
16.2R2-S7: Software Release Notification for Junos Software Service Release version 16.2R2-S7


Article ID: TSB17455 TECHNICAL_BULLETINS Last Updated: 16 Oct 2018 Version: 2.0
Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, ACX5K, EX9200, MX, T, PTX, VMX, VRR
Alert Description:
Junos Software Service Release version is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Solution:

Junos Software Service Release version 16.2R2-S7 is now available.

The following are incremental changes in 16.2R2-S7.

 
PR Number Synopsis Description
1099998 MX5/10/40/80 may restart when the Routing Engine (RE) memory utilization is high This patch fixes a problem seen on MX80 platforms: when the Routing Engine memory utilization is high (for example, 95%), the kernel can crash. Now, on MX5, MX10, MX40, and MX80 routers, the router will restart. This restart can manifest in one of two ways: - A kernel core is generated after restart; - The watchdog restart is triggered and no kernel core is generated. In both cases the system will restart.
1202133 AE interface MAC addresses might get reordered after RE switchover or restart MAC addresses are assigned to interfaces (Junos IFDs) to provide link layer addressability with a peer interface. Interfaces created for AE are virtual, and MAC address assignments are done by chassisd using the pool of available addresses for the router, which is then applied to each of the child interfaces to provide the aggregation feature, allowing the collection of interfaces to be addressed using a single MAC. In Junos 14.2, the allocation of AE MACs was changed to be done on-demand. While saving resources, this broke an implicit assumption for some customers that MAC assignments would be persistent across reboots and Junos upgrades, as the changes caused assignments to be dependent on the order of addition/deletion of AEs. In this case, after a reboot, AE MACs were reassigned in numeric order, with ae0 receiving the first assignable MAC, etc. Any external dependency or filtering on the MAC assigned before the reboot will no longer be valid when the MAC changes.
1220671 Tacacs access does not work after upgrade. The /etc/passwd file is created in the process of the first commit when a pristine jinstall image is used to boot for the first time. If event-options is configured, the system will try to read the configuration from the available event scripts, which requires privileges obtained from the /etc/passwd file. That causes a circular dependency because the commit will not pass if the configuration includes event-options the first time a pristine image boots up, which is the case of an upgrade performed with virsh create.
1242243 VRRP mastership does not change after priority is changed VRRP mastership does not change after priority is changed for certain VRRP groups.
1259379 The wrong TBB PFE component's temperature might be reported on MX80 Temperature reading for TFEB components jumps up and down frequently on MX80. There is no particular trigger needed. By default, the FPC reports temperatures of some components to the RE/chassisd (every 10 seconds). As part of this periodic polling, we can see the issue of the temperature reading for the TBB PFE component showing occasional jumps.
1261423 The MRU of aggregated Ethernet interface might reset to default value When configuring an aggregated Ethernet interface and after commit, some harmless log messages might appear. But with a certain configuration such as VRRP, the child links of the aggregated Ethernet interface get reset to the default MRU and cause traffic loss.
1265548 Traffic drop on MPC with "Link sanity checks" and "Cell underflow" errors When certain hardware transient failures occur on an MQ-chip based MPC, traffic might be dropped on the MPC, and syslog errors "Link sanity checks" and "Cell underflow" are reported. There is no major alarm or self-healing mechanism for this condition.
1272202 The rpd might crash after deactivating or activating BGP. When the policy with damping is applied on BGP, the rpd might crash after deactivate/activate protocol bgp, which can result in protocol flap or traffic drop.
1276156 When the static link protection mode configured backup state is down, the primary port goes to down state instead of the secondary port, and the secondary remains in up state. When static link protection mode is configured with the backup state as down, the primary port goes to the down state instead of the secondary port, while the secondary port remains in the up state.
1277079 The RPD KRT asynchronous queue might stall, impacting synchronization between RIB and FIB Starting with JUNOS 16.1, the KRT (Kernel Routing Table) asynchronous queue might stall, preventing new routes from being propagated to the forwarding table.
