
Open Issues

Learn about open issues in Junos OS Release 21.4R1 for vSRX Virtual Firewall.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • Traffic in power mode still passes through when the ingress logical interface is manually disabled. PR1604144

  • You must leave a gap of 1 to 2 minutes between two configuration commits if there are many security policies that need time to be processed. PR1625531

General Routing

  • Tag "RT_FLOW_SESSION_XXX" is missing in stream mode. PR1565153

  • During automatic re-enrollment of CMPv2 certificates, if the CA server is unresponsive and the CMPv2 request retries have reached the maximum limit, a pkid core might occur. PR1580442

  • With SSL proxy configured along with web-proxy, the client session might not be closed on the device even though the proxy session ends gracefully. PR1580526

  • RT-FLOW close messages show UNKNOWN instead of HTTP-PROXY for the application and UNKNOWN instead of GOOGLE-GEN. These messages appear in the RT-FLOW close log and occur because JDPI is not engaged for the session. This may affect application identification for web-proxy session traffic. PR1588139

  • The performance will be improved by the set security forwarding-options no-allow-dataplane-sleep command. PR1602564

  • The switch reason is being shown as nh change instead of sla violated in the best path log message. PR1602571

  • One needs to configure set security forwarding-options no-allow-dataplane-sleep for high traffic rate use cases. PR1602606

  • The advanced anti-malware Hash feature is deprecated. PR1604426

Intrusion Detection and Prevention (IDP)

  • While executing the CLI command show security idp attack attack-list policy combine-policy, the CLI might get stuck and display only partial output. The CLI recovers on its own. PR1616782

Routing Policy and Firewall Filters

  • When the SSL proxy global configuration is set with enable-proxy-on-default-fw-policy-match, Yahoo traffic hits the pre-id policy instead of the default policy. PR1542790

  • For Junos OS Release 21.4R1, the policy rematch capability for the src-tenant, dest-service dimensions is not supported due to high risk. PR1625172


  • In certain cases, the PUSH ACK message from the group member to the group key server may be lost. The group member can still send rekey requests for the TEK SAs before the hard lifetime expiry. However, if the key server sends any new PUSH messages to the group members, the group member does not receive those updates, because the key server has removed the member from the registered members list. PR1608290