Open Issues

Learn about open issues in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • Use an antireplay window size of 512 for IPv4 or IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). With an antireplay window size of 512, there are no out-of-order packets. PR1470637
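
The window sizing in the item above, as an added example that is not part of these release notes or of Junos OS code: a sliding-window anti-replay check in the style of RFC 4303, run over a constructed arrival order in which each group of 12 batches of 32 packets leaves in reverse batch order. The reordering model and the comparison window size of 64 are assumptions made for illustration.

```python
CORES, BATCH = 12, 32            # figures from the item above: 12 * 32 = 384


class ReplayWindow:
    """Sliding-window anti-replay check in the style of RFC 4303."""

    def __init__(self, size):
        self.size = size
        self.top = 0             # highest sequence number accepted so far
        self.bitmap = 0          # bit i set => sequence (top - i) was seen

    def check_and_update(self, seq):
        if seq < 1:
            return "invalid"     # sequence numbers start at 1 in this sketch
        if seq > self.top:       # advances the right edge of the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:  # fell off the left edge of the window
            return "too_old"
        if self.bitmap & (1 << offset):
            return "replay"      # already seen inside the window
        self.bitmap |= 1 << offset
        return "ok"


def worst_case_arrivals(groups):
    """Constructed input: every group of CORES batches leaves in reverse order."""
    order = []
    for g in range(groups):
        base = g * CORES * BATCH
        for core in reversed(range(CORES)):
            start = base + core * BATCH + 1
            order.extend(range(start, start + BATCH))
    return order


def count_results(window_size, arrivals):
    win = ReplayWindow(window_size)
    counts = {"ok": 0, "too_old": 0, "replay": 0, "invalid": 0}
    for seq in arrivals:
        counts[win.check_and_update(seq)] += 1
    return counts


if __name__ == "__main__":
    arrivals = worst_case_arrivals(2)
    for size in (64, 512):       # 64 is a constructed comparison value
        print(size, count_results(size, arrivals))
```

In this model the largest distance between the highest sequence number seen and a late packet is 383, so a 512-packet window accepts every packet while still rejecting true replays inside the window.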

General Routing

  • The PKI CMPv2 (RFC 4210) client certificate enrollment does not work properly on SRX Series devices when using root-CA. PR1549954

  • On all SRX Series devices that use Sky Advanced Threat Prevention (Sky ATP), entering uppercase letters in the Realm name field during the Sky ATP CLI enrollment produces the message "Provided password for * is incorrect", which is incorrect and misleading. PR1550387

  • Kernel might stop, with VM core files generated, and the system might reboot continuously after five child interfaces are added to the reth interface on one node. This might cause service impact. PR1551297

  • When the device is downgraded to a release earlier than Junos OS Release 21.1 and then upgraded again to Junos OS Release 21.1, the appiddb tables might not get populated properly and have 0 entries. For such cases, after upgrading, uninstall and reinstall the signature package. PR1567199

  • A PKID core might occur during certificate signature validation. This core is not very frequent and occurs due to memory corruption. PR1573892

  • With ssl-proxy configured along with web-proxy, the client session might not be closed on the device even though the proxy session ends gracefully. PR1580526

  • Web-proxy: UNKNOWN is reported instead of HTTP-PROXY for the application, and UNKNOWN instead of GOOGLE-GEN, in RT-FLOW close messages. These messages can be seen in the RT-FLOW close log and occur because JDPI is not engaged for the session. This may affect application identification for the web-proxy session traffic. PR1588139

  • On SRX345, ICMP checksum errors and packet drops are observed during a rapid ping on a VDSL interface with MTU 1514. PR1591230

  • There is a behaviour change in application track logs. By default, logs are disabled. PR1591966

  • In Junos OS releases 20.3R3, 20.4R3 and 21.1R2, sometimes, on reboot, scheduled reports are not generated. PR1594377

  • For Junos OS releases 20.3R3, 20.4R3, 21.1R2, 21.2R1, phone home ZTP fails on SRX Series devices because the phone home client is unable to connect to the Phone Home Server or Redirect Server. PR1598462

  • When static routes are added with gr interface names, there could be replication issues with MPLS next hops, causing the backup to core. PR1601996

Interfaces and Chassis

  • Traffic drop might be seen on the irb interface on SRX1500 for the network control forwarding class when verifying DSCP classification based on single and multiple code points. PR1611623

Intrusion Detection and Prevention (IDP)

  • On SRX Series devices, the latest signature pack cannot be used because the IDP DB fails to update. PR1594283

  • IDPD does not core when a wrong package is given for offline download; it performs two levels of validation:

    • It looks for the mandatory file in the offline downloaded package.
    • The secpack has manifest files that contain the list of files expected in the package.

    The fix is based on the above file: if the package is missing any file from the manifest file list, the package is considered a bad package. PR1623857

Platform and Infrastructure

  • On SRX Series devices with Bidirectional Forwarding Detection (BFD) enabled for multiple protocols (such as OSPF, ISIS, BGP, PIM), the ppmd process might crash after an upgrade. PR1335526

  • If authentication (tacplus-server, radius-server) is configured on a device, it may fail to open files in a rare case, which may cause the process mgd to stop. PR1600615

Routing Policy and Firewall Filters

  • If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907

  • When SSL Proxy's global-config is set with enable-proxy-on-default-fw-policy-match, Yahoo traffic hits the pre-id policy instead of the default policy. PR1542790

Routing Protocols

  • A commit error is seen while adding a static route for a link-local IPv6 destination address range. PR1599273


  • When multiple traffic selectors are configured on a particular VPN, the iked process checks for a maximum of 1 DPD probe that is sent to the peer for the configured DPD interval. The DPD probe is sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585

  • In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported in Junos OS Release 18.2R2 and later. PR1383329

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX Series device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE IDs. PR1407356

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • In some scenarios (for example, when configuring a firewall filter), SRX5K devices might sometimes show obsolete IPsec SA and NHTB entries even when the peer tears down the tunnel. PR1432925

  • An IPsec policy must not have both ESP and AH proposals. The configuration will commit, but the IPsec traffic will not work. Do not configure an IPsec policy with proposals using both ESP and AH protocols. PR1552701

  • Do not configure two traffic selectors for the same peer under the same IPsec VPN with the same values. PR1554533