Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Resolved Issues: 21.2R2

Authentication and Access Control

  • Unified-access-control (UAC) authentication might not work post system reboot. PR1585158

Chassis Clustering

  • Security policies might not be synced to all Packet Forwarding Engines post upgrade. PR1591559

Flow-Based and Packet-Based Processing

  • Performance degradation might be observed when power-mode-ipsec is enabled. PR1599044

General Routing

  • SSL-FP Logging for non SNI session. PR1442391

  • Some transmitting packets might get dropped due to the disable-pfe action is not invoked when the fabric self-ping failure is detected. PR1558899

  • The show pfe statistics traffic command shows wrong output. PR1566065

  • When using log templates with unified policies, logs were not generated in a predictable manner. A new construct has been added that allows you to define a default log profile (set security log profile name default-profile) that can be used to improve this behavior when multiple log profiles are defined. PR1570105

  • Changes in SNMP traps configuration and data exported for TWAMP. PR1573169

  • Traffic is dropped to or through VRRP virtual IP on SRX380 device. PR1581554

  • The srxpfe process might stop on SRX1500 device. PR1582989

  • Packet drop or srxpfe core dump might be observed due to Glacis FPGA limitation. PR1583127

  • Secure Web proxy continue sending DNS query for unresolved DNS entry even after the entry was removed. PR1585542

  • On SRX Series devices, significant performance improvements for JDPI's micro-application identification were included in this release. PR1585683

  • On SRX Series devices, the unknown packet-capture functionality will no longer record SSL. UNKNOWN flows by default. This behavior can be changed by enabling the set services application-identification packet-capture ssl-unknown command. Without configuration the ssl-unknown command, the SRX Series devices will only capture flows marked as UNKNOWN or INCONCLUSIVE. PR1587875

  • IP packets might be dropped on SRX Series devices. PR1588627

  • The jsqlsyncd process files generation might cause device to panic crash after upgrade. PR1589108

  • The pass through traffic might fail post reboot when secure web proxy is configured. PR1589957

  • Traffic loss might be observed for interface configured in subnet PR1590040

  • The REST API does not work for SRX380 devices. PR1590810

  • The issue (empty feed-name) starts with the hit returned from cache which points to the node with the parameter of feed-ID (2) inconsistent with the feeds-update (when it's 1). As a result the incorrect feed-ID points to the empty entry in the array of the feed-names. PR1591236

  • J-web deny log nested-application="UNKNOWN" instead of specific application. PR1593560

  • When combining log profiles and unified policies RT_FLOW_SESSION_DENY logs were not being generated corrected. PR1594587

  • When JDPI inspection-limits are reached, under certain circumstances, classification details were not propagated to interested Layer-7 Services, such as IDP. PR1595310

  • Node1 fpc0 (SPM) goes down after ISSU and RG0 failover. PR1595462

  • Jflow V9 application-id record: Network based application recognition value for IPv4 application-id are not as expected. PR1595787

  • Delay might be observed between Services Processing Card failing and failover to other node. PR1596118

  • The flowd process might core dump if application-services security policy is configured. PR1597111

  • AAMW functions will be bypassed on HTTPs after AppID package upgraded to version 3313 or later. PR1597179

  • The srxpfe process might crash and generate a core file post "targeted-broadcast forward-only" interface-config commit. PR1597863

  • The flowd process might generate files if the AppQoS module receiving two packets of a session. PR1597875

  • The flowd process might stop in AppQoE scenarios. PR1599191

  • The httpd-gk process might generate core files when IPsec VPN is configured. PR1599398

  • The CRC/Align errors and Fragment frames seen with traffic against 400G ports. PR1601151

  • Traffic might be dropped at NAT gateway if EIM is enabled. PR1601890

  • The flowd process might crash if the DNS-inspection feature is enabled by configuring SMS policy. PR1604773

  • Memory leak at the useridd process might be observed when Integrated User Firewall is configured. PR1605933

  • When the tap mode is enabled, the packet on ge-0/0/0 is dropped on RX side. PR1606293

  • The flowd process might crash if the DNS-inspection feature is enabled within SMS. PR1607251

  • Enabling dnsf traceoptions on SRX300 line of devices might result in flowd process stop. PR1608669

  • Enabling security-metadata-streaming-policy might cause Packet Forwarding Engine stop. PR1610260

  • DNS based SecIntel statistics were not populating correctly on SRX Series devices. PR1611071

  • Interface might not come up when 10G port is connected to 1G SFP. PR1613475

  • Enabling security-metadata-streaming DNS policy might cause a dataplane memory leak. PR1613489

  • On SRX Series devices running DNS Security in secure-wire mode, DGA verdicts would not be returned to the device. PR1616075

Interfaces and Chassis

  • IPv4 or IPv6 address from the config on the interface might not be applied when the interface is moved from tenants to interface stanza in the configuration. PR1605250

Intrusion Detection and Prevention (IDP)

  • Custom attack IDP policies might fail to compile. PR1598867

  • IDP policy compilation is not happening when a commit check is issued prior to a commit. PR1599954

  • The srxpfe might crash while the IDP security package contains a new detector. PR1601380

  • This release includes optimizations made to IDP that help improve its performance and behavior under load. PR1601926

  • High RE CPU usage occurs when routing-instance is configured under security idp security-package hierarchy level. PR1614013


  • The zone information disappears when functional zone is configured. PR1594366

  • A custom application name contains any is listed under pre-defined applications. PR1597221

  • J-Web might not display customer defined application services if one new policy is created. PR1599434

  • J-web application might stop with httpd core files are generated. PR1602228

  • Radius users might not be able to view or modify configuration through J-web. PR1603993

  • On all SRX Series devices, some widgets in J-Web might not load properly for logical systems users. PR1604929

Network Address Translation (NAT)

  • Incorrect IPv6 UDP checksum inserted after translation of packet from IPv4 to IPv6. PR1596952

Platform and Infrastructure

  • Junos OS: Upon receipt of specific sequences of genuine packets destined to the device the kernel will crash and restart (vmcore) (CVE-2021-0283, CVE-2021-0284). PR1557881

Routing Policy and Firewall Filters

  • The dns-name cannot be resolved if customer-defined routing instance is configured under name-server. PR1539980

  • High CPU usage might be seen on some SRX Series devices. PR1579425

Routing Protocols

  • Short multicast packets drop using PIM when multicast traffic received at a non-RPT or SPT interface. PR1579452

  • The fwauthd core files might be observed when upgrading to Junos OS 21.2R1 release. PR1588393

User Interface and Configuration

  • After image upgrade device might fail to come up due to certain configurations. PR1585479


  • The iked core during esp session state activation and deactivation after link encryption tunnel is up. PR1573102

  • The iked process might crash when IKEv2 negotiation fails on MX and SRX Series devices. PR1577484

  • Memory leaks on the iked process on SRX5000 line of devices with SRX5K-SPC3 installed. PR1586324

  • The IPsec tunnel might not come up if configured with configuration payload in a certain scenario. PR1593408

  • The kmd process might crash when VPN peer initiates using source-port other than 500. PR1596103

  • Tail drops might occur on SRX Series devices if shaping-rate is configured on st-interface. PR1604039