Open Issues

Use 512 antireplay window size for IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence there are no out-of-order packets with 512 antireplay window size. PR1470637

For accelerated flows such as Express Path, the packet or byte counters in the session close log and show session output take into account only the values that accumulated while traversing the NP. PR1546430

HTTP sessions takes approximately 10 minutes to re-establish after a link flap between hub and spoke. PR1577021

With SSL proxy configured along with Web proxy, the client session might not closed on the device even though proxy session ends gracefully. PR1580526

HA AP mode on-box logging in logical systems and tenant systems, the intermittently security log contents of binary log file in logical systems and tenant systems are not as expected. PR1587360

Getting UNKNOWN instead of HTTP-PROXY for application and UNKNOWN instead of GOOGLE-GEN in RT-FLOW close messages These messages can be seen in the RT-flow close log and these are due to JDPI not engaged for the session. This might affect the app identification for the web-proxy session traffic. PR1588139

The switch reason is being shown as nh change instead of sla violated in the best path log message. PR1602571

Advanced anti malware hash feature is deprecated. PR1604426

The issue is when we enable TCP path finder in the VPN gateway, VPN connection is established properly. After VPN connection is established, able to ping from JSC installed CLIENT to SERVER behind gateway, but unable to ping from SERVER behind gateway to Juniper Secure Connect installed CLIENT. PR1611003

The t1 interface admin status will be shown as test instead of down during FPC failover. PR1615494

On SRX345 device, Junos OS release 21.3R1 with custom application configured with matching pattern in traffic, APPQOE_APP_BEST_PATH_SELECTED is showing the custom application name instead of predefined Layer7 application name. PR1617087

FIPS mode enabling fails with self test failure and kernel process stops. PR1623128

For LTE interfaces (dl0, cl-*) on security devices, configured in a High Availability cluster mode if redundancy failover is performed then user might lose connection to the internet. If redundancy failover is not performed then no issue is seen. PR1625125

On SRX1500 devices, ISSU is getting aborted with ISSU is not supported for Clock Synchronization (SyncE). PR1632810

While executing CLI show security idp attack attack-list policy combine-policy, CLI might get stuck and only partial output gets displayed. PR1616782

LACPD generates core files sometimes when member links are swapped between two reth bundle using rollback operation given that prior to rollback each of the bundle already has maximum number of child links. PR1632371

If tunnel inspection policies are defined, VXLAN sessions are not getting established. PR1604625

On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

An IPsec policy must not have both ESP and AH proposals. The configuration will commit, but the IPsec traffic will not work. Do not configure an IPsec policy with proposals using both ESP and AH. protocols. PR1552701

Fragment packets through policy based IPsec tunnel could be dropped in some rare case when PMI is enabled. PR1624877