
18.2R2-S1: Software Release Notification for Junos Software Service Release version 18.2R2-S1

[TSB17514]


Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, EX, MX, PTX, VMX, VRR, vSRX, QFX, SRX, NFX, Network Agent
Alert Description:
Junos Software Service Release version 18.2R2-S1 is now available for download from the Junos software download site.
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Solution:

Junos Software Service Release version 18.2R2-S1 is now available.

PRs found and not fixed in 18.2R2-S1

PR Number Synopsis Description
1388979

On SRX5400, SRX5600, SRX5800 devices with SPC3, "show security ike security-association detail" command does not display "local IKE-ID" field correctly.

On SRX5400, SRX5600, SRX5800 devices with SPC3, "show security ike security-association detail" command does not display "local IKE-ID" field correctly.

1403037

On SRX5400, SRX5600, SRX5800 devices with SPC3, when Power Mode IPSec is enabled, the "show security flow statistics" and "show security flow session tunnel summary" will not count or display the number of packets processed within Power Mode IPsec because these packets do not go through regular flow path.

On SRX5400, SRX5600, SRX5800 devices with SPC3, when Power Mode IPSec is enabled, the "show security flow statistics" and "show security flow session tunnel summary" will not count or display the number of packets processed within Power Mode IPsec because these packets do not go through regular flow path.

1405699

Tunnel flapping without doing any dynamic activity in longevity test

On SRX5400, SRX5600, SRX5800 devices with SPC3, the number of DPD packets that SRX can handle is limited to 1000 per second. If we exceed this number, either because DPD always-send is configured or a large number of tunnels that have either DPD optimized mode or DPD probe-idle-tunnel configured are idle, then RG0 failover or longevity testing may see few tunnels going down.

1407251

On SRX5400, SRX5600, SRX5800 devices with SPC3, when the network topology has SRX device behind a NAT device, SRX may occasionally not initiate NAT-Traversal keepalive packets.

On SRX5400, SRX5600, SRX5800 devices with SPC3, when the network topology has SRX device behind a NAT device, SRX may occasionally not initiate NAT-Traversal keepalive packets.

1407356

On SRX5400, SRX5600, SRX5800 devices with SPC3, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE-IDs.

On SRX5400, SRX5600, SRX5800 devices with SPC3, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE-IDs.

1408723

On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured as an initiator to initiate IKE negotiation, sometimes if the initiated IKE negotiation fails (because of configuration mismatch with the peer), SRX might erroneously display IPsec tunnel as active and might show an incorrect count of active number of IPsec tunnels.

On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured as an initiator to initiate IKE negotiation, sometimes if the initiated IKE negotiation fails (because of configuration mismatch with the peer), SRX might erroneously display IPsec tunnel as active and might show an incorrect count of active number of IPsec tunnels.

1409855

On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey IPsec tunnel index may change. In such a scenario, there might be some traffic loss for a few seconds.

On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey IPsec tunnel index may change. In such a scenario, there might be some traffic loss for a few seconds.

1412316

Reauth Initiator: traffic drops on peer due to bad SPI after 1st re authentication

On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured to initiate IKEv2 reauthentication, upon a successful reauthentication IPsec tunnel index may change. In such a scenario, there might be some traffic loss.

1413619

On SRX5400, SRX5600, SRX5800 devices with SPC3, if an existing IKE gateway configuration is changed from AutoVPN to Site-to-Site VPN, the IKE negotiation behavior will continue to have "responder-only" mode.

On SRX5400, SRX5600, SRX5800 devices with SPC3, if an existing IKE gateway configuration is changed from AutoVPN to Site-to-Site VPN, the IKE negotiation behavior will continue to have "responder-only" mode.

1414193

On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured to initiate IKEv2 reauthentication when NAT traversal is active, occasionally reauthentication may fail.

On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured to initiate IKEv2 reauthentication when NAT traversal is active, occasionally reauthentication may fail.
     


 

The following are incremental changes in 18.2R2-S1.