1278741 With NSR enabled, rpd may crash on master RE during kernel-id change With OSPF (Open Shortest Path First) and NSR (Non-Stop Active Routing) enabled, process rpd might crash on master RE (Routing Engine) when there is a change in kernel-id. This is a timing issue and not always observed.
1282573 The kernel might crash when NSR enabled device has BGP peer flapping On Junos platform with NSR (Nonstop active routing) enabled, when BGP peer is flapping, the kernel might crash and a core file will be generated afterwards.
1284264 The traffic might be classified into the wrong queue when aggregated Ethernet interfaces with child legs are anchored on an MQ-based MPC without a queuing chip From 15.1, if Aggregated Ethernet Interfaces (AE) with child legs are anchored on MQ based MPC without queuing chip (that is MPC(E)-3D-16XGE-SFPP, MPC1(E)/MPC2(E) without Q on MX, and EX9200-40T, EX9200-40F, EX9200-40F-M on EX9200), the AE bundle might operate in the restricted-queue mode due to a wrong code. The restricted mode results in the upper queue numbers (#4 - #7) being mapped back up to queues (#0 - #3). So the traffic that is destined to queue #4 might be actually sent out on queue #0 and so on.
1286393 Line Card reboots after GRES. After the MX/QFX router finished graceful Routing Engine switchover, line card reboot may be observed.
1291079 BGP-RR sends full route updates to its RR-Clients when any family mpls interface gets bounced due to any fiber cut or manual events causing high CPU spike BGP-RR sends full route updates to its RR clients when any of the interfaces with the family-mpls interface bounces because of any fiber cut or manual events, causing high CPU spike. This happens when the process generates outbound soft-route-refresh through route update messages to the network peers.
1291917 Kernel is not installing the route and throwing the error The kernel might not install the route when static route or static LSP nexthop address is the same as address on outgoing interface.
1293543 "DDR3 TEMP ALARM" messages are logged in chassisd log Junos OS releases with a fix committed in Junos OS Releases 15.1R5-S4, 16.1R4-S3, 16.1R5, and 17.3R1 with XM-based linecards(MPC3E/4E/5E/6E/2E-NG/3E-NG) might report "DDR3 TEMP ALARM" chassisd's error log message.
1294957 The rpd might crash after interface or BGP flapping When interface flaps or BGP session flaps, the system will receive a response from kernel for a generic next-hop object. After the response is received for the current child object, all parent objects are walked. In some situations, the parent object may also be of type generic next-hop and may also be waiting for a kernel response. If both the parent and the child object are being programmed to kernel simultaneously, an rpd crash will occur.
1295756 The krt queue might be stuck with the error of "RPD_KRT_Q_RETRIES: chain nexthop add: Unknown error: 0" With Resource Reservation Protocol (RSVP) / Label Distribution Protocol (LDP) label-switched paths (LSPs) configured, the krt queue might be stuck when RSVP/LDP LSPs flaps or optimizes. This is a timing issue due to a race condition.
1298259 ISSU might take more time to complete and the FPC might go offline during ISSU reboot. If LACP, link fault management (LFM), CFM, or STP is configured, the unified ISSU might take more time to complete and the FPC might go offline.
1299054 The rpd cored multiple times when receiving an OPEN message from an existing BGP peer If Border Gateway Protocol (BGP) is enabled and the router is operating in Graceful Restart (GR) helper mode (by default), rpd might crash when the device receives an OPEN message from an existing established BGP peer.
1301723 Classifier does not get applied on the aggregated Ethernet member links on DPC (I-chip) based platforms with CoS configured. On DPC (I-chip)-based platforms, with CoS configured, if the fixed classifier is configured explicitly (or through a wildcard) over both aggregated Ethernet interfaces and member links, and a DPC leg (or a bundle of DPC legs) is present in the aggregated Ethernet interface, the classifier might not be applied.
