BNG accounting-options - records written for operational down logical interfaces

When a logical interface (IFL) is operationally down, the accounting records for that IFL will not be written. Before this fix, the records are written without accounting info.. As part of this fix, the records are written only if the IFL is admin up which is similar to IFD behavior.

When activating security flow traceoptions, the unfiltered traffic is captured

On all SRX-Series platforms, when the flow traceoptions with the packet-filter are enabled, the traces of other sessions that are not configured in the packet-filter might be captured in the logs. However, when the packet-filters are removed, the traces are got dumped into the log file for some time <30 seconds.

error: peer_daemon: bad daemon: scpd on EX9251 running 18.1R1 and 18.1R2

the scpd process is not running in EX9251. So, the CLI throws an error while trying to fetch details from the process scpd in recent releases. 

The filter service might fail to get installed for the subscriber in a scaled BBE scenario

On MX platform enabled with enhanced subscriber management, if the subscriber profile initiates a filter service for each subscriber, and there are large scale of Broadband Edge (BBE) subscribers (e.g. 10k) logging in and out repeatedly, the filter service might fail to get installed for the subscriber due to this issue. In some rare condition, it might also lead to the Flexible PIC Concentrator (FPC) crash.

The rpd process would crash if deactivating the Autonomous-System (AS) in an EVPN scenario.

If the parameter "auto" is set to the statement "vrf-target" within an instance-type of EVPN/virtual-switch, the rpd process would crash after deactivating the Autonomous-System (AS) configured.

The rpd might crash on backup RE after switchover

If vrf-table-label is configured for VRF routing-instance, after executing GRES or ISSU, the label (VRF table) which is not be released may be reused by another VRF. This might cause an rpd core on backup RE.

BUM (Broadcast,Unknown Unicast and Multicast) traffic may get dropped on peer Fusion Aggregation Device when link between Satellite Device and local Aggregate Device goes down

BUM (Broadcast,Unknown Unicast and Multicast) traffic may get dropped on peer Fusion Aggregation Device when link between Satellite Device and local Aggregate Device goes down

The lsi binding for the IPv6 neighbor is missing.

On ACX, EX, MX, QFX and Virtual Chassis Fabric platform, if irb interface is configured under VPLS instance, after switchover the lsi binding for the IPv6 neighbor might be missing.

Unexpected packet loss might be seen for some multicast groups during failure recovery with both MoFRR and PIM automatic MBB join load-balancing features enabled

On all Junos platforms which support both Multicast-Only Fast Reroute(MoFRR) and PIM automatic Make-Before-Break(MBB) join load-balancing features, if both features are enabled, and there is an upstream link failure happening, unexpected packet loss might be seen during failure recovery for some multicast groups due to this issue.

A few VPN tunnels do not forward traffic after RG1 failover.

A few VPN tunnels do not forward traffic after RG1 failover when traffic-selector is configured in the AutoVPN.

40G/100G ports may take a long time(about 30s) to link up on SRX4600 platform.

SRX4600 platforms with 40/100 Gigabit QSFP ethernet ports link up time take long time(about 30s) after multiple times link down/up.

Fragmentation and ALG support for Power Mode IPSec

Prior to the 18.2R2-S1 release, when Power Mode IPsec feature was enabled, and fragmented traffic is received by the SRX on an IPsec tunnel, the tunnel was moved from Power Mode IPsec to regular Flow IPSec mode. Similarly, if any flow session using Power Mode IPsec required advanced services like ALG, then this tunnel would switch to regular Flow IPsec. From the Junos 18.2R2-S1 release, SRX has enhanced support for Power Mode IPsec to handle fragmentation (both pre and post frag) and advanced L7 services. When a tunnel is enabled to use Power Mode IPsec and SRX receives a fragmented IP packet, only this clear-text flow session is processed in Flow mode to merge or split the packets. After the fragmentation processing, this clear-text flow session's packets will continue to process in PMI for the non-fragmented packets. So with this design, the performance impact is isolated only to fragmented packets. The other sessions which are using this IPsec tunnel will continue processing packets in Power Mode IPsec throughout.

Extended Port (EP) LAG may go down on the Satellite Devices (SDs) if the related Cascade Port (CP) links to an Aggregation Device (AD) goes down

In a Junos Fusion Data Center if one Aggregation Device (AD) is isolated by disabling Inter Chassis Link (ICL) and all cascade ports (Link between AD and SD) and later if only ICL is reenabled on the AD then EP-LAG LACP will go down.This issue will not be seen if ICL is up and only AD-SD links go down.

The rpd soft core might be seen when L2VPN is used.

RPD provides a mechanism to validate that route selection has successfully been done. When errors in route selection are detected, a soft core is dropped: RPD remains running, a single core file is dropped, it is rate limited to not do this frequently. When running L2VPN, BGP MED selection may be inappropriately run on the routes. As a result, the route selection sanity code will notice an unexpected result and leave a soft core.

SFP-LX10 does not work on QFX5110

On QFX5110 platforms, from Junos 17.3 onwards, the interfaces with SFP-LX10 transceivers and auto-negotiation enabled(default configuration) might be down.

The subscriber route installation failed due to some interfaces states are not properly installed

On BBE subscriber scenario with subscribers built on AE interfaces, if doing some operations that trigger a great deal of interface states are published from BBE (Broadband Edge) to kernel (such as, System/FPC reboot or a massive amount of link flapping), some interfaces states could not be properly installed (with an invalid Next-Hop that has no selector). It might cause subscriber route installation failure and traffic drop.

