18.2R2-S1: Software Release Notification for Junos Software Service Release version 18.2R2-S1
PR Number | Synopsis | Category: This is for Hw & Sw issues which are special for SPC3 car |
---|---|---|
1407064 | The RG1 failover does not happen immediately when the SPC3 card crashes. |
On SRX5400/5600/5800 platforms with SPC3 used, the traffic outage might last for 5-15 minutes because the RG1 failover is not triggered immediately when flowd coredump happens. |
PR Number | Synopsis | Category: Accounting Profile |
1348249 | BNG accounting-options - records written for operational down logical interfaces |
When a logical interface (IFL) is operationally down, the accounting records for that IFL will not be written. Before this fix, the records were written without accounting info. As part of this fix, the records are written only if the IFL is admin up, which is similar to IFD behavior. |
PR Number | Synopsis | Category: "agentd" software daemon |
1394927 | WITHDRAWN: Junos OS: gRPC hardcoded credentials may allow unauthorized access to systems with Junos Network Agent installed (REJECTED) |
NO RISK. CVE REJECTED. 04-11-2019: Further investigation has determined that this issue has no impact. While the credentials exist in affected releases there is no way to exploit this issue, and even if the issue were exploitable, there would be no impact. Refer to https://kb.juniper.net/JSA10923 for more information. |
PR Number | Synopsis | Category: access node control protocol daemon |
1405318 | Configuration load override or load replace resets ANCP neighbors. |
In an ANCP (Access Node Control Protocol) scenario, if a configuration load override or load replace is executed, all ANCP neighbor sessions might be restarted after the commit operation, even without any ANCP configuration change. |
PR Number | Synopsis | Category: MX Layer 2 Forwarding Module |
1388454 | The LSI binding for the IPv6 neighbor is missing. |
On ACX, EX, MX, QFX and Virtual Chassis Fabric platforms, if an IRB interface is configured under a VPLS instance, the LSI binding for the IPv6 neighbor might be missing after switchover. |
PR Number | Synopsis | Category: Control Plane and Infrastructure for the B-54 program |
1369646 | error: peer_daemon: bad daemon: scpd on EX9251 running 18.1R1 and 18.1R2 |
The scpd process is not running on EX9251, so the CLI throws an error while trying to fetch details from the scpd process in recent releases. |
PR Number | Synopsis | Category: BBE interface related issues |
1401506 | The subscriber route installation failed because some interfaces states are not properly installed. |
In a BBE subscriber scenario with subscribers built on AE interfaces, operations that cause a large number of interface states to be published from BBE (Broadband Edge) to the kernel (such as a system/FPC reboot or a massive amount of link flapping) might leave some interface states improperly installed (with an invalid Next-Hop that has no selector). This might cause subscriber route installation failure and traffic drop. |
1403480 | Smg-service could become unresponsive when doing some GRE-related CLI operations. |
On BNG (Broadband Network Gateway) or subscriber scenario, when doing GRE related CLI operations and config commit, smg-service could become unresponsive and the bbe-smgd core might happen. The effect detail depends on if there is a crash and what is happening during a crash. Generally it would not cause a crash, but if the resulting concurrent access occurs, it might lead to a crash, thus the bbe-smgd would restart and restore state. In the meantime the service might be affected but it would be temporary. |
PR Number | Synopsis | Category: Border Gateway Protocol |
1398685 | The rpd soft core files and inappropriate route selection might be seen when Layer 2 VPN is used |
The rpd provides a mechanism to validate that route selection has successfully been done. When errors in route selection are detected, a soft core is dropped: the rpd remains running, a single core file is dropped, it is rate limited to not do this frequently. When running L2VPN, BGP MED selection may be inappropriately run on the routes. As a result, a soft core is created, and features that rely on skipping such routes such as BGP add-paths, may advertise an alternate path that is inappropriate. |
1402255 | On the multi-access/broadcast network, third party BGP router might unexpectedly select RR router as next-hop to forward the IPv6 traffic. |
RFC 2545 has a limitation on third party next-hops where the next hop is propagated unchanged. Due to this limitation, BGP inet6 Route-Reflector router attaches the BGP neighbor's IPv6 global address and its own IPv6 link-local address as the next-hops while advertising the route to another BGP neighbor. This could introduce the forwarding issue on the BGP neighbor from other vendors if their device picks up the link-local address as next-hop. This would put the BGP RR router in the traffic forwarding path unexpectedly. This issue will not be seen on Juniper devices because IPv6 link-local address would not be selected as prefix's next hop. |
