18.2R2-S1: Software Release Notification for Junos Software Service Release version 18.2R2-S1

Article ID: TSB17514 | TECHNICAL_BULLETINS | Last Updated: 05 Mar 2020 | Version: 3.0
Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, EX, MX, PTX, VMX, VRR, vSRX, QFX, SRX, NFX, Network Agent
Alert Description:
Junos Software Service Release version 18.2R2-S1 is now available for download from the Junos software download site.
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Solution:

18.2R2-S1 - List of Fixed issues

PR Number Synopsis Category: This is for Hw & Sw issues which are special for SPC3 car
1407064 The RG1 failover does not happen immediately when the SPC3 card crashes.
 
On SRX5400/5600/5800 platforms with SPC3 used, the traffic outage might last for 5-15 minutes because the RG1 failover is not triggered immediately when flowd coredump happens.
PR Number Synopsis Category: Accounting Profile
1348249 BNG accounting-options - records written for operational down logical interfaces
 
When a logical interface (IFL) is operationally down, the accounting records for that IFL will not be written. Before this fix, the records were written without accounting information. As part of this fix, the records are written only if the IFL is admin up, which is similar to IFD behavior.
PR Number Synopsis Category: "agentd" software daemon
1394927 WITHDRAWN: Junos OS: gRPC hardcoded credentials may allow unauthorized access to systems with Junos Network Agent installed (REJECTED)
 
NO RISK. CVE REJECTED. 04-11-2019: Further investigation has determined that this issue has no impact. While the credentials exist in affected releases there is no way to exploit this issue, and even if the issue were exploitable, there would be no impact. Refer to https://kb.juniper.net/JSA10923 for more information.
PR Number Synopsis Category: access node control protocol daemon
1405318 Configuration load override or load replace resets ANCP neighbors.
 
In an ANCP (Access Node Control Protocol) scenario, if a configuration load override or load replace is executed, all ANCP neighbor sessions might be restarted after the commit operation, even without any ANCP configuration change.
PR Number Synopsis Category: MX Layer 2 Forwarding Module
1388454 The LSI binding for the IPv6 neighbor is missing.
 
On ACX, EX, MX, QFX and Virtual Chassis Fabric platforms, if an IRB interface is configured under a VPLS instance, the LSI binding for the IPv6 neighbor might be missing after switchover.
PR Number Synopsis Category: Control Plane and Infrastructure for the B-54 program
1369646 error: peer_daemon: bad daemon: scpd on EX9251 running 18.1R1 and 18.1R2
 
The scpd process is not running on EX9251, so the CLI throws an error while trying to fetch details from the scpd process in recent releases.
PR Number Synopsis Category: BBE interface related issues
1401506 The subscriber route installation failed because some interfaces states are not properly installed.
 
In a BBE subscriber scenario with subscribers built on AE interfaces, operations that cause a large number of interface states to be published from BBE (Broadband Edge) to the kernel (such as a system or FPC reboot, or a massive amount of link flapping) might leave some interface states improperly installed (with an invalid next hop that has no selector). This might cause subscriber route installation failure and traffic drop.
1403480 Smg-service could become unresponsive when doing some GRE-related CLI operations.
 
In a BNG (Broadband Network Gateway) or subscriber scenario, GRE-related CLI operations followed by a configuration commit could make smg-service unresponsive, and a bbe-smgd core might occur. The exact effect depends on whether there is a crash and what is happening at the time of the crash. Generally it does not cause a crash, but if the resulting concurrent access occurs, it might lead to one, in which case bbe-smgd restarts and restores state. In the meantime the service might be affected, but only temporarily.
PR Number Synopsis Category: Border Gateway Protocol
1398685 The rpd soft core files and inappropriate route selection might be seen when Layer 2 VPN is used
 
The rpd provides a mechanism to validate that route selection has successfully been done. When errors in route selection are detected, a soft core is dropped: the rpd remains running, a single core file is dropped, it is rate limited to not do this frequently. When running L2VPN, BGP MED selection may be inappropriately run on the routes. As a result, a soft core is created, and features that rely on skipping such routes such as BGP add-paths, may advertise an alternate path that is inappropriate.
1402255 On the multi-access/broadcast network, third party BGP router might unexpectedly select RR router as next-hop to forward the IPv6 traffic.
 
