Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Resolved Issues: 21.3R1

Authentication and Access Control

  • Unified-access-control (UAC) authentication might not work post system reboot. PR1585158

Chassis Clustering

  • Security policies might not be synced to all Packet Forwarding Engines post upgrade. PR1591559

Flow-Based and Packet-Based Processing

  • The srxpfe process might crash during route churn. PR1572240

  • On SRX Series devices, the filter from-zone has been added to the utility monitor security packet-drop. PR1574060

  • Performance degradation might be observed when power-mode-ipsec is enabled. PR1599044


  • SSL-FP logging for non SNI session. PR1442391

  • The flowd might core dump frequently on SRX340 device. PR1463689

  • PKI CMPv2 client certificate enrollment does not work on SRX when using root-CA. PR1549954

  • Application identity unknown packet capture utility does not function on SRX Series devices when enhanced-services mode is enabled. PR1558812

  • Some transmitting packets might get dropped due to the disable-pfe action is not invoked when the fabric self-ping failure is detected. PR1558899

  • The PIC in SRX5K-SPC3 and MX-SPC3 card might get stuck in offline status after flowd crash occurs on it. PR1560305

  • The show pfe statistics traffic command shows wrong output. PR1566065

  • Packets with the MAC address of eth0 and macvlan0@eth0 interface might be sent out to the management interface on VMHOST platform with NG-RE. PR1571753

  • Traffic is dropped to or through VRRP virtual IP on SRX380 device. PR1581554

  • The ipfd process might crash with a core dump when SecProfiling thread feeds are fetched from Policy Enforcer(PE). PR1582454

  • The srxpfe process might crash on SRX1500 device. PR1582989

  • Packet drop or srxpfe core dump might be observed due to Glacis FPGA limitation. PR1583127

  • The APPID process might crash with a core if multiple commands are run simultaneously. PR1583606

  • Secure Web proxy continue sending DNS query for unresolved DNS entry even after the entry was removed. PR1585542

  • On SRX Series devices, significant performance improvements for JDPI's micro-application identification were included in this release. PR1585683

  • The 1G interfaces might not come up after device reboot. PR1585698

  • The l2ald process might crash on issuing ethernet-switching commands. PR1586426

  • The l2ald process might crash on changing the routing-instance. PR1586516

  • On SRX Series devices, the protocol-version command which controls TLS-versions (1.1, 1.2, 1.3, etc) within SSL-Proxy has been unhidden. PR1587149

  • On SRX Series devices, the unknown packet-capture functionality will no longer record SSL. UNKNOWN flows by default. This behavior can be changed by enabling the set services application-identification packet-capture ssl-unknown command. Without configuration the ssl-unknown command, the SRX will only capture flows marked as UNKNOWN or INCONCLUSIVE. PR1587875

  • Garbage characters might be received in quarantine notification. PR1587962

  • IP packets might be dropped on SRX Series devices. PR1588627

  • The jsqlsyncd process files generation might cause device to panic crash after upgrade. PR1589108

  • SRX connection to Juniper Secure Connect might fail with IKE negotiation request from user disallowed as remote-access user license limit exceeded. PR1589865

  • Pass-through traffic might fail post reboot when Secure Web Proxy is configured. PR1589957

  • Traffic loss might be observed for interface configured in subnet PR1590040

  • The REST API does not work for SRX380 device. PR1590810

  • The issue (empty feed-name) starts with the hit returned from cache which points to the node with the parameter of feed-ID (2) inconsistent with the feeds-update (when it's 1). As a result the incorrect feed-ID points to the empty entry in the array of the feed-names. PR1591236

  • J-Web deny log nested-application="UNKNOWN" instead of specific application. PR1593560

  • System log will be generated when max-session or total memory limit is hit for packet capture. PR1594669

  • Node1 fpc0 (SPM) goes down after ISSU and RG0 failover. PR1595462

  • Network based application recognition value for IPv4 application-id are not as expected. PR1595787

  • Delay might be observed between Services Processing Card (SPC) failing and failover to other node. PR1596118

  • The flowd process might generate core files if the application-services security policy is configured. PR1597111

  • The srxpfe process might stop and generate a core file post targeted-broadcast forward-only command interface configuration commit. PR1597863

  • The flowd process might generate core files if the AppQOS module receiving two packets of a session. PR1597875

  • The flowd process might stop in AppQoE scenarios. PR1599191

  • The httpd-gk core file might be observed when IPsec VPN is configured. PR1599398

  • The flowd process might crash if the DNS inspection feature is enabled by configuring SMS policy. PR1604773

  • Memory leak at the useridd process might be observed when Integrated User Firewall is configured. PR1605933

  • When the tap mode is enabled, the packet on ge-0/0/0 is dropped on RX side. PR1606293