1403881 | EVPN multi-homing MAC might not be installed by remote PE. |
In EVPN-MPLS multi-homing scenario, on MX series and with Junos 18.2R2, multi-homing MAC entries learnt from remote EVPN peers, may not be installed in the MAC table. |
PR Number | Synopsis | Category: Firewall Filter |
1394922 | Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036) |
Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036); Refer to https://kb.juniper.net/JSA10925 for more information. |
PR Number | Synopsis | Category: EVPN control plane issues |
1381940 | The rpd process would crash if deactivating the Autonomous-System (AS) in an EVPN scenario. |
If the parameter "auto" is set to the statement "vrf-target" within an instance-type of EVPN/virtual-switch, the rpd process would crash after deactivating the Autonomous-System (AS) configured. |
1408749 | The rpd might crash after NSR switchover in EVPN scenario |
In BGP (Border Gateway Protocol) with EVPN (Ethernet VPN) scenario, after RE (routing engine) NSR (Nonstop active Routing) switchover, the rpd might crash on the new master RE when BGP is trying to withdraw an EVPN route which is mirrored from the old master but not yet active created in the routing table. Traffic disruption might be seen during the rpd crash. |
PR Number | Synopsis | Category: EVPN Layer-2 Forwarding |
1404857 | EVPN database and bridge mac-table are out of sync due to the interface's flap |
If some interfaces flap faster on the remote PE, the EVPN database and bridge mac-table might be out of sync on the local PE device. When this issue occurs, it may cause the impacted PE to broadcast packets to all the other PEs, and the broadcast packets might cause traffic congestion that results in packet loss. |
PR Number | Synopsis | Category: jl2tpd daemon |
1404259 | Inconsistent content may be observed to the access line information between ICRQ and PPPoE message |
In a subscriber management environment, ICRQ message sent from LAC (MX series) may contain inconsistent content if comparing it to the field "Access-Loop-Encapsulation" within the PPPoE message. |
PR Number | Synopsis | Category: Flow Module |
1367124 | When activating security flow traceoptions, the unfiltered traffic is captured. |
On SRX Series devices, when the flow traceoptions with the packet filter are enabled, the traces of other sessions that are not configured in the packet filter might be captured in the logs. However, when the packet filters are removed, the traces are dumped into the log file for some time less than 30 seconds. |
1397742 | Fragmentation and ALG support for Power Mode IPSec |
Prior to the 18.2R2-S1 release, when Power Mode IPsec feature was enabled, and fragmented traffic is received by the SRX on an IPsec tunnel, the tunnel was moved from Power Mode IPsec to regular Flow IPSec mode. Similarly, if any flow session using Power Mode IPsec required advanced services like ALG, then this tunnel would switch to regular Flow IPsec. From the Junos 18.2R2-S1 release, SRX has enhanced support for Power Mode IPsec to handle fragmentation (both pre and post frag) and advanced L7 services. When a tunnel is enabled to use Power Mode IPsec and SRX receives a fragmented IP packet, only this clear-text flow session is processed in Flow mode to merge or split the packets. After the fragmentation processing, this clear-text flow session's packets will continue to process in PMI for the non-fragmented packets. So with this design, the performance impact is isolated only to fragmented packets. The other sessions which are using this IPsec tunnel will continue processing packets in Power Mode IPsec throughout. |
1403517 | Transit UDP 500/4500 traffic might not pass across SRX5000 series devices when using SPC3/SPC2. |
On SRX5K platforms with an SPC3/SPC2 card and IKE-ESP ALG not enabled, when slot 0 does not contain an SPC3/SPC2 card in CP/Flow mode or the total number of SPC3/SPC2 cards in the chassis is more than 2, pass-through NAT-T or ESP traffic might not be transported, and the IPsec VPN tunnel will be broken. |
1406210 | The flowd process stops and all cards are brought offline. |
On all SRX platforms, in a rare condition, the flowd process might crash if there is a route change for IPsec tunnel traffic and the traffic does not go through the tunnel after the reroute. This issue might cause all cards to go offline. |
PR Number | Synopsis | Category: IPSEC/IKE VPN |
1394427 | A few VPN tunnels do not forward traffic after RG1 failover. |
A few VPN tunnels do not forward traffic after RG1 failover when traffic-selector is configured in the AutoVPN. |
