Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Resolved Issues: 21.3R2

Application Layer Gateways (ALGs)

  • Junos OS: MX Series and SRX Series: The flowd daemon will crash if the SIP ALG is enabled and specific SIP messages are processed (CVE-2022-22175). PR1604123

Flow-Based and Packet-Based Processing

  • The Services-offload packets processed counter not incremented in security flow statistics. PR1616875

  • Security traffic log display service-name=None for some application. PR1619321

  • Cleartext fragments are not processed by flow. PR1620803

  • VLAN tagged packets might be dropped at TAP mode enabled interface. PR1624041

General Routing

  • Some transmitting packets might get dropped due to the disable-pfe action is not invoked when the fabric self-ping failure is detected. PR1558899

  • When using log templates introduced in Junos OS release 21.1R1 with Unified Policies, logs were not generated in a predictable manner. A new construct has been added that allows you to define a default log profile set security log profile name default-profile command can be used to improve this behavior when multiple log profiles are defined. PR1570105

  • The fxp0 interface of an SRX550 device in cluster might become unreachable from an external network. PR1575231

  • HTTP sessions are not re-established fine after a link flap between hub and spoke. PR1577021

  • The error message tcp_timer_keep:Local(0x81100001:60753) Foreign(0x8f100001:33010) is seen in messages log every 80 seconds. PR1580667

  • Getting UNKNOWN instead of HTTP-PROXY for application and UNKNOWN instead of GOOGLE-GEN in RT-FLOW close messages. PR1588139

  • When combining log profiles and unified policies RT_FLOW_SESSION_DENY logs were not being generated corrected. PR1594587

  • Traffic might be dropped at NAT gateway if EIM is enabled. PR1601890

  • Kernel pause might be seen when static routes are configured with GRE interfaces being used as next-hop. PR1601996

  • When the tap mode is enabled, the packet on ge-0/0/0 is dropped on RX side. PR1606293

  • DNS proxy functionality might not work on VRRP interfaces. PR1607867

  • Enabling security-metadata-streaming-policy might cause Packet Forwarding Engine stop. PR1610260

  • DNS-based SecIntel statistics were not populating correctly on SRX Series devices. PR1611071

  • On SRX Series devices running DNS Security, the notification option log-detections was not honoured. Prior to this release, a log was generated for every DNS request, regardless of its intent (malicious or benign). PR1611177

  • Interface might not come up when 10G port is connected to 1G SFP. PR1613475

  • Enabling security-metadata-streaming DNS policy might cause a dataplane memory leak. PR1613489

  • On SRX Series devices running DNS Security in secure-wire mode, DGA verdicts would not be returned to the device. PR1616075

  • The srxpfe process might stop when the DNS Security feature is enabled. PR1616171

  • On SRX Series devices using on-box logging, LLMD write failures might be seen under high load. The output of show security log llmd counters command can be used to view LLMD behavior. PR1620018

  • Traffic might get dropped due to memory issue on some SRX Series devices. PR1620888

  • Under rare circumstances, an srxpfe or flowd process generates core files when running advanced-anti-malware. PR1624124

  • Running DNS on all SRX Series devices, a memory leak on Packet Forwarding Engine might occur. PR1624655

  • Core files might be reported on installing IDP security package. PR1625364

  • The flowd process lost heartbeat for 45 consecutive seconds without alarm raised. PR1625579

  • When viewing DNS Tunnel detections in the ATP Cloud portal, the Source-IP and Destination-IP metadata is reversed. PR1629995

  • Depending on the configuration of the SRX Series devices, duplicate events might have been written to the on-box logging database. This fix improves LLMD performance by eliminating these duplicate write events. PR1630123

  • LLDP packets might be sent with incorrect source MAC for RETH or LAG child members. PR1630886

  • Reverse DNS Lookups will no longer be stored in the DNSF Cache when using DNS Security. PR1631000

Interfaces and Chassis

  • IPv4 or IPv6 address might get removed when the interface configuration is moved from tenant stanza to interface stanza. PR1605250

Intrusion Detection and Prevention (IDP)

  • High Routing Engine CPU usage occurs when routing-instance is configured under security idp security-package hierarchy level. PR1614013

  • IDP signature install taking longer time. PR1615985

  • AppID database update failing to download when used through IDP offline method. PR1623857


  • Your session has expired. Click ok to re-login when using root user. PR1611448

  • The AM or PM time format is displayed in customize for last field at Monitor > Logs > All Events. PR1628649

Platform and Infrastructure

  • SRX Accounting and auditd process might not work on secondary node. PR1620564

  • Error message "gencfg_cfg_msg_gen_handler drop" is seen after running commit command. PR1629647

Routing Policy and Firewall Filters

  • High CPU usage might be seen on some SRX Series devices. PR1579425

Routing Protocols

  • Observing commit error while configuring routing-options rib inet6.0 static on all Junos OS devices. PR1599273


  • The iked process might restart and generate core during session state activation or deactivation. PR1573102

  • Certificate identifier length for PKI CMPv2 CA cert is not displayed as expected in certain cases. PR1589084

  • Tail drops might occur on SRX Series devices if shaping-rate is configured on st-interface. PR1604039

  • Authentication might fail on bringing up IPsec tunnel when ECDSA is configured in the security ike. PR1605275

  • Traffic over IPSec tunnels might be dropped post control link failure. PR1627557