Known Limitations

Due to enhancements in AppID starting Junos OS Release 21.1R1, database files are not compatible with earlier releases. Hence, this issue is expected to be seen during downgrade from Junos OS Release 21.1R1 to earlier releases. PR1554490

For upgrades to Junos OS version 21.2 or higher from Junos OS versions below 21.2, the no-validate option needs to be used in the request system software upgrade or the request system software in-service-upgrade (ISSU) command. Note: This does not apply to SRX300 series and SRX550HM devices.

For the case of ISSU however, the no-validate option does not take effect and you need to use the hidden no-compatibility-check option instead as a workaround to be able to use ISSU to Junos 21.2 or higher successfully. This issue was fixed in Junos releases 20.3R3-S5, 20.4R3-S4, 21.1R3-S3 and higher releases. PR1590099 and PR1638499

On SRX platforms, when performing ISSU to Junos OS release 22.1 or above releases from a pre-22.1 release, ISSU will be aborted with the warning message "ISSU is not supported for Clock Synchronization (SyncE)". As a workaround use the hidden no-compatibility-check option in the ISSU command. This issue is resolved in 21.3R3, 21.4R2, 21.4R3 and higher releases. PR1652838

On SRX5000 line of devices, in some scenario, the device output might display obsolete IPsec SA and NHTB entry even when the peer tear down the tunnel. PR1432925

In SPC2 and SPC3 mixed-mode HA deployments, tunnel per second (TPS) is getting affected while dead peer detection (DPD) is being served on existing tunnels. This limitation is due to a large chunk of CPU being occupied by infrastructure (gencfg) used by IKED to synchronize its DPD state to the backup nodes. PR1473482