 
PR Number Synopsis Description
1348249

BNG accounting-options - records written for operational down logical interfaces

When a logical interface (IFL) is operationally down, the accounting records for that IFL will not be written. Before this fix, the records were written without accounting info. As part of this fix, the records are written only if the IFL is admin up, which is similar to IFD behavior.

1367124

When activating security flow traceoptions, the unfiltered traffic is captured

On all SRX-Series platforms, when the flow traceoptions with the packet-filter are enabled, the traces of other sessions that are not configured in the packet-filter might be captured in the logs. However, when the packet-filters are removed, the traces are dumped into the log file for some time (<30 seconds).

1369646

error: peer_daemon: bad daemon: scpd on EX9251 running 18.1R1 and 18.1R2

The scpd process is not running on EX9251, so the CLI throws an error while trying to fetch details from the scpd process in recent releases.

1374248

The filter service might fail to get installed for the subscriber in a scaled BBE scenario

On MX platforms with enhanced subscriber management enabled, if the subscriber profile initiates a filter service for each subscriber, and a large number of Broadband Edge (BBE) subscribers (e.g. 10k) log in and out repeatedly, the filter service might fail to get installed for the subscriber due to this issue. In some rare conditions, it might also lead to a Flexible PIC Concentrator (FPC) crash.

1381940

The rpd process would crash if deactivating the Autonomous-System (AS) in an EVPN scenario.

If the parameter "auto" is set to the statement "vrf-target" within an instance-type of EVPN/virtual-switch, the rpd process would crash after deactivating the Autonomous-System (AS) configured.

1382249

The rpd might crash on backup RE after switchover

If vrf-table-label is configured for a VRF routing-instance, after executing GRES or ISSU, the label (VRF table) which is not released may be reused by another VRF. This might cause an rpd core on the backup RE.

1384440

BUM (Broadcast, Unknown Unicast and Multicast) traffic may get dropped on peer Fusion Aggregation Device when link between Satellite Device and local Aggregate Device goes down

BUM (Broadcast, Unknown Unicast and Multicast) traffic may get dropped on peer Fusion Aggregation Device when link between Satellite Device and local Aggregate Device goes down

1388454

The lsi binding for the IPv6 neighbor is missing.

On ACX, EX, MX, QFX and Virtual Chassis Fabric platform, if irb interface is configured under VPLS instance, after switchover the lsi binding for the IPv6 neighbor might be missing.

1389120

Unexpected packet loss might be seen for some multicast groups during failure recovery with both MoFRR and PIM automatic MBB join load-balancing features enabled

On all Junos platforms which support both Multicast-Only Fast Reroute(MoFRR) and PIM automatic Make-Before-Break(MBB) join load-balancing features, if both features are enabled, and there is an upstream link failure happening, unexpected packet loss might be seen during failure recovery for some multicast groups due to this issue.

1394427

A few VPN tunnels do not forward traffic after RG1 failover.

A few VPN tunnels do not forward traffic after RG1 failover when traffic-selector is configured in the AutoVPN.

1397210

40G/100G ports may take a long time (about 30s) to link up on SRX4600 platform.

On SRX4600 platforms, 40/100 Gigabit QSFP Ethernet ports might take a long time (about 30s) to link up after multiple link down/up events.

1397742

Fragmentation and ALG support for Power Mode IPSec

Prior to the 18.2R2-S1 release, when Power Mode IPsec feature was enabled, and fragmented traffic is received by the SRX on an IPsec tunnel, the tunnel was moved from Power Mode IPsec to regular Flow IPSec mode. Similarly, if any flow session using Power Mode IPsec required advanced services like ALG, then this tunnel would switch to regular Flow IPsec. From the Junos 18.2R2-S1 release, SRX has enhanced support for Power Mode IPsec to handle fragmentation (both pre and post frag) and advanced L7 services. When a tunnel is enabled to use Power Mode IPsec and SRX receives a fragmented IP packet, only this clear-text flow session is processed in Flow mode to merge or split the packets. After the fragmentation processing, this clear-text flow session's packets will continue to process in PMI for the non-fragmented packets. So with this design, the performance impact is isolated only to fragmented packets. The other sessions which are using this IPsec tunnel will continue processing packets in Power Mode IPsec throughout.

