Resolved Issues: 21.3R1

Unified-access-control (UAC) authentication might not work post system reboot. PR1585158

Security policies might not be synced to all Packet Forwarding Engines post upgrade. PR1591559

The srxpfe process might crash during route churn. PR1572240

On SRX Series devices, the filter from-zone has been added to the utility monitor security packet-drop. PR1574060

Performance degradation might be observed when power-mode-ipsec is enabled. PR1599044

SSL-FP logging for non SNI session. PR1442391

The flowd might core dump frequently on SRX340 device. PR1463689

PKI CMPv2 client certificate enrollment does not work on SRX when using root-CA. PR1549954

Application identity unknown packet capture utility does not function on SRX Series devices when enhanced-services mode is enabled. PR1558812

Some transmitting packets might get dropped due to the disable-pfe action is not invoked when the fabric self-ping failure is detected. PR1558899

The PIC in SRX5K-SPC3 and MX-SPC3 card might get stuck in offline status after flowd crash occurs on it. PR1560305

The show pfe statistics traffic command shows wrong output. PR1566065

Packets with the MAC address of eth0 and macvlan0@eth0 interface might be sent out to the management interface on VMHOST platform with NG-RE. PR1571753

Traffic is dropped to or through VRRP virtual IP on SRX380 device. PR1581554

The ipfd process might crash with a core dump when SecProfiling thread feeds are fetched from Policy Enforcer(PE). PR1582454

The srxpfe process might crash on SRX1500 device. PR1582989

Packet drop or srxpfe core dump might be observed due to Glacis FPGA limitation. PR1583127

The APPID process might crash with a core if multiple commands are run simultaneously. PR1583606

Secure Web proxy continue sending DNS query for unresolved DNS entry even after the entry was removed. PR1585542

On SRX Series devices, significant performance improvements for JDPI's micro-application identification were included in this release. PR1585683

The 1G interfaces might not come up after device reboot. PR1585698

The l2ald process might crash on issuing ethernet-switching commands. PR1586426

The l2ald process might crash on changing the routing-instance. PR1586516

On SRX Series devices, the protocol-version command which controls TLS-versions (1.1, 1.2, 1.3, etc) within SSL-Proxy has been unhidden. PR1587149

On SRX Series devices, the unknown packet-capture functionality will no longer record SSL. UNKNOWN flows by default. This behavior can be changed by enabling the set services application-identification packet-capture ssl-unknown command. Without configuration the ssl-unknown command, the SRX will only capture flows marked as UNKNOWN or INCONCLUSIVE. PR1587875

Garbage characters might be received in quarantine notification. PR1587962

IP packets might be dropped on SRX Series devices. PR1588627

The jsqlsyncd process files generation might cause device to panic crash after upgrade. PR1589108

SRX connection to Juniper Secure Connect might fail with IKE negotiation request from user disallowed as remote-access user license limit exceeded. PR1589865

Pass-through traffic might fail post reboot when Secure Web Proxy is configured. PR1589957

Traffic loss might be observed for interface configured in subnet 137.63.0.0/16. PR1590040

The REST API does not work for SRX380 device. PR1590810

The issue (empty feed-name) starts with the hit returned from cache which points to the node with the parameter of feed-ID (2) inconsistent with the feeds-update (when it's 1). As a result the incorrect feed-ID points to the empty entry in the array of the feed-names. PR1591236

J-Web deny log nested-application="UNKNOWN" instead of specific application. PR1593560

System log will be generated when max-session or total memory limit is hit for packet capture. PR1594669

Node1 fpc0 (SPM) goes down after ISSU and RG0 failover. PR1595462

Network based application recognition value for IPv4 application-id are not as expected. PR1595787

Delay might be observed between Services Processing Card (SPC) failing and failover to other node. PR1596118

The flowd process might generate core files if the application-services security policy is configured. PR1597111

The srxpfe process might stop and generate a core file post targeted-broadcast forward-only command interface configuration commit. PR1597863

The flowd process might generate core files if the AppQOS module receiving two packets of a session. PR1597875

The flowd process might stop in AppQoE scenarios. PR1599191

The httpd-gk core file might be observed when IPsec VPN is configured. PR1599398

The flowd process might crash if the DNS inspection feature is enabled by configuring SMS policy. PR1604773

Memory leak at the useridd process might be observed when Integrated User Firewall is configured. PR1605933

