Open Issues

In Z-mode configuration, sometimes the statistics of back-up session may not be correct on fail-over from master to back-up.PR1667098

Use an antireplay window size of 512 for IPv4 or IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence, there are no out-of-order packets with 512 antireplay window size. PR1470637

ISSU is getting aborted with ISSU is not supported for Clock Synchronization (SyncE). PR1652838

Traffic drop might be seen on irb interface on SRX1500 for network control forwarding class when verifying dscp classification based on single and multiple code-points. PR1611623

In Mac-OS platforms when Juniper Secure Connect client connects successfully, the client is not getting minimized to tray icon and needs to be minimized manually.PR1525889

With Application-Based Multipath Routing enabled, HTTP sessions take approx 10 minutes to re-establish after a link flap between hub and spoke. PR1577021

With ssl-proxy configured along with web-proxy, the client session might not closed on the device even though proxy session ends gracefully. PR1580526

HA AP mode on-box logging in LSYS and Tenant, Intermittently Security log contents of binary log file in LSYS are not as expected PR1587360

If a device is rebooted manually or reboots for any other reason, The following messages can be seen on the boot up screen even when the device has valid license and proper configuration to use the features like IDP/UTM PR1594014

On the SRX4100 and SRX4200 platforms, it can detect DPDK (data plane development kit) Tx stuck issue and trigger a major chassis alarm goes which might trigger RG1 failover to the healthy node. A DPDK reset will be triggered only to the stuck port and if the reset resolves the tx stuck issue, the major chassis alarm will go off.PR1626562

SMTPS sessions are not getting identified when traffic is sent from IXIA (BPS) profile. PR1635929

remote-access-juniper-std license might not get freed up while disconnect/reconnect after RG0 failover. PR1642653

The SKYATP:IMAP/IMAPS Email permitted counter may have incorrect value under certain conditions.PR1646661

Firewall-authentication with user-firewall based RADIUS access has syslog missing the username and rule.PR1654842

SRX cli command to show fwauth user details like "show security firewall-authentication users identifier 1" and "show security firewall-authentication users address 10.1.1.1" does not display user's group information. PR1659115

Device does not drop session with server certificate chain more than 6.PR1663062

When client tries to do a TLS 1.3 session resumption and the proxy is not able to honor the resumption request, ideally the cache miss counter has to be incremented once. But due to this bug, it gets incremented twice.PR1663678

Please use "load update" instead of "load override" to prevent the error messages PR1630315

For SOF L2 secure-wire session, if the mac move happen on an existing offloaded session, the packet sent out by SRX will carry old mac address and causing traffic drop on end-user PR1597681

On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

In some scenario(e.g configuring firewall filter) sometimes srx5K might show obsolete IPsec SA and NHTB entry even when the peer tear down the tunnel. PR1432925

Tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393

On SRX platforms, packets through policy-based IPsec tunnel could be dropped in some case when power-mode is enabled.PR1663364