RFC 2545 has a limitation on third party next-hops where the next hop is propagated unchanged. Due to this limitation, BGP inet6 Route-Reflector router attaches the BGP neighbor's IPv6 global address and its own IPv6 link-local address as the next-hops while advertising the route to another BGP neighbor. This could introduce the forwarding issue on the BGP neighbor from other vendors if their device picks up the link-local address as next-hop. This would put the BGP RR router in the traffic forwarding path unexpectedly. This issue will not be seen on Juniper devices because IPv6 link-local address would not be selected as prefix's next hop.
1403881 EVPN multi-homing MAC might not be installed by remote PE.
 
In an EVPN-MPLS multi-homing scenario on MX Series with Junos 18.2R2, multi-homing MAC entries learned from remote EVPN peers might not be installed in the MAC table.
PR Number Synopsis Category: Firewall Filter
1394922 Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036)
 
Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036); Refer to https://kb.juniper.net/JSA10925 for more information.
PR Number Synopsis Category: EVPN control plane issues
1381940 The rpd process would crash if deactivating the Autonomous-System (AS) in an EVPN scenario.
 
If the parameter "auto" is set to the statement "vrf-target" within an instance-type of EVPN/virtual-switch, the rpd process would crash after deactivating the Autonomous-System (AS) configured.
1408749 The rpd might crash after NSR switchover in EVPN scenario
 
In BGP (Border Gateway Protocol) with EVPN (Ethernet VPN) scenario, after RE (routing engine) NSR (Nonstop active Routing) switchover, the rpd might crash on the new master RE when BGP is trying to withdraw an EVPN route which is mirrored from the old master but not yet active created in the routing table. Traffic disruption might be seen during the rpd crash.
PR Number Synopsis Category: EVPN Layer-2 Forwarding
1404857 EVPN database and bridge mac-table are out of sync due to the interface's flap
 
If some interfaces flap faster on the remote PE, the EVPN database and bridge mac-table might be out of sync on the local PE device. When this issue occurs, it may cause the impacted PE to broadcast packets to all the other PEs. The broadcast packets might cause traffic congestion, which results in packet loss.
PR Number Synopsis Category: jl2tpd daemon
1404259 Inconsistent content may be observed to the access line information between ICRQ and PPPoE message
 
In a subscriber management environment, the ICRQ message sent from the LAC (MX Series) may contain content that is inconsistent with the "Access-Loop-Encapsulation" field within the PPPoE message.
PR Number Synopsis Category: Flow Module
1367124 When activating security flow traceoptions, the unfiltered traffic is captured.
 
On SRX Series devices, when the flow traceoptions with the packet filter are enabled, the traces of other sessions that are not configured in the packet filter might be captured in the logs. However, when the packet filters are removed, the traces are dumped into the log file for some time less than 30 seconds.
1397742 Fragmentation and ALG support for Power Mode IPSec
 
Prior to the 18.2R2-S1 release, when Power Mode IPsec feature was enabled, and fragmented traffic is received by the SRX on an IPsec tunnel, the tunnel was moved from Power Mode IPsec to regular Flow IPSec mode. Similarly, if any flow session using Power Mode IPsec required advanced services like ALG, then this tunnel would switch to regular Flow IPsec. From the Junos 18.2R2-S1 release, SRX has enhanced support for Power Mode IPsec to handle fragmentation (both pre and post frag) and advanced L7 services. When a tunnel is enabled to use Power Mode IPsec and SRX receives a fragmented IP packet, only this clear-text flow session is processed in Flow mode to merge or split the packets. After the fragmentation processing, this clear-text flow session's packets will continue to process in PMI for the non-fragmented packets. So with this design, the performance impact is isolated only to fragmented packets. The other sessions which are using this IPsec tunnel will continue processing packets in Power Mode IPsec throughout.
1403517 Transit UDP 500/4500 traffic might not pass across SRX5000 series devices when using SPC3/SPC2.
 
On SRX5K platforms with SPC3/SPC2 card and IKE-ESP ALG not enabled, when slot 0 does not contain an SPC3/SPC2 card in CP/Flow mode or the total number of SPC3/SPC2 cards in the chassis is more than 2, pass-through NAT-T or ESP traffic might not be transported, and the IPsec VPN tunnel will be broken.
1406210 The flowd process stops and all cards are brought offline.
 
