Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Open Issues

Learn about open issues in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Chassis Clustering

  • On SRX platform with chassis cluster enabled, chassis cluster IP monitoring on the secondary node might fail after system rebootPR1691071

Flow-Based and Packet-Based Processing

  • Use an antireplay window size of 512 for IPv4 or IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence, there are no out-of-order packets with 512 antireplay window size. PR1470637

  • For accelerated flows such as Express Path, the packet or byte counters in the session close log and show session output take into account only the values that accumulated while traversing the NP. PR1546430

High Availability (HA) and Resiliency

  • Trigger: Perform ISSU from any release prior to 22.1 to 22.1 or above releases. This issue is applicable to all the platforms. Symptom: ISSU will be aborted / failed with the below warning. 'warn-message "ISSU is not supported for Clock Synchronization (SyncE)";''override'In '/var/tmp/paSBfY/etc/indb//config.indb' line 162included from '/var/tmp/paSBfY/etc/indb/issu.indb' line 10 'override' syntax errorISSU not supported as current image uses explicit tags for message structures\n PR1628172

Interfaces and Chassis

  • Traffic drop might be seen on irb interface on SRX1500 for network control forwarding class when verifying dscp classification based on single and multiple code-points. PR1611623

Platform and Infrastructure

  • In Mac-OS platforms when Juniper Secure Connect client connects successfully, the client is not getting minimized to tray icon and needs to be minimized manually.PR1525889

  • IPSec rekey fails when SRX is configured with kilobyte based lifetime in remote access solution. PR1527384

  • With Application-Based Multipath Routing enabled, HTTP sessions take approx 10 minutes to re-establish after a link flap between hub and spoke. PR1577021

  • With ssl-proxy configured along with web-proxy, the client session might not get closed on the device until session timeout, even though the proxy session ends gracefully.PR1580526

  • On MX platforms the JDM (Juniper Device Manager) server could not be created in in-chassis mode of junos node slicing, which results in mgd process crash and affects GNF's (Guest Network Function) provisioning. PR1583324

  • HA AP mode on-box logging in LSYS and Tenant, Intermittently Security log contents of binary log file in LSYS are not as expected PR1587360

  • On the SRX4100 and SRX4200 platforms, it can detect DPDK (data plane development kit) Tx stuck issue and trigger a major chassis alarm goes which might trigger RG1 failover to the healthy node. A DPDK reset will be triggered only to the stuck port and if the reset resolves the tx stuck issue, the major chassis alarm will go off.PR1626562

  • A Missing Release of Memory after Effective Lifetime vulnerability in the Application Quality of Experience (appqoe) subsystem of the PFE of Juniper Networks Junos OS on SRX Series allows an unauthenticated network based attacker to cause a Denial of Service (DoS). Please refer to https://kb.juniper.net/JSA69709 for more information.PR1628090

  • Trigger: On SRX platform, perform ISSU from any release prior to 22.1 to 22.1 or above releases. Symptom: ISSU will be aborted / failed with the below warning. 'warn-message "ISSU is not supported for Clock Synchronization (SyncE)";''override'In '/var/tmp/paSBfY/etc/indb//config.indb' line 162included from '/var/tmp/paSBfY/etc/indb/issu.indb' line 10 'override' syntax errorISSU not supported as current image uses explicit tags for message structures\n PR1632810

  • SMTPS sessions are not getting identified when traffic is sent from IXIA (BPS) profile. PR1635929

  • On SRX5000 line of devices and MX240, MX480, MX960 platforms,when device is powered on with multiple line cards, power might not be sufficient and few line cards fail to come into online state.PR1645817

  • The SKYATP:IMAP/IMAPS Email permitted counter may have incorrect value under certain conditions.PR1646661

  • File submission success counter is not changed when file is submitted to cloud. PR1651101

  • Firewall-authentication with user-firewall based RADIUS access has syslog missing the username and rule.PR1654842

  • File archive command under non-root account may not archive all files under /var/log.PR1657958

  • On SRX series platform with chassis cluster enabled, reth interface might not go up due to speed mismatch when reth interface speed is changed afger RG0 failoverPR1658276

  • SRX cli command to show fwauth user details like "show security firewall-authentication users identifier 1" and "show security firewall-authentication users address 10.1.1.1" does not display user's group information.PR1659115

  • Device does not drop session with server certificate chain more than 6.PR1663062

User Interface and Configuration

  • Please use "load update" instead of "load override" to prevent the error messages PR1630315

VPNs

  • In some scenario(e.g configuring firewall filter) sometimes srx5K might show obsolete IPsec SA and NHTB entry even when the peer tear down the tunnel. PR1432925

  • Tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393

  • First time when we add this command the existing active connections are not changed, only the new connection after this command will be taken into effect. PR1608715

  • Sometimes after manual failover, IKE-SA rekey does not succeed. In order to recover from this scenario, enable dead-peer-detection with always-sendPR1690921