
Open Issues

Learn about open issues in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Chassis Clustering

  • The 10G DAC cable is not supported on the CTL/FAB links in an SRX4100/4200 cluster setup. The Hardware Compatibility Tool (https://apps.juniper.net/hct/home/) reports the following 10G DAC cables as "supported", but CTL and FAB links are out of scope: SRX-SFP-10GE-DAC-1M and SRX-SFP-10GE-DAC-3M. PR1636365

  • In Z-mode configuration, the statistics of the backup session might sometimes be incorrect after failover from master to backup. PR1667098

  • After RG0 failover, node priorities are set to zero for both nodes with Relinquish monitoring failure. The expected behavior is that RG0 failover happens gracefully without node priority being disturbed. The issue is seen after an image upgrade followed by an RG0 failover to node1 and/or fallback to node0. The issue is seen on the latest 22.2R1.6 and 22.2R1.7 builds, and only when the HA link encryption feature is enabled to secure communication between the primary and backup nodes. The issue is not seen during fresh bring-up of an L2HA cluster, and it is not seen in 22.3 releases. The L2HA device here is a combination of RE3+SCB4+SPC3+IOC4. PR1670772

Flow-Based and Packet-Based Processing

  • For accelerated flows such as Express Path, the packet or byte counters in the session close log and show session output take into account only the values that accumulated while traversing the NP. PR1546430

  • IPsec SA lifetime in kilobytes is not supported on the PMI/PME datapath. When PMI is enabled globally, a rekey cannot be triggered based on lifetime kilobytes. PR1669228

General Routing

  • On vSRX, SRX1500, SRX4100 and SRX4200 devices, NTP synchronization may fail after some time. PR1331444

  • On macOS platforms, when the Juniper Secure Connect client connects successfully, the client is not minimized to the tray icon and must be minimized manually. PR1525889

  • IPsec rekey fails when the SRX is configured with a kilobyte-based lifetime in a remote access solution. PR1527384

  • With Application-Based Multipath Routing enabled, HTTP sessions take approximately 10 minutes to re-establish after a link flap between hub and spoke. PR1577021

  • With ssl-proxy configured along with web-proxy, the client session might not get closed on the device until session timeout, even though the proxy session ends gracefully. PR1580526

  • With HA AP mode on-box logging in LSYS and Tenant, the security log contents of the binary log file in LSYS are intermittently not as expected. PR1587360

  • Trigger: On SRX platforms, perform ISSU from any release prior to 22.1 to 22.1 or later releases. Symptom: ISSU is aborted or fails with the following warning:

      'warn-message "ISSU is not supported for Clock Synchronization (SyncE)";'
      'override'
      In '/var/tmp/paSBfY/etc/indb//config.indb' line 162
      included from '/var/tmp/paSBfY/etc/indb/issu.indb' line 10
      'override' syntax error
      ISSU not supported as current image uses explicit tags for message structures\n

    PR1632810

  • SMTPS sessions are not getting identified when traffic is sent from IXIA (BPS) profile. PR1635929

  • With firewall authentication using user-firewall-based RADIUS access, the syslog is missing the username and rule. PR1654842

  • SRX CLI commands that show fwauth user details, such as "show security firewall-authentication users identifier 1" and "show security firewall-authentication users address 10.1.1.1", do not display the user's group information. PR1659115

  • The device does not drop a session with a server certificate chain of more than 6. PR1663062

  • FIPS mode is not supported in this release for SRXSME devices. PR1697999

High Availability (HA) and Resiliency

  • Trigger: Perform ISSU from any release prior to 22.1 to 22.1 or later releases. This issue is applicable to all platforms. Symptom: ISSU is aborted or fails with the following warning:

      'warn-message "ISSU is not supported for Clock Synchronization (SyncE)";'
      'override'
      In '/var/tmp/paSBfY/etc/indb//config.indb' line 162
      included from '/var/tmp/paSBfY/etc/indb/issu.indb' line 10
      'override' syntax error
      ISSU not supported as current image uses explicit tags for message structures\n

    PR1628172

Interfaces and Chassis

  • Traffic drop might be seen on the IRB interface on SRX1500 for the network control forwarding class when verifying DSCP classification based on single and multiple code points. PR1611623

J-Web

  • On SRX Series platforms, when an address-book entry is added or removed through J-Web, "address-book address-book name attach zone" might be unexpectedly removed at configuration commit. PR1712454

Network Management and Monitoring

  • Syslog messages might not be sent out through the configured source address when the target host exists in a custom routing instance. PR1689661

Platform and Infrastructure

  • On SRX5K and MX240/MX480/MX960 platforms, when the device is powered on with multiple line cards, power might not be sufficient and a few line cards fail to come online. PR1645817

Unified Threat Management (UTM)

  • If only EWF is configured, there can be a performance impact due to JDPI parsing overhead. In that case, to recover the performance, Web Filter can be configured in performance mode using the following CLI command:

      set security utm default-configuration web-filtering performance-mode

    PR1653793

User Interface and Configuration

  • Use "load update" instead of "load override" to prevent the error messages. PR1630315

VPNs

  • Tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393

  • When this command is added for the first time, the existing active connections are not changed; only new connections established after the command take effect. PR1608715

  • Sometimes after a manual failover, IKE-SA rekey does not succeed. To recover from this scenario, enable dead-peer-detection with always-send. PR1690921

  • On SRX5K platforms with the SPC3 card, the IPsec (Internet Protocol Security) tunnels do not get established after the tunnels are deleted using the command 'clear security ike sa'. PR1694604