1301849 The rpd might crash by executing the command of "show route extensive" during deleting ISIS configuration The rpd might crash by executing the command of "show route extensive" during deleting ISIS configuration
1301986 The rpd might crash when NSR is enabled and routing-instance specific configurations are committed If NSR (nonstop active routing) is enabled, BGP will use Rsync (a TCP based protocol for synchronizing files) to synchronize data between the rpd on the master RE and the backup RE. When some routing-instance specific configurations (such as auto-RD, route targets, etc.) are committed and a BGP Rsync error happens at the same time (such as a transport error that causes the BGP Rsync connection to go down), a timing issue might occur that leads to an rpd crash.
1303239 The rpd process might crash in rare conditions where traffic-engineering is configured In rare conditions, where traffic-engineering is configured and there are more than 4 addresses configured for the loopback interface, rpd process might crash when there are multiple IGP (Interior Gateway Protocol) flaps.
1305964 Message "system reaching processes ceiling low watermark" might be seen When an "auditd" child process is terminated, the process is still having a pid and an entry in the process table. When the number of defunct processes reaches the limit, you will see "jlaunchd" error messages.
1305994 The resource monitor (RSMON) thread might be stuck in a loop consuming 100% of FPC CPU On Trio-based platforms, RSMON (resource monitor) thread might be stuck in a loop consuming 100% of FPC CPU due to a race condition.
1306650 Bbe-smgd may fail to properly add access-internal routes when the router is extremely busy In a subscriber-management environment, bbe-smgd process may encounter an error while trying to add next-hop or route to rpd and kernel. The problem can manifest itself in different ways depending on the exact failure, and the following symptoms were seen in the field: 1) L2TP subscribers on LAC that are able to connect, but long /136 route missing on the PFE. Traffic forwarding for such subscribers is not possible because PFE is not programmed properly. 2) Subscribers are able to connect, but rpd is not able to add access-internal routes to kernel due to invalid next-hop.
1306930 The RSVP node-hello packet might not work correctly after the next-hop for remote destination is changed An unexpected error such as an RSVP authentication failure, or an RSVP node-hello packet is rejected when the next-hop for remote node's loopback is changed.
1307690 BGP traceoption logs are still written when it is deactivated BGP traceoption logs are still written after it is deactivated. This BGP-trace logging issue may affect its RE CPU utilization.
1311224 The BGP session might flap when the connection between the master RE and the backup RE keeps flapping with NSR configured With NSR (nonstop routing) and BGP (Border Gateway Protocol) configured, if the connection between master RE and backup RE keeps flapping, it may result in the main rpd thread sending multiple read request messages. If the main rpd thread sends multiple read request messages, the BGP I/O read request queue might be full, which may lead to BGP session flapping.
1312117 The rpd process might crash if LDP updates the label for BGP route When LDP egress-policy is configured for the BGP route and a label is received for a BGP route in inet.0 table from LDP, if BGP receives a new label for the same BGP route matching the LDP egress-policy, rpd might crash because of updating the new label.
1312169 RPD core observed after multiple session flaps on scale setup A race condition causing an rpd core dump is observed in scale setup scenarios with continuous BFD session flaps (causing OSPF/RSVP session flaps). This is related to a software memory corruption: an RSVP PSB holds a stale pointer, which causes the memory overwrite.
1314070 mspmand core due to flow-control seen while clearing CGNAT+SFW sessions. If there is frequent deletion of sessions, in a long run, this can happen due to internal memory arena churn taking more time. Fix is added to optimize memory arena free and avoids flow-control exertion by service pic.
1315066 The rpd might constantly consume high CPU in BGP setup On all platforms with Border Gateway Protocol (BGP), simply having network churn will cause rpd to constantly consume high CPU (98%).
1315798 On a chassis with BMP configured, the rpd might crash when the rpd process is gracefully terminated. On a chassis with BMP configured, if the rpd termination timeout is happening while the BMP main task has failed to terminate and delete itself (seen when rpd is gracefully terminated), the rpd might crash.
