Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Open Issues

Learn about open issues in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • Use an antireplay window size of 512 for IPv4 or IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence, there are no out-of-order packets with 512 antireplay window size. PR1470637

General Routing

  • The PKI CMPv2 (RFC 4210) client certificate enrolment does not properly work on SRX Series devices when using root-CA. PR1549954

  • Kernel might stop, with VM core files generated, and the system might reboot continuously after five child interfaces are added to the reth interface on one node. This might cause service impact. PR1551297

  • When the device is downgraded to a release earlier than Junos OS Release 21.1 and then upgraded again to Junos OS Release 21.1, the application identification database tables might not get populated properly and have 0 entries. For such cases, after upgrading, uninstall and reinstall signature package. PR1567199

  • Getting UNKNOWN instead of HTTP-PROXY for application and UNKNOWN instead of GOOGLE-GEN in RT-FLOW close messages. These messages can be seen in the RT-flow close log and these are due to JDPI not engaged for the session. This may affect the application identification for the web-proxy session traffic. PR1588139

  • On SRX345, the ICMP checksum error and packet drops are observed while doing rapid ping on vdsl interface with MTU 1514. PR1591230

  • In Junos OS 20.3 R3 and 21.1R2 release, sometimes on reboot log files are not getting generated. PR1594377

  • For Junos OS 20.3R3, 21.1R2, and 21.2R1 releases, phone-home ZTP is failing on SRX Series devices as phone home client is unable to connect to Phone Home Server or Redirect Server. PR1598462

Routing Policy and Firewall Filters

  • If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907

  • One of the CLI command where it display some additional then expected data. However, it will not cause any issue with data path functionality on Packet Forwarding Engine. It's more like display issue. PR1582344


  • When multiple traffic selectors are configured on a particular VPN, the iked process checks for a maximum of 1 DPD probe that is sent to the peer for the configured DPD interval. The DPD probe is sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585

  • In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported in Junos OS Release 18.2R2 and later. PR1383329

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX Series device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE IDs. PR1407356

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • An IPsec policy must not have both ESP and AH proposals. The configuration will commit, but the IPsec traffic will not work. Do not configure an IPsec policy with proposals using both ESP and AH protocols. PR1552701
  • Do not configure two traffic selectors for the same peer under the same IPsec VPN with the same values. PR1554533