Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Resolved Issues: 21.2R1

Application Layer Gateways (ALGs)

  • On all SRX Series devices, if the SIP ALG is enabled, a core file might be generated. PR1555817

Chassis Clustering

  • Disabled node on chassis cluster sent out ARP request packets. PR1548173

  • SPU pause might be seen under GPRS tunneling protocol scenario. PR1559802

Flow-Based and Packet-Based Processing

  • Instability with RGs on cluster. PR1550637

  • The usp_max_tcplib_connection is not expected on SRX1500, SRX4100, and SRX4200 devices. PR1563881

  • On the SRX platforms, the flowd or srxpfe process might crash when clearing the TCP-Proxy session. Traffic loss might be seen during the flowd or srxpfe process crash and restart. PR1573842

  • On SRX Series devices, the filter from-zone has been added to the utility monitor security packet-drop. PR1574060

Forwarding and Sampling

  • The configuration archive transfer-on-commit fails when running Junos OS Release 18.2R3-S6.5. PR1563641

General Routing

  • The flowd process might generate core files frequently on SRX340. PR1463689

  • Packet drops might be seen with all commit events with 1G speed configured interface. PR1524614

  • The JNH memory leak could be observed on MPCs or MICs. PR1542882

  • The output of the command show services application-identification group detail incorrectly included Micro-Applications (Micro-Apps) in the output of every group. PR1544727

  • The kmd process might stop when the interface flaps. PR1544800

  • SRX1500 reports fans running at over speed. PR1546132

  • On SRX4100 and SRX4200 devices, if PEM0 is removed, the output of jnxOperatingDescr.2 command might be incomplete. PR1547053

  • PKI CMPv2 client certificate enrollment does not work on SRX when using root-CA. PR1549954

  • SRX4600 device might reset and fail to boot due to a failure accessing Solid State Drive (SSD). PR1551047

  • On SRX1500, SRX-SFP-1GE-T (Part#740-013111) for a copper cable might be corrupted after reboot. PR1552820

  • The speed mismatch error is seen while trying to commit reth0 with gigether-options. PR1553888

  • Application identity unknown packet capture utility does not function on SRX Series devices when enhanced-services mode is enabled. PR1558812

  • The show security log report top session-close group-by application order-by risk top-number 8 where-application-risk high xml encapsulation structure changed and caused script fail. PR1559013

  • The show security log report top idp group-by threat-severity order-by count top-number 5 where-attack command display changes. PR1560027

  • The PIC in SRX5K-SPC3 or MX-SPC3 card might get stuck in offline status after flowd process stops on it. PR1560305

  • The pkid process runs at 100 percent when the device is unable to connect to a particular URL. PR1560374

  • The DNS commands might not be executed and any new configuration might not take effect on connecting the SRX Series device to Juniper Sky ATP. PR1561169

  • The show security log report top session-close group-by application order-by risk top-number 8 where-application-risk high xml encapsulation changed. PR1561286

  • The idpd process might stop when committing IDP configuration under logical systems and tenant systems during RGs failover. PR1561298

  • Fabric probe packets might be processed incorrectly when power-mode-ipsec is enabled. PR1564117

  • The flowd process might pause and generates a core dump if JFlow version 9 is configured. PR1567871

  • Wi-Fi mPIM on SRX Series devices is reaching out to NTP and DNS servers. PR1569680

  • Missing snmp operation state method for power distribution module on SRX5800 and MX960 devices. PR1570433

  • MACsec not using network-control queue. PR1571977

  • Traffic going through the VRRP interface might be dropped when VRRP enabled IRB interface goes down. PR1572920

  • In certain conditions on SRX Series devices, the timer values are updated for an existing fast BFD session, it may cause a fast BFD session deletion on the Packet Forwarding Engine. This will result in BFD session remaining down or Packet Forwarding Engine generates core files occasionally. PR1578946

  • The ipfd process might stop and generate a core file when SecProfiling thread feeds are fetched from policy enforcer. PR1582454

  • On SRX1500 device with AE interface configured, if the IRB interface is also configured and enabled, the srxpfe process might stop. PR1582989

  • The 1G interfaces might not come up after device reboot. PR1585698

  • On all Junos OS devices, the l2ald process pause could be observed on changing the routing-instance from VPLS to non-L2 routing-instance, with same routing-instance name is being used for both VPLS and non-L2 routing-instance. PR1586516

