18.1R3-S1: Software Release Notification for Junos Software Service Release version 18.1R3-S1

Article ID: TSB17468 TECHNICAL_BULLETINS Last Updated: 06 Nov 2018 Version: 1.0
Alert Type:
SRN - Software Release Notification
Product Affected:
All JUNOS products
Alert Description:
Junos Software Service Release version is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Solution:

Junos Software Service Release version 18.1R3-S1 is now available.

The following are incremental changes in 18.1R3-S1.

 
PR Number Synopsis Description
1149904

Half-duplex mode is not supported on SRX340 and SRX345

On SRX340 and SRX345 devices, half-duplex mode is not supported.

1299484

EX4300-32F MACSec session stays down on 1G/10G links after events when events are performed with traffic running

When EX4300-32F's 1/10G Ethernet ports are reset, MACsec sessions may stay down and cannot be re-established.

1301191

The fault "PCI Device missing" alarm might be observed during upgrade

The "PCI Device missing" alarm may appear when the master and backup RE run different Junos versions. This PR adds the ability to verify whether the alarm is related to hardware before generating it.

1329141

COS is wrongly applied on PFE leading to egress traffic drop

On ACX5K/EX4600/QFX5100 series platforms, in some cases, CoS (class of Service) configuration is not properly applied in PFE (Packet Forwarding Engine), leading to unexpected egress traffic drop on some interfaces.

1334850

The FXPC process might crash after adding or deleting a QinQ VLAN to an interface on EX2300/EX3400 platforms

On EX2300/EX3400 platforms, after modifying a QinQ VLAN configuration on an interface, the FXPC (dc-pfe) process might crash.

1336455

Momentary dip in traffic when a GRES is performed

On GRES, the implicit filters set by DFWD are cleared by DCD, which causes a momentary dip in traffic.

1337028

AI-script is not upgraded automatically after a Junos upgrade unless this is done manually

On all VMHost supported platforms such as MX240/480/960, PTX5000/3000, QFX5100/5200, after a Junos upgrade, AI-script is not upgraded automatically unless this is done manually. Perform this manually using command "request system scripts add ".

1337327

Link flapping or staying down due to interoperation issue between MX/EX9200 and transport device

On MX204, MX10003, or MPC7E/8E/9E, or EX9200-40XS/EX9200-12QS, a 100G, 40G, or 10G interface might keep flapping or stay down due to an interoperation issue between Juniper device and the remote transport device connected.

1338647

Error drops in XM/MQSS fabric streams(q-node stats) are not accounted in class-of-service fabric stats

The output of the CLI command "show class-of-service fabric statistics" now includes traffic that was dropped because of internal errors in the drop counts.

1342783

The fxpc process might crash when a firewall filter is applied on a VLAN

On EX2300/EX3400 platform, the Packet Forwarding Engine manager (fxpc) process might crash when a firewall filter is applied on a VLAN. As a workaround, please apply the firewall filter to interfaces that are a part of the VLAN if possible.

1344176

NFX Series: Insecure sshd configuration in Juniper Device Manager (JDM) and host OS (CVE-2018-0044)

NFX Series: Insecure sshd configuration in Juniper Device Manager (JDM) and host OS (CVE-2018-0044); Refer to https://kb.juniper.net/JSA10878 for more information.

1349675

The 40G interfaces might not forward traffic

On EX9200 Virtual Chassis, if an aggregated Ethernet (AE) interface is created with a 40G port, the 40G port might be shown as "UP" but is not able to pass LACP packets, and the corresponding AE interface might be shown as "DOWN".

1354285

Packet may be dropped by RPF during RE switchover

Packets may be dropped by RPF during RE switchover when NSR is configured.

1354580

The host interface may stop sending packets on PTX with FPC3 or PTX1000 when using outbound firewall filter with syslog option

If output firewall filter is configured with "syslog" option, the host interface might be wedged on PTX with FPC3 or PTX1000.

1354713

The SONET interface will go down after enabling "keep-address-and-control" in L2VPN scenario

In an L2VPN (Layer 2 Virtual Private Network) scenario with a SONET interface used for the PE-CE link, that SONET interface might go down after enabling the "keep-address-and-control" knob on it.

1354889

QFX5100 / 14.1X53-D46.7 / Storm control profile missing for interfaces in HW

On random initialization of QFX5100, the programming of the storm control profile is missed within hardware on random interfaces. This is not visible in the CLI and the configuration still shows intact. This happens because the interface speed is not properly detected within the hardware.

1356726

Addressing VPLS issues uncovered during negative testing

Addressing VPLS issues uncovered during negative testing. In this case, when the primary router restarts, some MAC addresses still appear on the backup VPLS router and require manual removal.

1358007

Laser receive power of extended ports is higher than the output power of the peer link

On the Junos Fusion aggregate device platform, the interface diagnostics optics output of the extended ports shows the laser receive power as higher than the output power from the peer link. This is because the Rx optical power value received by Junos from SNOS is a raw Rx value that has to be converted to nanowatts.