On all SRX platforms, in a rare condition, the flowd process might crash if there is a route change for IPsec tunnel traffic and the traffic does not go through the tunnel after reroute. This issue might cause all cards to go offline.
PR Number Synopsis Category: IPSEC/IKE VPN
1394427 A few VPN tunnels do not forward traffic after RG1 failover.
 
A few VPN tunnels do not forward traffic after RG1 failover when traffic-selector is configured in the AutoVPN.
1404985 Syslog is not generated when the IKE gateway rejects a duplicate IKE ID connection.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, when reject-duplicate-connection is configured in IKE configuration, if SRX detects the duplicate user, SRX rejects the duplicate connection as expected. Currently SRX does not generate error-message/syslog-message for this case.
1406020 Not all the tunnels are deleted when the authentication algorithm in IPsec proposal is changed.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, occasionally, when an IKE/IPSec configuration change is done for AutoVPN, SRX may not clear all IPSec SAs.
1407910 Multiple flowd process files are observed with IPsec acceleration with fragmentation traffic.
 
On SRX5400, SRX5600 and SRX5800 devices with SPC3, the incoming packets flow context information is not reset correctly when the packet is dropped in IPsec acceleration module. This will cause subsequent packets to be incorrectly processed as IPsec packets and results in the crash. To address this issue, SRX now resets the flow context before dropping the packet in all relevant modules including IPsec acceleration module.
PR Number Synopsis Category: lacp protocol
1391545 The SNMP query on LACP interface might lead to lacpd crash
 
If stale SNMP (Simple Network Management Protocol) index for LACP (Link Aggregation Control Protocol) interface exists and SNMP query is executed on the LACP interface, the lacpd might crash when trying to retrieve the stale SNMP index. The issue results in LACP negotiation failure during the lacpd restart. If "lacp periodic fast" is configured (which means LACP timeout is 3 seconds), the existing negotiated LACP interface might be impacted and traffic loss might be seen if the restart of the lacpd takes more than 3 seconds.
PR Number Synopsis Category: Multiprotocol Label Switching
1382249 The rpd might crash on backup Routing Engine after switchover
 
If vrf-table-label is configured for VRF routing-instance, after executing GRES or ISSU, the VRF table label which is not released may be reused by another VRF. This might cause an rpd core on backup RE.
PR Number Synopsis Category: Track Mt Rainier RE platform software issues
1343680 i40e NVM upgrade support for PTX platforms
 
Adding support for i40e NVM upgrade in PTX3000 platforms
PR Number Synopsis Category: Protocol Independent Multicast
1389120 Unexpected packet loss might be seen for some multicast groups during failure recovery with both MoFRR and PIM automatic MBB join load-balancing features enabled
 
On all Junos platforms which support both Multicast-Only Fast Reroute (MoFRR) and PIM automatic Make-Before-Break (MBB) join load-balancing features, if both features are enabled, and there is an upstream link failure happening, unexpected packet loss might be seen during failure recovery for some multicast groups due to this issue.
PR Number Synopsis Category: Interface related issues. Port up/down, stats, CMLC , serdes
1399878 SFP-LX10 does not work on QFX5110
 
On QFX5110 platforms, from Junos 17.3 onwards, the interfaces with SFP-LX10 transceivers and auto-negotiation enabled (default configuration) might be down.
PR Number Synopsis Category: Resource Reservation Protocol
1410972 Resources might be reserved for stale RSVP LSP when RSVP is disabled on the interface
 
If Resource Reservation Protocol (RSVP) is disabled on the incoming interface of a transit Label-Switching Router (LSR) along Label Switched Path (LSP) requesting link protection, no PathTear message is sent downstream. Hence all LSRs downstream retain the LSP till the state ages out. As the LSRs use long refresh interval by default, it will take approximately an hour and a half for the LSP to age out on the downstream LSRs.
PR Number Synopsis Category: SRX-1RU platform related protocol, QoS, filtering features et
1397210 40 Gigabit Ethernet /100 Gigabit Ethernet ports may take a long time (about 30 seconds) to link up on SRX4600 platform.
 
