Limitations and restrictions
Security improvements have been made in this release; however, some limitations still exist.
IPv6 is not supported on the 40G Fortville NIC.
VXLAN tunnels do not currently work with a multicast transport. That is, the command set interfaces VXLAN xxx transport multicast-group does not work.
VXLAN-gpe tunnel cannot be added to a bridge-group due to an underlying kernel issue.
While the OS does support IKEv1, we strongly recommend that IKEv2 is used to avoid the security vulnerabilities associated with IKEv1, such as reflection and amplification DoS attacks.
VRRP in RFC compatibility mode does not work fully on VRFs. Without RFC compatibility mode, VRRP works with VRFs, and this should be used as the workaround.
IPsec VTI performance: There is a major IPsec dataplane performance degradation that makes IPsec VTI unsuitable for production deployment in this initial GA release. This performance degradation will be addressed in a follow-on patch release.
FRAGMENT ANY filter issue: When deploying the Qumran AX whitebox platform, do not use fragment any as part of an ip-packet-filter rule match condition, for example:
set security ip-packet-filter group FW1 rule 10 match fragment any
Using this match condition will prevent the rule from ever matching a packet.