BGP router on the same broadcast subnet with its neighbors might cause IPv6 routing issue on the neighbor from other vendors

RFC 2545 has limitation on third-party next-hops where the next hop is propagated unchanged. Due to this limitation, Border Gateway Protocol (BGP) router attaches its own IPv6 link-local address in the next hop and advertise the route to its BGP neighbor. This could introduce the routing issue on the BGP neighbor from other vendor (e.g. Cisco) and put the BGP router itself in the traffic path unexpectedly. This issue will not be seen on Juniper devices because IPv6 link-local address is not selected as next hop.

Traffic loss seen in IGMP subscribers after GRES.

There is a chance that some subscribers may not have IPTV post GRES. This condition will be seen if subscribers are logged in before the system has initialized fully or if dynamic profiles are changed with subscriber activity.

Host outbound traffic might be dropped on MPC7/8/9

On MX platforms with enhanced subscriber management enabled, if the Junos release is 18.2X75-D10, 17.4R2, 18.1R2 and onwards, in which turbo TX is supported and enabled, when "class-of-service host-outbound-traffic" is configured, host outbound traffic (e.g. ARP, ISIS, OSPF, etc.) might be dropped on MPC7/8/9.

NFX150 device is throwing syntax error for cli command "show cli device-list"

'device-list' option in the CLI of NFX devices disappeared on 18.2 releases. This issue has been fixed.

Smg-service can become unresponsive

Issuing the cli show command "show services soft-gre tunnel" and then changing configuration of the router can make smg-service unresponsive, eg regress@leonis> show system subscriber-management statistics error: timeout communicating with smg-service daemon

Transit UDP 500/4500 traffic is not passing across SRX5k when using SPC3

On SRX5k platforms with SPC3 card, IPSec tunnels passing through the SRX may not come up, due to the IKE packets getting dropped. This issue occurs only if slot 0 does not contain an SPC3 card in CP/Flow mode.

EVPN multi-homing MAC might not be installed by remote PE.

In EVPN-MPLS multi-homing scenario, on MX series and with Junos 18.2R2, multi-homing MAC entries learnt from remote EVPN peers, may not be installed in the MAC table.

MAP-E some ICMP Types can't be encap/decap on SI interface

Support for MAP-E encapsulation and decapsulation on Inline-service interface (MX2010) - Mx routers support MAP-E encapsulation and decapsulation on the following ICMP message types on Inline-service interface: - Time Exceeded (type 11) - Destination unreachable (type 3) - Source quench (type 4) - Parameter problem (type 12) - Address mask request/reply (type 17/18) - Redirect (type 5)

Inconsistent content may be observed to the access line information between ICRQ and PPPoE message

In a subscriber management environment, ICRQ message sent from LAC (MX series) may contain inconsistent content if comparing it to the field "Access-Loop-Encapsulation" within the PPPoE message.

EVPN database and bridge mac-table are out of sync post core link flap

EVPN database and bridge mac-table are out of sync post core link flap

Syslog is not generated when ike gateway rejects duplicate IKE ID connection.

On SRX5400, SRX5600, SRX5800 devices with SPC3, when reject-duplicate-connection is configured in IKE configuration, if SRX detects the duplicate user, SRX rejects the duplicate connection as expected. Currently SRX does not generate error-message/syslog-message for this case.

Config load override or load replace resets ANCP neighbours

In ANCP (Access Node Control Protocol) scenario, if executing configuration load override or replace, after the commit operation, All ANCP neighbour sessions might be restarted, even though without any ANCP configuration change.

Not all the tunnels are deleted when authentication algorithm in ipsec proposal is changed.

On SRX5400, SRX5600, SRX5800 devices with SPC3, occasionally, when an IKE/IPSec configuration change is done for AutoVPN, SRX may not clear all IPSec SAs. 

The flowd process crashes and all cards are brought off

On all SRX platforms, in a rare condition, the flowd process might crash if there is a route change for IPSec tunnel traffic and the traffic does not go through the tunnel after reroute. This issue might cause all cards off.

In an L2 domain (eg bridge-domain, VPLS) there is unexpected flooding of unicast traffic at approx every 40 sec towards all local CE-facing interface.

The locally learned MACs are installed as DMAC on PFEs hosting the backup path. In this scenario when the backup path PFE starts carrying the traffic, the PFE will send multicast MLP Query to other PFEs. In response to MLP query the other PFE will send the MLP_ADD message with aging timer as 40s. This 40s timer does not refresh with traffic so when the timer expires it causes flooding until it relearns the MAC entry via other PFE with 40sec timer. With the fix the PFE will send a MLP query to the hostpath (l2alm+l2ald) too so MAC aging timer is updated to 300 sec which gets refreshed with traffic.

Multiple Flowd cores were observed with IPSec acceleration with fragmentation traffic

On SRX5400, SRX5600 and SRX5800 devices with SPC3, before addressing this PR, in certain scenarios the incoming packets flow context information was not reset correctly when the packet was dropped in IPsec acceleration module. This caused subsequent packets to be incorrectly processed as IPsec packets and resulted in the crash. To address this issue, SRX now resets the flow context before dropping the packet in all relevant modules including IPsec acceleration module.

RPD core dump after NSR switchover

New master RE RPD may core if there's a churn specifically with EVPN routes just before NSR switchover.

Resources might be reserved for stale RSVP LSP when RSVP is disabled on the interface

If Resource Reservation Protocol (RSVP) is disabled on the incoming interface of a transit Label-Switching Router (LSR) along Label Switched Path (LSP) requesting link protection, no PathTear message is sent downstream. Hence all LSRs downstream retain the LSP till the state ages out. As the LSRs use long refresh interval by default, it will take approximately an hour and a half for the LSP to age out on the downstream LSRs.