In the J-Web Chassis View on an SRX-series device, the LEDs for a Routing
Engine and PICs are not shown as green when they are up and online. [PR/297693]
Chassis Cluster
Configuring an SRX-series device with set system process jsrp-service disable only on the primary node
of the cluster causes the cluster to go into a bad state. [PR/292411]
The device will crash if you disable chassis control with set
system processes chassis-control disable, leave it disabled for 4-5 minutes, and
then enable it. Do not use this command in chassis cluster mode. [PR/296022]
On SRX 5600 and SRX 5800 devices, local interfaces
are not supported in chassis cluster mode. [PR/296168]
You cannot apply shaper, scheduler, and
output-control-profile to the reth interface on an SRX-series
device. [PR/298102]
Chassis SNMP objects are not reporting correctly
when the device is operating in JSRP cluster mode with JUNOS software.
[PR/304082]
Platforms supporting chassis cluster do not
support vlan-ids greater than 1023 on reth interfaces. [PR/314636]
Class of Service
On SRX 5600 devices, class-of-service based-forwarding
(CBF) is not working. [PR/304830]
Flow
On an SRX-series device, the show security
flow session command currently does not display aggregate session
information. Instead, it displays sessions on a per-SPU basis. [PR/264439]
On an SRX-series device, when traffic matches
a deny policy, sessions will not be created successfully. However,
sessions are still consumed, and the "Unicast-sessions" and "Sessions-in-use"
fields shown by the show security flow session summary command will
reflect this. [PR/284299]
You are unable to run the show security
flow session command on the secondary node in the following instances:
When you restart an SRX-series device
When the device crashes due to the kernel replication process
(ksyncd)
As a workaround, restart the chassis-control of the device.
[PR/290053]
Configuring the flow filter with the all flag might result in traces that are not related to the
configured filter. As a workaround, use the flow trace flag basic with the set security flow traceoptions flag command. [PR/304083]
Hardware
On SRX 5600 and SRX 5800 devices, the HA
LED on the SPC does not light. [PR/303899]
IDP
On SRX 5600 and SRX 5800 devices, IDP does
not respond to security package requests after you create the policy
with all the predefined attack groups. As a workaround, delete all
the policies and retry. [PR/279147]
On SRX 5600 and SRX 5800 devices, the large
policy load fails on the second successive attempt with policy aging
enabled. [PR/289362]
When the firewall and IDP policy both enable DiffServ marking with a different DSCP value for the same traffic,
the firewall DSCP value takes precedence and the traffic is marked
using the firewall DSCP value. [PR/297437]
When you push a large IDP policy under insufficient
memory, the policy fails to get through due to heavy traffic. [PR/300411]
On SRX 5600 and SRX 5800 devices, when a
new signature pack is downloaded and installed in the absence of a
policy on the dataplane, the new detector is not installed on both
the Routing Engine and the dataplane. [PR/303561]
When loading a new IDP policy fails because the memory
on the device is insufficient, the last policy pushed to the device
is restored. As a result, logs are generated incorrectly for the failed
policy loads. [PR/304388]
On SRX 5600 and SRX 5800 devices, the output
of show security idp status is not accurate for chassis
cluster. [PR/310777]
When there are 8 or 9 policies already in
the data plane, a policy cannot load because of insufficient heap
memory. [PR/388190]
Interfaces
Jumbo frames are not supported. [PR/271507]
Readback error messages are seen in the system
log on commit. [PR/306046]
Fragmentation does not work on packets originating
from the device when the interface is part of a virtual-router routing
instance. [PR/306836]
J-Web
On SRX 5600 and SRX 5800 devices, there are
no options for loading and activating the policy template through
J-Web. [PR/291317]
On SRX 5600 and SRX 5800 devices, the J-Web
policy rule configuration page should list the available predefined
attacks and groups, so that the user can select the attacks and groups
and configure the rules. [PR/295283]
When the J-Web session is terminated from
the CLI, error and warning messages related to J-Web appear in the
log. [PR/311181]
Routing Engine
The SRX 5600 and SRX 5800 services gateways support only a single Routing
Engine installed in the Switch Control Board (SCB) in slot 0. The
device will not start if a Routing Engine is installed in an SCB in
slot 1. [PR/303914]
System
The show security monitoring output for a Flexible PIC
Concentrator (FPC) shows previous data when a card is replaced. [PR/285551]
The new custom detector installation does
not get loaded to the data plane. As a result, the Packet Forwarding
Engine displays the old detector version. As a workaround, reboot
the device. [PR/291205]
On SRX-series devices, you can reboot the
media disk from the CLI but not from the J-Web interface. [PR/300270]