On SRX4600 platforms, 40/100 Gigabit Ethernet QSFP ports might take a long time (about 30 seconds) to link up after the link goes down and up multiple times.
PR Number Synopsis Category: MX10003/MX204 SW - UI specific defects
1385361 LED mibs broken on summit platforms
 
IDX2 limit for MIC FRU was wrongly updated instead of taking from PVIDB schema. This was causing GET-NEXT to fail due to index validation failure. Hence SNMP walk on all the LED MIB was broken.
PR Number Synopsis Category: Issues related to broadband edge apps (PPP, DHCP) on Trio ch
1374248 The filter service might fail to get installed for the subscriber in a scaled BBE scenario
 
On MX Series platforms enabled with enhanced subscriber management, if the subscriber profile initiates a filter service for each subscriber, and a large number of broadband edge (BBE) subscribers (for example, 10000) log in and out repeatedly, the filter service might fail to get installed for the subscriber due to this issue. In some rare conditions, it might also lead to a Flexible PIC Concentrator (FPC) crash.
PR Number Synopsis Category: Trio pfe l3 forwarding issues
1402834 Host outbound traffic might be dropped on MPC7, MPC8, and MPC9.
 
On MX platforms with enhanced subscriber management enabled, if the Junos release is 18.2X75-D10, 17.4R2, 18.1R2 and onwards, in which turbo TX is supported and enabled, when "class-of-service host-outbound-traffic" is configured, host outbound traffic (e.g. ARP, ISIS, OSPF, etc.) might be dropped on MPC7/8/9.
PR Number Synopsis Category: Trio pfe sampling, services plumbing
1401730 The MAP-E IPv4 over IPv6 packets might not be balanced to multiple SI interfaces
 
On MX-Series platforms with Mapping of Address and Port with Encapsulation (MAP-E) feature enabled, the MAP-E IPv4 over IPv6 packets might not be balanced to multiple SI interfaces if the equal-cost multipath (ECMP) is applied to it.
1404239 Some ICMP message types can't be encapsulated and decapsulated by MAP-E on SI interface
 
On MX Series routers in a Mapping of Address and Port with Encapsulation (MAP-E) deployment scenario, the following ICMP message types can't be encapsulated and decapsulated by MAP-E on the SI interface: type 3, 4, 5, 11, 12, 17, and 18.
PR Number Synopsis Category: Trio pfe, vpls, mesh group software
1406807 In a Layer 2 domain, there might be unexpected flooding of unicast traffic at every 32-40 seconds interval towards all local CE-facing interface
 
In a Layer2 domain (e.g. bridge-domain, VPLS), unexpected flooding of unicast traffic might be seen towards all local CE-facing interface if the FPC on the primary LSP is offline and the backup path PFE starts carrying the traffic.
PR Number Synopsis Category: Ephemeral Database
1407924 Ephemeral DB might get stuck during commit
 
On MX series with Junos 18.2R2, if committing configuration via the ephemeral configuration database, the ephemeral DB might get stuck and nothing is committed.
PR Number Synopsis Category: UI Infrastructure - mgd, DAX API, DDL/ODL
1402855 NFX150 device is throwing syntax error for cli command "show cli device-list"
 
'device-list' option in the CLI of NFX devices disappeared on 18.2 releases. This issue has been fixed.
PR Number Synopsis Category: web filtering issues
1406403 SRX Series: srxpfe process crash while JSF/UTM module parses specific HTTP packets (CVE-2019-0052)
 
SRX Series srxpfe process crash while JSF/UTM module parses specific HTTP packets (CVE-2019-0052); Refer to https://kb.juniper.net/JSA10946 for more information.
PR Number Synopsis Category: V44 Aggregation Device Infra
1384440 BUM traffic may get dropped on peer Fusion Aggregation Device when the link between Satellite Device and local Aggregate Device goes down
 
In the dual AD Junos Fusion setup, BUM (Broadcast, Unknown Unicast, and Multicast) traffic may get dropped on peer Fusion Aggregation Device when the link between Satellite Device and local Aggregate Device goes down.
PR Number Synopsis Category: PFE on Satellite Device
1397992 Extended Port (EP) LAG may go down on the Satellite Devices (SDs) if the related Cascade Port (CP) links to an Aggregation Device (AD) goes down
 
In a Junos Fusion Data Center, if one Aggregation Device (AD) is isolated by disabling the Inter Chassis Link (ICL) and all cascade ports (links between AD and SD), and later only the ICL is re-enabled on the AD, then EP-LAG LACP will go down. This issue will not be seen if the ICL is up and only AD-SD links go down.
PR Number Synopsis Category: Xellent Platform issues
1442249 JDI-PDT: Ping fails over interface in PTX-10002-60C , collateral damage in 18.2R2-S4.3 , Failed to get socket(-1) for index
 
This is a timing issue during the sxe interface bring up (w.r.t i40e driver). This can be recovered by rebooting the complete board.