1397992

Extended Port (EP) LAG may go down on the Satellite Devices (SDs) if the related Cascade Port (CP) links to an Aggregation Device (AD) go down

In a Junos Fusion Data Center, if one Aggregation Device (AD) is isolated by disabling the Inter Chassis Link (ICL) and all cascade ports (links between AD and SD), and later only the ICL is re-enabled on the AD, then EP-LAG LACP will go down. This issue will not be seen if the ICL is up and only the AD-SD links go down.

1398685

The rpd soft core might be seen when L2VPN is used.

RPD provides a mechanism to validate that route selection has successfully been done. When errors in route selection are detected, a soft core is dropped: RPD remains running, a single core file is dropped, it is rate limited to not do this frequently. When running L2VPN, BGP MED selection may be inappropriately run on the routes. As a result, the route selection sanity code will notice an unexpected result and leave a soft core.

1399878

SFP-LX10 does not work on QFX5110

On QFX5110 platforms, from Junos 17.3 onwards, the interfaces with SFP-LX10 transceivers and auto-negotiation enabled(default configuration) might be down.

1401506

The subscriber route installation failed because some interface states are not properly installed

In a BBE subscriber scenario with subscribers built on AE interfaces, operations that cause a great deal of interface states to be published from BBE (Broadband Edge) to the kernel (such as a system/FPC reboot or a massive amount of link flapping) might leave some interface states not properly installed (with an invalid Next-Hop that has no selector). This might cause subscriber route installation failure and traffic drop.

1402255

BGP router on the same broadcast subnet with its neighbors might cause IPv6 routing issue on the neighbor from other vendors

RFC 2545 has a limitation on third-party next-hops where the next hop is propagated unchanged. Due to this limitation, the Border Gateway Protocol (BGP) router attaches its own IPv6 link-local address in the next hop and advertises the route to its BGP neighbor. This could introduce a routing issue on a BGP neighbor from another vendor (e.g. Cisco) and put the BGP router itself in the traffic path unexpectedly. This issue will not be seen on Juniper devices because the IPv6 link-local address is not selected as next hop.

1402342

Traffic loss seen in IGMP subscribers after GRES.

There is a chance that some subscribers may not have IPTV post GRES. This condition will be seen if subscribers are logged in before the system has initialized fully or if dynamic profiles are changed with subscriber activity.

1402834

Host outbound traffic might be dropped on MPC7/8/9

On MX platforms with enhanced subscriber management enabled, if the Junos release is 18.2X75-D10, 17.4R2, 18.1R2 and onwards, in which turbo TX is supported and enabled, when "class-of-service host-outbound-traffic" is configured, host outbound traffic (e.g. ARP, ISIS, OSPF, etc.) might be dropped on MPC7/8/9.

1402855

NFX150 device is throwing syntax error for cli command "show cli device-list"

'device-list' option in the CLI of NFX devices disappeared on 18.2 releases. This issue has been fixed.

1403480

Smg-service can become unresponsive

Issuing the CLI show command "show services soft-gre tunnel" and then changing configuration of the router can make smg-service unresponsive, e.g.:

regress@leonis> show system subscriber-management statistics
error: timeout communicating with smg-service daemon

1403517

Transit UDP 500/4500 traffic is not passing across SRX5k when using SPC3

On SRX5k platforms with SPC3 card, IPSec tunnels passing through the SRX may not come up, due to the IKE packets getting dropped. This issue occurs only if slot 0 does not contain an SPC3 card in CP/Flow mode.

1403881

EVPN multi-homing MAC might not be installed by remote PE.

In EVPN-MPLS multi-homing scenario, on MX series and with Junos 18.2R2, multi-homing MAC entries learnt from remote EVPN peers, may not be installed in the MAC table.