1360876

The shutdown of the cascade port might lead to the invalidation of the MPC linecard

In Fusion scenario, on the MPC2E/3E NG HQoS or MPC5E 3D Q linecard, if the cascade port is down (e.g., disabled, deactivated), all the interfaces of the linecard might be unusable.

1360968

IPsec tunnel may flap when there are concurrent IKEv2 Phase 1 SA rekeys

On SRX devices in rare circumstances (e.g. vpn establish-immediately is configured on both ends of the tunnel), concurrent Phase 1 SA rekeys were seen. This may cause the VPN to delete existing VPN tunnels and rebuild them when the VPN policy-manager cannot correctly process the second rekey call from the toolkit.

1361015

FPC core might be observed after GRES switchover

On a dual Routing Engine (RE) platform with a telemetry sensor configured, after a graceful Routing Engine switchover (GRES), a Flexible PIC Concentrator (FPC) core might be observed on the master RE. This issue might impact the device traffic.

1361483

Interface flapping is seen on EX4300 switch

On EX4300 Series switches, the interface could be connected to a peer device that supports active and standby interfaces (similar to a redundant trunk group, RTG). The backup interface on the remote peer might become active or flap when the active link of the interface group goes down.

1363153

ARP reply is dropped when temporal buffer-size is added on the NNI interface

ARP requests are dropped and not forwarded to the NNI interface queue when CoS is configured with temporal buffer-size.

1363186

Log messages: kernel: tcp_timer_keep: Dropping socket connection

On QFX5110 with Junos version 17.3R1, it is possible to see the following logs in messages file: kernel: tcp_timer_keep: Dropping socket connection due to keepalive timer expiration, idle/intvl/cnt: 7200000/75000/8 kernel: tcp_timer_keep:Local(0x80000001:60287) Foreign(0x80000001:33015) These log messages are harmless.

1363935

Inter-VN across DC is NOT flowing in stitching setup

When stitching EVPN-VXLAN to EVPN-MPLS or EVPN-MPLS to EVPN-MPLS instances using the lt-interface or physical loopback, if an IRB interface is used, then "IRB ifl mac" has to be configured.

1364477

The kernel might crash after repeatedly deactivating/activating interfaces/filter/class-of-services configurations due to accessing stale memory entry

The kernel might crash with a core dump after repeatedly deleting/setting/deactivating/activating interfaces/filter/class-of-services configurations using an automated script. Since the issue is not seen in the initial 2-5 iterations, the probability of hitting this issue is very low.

1364624

vFPC may continuously crash on vMX platform

vFPC may continuously crash on vMX platform if enabling "family iso" through GREoIPSec (GRE over IPSec) tunnel.

1364930

ex2300 : show filter hw summary is showing incomplete output.

For the given configuration, a few of the filters are attached to unit 1, but the show output takes the value only from UNIT 0. In the case of a dual-unit (48-port) device, both UNIT 0 and UNIT 1 need to be considered.

1365316

Traffic loss is observed when ISSU is performed with AE interfaces configured with LACP Protocol

On QFX5100 VC/VCF, while doing ISSU from 15.1R7 to 16.1R7, the LAG interface may flap. This may result in traffic loss of more than 5 sec, depending on how fast the LAG interface recovers.

1367472

The bbe-smgd process might crash during the authentication phase for L2BSA subscriber

In L2BSA (Layer 2 Bit Stream Access) subscriber scenario, if there is a misconfiguration on Radius profile for L2BSA subscriber (for example, the routing-instance returned from Radius is not configured as VPLS) or authentication part is missing in the physical interface configuration, the bbe-smgd process might crash during the L2BSA subscribers login.

1367477

The FPC might go down on some vmhost based PTX/QFX platforms

On PTX1000/PTX10001-20C/PTX10002-60C/QFX10002-60C, the Flexible PIC Concentrator (FPC) might reboot which might result in the FPC not coming up or the system becoming unresponsive.

1367939

vSRX expired free trial license cannot be deleted and generates warning messages.

Trial License after being deleted reappears after reboot.

1368067

The authd process might not be started after executing RE switchover on backup RE without GRES enabled

In a dual Routing Engine (RE) system with the enhanced subscriber management feature enabled, if Graceful Routing Engine Switchover (GRES) is not configured, the authd process might not be started after executing RE switchover on backup RE.

1368650

In rare cases, there may be L2TP subscribers stuck in terminated state

In a corner case where the PFED daemon is still initializing after a fresh upgrade and JPPPD is up and processing subscriber logins, subscribers may become stuck. This is because JPPPD ends up waiting indefinitely for PFED to respond to a subscriber stats request.

1368805

About 10min traffic loss is caused by BGP flap during MX ISSU

While performing ISSU in an MXVC deployment, the MXVC system may clear TCP connections causing BGP peerings to flap.

1368845

Some SNMP jnxOperating* OIDs missing in EX4300 VC

EX4300 virtual-chassis systems may fail to register some jnxOperating SNMP OIDs related to the routing-engines. This behavior is more likely if virtual-chassis members 0 and 1 (FPC0 and FPC1) are not selected as routing-engines.

1369011

The dcpfe might crash and all interfaces flap due to this

QFX5110 may generate a DCPFE core and, as a side effect, all interfaces will flap.