18.2R2-S1 - List of Open issues

PR Number Synopsis Category: EX2300/3400 PFE
1423310 IPv6 multicast traffic received on one VC member might be dropped when egressing on other VC member if MLD snooping is enabled
 
With MLD snooping enabled, IPv6 multicast traffic might be dropped on Virtual Chassis (VC) if ingress and egress interfaces are on different VC members.
PR Number Synopsis Category: Gladiator PRs
1345478 PTX5k shows chassis alarm "FPC, Consumption > 90percent of allocated Budget" after software upgrade
 
After the software upgrade FPC (fully loaded with PICs and optics) might raise the Minor chassis alarm "Consumption > 90percent of allocated Budget".
PR Number Synopsis Category: This is for Hw & Sw issues which are special for SPC3 car
1403000 Chassis cluster stuck in CS state after flowd core
 
On SRX5400, SRX5600, and SRX5800 devices with SPC3, it is possible that when multiple core files are generated in quick succession, the cold-sync-monitored status is displayed and cannot be removed even though cold-sync has finished. You must reboot the affected node to recover.
PR Number Synopsis Category: Accounting Profile
1403182 CE_Customer: DT_BNG: PPPoE failed to auto-logout even if timeout was set to 900 seconds
 
Pl. see AT
PR Number Synopsis Category: "agentd" software daemon
1401817 The na-grpcd log file is not rotated and keeps growing until Routing Engine is out of disk space.
 
In a JET/Telemetry scenario, the Telemetry log file is not rotated and keeps growing until the Routing Engine (RE) is out of disk space. This might have an unexpected impact on the RE and eventually lead to an RE crash. The fix sets the maximum allowable size to 50M; once the file reaches its maximum size, it is rotated and compressed.
PR Number Synopsis Category: A15 specific issue
1403872 Split brain condition is experienced if the SPC2 or SPC3 card goes offline in the primary node.
 
On all SRX5000 platforms, when the cluster only has a single SPC card in each node, if the SPC2/SPC3 card goes offline in the primary node, a split brain might occur. This could cause traffic loss. Rebooting both nodes recovers from this issue.
PR Number Synopsis Category: A20/A40 IOC card
1414460 HA packets might be dropped on SRX5000 line of devices with IOC3 or IOC2 cards
 
On SRX5K platforms with an IOC3 or IOC2 card installed, the HA packets (HA data plane RTOs and Z mode revenue) might be dropped by the SPU and hence the HA fablink might go down.
PR Number Synopsis Category: PFE issue for flowd on australia SPU
1404726 18.2R2-SPC3-CCL:-"FPC 1 Major Errors" alarm was seen on node0.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, some HA packets might get dropped during RG1 failover, which triggers this alarm. This should not affect the HA functionality.
PR Number Synopsis Category: common or misc area for SRX product
1354395 Multiple "Monitor-failures" seen on rg1 After ISSU completion from 17.4R1-S3 to 18.1R1.9
 
Multiple Monitor-failures errors are seen on the rg1 interface after ISSU completion from Junos OS Release 17.4R1-S3 to Junos OS Release 18.1R1.9.
PR Number Synopsis Category: BBE Autoconfigured DVLAN related issues
1413004 PPPoE subscribers might not be able to log in after ISSU.
 
In a subscriber-management environment, if subscribers are flapping during In-Service Software Upgrade (ISSU), some subscribers may get stuck and not be able to connect after ISSU is finished.
PR Number Synopsis Category: BBE Resource monitoring related issues
1396886 Subscriber flapping might cause SMID resident memory leak.
 
In an MX subscriber management scenario, if the subscribers keep flapping, an SMID (subscriber management infrastructure daemon) memory leak is observed. When the SMID resident memory is exhausted, SMID will crash and subscriber sessions can't be established.
PR Number Synopsis Category: Border Gateway Protocol
1406241 AR Soft reboot causing traffic loss.
 