When the tap mode is enabled, the packet on ge-0/0/0 is dropped on RX side. PR1606293

The flowd process might stop if the DNS inspection feature is enabled within SMS. PR1607251

Enabling dnsf traceoptions on SRX300 lines of devices might result in flowd crash. PR1608669

Enabling security-metadata-streaming-policy might cause Packet Forwarding Engine pause. PR1610260

On the SRX4600, when you connect a 1G SFP to the 10G port, a reboot is required. A new critical log will now be introduced so the requirement is more visible. In chassis clusters of SRX4600, both nodes need to be rebooted at the same time. PR1613475

VM might crash if file is shared between host operating system and guest operating system using virtFS. PR1551193

Facing configuration check-out failed with error message, the identical local address found on rt_inst [default] and intfs. PR1581877

The IPv4 or IPv6 address from the configuration on the interface might not be applied when the interface is moved from tenants to interface stanza in the configuration. PR1605250

Adding signature in packet drop reason and sending to record packet drops module. PR1574603

IDP policy compilation failure for over 1000 custom signatures. PR1589399

IDP signature DB update fails. PR1594283

Custom attack IDP policies might fail to compile. PR1598867

IDP policy compilation is not happening when a commit check is issued prior to a commit. PR1599954

The srxpfe might stop while the IDP security package contains a new detector. PR1601380

This release includes optimizations made to IDP that help improve its performance and behavior under load. PR1601926

Junos OS: J-Web allows a locally authenticated attacker to escalate their privileges to root. (CVE-2021-0278) PR1511853

The zone info disappears when functional zone is configured. PR1594366

A custom application name contains "any" is listed under predefined applications. PR1597221

J-Web might not display customer defined application services if one new policy is created. PR1599434

J-Web application might stop and generates httpd core files. PR1602228

Radius users might not be able to view or modify configuration through J-Web. PR1603993

On all SRX Series devices, some widgets in J-Web might not load properly for logical systems users. PR1604929

Incorrect IPv6 UDP checksum inserted after translation of packet from IPv4 to IPv6 addresses. PR1596952

Junos OS: Upon receipt of specific sequences of genuine packets destined to the device the kernel will crash and restart (vmcore) (CVE-2021-0283, CVE-2021-0284). PR1557881

The dns-name cannot be resolved if customer-defined routing instance is configured under name-server. PR1539980

Short multicast packets drop using PIM when multicast traffic received at a non-RPT or SPT interface PR1579452

BGP session carrying VPNv4 prefix with IPv6 next-hop might be dropped. PR1580578

The fwauthd process generates core files when upgrading to Junos OS release 21.2R1. PR1588393

Extra data plane CPU cycles for processing GTP traffic on SRX5000 line of devices. PR1586367

There is no counter for juniper-local default action. PR1570500

During rare circumstances, the mgd process might stop and generate a core file on Junos devices connected with Contrail Service Orchestration (CSO). PR1569903

The juniper.conf.gz file creates with empty data when we create an tenant system. PR1584850

After image upgrade device might fail to come up due to certain configurations. PR1585479

IS-SU upgrade aborted from Junos OS release 21.1R1.11 to Junos OS release 21.2I-20210415.0.0138 on SRX5000 lines of devices with chassis cluster. PR1590099

The pkid core dumping while auto-enrollment of local certificates. PR1564300

The srxpfe process might stop and generate a core file when IPsec VPN is used. PR1574409

IKEv2 soft-lifetime timer might expire later than expected time. PR1574717

The iked process might crash when IKEv2 negotiation fails on MX and SRX Series devices. PR1577484

The from-self packet might be dropped when it forwards through an IPsec VPN tunnel. PR1577550

The ikemd process might crash when SNMP get is performed on jnxIpSecTunnelMonTable. PR1582036

Memory leaks on the iked process on SRX5000 line of devices with SRX5K-SPC3 installed. PR1586324

The IPSec tunnel might not come up if configured with configuration payload in a certain scenario. PR1593408

The kmd process might crash when VPN peer initiates using source-port other than 500. PR1596103

Tail drops might occur on SRX Series devices if shaping-rate is configured on st-interface. PR1604039

Authentication fails on bringing up IPsec tunnel between DUT and Strongswan-peer with IKE (group21 sha-512 aes-192-cbc) proposal. PR1605275