Resolved Issues: 21.3R2

Junos OS: MX Series and SRX Series: The flowd daemon will crash if the SIP ALG is enabled and specific SIP messages are processed (CVE-2022-22175). PR1604123

The Services-offload packets processed counter not incremented in security flow statistics. PR1616875

Security traffic log display service-name=None for some application. PR1619321

Cleartext fragments are not processed by flow. PR1620803

VLAN tagged packets might be dropped at TAP mode enabled interface. PR1624041

Some transmitting packets might get dropped due to the disable-pfe action is not invoked when the fabric self-ping failure is detected. PR1558899

When using log templates introduced in Junos OS release 21.1R1 with Unified Policies, logs were not generated in a predictable manner. A new construct has been added that allows you to define a default log profile set security log profile name default-profile command can be used to improve this behavior when multiple log profiles are defined. PR1570105

The fxp0 interface of an SRX550 device in cluster might become unreachable from an external network. PR1575231

HTTP sessions are not re-established fine after a link flap between hub and spoke. PR1577021

The error message tcp_timer_keep:Local(0x81100001:60753) Foreign(0x8f100001:33010) is seen in messages log every 80 seconds. PR1580667

Getting UNKNOWN instead of HTTP-PROXY for application and UNKNOWN instead of GOOGLE-GEN in RT-FLOW close messages. PR1588139

When combining log profiles and unified policies RT_FLOW_SESSION_DENY logs were not being generated corrected. PR1594587

Traffic might be dropped at NAT gateway if EIM is enabled. PR1601890

Kernel pause might be seen when static routes are configured with GRE interfaces being used as next-hop. PR1601996

When the tap mode is enabled, the packet on ge-0/0/0 is dropped on RX side. PR1606293

DNS proxy functionality might not work on VRRP interfaces. PR1607867

Enabling security-metadata-streaming-policy might cause Packet Forwarding Engine stop. PR1610260

DNS-based SecIntel statistics were not populating correctly on SRX Series devices. PR1611071

On SRX Series devices running DNS Security, the notification option log-detections was not honoured. Prior to this release, a log was generated for every DNS request, regardless of its intent (malicious or benign). PR1611177

Interface might not come up when 10G port is connected to 1G SFP. PR1613475

Enabling security-metadata-streaming DNS policy might cause a dataplane memory leak. PR1613489

On SRX Series devices running DNS Security in secure-wire mode, DGA verdicts would not be returned to the device. PR1616075

The srxpfe process might stop when the DNS Security feature is enabled. PR1616171

On SRX Series devices using on-box logging, LLMD write failures might be seen under high load. The output of show security log llmd counters command can be used to view LLMD behavior. PR1620018

Traffic might get dropped due to memory issue on some SRX Series devices. PR1620888

Under rare circumstances, an srxpfe or flowd process generates core files when running advanced-anti-malware. PR1624124

Running DNS on all SRX Series devices, a memory leak on Packet Forwarding Engine might occur. PR1624655

Core files might be reported on installing IDP security package. PR1625364

The flowd process lost heartbeat for 45 consecutive seconds without alarm raised. PR1625579

When viewing DNS Tunnel detections in the ATP Cloud portal, the Source-IP and Destination-IP metadata is reversed. PR1629995

Depending on the configuration of the SRX Series devices, duplicate events might have been written to the on-box logging database. This fix improves LLMD performance by eliminating these duplicate write events. PR1630123

LLDP packets might be sent with incorrect source MAC for RETH or LAG child members. PR1630886

Reverse DNS Lookups will no longer be stored in the DNSF Cache when using DNS Security. PR1631000

IPv4 or IPv6 address might get removed when the interface configuration is moved from tenant stanza to interface stanza. PR1605250

High Routing Engine CPU usage occurs when routing-instance is configured under security idp security-package hierarchy level. PR1614013

IDP signature install taking longer time. PR1615985

AppID database update failing to download when used through IDP offline method. PR1623857

Your session has expired. Click ok to re-login when using root user. PR1611448

The AM or PM time format is displayed in customize for last field at Monitor > Logs > All Events. PR1628649

SRX Accounting and auditd process might not work on secondary node. PR1620564

Error message "gencfg_cfg_msg_gen_handler drop" is seen after running commit command. PR1629647

High CPU usage might be seen on some SRX Series devices. PR1579425

Observing commit error while configuring routing-options rib inet6.0 static on all Junos OS devices. PR1599273

The iked process might restart and generate core during session state activation or deactivation. PR1573102

Certificate identifier length for PKI CMPv2 CA cert is not displayed as expected in certain cases. PR1589084

Tail drops might occur on SRX Series devices if shaping-rate is configured on st-interface. PR1604039

Authentication might fail on bringing up IPsec tunnel when ECDSA is configured in the security ike. PR1605275

Traffic over IPSec tunnels might be dropped post control link failure. PR1627557