1369340

IPsec-VPN IKE security-associations might get stuck in "Not Matured" state

In an IPsec-VPN scenario, some special peers (e.g. Huawei enodeB) might start a new IPsec-VPN IKE (Internet Key Exchange) session without clearing the old session upon detecting session failure, which results in the old IKE session being stuck in "Not Matured" state. There is no impact to service, but these sessions might consume too many memory resources.

1369646

error: peer_daemon: bad daemon: scpd on EX9251 running 18.1R1 and 18.1R2

The scpd process is not running on EX9251, so the CLI throws an error while trying to fetch details from the scpd process in recent releases.

1370174

The rpd might crash after RE switchover is performed or the rpd is restarted if interface-based Dynamic GRE Tunnel is configured

With interface-based Dynamic GRE Tunnel configured, there might be 2 next-hops for a single dynamic GRE tunnel when a new route is resolved over the dynamic tunnel after RE switchover is performed or the rpd is restarted. Subsequent withdrawal of the routes over that tunnel or master Routing Engine restarting will cause the rpd crash. This issue is introduced in PR 1202926 (which is fixed in 15.1F7 16.1R4 16.2R1-S6 16.2R1-S6-J1 16.2R2 17.1R2-S7 17.1R2-S8 17.1R3 17.2R1).

1370182

RSVP authentication may fail between some Junos releases and cause traffic loss during local repair

When Resource Reservation Protocol (RSVP) link or node protection is deployed and RSVP authentication is used, if the PLR (Point of Local Repair) router and the MP (Merge Point) router run different versions of Junos software during local repair, i.e. one a >= 16.1 release and the other a < 16.1 release, the RSVP authentication errors may occur for the bypass Multiprotocol Label Switching (MPLS) Label Switched Path (LSP) and cause traffic loss.

1370464

In certain routing topologies with sFlow configured, sampled packets may be duplicated and sFlow records are not sent to the collector.

In certain routing topologies with sFlow configured, sampled packets may be duplicated and sFlow records are not sent to the collector.

1370779

Packet capture feature does not work after removing the sampling configuration

If deleting all sampling configuration and then configuring the packet capture feature, the packet capture file may not be generated.

1371041

The timeout value of junos-http is improper

On all SRX Series devices, from Junos OS Release 15.1X49-D120, 17.4R1, and 18.1R1, the timeout value of junos-http (the pre-defined application setting in the junos-defaults.conf) has been changed to 1800 seconds, which is not expected; the expected value is 300 seconds.

1371115

DUT incorrectly did not send destination unreachable message_5.8

The reject codes for firewall filters are incomplete according to RFC 4443 section 3.1: return code 5 (Source address failed ingress/egress policy) and return code 6 (Reject route to destination). Solution: add the CLI to configure reject codes 5 and 6.

1371126

Pearls:Accton: First 2 characters out of 14 of AS7816-64 serial number is truncated

Accton AS7816-64X systems ship with 14-character serial numbers, but the Junos limit is 12 characters. The Accton serial number contains 781664X as its first 7 characters, and 78 should be added to the serial number shown in 'show chassis hardware' output when the serial number is required.

1371297

ISSU could be aborted at "Timed out Waiting for protocol backup chassis master switch to complete" with MXVC config

Under rare circumstances, MX Series Virtual Chassis unified ISSU might abort with the message "Timed out Waiting for protocol backup chassis master switch to complete".

1371373

Traffic might drop on newly added interfaces on MX after ISSU

On MX Series platforms, after a unified ISSU from Junos OS Release 14.2 to Junos OS Release 16.1, traffic drops on newly added interfaces because of an issue in the unified ISSU hardware synchronize phase.

1371516

The Virtual IP of the VRRP on SRX4600 might not respond to host-inbound traffic

On SRX4600 with VRRP configured, the device might not respond to any incoming traffic (including ARP requests) targeted to the VRRP virtual IP. This issue is only seen on the SRX4600 platform.

1372163

QFX5100: IPv6 routed packets are transmitted even though the VRRP state is in transition to master.

On QFX5100, IPv6 routed packets are transmitted over the VRRP virtual IP address even though the VRRP state is in transition to master.

1372738

The logical tunnel interface might be unable to send out control packets generated by RE

On the MX platforms, if Class of Service (CoS) rewrite is enabled globally at the chassis level, and there are control packets generated locally by Routing Engine (RE) which should be sent through the Logical Tunnel (LT) interface, all the control packets will be dropped in kernel. Due to this issue, any control packets generated locally by RE could not be sent from the LT interface, and this will affect control protocol handshake on the LT interface, which thereby affects traffic. The transit control packets are not impacted.

1372761

Multiple flowd crash files are seen on node1 after an RG0 failover

In a rare condition, if running RSI and setting the configurations and then performing an RG0 failover, multiple flowd crash files are seen on node1. It may cause a traffic outage.

1372999

Mac refresh packet may not be sent out from the new primary link after RTG failover

On EX/QFX series platforms, if a redundant trunking group (RTG) is enabled with large-scale MAC addresses, the MAC refresh frame may not be sent out from the new primary link after an RTG failover triggered by deactivating the former primary link on the peer side.

