Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Resolved Issues

The following are the issues that have been resolved in Junos OS Release 12.1X46 for Juniper Networks SRX Series Services Gateways. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

Note: For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at https://www.juniper.net/prsearch.

Resolved Issues - 12.1X46-D65

Chassis Cluster

• On high-end SRX Series devices, constant stream of SPU host mbuf stall messages are seen when the multicast feature is used in the SRX chassis cluster. PR1194485

Routing Protocols

• On SRX Series devices, the reversed change that causes a problem with IPsec on the OSPF. PR1209326

J-Web

• On SRX1400 device, J-Web dashboard page, HA LED shows the wrong color and auto refresh does not work. PR1233161

Network Management and Monitoring

• On high-end SRX Series devices, in each node, there is only one Routing Engine. The RE 0 in the master node is the master Routing Engine and the RE 0 in the secondary node is the backup Routing Engine. The request system power-off both-routing-engines command powers off both the master and the backup Routing Engines simultaneously. PR1039758

Platform and Infrastructure

• On SRX Series devices, unable to rollback to a certain version when using admin users with restricted permissions. PR1206074

Unified Threat Management (UTM)

• On SRX Series devices, when UTM, Security log, or Advanced Anti-Malware Service is used, in a rare condition, a memory corruption might occur on the data-plane, which results in the flowd process crash. PR1154080

Resolved Issues - 12.1X46-D60

Application Layer Gateways (ALGs)

• On SRX Series devices, MSRPC ALG cannot decrypt encrypted EPM messages (authlevel RPC_C_AUTHN_LEVEL_PKT_PRIVACY ) and drops the encrypted EPM messages. New behavior will be to bypass such encrypted messages and generate a syslog message. PR1192477
• On high-end SRX Series devices, the flowd core might crash on Node1 and causes the ISSU failure while performing ISSU from 12.1X44-D60.2 to 12.1X46-D55.1 or above 12.1X46 build. PR1193679
• On SRX Series devices, RSH client communicates with the RSH server. The RSH ALG is enabled and the RSH client transfers the file to the RSH server. Some last packets from the RSH server are not forwarded to the RSH client. PR1202773

Chassis Cluster

• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when you simultaneously reboot both the nodes of the device, the secondary node cannot respond after reboot until the IOCs on the other node are online. After all line cards of the primary node are online, the fabric recovery procedure changes the secondary node from ineligible to the normal secondary state. PR1104249
• On SRX1400 devices in a chassis cluster with a SYSIO board of hardware revision 20 or revision 18, the first control link on port ge-0/0/10 might not come up immediately after an ungraceful power-off and power-on. PR1166549
• On SRX3600 devices, when configuring white-list for Security Screen, it might cause memory corruption in Jtree, which results in the flowd process crash. PR1172844
• On high-end SRX Series devices, constant stream of SPU host mbuf stall messages are seen when the multicast feature is used in the SRX chassis cluster. PR1194485

Flow-based and Packet-based Processing

• On high-end SRX Series devices, high CPU usage on data-plane might occur when "ipsec-performance-acceleration" is enabled. PR1097278
• On high-end SRX Series devices, if LACP is enabled on reth interface, wrong next hop interface sometimes shown in the next hop database after chassis failover. As a result, both the inbound and transited traffic might be impacted. PR1180512
• On high-end SRX Series devices, SRX does not send out icmp type 3 code 4 packet if it works in HA cluster and the SPC card is in the combo mode. By default, all high-end SRXs devices are in the combo mode, as per the perspective of the SPC (Services Processing Card), which means that the SPC acts as both the CP SPU and FLOW SPU. PR1183249
• On high-end SRX Series devices, in Layer 2 and Layer 3 mixed-mode, with flooding enabled, when there is no Layer 2 egress interface up, a packet from Layer 2 interface might be forwarded to Layer 3 interface wrongly during the flooding process. PR1189004
• On high-end SRX Series devices devices, the BGP might flap if using RETH interface to establish BGP neighbors and the control and the fabric link might flap at the same time. As a result, the traffic which is traversing it will be interrupted. PR1194548

Intrusion Detection and Prevention (IDP)

• On high-end SRX Series devices devices, the idp policy cannot be compiled in case, lsys idp-policy-combined is created. PR1187731

Interfaces and Routing

• On high-end SRX Series devices, the Software-NH value increases and causes the traffic outage. PR1190301

J-Web

• On SRX Series devices, after using J-Web, CPU utilization on the routing-engine might stay high and does not recover. PR1201267

Network Address Translation (NAT)

• On high-end SRX Series devices, the Network Security Daemon (NSD) might crash on backup node occasionally if a large configuration with 32 logical-systems and more than 10000 NAT rules are loaded and overrided by a configuration without logical system and NAT. The chassis cluster can be set up normally after the crash. PR1183342
• On high-end SRX Series devices, while using source-based NAT with egress interface translation, upon egress interface IP address change, the current NAT sessions may not be removed until the session is aged-out. Traffic loss will occur while the traffic attempts to pass on the sessions using the old egress interface NAT IP. PR1201415

Network Management and Monitoring

• On high-end SRX devices in chassis cluster, when there are both IPv4 and IPv6 traffic processed by the device, due to a timing issue in session manipulation (session installation and deletion) by multiple real-time threads, the flow entry might be leaked in the flow table. This issue might cause the flowd process crash on the backup node. PR1180162
• On all high-end SRX devices, when you run show system license usage command it may show invalid scale-subscriber license on new RG00 master node after RG0 failover. This is only a cosmetic issue and there is no impact to function/performance/traffic. PR1197211

Platform and Infrastructure

• On SRX Series devices, a vulnerability in IPv6 processing has been discovered that might allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the router rather than discarded. The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out. Refer to JSA10749 for more information. PR1191838
• On high-end SRX Series devices, secret data such as some encrypted passwords were displayed in RSI by "show configuration | except SECRET" command in RSI. PR1192579

Routing Policy and Firewall Filters

• On high-end SRX Series devices, when range-address is configured on an address-book and invoked by a security policy, an abnormal memory access might occur, which causes the flowd process crash. PR1196122

VPNs

• On high-end SRX Series devices, when the routing engine is very busy, some internal communication can be lost due to which the service processing units can generate kmd and vmcore core-dumps as a result of this lost communication. PR1036889
• On high-end SRX Series devices, the IPSec VPN with certificate based authentication might fail during IKE negotiation in very rare occasion with newly generated key-pair. PR1146279

Resolved Issues - 12.1X46-D55

Application Layer Gateways (ALGs)

• On high-end SRX Series devices, the flowd core might crash on Node 1 while performing ISSU testing from 12.1X44-D60.2 to 12.1X46-D55.1 build. PR1193679

Chassis Cluster

• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when you simultaneously reboot both the nodes of the device, the secondary node cannot respond after reboot until the IOCs on the other node are online. After all line cards of the primary node are online, the fabric recovery procedure changes the secondary node from ineligible to the normal secondary state. PR1104249
• On SRX1400 devices in a chassis cluster with a 10-Gigabit Ethernet SYSIO board of hardware revision 20, the first control link on port ge-0/0/10 might not come up after an ungraceful power-off and power-on. PR1166549
• On all SRX Series devices in chassis cluster mode, when some configuration needs to be changed, after issuing the CLI commit confirm (the time parameter value can be between 1-65535) and commit command on the primary node, the secondary node does not commit. PR1171366

Flow-Based and Packet-Based Processing

• On high-end SRX Series devices, SRX devices does not send out icmp type 3 code 4 packet if it works in HA cluster and the SPC card is in the combo mode. By default, all high-end SRXs devices are in the combo mode, as per the perspective of the SPC (Services Processing Card), which means that the SPC acts as both the CP SPU and FLOW SPU. PR1183249

Resolved Issues - 12.1X46-D50

Application Layer Gateways (ALGs)

• On all SRX Series devices with MS-RPC ALG enabled, in heavy MS-RPC traffic environment, ALG traffic might fail because of the ASL groups being used up. PR1120757

Chassis Cluster

• On all high-end SRX Series devices in chassis clusters, because of a timing issue on session operation between the SPU and central point on backup node, sessions might leak on the central point on backup node. This results in traffic dropping after the leaking session related data-plane RG1+ failover or primary node rebooting. PR1148222
• On all high-end SRX Series devices in chassis clusters, after rebooting the whole system, the directed connected route for a disabled reth interface/logical interfaces might remain in the active state in the forwarding plan because of a timing issue. This issue results in traffic being forwarded to the disabled reth interface. PR1149857

Command Line Interface (CLI)

• On all high-end SRX Series devices, system commit synchronize is not supported. Hence, when you configure it will not be committed due to a configuration lock. PR1134072

Flow and Processing

• On SRX3400 and SRX3600 Series devices, in a rare condition, SPC might get stuck and vmcore files might be generated. PR1136599

Flow-Based and Packet-Based Processing

• On high-end SRX Series devices with IPsec VPN configured with VPN session affinity enabled, the VPN traffic might loop between the central point and the SPU because of a timing issue. This issue might cause a CPU spike on the central point and the SPU. PR1154649

Resolved Issues - 12.1X46-D45

Chassis Cluster

• On SRX1400, SRX3400, or SRX3600 chassis cluster, if the chassis cluster fabric ports are connected through a switch, some random packets might come into the chassis cluster fabric ports. These packets are interpreted as chassis cluster packets (such as real-time objects) and are forwarded to an invalid SPU. For example, the packets are forwarded to a SPU that does not exist (depending on the interpretation of the invalid packets). The invalid chassis cluster packets cannot be forwarded to the invalid SPU. Hence, the packets will be queued on a certain network processor. When the network processor is full, all data traffic will be blocked on the ports associated with that network processor. PR1042676

