Resolved Issues: 21.3R2
Application Layer Gateways (ALGs)
-
Junos OS: MX Series and SRX Series: The flowd daemon will crash if the SIP ALG is enabled and specific SIP messages are processed (CVE-2022-22175). PR1604123
Flow-Based and Packet-Based Processing
-
The Services-offload packets processed counter not incremented in security flow statistics. PR1616875
-
Security traffic log display service-name=None for some application. PR1619321
-
Cleartext fragments are not processed by flow. PR1620803
-
VLAN tagged packets might be dropped at TAP mode enabled interface. PR1624041
General Routing
-
Some transmitting packets might get dropped due to the disable-pfe action is not invoked when the fabric self-ping failure is detected. PR1558899
-
When using log templates introduced in Junos OS release 21.1R1 with Unified Policies, logs were not generated in a predictable manner. A new construct has been added that allows you to define a default log profile set security log profile name default-profile command can be used to improve this behavior when multiple log profiles are defined. PR1570105
-
The fxp0 interface of an SRX550 device in cluster might become unreachable from an external network. PR1575231
-
HTTP sessions are not re-established fine after a link flap between hub and spoke. PR1577021
-
The error message tcp_timer_keep:Local(0x81100001:60753) Foreign(0x8f100001:33010) is seen in messages log every 80 seconds. PR1580667
-
Getting UNKNOWN instead of HTTP-PROXY for application and UNKNOWN instead of GOOGLE-GEN in RT-FLOW close messages. PR1588139
-
When combining log profiles and unified policies RT_FLOW_SESSION_DENY logs were not being generated corrected. PR1594587
-
Traffic might be dropped at NAT gateway if EIM is enabled. PR1601890
-
Kernel pause might be seen when static routes are configured with GRE interfaces being used as next-hop. PR1601996
-
When the tap mode is enabled, the packet on ge-0/0/0 is dropped on RX side. PR1606293
-
DNS proxy functionality might not work on VRRP interfaces. PR1607867
-
Enabling security-metadata-streaming-policy might cause Packet Forwarding Engine stop. PR1610260
-
DNS-based SecIntel statistics were not populating correctly on SRX Series devices. PR1611071
-
On SRX Series devices running DNS Security, the notification option log-detections was not honoured. Prior to this release, a log was generated for every DNS request, regardless of its intent (malicious or benign). PR1611177
-
Interface might not come up when 10G port is connected to 1G SFP. PR1613475
-
Enabling security-metadata-streaming DNS policy might cause a dataplane memory leak. PR1613489
-
On SRX Series devices running DNS Security in secure-wire mode, DGA verdicts would not be returned to the device. PR1616075
-
The srxpfe process might stop when the DNS Security feature is enabled. PR1616171
-
On SRX Series devices using on-box logging, LLMD write failures might be seen under high load. The output of show security log llmd counters command can be used to view LLMD behavior. PR1620018
-
Traffic might get dropped due to memory issue on some SRX Series devices. PR1620888
-
Under rare circumstances, an srxpfe or flowd process generates core files when running advanced-anti-malware. PR1624124
-
Running DNS on all SRX Series devices, a memory leak on Packet Forwarding Engine might occur. PR1624655
-
Core files might be reported on installing IDP security package. PR1625364
-
The flowd process lost heartbeat for 45 consecutive seconds without alarm raised. PR1625579
-
When viewing DNS Tunnel detections in the ATP Cloud portal, the Source-IP and Destination-IP metadata is reversed. PR1629995
-
Depending on the configuration of the SRX Series devices, duplicate events might have been written to the on-box logging database. This fix improves LLMD performance by eliminating these duplicate write events. PR1630123
-
LLDP packets might be sent with incorrect source MAC for RETH or LAG child members. PR1630886
-
Reverse DNS Lookups will no longer be stored in the DNSF Cache when using DNS Security. PR1631000
Interfaces and Chassis
-
IPv4 or IPv6 address might get removed when the interface configuration is moved from tenant stanza to interface stanza. PR1605250
Intrusion Detection and Prevention (IDP)
J-Web
Platform and Infrastructure
Routing Policy and Firewall Filters
-
High CPU usage might be seen on some SRX Series devices. PR1579425
Routing Protocols
-
Observing commit error while configuring routing-options rib inet6.0 static on all Junos OS devices. PR1599273
VPNs
-
The iked process might restart and generate core during session state activation or deactivation. PR1573102
-
Certificate identifier length for PKI CMPv2 CA cert is not displayed as expected in certain cases. PR1589084
-
Tail drops might occur on SRX Series devices if shaping-rate is configured on st-interface. PR1604039
-
Authentication might fail on bringing up IPsec tunnel when ECDSA is configured in the security ike. PR1605275
-
Traffic over IPSec tunnels might be dropped post control link failure. PR1627557