1404985 | Syslog is not generated when the IKE gateway rejects a duplicate IKE ID connection. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, when reject-duplicate-connection is configured in IKE configuration, if SRX detects the duplicate user, SRX rejects the duplicate connection as expected. Currently SRX does not generate error-message/syslog-message for this case. |
1406020 | Not all the tunnels are deleted when the authentication algorithm in IPsec proposal is changed. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, occasionally, when an IKE/IPSec configuration change is done for AutoVPN, SRX may not clear all IPSec SAs. |
1407910 | Multiple flowd process files are observed with IPsec acceleration with fragmentation traffic. |
On SRX5400, SRX5600 and SRX5800 devices with SPC3, the incoming packets flow context information is not reset correctly when the packet is dropped in IPsec acceleration module. This will cause subsequent packets to be incorrectly processed as IPsec packets and results in the crash. To address this issue, SRX now resets the flow context before dropping the packet in all relevant modules including IPsec acceleration module. |
PR Number | Synopsis | Category: lacp protocol |
1391545 | The SNMP query on LACP interface might lead to lacpd crash |
If stale SNMP (Simple Network Management Protocol) index for LACP (Link Aggregation Control Protocol) interface exists and SNMP query is executed on the LACP interface, the lacpd might crash when trying to retrieve the stale SNMP index. The issue results in LACP negotiation failure during the lacpd restart. If "lacp periodic fast" is configured (which means LACP timeout is 3 seconds), the existing negotiated LACP interface might be impacted and traffic loss might be seen if the restart of the lacpd takes more than 3 seconds. |
PR Number | Synopsis | Category: Multiprotocol Label Switching |
1382249 | The rpd might crash on backup Routing Engine after switchover |
If vrf-table-label is configured for VRF routing-instance, after executing GRES or ISSU, the VRF table label which is not released may be reused by another VRF. This might cause an rpd core on backup RE. |
PR Number | Synopsis | Category: Track Mt Rainier RE platform software issues |
1343680 | i40e NVM upgrade support for PTX platforms |
Adding support for i40e NVM upgrade in PTX3000 platforms |
PR Number | Synopsis | Category: Protocol Independent Multicast |
1389120 | Unexpected packet loss might be seen for some multicast groups during failure recovery with both MoFRR and PIM automatic MBB join load-balancing features enabled |
On all Junos platforms that support both the Multicast-Only Fast Reroute (MoFRR) and PIM automatic Make-Before-Break (MBB) join load-balancing features, if both features are enabled and an upstream link failure occurs, unexpected packet loss might be seen during failure recovery for some multicast groups. |
PR Number | Synopsis | Category: Interface related issues. Port up/down, stats, CMLC , serdes |
1399878 | SFP-LX10 does not work on QFX5110 |
On QFX5110 platforms, from Junos 17.3 onwards, the interfaces with SFP-LX10 transceivers and auto-negotiation enabled (default configuration) might be down. |
PR Number | Synopsis | Category: Resource Reservation Protocol |
1410972 | Resources might be reserved for stale RSVP LSP when RSVP is disabled on the interface |
If Resource Reservation Protocol (RSVP) is disabled on the incoming interface of a transit Label-Switching Router (LSR) along Label Switched Path (LSP) requesting link protection, no PathTear message is sent downstream. Hence all LSRs downstream retain the LSP till the state ages out. As the LSRs use long refresh interval by default, it will take approximately an hour and a half for the LSP to age out on the downstream LSRs. |
PR Number | Synopsis | Category: SRX-1RU platform related protocol, QoS, filtering features et |
1397210 | 40 Gigabit Ethernet /100 Gigabit Ethernet ports may take a long time (about 30 seconds) to link up on SRX4600 platform. |
On SRX4600 platforms, 40/100 Gigabit QSFP Ethernet ports might take a long time (about 30 seconds) to link up after multiple link down/up events. |
PR Number | Synopsis | Category: MX10003/MX204 SW - UI specific defects |
1385361 | LED mibs broken on summit platforms |
IDX2 limit for MIC FRU was wrongly updated instead of taking from PVIDB schema. This was causing GET-NEXT to fail due to index validation failure. Hence SNMP walk on all the LED MIB was broken. |
PR Number | Synopsis | Category: Issues related to broadband edge apps (PPP, DHCP) on Trio ch |
1374248 | The filter service might fail to get installed for the subscriber in a scaled BBE scenario |
On MX Series platform enabled with enhanced subscriber management, if the subscriber profile initiates a filter service for each subscriber, and there are large scale of broadband edge (BBE) subscribers (for example, 10000) logging in and out repeatedly, the filter service might fail to get installed for the subscriber due to this issue. In some rare condition, it might also lead to the Flexible PIC Concentrator (FPC) crash. |