1373368

PTP timescale arbitrary feature support in mainstream releases

For arbitrary timescale, the default clock-class to quality level mapping needs to be added on the slave nodes as mentioned in the workaround. The current default clock-class to quality level mappings are not as required for this feature.

1373582

URL filtering might not work when the data interfaces move from one vrf to another

The URL filtering feature might not work in 17.4R2 when the data interfaces participating in URL filtering functionality move from one routing instance to another routing instance.

1374211

Traffic might be lost for the CoS-based forwarding services if EVPN is configured

When EVPN is configured with class-of-service-based forwarding (CBF), traffic might be lost for the CBF services.

1374244

Cosmetic log "warning: [---] is protected, 'protocols ---' cannot be deleted" is seen after commit using "configure private" in a configuration with "protect" flag present

Cosmetic log "warning: [---] is protected, 'protocols ---' cannot be deleted" is seen after commit using "configure private" in a configuration with "protect" flag present.

1374295

Address pool does not correctly cycle to the beginning of pool when linked-pool-aggregation parameter is defined.

Address pool does not correctly cycle to the beginning of pool when linked-pool-aggregation parameter is defined. Address pool reports "Out of Addresses" even though not all addresses are in use. > show network-access aaa statistics address-assignment pool

1374478

FPC might be unable to work properly if one child interface is removed from an AE bundle in dynamic VLAN subscriber scenario

On MX platforms which support next-generation subscriber management, if the Aggregate Ethernet (AE) bundle has multiple child interfaces located in the same Packet Forwarding Engine (PFE) complex, e.g. ge-1/0/0 and ge-1/0/1, and a dynamic VLAN subscriber comes online from the AE bundle, then when one physical child interface, e.g. ge-1/0/0, is removed from the AE bundle, the Flexible PIC Concentrator (FPC) might keep reporting error logs, and the statistics on the dynamic VLAN flow also won't get incremented. Therefore the PFE might be unable to work properly due to this issue.

1375189

The 802.1P rewrite may not work on inner VLAN

If a logical interface (IFL) is configured with 802.1P rewrite-rules (for both outer and inner VLAN) and fixed classification, after deactivating Class of Service (CoS) on any other IFL, the packets sent from this IFL may still have the original 802.1P bit set in the inner VLAN without being rewritten.

1375242

SFB and PDM/PSU related info is missing in jnxBoxAnatomy MIB on high end MX routers (MX2010/2020)

SFB and PDM/PSU related info is missing in jnxBoxAnatomy MIB on high end MX routers (MX2010/2020)

1375647

The ppmd process on AD might crash when using authentication key-chain with BFD

In a Junos Fusion environment, when configuring "authentication key-chain" under BFD, the ppmd process might crash and restart unexpectedly on the Aggregate Device (AD); some protocols will be affected during the crash.

1376057

Traffic black-hole with indirect next hop and load balancing

On EX4300/EX4600/QFX Series switches except for QFX10000, pass-through traffic might be dropped if using multiple routes with indirect next hop and load balancing.

1376134

In a rare situation, VPN tunnels may not be configured successfully and the VPN tunnels will not come up

On an SRX chassis cluster, in rare situations, when the VPN configuration size comes near an internal configuration processing chunk size, VPN tunnels may not be configured successfully and the VPN tunnels will not come up after rebooting/upgrading or restarting ipsec-key-management.

1376354

The rpd process might crash continuously if nsr-synchronization or all flag is used in RSVP traceoptions

Applying Resource Reservation Protocol (RSVP) traceoptions with the nsr-synchronization flag or the all flag on a Nonstop Active Routing (NSR) enabled device may cause the rpd process to crash due to memory corruption. The memory corruption occurs when the size of a received RSVP Path message being replicated from the master Routing Engine (RE) to the standby RE is greater than 768 characters.

1376504

EX4300-48MP: Syslog error "Error in bcm_port_sample_rate_set(ifl_cmd) : Reason Invalid port"

On EX4300-48MP, while running regression scripts, the syslog error "Error in bcm_port_sample_rate_set(ifl_cmd) : Reason Invalid port" is seen.

1376574

Interface optic output power is not zero when the port has been disabled

The interface optic output power could be a non-zero value even when the port has been administratively disabled.

1376784

EVPN active/active multihomed PE occasionally prefers to route to a directly connected prefix using LSPs towards the multihomed peer instead of going directly out the IRB interface (which is up).

EVPN active/active multihomed PE occasionally prefers to route to a directly connected prefix using LSPs towards the multihomed peer instead of going directly out the IRB

1376996

Same address family [Subnet IFL or IRB IFL but not both] needs to be configured for establishing VTEPs.

On the VXLAN network side, the same address family needs to be used to set up VXLAN tunnels. For example, if an L3-INET IFL is configured on an IFD as the underlay for establishing VTEPs, then an IRB IFL shouldn't be configured on the same IFD to establish a VTEP.

1377266

Packet loss was seen in IPsec Z-mode scenario

On all SRX platforms, in chassis cluster scenarios with a large number of BGP peers and IPsec tunnels, some traffic crossing the fabric link (Z-mode traffic) may be lost after failover of redundancy-group 0.

