Open Issues
Learn about open issues in this release for SRX Series devices.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
- Application Layer Gateways (ALGs)
- Chassis Clustering
- Flow-Based and Packet-Based Processing
- High Availability (HA) and Resiliency
- Interfaces and Chassis
- Platform and Infrastructure
- Unified Threat Management (UTM)
- User Interface and Configuration
- VPNs
Application Layer Gateways (ALGs)
-
On all SRX platforms, some SIP calls might get dropped when NAT is needed and the SIP ALG is enabledPR1686613
Chassis Clustering
-
10G DAC cable is not supported at CTL/FAB link at SRX4100/4200 Cluster setup. Hardware Compatibility Tool (https://apps.juniper.net/hct/home/) reports 10G DAC cables are as "supported", but CTL and FAB links are out of scope. - SRX-SFP-10GE-DAC-1M - SRX-SFP-10GE-DAC-3MPR1636365
-
In Z-mode configuration, sometimes the statistics of back-up session may not be correct on fail-over from master to back-up.PR1667098
-
After RG0 failover, node priorities are set to zero for both nodes with Relinquish monitoring failure. Expected behaviour is, RG0 Failover should happen gracefully without node priority being disturbed. Issue is seen after image upgrade and perform RG0 failover to node1 and/or fallback to node0. Issue is seen on latest 22.2R1.6 and 22.2R1.7 build. Issue is seen only when HA Link encryption feature is enabled to secure communication between primary and backup node Issue is not seen during fresh bringup of L2HA cluster Issue not seen in 22.3 releases L2HA device here is combination of RE3+SCB4+SPC3+IOC4.PR1670772
Flow-Based and Packet-Based Processing
-
IPSEC SA life-time kilobytes is not supported on PMI/PME datapath, when PMI is enabled globally, the rekey cannot be triggered based on life-time kilobytes.PR1669228
High Availability (HA) and Resiliency
-
Trigger: Perform ISSU from any release prior to 22.1 to 22.1 or above releases. This issue is applicable to all the platforms. Symptom: ISSU will be aborted / failed with the below warning. 'warn-message "ISSU is not supported for Clock Synchronization (SyncE)";''override'In '/var/tmp/paSBfY/etc/indb//config.indb' line 162included from '/var/tmp/paSBfY/etc/indb/issu.indb' line 10 'override' syntax errorISSU not supported as current image uses explicit tags for message structures\n PR1628172
Interfaces and Chassis
-
Traffic drop might be seen on irb interface on SRX1500 for network control forwarding class when verifying dscp classification based on single and multiple code-points. PR1611623
Platform and Infrastructure
-
In Mac-OS platforms when Juniper Secure Connect client connects successfully, the client is not getting minimized to tray icon and needs to be minimized manually.PR1525889
-
With Application-Based Multipath Routing enabled, HTTP sessions take approx 10 minutes to re-establish after a link flap between hub and spoke. PR1577021
-
With ssl-proxy configured along with web-proxy, the client session might not closed on the device even though proxy session ends gracefully. PR1580526
-
HA AP mode on-box logging in LSYS and Tenant, Intermittently Security log contents of binary log file in LSYS are not as expected PR1587360
-
Trigger: On SRX platform, perform ISSU from any release prior to 22.1 to 22.1 or above releases. Symptom: ISSU will be aborted / failed with the below warning. 'warn-message "ISSU is not supported for Clock Synchronization (SyncE)";''override'In '/var/tmp/paSBfY/etc/indb//config.indb' line 162included from '/var/tmp/paSBfY/etc/indb/issu.indb' line 10 'override' syntax errorISSU not supported as current image uses explicit tags for message structures\n PR1632810
-
SMTPS sessions are not getting identified when traffic is sent from IXIA (BPS) profile. PR1635929
-
On SRX5k and MX240/MX480/MX960 platforms,when device is powered on with multiple line cards, power might not be sufficient and few line cards fail to come into online state.PR1645817
-
The SKYATP:IMAP/IMAPS Email permitted counter may have incorrect value under certain conditions.PR1646661
-
Firewall-authentication with user-firewall based RADIUS access has syslog missing the username and rule.PR1654842
-
SRX cli command to show fwauth user details like "show security firewall-authentication users identifier 1" and "show security firewall-authentication users address 10.1.1.1" does not display user's group information.PR1659115
-
SRX CLI command to show auth entry user detail "show services user-identification authentication-table ip-address" is failing when auth entry boundary testing with auth entry containing maximum length group-name and resource-group-name is used.PR1665691
-
On SRX4600 platform, when using a cluster-id of 16 or higher post cluster node reboot, the fabric link will stay monitored down.PR1684756
-
On SRX platform, when event mode logging is used without event-rate option, the logging rate was unexpectedly set to 100 although the default event rate is 1500PR1687244
Unified Threat Management (UTM)
-
If only EWF is configured, there can be a performance impact due to JDPI parsing overhead. In such case, to recover the performance, Web Filter can be configured in performance mode using the following CLI command: set security utm default-configuration web-filtering performance-modePR1653793
User Interface and Configuration
-
Please use "load update" instead of "load override" to prevent the error messages PR1630315
VPNs
-
On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334
-
In some scenario(e.g configuring firewall filter) sometimes srx5K might show obsolete IPsec SA and NHTB entry even when the peer tear down the tunnel. PR1432925
-
Tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393