Resolved Issues
The following are the issues that have been resolved in Junos OS Release 12.1X46 for Juniper Networks SRX Series Services Gateways. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.
Note: For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at https://www.juniper.net/prsearch.
Resolved Issues - 12.1X46-D65
Application Layer Gateways (ALGs)
- On SRX Series devices, a flowd process core dump caused by a null pointer resulting from an incorrect ALG map entry allocation has been fixed in Junos OS Releases 12.1X46-D65, 12.3X48-D45, and 15.1X49-D70. PR1234553
Authentication and Access Control
- On branch SRX Series devices with pass-through firewall authentication configured, when a firewall client accesses the destination server using an old browser (such as MS-IE4 or MS-IE5), the flowd process might crash while processing pass-through HTTP traffic that matches the firewall authentication policy. PR1203294
Chassis Cluster
- On SRX Series devices, when a firewall filter is applied to a GRE interface (gr-), the filter is applied only to packets transiting the interface and not to packets destined to the SRX Series device itself. This issue occurs only in chassis cluster (HA) mode; on standalone devices the filter works as expected. PR1182267
- On SRX Series devices in a chassis cluster with dual fabric links, one of the fabric links might be shown as down after an RG0 failover or a node reboot, even though fabric probes are present on the link. PR1207919
- On branch SRX Series devices, when an in-band cluster upgrade (ICU) is used to upgrade a chassis cluster, the downtime might be longer than the published value. This is caused by a timer issue when sending the GARP packets. PR1219788
Flow-based and Packet-based Processing
- On SRX200 devices, the flowd process might crash and generate a core dump after upgrading to Junos OS Release 12.1X46-D55 or later. PR1211282
Interfaces
- On SRX210 and SRX220 devices with a 1x Gigabit Ethernet high-performance SFP configured, traffic forwarding through the 1x GE High-Perf SFP stops. PR1222648
J-Web
- On SRX550M devices, the HA LED on the J-Web dashboard page shows the wrong color. PR1227908
- On SRX Series devices, the refresh button on the J-Web dashboard page does not work properly. PR1232076
Platform and Infrastructure
- On SRX Series devices, administrative users with restricted permissions are unable to roll back to a certain version. PR1206074
- On SRX Series devices, packets arriving on an MPLS LSP might be sent out of order after SRX processing. PR1213699
- On SRX Series devices, when the request system software command is used with the partition and validate options, the current configuration is not validated against the target Junos OS version as part of the upgrade process. PR1223443
Resolved Issues - 12.1X46-D60
Application Layer Gateways (ALGs)
- On branch SRX Series devices, the flowd process crashes and generates a core dump while processing MS-RPC or SUN-RPC traffic on the secondary node. PR1190929
- On SRX Series devices, the MS-RPC ALG cannot decrypt encrypted EPM messages (authentication level RPC_C_AUTHN_LEVEL_PKT_PRIVACY) and drops them. The new behavior bypasses such encrypted messages and generates a syslog message. PR1192477
- On branch SRX Series devices, when the RSH ALG is enabled manually and receives a message whose stderr port is 0, the RSH ALG drops the packets and does not open a gate for them. PR1196530
- On SRX Series devices, when the RSH ALG is enabled and an RSH client transfers a file to an RSH server, some of the last packets from the RSH server are not forwarded to the RSH client. PR1202773
Chassis Cluster
- On branch SRX Series devices in chassis cluster, when the 1-Port GE High-Perf SFP mPIM is used as the fabric port, the port is reported as up but traffic is not forwarded. PR1184731
- On branch SRX Series devices, in the output of the show chassis craft-interface node 0/1 command, the Front Panel HA Indicator field does not show the correct LED status. PR1189006
- On branch SRX Series devices in a chassis cluster, the fabric link flaps randomly after upgrading to Junos OS Release 12.1X46 or later. PR1197954
Flow-based and Packet-based Processing
- On branch SRX Series devices, when the RSH ALG is enabled and an RSH client transfers a file to an RSH server, some of the last packets from the RSH server are not forwarded to the RSH client. PR1202773
Interfaces and Routing
- On SRX210, SRX220, SRX240, and SRX650 devices, the flowd process might crash while configuring the 1x Gigabit Ethernet high-performance SFP Mini-PIM interface on the reth interface. PR1182981
Intrusion Detection and Prevention (IDP)
- On branch SRX Series devices, the flowd process might crash on both nodes after an IDP database update, causing traffic to be interrupted. PR1202319
J-Web
- On SRX Series devices, after J-Web is used, CPU utilization on the Routing Engine might stay high and not recover. PR1201267
- On branch SRX Series devices in a chassis cluster, J-Web does not show the correct chassis cluster status on the Monitor > System View > Cluster Status page. PR1208901
Platform and Infrastructure
- On branch SRX Series devices, when one or more J-Web sessions are established in the browser and the user navigates across different tabs, multiple PHP processes remain running. This causes high CPU usage on the Routing Engine. PR1186172
- On SRX Series devices, a vulnerability in IPv6 processing has been discovered that might allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the router rather than discarded. The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer might start dropping legitimate IPv6 neighbors as legitimate ND times out. Refer to JSA10749 for more information. PR1191838
- On branch SRX Series devices, packets arriving on an MPLS LSP might be sent out of order after SRX processing. PR1213699
Resolved Issues - 12.1X46-D55
Chassis Cluster
- On all SRX Series devices in chassis cluster mode, when a configuration change is made by issuing the commit confirmed command (the time parameter value can be between 1 and 65535) followed by the commit command on the primary node, the secondary node does not commit the change. PR1171366
Class of Service (CoS)
- On multithreaded SRX Series devices, when an interface goes down, a timing issue might occur in which one thread releases the interface resource (because the interface is down) while another thread still tries to access it, resulting in a flowd process crash. PR1148796
Flow-based and Packet-based Processing
- On branch SRX Series devices, in certain situations, flow sessions do not time out correctly. This leads to the flow session timeout being set to an abnormally high value and to an increasing number of invalidated sessions, which eventually causes the session table to become full. PR1110256
IP Monitoring
- On SRX240 devices, when you use the 1-Port GE High-Perf SFP Mini-PIM, the port is reported as up but traffic is not forwarded. PR1184731
Resolved Issues - 12.1X46-D50
Application Layer Gateways (ALGs)
- On all SRX Series devices with the MS-RPC ALG enabled, in a heavy MS-RPC traffic environment, ALG traffic might fail because the ASL groups are exhausted. PR1120757
- On all branch SRX Series devices in a chassis cluster, when SCCP traffic is processed by SCCP ALG, the flowd process might crash. PR1154987
Chassis Cluster
- On all SRX Series devices in chassis clusters, when you configure the MAC address on the reth interface using the set interfaces reth* mac * command, all reth member interfaces use the manually specified MAC address. When you use the deactivate interfaces reth* mac command, the reth interface changes to the default MAC address, but the reth member interfaces retain the manually specified MAC address. This causes traffic issues on the reth interface. PR1115275
- On all branch SRX Series devices in a chassis cluster, the Link Layer Discovery Protocol (LLDP) is not supported on reth interfaces. PR1146382
- On all branch SRX Series devices in a chassis cluster, if the control plane RG0 and data plane RG1+ fail over simultaneously, the reth interface on the new master node might send Generic Attribute Registration Protocol (GARP) packets with an unexpected delay of approximately 11 seconds. This causes a temporary traffic outage. PR1148248
General Routing
- On SRX Series devices configured as a DHCP server, the device does not send DHCP option 125 unless the DHCP client requests it. This behavior does not comply with the RFC definition: according to RFC 3925, the DHCP server should send option 125 without the client requesting it. PR1116940
Interfaces and Routing
- On branch SRX Series devices, if a configuration pertaining to a 3G interface is present but no 3G modem is connected to the device, Junos OS might try to access the 3G thread, and the device might crash when it cannot find that thread. PR1151904
- On SRX550 devices, some LLC frames might get dropped if they are received on a VPLS-enabled interface. PR1160561
Virtual Private Networks (VPNs)
- The vrf-table-label statement makes it possible to map the inner label to a specific virtual routing and forwarding (VRF) instance; this mapping allows examination of the encapsulated IP header at an egress VPN router. On all J Series and SRX Series devices, the vrf-table-label statement was supported only on physical interfaces. As requested, it is now also supported over aggregated interfaces. PR1131215
Resolved Issues - 12.1X46-D45
Application Layer Gateways (ALGs)
- On all SRX Series devices with the H.323 ALG enabled, if dual NAT (the packets in the same call receive different NAT rules bidirectionally) is enabled, then the destination NAT for the payload is skipped during ALG processing. For example, the address payload in the H.225 gatekeeper confirm packet is not translated by the H.323 ALG. PR1100638
