Open Issues

Learn about open issues in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Chassis Clustering

  • On all SRX platforms configured with Multi-Node High Availability (MNHA), a failover event triggered by ICL (Inter-Chassis) link flapping results in session state inconsistency between the nodes. During the failover, both nodes temporarily assume an Active-Active role, causing the backup node to incorrectly display a majority of sessions as active. This behavior leads to disruption of existing TCP and UDP sessions because the firewall fails to maintain correct session state during the transition. PR1888480

Content Security

  • Avira is not supported for SRX4700 in 24.4R1-S2. PR1851627

General Routing

  • Multiple vulnerabilities have been resolved in MQTT (Message Queuing Telemetry Transport) included with Junos by fixing vulnerabilities found during external security research. Please refer to https://supportportal.juniper.net/JSA71655 for more information. PR1651519

  • Right after one of the SRX4600 devices in an HA setup is rebooted, the CTL link might stay down. PR1802158

  • An Improper Resource Shutdown or Release vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series with MS-MPC allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). Please refer to https://supportportal.juniper.net/JSA100088 for more information. PR1806872

  • On SRX4600 platforms, if a few high-priority queues handle excessive traffic, those queues can become stuck, leading to packet drops. PR1823577

  • On SRX5400/SRX5600/SRX5800 with SPC3, if file-serialization is enabled (default in releases after 24.4R1), the flowd process will miss heartbeat messages during interface failover. This results in service disruption. PR1837905

  • On SRX3xx series devices configured with native-vlan-id, after an upgrade to Junos version 23.4R1 or higher, the native-vlan-id option disappears from the interface settings. If native-vlan-id was set before the upgrade, the device keeps the setting but doesn't apply it to the interface. Trying to delete native-vlan-id causes a syntax error. The native-vlan-id feature doesn't work, and if a custom VLAN ID (other than 1) was used, then traffic for that VLAN will be affected. PR1847366

  • On all SRX platforms, the "show security firewall-authentication users all-logical-systems-tenants" and "show security firewall-authentication history all-logical-systems-tenants" commands show null output for the all-logical-systems-tenants filter. PR1849954

  • On all SRX platforms, the XML tag naming in the advance-policy-based-routing configuration is corrected: the XML tag is changed from 'policy' to 'from-zone' for consistency, and the YANG format is corrected (backward compatible). This affects the CLI configuration XML display output. PR1880740

  • When AE interfaces (member links) are configured with MACsec, the MKA session establishes successfully when the default standard MAC address is used. However, when a custom unicast MAC address is configured, the MKA session does not come up. This is not a common use case, but the workaround is to allow the MKA session to operate with the default MAC address instead of a custom unicast MAC address. PR1909930

Network Management and Monitoring

  • This issue is related only to user-defined routing instances. In this case, the DUT is connected to two remote servers through the same routing instance. When the route for this connection is deleted and added back from the server side, stale connections are seen. This is because when the routes are deleted, the connections in SYN_SENT state are not acknowledged, but the application closes the socket. When the routes are added again, the application creates new sockets and connects to the remote server; at the same time, the previous SYN_SENT connection is acknowledged and moves to the ESTABLISHED state. This causes stale connections. There is no impact on functionality. The issue is seen only on the Junos platform and only for user-defined routing instances. The infrastructure code needs to be changed to handle socket close error conditions, which requires more code churn, time, and thorough testing. PR1825311

Platform and Infrastructure

  • An Authentication Bypass by Spoofing vulnerability in the RADIUS protocol of Juniper Networks Junos OS and Junos OS Evolved platforms allows an on-path attacker between a RADIUS server and a RADIUS client to bypass authentication when RADIUS authentication is in use. Please refer to https://supportportal.juniper.net/JSA88210 for more information. PR1850776