Known Issues
The following problems currently exist in Juniper Networks SRX Series Services Gateways. The identifier following the descriptions is the tracking number in the Juniper Networks Problem Report (PR) tracking system.
Note: For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at https://www.juniper.net/prsearch.
Access Point Network
- On high-end SRX Series devices, if the SGSN and the GGSN are using the same IP address then the device cannot detect it and a conflict GSN entry will be installed on a different SPU. PR893436
- On high-end SRX Series devices, one IP address cannot be configured as a private IP and public IP. The GTP framework cannot detect this conflict. The conflict GSN entries will be installed on a different SPU. PR893460
Application Identification (AppID)
- On high-end SRX Series devices, in certain cases, configuring AppQoS rules causes the application system cache not to be populated with entries from the application identification results. PR755979
Application Layer Gateways (ALGs)
- On high-end SRX Series devices, there can be two reasons that might cause the ASL session synchronization failure:
  - Flow session is destroyed before the ASL session is received.
  - ASL resource or session synchronization RTO is lost.
Authentication and Access Control
- On high-end SRX Series devices, during firewall HTTP/HTTPS pass-through authentication, the device incorrectly removes the preceding colon in the password string. As a result, when the password string has a preceding colon, authentication fails and the authentication entry cannot be created. PR1187162
Chassis Cluster
- On SRX5600 virtual chassis, when you swap the members of a LAG interface, a vmcore or ksyncd core file might be generated on the backup Routing Engine. PR711679
- On SRX1400 devices in a chassis cluster, after you commit a configuration, the LED changes from green state to off. PR749672
- On high-end SRX Series devices in a chassis cluster, if the secondary node is rebooted with new web authentication requests coming into the chassis cluster continuously, the web authentication entry ID is not the same between the two nodes when testing in-service hardware upgrade (ISHU). PR826100
- On SRX5600 and SRX5800 devices, when you reboot the device, cyclic redundancy check (CRC) error logs recorded in chassis log file might appear. However, this does not affect the normal operation of the device and can be ignored. PR877722
- On high-end SRX devices, for GTPv0 and GTPv1, if the time interval between the primary PDP activation message and the secondary PDP activation message is too small, the secondary GTP-U tunnel on the chassis cluster backup node will not be established. The no control tunnel error counters are also detected on the chassis cluster backup node. Due to this error, the secondary GTP-U tunnel creation fails on the backup node leading to the failure of the related secondary GTP-U tunnels on the backup nodes. PR924791
- On high-end SRX Series devices, when a U tunnel conflict occurs (two U tunnels have the same GSN IP and TEID), the C tunnel is located on another SPU board, and the user deletes related NAT rules or executes the clear security gprs gtp tunnel all command, the GSN entry for the C tunnel goes to obsolete status, but its tunnel number might not go to zero. As a result, this GSN entry is never cleared. PR937464
- On high-end SRX Series devices, the CLI commands for security intelligence and dynamic address are supported only on primary node. If you get the following error message: the security-intelligence subsystem is not responding to management requests, run the commands again on the primary node. PR961840
- On high-end SRX Series devices, it is strongly recommended that the device be running below 50% CPU at the control plane and data plane before starting ISSU. If the primary device is running at more than 70% CPU, ISSU will fail in most cases because of cold synchronization failures. Use the show chassis routing-engine (RE CPU) and show security monitoring (SPC CPU) commands to check CPU utilization. If the device is running at high CPU, it is strongly recommended to disable the traceoptions or only allow critical level logging using set deactivate chassis cluster traceoptions and security policy log commands. If CPU usage is high because of heavy traffic, redirect the traffic to another security device or wait until the traffic comes down. PR1016437
Flow-based and Packet-based Processing
- On high-end SRX Series devices, when end-to-end debugging is enabled, if the traffic rate is 1000 packets per second (pps) or higher, packet loss is observed. PR786406
- On high-end SRX Series devices, when IPsec is enabled, AppQoS does not apply the rate limiter for egress traffic. PR918942
- On SRX Series 5000 devices using SPC II, the flowd process crashes due to a cache error. PR1005195
- On high-end SRX Series devices, if the firmware runs for a very long time, some counters might wrap around and show huge numbers because the values are added using a mixture of int32_t and u_int64_t types. This does not cause any functional outage; it only affects the numbers displayed for debugging. PR1175469
- On SRX3400 devices, it is observed that TP and CPS in SSL-FP (enabled with IDP-REC policy, 1K key) drops by 15% to 18%. This issue has no impact on SRX5000 and SRX550 devices. The root cause of the drop is traced to an OpenSSL fix, where OpenSSL was upgraded to version 1.0.1p in Junos OS Release 12.1X46-D55. The upgrade was essential to address several security vulnerabilities in SSL. PR1198833
- On high-end SRX devices, packet-filter with destination-prefix/destination-port only matches traffic for one direction. PR1227357
GPRS
- On high-end SRX Series devices, for GTPv0 and GTPv1, if the time interval between the primary PDP activation message and the secondary PDP activation message is too small, then secondary GTP-U tunnel on the chassis cluster backup node will not be established and the no control tunnel error counters are detected on the chassis cluster backup node. Due to this error, the secondary GTP-U tunnel creation fails on the backup node leading to the failure of the related secondary GTP-U tunnels on the backup nodes. PR929042
- On high-end SRX Series devices, if the SRX Series device receives delete PDP response messages simultaneously for both secondary and primary PDP, the primary PDP message might be processed first. When the primary PDP tunnels are deleted, all the related secondary PDP tunnels are also deleted. As a result, some of the deleted PDP response messages might drop with no control tunnel errors, but all the requested PDP tunnels are deleted and there is no impact on the GTP tunnels. PR929355