1377298

The auto-negotiation interface might go down if the opposite device supports only 10/100M auto-negotiation

On the QFX5100 platform, the auto-negotiation interface might go down if the peer device supports only 10/100M auto-negotiation.

1377500

Packets might be dropped on data plane in the inline Jflow scenario

On MX series with MPC, in the inline Jflow scenario, due to a software defect, the data structure associated with inline Jflow feature may not be initialized correctly. This leads to not being able to forward traffic correctly on the affected MPC.

1377521

DHCP Discover packets might be dropped if there is VXLAN configured

On QFX5000/EX4600 platforms, if changing an interface from Virtual Extensible Local Area Network (VXLAN) to a member of an Aggregated Ethernet (AE) interface, the Dynamic Host Configuration Protocol (DHCP) relay would not work and the DHCP client would not get IP address normally.

1377690

Duplicate IP cannot be configured on both SONET (so-) interface and other interfaces

On MX platforms, if a duplicate IP is configured on both a SONET (so-) interface and another type of interface, the other interface might not get the IP address.

1378155

The fxpc might crash after interface change on ACX5000

On ACX5000 platforms, if a GE (Gigabit Ethernet) interface is replaced with an XE (10-Gigabit Ethernet) interface or vice versa, or configuration is changed after the interface change, the fxpc might crash.

1378272

The interface ae480 or above may be in STP discarding state on EX9200 Series

In an aggregated interface and STP scenario on EX9200 Series, if the 'ae interfaces' is configured with a value of 480 or above and configured with STP, such an interface will remain in an incorrect STP discarding state and will not forward packets.

1378295

PIM register message might be dropped on SRX Series devices

On all SRX Series devices working in a PIM sparse mode network located between an FHR (First Hop Router) and an RP (Rendezvous Point), if a PIM control session is created via the PIM register stop message for any reason, only the next PIM register message (which matches the above PIM control session) is forwarded as expected; after this one, subsequent PIM register messages (also matching the above PIM control session) are wrongly dropped.

1378392

Traffic might be dropped on third-generation FPCs on PTX

On PTX with third-generation FPCs, if optics not certified by Juniper Networks (NON-JNPR) are used and there is a specific traffic pattern with congestion, traffic might be dropped.

1378747

FEB restarted after commit "delete interfaces e1-0/0/*"

Due to a race condition in which the class-of-service configuration request for an interface arrives before the e1 interface is created, a circuit is created with the specified class-of-service parameters. As a result, interface creation fails, traffic does not flow on the e1 interface, and a further deactivate/activate of e1 then leads to a core dump.

1378852

The ICMPv6 packets larger than 1024 might be dropped if "icmp-large-packet-check" is configured on ids service

On MX platform with MS-MPC/MS-MIC installed, the ICMPv6 packets larger than 1024 might be dropped if "icmp-large-packet-check" is configured on ids service.

1378901

Unable to commit with a configuration of packet-length in egress firewall filter on EX9200

On EX9200 Series platforms, if the 'packet-length' keyword is used under a 'firewall filter' that is applied on interface egress, the configuration cannot be committed due to a commit-check failure.

1378912

Some error logs (Tx unknown LCP packet) might be reported by the bbe-smgd daemon on MX-Series platforms

On MX-Series platforms, the bbe-smgd (bbe-subscriber management daemon) reports some error logs because jpppd sends out an LCP (Link Control Protocol) Config-Reject message but bbe-smgd lacks that message type code in the Tx direction. It has no service impact.

1379305

Sec-PDT:lcore-slave after RG0 failover and the HA abnormal with FL

In an SRX cluster, if a reroute happens on the IPv4 wings of a NAT64 or NAT46 session, the active node sends an RTO message to the backup session to update the rerouted interface; due to a bug, a core dump occurs on the backup node when processing this message.

1379309

Subscriber service-activation failure on mx80/mx104 if configured file-based shmlog with filtering enabled

On small MX platforms, such as mx104 and mx80, running the Enhanced JUNOS subscriber management feature, the subscriber service session could not be established once file-based shmlog with filtering enabled is configured.

1379530

Traffic might get into blackhole when CoS configuration is changed on a PS interface

In a CoS scenario, if the PS interface uses RLT as the PS anchor, all traffic might be dropped on the PS interface when deactivating or activating rewrite rules.

1379558

The rpd process might crash after committing the configuration related to mapping-server-entry

In an LDP (Label Distribution Protocol) network with gradual deployment of segment routing (a.k.a. LDP mapping server feature), the rpd process might crash after committing the configuration related to "mapping-server-entry prefix-segments/prefix-segment-ranges" with the maximum number of entries exceeded (16 for 17.4 and 64 for 17.4R2 onwards).

1379790

All interfaces belonging to certain FPC might be lost after multiple GRES in VC

In an EX2300/EX3400 Virtual-Chassis (VC) environment, all interfaces belonging to a certain FPC might go down after multiple GRES. When this happens, all the ports on the FPC are not seen or usable.

