Resolved Issues


Learn which issues were resolved in Junos OS Release 20.1R1 for vSRX. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Layer Gateways (ALGs)

  • With ALG enabled, after the ALG performs payload NAT, the packet size might be bigger than the outgoing interface's MTU. If the packet's IP header has the DF (Don't Fragment) flag set, the packet cannot be sent out. PR1444068

Chassis Clustering

  • On vSRX 3.0 in a chassis cluster, the diagnostic script falsely fails the SSL configuration consistency check with the error AAMW diagnostic Error : Couldn't initiate connection rslt:-1 err: No route to host clusters. PR1463701

  • On single-thread vSRX and vSRX 3.0 instances, when PMI (PowerMode IPsec) mode is enabled, the IPsec traffic will be dropped after failover due to an anti-replay check failure. PR1473037

Flow and Processing

  • A warning message is displayed when the user tries to enroll a local certificate of ECDSA key-pair type with SCEP. PR1420736

  • When vSRX 3.0 running on a hypervisor connects to NAS, if the storage connection to the NAS fails for a few minutes and is then recovered, the forwarding traffic of vSRX 3.0 might be interrupted for about 10 minutes. PR1421832

  • On vSRX 3.0 platforms, throughput observed is less than that on vSRX. This issue might impact device performance. PR1429548

  • On vSRX platforms, if the single root I/O virtualization (SR-IOV) virtual function does not have trust mode enabled, the IPv6 Neighbor Discovery Protocol (NDP) address resolution will not work when it is initiated from the remote host. PR1433959

  • When OCSP is configured with a valid OCSP URL and a connection with the CA server is established to validate multiple certificates, the connection succeeds and the OCSP request is sent successfully, but the CA server does not respond and the OCSP connection times out. PR1434638

  • Application identification is significantly more resistant to evasive applications. It does this by introducing default inspection limits, which can be adjusted by using the new set services application-identification inspection-limit command and the set services application-identification global-offload-byte-limit command. PR1454180

  • On vSRX 3.0 instances, traffic loss might occur when application service is configured. PR1455465

  • On vSRX 3.0 deployed on Nutanix AHV, the revenue ports ge-0/0/x are not created, and the instance is unable to handle any traffic. PR1461115

  • When traffic goes through vSRX 3.0 platforms, in some rare cases core files might be generated and traffic will be dropped. This issue might cause the Packet Forwarding Engine not to come up and all interfaces to be down. PR1465132

  • On vSRX when you configure more than 148 streams, or on vSRX 3.0 when you configure more than 74 streams, the system raises a configuration error alert. However, the global stream capacity is 100 on vSRX and 50 on vSRX 3.0, so configure streams only within the system capacity. If you configure more than the capacity, the system might not work as expected. PR1471063

  • Cache entries are not seen when global ASC is off. PR1483928

Intrusion Detection and Prevention (IDP)

  • IDP offline signature update is not allowed on vSRX platforms. PR1467208

  • When creating dynamic-attack-groups within IDP that contain many (30+) filters, the query might fail and the group is then not populated with any attacks. PR1467561


  • Adding the license to the vSRX while it is being spun up through cloud-init fails. You have to manually add it after the device has booted up. PR1469978