Resolved Issues: 21.2R2

Unified-access-control (UAC) authentication might not work post system reboot. PR1585158

Security policies might not be synced to all Packet Forwarding Engines post upgrade. PR1591559

Performance degradation might be observed when power-mode-ipsec is enabled. PR1599044

SSL-FP Logging for non SNI session. PR1442391

Some transmitting packets might get dropped due to the disable-pfe action is not invoked when the fabric self-ping failure is detected. PR1558899

The show pfe statistics traffic command shows wrong output. PR1566065

When using log templates with unified policies, logs were not generated in a predictable manner. A new construct has been added that allows you to define a default log profile (set security log profile name default-profile) that can be used to improve this behavior when multiple log profiles are defined. PR1570105

Changes in SNMP traps configuration and data exported for TWAMP. PR1573169

Traffic is dropped to or through VRRP virtual IP on SRX380 device. PR1581554

The srxpfe process might stop on SRX1500 device. PR1582989

Packet drop or srxpfe core dump might be observed due to Glacis FPGA limitation. PR1583127

Secure Web proxy continue sending DNS query for unresolved DNS entry even after the entry was removed. PR1585542

On SRX Series devices, significant performance improvements for JDPI's micro-application identification were included in this release. PR1585683

On SRX Series devices, the unknown packet-capture functionality will no longer record SSL. UNKNOWN flows by default. This behavior can be changed by enabling the set services application-identification packet-capture ssl-unknown command. Without configuration the ssl-unknown command, the SRX Series devices will only capture flows marked as UNKNOWN or INCONCLUSIVE. PR1587875

IP packets might be dropped on SRX Series devices. PR1588627

The jsqlsyncd process files generation might cause device to panic crash after upgrade. PR1589108

The pass through traffic might fail post reboot when secure web proxy is configured. PR1589957

Traffic loss might be observed for interface configured in subnet 137.63.0.0/16. PR1590040

The REST API does not work for SRX380 devices. PR1590810

The issue (empty feed-name) starts with the hit returned from cache which points to the node with the parameter of feed-ID (2) inconsistent with the feeds-update (when it's 1). As a result the incorrect feed-ID points to the empty entry in the array of the feed-names. PR1591236

J-web deny log nested-application="UNKNOWN" instead of specific application. PR1593560

When combining log profiles and unified policies RT_FLOW_SESSION_DENY logs were not being generated corrected. PR1594587

When JDPI inspection-limits are reached, under certain circumstances, classification details were not propagated to interested Layer-7 Services, such as IDP. PR1595310

Node1 fpc0 (SPM) goes down after ISSU and RG0 failover. PR1595462

Jflow V9 application-id record: Network based application recognition value for IPv4 application-id are not as expected. PR1595787

Delay might be observed between Services Processing Card failing and failover to other node. PR1596118

The flowd process might core dump if application-services security policy is configured. PR1597111

AAMW functions will be bypassed on HTTPs after AppID package upgraded to version 3313 or later. PR1597179

The srxpfe process might crash and generate a core file post "targeted-broadcast forward-only" interface-config commit. PR1597863

The flowd process might generate files if the AppQoS module receiving two packets of a session. PR1597875

The flowd process might stop in AppQoE scenarios. PR1599191

The httpd-gk process might generate core files when IPsec VPN is configured. PR1599398

The CRC/Align errors and Fragment frames seen with traffic against 400G ports. PR1601151

Traffic might be dropped at NAT gateway if EIM is enabled. PR1601890

The flowd process might crash if the DNS-inspection feature is enabled by configuring SMS policy. PR1604773

Memory leak at the useridd process might be observed when Integrated User Firewall is configured. PR1605933

When the tap mode is enabled, the packet on ge-0/0/0 is dropped on RX side. PR1606293

The flowd process might crash if the DNS-inspection feature is enabled within SMS. PR1607251

Enabling dnsf traceoptions on SRX300 line of devices might result in flowd process stop. PR1608669

Enabling security-metadata-streaming-policy might cause Packet Forwarding Engine stop. PR1610260

DNS based SecIntel statistics were not populating correctly on SRX Series devices. PR1611071

Interface might not come up when 10G port is connected to 1G SFP. PR1613475

Enabling security-metadata-streaming DNS policy might cause a dataplane memory leak. PR1613489

On SRX Series devices running DNS Security in secure-wire mode, DGA verdicts would not be returned to the device. PR1616075

IPv4 or IPv6 address from the config on the interface might not be applied when the interface is moved from tenants to interface stanza in the configuration. PR1605250

Custom attack IDP policies might fail to compile. PR1598867

IDP policy compilation is not happening when a commit check is issued prior to a commit. PR1599954

The srxpfe might crash while the IDP security package contains a new detector. PR1601380

This release includes optimizations made to IDP that help improve its performance and behavior under load. PR1601926

High RE CPU usage occurs when routing-instance is configured under security idp security-package hierarchy level. PR1614013

The zone information disappears when functional zone is configured. PR1594366

A custom application name contains any is listed under pre-defined applications. PR1597221

J-Web might not display customer defined application services if one new policy is created. PR1599434

J-web application might stop with httpd core files are generated. PR1602228

Radius users might not be able to view or modify configuration through J-web. PR1603993

On all SRX Series devices, some widgets in J-Web might not load properly for logical systems users. PR1604929

Incorrect IPv6 UDP checksum inserted after translation of packet from IPv4 to IPv6. PR1596952

Junos OS: Upon receipt of specific sequences of genuine packets destined to the device the kernel will crash and restart (vmcore) (CVE-2021-0283, CVE-2021-0284). PR1557881

The dns-name cannot be resolved if customer-defined routing instance is configured under name-server. PR1539980

High CPU usage might be seen on some SRX Series devices. PR1579425

Short multicast packets drop using PIM when multicast traffic received at a non-RPT or SPT interface. PR1579452

The fwauthd core files might be observed when upgrading to Junos OS 21.2R1 release. PR1588393

After image upgrade device might fail to come up due to certain configurations. PR1585479

The iked core during esp session state activation and deactivation after link encryption tunnel is up. PR1573102

The iked process might crash when IKEv2 negotiation fails on MX and SRX Series devices. PR1577484

Memory leaks on the iked process on SRX5000 line of devices with SRX5K-SPC3 installed. PR1586324

The IPsec tunnel might not come up if configured with configuration payload in a certain scenario. PR1593408

The kmd process might crash when VPN peer initiates using source-port other than 500. PR1596103

Tail drops might occur on SRX Series devices if shaping-rate is configured on st-interface. PR1604039