High Availability (HA) and Resiliency
- On SRX Series devices, when you upgrade a Junos OS release from one version to another, the following error messages are displayed:
Network security daemon: rtslib: ERROR kernel does not support all messages: expected 102 got 98, a reboot or software upgrade may be required
Network security daemon: rtslib: WARNING version mismatch for message unknown: expected 98 got 0, a reboot or software upgrade may be required
These messages do not affect the unified ISSU. PR926661
Interfaces
- On SRX Series devices, the loop back CLI configurations shdsl-options for pt interface are not working as expected. PR798180
- On SRX Series devices, the SHDSL media and statistics counters are not incrementing after the introduction of micro-interruption to the line. The counters are also not cleared even after explicitly using the clear command. PR810334
- On SRX Series devices, SFP interfaces ge-0/0/7, ge-0/0/8, and ge-0/0/9 on the 1-Gigabit Ethernet SYSIO card auto-negotiate to 10 gigabits per second when the port is down. PR946581
- On high-end SRX Series devices, as per the current design of ip-monitoring, reth interfaces with more than one child interface per node (RLAG - redundant LAG) are not supported. PR996783
Intrusion Detection and Prevention (IDP)
- On SRX Series devices, in the output of the show services application-identification application-system-cache command, the application-system-cache table for P2P encrypted traffic is incorrectly marked as Encrypted: No instead of Encrypted: Yes. PR704023
- On high-end SRX Series devices, the all attacks policy is not supported. The current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, the supported templates might eventually grow past the policy size limit. PR876449
- On high-end SRX Series devices, when both the Gn and Gp interface pass through the device, and the Gn interface is NAT-enabled, the restart counter only takes effect on the Gn interface. PR893379
- On high-end SRX Series devices, when the IDP SSL inspection feature is enabled and processes traffic, a race condition in which multiple threads update a reference count concurrently might corrupt data and cause the idpd process to crash. PR1149604
J-Web
- On high-end SRX Series devices, all fields in the edit policy window are empty in the logical systems. PR900975
Layer 2 Features
- On high-end SRX Series devices, in the SNMP jnxJdhcpRelayBindings table, the OID value for the IP address and time have format errors. Hence, the OID value for the interface is lost. PR908619
Network Address Translation (NAT)
- On high-end SRX Series devices in a chassis cluster, some persistent NAT table entries cannot be removed on the SPU when the device is under heavy traffic with multiple failovers. PR834823
Network Management and Monitoring
- On SRX5400, SRX5600, and SRX5800 devices, the flowd process might crash when services offload (SOF) is enabled. PR1084123
- On SRX3400 and SRX3600 Series devices, in a rare condition, SPC might be stuck and generate a vmcore. PR1136599
Platform and Infrastructure
- On high-end SRX Series devices, in Junos OS Release 11.2R7, CL73-AN was inadvertently enabled for ports 7, 8, and 9 on the 1 Gigabit Ethernet SYSIO card. As a result, links failed to come up on these ports. PR787010
- On high-end SRX Series devices, when you try to reload a kernel module that is already linked to the kernel, an error message is displayed because the module is already present. No functionality is impacted by the error message. PR817861
- On high-end SRX Series devices, when all the input parameters for the command show security match-policies global source-ip destination-ip source-port destination-port protocol are not provided, then the management process might be triggered into an infinite loop. This results in high CPU utilization on the Routing Engine. PR893721
- On high-end SRX devices, the flowd process might crash and cause a traffic outage if the SPU (Services Processing Unit) CPU usage is higher than 80%. At that load, some threads are in waiting status and the watchdog cannot be toggled in time, which causes the flowd process to crash. PR1162221
- On SRX5400, SRX5600, and SRX5800 devices with FIOC, the device stops working after broadcast storm and this situation lasts for nearly 12 hours. PR1192536
System Logs
- On high-end SRX Series devices, I2C-related error messages are seen in the log file during run-time. These error messages are harmless, and this issue does not impact production traffic. PR937357
Unified Threat Management (UTM)
- On high-end SRX Series devices, under high CPS and UTM SAV interested traffic, SRX devices might ramp up to 99% CPU usage due to the central lock on object cache memory allocation. There is no clear boundary because the allocation race condition varies. Reducing traffic CPS could lower the high CPU usage. PR967739
- On SRX550 and SRX650 devices with Sophos Antivirus (SAV) configured, some files whose size is larger than the max-content-size might not go into fallback state. Instead, some protocols do not predeclare the content size. PR1005086
- On high-end SRX Series devices in a High-availability (HA) cluster, the event message LIBJNX_REPLICATE_RCP_ERROR would be generated when the secondary node fails to synchronize the SAV database from the primary node in the scenario of disabling UTM. PR1071708
User Interface and Configuration
- On SRX Series devices under certain conditions, if the configuration of the interface and security zone is out of synchronization between the Routing Engine and Packet Forwarding Engine, the interfaces might be bound to the NULL security zone. As a result, the network security daemon (NSD) process would crash. PR1000309
VPNs
- On high-end SRX Series devices, IPsec replay errors might be observed after RG1 failovers. PR832834
- On high-end SRX Series devices, traffic selectors are not supported in IPsec VPN when the bound tunnel interface (st0.x) belongs to a user logical system (LSYS). PR960097
- On SRX Series devices with IPsec VPN configured using IKEv2, the IKEv2 responder does not respond to retransmissions if its external-interface is inside a custom routing instance. PR1103027
- On SRX Series devices, if many IPsec VPNs are configured, any configuration commit related to IPsec VPN might cause a pause in the kmd process, which might cause a Dead-Peer-Detection (DPD) timeout and VPN tunnel renegotiation. PR1129848