Resolved Issues: 21.2R3

Junos OS: MX Series and SRX Series: The flowd daemon will crash if the SIP ALG is enabled and specific SIP messages are processed (CVE-2022-22175). PR1604123

The authentication delay might occur upto 60 seconds if same user authenticates. PR1626667

Secondary node in a chassis cluster might go into reboot loop on SRX Series devices. PR1606724

SPU might become offline on standby node after failover in SRX Series devices with chassis cluster. PR1624262

BFD over high-availability ICL link might flap. PR1631938

Annotate ip command might bring IP monitoring down and both nodes in MNHA mode goes into INELIGIBLE state. PR1632586

Security traffic log display service-name="None" for some application. PR1619321

Cleartext fragments are not processed by flow. PR1620803

VLAN tagged packets might be dropped at TAP mode enabled interface. PR1624041

Packets might not be classified according to the CoS rewrite configuration. PR1634146

The process nsd may crash continuously due to failure in creating/reinitializing the file /var/db/ext/monitor-flow-cfg. PR1638008

When using log templates introduced in Junos OS release 21.1R1 with Unified Policies, logs were not generated in a predictable manner. A new construct has been added that allows you to define a default log profile set security log profile name default-profile command can be used to improve this behavior when multiple log profiles are defined. PR1570105

Packets with the MAC address of eth0 and macvlan0@eth0 interface might be sent out to the management interface on VMHOST platform with NG-RE. PR1571753

Changes in SNMP traps configuration and data exported for TWAMP. PR1573169

The process pkid might generate core files during local certificate enrollment. PR1573892

The fxp0 interface of an SRX550 device in cluster might become unreachable from an external network. PR1575231

On SRX Series devices with Chassis Cluster, the tcp_timer_keep:Local(0x81100001:60753) Foreign(0x8f100001:33010) is seen in messages log every 80 seconds. PR1580667

BGP adjacency might not get established in Layer 2 with IRB scenario. PR1582871

Getting UNKNOWN instead of HTTP-PROXY for application and UNKNOWN instead of GOOGLE-GEN in RT-FLOW close messages. PR1588139

When combining log profiles and unified policies RT_FLOW_SESSION_DENY logs were not being generated corrected. PR1594587

DNS proxy functionality might not work on VRRP interfaces. PR1607867

DNS based SecIntel statistics were not populating correctly on SRX Series devices. PR1611071

Interface might not come up when 10G port is connected to 1G SFP. PR1613475

Enabling security-metadata-streaming DNS policy might cause a dataplane memory leak. PR1613489

The new client might not be able to connect using Juniper Secure Connect if the size of INI file content exceeds the maximum INI file size buffer. PR1613993

Packet Forwarding Engine might crash and flowd core might be observed when AppQoS is configured. PR1615797

On SRX Series devices running DNS security in secure-wire mode, DGA verdicts would not be returned to the device. PR1616075

The srxpfe process might stop when the DNS Security feature is enabled. PR1616171

On SRX Series devices using On-Box Logging, LLMD write failures may be seen under high load. The output of show security log llmd counters command can be used to view LLMD behaviour. PR1620018

Traffic might get dropped due to memory issue on some SRX Series devices. PR1620888

The flowd process might stop on SRX Series devices and NFX devices in AppQoE scenarios. PR1621495

On SRX Series devices running DNS Security, if a DGA was detected and the action in the configuration was set to permit, under rare circumstances, a log would not be generated by the device. PR1624076

A major chassis alarm for Intel NIC Tx port stuck issue is added on SRX4100 and SRX4200 devices. PR1624078

In rare circumstances, PKID could stop and generate a core file when there was limited memory available on the Routing Engine. PR1624613

Running DNS on all SRX Series devices, a memory leak on Packet Forwarding Engine might occur. PR1624655

Core files might be generated on installing IDP security package. PR1625364

The flowd process lost heartbeat for 45 consecutive seconds without alarm raised. PR1625579

The error might be seen after configuring a unified security policy allowing some app categories. PR1628202

When viewing DNS Tunnel detections in the ATP Cloud portal, the Source-IP and Destination-IP metadata is reversed. PR1629995

Depending on the configuration of the SRX Series devices, duplicate events may have been written to the on-box logging database. This fix improves LLMD performance by eliminating these duplicate write events. PR1630123

