX 3.0 in Junos OS Release 19.3R1 does not support C4.L. PR1454553

  • BFD sessions flap intermittently on vSRX instances. PR1455954

Resolved Issues: 19.3R1

CLI

  • The show security dynamic-address category-name Whitelist feed-name whitelist command and the show security dynamic-address category-name <category-name> feed-name <feed-name> command do not work. PR1424287

  • On vSRX 3.0 instances, the restart forwarding command fails. PR1426067

Flow-Based and Packet-Based Processing

  • On vSRX instances, when the secure-wire feature is used, a flowd process core file might occur when one of the secure-wire interfaces goes down. PR1430071

  • On vSRX 3.0 instances, core files are seen in the ipfd process without relevant configuration. PR1438016

  • The ksyncd process might crash due to a timing issue. The HA secondary node cannot synchronize kernel states successfully. PR1440576

  • On vSRX 3.0, a gradual increase in 'Swap Utilization' might be observed, and might be unstable and stop. Based on which processes need this swap space, the impact would be different. For example, Routing Engine response will be slow or sometimes the Packet Forwarding Engine might generate the error message no more swap space. PR1450204

Platform and Infrastructure

  • If larger data types are written into smaller data types, the neighbor stack pointers are overwritten, thereby corrupting the data types. Accessing the address generates a core file, and the vSRX instance stops functioning. PR1412441

  • During bootup, if FreeBSD SCSI and USB drive have the same device name, SCSI might be mistaken as the USB drive and cause bootstrap failure. PR1422490

  • With vSRX instances, REST API query returns a 500 error. This is due to the incorrect mapping of the path to the required REST API libraries. PR1426588

  • vSRX instances on Microsoft Azure cannot be managed using the serial console. PR1439148

  • On vSRX instances running on cloud platforms, such as Microsoft Azure and AWS, memory leaks might occur if you deploy vSRX with more vCPUs than what is supported. This might result in intermittent traffic outage. PR1442136

Routing Policy and Firewall Filters

  • On vSRX 3.0 instances, when utilizing unified policies, Packet Forwarding Engine process (pfed) might stop and generate a core file. PR1414863

  • If one domain address is configured inside policies, then the device or the instance assumes that this domain address is needed by policies and will always retry to get the addresses for this domain. This domain will remain in the DNS cache until it is removed from all policies. When the DNS server replies with any error codes (such as ServFail, NXDomain, and YX Domain), the current DNS cache entry (domain name and IP list) is not flushed. PR1426186

System Logs

  • System logs generated by security policies do not populate the username field if the policy is a unified policy. This applies to all security logs (RT_FLOW, APP_TRACK, UTM, and so on). As a workaround, setting the security-log-enable option on the traffic ingress zone will populate the right username in RT_FLOW. Other logs will still not show the username value. PR1434124

Unified Threat Management (UTM)

  • UTM WR might have a memory leak in the utmd process on the Routing Engine. PR1445222

VPNs

  • IPsec VPN traffic drop might be observed in a NAT-T scenario. PR1444730