- On all branch SRX Series devices with DNS proxy enabled, any configuration change related to the DNS service triggers a restart of the named process. Because of a timing issue, the configuration at the system services dns dns-proxy hierarchy might not be loaded after the named process restarts. PR1113056
Chassis Cluster
- On all branch SRX Series devices in a chassis cluster, the set protocols lldp interface all command configures LLDP on reth interfaces as well, even though LLDP is not supported on reth interfaces. PR1127960
Flow-Based and Packet-Based Processing
- On SRX240, SRX550, and SRX650 devices with integrated user firewall authentication configured, when you attempt to remove the user entry from the authentication table, the flowd process might crash. PR1078801
- On all branch SRX Series devices in a GRE over IPsec VPN scenario, if the VPN is deactivated on one side, the outgoing interface of the GRE session on the other side changes to the default route's outgoing interface and does not revert to the secure tunnel (st0) interface even after the VPN is reactivated. PR1113942
- On all J Series devices, in a rare condition, the system might access an invalid pointer during a forwarding table update, which results in a flowd process crash. PR1140188
J-Web
- On all branch SRX Series devices, when you add multiple address books in one commit using J-Web, if the name of a subsequently added address book matches a substring of the name of a previously added address book, the subsequently added address book is considered a duplicate of the previously added one. As a result, the subsequently added address book overwrites the previously added address book. PR1121743
- On all branch SRX Series devices, in the J-Web configuration pages, the statuses of the RSH ALG and the SQL ALG are incorrect and are inconsistent with the statuses shown by the CLI. PR1128789
Layer 2 Ethernet Services
- On all SRX Series devices, if the device acts as a DHCP server using the jdhcpd process (JDHCP) and the DHCP client sends a discover message containing a requested IP address, the authd process gives priority to the requested IP address when selecting a pool. If a DHCP pool shares the same subnet as the requested IP address but is not the pool expected for that client, the device assigns the client an IP address from the incorrect DHCP pool. PR1097909
- On all branch SRX Series devices, if both the DHCP client and the DHCP server (using the jdhcpd process) are enabled, changing DHCP-related configuration might cause the jdhcpd process to exit unexpectedly. PR1118286
Network Management and Monitoring
- On all SRX Series devices, when a point-to-multipoint (P2MP) VPN is used, static routes with a next-hop IP address in the st0.x subnet are incorrectly marked as active before the VPN tunnel is established. PR1042462
Platform and Infrastructure
- On all SRX Series devices, when SNMPv3 privacy and authentication passwords are set and updated, NSM fails to push the update to the device that is managed by NSM. PR1075802
- On all branch SRX Series devices, the configured real-time performance monitoring (RPM) next-hop metric value does not take effect. PR1087753
Switching
- On all branch SRX Series devices in a chassis cluster, if Ethernet switching is configured, because of a timing issue on the swfab interface initialization, the Layer 2 traffic might be dropped after a Redundancy Group 0 (RG0) failover. PR1103227
User Interface and Configuration
- On all SRX Series devices, when you commit the traffic selector (TS) configuration, it might fail and an ffp core file might be generated. PR1089676
Virtual Private Networks (VPNs)
- On all branch SRX Series devices, in group VPN setups, memory might leak in the gksd and gkmd processes. PR1098704
- On all branch SRX Series devices, IPsec VPN using ESP encapsulation over group VPN is not supported. As a result, the IPsec VPN traffic will be dropped as bad SPI packets in the group VPN. PR1102816
- On all branch SRX Series devices, if redundant VPN tunnels are set up to use two different external interfaces within two different IKE gateways to connect to the same VPN peer, and RPM is configured for route failover, and VPN monitoring is configured, the following scenario occurs: When the primary link is down, the VPN fails over to the secondary link as expected. However, when the primary link comes back up, VPN flapping might occur and there might be a delay in establishing the primary VPN tunnel. PR1109372
Resolved Issues - 12.1X46-D40
Application Layer Gateways (ALGs)
- On all branch SRX Series devices with NAT configured, when RAS or H.323 traffic at scale passes through the device and the device fails to perform NAT for that traffic, a memory overwrite occurs. As a result, the flowd process might crash. PR1084549
- On all SRX Series devices, if the RSH ALG is enabled, the device does not drop the packets that match the port range of the RSH ALG. PR1093558
Chassis Cluster
- On SRX550 and SRX650 devices, 20 to 40 percent traffic loss is seen on the port of the SRX-GP-2XE-SFP-PTX after changing the speed from 10 Gbps to 1 Gbps. This issue is seen in both fiber and copper mode. When you switch between fiber and copper mode on the port of the SRX-GP-2XE-SFP-PTX, the speed might vary within the configuration. PR1033369
- On SRX550 devices, if non-chassis-cluster traffic is received on the chassis cluster control port (fxp1), the traffic is incorrectly forwarded out of the fabric port (fab) and the management port (fxp0). PR1041085
- On all branch SRX Series devices in a chassis cluster, if sampling is configured with the input option on an interface, the non-first fragmented packets are dropped on the secondary node. This occurs when the fragmented packets enter the interface, traverse through the fabric interface, and finally are sent out through the secondary node (z mode). PR1054775
- On SRX100, SRX110, and SRX210 devices, when you use Sierra Wireless USB 3G modem to connect to the network, Junos Space (or other Network Management devices) might fail to discover the SRX Series devices. This is because the Sierra Wireless USB 3G modem generates a duplicate address that causes the failure. PR1070898
- On SRX650 Series devices, if the Copper SFP-T connector is inserted in 8-Port Gigabit Ethernet SFP XPIM (8xSFP GPIM), the link state might not come up. PR1074937
- On all branch SRX Series devices in a chassis cluster, the H.323 ALG might not work properly after the chassis cluster failover. This is because the ALG binding synchronization message fails to synchronize the secondary device. PR1082934
- On branch SRX Series devices, when one of the two possible power supplies (PS) is missing on an SRX650 device, no alarm is generated. In addition, the device checks whether either of the two power supplies is functioning correctly to produce the power supply status in the output of the show chassis craft-interface command; however, that status is shown as PS 0 instead of PS. PR1104842
Class of Service (CoS)
- On all branch SRX Series devices with CoS configured on a high-speed interface for multiple queues, if one queue is oversubscribed, the traffic on this queue is not dropped. However, traffic is dropped for other queues that have a specific bandwidth available. PR1068288
Dynamic Host Configuration Protocol (DHCP)
- On all branch SRX Series devices with a DHCPv6 client configured, when the device tries to obtain an IPv6 address through the DHCPv6 prefix delegation, the device forms an incorrect IPv6 address format. As a result, the IPv6 address allocation fails. PR1084269
Flow-Based and Packet-Based Processing
- On all branch SRX Series devices with IP-in-IP tunnel configured, due to incorrect configuration (routing loop caused by route change and so on), packets might be encapsulated by the IP-in-IP tunnel several times. As a result, packets are corrupted and the flowd process might crash. PR1055492
- On SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices, in a rare condition, the session might be doubly released by multiple threads during internal processing by the NAT module. As a result, the flowd process crashes. PR1058711
- On all branch SRX Series devices, IPv4 (169.254.0.0/16) and IPv6 (fe80::/10) link-local packets are dropped, and there is no configuration option to forward link-local packets instead. PR1078931
- On all branch SRX Series devices, if 1:1 sampling is configured for J-Flow and the device processes a high volume of traffic, a race condition of an infinite loop of J-Flow entry might be encountered. As a result, the flowd process crashes. PR1088476
- On all branch SRX Series devices, the inactivity-timeout value of the predefined junos-defaults applications cannot be changed, even when a value of approximately 10,000 is configured. PR1093629
- On all branch SRX Series devices, the maximum-sessions value is not displayed correctly. PR1094721
Infrastructure
- On all branch SRX Series devices with health monitor configured for routing-engine, the system health management process (syshmd) might crash due to a memory corruption in some rare conditions, such as in the scenario that concurrent conflicting manipulation of the file system occurs. PR1069868
Interfaces and Routing
- On all branch SRX Series devices, the 4G USB modem does not redial automatically while it is used to connect to the Internet. PR1040125
- On SRX550 and SRX650 devices, when you insert an SFP into a GPIM, the self-traffic is delayed while the chassis reads the SFP data. This might cause a flap for protocols with aggressive timers, such as BGP. PR1043983
- On all branch SRX Series devices, when the underlying interface of the PPPoE interface is a reth interface, there is a delay of 10 seconds in displaying the PPPoE interface information when you run the show interfaces pp*.* command. As a result, a slower response time for the SNMP command related to the PPPoE interface is also observed. PR1068025
- On all branch SRX Series devices, in the scenario of MPLS over GRE, the MPLS traffic might fail to pass through the GRE tunnel after a system reboot. PR1073733
