Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

16.1R4-S12: Software Release Notification for Junos Software Service Release version 16.1R4-S12



Article ID: TSB17470 TECHNICAL_BULLETINS Last Updated: 13 Nov 2018Version: 1.0
Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, EX 4300 /4600 /9200, QFX5100, MX, PTX, VMX, VRR, NA, Network Agent
Alert Description:
Junos Software Service Release version is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as need and follow the prompts

Junos Software service Release version 16.1R4-S12 is now available.

The following are incremental changes in 16.1R4-S12.

PR Number Synopsis Description

ipv6 nexthop become reject after flapping fxp0 interface

If there is an ipv6 address configured on the management interface, and then the management interface is flapped via Junos CLIs - set interface <> disable and delete interface <> disable, it is observed that the locally configured ipv6 address is not usable because Duplicate Address Detection procedure was not triggered. You can delete and add the ipv6 address on the management interface to recover from this state.


The "show system users" CLI output displays users who are not using the router

The 'show system users' CLI output displays users who are not using the router. The 'request system logout' CLI command cannot clear the stale telnet sessions. This is a cosmetic issue, because 'show system connection' and the CLI process show only the current session.


Distributed multicast may not be forwarded to a subscriber interface

Even though multicast appears to be active with "show multicast route extensive" command, it is not forwarded to the subscriber interface.


RE may crash during NH addition in race condition.

When the RE switchover is performed, the new primary performs the NH additions corresponding to the routes being programmed on the system. During the unicast NH programming, there is a potential race condition wherein we might see the memory pointer associated with the relevant NH parameters return a NULL value and trigger kernel crash.


The enhancement of reporting total SBE errors when the corrected singlebit errors threshold of 32 is exceeded for MPC7E/MPC8E/MPC9E

For MPC7E/MPC8E/MPC9E on MX platform, there is an enhancement to increase the threshold of corrected single-bit error from 32 to 1024 and change the alarm severity from Major to Minor for those error messages. There is no operational impact upon corrected single bit errors.


The rpd might crash after the primary link failure of link protection

If there are some LSPs for which a router has make link protection available and when primary link failure is caused by FPC restart, this core may occur.


The MPC with specific failure hardware might impact other MPCs in the same chassis

When certain MPC (Modular Port Concentrator) model like MPC4E has very specific hardware failure and it fails to boot up because of FPC (Flexible PIC Concentrator) internal I2C error, other FPCs may go offline.


Multiple next-hops may not be installed for IBGP multipath route after IGP route update

Multiple next-hops may not be installed for an internal BGP(IBGP) route received from a multipath-enabled peer when an active IBGP route from a non-multipath-enabled peer is changed to a new active route from a multipath-enabled peer due to interior gateway protocol(IGP) route update.


JSA10896 2018-10 Security Bulletin: Junos OS: Denial of service in telnetd (CVE-2018-0061)

A denial of service vulnerability in the telnetd service on Junos OS allows remote unauthenticated users to cause high CPU usage which may affect system performance.


[SIRT] Changing a corrupted logical interface might cause FPC crash

When interfaces involved with traffic path are irb and there is assymetic rounting for IPv6 traffic, if the IPv6 packet is egressing an irb interface that contains an MTU exceeded error or possibly an ICMP6 redirect, the "NH OUT OF SYNC" messages might be seen and traffic might drop.


The "dead" next-hop may be seen in BGP-LU scenario

In BGP Labeled Unicast (BGP-LU) scenario, if the device works as penultimate hop and receives BGP-LU routes with indirect next-hop from an egress router, after the operational next-hop interface corresponding to those labeled routes flaps, a "dead" next-hop type (discard action is performed for this type) may be set for the related clone routes (s=0) and still there even the next-hop interface is operational again.


MX Series: L2ALD daemon may crash if a duplicate MAC is learned by two different interfaces (CVE-2018-0056)

MX Series: L2ALD daemon may crash if a duplicate MAC is learned by two different interfaces (CVE-2018-0056); Refer to for more information.