1316861 The primary path of MPLS LSP might switch to other address When Junos interworks with other vendors' device, the primary path of MPLS LSP might switch to other address even though strict is configured for primary path.
1317132 The policy configuration might not be evaluated if policy expression is changed If Border Gateway Protocol (BGP) import policy is configured with a policy expression, the configuration might not be evaluated after the policy expression is changed later.
1317536 The rpd might crash after the primary link failure of link protection If there are some LSPs for which a router has made link protection available, and the primary link failure is caused by an FPC restart, this core may occur.
1319631 Traffic might get blackholed temporarily when BGP GR is triggered and the direct interface flaps After BGP session is established, if Graceful Restart (GR) is triggered and the direct connected interface flaps at the same time, traffic might get blackholed until the routes are flushed. GR helper mode is wrongly being triggered.
1322535 The rpd might crash when two nexthops are installed with the same Next hop index When two nexthops are installed and they have the same Next hop index in kernel, an rpd crash on the master RE might happen.
1323601 The rpd crash is seen when deactivating static route if the next-hop interface is type of P2P The rpd crash might happen when deactivating static route if the next-hop interface is type of point-to-point (P2P), for example, ip- or gr-.
1324531 The memory leakage seen in mosquitto-nossl daemon In Message Queue Telemetry Transport (MQTT) scenario, the memory leakage (about 4k memory leakage every 30 seconds) might be seen. However, on very long runs, this uses up high memory which can indirectly impact other daemons running.
1325271 MPC cards might drop traffic under high temperature When some specific MPC cards (MPC3E/4E/5E/6E/2E-NG/3E-NG) work under high temperature (around 67C or higher), XM-DDR3 memory refresh interval will be reduced and hence DDR bandwidth and Packet Forwarding Engine (PFE) forwarding capacity will be reduced. As a result, traffic might get dropped.
1326394 Junos OS: Denial of Service vulnerability in MS-PIC MS-MIC MS-MPC MS-DPC and SRX flow daemon (flowd) related to SIP ALG (CVE-2018-0051) Junos OS: Denial of Service vulnerability in MS-PIC MS-MIC MS-MPC MS-DPC and SRX flow daemon (flowd) related to SIP ALG (CVE-2018-0051); Refer to https://kb.juniper.net/JSA10885 for more information.
1327904 Multiple next-hops may not be installed for IBGP multipath route after IGP route update Multiple next-hops may not be installed for an internal BGP(IBGP) route received from a multipath-enabled peer when an active IBGP route from a non-multipath-enabled peer is changed to a new active route from a multipath-enabled peer due to interior gateway protocol(IGP) route update.
1329276 The ksyncd process might crash continuously on the new backup RE after performing GRES On MX platforms with MS-DPC, if sampling or flow-monitoring is configured, the ksyncd on the new backup Routing Engine (RE) might crash continuously after performing a Graceful Routing Engine Switchover (GRES). This may cause GRES to be not ready, and ksyncd remains unrecoverable until the backup RE is rebooted.
1329843 New versions of Junos do not have the tool for accessing the AUX port - /usr/libexec/interposer New versions of Junos do not have the tool for accessing the AUX port - /usr/libexec/interposer. Junos permits using the AUX port to connect to another device's console, by connecting a rollover cable from the AUX port of the local device to the console of the other device. However, the feature is not available from the 15.x trains. Working in 14.2: % /usr/libexec/interposer You are now connected to the console of the device attached to the AUX port. Press CTRL-^ to disconnect. Not working in 15.1: % % /usr/libexec/interposer /usr/libexec/interposer: Command not found.
1331185 The dcd process might crash due to memory leak and causing commit failure In some situations, like multiple commit in a short time with scaled configuration, dcd memory leak might occur. This could cause commit to fail.
1331234 JSA10896 2018-10 Security Bulletin: Junos OS: Denial of service in telnetd (CVE-2018-0061) A denial of service vulnerability in the telnetd service on Junos OS allows remote unauthenticated users to cause high CPU usage which may affect system performance.