On RE NSR switchover, BGP-LU traffic sometimes experiences a loss of 9 seconds.
PR Number Synopsis Category: PTX Chassis Manager
1380056 Remove the chassisd alarms for FPCs exceeding 90 percent of power budget and exceeding 100 percent of power budget
 
Starting in Junos OS Release with this change, PTX Series Routers do not raise a chassis alarm in the following events; instead, it registers a system log.
PR Number Synopsis Category: MX Platform SW - UI management
1302637 Dvaita JDI-RCT: error messages seen jnh_loadbalance_hashkey(1087): Unsupported Hash Mode.
 
User-configured packet hashing options for the inet family under enhanced-hash-key may not take effect for TRIO-based FPCs in MX platforms. The FPC would keep using the default behavior for hash calculation for IPv4 packets.
1411062 Slow SNMP response time on entityMIB might be seen in the fully loaded setup with many SFPs
 
In the fully loaded setup with many SFPs, some SNMP queries might experience response delay due to higher priority daemons utilizing CPU resources.
PR Number Synopsis Category: Enhanced Broadband Edge support for cos
1413297 During ISSU or merge virtual-chassis member back to the VC, CoS GENCFG writes failures may be observed
 
In a subscriber management deployment, when performing ISSU or merging a virtual-chassis member back to the VC, CoS may be invalid and CoS GENCFG writes may fail.
PR Number Synopsis Category: JUNOS Dynamic Profile Configuration Infrastructure
1402342 Traffic loss seen in IGMP subscribers after GRES.
 
There is a chance that some subscribers may not have IPTV post GRES. This condition will be seen if subscribers are logged in before the system has initialized fully or if dynamic profiles are changed with subscriber activity.
PR Number Synopsis Category: Ethernet OAM (LFM)
1281073 The cfmd process might continuously crash after upgrade
 
The /var/db/cfm.db format is changed as part of PR 1249979 (which is fixed in 16.1R4-S2 16.1R5 17.1R3 17.2R1 17.3R1 trunk). With CFM configuration, if executing upgrade between releases which uses different db format, the continuous cfmd crashes might be seen after upgrade.
PR Number Synopsis Category: Express PFE L3 Features
1376366 PFE wedge may be observed if there are interfaces going to down state
 
On QFX10000 or certain PTX series platform, the Packet Forwarding Engine might get wedged if there are too many interfaces (for example, more than 35) with the physical or operational state changing to down, and for which the LACP force-up parameter is enabled, while the administration state is still up.
PR Number Synopsis Category: Inline IPSEC PRs for defect & enhancement requests
1405000 RPT Services Regressions : IPSEC-All BGP peers are not coming up while testing BGP over IPSec functionality.
 
To Be written.
PR Number Synopsis Category: Integrated Routing & Bridging (IRB) module
1410970 Packets might be dropped if the traffic is forwarded through an LT interface
 
On all Junos platforms, if the traffic is forwarded to IRB via an LT (Logical Tunnel) interface, packets might be dropped.
PR Number Synopsis Category: jpppd daemon
1413777 LCP Echo-Replies with invalid Identifier look not to be silently discarded on MX side
 
It was identified that LCP Echo-Replies with an invalid Identifier from Client are all accepted by BNG, and thereby from the outside it looks like the BNG is not completely conforming to the following statement of the PPP standard (RFC 1661)
PR Number Synopsis Category: Application aware Quality-of-Service
1394085 Packet loss might occur on unrelated traffic when AppQoS rate limiter is applied on SRX4600 and SRX5000 devices using SPC3.
 
On SRX4600 and SRX5K platforms using SPC3, once an AppQoS rate limiter is applied to specific traffic, packet loss occurs on unrelated traffic continuously until reboot.
PR Number Synopsis Category: Flow Module
1403037 On SRX5400, SRX5600, and SRX5800 devices with SPC3, when PowerMode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands do not count or display the number of packets processed within PowerMode IPsec, because these packets do not go through the regular flow path.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, when Power Mode IPSec is enabled, the "show security flow statistics" and "show security flow session tunnel summary" will not count or display the number of packets processed within Power Mode IPsec because these packets do not go through regular flow path.
1407231 Support for LAG interface with PowerMode IPsec.
 
On SRX5400, SRX5600 and SRX5800 devices with SPC3, LAG interface as IPsec external interface for Power Mode IPsec was not previously supported. With 18.2R2-S1 release, Power-Mode-IPsec now supports LAG interface as IPsec external interface.
1411486 While PMI is on, IPsec-encrypted statistics on the Routing Engine show security ipsec statistics are not working anymore for fragment packets.
 