- On all branch SRX Series devices, if an aggregated Ethernet interface (ae) is configured as a Layer 2 interface, traffic might only be forwarded on one child interface of the ae interface. PR1074097
- On all branch SRX Series devices, the flowd process might crash when the port of the Mini-Physical Interface Module (Mini-PIM) is enabled and configured as a trunk. PR1076843
- On all branch SRX Series devices, when you use UTF-8 encoding to generate the certificate with the certificate authority (CA), certificate validation fails. PR1079429
- On all SRX Series devices, the security policy scheduler fails to activate or deactivate policies when the daylight saving time (DST) change occurs. PR1080591
- On SRX550 and SRX650 devices, if a port of an 8-Port Gigabit Ethernet SFP XPIM card is set to the Ethernet switching family, locally generated packets might be dropped by the port. PR1082040
- On all branch SRX Series devices, all interfaces of the RG0 secondary node go down when the connection between the kernel of the primary node and the ksyncd of the secondary node fails. This occurs because of the memory leak in the shared-memory process (shm-rtsdbd). PR1084660
J-Web
- On all branch SRX Series devices, you cannot open the Edit Radio window in J-Web if wpa-enterprise is configured for a virtual access point. PR945039
- On all branch SRX Series devices, the packet capture function cannot be displayed through J-Web. However, the packet capture function can be disabled by using the CLI. PR1023944
- On all branch SRX Series devices, changing another ALG configuration through J-Web causes the IKE-ESG ALG configuration to be changed. PR1104346
- On all branch SRX Series devices, in J-Web, the default option under Security > Logging > Application tracking is selected. This causes application tracking to get enabled if any system log configuration is saved. PR1106629
Network Address Translation (NAT)
- On all branch SRX Series devices, when the NAT configuration changes are made, the flowd process might crash. As a result, the memory allocation is affected. PR1084907
- On all branch SRX Series devices, if the ALG entry timeout value is configured to be larger than the timer wheel's maximum timeout value (7200 seconds), the entry cannot be inserted into the timer wheel. As a result, an ALG persistent NAT binding leak occurs. PR1088539
- On all branch SRX Series devices, when domain names are used as a matching condition in security policies, the SRX Series device sends the DNS resolution request to the DNS server. If the DNS server is unreachable, the SRX Series device keeps resending the request to the DNS server. As a result, all file descriptors of the nsd process become exhausted. PR1089730
Platform and Infrastructure
- On all branch SRX Series devices, the secondary node in a chassis cluster environment might crash or go into DB mode, displaying the panic: rnh_index_alloc message. This issue is sometimes observed in a chassis cluster environment with a multipoint st0.x interface configured, when the tunnel interfaces flap because of the IPsec idle-timeout or IPsec vpn-monitor. PR1035779
- On SRX240 devices, after a system reboot, the link state of the VLAN interface might go down. PR1041761
- On all branch SRX Series devices, the u-boot update fails as a result of flash corruption. PR1071560
- On all branch SRX Series devices, if the destination interface and the next hop are configured for HTTP probes for real-time performance monitoring, the HTTP probes might not work. PR1086142
- On all branch SRX Series devices, the system log utility of the rtlogd process might crash when the WebTrends Enhanced Log File (WELF) format is configured for the security log. PR1086738
- On all branch SRX Series devices, upgrade to certain Junos OS versions might fail when a commit script is configured. PR1096576
Switching
- On all branch SRX Series devices, when you connect to the device through a wireless AP, the secure access port incorrectly allows access to MAC addresses that are not in the list of allowed MAC addresses. PR587163
Unified Threat Management (UTM)
- On all branch SRX Series devices with UTM Web filtering configured and if multiple websense-redirect profiles are configured with different Websense servers, only one Websense server is available and seen in the up state. PR1077779
Virtual Private Networks (VPNs)
- On all branch SRX Series devices with dynamic VPN configured, the KMD process restarts or crashes, causing an IP address leak on the dynamic VPN address pool. PR1063085
- On all branch SRX Series devices with IPsec VPN configured, the IPsec VPN tunnel might fail to be reestablished after recovery from tunnel flapping. This occurs because an old, invalid tunnel session still exists on the central point, so an attempt to create the new tunnel session fails. PR1070991
- On all SRX Series devices, the maximum number of characters allowed for an IKE policy name is limited to 31 bytes. Although you can configure more than 31 bytes by using the CLI, the bytes in excess of the limit are ignored on the data plane. PR1072958
- On all branch SRX Series devices with site-to-site IPsec VPN configured using IKEv2, if an active tunnel existed and the SRX Series device acted as the responder of IKEv2 negotiation, then the VPN peer initiating a duplicate IKEv2 Phase 2 negotiation request will cause the IPsec VPN tunnel to go to inactive state on the data plane side of the SRX Series device. PR1074418
- On all branch SRX Series devices with dynamic VPN configured, the key management process (KMD) might crash when an IKE payload with a different port number is received. PR1080326
- On all branch SRX Series devices with IPsec VPN configured, if the SRX Series device is the initiator and the peer is from another vendor, the Internet Key Exchange (IKE) tunnel negotiation might not come up under certain conditions. PR1085657
Resolved Issues - 12.1X46-D35
Application Identification
- On all branch SRX Series devices running Junos OS Release 12.1X46 and earlier, if application identification (AppID) is enabled, performance degradation is seen in comparison with devices running Junos OS Release 12.1X47-D10 and later. This is because the AppID function does not ignore the related sessions when AppID has reached the terminal state, and continues with the serialization processing for those sessions. It is important to note that Junos OS Release 12.1X47 and later releases use advanced AppID. PR1046509
Application Layer Gateways (ALGs)
- On all branch SRX Series devices (except SRX110) in a chassis cluster with TCP-based ALG enabled and the TCP keepalive mechanism used on the TCP server and client, after a data plane Redundancy Group (RG1+) failover, the keep-alive message causes the mbuf to be held by the ALG until the session timeout. As a result, a high mbuf usage alarm is generated. Application communication failure occurs due to lack of mbuf. PR1031910
- On all branch SRX Series devices with the SIP ALG and NAT enabled, if you place a call on hold or off hold many times, each time with different media ports, the resource in the call is used, resulting in one-way audio. Tearing down the call clears the resource, and following calls are not affected. PR1032528
- On all branch SRX Series devices (except SRX110) in a chassis cluster with the SCCP ALG enabled and if the SCCP state in use flag is not configured in the process of the SCCP call in the device, the related real-time object (RTO) hot synchronization might cause the flowd process to crash. PR1034722
- On all branch SRX Series devices with the MS-RPC ALG enabled, the flowd process might crash when the MS-RPC ALG processes the crafted ISystemActivator RemoteCreateInstance Response packets. PR1036574
- On all branch SRX Series devices with the SIP ALG and NAT enabled, the SIP ALG does not perform IP translation for retransmitted 183 Session Progress messages. In this scenario, the SIP call fails when the device receives the first 183 Session Progress message without SDP information but the retransmitted 183 Session Progress messages contain SDP information. PR1036650
- On all branch SRX Series devices, the DNS ALG does not terminate the session when a truncated DNS reply is received. Hence, the session remains up until the high timeout (10~50) is reached. PR1038800
- On all branch SRX Series devices, the SIP ALG code has been enhanced to support RFC 4566 regarding the order of SDP lines and to avoid cases in which NAT was not applied to the owner field (o= line) in some circumstances. PR1049469
- On all branch SRX Series devices with the MS-RPC ALG enabled, the flowd process might crash due to incorrect MS-RPC ALG parsing for the ISystemActivator RemoteCreateInstance Response packets. PR1066697
Authentication
- On all branch SRX Series devices with firewall authentication enabled, when a firewall authentication from an authenticated IP address for a new authentication fails, and then a pass-through firewall authentication tries this entry, the firewall authentication function accesses a freed memory, which results in a flowd process crash. PR1040214
Chassis Cluster
- On all branch SRX Series devices in chassis cluster mode, during control plane RG0 failover, a policy resynchronization operation compares the policy message between the Routing Engine and the Packet Forwarding Engine. However, some fields in the security policy data message are not processed. Data for unprocessed fields might be treated differently and cause the flowd process to crash. PR1040819
- On all branch SRX Series devices in a chassis cluster, if the switching fabric (swfab) interface is configured, the swfab interface incorrectly updates the state of the fabric (fab) interface. As a result, the fab interface might be stuck in the down state. PR1064005
Dynamic Host Configuration Protocol (DHCP)