1380298

Routing Protocol Daemon may restart unexpectedly when performing GRES

RPD core may happen with GRES and BGP configurations - with reference to task_kevent_udata_task (ev=) at ../../../../../../src/junos/lib/libjtask/base/platform/bsd/task_io_bsd.c:127

1380459

LOC and Diag System LEDs on the front panel are not defined yet.

LOC and Diag System LEDs on the front panel are not defined yet.

1380527

FPC crash might be seen after FPC restarts

If scaling IFLSet members and AE members are configured on the same FPC, the FPC might crash when it restarts.

1380590

lsi binding missing upon nd6 entry refresh after l2ifl flap.

lsi binding missing upon nd6 entry refresh after l2ifl flap

1380783

L3VPN traffic might be dropped due to one core-facing interface down

On QFX10000/PTX Series platforms, the L3VPN traffic might be dropped if one core-facing interface goes down in the L3VPN multipath scenario.

1380795

A QFX5xxx packet forwarding engine (PFE) may show DISCARD next-hop for overlay-bgp-lo0-ip in a leaf-spine topology

A QFX5xxx packet forwarding engine (PFE) may show DISCARD next-hop for overlay-bgp-lo0-ip when the QFX5xxx is the leaf in a leaf-spine topology.

1380799

Higher level OAM CFM between CE might not work in VPLS scenario

In a VPLS scenario, if the OAM CFM (connectivity-fault-management, i.e., 802.1AG) level between CE and CE is higher than the level 3 between CE and PE, and 'action profile' is configured between CE and PE, the PDU (protocol data unit) of OAM CFM between the CEs might be dropped in the PE, resulting in failure of Ethernet OAM between the CEs.

1380862

JSA10883: Junos OS: Receipt of a specifically crafted malicious MPLS packet leads to a Junos kernel crash (CVE-2018-0049)

Junos OS: Receipt of a specifically crafted malicious MPLS packet leads to a Junos kernel crash (CVE-2018-0049). Please refer to https://kb.juniper.net/JSA10883 for more information.

1381017

The dot1x does not work with Microsoft NPS server

On EX series platforms, if Protected Extensible Authentication Protocol (PEAP) is configured in dot1x, and the authentication server is Microsoft Network Policy Server (NPS), then the dot1x authentication will fail.

1381230

CoA updates subscriber with original dynamic-profile if RADIUS has returned a different dynamic-profile name

When RADIUS sends a CoA (Change of Authorization) for the subscriber after RADIUS has returned a different dynamic-profile name in the access-accept, the subscriber is updated with the original dynamic-profile. This is because the new dynamic-profile name sent by RADIUS is not saved in the subscriber's table, so when the CoA message arrives, the old dynamic-profile name is used. As a result, the CoA updates the subscriber with unexpected values (the old dynamic-profile is used instead of the new dynamic-profile).

1381272

EX/QFX: irb interface does not turn down when master chassis is rebooted or halted

On a Virtual Chassis (VC) based on EX4300/EX4600/EX9200/QFX3500/QFX3600/QFX5100, an irb interface which is only associated with a master chassis interface may not turn down when the master chassis is rebooted or halted.

1381316

Encryption and Decryption is not happening due to pfe discards while testing that group-vpn member established using authentication-method pre shared key ascii-text.

Encryption and Decryption is not happening due to pfe discards while testing that group-vpn member established using authentication-method pre shared key ascii-text

1381383

Some subscribers fail to get SRL service as provided in Radius accept message even though the Radius messages can be sent and received

In a dual-stack PPP/PPPoE-based subscriber scenario, when a V4+V6 service is installed with family v4, if some daemon (such as dfwd) fails to add the family inet6 IFF during instantiation of the family inet6 portion of some services (such as SRL service), family activation for family inet6 fails. In that case only the family inet6 portion of the service should be removed, and the family inet and L2 services such as CoS should remain unchanged, but they do not. As a result, some subscribers cannot get some services (such as SRL service) even though the RADIUS messages can be sent and received. It is a timing-specific issue.

1381527

Constant memory leak might lead to FPC memory exhaustion

On MX/EX9200 platforms, constant memory leak might occur on a Flexible PIC Concentrator (FPC), and such condition might finally lead to memory exhaustion and the FPC would core.

1381868

The kmd daemon might crash and cause VPN traffic outage after executing 'show security ipsec next-hop-tunnels'

Executing 'show security ipsec next-hop-tunnels' might cause the kmd daemon crash if the point to multi-point IPSec VPN is configured and some of the VPNs are not active. This issue will affect all SRX platforms and may cause VPN traffic outage.

1381888

VC master is copying /var/db/ovsdatabase to backup every 10 seconds, which causes high write IO and shortens the SSD lifetime in an Open vSwitch Database (OVSDB) environment.

In an Open vSwitch Database (OVSDB) environment, the VC master copies /var/db/ovsdatabase to the backup every 10 seconds and the VC backup frequently writes the whole ovsdatabase to SSD. This causes high write IO and shortens the SSD lifetime.

1382050

Subscribers not able to log in after double GRES, after reboot, or after config.

In rare cases, after GRES or RE reboot, subscribers of all access types were not able to log in. Restarting the bbe-smgd daemon can potentially solve the issue.