Flow-Based and Packet-Based Processing

• On all high-end SRX Series devices, when the number of AS paths is more than 400,000, the J-Flow configuration will not be bound to the FPC/PIC, which causes J-Flow to stop working. PR1089141
• On all high-end SRX Series devices working in transparent mode, the OSPFv3 packets are dropped when they pass through the device and are inspected by deep packet inspection (DPI). PR1094093
• On all high-end SRX Series devices, if Services Offloading is enabled, in certain cases, such as packets flowing on an LAG interface or fragmented packets processing, duplicated packets might be randomly generated and forwarded out of the device. PR1104222
• On all high-end SRX Series devices, if equal-cost multipath (ECMP) routing is configured, in a race condition of ECMP route updating, the flowd process might crash. PR1105809
• On all high-end SRX Series devices with IPsec VPN configured, if traffic is transmitted from one VPN tunnel to another VPN tunnel, and these two VPN tunnels are anchored on different SPUs, then this VPN traffic might be forwarded in a loop between these two SPUs. PR1110437
• On all high-end SRX Series devices when dynamic routing with ECMP is in use, flowd process crash might be observed.PR1125629
• On all high-end SRX Series devices with multi-threaded forwarding engines that have the tcp-session strict-syn-check feature enabled, the initial packets of a TCP session might be dropped due to a race condition. PR1130268

Interfaces and Chassis

• On all high-end SRX Series devices with enhanced fan trays equipped, Fan Tray Unable to Synch alarm may be seen. PR1013824
• On all high-end SRX Series devices, when you modify a security zone that has many interfaces (for example, when adding or deleting an interface in such a zone), an abnormally high CPU load might occur upon commit. PR1131679

Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices with IDP SSL inspection enabled, traffic with an RSA key size of more of than 2000 might cause high CPU usage and performance degradation on the data plane. PR1125387

J-Web

• On all high-end SRX Series devices, when a logical system (LSYS) user logs in to J-Web, changes the configuration, and clicks the Compare button, the result window does not pop up. PR1115191

Layer 2 Ethernet Services

• On all SRX Series devices, if both the DHCP client and the DHCP server (using the jdhcpd process) are enabled, then changing the DHCP-related configuration might cause the jdhcpd process to be exited unexpectedly. PR1118286

Network Address Translation (NAT)

• On high-end SRX Series devices, security policies are not downloaded after ISSU from Junos OS Release 12.1X46-D40 to Junos OS Release 12.3X48-D15. PR1120951

Network Management and Monitoring

• On all SRX Series devices, when using point-to-multipoint (P2MP) automatic NHTB IPsec tunnels, routes using next-hop IP that is in the st0.x subnet are incorrectly marked as active prior to the VPN tunnel establishment. PR1042462

Platform and Infrastructure

• On all high-end SRX Series devices, the chassis cluster LED changes to amber after RG0 failover, but the CLI indicates it is green. PR1085597
• On all high-end SRX Series devices, an SPU might become inaccessible from the Routing Engine because of a memory-buffer counter corruption. Because of this issue, a service outage occurs in certain scenarios, for example, when IPsec is configured with certificate-based authentication. PR1102376
• On all high-end SRX Series devices, you cannot configure more than one lt-0/0/0.x interface per logical systems (LSYS) on the following Junos OS maintenance releases:
  12.1X44-D35 through 12.1X44-D55
  12.1X46-D25 through 12.1X46-D40
  12.1X47-D10 through 12.1X47-D25
  12.3X48-D10 through 12.3X48-D15
  15.1X49-D10 through 15.1X49-D25
  You can configure more than one lt-0/0/0.x interface per LSYS if you have no interconnect LSYS configured. If the interconnect LSYS is configured, then you can have only one lt-0/0/0.x interface per LSYS. The issue is fixed in the following Junos OS maintenance releases: 12.1X44-D60, 12.1X46-D45, 12.1X47-D30, 12.3X48-D20, and 15.1X49-D30. PR1121888

Routing Policy and Firewall Filters

• When polling the following OIDs through SNMP, file Descriptor leak might be seen during the nsd process.
  • jnxLsysSpCPSummary
  • jnxLsysSpSPUSummary
  • jnxLsysSpCPUEntry
  • jnxLsysSpCPUTable

  PR1079629

Virtual Private Networks (VPNs)

• On all high-end SRX Series devices, when the alarm-without-drop option is configured for the UDP Flood Protection screen, packets classified as attack packets might be sent out of order. This can result in performance degradation. PR1090963
• On all SRX Series devices, if redundant VPN tunnels are set up to use two different external interfaces within two different IKE gateways to connect the same VPN peer, and the RPM is configured for route failover and the VPN monitoring is configured when the primary link is down, then VPN fails to the secondary link as expected. However, when the primary link is up, VPN flapping might occur and establishment of the primary VPN tunnel might be delayed. PR1109372

Resolved Issues - 12.1X46-D40

Application Layer Gateways (ALGs)

• On all high-end SRX Series devices with NAT and SIP ALG enabled, the NOTIFY message might incorrectly arrive earlier than the 200 OK REGISTER message, which will disrupt the state machine of the REGISTER message. The subsequent 200 OK REGISTER messages are dropped and the persistent NAT entry is not refreshed, causing the persistent NAT entry to expire. As a result, the IP address in the payload of the SIP message is not translated,and the SIP call fails. PR1064708
• On all high-end SRX Series devices with H.323 ALG and NAT enabled to process H.323 traffic, if H.323 calls contain the same source IP address and port number but in different positions, then some of the unidirectional sessions of H.323 might be seen. As a result, calls related to the H.323 ALG fail. PR1069067
• On all SRX Series devices with NAT configured, a memory overwrite issue occurs when the scaling RAS or H.323 traffic passes through the device and the device fails to perform NAT for RAS or H.323 traffic. As a result, the flowd process might crash. PR1084549
• On all SRX Series devices, if the RSH ALG is enabled, the device does not drop the packets that match the port range of the RSH ALG. PR1093558

Chassis Cluster

• On high-end SRX Series devices with enhanced fan trays installed the Fan Tray Unable to Synch alarm might be seen. PR1013824
• On high-end SRX Series devices, when GPRS tunneling protocol version 2 (GTPv2) is configured, GTPv2 might fail to create control sessions. PR1029284
• On SRX5400, SRX5600, and SRX5800 devices with an SPC2 installed, after the control plane (RG0) failover, if the RG0 and data plane groups (RG1+) are active on different nodes, then the primary Routing Engine might drop the connection with the remote SPUs (the SPUs reside on an another node, which is the Routing Engine in a secondary state). As a result, traffic outage occurs. PR1059901
• On all high-end SRX Series devices in a chassis cluster, when you reboot the primary node using the request system reboot command, the secondary node might crash after a few seconds. PR1077626
• On SRX5600 and SRX5800 devices, traffic outage might occur with hardware errors (IA PIO errors). When the devices are configured in a chassis cluster, the hardware errors (IA PIO errors) do not trigger RG1+ failover. This fix is used to raise an FPC minor alarm to trigger the RG1+ to switch over for a chassis cluster. PR1080116
• On all SRX Series devices, all interfaces of the RG0 secondary node go down when the connection between the kernel of the primary node and the ksyncd of the secondary node fails. This occurs because of the memory leak in the shared-memory process (shm-rtsdbd). PR1084660

Class of Service (CoS)

• On all high-end SRX Series devices, the CoS rewrite rules do not work for VPN traffic if the rules are configured with loss priority high. This occurs when the packets are reinjected into the IPsec tunnel encapsulation process. PR1085654

CLI

• On SRX5400, SRX5600, and SRX5800 devices, ICMP Out Errors with a rate of 10,000 per second are generated when you issue the show snmp mib get decimal 1.3.6.1.2.1.5.15.0 command. PR1063472

Flow-Based and Packet-Based Processing

• On all high-end SRX Series devices, the flowd process might crash when the multicast traffic processes the route lookup failure. PR1075797
• On all high-end SRX Series devices with source NAT configured, the ICMP error packets with 0 value of MTU might be generated on the egress interface when the packets fail to match the NAT rules. PR1079123
• On all high-end SRX Series devices, if there are any configuration changes made to the interface (for example, when you add a new unit for an interface), an internal interface-related object will be freed and reallocated. However, in a rare condition, some packets queued in the system might refer to the freed object, causing the flowd process to crash. PR1082584
• On all high-end SRX Series devices, the flowd process might crash because of a 64-bit unaligned memory access. PR1085153
• On all SRX Series devices, if 1:1 sampling is configured for J-Flow and the device processes a high volume of traffic, a race condition of an infinite loop of J-Flow entry deletion might be encountered, As a result, the flowd process crashes. PR1088476
• n all SRX Series devices, if the inactivity-timeout value of an application is configured bigger than 65535, only the 16 bit value will be used to calculate the inactivity-timeout value, which causes the application sessions expired unexpectedly. PR1093629
• On all SRX Series devices configured with OSPFv3 , if the JSF DPI plugin (JDPI) enables session serialization, the device drops the OSPFv3 packets in transparent mode when the packets are reinjected.PR1094093

Infrastructure

• On all SRX Series devices, when you run the show security policies hit-count command, the Routing Engine memory is overwritten. As a result, the nsd process crashes. This issue occurs when security policies are not synchronised between the Routing Engine and the data plane.PR1069868