- On all branch SRX Series devices configured as a DHCP server (using the jdhcpd process), when the DHCP server gets a new request from a client and applies an IP address from the authentication process (authd), the jdhcpd process communicates with authd process twice as expected (once for the DHCP discovery message and once for the DHCP request message). If the authentication fails in the first message, the authd process will indefinitely wait for the second authentication request. However, the jdhcpd process never sends the second request, because the process detects that the first authentication did not occur. This causes memory leak on the authd process, and the memory might get exhausted, generating a core file and preventing DHCP server service. High CPU usage on the Routing Engine might also be observed. PR1042818
Flow-Based and Packet-Based Processing
- On all branch SRX Series devices, when a composite next hop is used, an RSVP session flap might cause an interface state (ifstate) mismatch between the master Routing Engine and the backup Routing Engine, leading to a kernel crash on the master Routing Engine. PR905317
- On all branch SRX Series devices with IDP configured, in rare cases, where the device runs out of memory, the flowd process might crash if shell code detection occurs. PR985139
- On all branch SRX Series devices, when you configure http-get RPM probes to measure the website response, the probes might fail because the HTTP server might incorrectly interpret the request coming from the device. PR1001813
- On all branch SRX Series devices, IPsec tunnel reconnection might cause a memory leak. PR1002738
- On all multithread-based branch SRX Series devices (SRX240, SRX550, and SRX650), if IDP, AppSecure, ALG, GTP, or SCTP (features that require serialized flow processing) is enabled, two flow threads might work on the same session at the same time during serialized flow processing. This might cause memory corruption and result in a flowd process crash. PR1026692
- On all branch SRX Series devices, when you enable flexible-vlan-tagging, the return traffic might be dropped on the tagged interface with the following message: "packet dropped, pak dropped due to invalid l2 broadcast/multicast addr". PR1034602
- On all branch SRX Series devices in a chassis cluster Z mode, if static NAT or destination NAT is configured, and in the NAT rule, the IP address of the incoming interface is used as a matching condition of the destination address (for example, set security nat static <rule-set-name> rule <rule-name> match destination-address <use the IP address of incoming interface>), then the traffic matching the NAT rule is discarded. PR1040185
- On all branch SRX Series devices with GRE tunnel configured, the carrier interface of GRE tunnel is not updated when a more accurate and new route to the tunnel destination address is added, which might cause traffic loss in some scenarios. PR1040666
- On all branch SRX Series devices, after IDP drop action is performed on a TCP session, the TCP session timeout is not accurate. PR1052744
- On all branch SRX Series devices running Junos OS Release 12.3X48-D10 or later, with enhanced Web filtering configured, the connection to the Websense ThreatSeeker Intelligence Cloud might time out if strict-syn-check is enabled under the [security flow tcp-session] hierarchy. PR1061064
- On SRX550 devices, traffic processed by the serialization process is dropped when the maximum limit of serialization sessions (32,000) is exceeded. As a result, advanced services such as IDP, ALG, and AppSecure are impacted. PR1061524
Hardware
- On all branch SRX Series devices, the message "twsi0: Device timeout on unit 1" fills the console on soft reboot. PR1050215
Interfaces and Routing
- On all branch SRX Series devices, the clear security dns-cache command is extended to resolve all DNS entries immediately. Similarly, the security policies containing DNS names are updated immediately to use the refreshed IP addresses after the FQDN addresses are resolved. PR970235
- On SRX100H2, SRX110H2, SRX210H2, SRX220H2, and SRX240H2 devices, when you enable VLAN tagging on interfaces and commit the configuration, the interface speed and duplex mode settings might cause the interface to stop processing traffic. PR1003423
- On SRX240, SRX550, and SRX650 devices, a delay of several seconds (maximum 4 seconds) might occur to detect that the link is down. PR1008324
- On all branch SRX Series devices configured as a CHAP authentication client, in a PPPoE over ATM LLC encapsulation scenario, the connection might not be established because of an incorrect sequence of messages being exchanged with the second LNS. PR1027305
- On all branch SRX Series devices, the commit synchronize command fails because the kernel socket gets stuck. PR1027898
- On all branch SRX Series devices, multiple CoS rewrite rules are applied to a single interface where only one rewrite rule is allowed. PR1034173
- On all branch SRX Series devices in a chassis cluster with PPPoE configured on a redundant Ethernet (reth) interface, when both nodes reboot, the PPPoE interface (pp0.x) sometimes is not prepared, despite the PPPoE session being up. PR1050264
- On all branch SRX Series devices with PPPoE configured, when PPPoE fails to authenticate, the software next-hop entry will leak in the data plane, gradually consuming all 64,000 software next-hop entries. When the software next-hop table is full, the following next-hop error pops up: RT_PFE: NH IPC op 2 (CHANGE NEXTHOP) failed, err 6 (No Memory) peer_class 0, peer_index 0 peer_type 10. PR1055882
- On all branch SRX Series devices, the very-high-bit-rate digital subscriber line (VDSL) firmware upgrade fails due to a permission issue, and the error message No applicable firmware present is displayed. PR1066032
Installation and Upgrade
- On SRX650 devices, if the u-boot revision is 2.5 or later, installing the Junos OS release image from TFTP in loader mode fails. PR1016954
Intrusion Detection and Prevention (IDP)
- On SRX210 and SRX220 devices, due to memory constraints, the combination of large IDP policies (that is, IDP_Default) along with express antivirus (EAV) might not compile successfully. PR974851
- On all branch SRX Series devices, when IDP and Express Antivirus (EAV) are configured under very high stress, a core dump might occur while processing application traffic. PR1019401
J-Web
- On all branch SRX Series devices, J-Web sets a limitation on the size of the configuration fetched from a device to avoid memory exhaustion. When the configuration size exceeds this limitation, J-Web fails to load the configuration on Junos OS Release 12.3X48-D10. PR1037073
- On all branch SRX Series devices, J-Web does not display all the member link interfaces for aggregate Ethernet (ae) interface. PR1038850
- On all branch SRX Series devices, security policy log or security policy count is not displayed when the match condition is RT_FLOW_SESSION. PR1056947
- On all branch SRX Series devices, when you use configuration encryption, the missing rescue configuration alarm is set even when there is a saved rescue configuration. PR1057473
- On all branch SRX Series devices, if a security policy contains a tcp-options statement, modifying this security policy by using J-Web results in the loss of the tcp-options statement. This is because the tcp-options configuration is missing in the J-Web security policy configuration. PR1063593
Network Address Translation (NAT)
- On all branch SRX Series devices with persistent NAT enabled, if an invalid flow with the protocol value 0 creates a persistent NAT entry, then this persistent NAT entry is not cleared even when the invalid session is cleared. PR935325
Platform and Infrastructure
- On all branch SRX Series devices, after enabling IEEE 802.1X, the connected devices on some ports might fail to be authenticated. This is because MAC authentication requests might get stuck in the eswd process; therefore the issue might be seen on certain random ports rather than on all ports. PR1042294
- On all branch SRX Series devices, the configurations of group junos-defaults are lost after a configuration roll back. As a result, the commit command fails. PR1052925
- On SRX100 devices, when you run the show snmp mib walk jnxMibs command, the chassisd log repeatedly generates the message "fru is present: out of range slot -1 for FAN". PR1062406
- On all branch SRX Series devices, the log displays the message "/kernel: veriexec: fingerprint for dev". This is a cosmetic issue. PR1064166
- On SRX100 devices, when the device is configured as an authentication enforcer of 802.1x, authentication from certain special supplicants might fail. This is because the software engine that processes the next-hops in the device incorrectly processes the packet coming from the supplicant with a special source MAC address. As a result, the packets are dropped. PR1067588
Security Policy
- On all branch SRX Series devices, when two security policies are combined and the whole address space is used, then the secondary security policy might fail to evaluate traffic. PR1052426
- On all branch SRX Series devices, changing a dynamic address of a security policy might cause its dynamic address identification to be mismatched between the Routing Engine and the Packet Forwarding Engine due to the difference between the new and the old configuration being ignored. PR1061253
Unified Threat Management (UTM)
- On all branch SRX Series devices, when UTM Sophos antivirus is enabled and a file that is not supported by Sophos antivirus is transferred through SMTP, the device might not be able to handle the last packet, and mail will be on hold. When packets are later sent on this session, the packet that was on hold will be handled by the device and the system will return to normal state. PR1049506
- On all branch SRX Series devices, if the name server is configured and the interface pointing to the name server is down, in a rare condition, the flowd process might crash due to a UTM internal function even though UTM is not configured. PR1066510
Virtual Private Networks (VPNs)