LLDP packets might be sent with incorrect source MAC for RETH or LAG child members. PR1630886

The srxpfe process might stop on SRX4600 device. PR1630990

Reverse DNS Lookups will no longer be stored in the DNSF Cache when using DNS security. PR1631000

Tasks of download manager might not be resumed post reboot. PR1633503

On SRX Series devices running DNS Security, a dataplane memory leak may occur within the DNSF plugin when entries age-out of the DNSF cache. PR1633519

Unable to connect to domain controller on installing Microsoft KB update. PR1637548

The error is seen during the NON-ISSU upgrade from Junos OS 15.1 release to Junos OS 18.2 and later releases PR1639610

Configuration change during AppQoS session might result in Packet Forwarding Engine stop with flowd process core file. PR1640768

The KRT queue might get stuck with the error- ENOMEM -- Cannot allocate memory. PR1642172

The Packet Forwarding Engine might stop on Junos OS SRX Series devices. PR1642914

On-Box security logs might be not storing the session-id as a 64-bit integer, resulting in incorrect session-id's being present in the on-box logs. PR1644867

Issue with the command clear security idp counters packet-log logical-system all. PR1648187

Members MAC might be different from parent reth0 interface, resulting loss of traffic. PR1583702

IPv4 or IPv6 address might get removed when the interface configuration is moved from tenant stanza to interface stanza. PR1605250

High Routing Engine CPU usage occurs when routing-instance is configured under security idp security-package hierarchy level. PR1614013

SRX Series devices pause while checking the CLI show security idp attack attack-list policy combine-policy command. PR1616782

On SRX Series devices, the request security idp pcap-analysis tool has had usability improvements. PR1617390

Updating the IDP signature DB may get the upgrade stuck in the state In progress:Performing Offline download. PR1623857

The error displays your session has expired. click ok to re-login with root user. PR1611448

The AM or PM time format is displayed in customize for Last field at Monitor > Logs > All Events. PR1628649

The reboot or halt from J-Web might fail on SRX Series devices. PR1638370

New persistent NAT or normal source NAT sessions might fail due to noncleared aged out sessions. PR1631815

The ppmd process might stop after an upgrade on SRX Series devices. PR1335526

Traffic through one SPU may stop with potential packet drop issue with alarm as FPC Major Errors raised due to the PIC_CMERROR_TALUS_PKT_LOSS error.PR1600216

SRX accounting and auditd process might not work on secondary node. PR1620564

Error message gencfg_cfg_msg_gen_handler drop might be seen after running commit command. PR1629647

When route preferred-metric is different for different RPM policies, the same metric is not reflected in routing records. PR1634129

SCB reset with Error : zfchip_scan line = 844 name = failed due to PIO errors. PR1648850

SSL proxy might not be performed when SSL Proxy profile is referenced in the zone or global policy PR1608029

All feeds of category IPFilter might be removed after committing SecIntel related configurations.PR1611073

Redundancy might get affected in SRX Chassis Cluster scenario. PR1618025

The rpd process might stop in a corner case in PIM-SM scenarios. PR1574731

Observing commit error while configuring routing-options rib inet6.0 static on all Junos OS platforms. PR1599273

Junos OpenSSH leaves a dangling pointer. PR1612947

The wrong BGP path might get selected even when a better or preferred route is available. PR1616595

MGD core might be observed upon ISSU upgrade. PR1632853

The iked process might restart and generate core during session state activation or deactivation. PR1573102

The srxpfe process might stop and generate a core file when IPsec VPN is used. PR1574409

Certificate identifier length for PKI CMPv2 CA cert is not displayed as expected in certain cases. PR1589084

The kmd process might stopwith IPsec tunnel enabled on SRX Series devices and vSRX. PR1599639

Flowd process might crash and generate a corefile after upgrade. PR1603670

Uneven IPsec tunnel distribution might be seen post tunnels re-establishment. PR1615763

Traffic over IPsec tunnels may be dropped post control link failure. PR1627557

Traffic loss over IPsec tunnel might be seen on SRX Series devices. PR1628007

SRX Series devices devices generates core files after upgrading to any Junos OS release. PR1628947

The kmd process might stop if the IKE negotiation fragment packets are missed during initiating an IKE SA rekey. PR1638437