While PMI is on, IPsec-encrypted statistics on the Routing Engine show security ipsec statistics are not working anymore for fragment packets.
PR Number Synopsis Category: IPSEC/IKE VPN
1357402 Tunnel flap is seen after doing RG0 failover.
 
On the SRX1500, SRX4xxx, SRX5000 platforms, the IPsec VPN tunnel may flap when doing RG0 failover in the chassis cluster.
1388979 On SRX5400, SRX5600, and SRX5800 devices with SPC3, the show security ike security-association detail command does not display local IKE-ID field correctly.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, "show security ike security-association detail" command does not display "local IKE-ID" field correctly.
1389607 With a large number of IPsec tunnels established, a few tunnels might fail during rekey negotiation if the SRX Series device initiates the rekey.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, with a large number of IPsec tunnels established, a few tunnels may fail during rekey negotiation if the SRX initiates the rekey.
1405515 Idle IPsec VPN tunnels without traffic and with ongoing DPD probes can be affected during RG0 failover.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, idle IPsec VPN tunnels without traffic and with ongoing DPD probes will be affected during the RG0 failover window. IPsec VPN daemon in the new primary routing-engine may not be initialized on-time to respond to the DPD probes.
1405699 Tunnel flapping without doing any dynamic activity in longevity test
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, the number of DPD packets that SRX can handle is limited to 1000 per second. If we exceed this number, either because DPD always-send is configured or a large number of tunnels that have either DPD optimized mode or DPD probe-idle-tunnel configured are idle, then RG0 failover or longevity testing may see few tunnels going down.
1405840 The IKE and IPsec configuration under groups is not supported.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, occasionally, if an IKE or IPSec configuration (under groups hierarchy) change is done for one IKE gateway, the tunnel may be cleared for unrelated IKE/IPSec gateway.
1407251 On SRX5400, SRX5600, SRX5800 devices with SPC3, when the network topology has SRX device behind a NAT device, SRX may occasionally not initiate NAT-Traversal keepalive packets.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, when the network topology has SRX device behind a NAT device, SRX may occasionally not initiate NAT-Traversal keepalive packets.
1407356 On SRX5400, SRX5600, SRX5800 devices with SPC3, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE-IDs.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE-IDs.
1408723 On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured as an initiator to initiate IKE negotiation, sometimes if the initiated IKE negotiation fails (because of configuration mismatch with the peer), SRX might erroneously display IPsec tunnel as active and might show an incorrect count of active number of IPsec tunnels.
 
On SRX5400, SRX5600, SRX5800 devices with SPC3, when SRX is configured as an initiator to initiate IKE negotiation, sometimes if the initiated IKE negotiation fails (because of configuration mismatch with the peer), SRX might erroneously display IPsec tunnel as active and might show an incorrect count of active number of IPsec tunnels.
1409855 On SRX5400, SRX5600, and SRX5800 devices with SPC3, when the SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, the IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds.
 
On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, when SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, the IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds.
1412316 IPsec traffic might drop after an IKEv2 reauthentication on SRX5K platforms with SPC3 card
 
On SRX5400, SRX5600, SRX5800 devices with an SPC3 card, if IKEv2 reauthentication is configured on the SRX or on the peer, IPsec traffic may be lost after a successful reauthentication.
1412571 The IKE rekey will fail if the remote peer is a device from another vendor
 
On SRX5000 platforms with SPC3 cards, the IKE rekey will fail if the remote peer is a device from another vendor. This causes IPsec VPN failure and impacts traffic.
1413619 The established tunnels may remain unchanged when an IKE gateway is changed from AutoVPN to Site-to-Site VPN
 
On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, if an existing IKE gateway configuration is changed from AutoVPN to Site-to-Site VPN, the IKE negotiation behavior remains in responder-only mode and the established tunnels may remain unchanged.
1414193 The reauthentication may fail when the device is configured to initiate IKEv2 reauthentication
 
On SRX5400/SRX5600/SRX5800 devices with SPC3 used, when the device is configured to initiate IKEv2 reauthentication in a NAT traversal scenario, the reauthentication may fail.
PR Number Synopsis Category: mc-ae interface
1409508 ICCP goes down and never comes up when static ARP/NDP to IRB peer is getting deleted
 
