Open Issues

"show interfaces queue command output not correctly displaying bps values for throughput higher than 4.25Gbps. This behaviour is only present for throughput higher than 4.25Gbps per interface output queue.PR1596172

Use an antireplay window size of 512 for IPv4 or IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence, there are no out-of-order packets with 512 antireplay window size. PR1470637

For accelerated flows such as Express Path, the packet or byte counters in the session close log and show session output take into account only the values that accumulated while traversing the NP. PR1546430

Traffic drop might be seen on irb interface on SRX1500 for network control forwarding class when verifying dscp classification based on single and multiple code-points. PR1611623

In Mac-OS platforms when Juniper Secure Connect client connects successfully, the client is not getting minimized to tray icon and needs to be minimized manually.PR1525889

IPSec rekey fails when SRX is configured with kilobyte based lifetime in remote access solution. PR1527384

With Application-Based Multipath Routing enabled, HTTP sessions take approx 10 minutes to re-establish after a link flap between hub and spoke. PR1577021

During reboot, "warning: requires 'idp-sig' license" can be seen on the screen even when the device has valid license. PR1594014

With ssl-proxy configured along with web-proxy, the client session might not closed on the device even though proxy session ends gracefully. PR1580526

On MX platforms the JDM (Juniper Device Manager) server could not be created in in-chassis mode of junos node slicing, which results in mgd process crash and affects GNF's (Guest Network Function) provisioning. PR1583324

HA AP mode on-box logging in LSYS and Tenant, Intermittently Security log contents of binary log file in LSYS are not as expected PR1587360

The switch reason is being shown as nh change instead of sla violated in the best path log message. PR1602571

On SRX Series devices, if the SNMP packet (traps or polls) has to cross multiple routing-instances, it will cause the packet to be dropped due to incorrect routing-instance ID added by SRX. PR1616775

For LTE interfaces (dl0, cl-*) on security devices, configured in a High Availability cluster mode if redundancy failover is performed then user may lose connection to the internet. If redundancy failover is not performed then no issue is seen. PR1625125

On the SRX4100 and SRX4200 platforms, it can detect DPDK (data plane development kit) Tx stuck issue and trigger a major chassis alarm goes which might trigger RG1 failover to the healthy node. A DPDK reset will be triggered only to the stuck port and if the reset resolves the tx stuck issue, the major chassis alarm will go off.PR1626562

Trigger: On SRX platform, perform ISSU from any release prior to 22.1 to 22.1 or above releases. Symptom: ISSU will be aborted / failed with the below warning. 'warn-message "ISSU is not supported for Clock Synchronization (SyncE)";''override'In '/var/tmp/paSBfY/etc/indb//config.indb' line 162included from '/var/tmp/paSBfY/etc/indb/issu.indb' line 10 'override' syntax errorISSU not supported as current image uses explicit tags for message structures\n PR1632810

SMTPS sessions are not getting identified when traffic is sent from IXIA (BPS) profile. PR1635929

When SSL-Proxy service is enabled in the security policies to actively process the TLS traffic, the PFE process might crash when the traffic matches certain criteria : end-to-end traffic uses TLS 1.1 or TLS 1.2 protocol version with RSA key exchange based cipher. As a workaround, to avoid the crash the following config can be set from VTY : "plugin junos_ssl set proxy one-crypto status 0" PR1641995

remote-access-juniper-std license might not get freed up while disconnect/reconnect after RG0 failover. PR1642653

AAMW ACTION LOG are not observed when setting log-notifications sometimes. PR1644000

The SKYATP:IMAP/IMAPS Email permitted counter may have incorrect value under certain conditions.PR1646661

Firewall-authentication with user-firewall based RADIUS access has syslog missing the username and rule.PR1654842

For SOF L2 secure-wire session, if the mac move happen on an existing offloaded session, the packet sent out by SRX will carry old mac address and causing traffic drop on end-user PR1597681

Some of the OSPF neighborship might not able to establish after system bootup when the neigborship connect to SRX via different zone under transparent modePR1599891

On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

In some scenario(e.g configuring firewall filter) sometimes srx5K might show obsolete IPsec SA and NHTB entry even when the peer tear down the tunnel. PR1432925

Tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393

An IPsec policy must not have both ESP and AH proposals. The configuration will commit, but the IPsec traffic will not work. Do not configure an IPsec policy with proposals using both ESP and AH protocols. PR1552701

First time when we add this command the existing active connections are not changed, only the new connection after this command will be taken into effect. PR1608715