JSA10892 2018-10 Security Bulletin: Junos OS: authd allows assignment of IP address requested by DHCP subscriber logging in with Option 50 (Requested IP Address) (CVE-2018-0057)

Junos OS: authd allows assignment of IP address requested by DHCP subscriber logging in with Option 50 (Requested IP Address) (CVE-2018-0057); For more details, please refer to for more information.


Commit error observed if box is downgraded from from 18.2/18.3 release to 17.3R3

Commit error observed if box is downgraded from from 18.2/18.3 release to 17.3R3 On loading the new image, certain stale symlinks from previous image contents need to be removed which impact mgd. In this case, the .slax script symlinks from /var/db/sripts/translation are not getting removed, which causes issues in the initial commit by mgd The issue is only seen when the previous image was having translation scripts (as part of Junos image) and the new image isn't have these translation scripts


~50% of PPPoE subscribers (PTA and L2TP) and all ESSM sub lost after post ISSU during DT CST stress test

In subscriber management scenarios with pppoe access models, during ISSU, it is possible to lose a small number of active subscribers after the ISSU is completed if certain timing conditions occur. These timing conditions may trigger session database related discrepancies between the jpppd daemon and the underlying statesync infrastructure causing the subscriber record loss. These subscribers, however, should be able reconnect right away minimizing any service outage.


The route stuck might be seen after BGP neighbor and route flapping

It is route installation failure case which is not handled properly in BGP multipath scenario. It might cause traffic loss.


Some subscriber might be stuck in terminating state in L2TP scenario

In corner case, a race condition might be simulated by multiple daemon restart (authd, jl2tpd, jpppd) which might terminate cleanup of a few subscribers leaving behind them stale. Once the stale session are found, they can be cleaned up by another jpppd restart.


Some error logs might be seen on MX2010/MX2020 routers equipped with SFB2

On MX2010/MX2020 routers equipped with SFB2 (Switch Fabric Board 2), some error messages could be occasionally seen in the logs. There is no operational impact nor an indication of a real issue caused by these messages.


L2TP subscriber firewall filter might not be removed from PFE when routing-services are enabled in the dynamic profile

On MX platform which support Next Generation Subscriber Management (Tomcat), when the Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) is enabled, if the dynamic-profiles are configured with the knob "routing-services" and the firewall filter, the firewall filter might not be removed from Packet Forwarding Engine (PFE) after subscriber logout. Due to this issue, the firewall filter index might be used up and then no more subscriber could login.


RSVP authentication may fail between some Junos releases and cause traffic loss during local repair

When Resource Reservation Protocol (RSVP) link or node protection is deployed and RSVP authentication is used, if the PLR (Point of Local Repair) router and the MP (Merge Point) router run different versions of Junos software during local repair, i.e. one a >= 16.1 release and the other a < 16.1 release, the RSVP authentication errors may occur for the bypass Multiprotocol Label Switching (MPLS) Label Switched Path (LSP) and cause traffic loss.


The packet which size exceeds 8k bytes might be dropped by MS-MPC in ALG scenario

ALG cannot process IP datagrams exceeding 8k bytes size, the packets are dropped by junos-alg plugin. Plugin related packet drop counter captures these drops. If IP datagram is not related to ALG sessions, then junos-alg plugin is nothing to do with them and they are ignored (ALG plugin won't drop).


BBE SMGD core on FPC restart

An FPC restart or FPC core under heavy lead would lead to bbe-smgd to core. Core is due to cleanup issues with the VLAN creations in flight.


The Routing Engine might crash after non-GRES switchover

When LAG-enhanced is disabled, one child next hop is created for each member link of a LAG interface. During the Non-GRES switchover, the kernel memory might be exhausted, which leads to the creation failure of the child next hop, hence the Routing Engine crash happens. This crash can be avoided by enabling LAG-enhanced.