Interfaces and Routing

• On all high-end SRX Series devices, when you run the show security policies hit-count command, the Routing Engine memory is overwritten. As a result, the nsd process crashes. This issue occurs when security policies are not synchronised between the Routing Engine and the data plane. PR1069371
• On all high-end SRX Series devices, you will not be able to configure a nested default application-set within a logical system. PR1075409
• On all SRX Series devices, when you use UTF-8 encoding to generate the certificate with the certificate authority (CA), certificate validation fails. PR1079429
• OOn SRX1400 devices with jumbo frames and low interpacket gaps, the interface (ge-0/0/0 to ge-0/0/5) reports Jabber or code violation errors, resulting in traffic loss. PR1080191
• On all high-end SRX Series devices, if VLAN tagging is configured on an aggregated Ethernet (ae) or a redundant ethernet (reth) interface, then deleting a logical interface of this ae or reth interface might cause the SPU crash to stop responding on the kernel level. PR1093804

Intrusion Detection and Prevention (IDP)

• On SRX1400 Series devices, the only valid value is 0 for the set security idp sensor-configuration ssl-inspection maximum-cache-size command. As expected, the valid number should be a range from 1 to 5000000. PR1091686

J-Web

• On all high-end SRX Series devices, you cannot open the Edit Radio” window if the wpa-enterprise option is configured for a virtual access point. PR945039
• On all high-end SRX Series devices, when you log in to J-Web using the logical system through Internet Explorer, the error Exception in data refresh might be displayed in the J-Web dashboard messages log. PR1096551
• On high-end SRX Series devices, security policy rules that contain the permit action do not get updated when you edit the policies using J-Web. PR1098240

Network Address Translation (NAT)

• On SRX5400, SRX5600, and SRX5800 devices with the SRX5K-SPC-4-15-320 (SPC2) installed, if a NAT IP address pool is configured with a large number of IP addresses (more than 56, 000), then running the show snmp mib walk jnxJsNatSrcNumPortInuse command causes the LACP to flap. PR1053650
• On all high-end SRX Series devices, after ISSU, the configuration might not take effect and the NAT configuration remains ineffective. However, the non-NAT configuration will take effect when you run the commit full command. PR1071819
• On all high-end SRX Series devices, the entry's timeout value of ALG is configured larger than the timer wheel's maximum timeout value (7200 seconds). However, this entry cannot be inserted into the timer wheel. As a result, an ALG persistent NAT binding leak occurs. PR1088539

Platform and Infrastructure

• On all high-end SRX Series devices, the kernel might crash when running the automatic script. PR1090549

Switching

• On all high-end SRX Series devices, when you connect to the device through wireless AP the secure access port incorrectly allows access to the MAC addresses that are not in the list of allowed MAC addresses. PR587163

Virtual Private Networks (VPNs)

• On SRX1400 devices, packets that are forwarded through the port of the SRX1K-SYSIO-GE card might be dropped due to CRC error. PR1036166
• On high-end SRX Series devices with IPsec VPN configured, the IPsec VPN tunnel might fail to be reestablished after recovery from tunnel flapping, . This occurs because an old, invalid tunnel session exists on the central point. As a result, an attempt to create the new tunnel session fails. PR1070991
• On all high-end SRX Series devices with dynamic VPN configured, the key management process (KMD) might crash when an IKE payload with a different port number is received. PR1080326
• On all high-end SRX Series devices with IPsec VPN configured, if the SRX Series device is the initiator and the other peer is from another vendor, the Internet Key Exchange (IKE) tunnel negotiation might not come up under certain conditions. PR1085657
• On all high-end SRX Series devices, when the alarm-without-drop option is configured for the UDP Flood Protection screen, packets classified as attack packets might be sent out of order. This can result in performance degradation. PR1090963
• On all high-end SRX Series devices, the output of the show system processes resource-limits process-name pki-service command cannot be shown correctly because of a missing file. PR1091233
• On all high-end SRX Series devices, if traffic selectors are configured for IPsec VPN, the data traffic of some applications in which the control session and the data session are separated will fail pass-through authentication over the IPsec VPN tunnel. For example, the data session of FTP working in active mode might fail. PR1103948
• On all high-end SRX Series devices, the IPsec tunnel might not come up on the data plane if both the st0 interface configuration and the IPsec VPN configuration, which are under the [security ike] and [security ipsec] hierarchies, are provided in one commit. PR1104466

Resolved Issues - 12.1X46-D35

Application Identification

• On all high-end SRX Series devices running Junos OS Release 12.1X46 and earlier, if application identification (AppID) is enabled, performance degradation is seen in comparison with devices running Junos OS Release 12.1X47-D10 and later. This is because the AppID function does not ignore the related sessions when AppID has reached the terminal state, and continues with the serialization processing for those sessions. It is important to note that Junos OS Release 12.1X47 and later releases use advanced AppID. PR1046509

Application Layer Gateways (ALGs)

• On all high-end SRX Series devices in a chassis cluster with TCP-based ALG enabled and the TCP keepalive mechanism used on the TCP server and client, after a data plane redundancy group (RG1+) failover, the keepalive message causes the mbuf to be held by the ALG until the session timeout. As a result, a high mbuf usage alarm is generated. Application communication failure occurs due to lack of mbuf. PR1031910
• On all high-end SRX Series devices with the SIP ALG and NAT enabled, if you place a call on hold or off hold many times, each time with different media ports, the resource in the call is used, resulting in one-way audio. Tearing down the call clears the resource, and following calls are not affected. PR1032528
• On all high-end SRX Series devices in a chassis cluster with the SCCP ALG enabled and if the SCCP state in use flag is not configured in the process of the SCCP call in the device, the related real-time object (RTO) hot synchronization might cause the flowd process to crash. PR1034722
• On all high-end SRX Series devices with the MS-RPC ALG enabled, the flowd process might crash when the MS-RPC ALG processes the crafted ISystemActivator RemoteCreateInstance Response packets. PR1036574
• On all high-end SRX Series devices with the SIP ALG and NAT enabled, the SIP ALG does not execute IP translation for the retransmitted 183 session progress messages. In this scenario, the SIP call will fail when the device receives the first 183 session progress messages without SDP information, but the retransmitted 183 session progress messages contains SDP information. PR1036650
• On all high-end SRX Series devices, the DNS ALG does not terminate the session when a truncated DNS reply is received. Hence, the session remains up until high timeout (10~50) is reached. PR1038800
• On all high-end SRX Series devices, the SIP ALG decode packet error occurs in the system log when the unsupported blank packets are used as keepalive messages. PR1057170
• On all high-end SRX Series devices, the current SIP parser does not parse the quotation marks in the mime message boundary, and the message body of the SIP messages might be cut off. PR1064869
• On all high-end SRX Series devices with the MS-RPC ALG enabled, the flowd process might crash due to incorrect MS-RPC ALG parsing for the ISystemActivator RemoteCreateInstance Response packets. PR1066697

Authentication

• On all high-end SRX Series devices with firewall authentication configured, an authentication entry leak on the data plane occurs when an authenticated user tries to re-authenticate. As a result, firewall authentication will not allow anymore authentication entries to be created. PR969085
• On all high-end SRX Series devices with firewall authentication enabled, when a firewall authentication from an authenticated IP address for a new authentication fails, and then a pass-through firewall authentication tries this entry, the firewall authentication function accesses a freed memory, which results in a flowd process crash. PR1040214
• On all high-end SRX Series devices with firewall authentication enabled, in a rare timing condition, if there are many pending sessions in a firewall authentication entry with failed state, then a packet entering and matching this failed authentication entry might cause the flowd process to crash. PR1048623

Chassis Cluster

• On SRX5400, SRX5600, and SRX5800 devices with SPC II cards installed, when IP spoofing is enabled, after the device under test (DUT) is rebooted, the address books in the Packet Forwarding Engine will be removed and not pushed back into the Packet Forwarding Engine. Due to this issue, IP spoofing does not work after the reboot. PR920216
• On all high-end SRX Series devices in chassis cluster mode, during control plane RG0 failover, a policy resynchronization operation compares the policy message between the Routing Engine and the Packet Forwarding Engine. However, some fields in the security policy data message are not processed. Data for unprocessed fields might be treated differently and cause the flowd process to crash. PR1040819

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices configured as a DHCP server (using the jdhcpd process), when the DHCP server gets a new request from a client and applies an IP address from the authentication process (authd), the jdhcpd process communicates with authd process twice as expected (once for the DHCP discovery message and once for the DHCP request message). If the authentication fails in the first message, the authd process will indefinitely wait for the second authentication request. However, the jdhcpd process never sends the second request, because the process detects that the first authentication did not occur. This causes memory leak on the authd process, and the memory might get exhausted, generating a core file and preventing DHCP server service. High CPU usage on the Routing Engine might also be observed. PR1042818

General Packet Radio Service (GPRS)

• On all high-end SRX Series devices in a mobile packet core network, with GTPv2 enabled and the device configured as a border gateway, the GTP packets might be dropped with a missing information element drop reason message. The packets are dropped because the information element check in processing the GTPv2 modify bearer request is not accurate. The check should only exist when Tracking Area Updates (TAU), Routing Area Updates (RAU), or handover are processed with a Serving Gateway (SGW) change on the S5/8 interface. PR1065958

