Open Issues

Learn about open issues in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • On the SRX5000 line of devices with power-mode-ipsec enabled, the encap success value received from PMI path packets might not be shown correctly in the output. PR1599044

General Routing

  • The SRX1500 Services Gateway generates chassis alarms related to the TSensor and fan tray. PR1352281

  • The show pfe statistics traffic command displays incorrect output. To check the statistics, use the show pfe statistics command. PR1566065

  • When the device is downgraded to a release earlier than Junos OS Release 21.1 and then upgraded again to Junos OS Release 21.1, the appiddb tables might not get populated properly and have 0 entries. In such cases, after upgrading, uninstall and reinstall the signature package. PR1567199

  • In Junos OS Release 21.2R1, when IS-IS is flapped by disabling and enabling the IS-IS protocols continuously more than 5 times on the SRX5000 line of devices, the IS-IS adjacency does not recover with the gr interface. PR1572209

  • HTTP sessions take approximately 10 minutes to re-establish after a link flap between hub and spoke devices. PR1577021

  • In HA AP mode with on-box logging in logical systems and tenant systems, the security log contents of the binary log file in logical systems are intermittently not as expected. PR1587360

  • RT-FLOW close messages show UNKNOWN instead of HTTP-PROXY for the application and UNKNOWN instead of GOOGLE-GEN. These messages appear in the RT-FLOW close log because JDPI is not engaged for the session. This might affect application identification for Web proxy session traffic. PR1588139

  • On SRX345 devices, ICMP checksum errors and packet drops are observed during a rapid ping on a VDSL interface with MTU 1514. PR1591230

  • In Junos OS Release 20.3R3, log files are sometimes not generated on reboot. PR1594377

  • Sometimes, a Jflow v9 flow record can contain a wrong application ID from the cache, which can lead to wrong identification of the traffic application. PR1595787

  • In Junos OS Release 21.2R1, AAMW functions will be bypassed on HTTPS after the AppID package is upgraded to version 3313 or later. PR1597179

  • In Junos OS Releases 20.3R3, 21.1R2, and 21.2R1, phone-home ZTP fails on SRX Series devices because the phone-home client is unable to connect to the Phone Home Server or Redirect Server. PR1598462

  • Intermittently, trace messages are not logged when multicast traffic is sent. PR1598930

J-Web

  • The UI lists IPsec VPN information for uncommitted IPsec VPN configurations under Monitor -> Network -> IPsec VPN. PR1576609

  • For a Dynamic VPN configuration, the topology is shown as Site to Site or Hub and Spoke on the Monitor -> Network -> IPsec VPN page. PR1597889

Routing Policy and Firewall Filters

  • The output of one of the CLI commands displays more data than expected. However, this does not cause any issue with data path functionality on the Packet Forwarding Engine. PR1582344

VPNs

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • An IPsec policy must not have both ESP and AH proposals. The configuration will commit, but the IPsec traffic will not work. Do not configure an IPsec policy with proposals using both ESP and AH protocols. PR1552701

  • In a Layer 3 HA setup, core files are generated if you configure the firewall to drop ESP packets after the link encryption tunnel is up. PR1573102

  • The certificate identifier length is incorrect in certain cases. This issue is seen in the output of the CA certificate show command, show security pki ca-certificate detail. PR1589084

  • On SRX Series devices, when a site-to-site IPsec VPN is configured with traffic-selectors, if the VPN peer initiates an IKE negotiation using a source port other than 500 and, at the same time, an IPsec IKE rekey (for the same VPN tunnel that the VPN peer initiated) occurs on the SRX Series device, the kmd process might crash. PR1596103