PR Number | Synopsis | Category: Trio pfe l3 forwarding issues |
1402834 | Host outbound traffic might be dropped on MPC7, MPC8, and MPC9. |
On MX platforms with enhanced subscriber management enabled, if the Junos release is 18.2X75-D10, 17.4R2, 18.1R2 and onwards, in which turbo TX is supported and enabled, when "class-of-service host-outbound-traffic" is configured, host outbound traffic (e.g. ARP, ISIS, OSPF, etc.) might be dropped on MPC7/8/9. |
PR Number | Synopsis | Category: Trio pfe sampling, services plumbing |
1401730 | The MAP-E IPv4 over IPv6 packets might not be balanced to multiple SI interfaces |
On MX-Series platforms with Mapping of Address and Port with Encapsulation (MAP-E) feature enabled, the MAP-E IPv4 over IPv6 packets might not be balanced to multiple SI interfaces if the equal-cost multipath (ECMP) is applied to it. |
1404239 | Some ICMP message types can't be encapsulated and decapsulated by MAP-E on SI interface |
On MX Series Routers with Mapping of Address and port Encapsulation (MAP-E) deployment scenario, the following ICMP message types can't be encapsulated and decapsulated by MAP-E on SI interface - type 3, 4, 5, 11, 12, 17, and 18 |
PR Number | Synopsis | Category: Trio pfe, vpls, mesh group software |
1406807 | In a Layer 2 domain, there might be unexpected flooding of unicast traffic at every 32-40 seconds interval towards all local CE-facing interface |
In a Layer2 domain (e.g. bridge-domain, VPLS), unexpected flooding of unicast traffic might be seen towards all local CE-facing interface if the FPC on the primary LSP is offline and the backup path PFE starts carrying the traffic. |
PR Number | Synopsis | Category: Ephemeral Database |
1407924 | Ephemeral DB might get stuck during commit |
On MX series with Junos 18.2R2, if committing configuration via the ephemeral configuration database, the ephemeral DB might get stuck and nothing is committed. |
PR Number | Synopsis | Category: UI Infrastructure - mgd, DAX API, DDL/ODL |
1402855 | NFX150 device is throwing syntax error for cli command "show cli device-list" |
'device-list' option in the CLI of NFX devices disappeared on 18.2 releases. This issue has been fixed. |
PR Number | Synopsis | Category: web filtering issues |
1406403 | SRX Series: srxpfe process crash while JSF/UTM module parses specific HTTP packets (CVE-2019-0052) |
SRX Series srxpfe process crash while JSF/UTM module parses specific HTTP packets (CVE-2019-0052); Refer to https://kb.juniper.net/JSA10946 for more information. |
PR Number | Synopsis | Category: V44 Aggregation Device Infra |
1384440 | BUM traffic may get dropped on peer Fusion Aggregation Device when the link between Satellite Device and local Aggregate Device goes down |
In the dual AD Junos Fusion setup, BUM (Broadcast, Unknown Unicast, and Multicast) traffic may get dropped on peer Fusion Aggregation Device when the link between Satellite Device and local Aggregate Device goes down. |
PR Number | Synopsis | Category: PFE on Satellite Device |
1397992 | Extended Port (EP) LAG may go down on the Satellite Devices (SDs) if the related Cascade Port (CP) links to an Aggregation Device (AD) goes down |
In a Junos Fusion Data Center, if one Aggregation Device (AD) is isolated by disabling the Inter Chassis Link (ICL) and all cascade ports (links between AD and SD), and later only the ICL is re-enabled on the AD, then EP-LAG LACP will go down. This issue will not be seen if the ICL is up and only the AD-SD links go down. |
PR Number | Synopsis | Category: Xellent Platform issues |
1442249 | JDI-PDT: Ping fails over interface in PTX-10002-60C , collateral damage in 18.2R2-S4.3 , Failed to get socket(-1) for index |
This is a timing issue during the sxe interface bring up (w.r.t i40e driver). This can be recovered by rebooting the complete board. |
PR Number | Synopsis | Category: EX2300/3400 PFE |
---|---|---|
1423310 | IPv6 multicast traffic received on one VC member might be dropped when egressing on other VC member if MLD snooping is enabled |
With MLD snooping enabled, IPv6 multicast traffic might be dropped on Virtual Chassis (VC) if ingress and egress interfaces are on different VC members. |
PR Number | Synopsis | Category: Gladiator PRs |
1345478 | PTX5k shows chassis alarm "FPC, Consumption > 90percent of allocated Budget" after software upgrade |
After the software upgrade FPC (fully loaded with PICs and optics) might raise the Minor chassis alarm "Consumption > 90percent of allocated Budget". |
PR Number | Synopsis | Category: This is for Hw & Sw issues which are special for SPC3 car |
1403000 | Chassis cluster stuck in CS state after flowd core |