Flow-Based and Packet-Based Processing

• On all high-end SRX Series devices, the Network Processing Unit (NPU) TCP sequence check might cause TCP packets to be dropped if the services-offload policy permits. PR891118
• On all high-end SRX Series devices, when composite next hop is used, RSVP session flap might cause an if state mismatch between the master Routing Engine and the backup Routing Engine, leading to a kernel crash on the master Routing Engine. PR905317
• On all high-end SRX Series devices with IDP configured, in rare cases, where the device runs out of memory, the flowd process might crash if shell code detection occurs. PR985139
• On all high-end SRX Series devices, when you configure http-get RPM probes to measure the website response, the probes might fail because the HTTP server might incorrectly interpret the request coming from the device. PR1001813
• On all multiple thread-based high-end SRX Series devices, if IDP, AppSecure, ALG, GTP, or the SCTP feature, which is required for serialization flow processing is enabled, the device might encounter an issue where two flow threads work on the same session at the same time for the serialization flow processing. This issue might cause memory corruption, and then result in a flowd process crash. PR1026692
• On all high-end SRX Series devices, when a device forwards traffic, a flowd core file is generated. This is a generic issue and does not impact any feature. PR1027306
• On SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices, if session distribution mode is set to hash mode, the TCP connections that are required for session serialization processing might not be established. This is because of incorrect processing of the 3-way handshake in the TCP proxy module. PR1037822
• On all high-end SRX Series devices in a chassis cluster Z mode, if static NAT or destination NAT is configured, and in the NAT rule, the IP address of the incoming interface is used as a matching condition of the destination address (for example, set security nat static <rule-set-name> rule <rule-name> match destination-address <use the IP address of incoming interface>), then the traffic matching the NAT rule is discarded. PR1040185
• On all high-end SRX Series devices with GRE tunnel configured, the carrier interface of GRE tunnel is not updated when a more accurate and new route to the tunnel destination address is added, which might cause traffic loss in some scenarios. PR1040666
• On all high end SRX Series devices, when self-generated traffic is processed by IDP, the IDP function might trigger an unmatched flow lock operation, which leads to a dead lock condition, and eventually causes the flowd process to crash. PR1046801
• On all high-end SRX Series devices in transparent mode, when the PIM register-stop message passes through the device, the device cannot match the PIM session that is created by the register packet. The PIM register-stop message tries to create a new session, and the session is dropped during the session creation process due to a session conflict. PR1049946
• On all high-end SRX Series devices running Junos OS Release 12.3X48-D10 or later, with enhanced Web filtering configured, the connection to the Websense ThreatSeeker Intelligence Cloud might time out if strict-syn-check is enabled under the [security flow tcp-session] hierarchy. PR1061064

Hardware

• On all high-end SRX Series devices, due to an I2C hardware issue, the power entry module (PEM) status register is unstable. As a result,the chassisd reports the wrong power state. PR1047547

Interfaces and Routing

• On all high-end SRX Series devices, when a router is acting as an NTP broadcast server, broadcast addresses must be in the default routing instance. NTP messages are not broadcasted when the address is configured in a VPN virtual routing and forwarding (VRF) instance. PR887646
• On all high-end SRX Series devices, LAG interface gratuitous ARP is neither generated nor sent out on the link when gratuitous-arp-on-ifup is configured. PR889851
• On all high-end SRX Series devices, the clear security dns-cache command is extended to resolve all DNS entries immediately. Similarly, the security policies containing DNS names are updated immediately to use the refreshed IP addresses after the FQDN addresses are resolved. PR970235
• On all high-end SRX Series devices, during the ISSU process, the Packet Forwarding Engine connects and sometimes disconnects the Routine Engine. Hence, the IP resolve events sent to the Packet Forwarding Engine are ignored. When you configure multiple DNS policies after the ISSU process, some of the policies will not have IP addresses in the Packet Forwarding Engine. PR985731
• On all high-end SRX Series devices, the commit synchronize command fails because the kernel socket gets stuck. PR1027898
• On SRX1400, SRX3400, and SRX3600 devices, memory leak occurs on the Control Plane Processor (CPP) logical interfaces are deleted and the interprocess communication messages are received by the CPP. High memory usage on the CPP might be seen in an interface flapping situation. PR1059127

J-Web

• On all high-end SRX Series devices, if a security policy contains a tcp-options statement, modifying this security policy by using J-Web results in the loss of the tcp-options statement. This is because the tcp-options configuration is missing in the J-Web security policy configuration. PR1063593

MIBs

• On all high-end SRX Series devices, there are compilation issues with the mib-jnx-license, mib-jnx-sp-nat, and mib-jnx-subscriber MIBs. PR794327

Network Address Translation (NAT)

• On all high-end SRX Series devices with persistent NAT enabled, if an invalid flow with the protocol value 0 creates a persistent NAT entry, then this persistent NAT entry is not cleared even when the invalid session is cleared. PR935325
• On all high-end SRX Series devices configured in chassis cluster mode, when ALG traffic performs NAT translation, in a rare condition, invalid ALG binding entries might be created on the secondary node, which results in a flowd process crash on the secondary node. PR1037617

Platform and Infrastructure

• On all high-end SRX Series devices, the packets per second (pps) and bits per second (bps) counters are not reporting accurate values while checking the monitor traffic interface interface-name command or the show interface interface-name extensive command. PR1033222
• On all high-end SRX Series devices, the configurations of group junos-defaults are lost after a configuration rollback. As a result, the commit command fails. PR1052925

Security Policy

• On all high-end SRX Series devices, when two security policies are combined and the whole address space is used, then the secondary security policy might fail to evaluate traffic. PR1052426
• On all high-end SRX Series devices, changing a dynamic address of a security policy might cause its dynamic address identification to be mismatched between the Routing Engine and the Packet Forwarding Engine due to the difference between the new and the old configuration being ignored. PR1061253
• On all high-end SRX Series devices configured in a chassis cluster, the count option in security policy might not work after failover. This is because the Packet Forwarding Engine does not resend the message with policy states to the Routing Engine after failover. The policy lookup counter might disappear when you execute the show security policies from-zone * to-zone * policy-name * detail |grep lookups command. PR1063654

Unified Threat Management (UTM)

• On all high-end SRX Series devices, when UTM Sophos antivirus is enabled and a file that is not supported by Sophos antivirus is transferred through SMTP, the device might not be able to handle the last packet, and mail will be on hold. When packets are later sent on this session, the packet that was on hold will be handled by the device and the system will return to normal state. PR1049506
• On all high-end SRX Series devices, if the name server is configured and the interface pointing to the name server is down, in a rare condition, the flowd process might crash due to a UTM internal function even though UTM is not configured. PR1066510

Virtual Private Networks (VPNs)

• On all high-end SRX Series devices with IPsec VPN configured using IKE version 1, the device can hold only two pairs of IPsec security associations (SAs) per tunnel. When the third IPsec SA rekey occurs, the oldest IPsec SA is deleted. Due to this mechanism, a looping of IPsec SA rekey might occur. For example, when a VPN peer contains incorrect configuration that has more than two proxy IDs matching only one proxy ID on a device, the rekey looping issue might cause the flowd process to crash on multiple thread-based SRX Series devices. PR996429
• On all high-end SRX Series devices, in a hub-and-spoke IPsec VPN scenario, on the hub site, when committing the static NHTBs on the multipoint secure tunnel (st0) interface, the VPN routes might become active even though the VPN tunnel is down. This issue also occurs when the system reboots with static NHTBs and the related static routes configured. PR1007235
• On all high-end SRX Series devices, the block size for Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) has been reduced from 8 to 4. Block size 8 is used for connecting to other SRX Series devices, and block size 4 is interoperable with systems from Cisco, strongSwan, and other companies. When you set the correct block size 4 for AES-GCM, it causes a problem when connecting to previous releases of Junos OS for SRX Series devices. The problem affects certain packet sizes, so it might appear to work for some traffic, such as ping, but not for other traffic. In a hub-and-spoke configuration, the upgrade causes problems with tunnels to all spokes until they are upgraded. PR1037432
• On all high-end SRX Series devices, when a primary IP address of an interface changes, some IPsec tunnels terminated on that interface might go down. PR1044620
• On all high-end SRX Series devices configured with a large number of IPsec VPN tunnels, in a very rare condition, if VPN monitoring is enabled, the kmd process might crash when you delete the partial VPN tunnels. PR1044660
• On all high-end SRX series devices, in a tunnel over route-based IPsec VPN, GRE or IP-in-IP tunnel scenario, such as IPsec VPN over GRE tunnel, after the encapsulation of the first tunnel, the next-hop in internal processing might not be set properly to point to the second tunnel, which results in packet loss. PR1051541

Resolved Issues - 12.1X46-D30

Application Layer Gateways (ALGs)

• On all high-end SRX Series devices, when the ALG processes SIP traffic, a memory corruption issue might occur, causing the flowd process to crash. PR992478
• On all high-end SRX Series devices with the MS-RPC ALG enabled, occasionally, when more than one IP and port pair exist in the MS RPC response packet, and if these IP and port pair are the same, the ALG group might leak. This issue might occur even in a Sun RPC scenario. PR1010499

Chassis Cluster

• On all high-end Series devices in a chassis cluster, the security zone is not populated properly on the J-Web interface port configuration page. PR859200
• On all high-end SRX Series devices in a chassis cluster, the SPC CPU loading of the new backup node might be higher after a data plane failover due to packets forwarded between node0 and node1, which is a dead loop. PR963033
• On all high-end SRX Series devices in a chassis cluster, the backup node should not send SNMP traps. PR982777
• On all high-end SRX Series devices in a chassis cluster, when you terminate the GRE tunnel over IPsec VPN, sessions through the GRE tunnel are deleted unexpectedly when the session that is installed on the backup node times out, which is normally at eight times the session timeout. PR982880
• On all SRX Series devices in a chassis cluster, when source NAT is configured with a port no-translation pool and a port overflow pool with address persistent feature, the port resource of the overflow NAT pool leaks on backup node when the translated IP address creates conflict on the port no-translation pool. PR991649
• On SRX3400 and SRX3600 devices in a chassis cluster, the FPC0 Minor Errors alarm is raised because of the excessive invalid pkt type errors reported by the Network Processing Card. PR1008968

Command Line Interface (CLI)

