Open Issues

Learn about open issues in this release for SRX Series Firewall.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Chassis Clustering

  • When the restart chassis-control command is issued on SRX4200/SRX4700/SRX5k, the BFD ICL will flap. PR1789245

Content Security

  • Avira is not supported for SRX4700 in 24.4R1-S2. PR1851627

Flow-Based and Packet-Based Processing

  • On all SRX platforms, if IPv6 traffic passes over a GREoIPSec tunnel and IPv4 traffic passes over the same IPSec tunnel, the path MTU of the sessions gradually decreases, which might result in traffic drops and a core dump. PR1876536

General Routing

  • Additional logging has been added to the primary Routing Engine. This helps narrow down an issue in which the chassisd process restarted unexpectedly at the snmp_init_oids() function on the primary Routing Engine while booting up. PR1787608

  • Right after one of the SRX4600 devices in an HA setup is rebooted, the CTL link might stay down. PR1802158

  • An Improper Resource Shutdown or Release vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series with MS-MPC allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). Please refer to https://supportportal.juniper.net/JSA100088 for more information. PR1806872

  • On Junos SRX4100/SRX4200 platforms, starting and then stopping "monitor traffic interface" or "tcpdump" causes VLAN-tagged traffic to be dropped. While "monitor traffic interface" or "tcpdump" is still running, traffic functions properly, but traffic stops flowing when the capture is stopped. This issue occurs only on vlan-tagged interfaces. PR1808353

  • On Junos SRX5600 and vSRX3 platforms, while upgrading from an older Junos version to 22.4R3-S1 or 22.4R3-S2, the upgrade process can fail because rpd crashes as part of the validation process. This is seen if the router configuration has Multicast/Internet Group Management Protocol (IGMP) or Broadband Edge configuration. PR1810817

  • MACSec is supported in routing mode but not in transparent mode. PR1812427

  • On all SRX platforms except SRX5k series platforms, when Secure or Explicit Web Proxy is configured, the flowd process crashes due to a race condition, causing a traffic outage. PR1813355

  • On the SRX1500 platform, large IP packets of size 1470 bytes or larger may be dropped when using ethernet-switching and trunk ports. PR1813536

  • As per the OpenSSH 9.0/9.0p1 release notes: "This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default." Because this release runs OpenSSH 9.0 or later (OpenSSH_9.7p1), the SFTP protocol is used by default when the scp command is invoked from the shell. However, vSRX3.0 supports the SCP protocol by default when the scp command is invoked. To use the legacy SCP protocol from the shell, use the -O command-line option. For example: scp -O other options arguments. Note: Incoming SCP connections from outside hosts that are running OpenSSH version 9.0/9.0p1 could fail because sftp-server is disabled by default in Junos OS. Users should therefore either use the -O option on the remote host when initiating the scp file transfer or enable sftp-server in the Juniper configuration. To enable sftp-server in the Juniper configuration, use the following hierarchy: "set system services ssh sftp-server". PR1827152

  • On Junos SRX1600, SRX2300 and SRX4300 platforms, when MVRP (Multiple VLAN Registration Protocol) is enabled and static VLANs are also present, dynamic VLAN learning and assignment doesn't work, resulting in traffic loss for the impacted VLANs. This issue is observed only when the interface is converted into routing mode and rolled back to switching mode without a reboot. PR1839275

  • On SRX3xx series devices configured with native-vlan-id, after upgrading to Junos version 23.4R1 or higher, the native-vlan-id option disappears from the interface settings. If native-vlan-id was set before the upgrade, the device keeps the setting but doesn't apply it to the interface. Trying to delete native-vlan-id causes a syntax error. The native-vlan-id feature doesn't work, and if a custom VLAN ID (other than 1) was used, traffic for that VLAN will be affected. PR1847366

  • On SRX and MX platforms, a rarely occurring issue causes a sudden reboot of the SPC3 (Services Processing Card) in use, leading to packet loss while the card is offline during the reboot process. PR1857890

Network Address Translation (NAT)

  • The existing RSI is missing some important information from the NAT plugin, which can now be collected with a new RSI CLI command: "request support information security-components nat". This provides more data and helps with debugging. PR1825372

Platform and Infrastructure

  • On SRX5400/SRX5600/SRX5800 platforms, if vmcore is initiated for the XLP PIC (Extreme Low Power Peripheral Interface Controller), the vmcore process crashes. PR1811765

  • An Authentication Bypass by Spoofing vulnerability in the RADIUS protocol of Juniper Networks Junos OS and Junos OS Evolved platforms allows an on-path attacker between a RADIUS server and a RADIUS client to bypass authentication when RADIUS authentication is in use. Please refer to https://supportportal.juniper.net/JSA88210 for more information. PR1850776

Services Applications

  • On an SRX5K HA cluster in FIPS mode, repeated manual failovers of redundancy groups can result in the SPC3 card, the IOC4 card, or both cards going offline. PR1797468

VPNs

  • On SRX5K platforms with SPC3 installed, IPSec (Internet Protocol Security) tunnels with iked that reuse the same IKE (Internet Key Exchange) gateway peer IP might be observed not re-establishing. PR1877966