Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
On SRX650 devices, IGMP snooping does not work in q-in-q mode on a trunk port
when the Ethernet type is set to any value other than 0x8100. [PR/554992]
On SRX220 devices, on multiple reboot or restart forwarding, a link might remain in a
hard down state. [PR/556389]
On SRX650 devices, sometimes quad T1/E1 generates a core file while the user is
configuring it in T1 mode with the traffic sent continuously over the quad T1/E1.
[PR/556716]
On SRX220 devices, when oversubscribed traffic is sent through the gr interface (after
tunnel queuing has been enabled and the shaper has been configured), there is an
increase in tail-dropped packets at the egress of the gr interface. As a result of this,
the output packet rate at the egress of the gr interface is much lower compared to that
of the shaper. [PR/559378]
On SRX1400 devices, the alarm indication is not available if a power supply is not
functioning normally. The system creates log messages in /var/log/chassisd to indicate
the power supply failure conditions. [PR/566210]
Intrusion Detection and Prevention (IDP)
The SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices support only
one IDP policy at any given time. When you make changes to the IDP policy and commit,
the current policy is completely removed before the new policy becomes effective.
During the update, IDP will not inspect the traffic that is passing through the device for
attacks. As a result, there is no IDP policy enforcement. [PR/392421]
On SRX210 devices, when the IDP policy contains rules that have the match criteria
for the same attacks, multiple attacks will be reported when the attacks are detected.
No errors or warnings appear during policy compilation. [PR/414416]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you configure a policy
containing more than 200 rules, with each rule containing the predefined attack groups
(Critical, Major, and Minor), the memory constraint of the Routing Engine (500 MB) is
reached. [PR/449731]
On SRX Series devices, the maximum supported sessions count is not displayed when
you run the show security flow session idp summary command. [PR/503721]
On SRX100 and SRX210 devices, depending on configuration, peak performance level
drops up to 30 percent have been observed for IDP and UTM features. This issue
impacts only customers who deploy these devices with peak performance level
requirements for IDP and UTM services. [PR/503446, PR/506500, PR/518737]
On SRX5600 devices, when using a 4096-bit SSL private key for IDP HTTPS traffic
processing, the watchdog aborts the flowd process and reboots the SPC. This is
primarily because of the watchdog timer expiration. The IDP function takes a long time
to decrypt the session when you use a 4096-bit key.
The SSL function is known to take an exponentially large amount of time when the
key size is increased. Key sizes of 1024 bits and 2096 bits are OK to process because
their processing time is below the watchdog threshold, but the key size of 4096 bits
should not be used when sending stress traffic. Also, IDP uses SSL hardware for <=
Copyright © 2010, Juniper Networks, Inc.