• On all high-end SRX Series devices, in a rare condition, a corrupted memory might be created in data-plane, and then executing the command show xlr pkt_mbuf, which is a part of the request support information command, results in the flowd process crash. PR1005067
• On all high-end SRX Series devices, when you configure multiple stream mode under the [security log] hierarchy and one of the stream modes is set to severity warning, the system log traffic on the other streams is stopped. PR1009428
• On all high-end SRX Series devices, system commit synchronize is not supported. Hence, when you configure it will not be committed due to a configuration lock. PR1012692
• On all high-end SRX Series devices, the CLI auto-complete does not work for any key words after set system login class <name> permissions command. PR1032498

Flow and Processing

• On all high-end SRX Series devices, under certain conditions, the creation of a multicast leaf session might result in an invalid multicast next hop, which crashes the flow module. PR921438
• On all high-end SRX Series devices, for IDP, AppSecure, ALG, GTP, or SCTP, the flow serialization impacts session performance. This flow serialization continues even after Layer 7 processing is completed. PR986326
• On all high-end SRX Series devices, the logical tunnel interface encapsulated Frame Relay is not supported. When you configure logical tunnel interface encapsulated Frame Relay, the flowd process crashes. PR996072
• On SRX1400 devices, datapath debugging does not capture the system-generated packets. PR1004074
• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K IOC II, the SRX5K IOC II might send packets out of order, causing end-to-end performance degradation. PR1007455
• On all high-end SRX Series devices (except SRX1400), fragmented IPsec packets might be out of order after decryption, causing TCP packet retransmission and performance degradation. PR1013223
• On SRX1400 devices, in a rare condition, SPUs might run into dead loop situation. High CPU usage on SPUs will be seen, and the flowd process will crash in the end. PR1017665
• On all high-end SRX Series devices, when the central point runs in combo mode on an SPC I card, and when enable-utm-memory and in-line-tap IDP mode are enabled concurrently, the flowd process crashes continuously. PR1019568
• On all high-end SRX Series devices, in some scenarios, the flowd process might generate core files due to stack overflow while running a log collection script on the device. PR1020739
• On all high-end SRX Series devices, when heavy load is on the Packet Forwarding Engine management CPU, the speed of IPC sending and receiving between the Routing Engine and the Packet Forwarding Engine might not match, causing security policies to become out-of-sync between RE and PFE. PR1022351
• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K IOC II, configuring a sampling feature (flow monitoring) might cause high kernel heap memory usage. PR1033359

General Packet Radio Service (GPRS)

• On all high-end SRX Series devices with GTP enabled, some GTP traffic might be dropped due to the reason message Reason zero TID/TEID. This is because some GTP messages do not contain a TEID value in the GTP message header (such as Identification Response messages), and these messages are dropped incorrectly. PR999468

Infrastructure

• On SRX1400, SRX3400, and SRX3600 devices configured with firewall simple filters, if you change the simple filter terms, some terms might not be installed properly in the data plane. As a result, the simple filter might not work as expected. PR1012606

Interfaces and Routing

• On all high-end SRX Series devices, CoS buffer sizes are not recalculated after you delete the interface units. This might result in suboptimal CoS behavior. PR953924
• On SRX5400, SRX5600, and SRX5800 devices configured with SPC II cards, memory leak might occur on the SPC II Control Plane Processor (CPP), causing the SPC II CPP to reboot. PR975345
• On SRX5400, SRX5600 and SRX5800 devices, the egress packets delay bandwidth in queue 4 to queue 7 might be dropped when traffic bursts. PR1007778
• On all high-end SRX Series devices, when a new user is created, the home directory for the user is not created. PR1015156
• On all high-end SRX Series devices, during route deletion on Packet Forwarding Engine, next-hop entries might not be deleted, these stale next-hops may continue to be used by sessions resulting in flowd process crash. PR1017037

Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices, due to a software defect in XML parsing failure cases, the idpd process might crash during the updating of IDP security packages. PR1011610

J-Web

• On all high-end SRX Series devices in a chassis cluster, when the switch to Layer 2 mode button is pressed in J-Web, it does not ask for any confirmation and converts to transparent mode immediately and reboots the device. PR1007740
• On all high-end SRX Series devices, on the Dashboard page, the serial number and the system uptime are not displayed. PR1009371

Network Address Translation (NAT)

• On all high-end SRX Series devices, when source NAT is configured, the ports are allocated randomly by default. In rare circumstances, the global random port table of source pools or interfaces becomes damaged by certain services or traffic. This damage can result in low-range ports being assigned a higher priority in sessions. Ports might be reused quickly, causing application access failure. PR1006649

Platform and Infrastructure

• On all high-end SRX Series devices, there is some buffer leak in Application Delivery Controller (ADC) and Transparent Load Balancer (TLB) services due to the malfunction of atomic functions. PR934768

Security

• On all high-end SRX Series devices, when you swap the sequence of security policies or when security policies are disabled by scheduler, the applications configured in these security policies might be added to other enabled security policies, causing unexpected applications to be evaluated by other security policies, and traffic to be permitted or denied unexpectedly. PR1033275
• OpenSSL released a Security Advisory that included CVE-2014-3566 known as the "POODLE" vulnerability. The SSL protocol 3.0 (SSLv3) uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain clear text data through a padding oracle attack. OpenSSL is upgraded to support for SSL 3.0 fallback protection (TLS_FALLBACK_SCSV). Refer to JSA10656 for more information. PR1033938

System Logging

• On all high-end SRX Series devices, the custom dynamic group with the service TCP filter or UDP filter does not include TCP or UDP port-bound attack signatures. The following error message is displayed:

  'dynamic-attack-group OTHER-PROTO-REC-CTS'
  Attack TCP-PROTO-REC-CTS: No matching members found. Group is empty error: configuration check-out failed

  The group should not be empty, because of the configured queries of the custom dynamic group. PR1002526

• On all high-end SRX Series devices, RT_PFE errors might be generated due to reroute failure when a more specific route entry is added or deleted. PR1009947
• On all high-end SRX Series devices, the flowd_octeon_hm: pconn_client_connect: Failed to connect to the server after 0 retries message repeats in the log. PR1035936

Unified Threat Management (UTM)

• On all high-end SRX Series devices, due to a memory leak issue in the utmd process, the utmd process might cause control plane CPU utilization that is higher than expected even when the Unified Threat Management (UTM) feature is not enabled. The memory leak can only be triggered if there is a UTM license installed on the system. PR1027986
• On all high-end SRX series devices with Web Trends Enhanced Log File (WELF) format configured for security log, when system generates very long WELF formatted logs (such as, more than 1k bytes), and it is truncated on Packet forwarding engine (PFE) and sent to Routing Engine (RE), a memory corruption issue might occur in this situation, resulting in the flowd process to crash. This issue occurs more when Unified Threat Management (UTM) Web Filtering is configured. PR1038319

VPN

• On all high-end SRX Series devices, the IPv6 traffic is reordered during the encryption of IPsec VPN because the fragment order is not maintained for the IPv6 traffic. PR962600
• On all high-end SRX Series devices, dynamic VPN user groups are not able to access certain remote resources. In this scenario, there are two policies referring to the same dynamic VPN and one of the policy directions is not set. Hence, the lookup fails in the null policy at the end. PR988263
• On all high-end SRX Series devices with IPsec VPN configured, due to a rare timing issue, IPsec VPN traffic might be dropped as the reason of "bad SPI" on the traffic receiving side during IPsec Security Association (SA) rekey. PR1031890
• On all high-end SRX Series devices with policy-based IPsec VPN configured, deleting security policies that are associated with a VPN tunnel might result in a stale VPN tunnel remaining. In addition, the stale VPN tunnel might be associated with the newly added security policies. PR1034049

Resolved Issues - 12.1X46-D25

Application Layer Gateways (ALGs)

• On all high-end SRX Series devices, when RTSP ALG traffic passes through the routing instance type virtual router, under some conditions the traffic is dropped. PR979899
• On all SRX Series devices, when there is heavy SIP traffic through the device, high CPU usage is seen on one or more SPUs. This issue occurs due to a certain type of SIP-handling logic, which dumps payload packets to the internal buffer. This logic has been optimized to reduce load on the SPU. PR985932

Chassis Cluster

• On all high-end SRX Series devices in a chassis cluster with multicast configuration, when the Redundancy Group 0 (RG0, a Redundancy Group for RE) failover, it might cause too many memory fragments in kernel, and result in some control operation failure due to lack of continuous memory. PR944604
• On all high-end SRX Series devices in a chassis cluster, when the secondary node becomes ineligible due to control link failure it might still forward the traffic. This causes the reth interface to flap and the related traffic to drop when the secondary node is in ineligible state. PR959280
• On all SRX Series devices in a chassis cluster with the PPTP ALG enabled and the PPTP session closed, a memory corruption might occur on the secondary node, which causes the flowd process to crash. PR993447
• On all high-end SRX Series devices in a chassis cluster with interface monitoring enabled, interfaces might be incorrectly monitored as down due to a memory allocation issue. PR1006371

Command-Line Interface (CLI)

• On all high-end SRX Series devices, the show interface extensive command is cut short with the error message error: route rpf stats get for interface. PR930630

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, you cannot get the DHCP relay information through SNMP if DHCP relay is configured under the logical system. For example: bash-3.2# snmpwalk -c lsys1/default@junos -t 5 -v 1 -Os -Oq -Oe -Pu -m /tmp/jnx-smi.mib:/tmp/jnx-jdhcp.mib 10.208.131.136 jnxJdhcpRelayStatistics bash-3.2#

  PR909906

• On all high-end SRX Series devices, DHCPv6 does not work in IPv6 mode. PR942246
• On all high-end SRX Series devices which work as a DHCP server, if the server receives a DHCP INFORM packet from a binding client, and then this binding entry is released by issuing clear system services dhcp binding command, or the server receives a DHCP RELEASE packet from the same client, this will cause the IP address not get released and the same IP address might assign to a different client in the subsequent assignment. PR969929