  • On SRX Series devices, the protocol-version command which controls TLS versions (1.1, 1.2, 1.3, etc) within SSL proxy are unhidden. PR1587149

  • On SRX Series devices, the unknown packet-capture functionality will no longer record SSL. UNKNOWN flows by default. This behavior can be changed by enabling the set services application-identification packet-capture ssl-unknown command. Without configuration the ssl-unknown command, the SRX Series devices will only capture flows marked as UNKNOWN or INCONCLUSIVE. PR1587875

  • On SRX Series devices, the pass-through traffic on secure web proxy might fail after rebooting the device. PR1589957

Interfaces and Chassis

  • When SRX Series devices receive proxy ARP requests on VRRP interfaces, SRX Series devices send ARP replies with the underlying interface MAC address. PR1526851

  • Backup Routing Engine or backup node might get stuck in bad status with improper backup-router configuration. PR1530935

  • The configuration check out failed with error message: identical local address found on rt_inst [default], intfs. PR1581877

Intrusion Detection and Prevention (IDP)

  • The greater than or less than symbols are allowed for age-of-attack filter of dynamic attack group configuration. The age-of-attack field in signatures will be changed to CVE dates from activation dates. PR1397599

  • IDP now supports the ability to create dynamic-attack-groups based on attack-prefix wildcards. PR1537195

  • Adding signature in packet drop reason and sending to record packet drops module. PR1574603

  • The IDP policy process might become unresponsive and fail to compile the IDP policy after an IDP automatic update. PR1577684


  • J-Web GUI does not allow you to save a rule if the cumulative shared objects are more than 2500 before the policy grid is saved. When there are several shared objects, there will be a noticeable delay in opening sources and destinations of a rule, and performing the rule action. PR1540047

  • When the commit pending changes message is shown on the J-Web GUI, the contents of other messages, landing page, or pop-ups will not be clearly visible. PR1554024

  • To improve performance in Monitoring > Network > Interfaces page, Admin Status is removed, services and protocols data merged into one host inbound traffic. PR1574895

Network Address Translation (NAT)

  • Incorrect IPv6 UDP checksum inserted after translation of packet from IPv4 to IPv6, when IPv4 packet did not have a UDP checksum. PR1596952

Network Management and Monitoring

  • The mib2d process crashes and generates a core files on backup Routing Engine. PR1557384

  • SSH connection might become unresponsive and logs show kern.maxfiles limit exceeded by uid messages. PR1567634

Platform and Infrastructure

  • The show chassis errors command is not supported on SRX5000 line of devices with RE3 and SCB3 installed. PR1560562

  • The show chassis ethernet-switch errors command unexpectedly shows error counters for port 14 on the SRX5800 device. PR1563978

  • On SRX5000 line of devices, the power budget calculation incorrectly assumes that all SCB cards contain a Routing Engine (RE). Hence, the available power budget is incorrectly decreased by 90W for each SCB which does not contain an RE. PR1568183

  • There is a limitation where image validation might cause an MGD core thus causing ISSU to abort. This is due to incompatible BSD releases. PR1590099

Routing Policy and Firewall Filters

  • The junos-defaults construct within a unified-policies application match criteria now restricts the ports and protocols of a flow on a per-dynamic-application basis. PR1551984

  • SecIntel connection name resolution errors due to SecIntel memory leaks. PR1566128

  • Traffic loss might be seen when a big number of applications or addresses is referenced by one policy. PR1576038

Unified Threat Management (UTM)

  • UTM license expiry event lost might cause the device can't quit in advance service mode and the maximum-sessions is decreased by half. PR1563874


  • Traffic that goes through policy-based IPsec tunnel might be dropped after RG0 failover. PR1550232

  • The iked process might stop with Multinode High Availability setup. PR1559121

  • The pkid process generates core files while you do auto-enrollment of local certificates. PR1564300

  • When there are multiple IPsec SAs, backup SA starts IPsec rekey. PR1565132

  • The iked process might crash by operational commands on the SRX5000 line of devices with SRX5000-SPC3 card installed. PR1566649

  • On all SRX Series devices and NFX350, if IPsec tunnels are configured with configuration payload VPN, they might not come up if the configured subnet mask on st0 is not equal to /8, /16 or /24. PR1593408