- On SRX240, SRX550, and SRX650 devices with IPsec VPN configured using IKE version 1, the device can hold only two pairs of IPsec security associations (SAs) per tunnel. When the third IPsec SA rekey occurs, the oldest IPsec SA is deleted. Due to this mechanism, a looping of IPsec SA rekey might occur. For example, when a VPN peer contains incorrect configuration that has more than two proxy IDs matching only one proxy ID on a device, the rekey looping issue might cause the flowd process to crash on multiple thread-based SRX Series devices. PR996429
- On all branch SRX Series devices, in a hub-and-spoke IPsec VPN scenario, on the hub site, when committing the static NHTBs on the multipoint secure tunnel (st0) interface, the VPN routes might become active even though the VPN tunnel is down. This issue also occurs when the system reboots with static NHTBs and the related static routes configured. PR1007235
- On all branch SRX Series devices, in group VPN setups, all the already registered members might suddenly disappear from the key server due to memory leak. PR1023940
- On all branch SRX Series devices, when IPsec VPN is enabled using IKE version 2 and a distinguished name is used to verify the IKE version 2 Phase 1 remote identity, a remote peer initiates IKE version 2 Phase 1 security association (SA) renegotiation (SRX Series devices work as responders), the new negotiated VPN tunnel might stay in "inactive" state on the data plane, causing IPsec VPN traffic loss. PR1028949
- On all branch SRX Series devices, the block size for Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) has been reduced from 8 to 4. Block size 8 is used for connecting to other SRX Series devices, and block size 4 is interoperable with systems from Cisco, strongSwan, and other companies. When you set the correct block size 4 for AES-GCM, it causes a problem when connecting to previous releases of Junos OS for SRX Series devices. The problem affects certain packet sizes, so it might appear to work for some traffic, such as ping, but not for other traffic. In a hub-and-spoke configuration, the upgrade causes problems with tunnels to all spokes until they are upgraded. PR1037432
- On all branch SRX Series devices, when a primary IP address of an interface changes, some IPsec tunnels terminated on that interface might go down. PR1044620
- On all branch SRX Series devices configured with a large number of IPsec VPN tunnels, in a very rare condition, if VPN monitoring is enabled, the kmd process might crash when you delete the partial VPN tunnels. PR1044660
Resolved Issues - 12.1X46-D30
Application Layer Gateways (ALGs)
- On all branch SRX Series devices with SIP ALG enabled, when either retain-hold-resource and NAT are configured or retransmission of 183 session progress messages with SDP occurs (the first transmission did not have SDP), the SIP ALG incorrectly changes the IP address that is embedded inside the media payload to zero, causing a call failure. PR1016969
- On all branch SRX Series devices, in certain situations, the H.323 ALG incorrectly handles translation because the stored position is not initialized properly. As a result, H.323 endpoints registration failure and call failure occur. PR1023528
Chassis Cluster
- On all branch SRX Series devices in a chassis cluster, the security zone is not populated properly on the J-Web interface port configuration page. PR859200
- On all branch SRX Series devices, in dual fabric link chassis clusters, when the control link and one fabric link go down, the chassis cluster goes into a split brain condition in which both nodes become primary. With one fabric link up, the secondary node of the chassis cluster goes into an ineligible state and then into the disabled state. PR989548
- On SRX100, SRX110, and SRX210 devices, no events are displayed when the temperature of the chassis exceeds the thermal threshold value. PR999888
- On all branch SRX Series devices configured in a chassis cluster, VLAN interfaces on the primary node might flap or become down. PR1001162
- On all branch SRX Series devices in a chassis cluster, when the “switch to L2 mode” button is pressed in J-Web, it does not ask for any confirmation and converts to transparent mode immediately and reboots the device. PR1007740
Command Line Interface (CLI)
- On all branch SRX Series devices, the Network Security Daemon (NSD) process might crash, causing the show security match-policies command to generate multiple core files. This occurs because the policy database is not synchronized between the Routing Engine and the Packet Forwarding Engine. PR1003099
- On all branch SRX Series devices, CLI auto-completion does not work for any keywords after the set system login class <name> permissions command. PR1032498
Dynamic Host Configuration Protocol (DHCP)
- On all branch SRX Series devices, if the DHCPv6 client is configured for the PPPoE interface and the pp0 interface is disabled and again enabled, the pp0 interface does not acquire the IPv6 address from the DHCPv6 server. PR998712
- On all branch SRX Series devices, in DHCP requests, the IP TTL value is set to 1 and the DHCP option 12 is missing. PR1011406
- When a branch SRX Series device is configured as a DHCP server (using JDHCP), despite the next-server (siaddr) and tftp boot-server options being explicitly configured, the siaddr and tftp boot server are set to 0.0.0.0 in DHCP reply packets. PR1034735
Flow and Processing
- On all branch SRX Series devices, under certain conditions, the creation of a multicast leaf session might result in an invalid multicast next hop, which crashes the flow module. PR921438
- On all branch SRX Series devices, the temporary flowd process crashes while you run the get-software-information level=detail command using a NETCONF client. This type of flowd crash is harmless. PR937450
- On all branch SRX Series devices, CoS buffer sizes are not recalculated after you delete the interface units. This might result in suboptimal CoS behavior. PR953924
- On SRX240, SRX550, and SRX650 devices, in multithreaded, mixed traffic (TCP or UDP) environments, packets might go out of order or get dropped by the device. PR977614
- On all branch SRX Series devices, for IDP, AppSecure, ALG, GTP, or SCTP, the flow serialization impacts session performance. This flow serialization continues even after Layer 7 processing is completed. PR986326
- On all branch SRX Series devices in Layer 2 transparent mode, the flowd process might crash when two packets with the same connections are received in a short time before the flow session is created, and destination MAC address lookup succeeds for these two packets. PR1025983
Interfaces and Routing
- On SRX220 and SRX550 devices, you can configure a maximum of 250 connections as connection-limit. However, 250 connections cannot be established. To set the maximum-connection-limit, use the set system services telnet connection-limit command. PR976318
- On all branch SRX Series devices, when the packet-capture option is configured on the egress interface and a multicast stream is sent through the device, the multicast traffic might not be captured. PR1005116
- On all branch SRX Series devices, when a new user is created, the home directory for the user is not created. PR1015156
- On all branch SRX Series devices, in a rare condition, during a routing update failure, freed memory might be accessed again, which results in a flowd process crash. PR1017148
- On all branch SRX Series devices, the flowd process might crash while applying a CoS filter for the host outbound traffic. PR1021150
- On all branch SRX Series devices with First Hop Router (FHR) in multicast scenario, after the device reboots, the PIM tunnel selects loopback0.0 as the outgoing interface due to a timing issue where the route is not ready. If the loopback0.0 and the downstream interface are not in the same security zone, the PIM register packets will be dropped because of reroute failure. PR1031185
Intrusion Detection and Prevention (IDP)
- On SRX240H2, SRX240H2-POE, and SRX240H2-DC devices, the IDP cannot process any traffic due to incorrect setting of flow sessions. PR1011057
J-Web
- On all branch SRX Series devices, on the Dashboard page, the serial number and the system uptime are not displayed. PR1009371
- On all branch SRX Series devices, the PKI certificate issued for J-Web GUI HTTPS is not used when DVPN is configured on the same device. This is because the device uses the self-signed PKI certificate for both J-Web GUI HTTPS and DVPN URL access. PR1017747
Network Address Translation (NAT)
- On J Series devices, multicast traffic is not forwarded if source NAT is used on the traffic. PR782159
- On all branch SRX Series devices, when source NAT is configured, the ports are allocated randomly by default. In rare circumstances, the global random port table of source pools or interfaces becomes damaged by certain services or traffic. This damage can result in low-range ports being assigned a higher priority in sessions. Ports might be reused quickly, causing application access failure. PR1006649
Platform and Infrastructure
- On SRX100B, SRX210B, and SRX240B devices, high control plane memory usage is expected after you upgrade to Junos OS Release 12.1X45 or 12.1X46. PR985479
Security
- OpenSSL released a Security Advisory that included CVE-2014-3566, known as the "POODLE" vulnerability. The SSL protocol 3.0 (SSLv3) uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data through a padding oracle attack. OpenSSL is upgraded to support SSL 3.0 fallback protection (TLS_FALLBACK_SCSV). Refer to JSA10656 for more information. PR1033938
System Log
- On all branch SRX Series devices, the "flowd_octeon_hm: pconn_client_connect: Failed to connect to the server after 0 retries" message repeats in the log. PR1035936
Unified Threat Management (UTM)
- On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) feature enabled, the chunked HTTP traffic might be terminated unexpectedly by the client due to incorrect content sent by the SRX Series devices. As a result, the whole page or partial content is not displayed in the client browser. PR971895