Flow and Processing

• On all SRX Series devices, when you run the clear security flow session command with a prefix or port filter, some of the sessions are not matched with the filter, causing a traffic drop or delay. This issue is triggered by any of the filters. PR925369
• On all high-end SRX Series devices, in certain situations, flow sessions time out and get corrupted. This leads to the flow sessions being set to an abnormally high value, which eventually leads to the session table becoming full. PR955630
• On all high-end SRX Series devices, when you configure an ICMP probe-server option under the [services rpm] hierarchy for a specific interface (for example, ge-0/0/0), the device does not respond to ICMP requests from this interface. Other interfaces are not affected and continue to respond to ICMP requests. PR960932
• On all high-end SRX Series devices, when you reboot the passive node, the CPU usage increases on flow SPUs of the primary node and this lasts for a few seconds when the traffic latency is increased. PR962401
• On all high-end SRX Series devices, filter-based forwarding (FBF) rules are ignored when existing sessions are rerouted. PR962765
• On all high-end SRX Series devices deployed in a multicast scenario, a memory leak on the fwdd process might occur when the multicast routes change. PR963116
• On all high end SRX devices, when it processes fragmented packets, the first fragment (the fragment contains layer 4 information) will be used to create session, and the subsequent fragments will be queued on a memory block. When in session creation stage, the queued fragments might be processed for flow processing even though the session is still in pending state, this results in the order information lost and the fragmented packets forwarded out of order. PR993925

Hardware

• On SRX5400, SRX5600, and SRX5800 devices configured with SPC II cards, memory leak might occur on the SPC II Control Plane Processor (CPP), causing the SPC II CPP to reboot. PR975345
• On SRX5400, SRX5600, and SRX5800 Series devices with SPC used, in certain condition, SPUs might hang due to memory unaligned accessing. Memory unaligned accesses is supported by default. PR980122
• On SRX5400, SRX5600, and SRX5800 devices, after fabric reconnect (it can be reconnected by issue the restart chassis-control immediately command), setting the fabric plane to offline and then setting it to online will fail. The fabric plane link error message will be seen by issue the show chassis fabric fp command. PR990679

  On all high-end SRX devices, session ager might gets stuck due to a memory corruption, causing maximum session limitation to be reached on services processing units (SPUs). PR991011

Interfaces and Routing

• On SRX5400, SRX5600, and SRX5800 devices, there are incorrect counters on reth interface. PR978421

Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices, when the LACP mode is fast and the IDP is in inline-tap mode, a LACP flap might occur when you commit the configuration. PR960487
• On all high-end SRX Series devices, when the IDP security package update contains a detector version change, the configured detector kconst values are not pushed from the idpd process to the Packet Forwarding Engine. Hence, the newly loaded detector takes default values. PR971010
• On all SRX Series devices, when you configure an automatic security package update without configuring the schedule interval and start time, high CPU usage on the idpd process is seen. PR973758

Network Address Translation (NAT)

• On all high-end SRX Series devices, in rare cases, the device starts using sequential source ports for source NAT because of random function memory corruption. PR982931

Screens

• On all high-end SRX Series devices with flooding type screens configured, if multiple logical interfaces on the same Network process Unit (NPU) have been configured in the same zone, then changing the flooding thresholds might cause each of these logical interfaces to have inconsistent thresholds, and sometimes some logical interfaces might not have any screen flood protection at all. PR972812

System Log

• On all high-end SRX Series devices, every time a user logs in with SSH, a veriexec: fingerprint mismatch message is reported in the log. PR929612
• On all high-end SRX Series devices, the new entry or flag representing an alert notification is seen in the system log message. If the alert is configured in the IDP rules, the flag is set to yes; otherwise, it is set to no. PR948401
• On all high-end SRX Series devices, Duplicate FLOW_IP_ACTION logs are generated while sending traffic. PR959512
• On all high-end SRX Series devices, the SNMP walk for the jnxPicType2ASPCXLP object might fail and show the jnxPicType2ASPCXLP (could not resolve 'jnxPicType2ASPCXLP' to an OID) error message in the logs, and fails to receive information from the device. PR974463

Virtual Private Networks (VPNs)

• On all high-end SRX Series devices, in certain situations when the device has more than one IKE Security Association (SA) installed for the same peer device and DPD is triggered, the messages are not sent out from the device to the peer device, causing the IKE SA to be installed on the device until the IKE SA expires. PR967769
• On all high-end SRX Series devices, when the device is configured with similarly named CA profiles (example: caprofile, caprofile_1, caprofile_3 and so on) and CA certificates are loaded to these profiles, when first CA certificate is cleared other certificates which has the CA profile that starts with the same keyword will be cleared as well. PR975125

Resolved Issues - 12.1X46-D20

Application Layer Gateways (ALGs)

• On all high-end SRX Series devices, the Microsoft Active directory or Microsoft Outlook client might get disconnected from the server because the MS-RPC ALG incorrectly drops the data connections under heavy load. PR958625

AppSecure

• On all high-end SRX Series devices, the application firewall module might cause the Network Security Daemon (NSD) to create up to 4 KB of memory leak when you commit each configuration. PR969107

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, DHCPv6 does not work in the IPv6 mode. PR942246

Flow and Processing

• On all high-end SRX Series devices, the flowd process might crash during the session installation. PR956775

J-Web

• On all high-end SRX Series devices, J-Web does not accept the keyword “any” in the address-book object name. PR944952

Network Address Translation (NAT)

• In Junos OS Release 12.1X46-D10 and earlier, the device could not send the SNMP trap for the NAT pool with logical systems configured. Starting in Junos OS Release 12.1X46-D20, the SNMP trap for the NAT pool with logical systems configuration can be sent from the device. PR959219

Platform and Infrastructure

• On all high-end SRX Series devices, if the NTP server is not a stratum 1 server, the NTP synchronization process cannot be completed.To confirm this issue is occurring, use the show ntp status command. PR864223
• On all high-end SRX Series devices, the nsd process might hold a buffer related to the NAT proxy-arp process, and it does not release the buffer. This causes a memory leak on the nsd process when you commit a configuration. PR931329
• On all high-end SRX Series devices, in certain circumstances, the high CPU consumption on the data plane and an eventual exhaustion of the internal system buffers might corrupt the forwarding table, which causes the traffic to drop partially. PR938742
• On SRX5600 and SRX5800 devices, during the LICU code upgrade for the control port, the FPCx (DPC) changes to any erroneous number and needs to use the non-IOC port (SPC, existing or not) on the chassis.

  Refer to KB17947 for additional information. PR953029

System Log

• On all high-end SRX Series devices, the error OpenSSL: error:14090086:lib(20):func(144):reason(134) means that server certificate verification has failed. The certificate might be a self-signed certificate or an expired certificate. PR932274

Unified Threat Management (UTM)

• On all high-end SRX Series devices, when you install a license, you might see the message license not valid for this product add license failed. Even though the message appears, the feature still functions normally. In addition, the show system license command does not display the Sophos antivirus, antispam, or Web filtering licenses. PR948347
• On all high-end SRX Series devices, UTM blacklists and whitelists should work without an EWF license. PR970597

Virtual Private Networks (VPNs)

• On all high-end SRX Series devices, during VPN configuration change with an interface configuration change at the same commit, or after rebooting the device with VPN and interface configured together, the tunnel sessions created in flowd are missing. This impacts the traffic flow on that tunnel. The invalid bind interface counter returns a nonzero value when you run the show usp ipsec global-stat command. PR928945
• On SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices, high CPU usage occurs after installing additional SPC cards without a full cluster reboot and IPsec tunnels carry the SCTP traffic anchored on the device. PR945162
• On all SRX Series devices, any configuration changes to the st0.x interface might delete the NHTB entries for unrelated st0 interfaces. PR958190

Resolved Issues - 12.1X46-D15

Application Layer Gateways (ALGs)

• On SRX Series devices with the VoIP-related ALG (either H.323 or SIP) and NAT enabled for the VoIP traffic, the corresponding ALG creates persistent-nat-binding entries for the reverse VoIP traffic (even though the persistent NAT feature is not configured in the source NAT rule) when VoIP traffic is transmitted into a custom routing instance. Hence, the system does not apply the custom routing instance information to the persistent-nat-binding entries, and the reverse traffic that matches the persistent-nat-binding entries is forwarded to the default routing instance instead of to the custom routing instance. The reverse traffic is dropped or forwarded to the wrong place. PR924553

Chassis Cluster

• On devices in a chassis cluster working as a Unified Access Control (UAC) enforcer, when RG0 failover occurs, the Packet Forwarding Engine might connect to the uac process before the uac process connects to the UAC server. In this condition, the uac process conveys to the Packet Forwarding Engine that the UAC server is disconnected. When the Packet Forwarding Engine receives this information, it denies new traffic that matches the UAC policies. The traffic is resumed after the connection of the uac process and UAC server is established. PR946655

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, after you configure DHCPv6 in IPv6 mode, the dhcpv6 process crashes. PR940078

Flow and Processing

• For SCTP IPv6 traffic in traffic logs, all the source and destination ports are marked as using port 1. PR928916
• When IKE packets are received before Junos OS default applications are pushed to the Packet Forwarding Engine, the IKE sessions will be established without the IKE application having been marked. As a result, the fragmented IKE packet cannot be sent to iked, because the IKE session has not used IKE applications. PR942730
• On devices with 1 GB of memory, if the advanced services license is configured with the reduce-dp-memory option, memory is not released from the data plane to the control plane. PR895648

Interfaces and Routing

• When IS-IS is configured between the SRX device and some third-party devices, after the SRX device is rebooted and the IS-IS adjacency is reestablished, the routes advertised by the third-party devices might not install into the routing table in some cases. PR935109

Intrusion Detection and Prevention (IDP)