1404239

MAP-E some ICMP Types can't be encap/decap on SI interface

Support for MAP-E encapsulation and decapsulation on Inline-service interface (MX2010) - MX routers support MAP-E encapsulation and decapsulation on the following ICMP message types on Inline-service interface:
  - Time Exceeded (type 11)
  - Destination unreachable (type 3)
  - Source quench (type 4)
  - Parameter problem (type 12)
  - Address mask request/reply (type 17/18)
  - Redirect (type 5)

1404259

Inconsistent content may be observed to the access line information between ICRQ and PPPoE message

In a subscriber management environment, ICRQ message sent from LAC (MX series) may contain inconsistent content if comparing it to the field "Access-Loop-Encapsulation" within the PPPoE message.

1404857

EVPN database and bridge mac-table are out of sync post core link flap

EVPN database and bridge mac-table are out of sync post core link flap

1404985

Syslog is not generated when ike gateway rejects duplicate IKE ID connection.

On SRX5400, SRX5600, SRX5800 devices with SPC3, when reject-duplicate-connection is configured in IKE configuration, if SRX detects the duplicate user, SRX rejects the duplicate connection as expected. Currently SRX does not generate error-message/syslog-message for this case.

1405318

Config load override or load replace resets ANCP neighbours

In an ANCP (Access Node Control Protocol) scenario, if a configuration load override or load replace is executed, all ANCP neighbour sessions might be restarted after the commit operation, even without any ANCP configuration change.

1406020

Not all the tunnels are deleted when authentication algorithm in ipsec proposal is changed.

On SRX5400, SRX5600, SRX5800 devices with SPC3, occasionally, when an IKE/IPSec configuration change is done for AutoVPN, SRX may not clear all IPSec SAs. 

1406210

The flowd process crashes and all cards are brought offline

On all SRX platforms, in a rare condition, the flowd process might crash if there is a route change for IPSec tunnel traffic and the traffic does not go through the tunnel after reroute. This issue might cause all cards to go offline.

1406807

In an L2 domain (e.g. bridge-domain, VPLS) there is unexpected flooding of unicast traffic approximately every 40 sec towards all local CE-facing interfaces.

The locally learned MACs are installed as DMAC on PFEs hosting the backup path. In this scenario when the backup path PFE starts carrying the traffic, the PFE will send multicast MLP Query to other PFEs. In response to MLP query the other PFE will send the MLP_ADD message with aging timer as 40s. This 40s timer does not refresh with traffic so when the timer expires it causes flooding until it relearns the MAC entry via other PFE with 40sec timer. With the fix the PFE will send a MLP query to the hostpath (l2alm+l2ald) too so MAC aging timer is updated to 300 sec which gets refreshed with traffic.

1407231

Support for LAG interface with Power Mode IPSec

On SRX5400, SRX5600 and SRX5800 devices with SPC3, LAG interface as IPsec external interface for Power Mode IPsec was not previously supported. With 18.2R2-S1 release, Power-Mode-IPsec now supports LAG interface as IPsec external interface. (See also PR:1409034)

1407910

Multiple Flowd cores were observed with IPSec acceleration with fragmentation traffic

On SRX5400, SRX5600 and SRX5800 devices with SPC3, before this PR was addressed, in certain scenarios the incoming packet's flow context information was not reset correctly when the packet was dropped in the IPsec acceleration module. This caused subsequent packets to be incorrectly processed as IPsec packets and resulted in the crash. To address this issue, SRX now resets the flow context before dropping the packet in all relevant modules, including the IPsec acceleration module.

1408749

RPD core dump after NSR switchover

New master RE RPD may core if there's a churn specifically with EVPN routes just before NSR switchover.

1410972

Resources might be reserved for stale RSVP LSP when RSVP is disabled on the interface

If Resource Reservation Protocol (RSVP) is disabled on the incoming interface of a transit Label-Switching Router (LSR) along Label Switched Path (LSP) requesting link protection, no PathTear message is sent downstream. Hence all LSRs downstream retain the LSP till the state ages out. As the LSRs use long refresh interval by default, it will take approximately an hour and a half for the LSP to age out on the downstream LSRs.

Modification History:
Update content date 2019-02-06
First publication date 2019-01-30