Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Resolved Issues: 21.4R1

Application Layer Gateways (ALGs)

Authentication and Access Control

  • UAC authentication might not work post system reboot. PR1585158

Flow-Based and Packet-Based Processing

  • Performance degradation might be observed when power-mode-ipsec is enabled. PR1599044

  • The services offload packets processed counter not incremented in security flow statistics. PR1616875

  • Security traffic log display service-name as none for some application. PR1619321

  • Cleartext fragments are not processed by flow. PR1620803

  • On SRX4600 and SRX5000 line of devices, when an interface is configured in TAP mode, the vlan-id-range is now supported in non-default routing instances. PR1624041

General Routing

  • SSL-FP logging for non SNI session. PR1442391

  • In non-FIPS mode, the RNG in FreeBSD 12 based Junos OS versions has been changed from the default FreeBSD Fortuna RNG to the FIPS/SP800-90A&B HMAC-DRBG CSPRNG. PR1529574

  • Some transmitting packets might get dropped due to the disable-pfe action is not invoked when the fabric self-ping failure is detected. PR1558899

  • The CLI command show pfe statistics traffic shows wrong output. PR1566065

  • When using log templates with unified policies, logs were not generated in a predictable manner. A new construct has been added that allows you to define a default log profile set security log profile default-profile can be used to improve this behavior when multiple log profiles are defined. PR1570105

  • Changes in SNMP traps configuration and data exported for TWAMP. PR1573169

  • On SRX Series devices with Chassis Cluster, the tcp_timer_keep:Local(0x81100001:60753) Foreign(0x8f100001:33010) is seen in messages log every 80 seconds. PR1580667

  • Traffic is dropped to or through VRRP virtual IP on SRX380 device. PR1581554

  • The srxpfe process might stop on SRX1500 devices. PR1582989

  • Secure Web proxy continue sending DNS query for unresolved DNS entry even after the entry was removed. PR1585542

  • On SRX Series devices, significant performance improvements for JDPI's micro-application identification were included in this release. PR1585683

  • The show security idp counters command is not having tenant command in the syntax. PR1586220

  • IP packets might be dropped on SRX Series devices. PR1588627

  • The jsqlsyncd process files generation might cause device to stop after upgrade. PR1589108

  • The REST API does not work for SRX380 devices. PR1590810

  • The issue (empty feed-name) starts with the hit returned from cache which points to the node with the parameter of feed-ID (2) inconsistent with the feeds-update (when it's 1). As a result the incorrect feed-ID points to the empty entry in the array of the feed-names. PR1591236

  • J-Web deny log nested-application as UNKNOWN instead of specific application. PR1593560

  • When combining log profiles and unified policies RT_FLOW_SESSION_DENY logs were not being generated corrected. PR1594587

  • System logs are generated when maximum session or total memory limit is hit for packet capture. PR1594669

  • The flowd process might stop when AppID marks the application as complete and the inspection limits are hit. PR1595310

  • Node1 fpc0 (SPM) goes down after ISSU and RG0 failover. PR1595462

  • Sometimes, when Jflow v9 flow record can contain wrong application id from cache, which can lead wrong identification of traffic application. PR1595787

  • On SRX Series devices with SPC3, when SPC3 fails in specific circumstances, there might be delay observed in failover to other node. PR1596118

  • The flowd process might generate core files if application services security policy is configured. PR1597111

  • The srxpfe process might stop and generate a core file post "targeted-broadcast forward-only" interface-config commit. PR1597863

  • The flowd process might generate core files if the AppQOS module receiving two packets of a session. PR1597875

  • The flowd process might stop in AppQoE scenarios PR1599191

  • The httpd-gk process generates core files when IPsec VPN is configured. PR1599398

  • CRC or align errors and fragment frames might be seen with traffic against 400G ports. PR1601151

  • Traffic might be dropped at NAT gateway if EIM is enabled. PR1601890

  • Kernel crash might be seen when static routes are configured with GRE interfaces being used as next-hop. PR1601996

  • The flowd process might stop if the DNS-inspection feature is enabled by configuring SMS policy. PR1604773

  • Memory leak at the useridd process might be observed when integrated user firewall is configured. PR1605933

  • When the tap mode is enabled, the packet on ge-0/0/0 is dropped on RX side. PR1606293

  • The flowd process might stop if the DNS-inspection feature is enabled within SMS. PR1607251