1332260 The rpd core-dump might be seen in l2circuit or l2vpn environment The rpd core-dump might be generated in a rare condition in l2circuit or l2vpn environment.
1333570 The "dead" next-hop may be seen in BGP-LU scenario In a BGP Labeled Unicast (BGP-LU) scenario, if the device works as the penultimate hop and receives BGP-LU routes with an indirect next-hop from an egress router, then after the operational next-hop interface corresponding to those labeled routes flaps, a "dead" next-hop type (discard action is performed for this type) may be set for the related clone routes (s=0) and remain there even after the next-hop interface is operational again.
1335302 Traffic loss may be seen for some flows due to network churn In the scenario where the device has ECMP paths and P2MP enabled, rpd may not send all the address family information with next-hop types UNICAST/UNILIST during network churn, which leads PFEs to be in a race condition and have the different view of UNILIST load-balance selectors for P2MP traffic flows. This causes different PFEs to select the different outgoing interface and the traffic loss may be observed if the outgoing interface is not the local on the egress PFE for the corresponding traffic flow.
1338688 MX Series: L2ALD daemon may crash if a duplicate MAC is learned by two different interfaces (CVE-2018-0056) MX Series: L2ALD daemon may crash if a duplicate MAC is learned by two different interfaces (CVE-2018-0056); Refer to https://kb.juniper.net/JSA10890 for more information.
1338854 Route corruption in PFE with CFM enabled on AE On MX platform with Network Services in IP mode and CFM (Connectivity Fault Management) configured on AE (Aggregated Ethernet) interface, route programming in PFE (Packet Forwarding Engine) might get corrupted after the member link of AE flaps, leading to packet drop.
1340379 The rpd might crash after the remote BGP peer closes the TCP session On certain rare condition, if remote BGP peer closes the TCP session, the rpd process might crash.
1341336 The rpd crash might occur when receiving BGP updates From Junos 16.1R1 onwards, there might be a mismatch in the length of BGP update message between BGP main thread and I/O thread when receiving BGP updates. If this issue happens, rpd crash might be seen.
1343535 The 100G DWDM interface might be going down for 15 seconds after a loss of signal event The 100G DWDM (Dense Wavelength Division Multiplexing) interface might be going down for 15 seconds after a loss of signal event.
1348107 The FPC might crash due to MIC error interrupt hogging The MPC might crash due to ISR 2 MIC error interrupt hogging. And the core files could be seen by executing CLI command "show system core-dumps".
1351334 Junos OS: authd allows assignment of IP address requested by DHCP subscriber logging in with Option 50 (Requested IP Address) (CVE-2018-0057) Junos OS: authd allows assignment of IP address requested by DHCP subscriber logging in with Option 50 (Requested IP Address) (CVE-2018-0057); Refer to https://kb.juniper.net/JSA10892 for more information.
1351705 After GRES, the BGP neighbors at Master RE might reset and the BGP neighbors at Backup RE take long time to establish When BGP and NSR (Nonstop-Routing) is configured, after GRES (Graceful Routing Engine switchover) from RE1 to RE0 and then rebooting the backup immediately, all BGP neighbors might reset. And at Backup RE, the BGP Idle state lasts 1 minute or 7 minutes, which means the BGP neighbors at Backup RE take around 1 minute or 7 minutes to establish once Backup RE boots up.
1357427 RE switchover during backup RE being not GRES ready might cause linecard restart, RE kernel crash and multiple chassisd crashes On all Junos platforms with dual Routing Engines (RE), if Graceful Routing Engine Switchover (GRES) is enabled to provide High Availability (HA) protection, the backup RE (RE1) might be out of synchronization with the master RE (RE0), and the kernel state in the backup RE (RE1) is not cleaned due to a software defect. After staying in such status for a long time, once the keepalive timeout is detected between the master and backup RE, the backup RE (RE1) will take over the mastership. All the line cards will be restarted when they are connected to the new master RE (RE1) after switchover due to the missing of master-backup synchronization. Then the new master RE (RE1) might crash due to some data structure field overflows in the kernel since the kernel state has not been cleaned for a long time. After that the original master RE will take the mastership back again. The issue will cause complete traffic loss.