1382074

The value of 'predefined-variable-defaults routing-instances' overrides the RADIUS-supplied VSA (26-1 Virtual-Router)

If the default value for the $junos-routing-instance predefined variable is configured (i.e., 'dynamic-profiles <> predefined-variable-defaults routing-instances <>'), the subscriber will come up in the configured default routing-instance even if RADIUS has already supplied the VSA of '26-1 Virtual-Router'.

1382219

Chassis image did not show in the JWEB Dashboard

The chassis image did not show in the JWEB Dashboard. This is specific to SRX320 with part number 650-077892.

1382694

Adding/deleting site-to-site manual-nhtb VPN tunnels to an existing st0 unit will cause existing manual-NHTB VPN tunnels under the same st0 unit to flap

On all SRX Series devices, since 12.3X48 SRX release, adding/deleting a site-to-site manual-NHTB (Next-Hop Tunnel Binding) VPN tunnel to an existing st0 unit will cause existing manual-NHTB VPN tunnels under the same st0 unit to flap.

1382727

The PFE might crash if the GRE destination IP is resolved over another GRE tunnel

On QFX10k Series platforms, the Packet Forwarding Engine (PFE) might crash if the Generic Routing Encapsulation (GRE) tunnel destination IP is resolved over another GRE tunnel.

1382857

dcd restarted unexpectedly after committing a configuration with static demux interface stacking over ps interface

The static demux interface stacking over ps interface is not supported and can cause the dcd process to restart. The commit process should not allow such configuration.

1382966

MAC addresses might disappear if the interface MTU of EVPN PE is changed

In EVPN Multihoming scenario, if the MTU of CE facing interface on PE (i.e., configured with ESI, 'set interfaces ae0 unit 1 esi 00:11:22:33:44:55:66:77:88:99') is changed, the MAC addresses learned from remote PE might be deleted and not added back, resulting in EVPN traffic loss.

1383265

RADIUS accounting statistics are not cleared after subscriber logout

On MX platform, if static demux interface over underlying is configured, after subscriber logout, the accounting statistics are not cleared.

1383274

The functionality under the license "JUNOS-FP-C2" may take effect even if it doesn't get installed properly

On white box series platforms, the Junos license "JUNOS-FP-C2" may not get installed properly, reporting errors and indicating that it was not installed successfully; however, the base functionality under this license still takes effect.

1383295

Domain name is not reported as part of the LLDP sysname in "show lldp neighbor" command

With this fix, the system name TLV will include the configured domain name with the host-name.

1383567

The configuration through NETCONF session might fail

NETCONF session may fail when issuing 'protocols vstp interfaces ' in XML format through NETCONF

1383655

The flowd/srxpfe process might crash when SSL proxy is used

On SRX Series devices, starting from Junos OS Release 15.1X49-D120, the flowd/srxpfe process might crash when SSL proxy is used. Note, this issue does not affect 17.3 and 17.4 Junos OS Releases.

1383964

FTP ALG is not supported with twice-nat

FTP ALG is not supported with twice-nat. Whenever an unsupported translation type was used with FTP ALG, a core occurred in the watched function. The change displays a syslog message instead of coring.

1384144

The L3 unit interface might stop pinging directly connected link address after deleting l2 unit on IFD

On QFX5100/QFX5110/QFX5200 series platforms or AS7816-64X (White box), the L3 traffic might be dropped if the L2 unit is deleted on the IFD (Physical port) having both L2 and L3 logical unit.

1384205

The kmd crashes with corefile after bringing up IPSec connection

On ACX, M, MX and T platforms, after bringing up IPSec tunnels, if issuing show command, kmd crash might be seen.

1384319

JUNOS upgrade might fail with validate option after the /cf/var/sw directory is accidentally deleted

If the directory /cf/var/sw is deleted by mistake, it may cause the future JUNOS upgrade failure when validate option is used.

1384473

MBFD flaps because clksync congest the scheduler for 100ms

With PTP configured, MBFD flaps may be seen in a BFD scale scenario. Issue applicable only for MPC5/6/7/8/9, MX204, MX100003 platforms.

1384491

Multiple bbe-smgd cored with reference to bbe_mcast_vbf_dist_policy_service_encoder( )

On commit, any changed policy was being pushed to the PFE even if the policy was not used (installed in the PFE). This caused the bbe-smgd process to restart unexpectedly at the bbe_mcast_vfb_dist_policy_service_encoder() routine.

1384574

The RA packets may be sent out without using the configured virtual gateway address

In an EVPN scenario, if an IPv6 "virtual-gateway-address" is configured on "irb" interface, the router advertisement (RA) packets may be sent out still using the physical interface/link-local IPv6 address.

1384599

Log Message: authd: gx-plus: logout: wrong state for request session-id

When a subscriber is manually logged out using the CLI command "clear network-access aaa subscriber username ", the following log message is printed (in the messages file) while the GX-Plus module is clearing/freeing up the subscriber session-id from its table: Aug 28 12:11:50 jtac-test-node: authd [XXXX]: %DAEMON-3: gx-plus: logout: wrong state for request session-id:

1384601

BFD sessions might flap consistently

On QFX10000/PTX Series platforms, the BFD sessions flapping might be seen during the device init itself.

