Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Open Issues

Learn about open issues in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • Use an antireplay window size of 512 for IPv4 or IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence, there are no out-of-order packets with 512 antireplay window size. PR1470637

  • For accelerated flows such as Express Path, the packet or byte counters in the session close log and show session output take into account only the values that accumulated while traversing the NP. PR1546430

General Routing

  • SRX1500 devices generates chassis alarms related to TSensor and fan tray. PR1352281

  • In race condition, if a BGP route is resolved over the same prefix protocol next hop in a routing table that has routes of the prefix from different routing protocols, when the routes are flapping (firstly these routes are down and then up), the BGP route will be re-resolved, and then the rpd crash might be seen. PR1458595

  • When the device is downgraded to a release earlier than Junos OS Release 21.1 and then upgraded again to Junos OS Release 21.1, the appiddb tables might not get populated properly and have 0 entries. For such cases, after upgrading, uninstall and reinstall signature package. PR1567199

  • Packets with the MAC address of eth0 and macvlan0@eth0 interface might be sent out to the management interface on VMHOST platform with NG-RE. PR1571753

  • For Junos OS release 21.2R1, when flapping ISIS by disabling and enabling isis protocols continuously for more than 5 times on SRX5000 line of devices, ISIS adjacency will not be recovered with gr interface. PR1572209

  • HTTP sessions takes approx 10 minutes to re-establish after a link flap between hub and spoke. PR1577021

  • With SSL proxy configured along with web-proxy, the client session might not closed on the device even though proxy session ends gracefully. PR1580526

  • HA AP mode on-box logging in LSYS and tenant, intermittently security log contents of binary log file in LSYS are not as expected. PR1587360

  • Getting UNKNOWN instead of HTTP-PROXY for application and UNKNOWN instead of GOOGLE-GEN in RT-FLOW close messages These messages can be seen in the RT-flow close log and these are due to JDPI not engaged for the session. This may affect the app identification for the web-proxy session traffic. PR1588139

  • On SRX Series devices, when firewall authentication is configured with pass-through traffic for http/https with user firewall, SRX Series devices will delete the authentication entries post 10 seconds to avoid re-authentication. PR1588241

  • Unexpected port value 0 is seen instead of undefined. PR1589598

  • On SRX345 device, icmp checksum error and packet drops are observed while doing rapid ping on vdsl interface with MTU 1514. PR1591230

  • There is a behaviour change in APPTRACK logs, by default logs are disabled. PR1591966

  • In Junos OS releases 20.3 R3, 20.4R3 and 21.1R2, sometimes on reboot schedule-report are not getting generated. PR1594377

  • For Junos OS release 20.3R3, 20.4R3, 21.1R2, 21.2R1, phone-home ZTP is failing on SRX Series devices as phone home client is unable to connect to phone home server or redirect server. PR1598462

  • Intermittently the trace messages are not logged on sending multicast traffic. PR1598930

  • On all SRX Series devices, if DNS proxy is enabled on VRRP interfaces, then DNS proxy functionality might fail to work. PR1607867

  • When you enable TCP path finder in the VPN gateway, VPN connection is established properly. After VPN connection is established, able to ping from JSC installed client to server behind gateway, but unable to ping from server behind gateway to JSC installed client. PR1611003

Interfaces and Chassis

  • Traffic drop might be seen on irb interface on SRX1500 for network control forwarding class when verifying dscp classification based on single and multiple code-points. PR1611623

Intrusion Detection and Prevention (IDP)

  • On SRX Series devices, it is unable to use latest signature pack due to IDP DB failing to update. PR1594283


  • UI lists the IPSec VPNs information for uncommitted IPSec VPNs configuration under Monitor -> Netwrok -> IPSec VPN PR1576609

  • For Dynamic VPN configuration, topology is shown as Site to Site or Hub Spoke under Monitor -> Network -> IPsec VPN page. PR1597889

Platform and Infrastructure

  • The commit synchronize command fails because the kernel socket gets stuck. PR1027898

  • On SRX Series devices with Bidirectional Forwarding Detection (BFD) enabled for multiple protocols (such as OSPF, ISIS, BGP, PIM), the ppmd process might crash after an upgrade. PR1335526

  • The device will be unavailable while performing FIPS 140-2/FIPS 140-3 level 2 internal test on FreeBSD 12 based Junos OS platforms. PR1623128

Routing Policy and Firewall Filters

  • when SSL proxy global-config is set with with enable-proxy-on-default-fw-policy-match, the traffic is hitting pre-id policy instead of default policy for Yahoo traffic. PR1542790

  • The issue is related to output of one of the CLI command where it display some additional then expected data. However it will not cause any issue with data path functionality on PFE. It's more like display issue. PR1582344

Unified Threat Management (UTM)

  • There is no counter for juniper-local default action. PR1570500


  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • In some scenario sometimes SRX5000 line of devices might show obsolete IPsec SA and NHTB entry even when the peer tear down the tunnel. PR1432925

  • An IPsec policy must not have both ESP and AH proposals. The configuration will commit, but the IPsec traffic will not work. Do not configure an IPsec policy with proposals using both ESP and AH protocols. PR1552701

  • The certificate identifier length is incorrect in certain cases and this issue is seen in the ca certificate show security pki ca-certificate detail command. PR1589084