• On SRX Series devices configured with IDP, for the AppSecure, ALG, GTP, or SCTP features that require the serialization flow processing, the memory buffer might leak, causing the flowd process to crash. PR930728

J-Web

• J-Web does not accept the address if the object name includes the word “any”. PR944952

Network Address Translation (NAT)

• In Junos OS Release 12.1X46-D10 and earlier, the device could not send the SNMP trap for the NAT pool with logical systems configured. Starting in Junos OS Release 12.1X46-D15, the SNMP trap for the NAT pool with logical systems configuration can be sent from the device. PR959219

System Log

• An illegal pointer address generates eventd core files. PR784037

Unified Threat Management (UTM)

• EWF logs are not marked with user role information. PR936799

Virtual Private Networks (VPNs)

• On all SRX Series devices configured with IPsec VPN and the VPN monitoring is enabled, the VPN monitoring function triggers socket leak, and it might result in some critical issue, such as SPUs unresponsive. PR940093
• On all SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link increases. PR941999
• On all SRX Series devices with multiple proxy-identity (MPID), the dead routes are seen while moving the st0 interface from one virtual router to another. PR943577
• After traffic-selector configuration is deleted from the VPN configuration object, the data traffic stops passing through the tunnel. PR944598
• SRX Series devices cannot proceed to automatic certificate reenrollment through SCEP. The certificate validity period is incorrectly calculated during the autorenewal process. Also, when the CRL is downloaded through LDAP, it can be partially received from the CA server and the pkid process goes up. PR946619
• When there are more than 100 traffic selectors configured on a VPN configuration object along with configured, established, tunnels, if all IPsec SAs for this VPN configuration object are cleared at the same time (because of a configuration change on a peer or the use of the clear operational command), the bind-interface associated with that VPN configuration object might be marked as down. PR947103

Resolved Issues - 12.1X46-D10

Application Layer Gateways (ALGs)

• The b attribute (pertaining to bandwidth) in a SIP Session Description Protocol (SDP) message was not carried forward after SIP ALG processed the packet. PR875211
• When an RTSP TCP segment cannot be processed because it is too small or incomplete, the RTSP ALG holds it and waits for the next segment. An RTSP endpoint does not receive an ACK for segments that are too small, so it retransmits the segment several times. Eventually, the RTSP endpoint resets the TCP connection. PR887601
• With RTSP ALG traceoption enabled, if failover occurs on the device, it will trigger flowd crash that RTSP ALG receiving interleave RTSP traffic before the RTSP objects are synchronized completely. PR893136
• In rare cases when ALG is used for flow processing MSS (Maximum Segment Size) in TCP 3-way, handshake is announced in one direction with value higher than 32,120, the next packets in opposite direction gets window size value reduced to 0. PR895498
• In certain circumstances, if the OPTIONS method is used to create a call, and the INVITE method is used to reuse the call, the SIP ALG would apply an incorrect state. As a result, the device might drop the ACK of 200-OK. PR898956
• The SCTP module drops the SCCP packet when the received SCCP pointer goes out of order. PR901584
• On devices enabled with the MS-RPC ALG, the flowd process might crash frequently when heavy MS RPC traffic is processed by the MS-RPC ALG. PR907288

AppSecure

• AppID is using order to selectively report nested applications that it has matched in different transactions on the same session. This means that only nested applications with a higher order are reported. The expected behavior is that it should report nested applications as and when it detects them in the transaction. PR914567

BGP

• Under specific time-sensitive circumstances, if BGP determines that an UPDATE is too big to be sent to a peer, and immediately attempts to send a withdraw message, the routing daemon (rpd) may crash. An example of an oversized BGP UPDATE is one where a very long AS_PATH would cause the packet to exceed the maximum BGP message size (4096 bytes). The use of a very large number of BGP Communities can also be used to exceed the maximum BGP message size.

  Please refer to JSA10609 for additional information. PR918734

Certificate Authority (CA) Profile

• When you run the show security pki *-certificate command, the result displays time without a time zone. PR746785

Chassis Cluster

• On devices in a chassis cluster with the second control link connected, when CRM is installed, and the primary node is power-cycled, the primary node takes over RG-0 ownership when the primary node is rebooted. PR679634
• On devices in a chassis cluster, if a reth Layer 3 logical interface is disabled, the reth interface remains active and the direct route for this logical interface is not removed from the forwarding table. All the traffic destined for the disable network still gets routed out to the disabled reth interface. PR740856
• On devices in a chassis cluster, when you execute the clear system commit command, it clears commit only from the local node. PR821957
• On devices in a chassis cluster, during a control link failure, if the secondary node is rebooted by control link failure recovery, the rebooted node goes into disabled state even after startup. PR828558
• On SRX1400, SRX3400, and SRX3600 Series devices, under certain conditions, the em0 (tsec1) detection and recovery mechanism is not working as expected. This might cause the chassis cluster to fail, a “split-brain” condition to occur, or all FPCs to be reset on the local node.

  Note: Do not use the security policy count and make sure trace options are disabled. Do not use set security log mode event command; instead use mode stream (default mode).

  PR877604

• On devices in a chassis cluster, the chassisd log outputs are flooded with the following message: LCC: fru_is_present: out of range slot -1 for SCB. PR889776
• On devices in a chassis cluster, in certain IPv6 configurations, the SPU sends out packets with an invalid header on the secondary node, which in turn triggers the hardware monitoring failure on the secondary node. PR935874

Command-Line Interface (CLI)

• There is no specific CLI command to display the count of sessions allowed, denied, or terminated because of UAC enforcement. PR733995
• The show security pki *-certificate shows the time without a time zone. PR746785
• The output of the show security pki ca-certificate detail command includes the Auto-re-enrollment section. This is incorrect because automatic reenrollment is not supported for CA certificates. PR877574
• Certain combinations of Junos OS CLI commands and arguments have been found to be exploitable in a way that can allow root access to the operating system. This may allow any user with permissions to run these CLI commands the ability to achieve elevated privileges and gain complete control of the device.

  Please refer to JSA10608 for additional information. PR912707, PR913328, PR913449, PR913831, PR915313, PR915957, PR915961, PR921219, PR921499

Flow and Processing

• When DNS ALG was enabled, the rewrite rules applied on the egress interface might not work for DNS messages. PR785099
• On all high-end SRX Series devices, when plugins that use TCP proxy (such as ALGs or UTM) are configured, a certain sequence of valid TCP packets crashed the flow daemon (flowd). Repeated crashes of flowd represented an extended denial of service condition for the device. PR791201
• On all high-end SRX Series devices, when fragmented jumbo frames are reassembled in the SPU (reassembling might be required by IDP feature, ALG feature, ESP/AH packets, and L2TP packets) and if the size of the reassembled packet becomes larger than 9712 bytes, the packet is dropped in the internal device, and the device reports XLR egress packets corruption issues. PR819621
• On all high-end SRX Series devices, the SPU level kernel crashed and generated vmcore files when processing traffic that required serialized packet processing in some application modules such as IDP, ALGs, application security, and so on. PR855397
• Current implementation of timeout for http is 1800s, the default timeout should be 300s. PR858621
• Periodic multicast packets such as NTP do not refresh the route, and packets are dropped intermittently. PR869291
• On SRX Series devices, during ARP floods of the data plane Packet Forwarding Engine, the CPU spikes might impact transit and host-bound traffic. PR871704
• On devices in a chassis cluster, after data plane RG1 failover, the RTSP data packet is queued, and a duplicate RTSP data packet is processed by the device; the flowd process crashes and generates core files. PR883397
• When TCP SYN flood protection is enabled and triggered, and if the Window Scaling option is used between a TCP client and server, TCP communication is reset abnormally. PR886204
• On all high-end SRX Series devices, due to incorrect computation of central point IPv6 sessions, the output of the total central point sessions is incorrect for the show security monitoring fpc number command. This is only a display issue and does not affect actual central point sessions or the traffic passing through. PR888890
• On SRX1400 devices, the egress packets are dropped. There is an increase in the number of egress packets dropped when the traffic passes through the ports of the SRX1K-SYSIO card. PR899184
• When flow traceoptions are used to debug source NAT traffic, packet filter did not work. This resulted in a large amount of unexpected traces. PR905568
• The CRL download fails for fragmented LDAP packets. PR910947
• On all high-end SRX Series devices, when you delete a large number of interfaces and commit, and immediately add a large number of interfaces and commit, the session scan might fail. The session related to the deleted interface might still be active, in which case the subsequent traffic drops if it matches the old session. This occurs in a scenario when the deleted interface is added back on the “immediately add” action, and the remote host still generates the traffic matching the session. This issue occurs as the session interface is detected in invalid state in flow checking. PR915422
• J-Flow might not work as expected; the cflowd packets are not seen for version 5 and version 8 sampled flows. PR916986

General Packet Radio Service (GPRS)

• If a GTPv1 user plane (GTPv1-U) tunnel update conflicts with a secondary tunnel, then core files are generated. PR888067
• When there is inconsistency in the NAT rule configuration for the IP address in the IP header and in the GTP payload, packets are dropped.
  • When there is a NAT rule for the IP address in the GTP payload and no NAT rule for the IP address in the IP header, the tunnel is set up on a wrong SPU, and the control and data traffic on the tunnel might be dropped.
  • When there is a NAT rule for the IP address in the IP header and no NAT rule for the IP address in the GTP payload, the packet is dropped to keep the consistency of the NAT rule configuration.