JNH memory leaks in multicast scenario with MoFRR enabled

On MX platform, with Multicast-Only Fast Reroute (MoFRR) enabled, if doing any change that causes to create a new rpf nexthop, JNH memory leak might be seen.


NAT64 does not translate ICMPv6 Type 2 packet (packet is too big) correctly when MS-DPC is used for NAT64

On MX platforms with MS-DPC used for NAT64, if ICMPv6 Type 2 packet is received, NAT64 translates the source address and destination address in the packet wrongly.


Few L2BSA subscriber IFLs are left behind in SMD infra and kernel after logout

Few L2BSA subscriber IFLs are left behind in SMD infra and kernel after logout. When same subscriber (same ifd+vlan as stale IFL) attempts to login again, subscriber cannot become active unless duplicate VLAN IFL is deleted from SMD infra and kernel.


JSA10883: Junos OS: Receipt of a specifically crafted malicious MPLS packet leads to a Junos kernel crash (CVE-2018-0049)

Junos OS: Receipt of a specifically crafted malicious MPLS packet leads to a Junos kernel crash (CVE-2018-0049). Please refer to for more information.


Some subscribers fail to get SRL service as provided in Radius accept message even though the Radius messages can be sent and received

In Dual-stack PPP/PPPoE-based subscriber scenario, when V4+V6 service is installed with family v4, if some daemon (such as dfwd) fails to add family inet6 IFF during instantiation of the family inet6 portion of some services (such as SRL service), thus family activation for family inet6 would fail. But only the family inet6 portion of service should be removed. The family inet and L2 services such as CoS should be unchanged, but it does not. So some subscribers cannot get some services (such as SRL service) even though the Radius messages can be sent and received. It is a timing specific issue.


Subscribers not able to login after double GRES, after reboot, or after config.

Rarely Over GRES or RE reboot, subscribers of all access types were not able to login. bbe-smgd daemon restart potentially can solve the issue.


The ipv6 subscriber may fail to log in on LNS side

In subscriber management scenario, IPv6 subscriber, having DHCPv6 Unique Identifier (DUID) type 2 format used for identification, may not be identified, because the LNS device is not able to extract the MAC address from DUID in type 2 format.


The rpd core might be seen when the 'show krt queue' command is executed and stopped abruptly

On all Junos platforms, when there are entries in krt-queue and the 'show krt queue' command is executed and then the command output is stopped abruptly, the rpd core might be observed. Then some protocol sessions might flap and traffic may be dropped until rpd restarts and converges.


RADIUS accounting statistics are not cleared after subscriber logout

On MX platform, if static demux interface over underlying is configured, after subscriber logout, the accounting statistics are not cleared.


The bbe-smgd process generates repeated core-dumps and stops running as a result of long term session database shared memory corruption.

On MX platforms, if committing config involving changes to dynamic profiles, the bbe-smgd process might generate repeated core-dumps and stop running as a result of the corruption of database session shared memory.


IGMP group threshold exceed log message prints a wrong demux IFL

When a Subscriber sends IGMP Group memberships more than the configured threshold number, then a log message is printed with a wrong demux IFL


The BNG might not respond with PADO and create any demux interface when PPPoE PADI packet is received

In PPPoE subscriber with dynamic demux interface scenario, when the PPPoE connection was torn down and not cleaned up correctly, the BNG might not respond with PPPoE PADO (PPPoE Active Discovery Offer) and create any demux interface on incoming PPPoE PADI (PPPoE Active Discovery Initiation) packets. The issue results in the PPPoE connection fails.


All the BGP sessions will flap after switchover

With GRES and NSR enabled, if executing swithcover, all the BGP session might flap.


The bbe-smgd process might crash after commiting config changes

In enhanced subscriber management environment, the bbe-smgd process might crash after commiting config changes, especially when some parts of the dynamic-profiles are modified.

Modification History:
First publication 2018-11-13
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search