- On all branch SRX Series devices with UTM content filtering enabled, when the filename extension value is set to .com to block URLs, the content filtering feature incorrectly treats the <searchpart> as a path and blocks URLs that end with .com. PR1008108
VPN
- On all branch SRX Series devices, the certificate-based IKEv2 tunnel might not be established if the wildcard (*) is configured as a remote identity for the IKE gateway. PR968614
- On all branch SRX Series devices, dynamic VPN user groups are not able to access certain remote resources. In this scenario, there are two policies referring to the same dynamic VPN and one of the policy directions is not set. Hence, the lookup fails in the null policy at the end. PR988263
- On all branch SRX Series devices, in group VPN member, the KMD_PM_IKE_SERVER_NOT_FOUND message appears repeatedly in the kmd log after rekey. PR991306
- On all branch SRX Series devices deployed in a hub-and-spoke VPN scenario with a hub point with dynamic endpoint VPN (DEP VPN) spokes, if manual NHTBs are configured, changing (adding or deleting) the NHTBs might cause other NHTBs to be deleted and existing tunnels to go down. PR1001692
- On all branch SRX Series devices in a Dynamic End Point (DEP) VPN scenario, the VPN tunnel might stay in down state after you change the user-at-hostname value. PR1029687
- On all branch SRX Series devices, in AutoVPN configuration after reboot, the VPN tunnel might not come up and an error with the private key is reported. PR1032840
Resolved Issues - 12.1X46-D25
Application-Aware Quality of Service (AppQoS)
- On all branch SRX Series devices, application traffic control rate limiters are not supported on model H2. PR979901
Dynamic Host Configuration Protocol (DHCP)
- On all branch SRX Series devices, when the DHCP client (a Windows PC) sends only one DISCOVER packet, the DHCP server (an SRX Series device) receives two DISCOVER packets and replies with two OFFER packets. This does not, however, prevent the IP address from being allocated to the DHCP client. PR894760
Flow and Processing
- On SRX Series devices, multicast traffic might cause memory leak on the data plane. PR947894
- On all branch SRX Series devices, gratuitous ARP (GARP) replies do not update the existing MAC address entry. Only when the MAC address timer expires is the new MAC address learned. PR953879
- On SRX240, SRX550, and SRX650 devices, in certain situations, flow sessions time out and get corrupted. This leads to the flow sessions being set to an abnormally high value, which eventually leads to the session table becoming full. PR955630
- On all branch SRX Series devices, the packets through IPsec VPN fail in chassis cluster Z mode when there is a fragmentation required. PR956808
- On all branch SRX Series devices deployed in a multicast scenario, a memory leak on the fwdd process might occur when the multicast routes change. PR963116
- On all branch SRX Series devices, the GRE tunnel does not change the outbound interface when the route changes. PR965890
- On all branch SRX Series devices with selective stateless packet-based services configured, self-traffic generated on custom routing instances will be dropped if it is forwarded in packet-based mode. PR968631
- On SRX550 devices, the maximum flow sessions are configured incorrectly. The devices have larger session capacities than the configured session values. PR977169
- On all branch SRX Series devices, due to an indirect next-hop change, memory corruption occurs in the flow route lookup table, which causes the flowd process to crash. PR988659
Interfaces and Routing
- On all branch SRX Series devices with 3G wireless modems, the 3G dialer interface dl0.0 might get stuck in the down link state. PR855897
- On all branch SRX Series devices, when you configure an ICMP probe-server option under the [services rpm] hierarchy for a specific interface (for example, ge-0/0/0), the device does not respond to ICMP requests from this interface. Other interfaces are not affected and continue to respond to ICMP requests. PR960932
- On SRX650 devices, the VLAN interface is down after a reboot due to a timing issue. PR969079
- On SRX550 and SRX650 devices with WAN cards installed, if an interface is configured for Ethernet switching mode and is forwarding traffic, traffic processing might exhaust the mbuf pool. As a result, an interprocess communication (IPC) issue can occur, causing the WAN cards to go offline randomly. PR972332
Intrusion Detection and Prevention (IDP)
- On all branch SRX Series devices, when you disable the idp policy-optimizer option using the set security idp sensor-configuration no-policy-optimizer command, the policy fails to load after reboot. PR883258
J-Web
- In J-Web, the App-FW page does not show the counter information. PR972473
- On all branch SRX Series devices, when you open several connections to J-Web from the same IP address, the HTTP process might hang and J-Web becomes unresponsive. PR974042
Network Address Translation (NAT)
- On all branch SRX Series devices, when the proxy-ndp feature is enabled on the interface, the entries in the IPv6 neighbor table from the interface might flap. PR970281
Platform and Infrastructure
- On all branch SRX Series devices configured to use RADIUS authentication, if the user-permission string sent from the RADIUS server is longer than 129 characters, the device fails to process the string. This results in user permissions not being set correctly. PR736331
Switching
- On SRX210HE devices, after reboot, sometimes the VLAN interface is down while its member physical interface is up. PR791610
System Log
- On SRX650 devices, when you execute the show security nat static rule all command continuously, the following message is displayed: "kern.maxfiles limit exceeded by uid 0".
- On all branch SRX Series devices, every time a user logs in with SSH, a veriexec: fingerprint mismatch message is reported in the log. PR929612
Unified Threat Management (UTM)
- On branch SRX Series devices with the UTM Sophos antivirus (SAV) service enabled, if source NAT for self-generated traffic is configured, the DNS queries from the UTM SAV service fail with a timeout. PR963978
Virtual Private Networks (VPNs)
- On all branch SRX Series devices, in a hub-and-spoke IPsec VPN scenario, on the hub site, when you commit the static NHTBs on the multipoint secure tunnel (st0) interface, the VPN routes might become active even though the VPN tunnel is down. This issue also occurs when you reboot the system with static NHTBs and the related static routes configured. PR947149
- On all branch SRX Series devices, IPsec VPN tunnels might not come up because buffer space is unavailable. PR985494
Resolved Issues - 12.1X46-D20
Chassis Cluster
- On all branch SRX Series devices in a chassis cluster, the counter for incoming traffic on a fabric interface always shows zero (0). PR949962
- On all branch SRX Series devices (except the SRX110), in an asymmetric chassis cluster, the secondary node (node 1) uses a local interface to back up the interface in the primary node (for example, node 0). If there is a route change, then the traffic is sent to the egress from the backup interface, which is the local interface of node 1. After the route resumes, the traffic is sent back to the egress from the primary interface, which is the local interface of node 0. The session related to the route change is in the active state on both nodes. Traffic might be interrupted when the session times out on the backup node and the session on the primary node is deleted. PR951607
Flow and Processing
- On SRX240, SRX550, and SRX650 devices, when the device receives a TCP reset (RST) and a FIN (the second FIN of the session) at the same time for a session, the RST and the FIN packet might be processed by different threads. As a result, the session timeout is updated incorrectly, and the session remains in the session table for 150 seconds. PR950799
- On all branch SRX Series devices in a site-to-site VPN scenario, when the device is configured as an IPsec initiator, the flow session timeout is refreshed by the reroute packet. This causes an old session to remain in the session table, the VPN connection not to recover, and packet drops to occur. PR959559
- On all branch SRX Series devices with the IP spoofing screen enabled, the routing table search fails when it is locked by the system. As a result, false positives occur on IP spoofing detection. PR967406
Hardware
- On SRX100, SRX210, and SRX240 model B and H devices with 1 GB of RAM, the predefined IPS templates other than the recommended template might not compile successfully. PR925337
Interfaces and Routing
- On all branch SRX Series devices, because of a timing issue, the VLAN interface might fail to add security zone information after the RG0 failover. PR944017
- On all branch SRX Series devices with interfaces encapsulated with ethernet-ccc, when you connect to an ae interface with Link Aggregation Control Protocol (LACP) enabled, the LACP packets do not pass through the ethernet-ccc encapsulated interface. PR945004
- On all branch SRX Series devices, when RG0 failover is triggered, the old RG0 primary device reboots or sometimes both the devices reboot. PR953723
- On SRX100B2, SRX100H2, SRX210B, SRX210HE2, SRX210HE2POE, SRX220H2, SRX220H2POE, SRX240B, SRX240B2, SRX240H2, and SRX240H2POE devices, the PPPoE feature session is disconnected or the connection is not available. PR956307
J-Web
- When you change the password minimum-length characters from 6 to 8, J-Web shows the error message minimum-length is 6. PR942219
- On all branch SRX Series devices, J-Web does not display the log sessions. PR962892
Platform and Infrastructure
- On all branch SRX Series devices, when using JDHCP, the server does not respond to the client with a DHCPOFFER packet when it receives a DHCPDISCOVER packet from the client. This causes the authd process to consume a large amount of CPU and the usage of the /mfs partition to grow. PR925111
