Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Resolved Issues: 21.1R1

Chassis Clustering

  • Disabled node on SRX cluster sent out ARP request packets. PR1548173

  • SPU process stop might be seen under a GPRS tunneling protocol scenario. PR1559802

Flow-Based and Packet-Based Processing

  • When no logical system or tenant system flow trace is configured and no root-override is configured, the latest behavior is to not log any flow trace for that logical system or tenant system, instead of dumping all to root flow trace as before. PR1530904

  • THR capacity update on SRX Series devices. PR1538058

  • The rst-invalidate-session command does not work if configured together with the no-sequence-check command. PR1541954

  • Application fragmented traffic might get dropped on SRX Series devices. PR1543044

  • Instability with RGs on cluster. PR1550637

  • Adjust the default route change timeout value. PR1553621

  • The usp_max_tcplib_connection is not expected on SRX1500, SRX4100, and SRX4200 devices. PR1563881

General Routing

  • On the SRX1500 device, the traffic rate shown in the CLI command is not accurate. PR1527511

  • The MAC table is null in Layer 2 mode after one pass-through session is created successfully. PR1528286

  • The firewall filter SA and DA tags are not in the log messages as expected in port details. PR1539338

  • Packet drop might be seen when a packet with destination port 0 is received on the SRX380 device. PR1540414

  • Tail drops might occur on SRX Series devices if shaping-rate is configured on lt- interface. PR1542931

  • The nsd process might stop when DNS-based allowlisting is configured under SSL proxy. PR1542942

  • The Wi-Fi Mini-Physical Interface Module (Mini-PIM) does not support pure g mode with 2.4-GHz radio. PR1543824

  • The output of the show services application-identification group detail command incorrectly included Micro-Applications (Micro-Apps) in the output of every group. PR1544727

  • On SRX4100 and SRX4200 devices, if PEM0 is removed, the output of jnxOperatingDescr.2 might be incomplete. PR1547053

  • Advanced anti-malware file or e-mail statistics does not get incremented with the latest PB version. PR1547094

  • Continuous "LCC: ch_cluster_lcc_set_context:564: failed to lock chassis_vmx mutex 11" chassisd logs generated. PR1547953

  • Lcmd log "gw_cb_presence:136: PEM(slot = 0): error detecting presence ( fruid = 15, drv_id = 30, status = -11 )" generated every second on the SRX4100 and SRX4200. PR1550249

  • On SRX1500, SRX-SFP-1GE-T (Part#740-013111) for a copper cable might be corrupted after reboot. PR1552820

  • The volume displayed in traffic map are redefined. PR1553066

  • The speed mismatch error is seen while trying to commit reth0 with gigether-options. PR1553888

  • An IPFD core file might be generated when using Adaptive Threat Profiling. PR1554556

  • On an SRX550M device, the dumpdisklabel command fails with message "ERROR: Unknown platform srx550m." PR1557311

  • AppID's Unknown Packet Capture utility does not function on SRX Series devices when enhanced-services mode is enabled. PR1558812

  • The show security log report top session-close group-by application order-by risk top-number 8 where-application-risk high xml encapsulation structure changed and caused script fail. PR1559013

  • The show security log report top idp group-by threat-severity order-by count top-number 5 where-attack command display will change the idp reporting to match the threat-severity in idp log.. PR1560027

  • High CPU usage on pkid process might be seen when the device is unable to connect to a particular CRL URL. PR1560374

  • The DNS commands may not be executed and also any new configuration may not take effect on connecting the SRX Series device to Juniper ATP Cloud. PR1561169

  • There is an idpd core file at ../../../../../../../src/junos/secure/usr.sbin/idp-confd/idpd_lsys.c:771. PR1561298

  • When multiple IRB interfaces belong to the same VRRP group ID, if one of IRB intefaces goes down, it causes disruption in traffic going through another IRB interface. PR1572920

Interfaces and Chassis

  • When SRX Series devices receive proxy ARP requests on VRRP interfaces, the devices send ARP replies with the underlying interface MAC address. PR1526851

  • Backup Routing Engine or backup node may be stuck in bad status with an improper backup-router configuration. PR1530935

Intrusion Detection and Prevention (IDP)

  • The greater than or less than symbols are allowed for age-of-attack filter of dynamic attack group configuration. The age-of-attack field in signatures will be changed to CVE dates from activation dates.