On SRX5400, SRX5600, and SRX5800 devices with SPC3, it is possible that when multiple core files are generated in quick succession, the cold-sync-monitored status is displayed and cannot be removed even though cold-sync has finished. You must reboot the affected node to recover. |
PR Number | Synopsis | Category: Accounting Profile |
1403182 | CE_Customer: DT_BNG: PPPoE failed to auto-logout even if timeout was set to 900 seconds |
Pl. see AT |
PR Number | Synopsis | Category: "agentd" software daemon |
1401817 | The na-grpcd log file is not rotated and keeps growing until Routing Engine is out of disk space. |
In a JET/Telemetry scenario, the Telemetry log file is not rotated and keeps growing until the Routing Engine (RE) is out of disk space. This might have an unexpected impact on the RE and eventually lead to an RE crash. The fix sets the maximum allowable size to 50M; once the file reaches its maximum size, it is rotated and compressed. |
PR Number | Synopsis | Category: A15 specific issue |
1403872 | Split brain condition is experienced if the SPC2 or SPC3 card goes offline in the primary node. |
On all SRX5000 platforms, when the cluster has only a single SPC card in each node, if the SPC2/SPC3 card goes offline in the primary node, a split brain might occur. This could cause traffic loss. Rebooting both nodes recovers from this issue. |
PR Number | Synopsis | Category: A20/A40 IOC card |
1414460 | HA packets might be dropped on SRX5000 line of devices with IOC3 or IOC2 cards |
On SRX5K platform with IOC3 or IOC2 card installed, the HA packets (HA data plane RTOs and Z mode revenue) might be dropped by SPU and hence, HA fablink might get down. |
PR Number | Synopsis | Category: PFE issue for flowd on australia SPU |
1404726 | 18.2R2-SPC3-CCL:-"FPC 1 Major Errors" alarm was seen on node0. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, some HA packets might get dropped during RG1 failover, which triggers this alarm. This should not affect the HA functionality. |
PR Number | Synopsis | Category: common or misc area for SRX product |
1354395 | Multiple "Monitor-failures" seen on rg1 After ISSU completion from 17.4R1-S3 to 18.1R1.9 |
Multiple Monitor-failures errors are seen on the rg1 interface after ISSU completion from Junos OS Release 17.4R1-S3 to Junos OS Release 18.1R1.9. |
PR Number | Synopsis | Category: BBE Autoconfigured DVLAN related issues |
1413004 | PPPoE subscribers might not be able to log in after ISSU. |
In a subscriber-management environment, if subscribers are flapping during In-Service Software Upgrade (ISSU), some subscribers may get stuck and not be able to connect after ISSU is finished. |
PR Number | Synopsis | Category: BBE Resource monitoring related issues |
1396886 | Subscriber flapping might cause SMID resident memory leak. |
In MX subscriber management scenario, if the subscribers keep flapping, the SMID (subscriber management infrastructure daemon) memory leak is observed. When the SMID resident memory is exhausted, SMID will crash and subscriber session can't be established. |
PR Number | Synopsis | Category: Border Gateway Protocol |
1406241 | AR Soft reboot causing traffic loss. |
On RE NSR-switchover, sometimes BGP-LU-traffic experiences loss of 9 seconds |
PR Number | Synopsis | Category: PTX Chassis Manager |
1380056 | Remove the chassisd alarms for FPCs exceeding 90 percent of power budget and exceeding 100 percent of power budget |
Starting in Junos OS Release with this change, PTX Series Routers do not raise a chassis alarm in the following events; instead, it registers a system log. |
PR Number | Synopsis | Category: MX Platform SW - UI management |
1302637 | Dvaita JDI-RCT: error messages seen jnh_loadbalance_hashkey(1087): Unsupported Hash Mode. |
User configured packet hashing options for inet family under enhanced-hash-key may not take effect for TRIO based FPCs in MX platforms. FPC would keep using default behavior for hash calculation for IPv4 packets. |
1411062 | Slow SNMP response time on entityMIB might be seen in the fully loaded setup with many SFPs |
In the fully loaded setup with many SFPs, some SNMP queries might experience response delay due to higher priority daemons utilizing CPU resources. |
PR Number | Synopsis | Category: Enhanced Broadband Edge support for cos |
1413297 | During ISSU or merge virtual-chassis member back to the VC, CoS GENCFG writes failures may be observed |
In a subscriber management deployment, when performing ISSU or merging a virtual-chassis member back to the VC, CoS may be invalid and CoS GENCFG writes may fail. |
PR Number | Synopsis | Category: JUNOS Dynamic Profile Configuration Infrastructure |
1402342 | Traffic loss seen in IGMP subscribers after GRES. |
There is a chance that some subscribers may not have IPTV post GRES. This condition will be seen if subscribers are logged in before the system has initialized fully or if dynamic profiles are changed with subscriber activity. |