- On all branch SRX Series devices, SSH connection is not possible between Cisco devices running IOS version 15 or later and SRX Series devices running Junos OS Release 11.2 or later. PR957483
- On J Series devices, kernel warnings about kern.maxproc nearing the limit value might appear in the log. PR958358
System Log
- On all branch SRX Series devices, the following error message is displayed on system or event logs after you upgrade to Junos OS Release 12.1X46-D10: Can't find ifa on e1-x/0/x.y. This message is harmless and does not affect the E1 interfaces and can be ignored. PR971503
Unified Threat Management (UTM)
- On all branch SRX Series devices, the test security utm anti-virus command for the antivirus feature does not work. PR951124
Virtual Private Networks (VPNs)
- Certificate-based authentication would fail when the RSA signature from the remote peer used SHA-256 as the message digest algorithm. PR936141
- On all branch SRX Series devices configured as a route-based IPsec Dynamic End Point (DEP) VPN node, the VPN tunnel interface st0.X link incorrectly remains up when IPsec Security Association (SA) is not established, even though VPN monitoring or establish-tunnels immediately is configured. PR947552
- On all SRX Series devices, in some situations, if the CRL server is not reachable, a memory leak might occur and show the message kern.maxfiles limit exceeded by uid 0 in the console mode. Hence, the device administrator is not able to log in to the device anymore. PR959194
- On all branch SRX Series devices, when dynamic VPN is configured, it is not possible to use local-certificate or pki-local-certificate for Web management. A commit error is displayed when these options are configured. Only the self-signed certificate option can be configured. PR969672
Resolved Issues - 12.1X46-D15
Application-Aware Quality of Service (AppQoS)
- When GRE is enabled, AppQoS classification, marking, or rate limit does not work for fragmented packets in the client-to-server direction. PR924932
Dynamic Host Configuration Protocol (DHCP)
- In the DHCPv6 client command description, the word stateful was misspelled as statefull. It is changed to stateful in the description; however, the keyword is retained as stateful to avoid incompatibility. PR924692
Flow and Processing
- On SRX240, SRX550, and SRX650 devices, when the device receives out-of-order packets while transferring large TCP files, the throughput might be heavily impacted. PR881761
- On devices with 1 GB of memory, if the advanced services license is configured with the reduce-dp-memory option, memory is not released from the data plane to the control plane. PR895648
- On all SRX Series devices, if GRE tunnel configuration is committed without a correct route to the tunnel destination, the GRE tunnel session will bind the wrong anchor interface (the GRE tunnel outgoing interface) by route lookup. This anchor interface will not be updated even after the route is corrected when you commit the subsequent configuration. PR933591
- On all branch SRX devices, when the device is in packet mode, after you change an interface configuration, the warning message "warning: You have changed inet flow mode; You must reboot the system for your change to take effect" is displayed. The same message is displayed on every commit until the next reboot. This message can be safely ignored. PR949472
- On SRX210 devices running in packet mode, when DSCP marking (32 - 63) is on and the destination MAC in the packet header is present in the SRX ARP table, the devices reply to packets that are not destined to them. On devices in a chassis cluster, you must ensure that packets not destined to the SRX210 do not reach the device. PR950486
Hardware
- On the B and H versions of SRX100, SRX210, and SRX240 devices with 1 GB of RAM, the predefined IPS templates other than the recommended template might not compile successfully. PR925337
- On SRX550 and SRX650 devices, the SRX-GP-DUAL/QUAD-T1-E1 GPIM might have interoperability issues with the remote CSU using national standard feature due to the violation of ITU-T recommendation G.704. PR939944
Interfaces and Routing
- On SRX550 devices, the T3/E3 FPC goes offline after provisioning a switched port. PR919617
- On SRX Series devices with the 3G USB wireless modem, when the signal is low, the 3G cellular modem interface (cl-0/0/*) displays the status as Connected even though there is no signal, or there is a low signal with no network connection. This is because there is no mechanism for the wireless WAN process to notify the Routing Engine of the status change, even though the Packet Forwarding Engine is notified. After the signal recovers, the 3G cellular modem interface is not able to dial again. PR923056
- On SRX550 devices with DS3/E3 interfaces, the external clocking option is disabled to support the clocking option. PR936356
Screens
- When you use the screen ids-option limit-session destination-ip-based command, the session synchronization is not correct. PR940029
Unified Threat Management (UTM)
- On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) option enabled, and the intelligent-prescreening option configured, the chunked packet that only contains chunk-size data without any actual data is recognized as an invalid data packet, and the packet is dropped before it passes to the KAV engine in the KAV HTTP proxy processing. PR937539
Virtual Private Networks (VPNs)
- Certificate-based authentication would fail when the RSA signature from the remote peer used SHA-256 as the message digest algorithm. PR936141
- On all SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link increases. PR941999
- On devices in a chassis cluster, during RG0 failover to new primary node, if a route-based VPN does not have IPsec SAs associated with the tunnel, then the bind interface (st0) associated with the tunnel is marked as down. PR944478
- After the traffic-selector configuration is deleted from the VPN configuration object, the data traffic stops passing through the tunnel. PR944598
Resolved Issues - 12.1X46-D10
Application Layer Gateways (ALGs)
- The total SIP call values were incorrect, and the ALG feature could not be verified. PR839190
- On all branch SRX Series devices in a chassis cluster, the flowd process might crash when the ALG is enabled and the security policy is configured with the log option for ALG traffic. PR889097
- The Sun RPC ALG cannot open the gate as expected if the port string in the get-address message is longer than 6 characters, because the current Sun RPC ALG can only parse a uaddr port string that is shorter than 6 characters. PR901205
Authentication
- On all branch SRX Series devices configured with firewall authentication, if a user was already authenticated, and then when a subsequent user initiated authentication using the same IP address as the first user, the subsequent user inherited the first authenticated user’s “Access time remaining” value. PR843591
BGP
- Under specific time-sensitive circumstances, if BGP determines that an UPDATE is too big to be sent to a peer, and immediately attempts to send a withdraw message, the routing daemon (rpd) may crash. An example of an oversized BGP UPDATE is one where a very long AS_PATH would cause the packet to exceed the maximum BGP message size (4096 bytes). The use of a very large number of BGP Communities can also be used to exceed the maximum BGP message size. Please refer to JSA10609 for additional information. PR918734
Chassis Cluster
- On devices in a chassis cluster, when you execute the clear system commit command, it clears commit only from the local node. PR821957
- On devices in a chassis cluster, during a control link failure, if the secondary node is rebooted by control link failure recovery, the rebooted node goes into disabled state even after startup. PR828558
- On all branch SRX Series devices in a chassis cluster, when you download IDP Signature Database from the primary node, the sig-db is not synchronized to the secondary node. PR914987
Command-Line Interface (CLI)
- There is no specific CLI command to display the count of sessions allowed, denied, or terminated because of UAC enforcement. PR733995
- AppQoS does not display the correct application identification name when you run the show class-of-service application-traffic-control statistics rate-limiter CLI command. PR751490
- Certain combinations of Junos OS CLI commands and arguments have been found to be exploitable in a way that can allow root access to the operating system. This may allow any user with permissions to run these CLI commands the ability to achieve elevated privileges and gain complete control of the device. Please refer to JSA10608 for additional information. PR912707, PR913328, PR913449, PR913831, PR915313, PR915957, PR915961, PR921219, PR921499
Dynamic Host Configuration Protocol (DHCP)
- On all branch SRX Series devices, when multiple interfaces are configured as DHCP clients, if one of the DHCP client interfaces goes from the down state to the up state, the IP addresses acquired by the other DHCP client interfaces are deleted unexpectedly and are added back after some time. There is a temporary traffic interruption until the deleted IP address is recovered automatically. PR890124
- Prior to Junos OS Release 11.4R9, DHCP option 125 cannot be configured for use as the byte-stream option. With Junos OS Release 11.4R9 and later releases, DHCP option 125 can be used for the byte-stream option. PR895055
- On all branch SRX Series devices working as DHCP clients, when the connection with the primary DHCP server is lost, the device tries to renew the lease. The device then drops the DHCP rebind ACK from the other DHCP server, which tries to assign the same IP address to it. PR911864
Flow and Processing
- When DNS ALG was enabled, the rewrite rules applied on the egress interface might not work for DNS messages. PR785099
