- play_arrow Junos OS Release Notes for ACX Series
- play_arrow Junos OS Release Notes for cSRX
- play_arrow Junos OS Release Notes for EX Series
- play_arrow Junos OS Release Notes for JRR Series
- play_arrow Junos OS Release Notes for MX Series
- play_arrow Junos OS Release Notes for NFX Series
- play_arrow Junos OS Release Notes for PTX Series
- play_arrow Junos OS Release Notes for QFX Series
- play_arrow Junos OS Release Notes for vMX
- play_arrow Junos OS Release Notes for vRR
- play_arrow Junos OS Release Notes for vSRX
- Licensing
- Finding More Information
- Requesting Technical Support
- Revision History
Open Issues
Learn about open issues in this release for SRX Series devices.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
- Chassis Clustering
- Flow-Based and Packet-Based Processing
- High Availability (HA) and Resiliency
- Interfaces and Chassis
- Platform and Infrastructure
- User Interface and Configuration
- VPNs
Chassis Clustering
On SRX platform with chassis cluster enabled, chassis cluster IP monitoring on the secondary node might fail after system rebootPR1691071
Flow-Based and Packet-Based Processing
Use an antireplay window size of 512 for IPv4 or IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence, there are no out-of-order packets with 512 antireplay window size. PR1470637
For accelerated flows such as Express Path, the packet or byte counters in the session close log and show session output take into account only the values that accumulated while traversing the NP. PR1546430
High Availability (HA) and Resiliency
Trigger: Perform ISSU from any release prior to 22.1 to 22.1 or above releases. This issue is applicable to all the platforms. Symptom: ISSU will be aborted / failed with the below warning. 'warn-message "ISSU is not supported for Clock Synchronization (SyncE)";''override'In '/var/tmp/paSBfY/etc/indb//config.indb' line 162included from '/var/tmp/paSBfY/etc/indb/issu.indb' line 10 'override' syntax errorISSU not supported as current image uses explicit tags for message structures\n PR1628172
Interfaces and Chassis
Traffic drop might be seen on irb interface on SRX1500 for network control forwarding class when verifying dscp classification based on single and multiple code-points. PR1611623
Platform and Infrastructure
In Mac-OS platforms when Juniper Secure Connect client connects successfully, the client is not getting minimized to tray icon and needs to be minimized manually.PR1525889
IPSec rekey fails when SRX is configured with kilobyte based lifetime in remote access solution. PR1527384
With Application-Based Multipath Routing enabled, HTTP sessions take approx 10 minutes to re-establish after a link flap between hub and spoke. PR1577021
With ssl-proxy configured along with web-proxy, the client session might not get closed on the device until session timeout, even though the proxy session ends gracefully.PR1580526
On MX platforms the JDM (Juniper Device Manager) server could not be created in in-chassis mode of junos node slicing, which results in mgd process crash and affects GNF's (Guest Network Function) provisioning. PR1583324
HA AP mode on-box logging in LSYS and Tenant, Intermittently Security log contents of binary log file in LSYS are not as expected PR1587360
On the SRX4100 and SRX4200 platforms, it can detect DPDK (data plane development kit) Tx stuck issue and trigger a major chassis alarm goes which might trigger RG1 failover to the healthy node. A DPDK reset will be triggered only to the stuck port and if the reset resolves the tx stuck issue, the major chassis alarm will go off.PR1626562
A Missing Release of Memory after Effective Lifetime vulnerability in the Application Quality of Experience (appqoe) subsystem of the PFE of Juniper Networks Junos OS on SRX Series allows an unauthenticated network based attacker to cause a Denial of Service (DoS). Please refer to https://kb.juniper.net/JSA69709 for more information.PR1628090
Trigger: On SRX platform, perform ISSU from any release prior to 22.1 to 22.1 or above releases. Symptom: ISSU will be aborted / failed with the below warning. 'warn-message "ISSU is not supported for Clock Synchronization (SyncE)";''override'In '/var/tmp/paSBfY/etc/indb//config.indb' line 162included from '/var/tmp/paSBfY/etc/indb/issu.indb' line 10 'override' syntax errorISSU not supported as current image uses explicit tags for message structures\n PR1632810
SMTPS sessions are not getting identified when traffic is sent from IXIA (BPS) profile. PR1635929
On SRX5000 line of devices and MX240, MX480, MX960 platforms,when device is powered on with multiple line cards, power might not be sufficient and few line cards fail to come into online state.PR1645817
The SKYATP:IMAP/IMAPS Email permitted counter may have incorrect value under certain conditions.PR1646661
File submission success counter is not changed when file is submitted to cloud. PR1651101
Firewall-authentication with user-firewall based RADIUS access has syslog missing the username and rule.PR1654842
File archive command under non-root account may not archive all files under /var/log.PR1657958
On SRX series platform with chassis cluster enabled, reth interface might not go up due to speed mismatch when reth interface speed is changed afger RG0 failoverPR1658276
SRX cli command to show fwauth user details like "show security firewall-authentication users identifier 1" and "show security firewall-authentication users address 10.1.1.1" does not display user's group information.PR1659115
Device does not drop session with server certificate chain more than 6.PR1663062
User Interface and Configuration
Please use "load update" instead of "load override" to prevent the error messages PR1630315
VPNs
In some scenario(e.g configuring firewall filter) sometimes srx5K might show obsolete IPsec SA and NHTB entry even when the peer tear down the tunnel. PR1432925
Tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393
First time when we add this command the existing active connections are not changed, only the new connection after this command will be taken into effect. PR1608715
Sometimes after manual failover, IKE-SA rekey does not succeed. In order to recover from this scenario, enable dead-peer-detection with always-sendPR1690921