PR Number | Synopsis | Category: Ethernet OAM (LFM) |
1281073 | The cfmd process might continuously crash after upgrade |
The /var/db/cfm.db format is changed as part of PR 1249979 (which is fixed in 16.1R4-S2 16.1R5 17.1R3 17.2R1 17.3R1 trunk). With CFM configuration, if executing upgrade between releases which uses different db format, the continuous cfmd crashes might be seen after upgrade. |
PR Number | Synopsis | Category: Express PFE L3 Features |
1376366 | PFE wedge may be observed if there are interfaces going to down state |
On QFX10000 or certain PTX series platform, the Packet Forwarding Engine might get wedged if there are too many interfaces (for example, more than 35) with the physical or operational state changing to down, and for which the LACP force-up parameter is enabled, while the administration state is still up. |
PR Number | Synopsis | Category: Inline IPSEC PRs for defect & enhancement requests |
1405000 | RPT Services Regressions : IPSEC-All BGP peers are not coming up while testing BGP over IPSec functionality. |
To Be written. |
PR Number | Synopsis | Category: Integrated Routing & Bridging (IRB) module |
1410970 | Packets might be dropped if the traffic is forwarded through an LT interface |
On all Junos platforms, if the traffic is forwarded to IRB via an LT (Logical Tunnel) interface, packets might be dropped. |
PR Number | Synopsis | Category: jpppd daemon |
1413777 | LCP Echo-Replies with invalid Identifier look not to be silently discarded on MX side |
It was identified that LCP Echo-Replies with an invalid Identifier from the Client are all accepted by the BNG, and thereby from the outside it looks like the BNG is not completely conforming to the following statement of the PPP standard (RFC 1661) |
PR Number | Synopsis | Category: Application aware Quality-of-Service |
1394085 | Packet loss might occur on unrelated traffic when AppQoS rate limiter is applied on SRX4600 and SRX5000 devices using SPC3. |
On SRX4600 and SRX5K platform using SPC3, once AppQoS rate-limiter is applied to specific traffic, packet loss occurs on unrelated traffic continuously until reboot. |
PR Number | Synopsis | Category: Flow Module |
1403037 | On SRX5400, SRX5600, and SRX5800 devices with SPC3, when PowerMode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands do not count or display the number of packets processed within PowerMode IPsec, because these packets do not go through the regular flow path. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, when Power Mode IPSec is enabled, the "show security flow statistics" and "show security flow session tunnel summary" will not count or display the number of packets processed within Power Mode IPsec because these packets do not go through regular flow path. |
1407231 | Support for LAG interface with PowerMode IPsec. |
On SRX5400, SRX5600 and SRX5800 devices with SPC3, LAG interface as IPsec external interface for Power Mode IPsec was not previously supported. With 18.2R2-S1 release, Power-Mode-IPsec now supports LAG interface as IPsec external interface. |
1411486 | While PMI is on, IPsec-encrypted statistics on the Routing Engine show security ipsec statistics are not working anymore for fragment packets. |
While PMI is on, IPsec-encrypted statistics on the Routing Engine show security ipsec statistics are not working anymore for fragment packets. |
PR Number | Synopsis | Category: IPSEC/IKE VPN |
1357402 | Tunnel flap is seen after doing RG0 failover. |
On the SRX1500, SRX4xxx, SRX5000 platforms, the IPsec VPN tunnel may flap when doing RG0 failover in the chassis cluster. |
1388979 | On SRX5400, SRX5600, and SRX5800 devices with SPC3, the show security ike security-association detail command does not display local IKE-ID field correctly. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, "show security ike security-association detail" command does not display "local IKE-ID" field correctly. |
1389607 | With a large number of IPsec tunnels established, a few tunnels might fail during rekey negotiation if the SRX Series device initiates the rekey. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, with large number of IPSec tunnels established, few tunnels may fail during rekey negotiation if SRX initiates the rekey. |
1405515 | Idle IPsec VPN tunnels without traffic and with ongoing DPD probes can be affected during RG0 failover. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, idle IPsec VPN tunnels without traffic and with ongoing DPD probes will be affected during the RG0 failover window. IPsec VPN daemon in the new primary routing-engine may not be initialized on-time to respond to the DPD probes. |
1405699 | Tunnel flapping without doing any dynamic activity in longevity test |