  • DNS proxy functionality might not work on VRRP interfaces. PR1607867

  • Enabling dnsf traceoptions on SRX300 line of devices might result in flowd process to stop. PR1608669

  • Enabling security-metadata-streaming-policy command might cause Packet Forwarding Engine stop. PR1610260

  • DNS-based SecIntel statistics were not populating correctly on SRX Series devices. PR1611071

  • On SRX Series devices running DNS security, the notification option 'log-detections' was not honoured. Prior to this release, a log was generated for every DNS request, regardless of its intent. PR1611177

  • Interface might not come up when 10G port is connected to 1G SFP. PR1613475

  • Enabling security-metadata-streaming DNS policy might cause a data plane memory leak. PR1613489

  • On SRX Series devices running DNS Security in secure-wire mode, DGA verdicts would not be returned to the device. PR1616075

  • The srxpfe process might stop when the DNS security feature is enabled. PR1616171

  • Traffic might get dropped due to memory issue on some SRX Series devices. PR1620888

  • Running DNS on all SRX Series devices, a memory leak on Packet Forwarding Engine might occur. PR1624655

  • When viewing DNS Tunnel detections in the ATP Cloud portal, the Source-IP and Destination-IP metadata is reversed. PR1629995


  • Upgrade might fail when upgrading from previous releases. PR1602005

Interfaces and Chassis

  • IPv4 or IPv6 address from the config on the interface might not be applied when the interface is moved from tenants to interface stanza in the configuration. PR1605250

Intrusion Detection and Prevention (IDP)

  • IDP signature DB update fails. PR1594283

  • Custom attack IDP policies might fail to compile. PR1598867

  • IDP policy compilation is not happening when a commit check is issued prior to a commit. PR1599954

  • The srxpfe process might stop while the IDP security package contains a new detector. PR1601380

  • This release includes optimizations made to IDP that help improve its performance and behavior under load. PR1601926

  • High Routing Engine CPU usage occurs when routing instance is configured under security idp security-package hierarchy level. PR1614013

  • IDP signature install taking longer time. PR1615985

  • Application identification DB update failing to download when used through IDP offline method. PR1623857


  • J-Web a custom application name contains "any" is listed under pre-defined applications. PR1597221

  • J-Web might not display customer defined application services if one new policy is created. PR1599434

  • J-Web application might stop and generate the httpd process core files. PR1602228

  • Radius users might not be able to view or modify configuration through J-Web. PR1603993

  • On all SRX Series devices, some widgets in J-Web might not load properly for logical systems users. PR1604929

  • The error displays "your session has expired. click ok to re-login" when using root user. PR1611448

  • The AM or PM time format is displayed in customize for last field at Monitor > Logs > All Events. PR1628649

Network Address Translation (NAT)

  • Incorrect IPv6 UDP checksum inserted after translation of packet from IPv4 to IPv6. PR1596952

Platform and Infrastructure

  • Junos OS: Upon receipt of specific sequences of genuine packets destined to the device the kernel will crash and restart (vmcore) (CVE-2021-0283, CVE-2021-0284). PR1595649

  • The process mgd might stop with authentication setup. PR1600615

  • SRX accounting and auditd process might not work on secondary node. PR1620564

Routing Policy and Firewall Filters

  • High CPU usage might be seen on some SRX Series devices. PR1579425

Routing Protocols

  • Short multicast packets drop using PIM when multicast traffic received at a non-RPT/SPT interface. PR1579452

  • The fwauthd process generates core file when upgrading to Junos OS 21.2R1 release. PR1588393

  • While testing pppoe_dhcpv6, observing commit error while configuring routing-options rib inet6.0 static. PR1599273

Unified Threat Management (UTM)

  • There is no counter for juniper-local default action. PR1570500


  • The iked process might restart and generate core during session state activation or deactivation PR1573102

  • The iked process might stop when IKEv2 negotiation fails on MX or SRX Series devices. PR1577484

  • Memory leaks on the iked process on SRX5000 line of devices with SRX5K-SPC3 installed. PR1586324

  • Certificate identifier length for PKI CMPv2 CA cert is not displayed as expected in certain cases. PR1589084

  • The IPsec tunnel might not come up if configured with configuration payload in a certain scenario. PR1593408

  • The kmd process might crash when VPN peer initiates using source-port other than 500. PR1596103

  • Tail drops might occur on SRX Series devices if shaping-rate is configured on st-interface. PR1604039