Resolved Issues: 21.1R1

Disabled node on SRX cluster sent out ARP request packets. PR1548173

SPU process stop might be seen under a GPRS tunneling protocol scenario. PR1559802

When no logical system or tenant system flow trace is configured and no root-override is configured, the latest behavior is to not log any flow trace for that logical system or tenant system, instead of dumping all to root flow trace as before. PR1530904

THR capacity update on SRX Series devices. PR1538058

The rst-invalidate-session command does not work if configured together with the no-sequence-check command. PR1541954

Application fragmented traffic might get dropped on SRX Series devices. PR1543044

Instability with RGs on cluster. PR1550637

Adjust the default route change timeout value. PR1553621

The usp_max_tcplib_connection is not expected on SRX1500, SRX4100, and SRX4200 devices. PR1563881

On the SRX1500 device, the traffic rate shown in the CLI command is not accurate. PR1527511

The MAC table is null in Layer 2 mode after one pass-through session is created successfully. PR1528286

The firewall filter SA and DA tags are not in the log messages as expected in port details. PR1539338

Packet drop might be seen when a packet with destination port 0 is received on the SRX380 device. PR1540414

Tail drops might occur on SRX Series devices if shaping-rate is configured on lt- interface. PR1542931

The nsd process might stop when DNS-based allowlisting is configured under SSL proxy. PR1542942

The Wi-Fi Mini-Physical Interface Module (Mini-PIM) does not support pure g mode with 2.4-GHz radio. PR1543824

The output of the show services application-identification group detail command incorrectly included Micro-Applications (Micro-Apps) in the output of every group. PR1544727

On SRX4100 and SRX4200 devices, if PEM0 is removed, the output of jnxOperatingDescr.2 might be incomplete. PR1547053

Advanced anti-malware file or e-mail statistics does not get incremented with the latest PB version. PR1547094

Continuous "LCC: ch_cluster_lcc_set_context:564: failed to lock chassis_vmx mutex 11" chassisd logs generated. PR1547953

Lcmd log "gw_cb_presence:136: PEM(slot = 0): error detecting presence ( fruid = 15, drv_id = 30, status = -11 )" generated every second on the SRX4100 and SRX4200. PR1550249

On SRX1500, SRX-SFP-1GE-T (Part#740-013111) for a copper cable might be corrupted after reboot. PR1552820

The volume displayed in traffic map are redefined. PR1553066

The speed mismatch error is seen while trying to commit reth0 with gigether-options. PR1553888

An IPFD core file might be generated when using Adaptive Threat Profiling. PR1554556

On an SRX550M device, the dumpdisklabel command fails with message "ERROR: Unknown platform srx550m." PR1557311

AppID's Unknown Packet Capture utility does not function on SRX Series devices when enhanced-services mode is enabled. PR1558812

The show security log report top session-close group-by application order-by risk top-number 8 where-application-risk high xml encapsulation structure changed and caused script fail. PR1559013

The show security log report top idp group-by threat-severity order-by count top-number 5 where-attack command display will change the idp reporting to match the threat-severity in idp log.. PR1560027

High CPU usage on pkid process might be seen when the device is unable to connect to a particular CRL URL. PR1560374

The DNS commands may not be executed and also any new configuration may not take effect on connecting the SRX Series device to Juniper ATP Cloud. PR1561169

There is an idpd core file at ../../../../../../../src/junos/secure/usr.sbin/idp-confd/idpd_lsys.c:771. PR1561298

When multiple IRB interfaces belong to the same VRRP group ID, if one of IRB intefaces goes down, it causes disruption in traffic going through another IRB interface. PR1572920

When SRX Series devices receive proxy ARP requests on VRRP interfaces, the devices send ARP replies with the underlying interface MAC address. PR1526851

Backup Routing Engine or backup node may be stuck in bad status with an improper backup-router configuration. PR1530935

The greater than or less than symbols are allowed for age-of-attack filter of dynamic attack group configuration. The age-of-attack field in signatures will be changed to CVE dates from activation dates.

PR1397599

The flowd or srxpfe process might generate core files during the idpd process commit on SRX Series devices. PR1521682

IDP now supports the ability to create dynamic-attack-groups based on attack-prefix wildcards. For example, you can include all of the Metasploit-based scans by applying this filter to a dynamic-attack-group: set attack-prefix values SCAN:METASPLOIT:*. PR1537195

SOF support for partial packet plugins on traditional or unified policy. PR1542497

Need syslog to indicate signature download completion. PR1543571

IDP policy load might fail post image upgrade for Junos OS Release 15.1X49 releases. PR1546542

The idpd process crashes and generates a core file. PR1547610

Sometimes, when you edit the local gateway in the remote access VPN workflow under VPN>IPsec VPN, J-web might not display one or more drop-down values. PR1521788

J-Web browser tab title to include product model name and hostname. PR1523760

J-Web GUI does not allow you to save the rules with more than 2500 cumulative shared objects. PR1540047

After commit pending changes message is shown, the contents of other messages, landing page, or pop-ups will not be visible completely. PR1554024

The RG1 interface failover occurs when RG0 failover is triggered. PR1366825

Syslog reporting PFE_FLOWD_SELFPING_PACKET_LOSS: Traffic impact: Selfping packets loss/err: 300 within 600 second error messages in node 0 and node 1 control panel. PR1522130

The commit might not fail as expected when reth interface is deleted. PR1538273

Traffic might be dropped unexpectedly when the url-category match condition is used on a security policy. PR1546120

Global policies working with multi-zones cause high Packet Forwarding Engine CPU utilization. PR1549366

Policy configured with the route-active-on condition may work incorrectly for local routes. PR1549592

NSD process stops when the secprofiling feed name is 64 bytes. PR1549676

The junos-defaults construct within a unified-policies application match criteria now restricts the ports and protocols of a flow on a per-dynamic-application basis. PR1551984

Unified policies in global zone contexts do not work when from-zone or to-zone is defined. PR1558009

On the SRX5000 line of devices, the secondary node might get stuck in performing ColdSync after a reboot or upgrade, or if ISSU is performed. PR1558382

The traffic may be dropped if you insert one global policy above others on SRX Series devices. PR1558827

Incorrect counter type (counter instead of gauge) specified for some values in MIB jnxUserAAAMib. PR1533900

Stream buffer memory leak might happen when UTM is configured under unified policies. PR1557278

UTM license expiry event lost may cause the device can't quit advance service mode and maximum-sessions decreased by half. PR1563874

The outbound-ssh routing-instance is shown as unsupported. PR1558808

The output of show security ipsec security-associations command might display empty space instead of keyword null for encryption algorithm. PR1507270

On all SRX Series devices using IPsec with NAT traversal, MTU size for the external interface might be changed after IPsec SA is reestablished. PR1530684

After IPsec tunnel using policy-based VPN is overwritten by another VPN client, traffic using this IPsec tunnel will be dropped. PR1546537

Traffic going through a policy-based IPsec tunnel might be dropped after RG0 failover. PR1550232

The iked process may crash with L3HA setup. PR1559121

The iked process might crash by operational commands on the SRX5000 line of devices with SRX5000-SPC3 card installed. PR1566649