  • The flowd process might stop if the DNS inspection feature is enabled within SMS. PR1607251

  • Enabling dnsf traceoptions on SRX300 lines of devices might result in flowd crash. PR1608669

  • Enabling security-metadata-streaming-policy might cause Packet Forwarding Engine pause. PR1610260

  • On the SRX4600, when you connect a 1G SFP to the 10G port, a reboot is required. A new critical log will now be introduced so the requirement is more visible. In chassis clusters of SRX4600, both nodes need to be rebooted at the same time. PR1613475


  • VM might crash if file is shared between host operating system and guest operating system using virtFS. PR1551193

Interfaces and Chassis

  • Facing configuration check-out failed with error message, the identical local address found on rt_inst [default] and intfs. PR1581877

  • The IPv4 or IPv6 address from the configuration on the interface might not be applied when the interface is moved from tenants to interface stanza in the configuration. PR1605250

Intrusion Detection and Prevention (IDP)

  • Adding signature in packet drop reason and sending to record packet drops module. PR1574603

  • IDP policy compilation failure for over 1000 custom signatures. PR1589399

  • IDP signature DB update fails. PR1594283

  • Custom attack IDP policies might fail to compile. PR1598867

  • IDP policy compilation is not happening when a commit check is issued prior to a commit. PR1599954

  • The srxpfe might stop while the IDP security package contains a new detector. PR1601380

  • This release includes optimizations made to IDP that help improve its performance and behavior under load. PR1601926


  • Junos OS: J-Web allows a locally authenticated attacker to escalate their privileges to root. (CVE-2021-0278) PR1511853

  • The zone info disappears when functional zone is configured. PR1594366

  • A custom application name contains "any" is listed under predefined applications. PR1597221

  • J-Web might not display customer defined application services if one new policy is created. PR1599434

  • J-Web application might stop and generates httpd core files. PR1602228

  • Radius users might not be able to view or modify configuration through J-Web. PR1603993

  • On all SRX Series devices, some widgets in J-Web might not load properly for logical systems users. PR1604929

Network Address Translation (NAT)

  • Incorrect IPv6 UDP checksum inserted after translation of packet from IPv4 to IPv6 addresses. PR1596952

Platform and Infrastructure

  • Junos OS: Upon receipt of specific sequences of genuine packets destined to the device the kernel will crash and restart (vmcore) (CVE-2021-0283, CVE-2021-0284). PR1557881

Routing Policy and Firewall Filters

  • The dns-name cannot be resolved if customer-defined routing instance is configured under name-server. PR1539980

Routing Protocols

  • Short multicast packets drop using PIM when multicast traffic received at a non-RPT or SPT interface PR1579452

  • BGP session carrying VPNv4 prefix with IPv6 next-hop might be dropped. PR1580578

  • The fwauthd process generates core files when upgrading to Junos OS release 21.2R1. PR1588393

Services Applications

  • Extra data plane CPU cycles for processing GTP traffic on SRX5000 line of devices. PR1586367

Unified Threat Management (UTM)

  • There is no counter for juniper-local default action. PR1570500

User Interface and Configuration

  • During rare circumstances, the mgd process might stop and generate a core file on Junos devices connected with Contrail Service Orchestration (CSO). PR1569903

  • The juniper.conf.gz file creates with empty data when we create an tenant system. PR1584850

  • After image upgrade device might fail to come up due to certain configurations. PR1585479

  • IS-SU upgrade aborted from Junos OS release 21.1R1.11 to Junos OS release 21.2I-20210415.0.0138 on SRX5000 lines of devices with chassis cluster. PR1590099


  • The pkid core dumping while auto-enrollment of local certificates. PR1564300

  • The srxpfe process might stop and generate a core file when IPsec VPN is used. PR1574409

  • IKEv2 soft-lifetime timer might expire later than expected time. PR1574717

  • The iked process might crash when IKEv2 negotiation fails on MX and SRX Series devices. PR1577484

  • The from-self packet might be dropped when it forwards through an IPsec VPN tunnel. PR1577550

  • The ikemd process might crash when SNMP get is performed on jnxIpSecTunnelMonTable. PR1582036

  • Memory leaks on the iked process on SRX5000 line of devices with SRX5K-SPC3 installed. PR1586324

  • The IPSec tunnel might not come up if configured with configuration payload in a certain scenario. PR1593408

  • The kmd process might crash when VPN peer initiates using source-port other than 500. PR1596103

  • Tail drops might occur on SRX Series devices if shaping-rate is configured on st-interface. PR1604039

  • Authentication fails on bringing up IPsec tunnel between DUT and Strongswan-peer with IKE (group21 sha-512 aes-192-cbc) proposal. PR1605275