On SRX5400, SRX5600, SRX5800 devices with SPC3, the number of DPD packets that SRX can handle is limited to 1000 per second. If we exceed this number, either because DPD always-send is configured or a large number of tunnels that have either DPD optimized mode or DPD probe-idle-tunnel configured are idle, then RG0 failover or longevity testing may see few tunnels going down. |
1405840 | The IKE and IPsec configuration under groups is not supported. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, occasionally, if an IKE or IPSec configuration (under groups hierarchy) change is done for one IKE gateway, the tunnel may be cleared for unrelated IKE/IPSec gateway. |
1407251 | On SRX5400, SRX5600, SRX5800 devices with SPC3, when the network topology has SRX device behind a NAT device, SRX may occasionally not initiate NAT-Traversal keepalive packets. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, when the network topology has SRX device behind a NAT device, SRX may occasionally not initiate NAT-Traversal keepalive packets. |
1407356 | On SRX5400, SRX5600, SRX5800 devices with SPC3, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE-IDs. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE-IDs. |
1408723 | On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured as an initiator to initiate IKE negotiation, sometimes if the initiated IKE negotiation fails (because of configuration mismatch with the peer), SRX might erroneously display IPsec tunnel as active and might show an incorrect count of active number of IPsec tunnels. |
On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured as an initiator to initiate IKE negotiation, sometimes if the initiated IKE negotiation fails (because of configuration mismatch with the peer), SRX might erroneously display IPsec tunnel as active and might show an incorrect count of active number of IPsec tunnels. |
1409855 | On SRX5400, SRX5600, and SRX5800 devices with SPC3, when the SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, the IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds. |
On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, when SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, the IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds. |
1412316 | IPsec traffic might drop after an IKEv2 reauthentication on SRX5K platforms with SPC3 card |
On SRX5400, SRX5600, SRX5800 devices with an SPC3 card, if IKEv2 reauthentication is configured on the SRX or on the peer, IPsec traffic may be lost upon a successful reauthentication. |
1412571 | The IKE rekey will fail if the remote peer is a device from another vendor |
On SRX5000 platforms with SPC3 cards, the IKE rekey will fail if the remote peer is a device from another vendor. This causes IPsec VPN failure and has traffic impact. |
1413619 | The established tunnels may remain unchanged when an IKE gateway is changed from AutoVPN to Site-to-Site VPN |
On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, if an existing IKE gateway configuration is changed from AutoVPN to Site-to-Site VPN, the IKE negotiation behavior remains in responder-only mode and the established tunnels may remain unchanged. |
1414193 | The reauthentication may fail when the device is configured to initiate IKEv2 reauthentication |
On SRX5400/SRX5600/SRX5800 devices with SPC3, when the device is configured to initiate IKEv2 reauthentication in a NAT traversal scenario, the reauthentication may fail. |
PR Number | Synopsis | Category: mc-ae interface |
1409508 | ICCP goes down and never comes up when static ARP/NDP to IRB peer is getting deleted |
Starting from 15.2, MC-LAG does not need a static entry (ARP/ND) for the remote IRB IP, as captured in PR 1075917 (CVBC PR 1119732). If the customer has already configured a static entry (ARP/ND) and tries to remove it on any version higher than 15.2, remote IRB ARP resolution does not happen automatically (when the static ARP configuration is present on the version and is removed). |
PR Number | Synopsis | Category: Multiprotocol Label Switching |
1401813 | Backup rpd crash may be observed due to incorrect label assignment |
With NSR enabled, when the master RPD is restarted, out-of-order add and delete messages can occasionally arrive on the backup RE, causing label assignment collisions that lead the backup RPD to crash. |
PR Number | Synopsis | Category: FreeBSD Kernel Infrastructure |
1410542 | The chassisd process might crash due to a thread locking defect |
A chassisd crash with a core dump file might be seen if an error occurs in the chassisd syslog functionality. Traffic is impacted as FPCs are restarted. |
PR Number | Synopsis | Category: JUNOS Network App Infrastructure (for ping, traceroute, etc) |
1409847 | Junos OS: Insufficient validation of environment variables in telnet client may lead to stack-based buffer overflow (CVE-2019-0053) |
In Junos OS, insufficient validation of environment variables in telnet client may lead to stack-based buffer overflow (CVE-2019-0053). Refer to https://kb.juniper.net/JSA10947 for more information. |