1362560 The route stuck might be seen after BGP neighbor and route flapping This is a route installation failure case that is not handled properly in a BGP multipath scenario. It might cause traffic loss.
1363641 Traceroute MPLS from Juniper to Huawei routers does not work as expected Traceroute MPLS from Juniper to Huawei routers does not work as expected due to unsupported TLV.
1366562 The next-hop of MPLS path might be stuck in hold state which could cause traffic loss If an MPLS path uses an IPv6 next-hop, the next-hop might be stuck in hold state in the following scenario: Initially the router triggers the IPv6 Neighbor Discovery (ND) but the neighbor advertisement from the peer is not received. Eventually the neighbor state moves to 'unreachable' state and the next-hop of the MPLS path using this neighbor will become rejected. After this, if the router receives a neighbor solicitation message from the peer, the neighbor state will move to reachable state in the IPv6 neighbor table. The IPv6 module should notify the change to the MPLS module, but somehow, the notification is missed. This causes the next-hop of the MPLS path to be stuck in hold state.
1368377 Junos OS: jdhcpd process crash during processing of specially crafted DHCPv6 message (CVE-2018-0055) Junos OS: jdhcpd process crash during processing of specially crafted DHCPv6 message (CVE-2018-0055); Refer to https://kb.juniper.net/JSA10889 for more information.
1370582 The packet which size exceeds 8k bytes might be dropped by MS-MPC in ALG scenario ALG cannot process IP datagrams exceeding 8k bytes size, the packets are dropped by junos-alg plugin. Plugin related packet drop counter captures these drops. If IP datagram is not related to ALG sessions, then junos-alg plugin is nothing to do with them and they are ignored (ALG plugin won't drop).
1372924 The traceroute mpls might fail when traceroute is executed from a Juniper device to another device not supporting RFC6424 Enhance the MPLS LDP traceroute process to accommodate devices which do not support RFC6424 - LSP ping with TLV 20, DDMT. When traceroute is sent from Juniper to Huawei, Huawei replies with 'One or more of the TLVs was not understood (2)'. Huawei does not support TLV 20 (DDMT) and expects TLV 2 (DSMAP). Juniper devices will start sending the DSMAP TLV in the request if 'One or more of the TLVs was not understood (2)' is received. Also note that the Juniper router does not validate the error TLVs received in the response. There can be cases where some other TLV is not understood and Juniper receives 'One or more of the TLVs was not understood (2)', but error TLVs will be sent only for mandatory TLVs that are not understood/supported in the request. Here the DDMT TLV is not a mandatory TLV, so the Juniper router cannot expect this TLV to be encoded in the error TLV from other vendors. Hence, the Juniper router does not validate or check the presence of the DDMT TLV in the error TLV. The Juniper router tries sending DSMAP; it may or may not get a reply, but traceroute will proceed by incrementing the TTL after sending the DSMAP TLV in the request.
1376354 The rpd process might crash continuously if nsr-synchronization or all flag is used in RSVP traceoptions Applying Resource Reservation Protocol (RSVP) traceoptions with nsr-synchronization flag or all flag on a Nonstop Active Routing (NSR) enabled device may cause the rpd process to crash due to memory corruption. The memory corruption occurs when size of received RSVP Path message being replicated from master routing engine(RE) to standby RE is greater than 768 characters.
1380862 Junos OS: Receipt of a specifically crafted malicious MPLS packet leads to a Junos kernel crash (CVE-2018-0049) Junos OS: Receipt of a specifically crafted malicious MPLS packet leads to a Junos kernel crash (CVE-2018-0049); Refer to https://kb.juniper.net/JSA10883 for more information.
Modification History:
First publication date 2018-10-16