1384732

Port-mirroring-instance/Analyzer based mirroring does not work with input as VLAN ingress when VLAN is mapped to VXLAN

1. Ingress VLAN-based mirroring is supported only using the analyzer stanza and does not work with firewall-based configuration.
2. Ingress VLAN mirroring is not supported with other firewall filters that use a VLAN on which VXLAN is enabled as a match condition.
3. Ingress VLAN mirroring has to be configured again if the VLANs are deleted or the evpn-vxlan configuration is deleted.

1385062

All 1G SFP copper and 1G fiber optic links remain UP on QFX10008 after all SIBs/FPCs are offline

On QFX10008 devices, 1G SFP copper and 1G fiber optic interfaces remain UP after all SIBs/FPCs go offline.

1385204

Ingress LSPs down due to CSPF failure

Ingress LSPs go down due to CSPF failure if the higher-priority protocol does not have a route (but the lower-priority protocol has a route).

1385409

The LACP might be in detached state when deleting native-vlan-id on AE interface with flexible-vlan-tagging configured

If an AE interface is configured with LACP, flexible-vlan-tagging and native-vlan-id, then after deleting the native-vlan-id option, the LACP state will be detached.

1386011

IPSec VPN traffic might fail when passing through MS-MPC of MX with CGNAT enabled

When a dynamic IP Security (IPSec) virtual private network (VPN) is re-keyed due to lifetime expiration, the IPSec Internet Key Exchange (IKE) phase 1 User Datagram Protocol (UDP) port 500 and phase 2 UDP port 4500 sessions are translated into two different public Internet Protocol (IP) addresses while passing through carrier-grade network address translation (CGNAT), which causes IPSec VPN traffic to fail. This behavior does not cause an issue for Juniper MX devices with MS-MIC or for SRX devices, since on such devices identify key is used to authenticate the sessions and the private IP address is allowed to be translated into two different public IP addresses.

1387360

DCPFE core observed when "restart routing" or BGP neighbors flapped when EVPN-TYPE 5 Routes are present

A DCPFE core dump may be experienced if a QFX has EVPN-TYPE 5 Routes present AND a BGP session to a neighbor device flaps.

1387419

The pccd might crash when changing delegation-priority

In Path Computation Client Protocol (PCEP) scenario, the pccd process might crash when changing delegation-priority for a PCE server.

1387712

Output of "show class-of-service interface" command incorrectly shows adjusting application as PPPoE IA tags for DHCP subscribers

In a subscriber management environment, if CoS adjustment is performed for DHCP subscribers based on DHCP tags, output of "show class-of-service interface" command for a DHCP subscriber interface will incorrectly show adjusting application as PPPoE IA tags instead of DHCP tags.

1387713

It might fail to update NH in HW for existing ECMP route when "ecmp-resilient-hash" is configured

If a QFX device has a host route with ECMP (equal-cost multipath) next-hops and receives a better path with single next-hop then next-hop in HW (hardware) will not be changed.

1387724

Default route configured gets deleted during ZTP

During the Zero Touch Provisioning (ZTP) process, the default route is cleaned up by the code. Because of this, if a static default route is configured in the initial configuration (the configuration file downloaded from the file server for ZTP), the route will fail to work. This might lead to ZTP failure or a device access issue after ZTP.

1387987

FPC card might reboot when changing CoS mode from hierarchical-scheduler to per-unit-scheduler

The CoS (Class of Service) mode per-unit-scheduler is not supported on an interface that is an interface-set member. If the CoS mode is changed from hierarchical-scheduler to per-unit-scheduler for such an interface, the FPC (Flexible PIC Concentrator) card of the interface might crash.

1389461

The interface-control process thrashes and dcd does not restart after adding an invalid demux interface to the configuration

On M120 and MX platform, if an invalid non demux0 interface, such as demux1, is committed to the configuration, the interface-control process will thrash and the dcd process will not restart.

1389695

RTG MAC refresh packets will be sent out from non-RTG ports if the RTG interface belonging to VC master flaps

On EX4300/EX4600/QFX Series switches except for QFX10000, in a Virtual-Chassis and RTG scenario, if the RTG (redundant trunk group) interface on the VC master goes down or comes up, RTG MAC refresh packets will be sent out from all ports in the VLAN besides the RTG redundant port. Normally, the MAC refresh packets are used to refresh MAC entries on the peer L2 device connected to the RTG redundant port.

1390428

The rpd might continuously crash when IPv6 prefix with IPv4 next-hop exists without proper configuration

After 16.1, if import/export policy modifies IPv6 routes to have IPv4 next-hop due to mis-configuration, the rpd might continuously crash.

1391160

RADIUS not working using management instance for IPv6 family

AAA with radius authentication not working for IPv6 family when using management instance [mgmt_junos] set system radius-server routing-instance mgmt_junos system management-instance

1391562

The bbe-smgd process might crash after committing config changes

In an enhanced subscriber management environment, the bbe-smgd process might crash after committing config changes, especially when some parts of the dynamic-profiles are modified.

Modification History:
First publication 2018-11-06