PR Number | Synopsis | Category: Path computation client daemon |
1395205 | Junos OS: Upon receipt of certain types of malformed PCEP packets the pccd process may crash. [CVE-2020-1601] |
Certain types of malformed Path Computation Element Protocol (PCEP) packets, when received and processed by a Juniper Networks Junos OS device serving as a Path Computation Element (PCE) in a PCEP environment using Juniper's path computational element protocol daemon (pccd) process, allow an attacker to cause the pccd process to crash and generate a core file, thereby causing a Denial of Service (DoS). Refer to https://kb.juniper.net/JSA10980 for more information. |
PR Number | Synopsis | Category: VMX PFE/RIOT related issues on BBE application |
1404595 | The L2TP packets are dropped by the vMX router |
There are two issues in the L2TP subscriber access scenario with a vMX (virtual MX) router used as a vLNS (virtual L2TP network server). Issue 1: if the firewall filter is enabled with the syslog/log action, the L2TP packets will be dropped. Issue 2: if the received packets are larger than the interface MTU, they will be dropped by the vLNS. |
PR Number | Synopsis | Category: Interface related issues. Port up/down, stats, CMLC , serdes |
1388591 | Error message "portmod_port_core_access_get: Invalid parameter" seen in log messages |
QFX5110 has both internal and external PHYs. The procedure to read FEC statistics from external PHYs is different from the one used to read from internal PHYs. When the APIs meant for internal PHYs are used on external PHYs, error messages are displayed. |
PR Number | Synopsis | Category: QFX Platform related (SYSLOG/ALARMS/miscellaneous) |
1405495 | DHCP Not working for some clients in dual AD fusion setup on EP ports. |
DHCP is not working for some clients in a dual AD fusion setup on EP ports. When the SD is not reachable to the peer AD, sdpd sends color 0 for color type MCAE and the kernel sends 0 to the AD PFE. The kernel has to convert this color to 0xFF before sending it to the AD PFE. |
PR Number | Synopsis | Category: QFX PFE Class of Services |
1393646 | QFX5100: [cos] [peak_stats] Peak buffer occupancy shown in wrong PG for lossless traffic after ISSU |
Due to a BCM SDK limitation, peak buffer occupancy is not displayed properly after ISSU. |
PR Number | Synopsis | Category: RPD Next-hop issues including indirect, CNH, and MCNH |
1407837 | MPLSoGRE/MPLSoUDP failed to create next-hop-based-tunnel when next-hop is directly connected interfaces. |
MPLSoGRE/MPLSoUDP failed to create next-hop-based-tunnel when next-hop is directly connected interfaces. |
PR Number | Synopsis | Category: SRX-1RU platform related protocol, QoS, filtering features et |
1381653 | During SRX1500, SRX4100, SRX4200, SRX4600 and vSRX platforms reboot, users are not able to enter boot menu to select option to recover password. |
During SRX1500, SRX4100, SRX4200, SRX4600 and vSRX platforms reboot, users are not able to enter boot menu to select option to recover password. |
PR Number | Synopsis | Category: Issues related to broadband edge apps (PPP, DHCP) on Trio ch |
1401808 | FPC core files due to a corner case scenario (race condition between RPF, IP flow). |
In a subscriber management deployment where the Reverse-Path-Forwarding (RPF) check and MAC check are enabled, a race condition might cause a software failure and result in a Flexible PIC Concentrator (FPC) restart. |
PR Number | Synopsis | Category: Trio pfe l3 forwarding issues |
1378439 | PFE Lookup loop happens when firewall based re-direction under "forwarding-options" is used to perform route-lookup in non-default routing instance for destinations reachable over MPLSoUDP tunnels. |
PFE Lookup loop happens when firewall based re-direction under "forwarding-options" is used to perform route-lookup in non-default routing instance for destinations reachable over MPLSoUDP tunnels. |
PR Number | Synopsis | Category: PFE on Satellite Device |
1397992 | Extended Port (EP) LAG may go down on the Satellite Devices (SDs) if the related Cascade Port (CP) links to an Aggregation Device (AD) go down |
In a Junos Fusion Data Center, if one Aggregation Device (AD) is isolated by disabling the Inter Chassis Link (ICL) and all cascade ports (links between AD and SD), and later only the ICL is reenabled on the AD, then EP-LAG LACP will go down. This issue will not be seen if the ICL is up and only the AD-SD links go down. |
PR Number | Synopsis | Category: PTX10016 platform software |
1412243 | The Native VLAN ID configured under L3 subinterface does not work on PTX |
On PTX-series platforms, if the Native VLAN ID is configured and used under an L3 subinterface, it might not work normally. Untagged frames received will not be mapped correctly to the L3 subinterface. As a result, protocols and ping would not work on such an L3 subinterface. |