  • The flowd or srxpfe process might generate core files during the idpd process commit on SRX Series devices. PR1521682

  • IDP now supports the ability to create dynamic-attack-groups based on attack-prefix wildcards. For example, you can include all of the Metasploit-based scans by applying this filter to a dynamic-attack-group: set attack-prefix values SCAN:METASPLOIT:*. PR1537195

  • SOF support for partial packet plugins on traditional or unified policy. PR1542497

  • Need syslog to indicate signature download completion. PR1543571

  • IDP policy load might fail post image upgrade for Junos OS Release 15.1X49 releases. PR1546542

  • The idpd process crashes and generates a core file. PR1547610


  • Sometimes, when you edit the local gateway in the remote access VPN workflow under VPN>IPsec VPN, J-web might not display one or more drop-down values. PR1521788

  • J-Web browser tab title to include product model name and hostname. PR1523760

  • J-Web GUI does not allow you to save the rules with more than 2500 cumulative shared objects. PR1540047

  • After commit pending changes message is shown, the contents of other messages, landing page, or pop-ups will not be visible completely. PR1554024

Layer 2 Ethernet Services

  • The RG1 interface failover occurs when RG0 failover is triggered. PR1366825

Platform and Infrastructure

  • Syslog reporting PFE_FLOWD_SELFPING_PACKET_LOSS: Traffic impact: Selfping packets loss/err: 300 within 600 second error messages in node 0 and node 1 control panel. PR1522130

  • The commit might not fail as expected when reth interface is deleted. PR1538273

Routing Policy and Firewall Filters

  • Traffic might be dropped unexpectedly when the url-category match condition is used on a security policy. PR1546120

  • Global policies working with multi-zones cause high Packet Forwarding Engine CPU utilization. PR1549366

  • Policy configured with the route-active-on condition may work incorrectly for local routes. PR1549592

  • NSD process stops when the secprofiling feed name is 64 bytes. PR1549676

  • The junos-defaults construct within a unified-policies application match criteria now restricts the ports and protocols of a flow on a per-dynamic-application basis. PR1551984

  • Unified policies in global zone contexts do not work when from-zone or to-zone is defined. PR1558009

  • On the SRX5000 line of devices, the secondary node might get stuck in performing ColdSync after a reboot or upgrade, or if ISSU is performed. PR1558382

  • The traffic may be dropped if you insert one global policy above others on SRX Series devices. PR1558827

Subscriber Access Management

  • Incorrect counter type (counter instead of gauge) specified for some values in MIB jnxUserAAAMib. PR1533900

Unified Threat Management (UTM)

  • Stream buffer memory leak might happen when UTM is configured under unified policies. PR1557278

  • UTM license expiry event lost may cause the device can't quit advance service mode and maximum-sessions decreased by half. PR1563874

User Interface and Configuration

  • The outbound-ssh routing-instance is shown as unsupported. PR1558808


  • The output of show security ipsec security-associations command might display empty space instead of keyword null for encryption algorithm. PR1507270

  • On all SRX Series devices using IPsec with NAT traversal, MTU size for the external interface might be changed after IPsec SA is reestablished. PR1530684

  • After IPsec tunnel using policy-based VPN is overwritten by another VPN client, traffic using this IPsec tunnel will be dropped. PR1546537

  • Traffic going through a policy-based IPsec tunnel might be dropped after RG0 failover. PR1550232

  • The iked process may crash with L3HA setup. PR1559121

  • The iked process might crash by operational commands on the SRX5000 line of devices with SRX5000-SPC3 card installed. PR1566649