- After enabling IPv6 in flow mode, IPv6 routes are not active. PR824563
- The current implementation of the HTTP timeout is 1800 seconds; the default timeout should be 300 seconds. PR858621
- The RPM script triggers twice when the RPM probe-test fails. PR869519
- On J Series devices, the self-originating outbound traffic always uses the first logical unit queue. PR887283
- On all branch SRX Series devices with the MS-RPC ALG enabled, when the junos-ms-rpc application is not configured in the security policy and the MS RPC control session is permitted by a security policy that matched the application “any”, the MS-RPC ALG should not check the MS RPC data session, and the data session should be permitted by the security policy. If the MS-RPC data session is configured to be processed by one or more other services such as IDP, UTM, AppID, or AppFW, the MS-RPC ALG incorrectly checks the MS RPC data session and discards it. PR904682
- On SRX100, SRX110, SRX210, and SRX220 devices with the FTP Application Layer Gateway (ALG) enabled, ICMP redirect might not work for FTP traffic. PR904686
- The memory allocated for a multicast session might not be released when a multicast reroute occurs, which leads to a memory leak. PR905375
- When you use a classifier based on EXP bits on a PE router, the CoS marked MPLS traffic is forwarded to the default egress queues instead of the custom configured queues. PR920066
Hardware
- On SRX210 devices, after you upgrade to Junos OS 12.1X46-D10 or later, the fan speed in relation to the Routing Engine temperature does not follow the temperature threshold table. PR910977
Infrastructure
- On all branch SRX Series devices, when the device authentication is through RADIUS server and the password protocol is Microsoft CHAP version 2, the password change operation fails as the user password change is enforced through Microsoft Active Directory server. PR740869
- After an upgrade, you cannot copy files between nodes in a cluster using the file copy command. PR817228
- On SRX240 devices, when a nonstandard HTTPS port is set, the URI changes to the IP address and port. PR851741
- On SRX100B and SRX100H devices, an unexpected system reboot is observed and multiple core files are generated due to a double data rate 2 (DDR2) memory timing issue between the DRAM and the CPU. The symptoms include flowd core files, core files from other daemons (such as snmpd, ntpd, rtlogd, and so on), and silent reboots without core files. These core files are related to random memory access (for example, pointer corruption in a session ager ring entry). PR909069
Interfaces and Routing
- The Routing Protocol Daemon (RPD) might crash with the following error: /kernel: BAD_PAGE_FAULT: pid 1472 (rpd), uid 0: pc 0x86ff81c got a read fault at 0x15,x86 fault flags = 0x4, when OSPF switches from the primary path to the secondary path while loop-free alternates (LFA) and LDP-SYNC are enabled. The corruption is caused when OSPF does not completely free a memory location that is later reused by LDP. PR737141
- On VLAN tagged ethernet frames (802.1p), you cannot modify the VDSL priority bits. PR817939
- On SRX550 devices, the VRRP does not work when it is connected through IRB. PR834766
- On J Series devices, a Layer 2 loop might occur for a short time when you run the request system power-off, request system reboot, or request system halt command. PR856457
- The RPM script is triggered twice when the RPM probe-test fails. PR869519
- When a SHDSL Mini-PIM is configured in 2-wire mode with annex mode as Annex B/G, one of the physical interfaces does not come up. PR874249, PR882035
- The point-to-multipoint (P2MP) interface does not accept any multicast packets, which leads to interoperability issues with the Secure Services Gateway (SSG). PR895090
- When there is a configuration change in the VDSL profile from one to another, the VDSL line does not retrain and comes up with the newly configured VDSL profile. PR898775
- When the virtual routers (routing instances) are connected with a looped cable and if one of the interfaces is VLAN, the unicast communication is unsuccessful. PR909190
- When multiple routing instances are defined, DNS names in the address-book entries might not get resolved. As a result, the corresponding security policies are nonoperational. PR919810
J-Web
- On SRX550 devices, the “External storage” option is not supported. Hence, do not select the "External storage" option from the list on the Maintain > reboot and snapshot page. PR741593
- The J-Web interface was vulnerable to HTML cross-site scripting attacks, also called XST or cross-site tracing. PR752398
- The Layer 2 Transparent Mode feature does not work with group configurations. PR815225
- In J-Web, if the policy name was “0”, the penultimate-hop popping (PHP) function treated it as empty, and traffic log output could not be viewed. PR853093
- J-Web fails to display the member in the application set after adding it to the nested application set. PR883391
- On J-Web, when you configure policy, the address set is seen as undefined in the Policy wizard. But, if a policy is created from Security > Policy > Apply policy, the address set is seen. PR892766
- On J-Web, the configured maximum flow memory value key max-flow-mem is marked as deprecated and hidden. Therefore, the maximum flow memory value cannot be fetched or displayed in J-Web. PR894787
- J-Web fails to display all policies under the from or to zone if one of them has the ## string in the description field. PR917136
License
- On SRX100 High Memory devices, after returning to zero the system licenses are deleted and the device reverts to an SRX100B device. PR863962
Network Address Translation (NAT)
- NAT-T might not work when the VPN is with Cisco and if the VPN is initiated from a Cisco peer. The VPN negotiates using port UDP 500 instead of UDP 4500 when NAT is involved. PR869458
- On devices in a chassis cluster, the chassis cluster rule number of sessions in the SNMP query or walk result is the sum of the real number of sessions of the primary node and the secondary node. PR908206
Security
- The glob implementation in libc allows authenticated remote users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames. This vulnerability can be exploited against a device running Junos OS with FTP services enabled to launch a high CPU utilization partial denial of service attack. Please refer to JSA10598 for additional information. PR558494
- If Proxy ARP is enabled on an unnumbered interface, an attacker can poison the ARP cache and create a bogus forwarding table entry for an IP address, effectively creating a denial of service for that subscriber or interface. When Proxy ARP is enabled on an unnumbered interface, the router will answer any ARP message from any IP address, which could lead to exploitable information disclosure. Please refer to JSA10595 for additional information. PR842092
Switching
- On SRX650 devices, the dot1x:mode:Multiple:Supplicants were authenticated even after a disconnect message was sent from the RADIUS server. PR786731
Unified Threat Management (UTM)
- The antivirus fallback block notification displays invalid notification option. PR787063
- When full file-based scanning of antivirus is enabled with Kaspersky scanning, some websites are not accessible. PR853516
- The flowd process might crash when traffic is processed by UTM. PR854880
- The device tries to resolve and connect to cpa.surfcpa.com and update.juniper-updates.net even if there are no licenses or configuration related to UTM. PR856128
- On all branch SRX Series devices using EWF, a small percentage of the connections to the Websense ThreatSeeker Intelligence Cloud might time out. PR860514
- The EWF parser mishandled the URL and host from the HTTP header, which results in an uncategorized EWF reply. PR862602
- On all branch SRX Series devices with UTM content filtering configured, a long file name encoded with the ISO-2022 might incorrectly match the content filtering extension blocking policy even if the extension blocking list does not contain the type of file extension. As a result, the file is dropped. PR865607
- On all branch SRX Series devices, new categories for EWF have been added. PR866160
User Interface and Configuration
- On SRX240 devices (with H2 and B2 model numbers) running Junos OS Release 11.4R8 or 11.4R9, you cannot upgrade to Junos OS Release 11.4R10 or later. You can upgrade from Junos OS Release 11.4R8 or 11.4R9 to Junos OS Release 12.1X44-D10, 12.1X45-D10, and 12.1X46-D10. PR934393
Virtual Private Networks (VPNs)
- On an SRX Series device, when a session is closed because the user for that session has signed out from the Junos Pulse, the session close log shows the role information as “N/A”. PR689607
- The SRX Series cluster is used as a VPN concentrator that is connected to remote VPN clients. The Internet key exchange process (daemon) tries to reuse the IP address that was previously assigned to an XAuth client. But the IKEd Xauth attributes are overwritten when the authentication reply is received from Authd. This causes the IKEd to assign a new IP address every time a Phase 1 Security Association (SA) is negotiated. As a result, multiple remote clients cannot connect through VPN. PR854922
- On all branch SRX Series devices, the Junos Pulse client has been updated from Release 2.0R3 to 4.0R2. PR868101
- On all branch SRX Series devices, a memory leak occurs on the data plane during continuous interface flapping, such as when interfaces are continuously added or deleted. PR898731
- For IKEv2, if an SRX Series device running Junos OS Release 12.1X46-D10 is in negotiation with a peer SRX Series device running Junos OS Release 11.4 or 12.1X44, a kmd core file might be generated on the peer device during IPsec child SA rekey. This does not impact any IKEv1 scenarios. PR915376
- On all branch SRX Series devices configured with group VPN, the flowd process might crash when group VPN Security Association (SA) rekeys and swaps to the new VPN tunnel. PR925107