  PR921313

Hardware

• When the device is rebooted, the next-generation SPC card might not boot up due to I2C bus hang. Error messages related to “I2C” errors also appear in the log. PR923255

Infrastructure

• On all high-end SRX Series devices, when the device authentication is through RADIUS server and the password protocol is Microsoft CHAP version 2, the password change operation fails as the user password change is enforced through Microsoft Active Directory server. PR740869
• After an upgrade, you cannot copy files between nodes in a cluster using the file copy command. PR817228
• In a DHCP-relay subscriber management environment, with an output firewall filter configured on an IRB interface to discard the DHCP offer packets, while DHCP-relay subscribers log in, the Junos OS kernel tries to free an already freed memory buffer, which causes the kernel to crash and generate core files. PR824470
• When the backup Routing Engine kernel fails, some devices send a message to the master Routing Engine to generate a core file. PR854501
• On SRX1400 devices with 10-Gigabit Ethernet, when the system I/O card is inserted on SFP-T of ge-0/0/7, ge-0/0/8, or ge-0/0/9 interface, the device interface LEDs light immediately. PR865899
• If the secondary control link (em1) interface uses SFP-T, the interface is down when you add node 1 to the cluster. PR873253
• On devices in a chassis cluster, after control plane Redundancy Group (RG0) failover, SPUs might have more if states than the new master Routing Engine. This difference leads to sequence number mismatch and causes cold synchronization failure, and all FPCs might reboot. After the FPCs reboot, a "split brain" situation occurs in which both nodes become primary. PR885889
• E2edebug traces are not generated for all the events. PR919471

Interfaces and Routing

• On the K2-Routing Engine (64-bit Routing Engine) when speed or link mode are statically configured on the device for the fxp0 interface, the driver for fxp0 accepts the configuration from DCD process. The K2-Routing Engine does not propagate the setting to the hardware driver. Instead, the driver setting is forced to auto-negotiate. Thus, as the fxp0 interface is auto-negotiating, and the far end device is forced to 100/full, the auto-negotiation on fxp0 will detect the speed but will not detect the duplex and hence, defaults that duplex to half-duplex. PR704740
• On VLAN tagged Ethernet frames (802.1p), you cannot modify the VDSL priority bits. PR817939
• Multicast stream is redirected to other member links on the ae interface or on the reth LAG even when the link in use is disabled. PR867529
• When a SHDSL Mini-PIM is configured in 2-wire mode with annex mode as Annex B/G, one of the physical interfaces does not come up. PR874249, PR882035
• On devices in a chassis cluster, when a session created as the incoming interface is a VPN secure tunnel interface (ST interface) and the outgoing interface is a logical tunnel interface (LT interface), this session is incorrectly marked as active on the secondary node. When this session expires on the secondary node, the sessions on both cluster nodes might get deleted and interrupt the traffic. PR896299
• When multiple routing instances are defined, DNS names in the address-book entries might not get resolved. This results in corresponding security policies to be nonoperational. PR919810
• When multiple IP addresses from an overlapping subnet are configured on a single interface, the interface enable-related or disable-related changes might not work. PR920993

Intrusion Detection and Prevention (IDP)

• On XLP platforms, setting the max-sessions option in an application identification configuration did not impact the attack traffic. PR809384
• After the Junos image is upgraded, we recommend that you download a completely updated IDP security package and then perform the installation. Subsequent incremental updates (default) work fine. If a complete update is not performed, the device might end up adding only the new signatures downloaded in incremental order, leaving the device unprotected from a large set of signatures. PR876764
• On SRX Series devices with IDP enabled, if IDP exempt rule is configured, a change of the IDP rule configuration (such as a change to source or destination, action, or signature) might cause the flowd process to crash and core files are generated. PR877865
• When there are a large number of ASC entries (100,000 or more), and the entries are listed using CLI command, the flowd process might crash. PR886173
• On all high-end SRX Series devices, maximize sessions inline-tap equal mode is not supported in Junos OS Release 12.1X46-D10. If the maximize sessions inline-tap equal mode is configured in a release earlier than Junos OS Release 12.1X46-D10, when you upgrade to Junos OS Release 12.1X46-D10, the configuration changes to maximize sessions inline-tap firewall mode. PR889597
• On SRX Series devices, the flowd process might crash when IDP is enabled using software based pattern matching and detects more than one attack entry for the same attack. PR907703

J-Web

• The J-Web interface was vulnerable to HTML cross-site scripting attacks, also called XST or cross-site tracing. PR752398
• In J-Web, SRX Series devices fail to downgrade from Junos OS Release 12.1X46-D10 through HTTP file upload. PR918112
• In J-Web, if the policy name was “0”, the penultimate-hop popping (PHP) function treated it as empty, and traffic log output could not be viewed. PR853093
• In J-Web, the LSYS operation might cause MGD to generate a core file, and compare before commit does not work. PR889029

Network Address Translation (NAT)

• Under certain conditions, a duplicate SNMP index might be assigned to different interfaces by the kernel to the mib2d (Management Information Base II daemon). This might cause mib2d and other processes such as lacpd (LACP daemon) to crash and generate core files. PR836823
• On devices enabled with the PIM protocol, the flowd process crashed and generated core files, when there was a unicast PIM register message received with encapsulated multicast data; and if NAT process was involved in the session for the received PIM packet. This issue was observed on standalone high-end SRX Series devices, and on devices in a chassis cluster. In the case of devices in a chassis cluster, the flowd process crashed on both node 0 and node 1. PR842253
• In a root system, the destination and static NAT rule cannot send system log and trap messages when the number of sessions reaches the threshold value. In a logical-system, the source, destination, and static NAT rule cannot send system log and trap messages when the number of sessions reaches the threshold value. PR905359
• On devices in a chassis cluster, the chassis cluster rule number of sessions in the SNMP query or walk result is the sum of the real number of sessions of the primary node and the secondary node. PR908206
• On all high-end SRX Series devices, when source NAT is configured with persistent NAT enabled, sometimes the persistent NAT bindings leak on the central point. PR910116

Routing Policy and Firewall Filters

• If more than 10 virtual routers (routing instances) or logical systems (LSYS) are configured on a device, DNS fails to resolve addresses. A maximum of only 10 routing instances and LSYS can be configured per DNS name server. PR896174

Screen

• On all high-end SRX Series devices with IP spoofing screen enabled, the routing table search fails when it is locked by the system. As a result, false positives occur on IP spoofing detection. PR901507
• On all high-end SRX Series devices, security screen are not allocated for more than 165 zones due to memory limitation. If a security screen is enabled for more than 165 zones, only 165 zones are actually enabled and the memory is exhausted by the screen allocation, resulting in traffic interruption. PR913052

Security

• The glob implementation in libc allows authenticated remote users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames. This vulnerability can be exploited against a device running Junos OS with FTP services enabled to launch a high CPU utilization partial denial of service attack.

  Please refer to JSA10598 for additional information. PR558494

• If Proxy ARP is enabled on an unnumbered interface, an attacker can poison the ARP cache and create a bogus forwarding table entry for an IP address, effectively creating a denial of service for that subscriber or interface. When Proxy ARP is enabled on an unnumbered interface, the router will answer any ARP message from any IP address which could lead to exploitable information disclosure.

  Please refer to JSA10595 for additional information. PR842092

System Log

• On SRX3400 and SRX3600 devices, the following system logs are seen in the messages file:

  sfchip_show_rates_pfe: Fchip Plane 0, dpc 0, pfe <1/2/3>: Invalid dpc

  These system logs do not affect the device. PR738199

• Fetching ppX interface statistics leaks in pfestat_table leads to the following error logs:

  pfestat_req_add: pfestat table out of ids

  During this state it is not possible to fetch any interface statistics. PR751366

• On all high-end SRX Series devices, when a Routing Engine card is removed and placed again, swapped, or rebooted, the following error message appears in the system log for an hour:

  No response from the other routing engine for the last 300 seconds

  PR875189

• SRX5600 and SRX5800 devices with an SRX5K-SPC-4-15-320 (next-generation SPC) might generate one of the following system logs on the messages file:

  spu_mac_get_linkstate:spu (<fpc#>/<pic#>) – phy link<link#> failed

  spu_mac_get_linkstate:%PFE-3:(<fpc#>/<pic#>) –MAC layer link failed

  In this condition, the affected SPU cannot do any flow processing until the system is rebooted. PR914736

• On SRX1400 devices in some cases, the traffic gets interrupted for about 5 seconds occasionally and the following log message appears:

  XLR ingress pause

  PR921692

• The session ID of AppTrack logs does not include the SPU ID. Hence, there is a mismatch with firewall log session ID and AppTrack log session ID of the same session. The AppTrack log now has the same session id used in the firewall logs.PR924941

Unified Threat Management (UTM)

• The enhanced Web filter parser mishandles the URL and host from the HTTP header. This results in an “uncategorized” EWF reply. PR862602

Virtual Private Networks (VPNs)

• On a SRX Series device, when a session is closed because the user for that session has signed out from the Junos Pulse, the session close log shows the role information as “N/A”. PR689607
• An IPsec policy for a VPN can contain proposals with different protocol types (ESP or AH). This means that an IPsec SA can be established with either ESP or AH, depending on the protocol type of the peer’s proposal. PR843281
• When IPsec VPN Internet Key Exchange (IKE) traffic passed through the device, memory leaks were observed and the VPN connection could not be established. PR857013
• On all high-end SRX Series devices, the Junos Pulse client has been updated from Release 2.0R3 to 4.0R2. PR868101
• File Descriptor leak occurs during the network-security-trace process when commit configuration changes are made in the edit security ike configuration. Eventually, the system reaches the maximum file limit, which results in a system-unmanageable condition. PR893017
• In a site-to-site IPsec VPN deployments using IKEv2, when tunnels are removed through configuration change, the information is not propagated to the remote peer. Later, when the peer initiates a normal Phase-1 re-key process, the kmd process crashes and core files are generated. PR898198

Related Documentation

• New and Changed Features
• Known Behavior
• Documentation Updates