Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Known Limitations

Learn about known limitations in Junos OS Release 21.2R3 for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

General Routing

  • Due to enhancements in AppID starting Junos OS Release 21.1R1, database files are not compatible with earlier releases. Hence, this issue is expected to be seen during downgrade from Junos OS Release 21.1R1 to earlier releases. PR1554490

Platform and Infrastructure

  • For upgrades to Junos OS version 21.2 or higher from Junos OS versions below 21.2, the no-validate option needs to be used in the request system software upgrade or the request system software in-service-upgrade (ISSU) command. Note: This does not apply to SRX300 series and SRX550HM devices.

    For the case of ISSU however, the no-validate option does not take effect and you need to use the hidden no-compatibility-check option instead as a workaround to be able to use ISSU to Junos 21.2 or higher successfully. This issue was fixed in Junos releases 20.3R3-S5, 20.4R3-S4, 21.1R3-S3 and higher releases. PR1590099 and PR1638499

  • On SRX platforms, when performing ISSU to Junos OS release 22.1 or above releases from a pre-22.1 release, ISSU will be aborted with the warning message "ISSU is not supported for Clock Synchronization (SyncE)". As a workaround use the hidden no-compatibility-check option in the ISSU command. This issue is resolved in 21.3R3, 21.4R2, 21.4R3 and higher releases. PR1652838


  • On SRX5000 line of devices, in some scenario, the device output might display obsolete IPsec SA and NHTB entry even when the peer tear down the tunnel. PR1432925

  • In SPC2 and SPC3 mixed-mode HA deployments, tunnel per second (TPS) is getting affected while dead peer detection (DPD) is being served on existing tunnels. This limitation is due to a large chunk of CPU being occupied by infrastructure (gencfg) used by IKED to synchronize its DPD state to the backup nodes. PR1473482