Starting from 15.2, MC-LAG does not need a static entry (ARP/ND) for the remote IRB IP, as captured in PR 1075917 (CVBC PR 1119732). If a customer has already configured a static entry (ARP/ND) and tries to remove it on any version higher than 15.2, remote IRB ARP resolution does not happen automatically (that is, when the static ARP configuration is present on that version and is then removed).
PR Number Synopsis Category: Multiprotocol Label Switching
1401813 Backup rpd crash may be observed due to incorrect label assignment
 
With NSR enabled, when the master RPD is restarted, out-of-order add and delete messages can occasionally arrive on the backup RE, causing label assignment collisions that lead the backup RPD to crash.
PR Number Synopsis Category: FreeBSD Kernel Infrastructure
1410542 The chassisd process might crash due to a thread locking defect
 
A chassisd crash with a core dump file might be seen if an error occurs in the chassisd syslog functionality. Traffic is impacted because the FPCs are restarted.
PR Number Synopsis Category: JUNOS Network App Infrastructure (for ping, traceroute, etc)
1409847 Junos OS: Insufficient validation of environment variables in telnet client may lead to stack-based buffer overflow (CVE-2019-0053)
 
In Junos OS, insufficient validation of environment variables in the telnet client may lead to a stack-based buffer overflow (CVE-2019-0053). Refer to https://kb.juniper.net/JSA10947 for more information.
PR Number Synopsis Category: Path computation client daemon
1395205 Junos OS: Upon receipt of certain types of malformed PCEP packets the pccd process may crash. [CVE-2020-1601]
 
Certain types of malformed Path Computation Element Protocol (PCEP) packets, when received and processed by a Juniper Networks Junos OS device serving as a Path Computation Element (PCE) in a PCEP environment using Juniper's path computational element protocol daemon (pccd) process, allow an attacker to cause the pccd process to crash and generate a core file, thereby causing a Denial of Service (DoS). Refer to https://kb.juniper.net/JSA10980 for more information.
PR Number Synopsis Category: VMX PFE/RIOT related issues on BBE application
1404595 The L2TP packets are dropped by the vMX router
 
There are two issues in the L2TP subscriber access scenario with a vMX (virtual MX) router used as a vLNS (virtual L2TP network server). Issue 1: if the firewall filter is enabled with the syslog/log action, the L2TP packets will be dropped. Issue 2: if received packets are larger than the interface MTU, they will be dropped by the vLNS.
PR Number Synopsis Category: Interface related issues. Port up/down, stats, CMLC , serdes
1388591 Error message "portmod_port_core_access_get: Invalid parameter" seen in log messages
 
QFX5110 has both internal and external PHYs. The procedure to read FEC statistics from external PHYs is different from the one used to read from internal PHYs. When the APIs meant for internal PHYs are used on external PHYs, error messages are displayed.
PR Number Synopsis Category: QFX Platform related (SYSLOG/ALARMS/miscellaneous)
1405495 DHCP not working for some clients in dual AD fusion setup on EP ports.
 
DHCP does not work for some clients in a dual AD fusion setup on EP ports. When the SD is not reachable to the peer AD, sdpd sends color 0 for color type MCAE and the kernel sends 0 to the AD PFE. The kernel has to convert this color to 0xFF before sending it to the AD PFE.
PR Number Synopsis Category: QFX PFE Class of Services
1393646 QFX5100: [cos] [peak_stats] Peak buffer occupancy shown in wrong PG for lossless traffic after ISSU
 
Due to a BCM SDK limitation, peak buffer occupancy is not displayed properly after ISSU.
PR Number Synopsis Category: RPD Next-hop issues including indirect, CNH, and MCNH
1407837 MPLSoGRE/MPLSoUDP failed to create next-hop-based-tunnel when next-hop is directly connected interfaces.
 
MPLSoGRE/MPLSoUDP failed to create next-hop-based-tunnel when next-hop is directly connected interfaces.
PR Number Synopsis Category: SRX-1RU platform related protocol, QoS, filtering features et
1381653 During SRX1500, SRX4100, SRX4200, SRX4600 and vSRX platforms reboot, users are not able to enter boot menu to select option to recover password.
 
During SRX1500, SRX4100, SRX4200, SRX4600 and vSRX platforms reboot, users are not able to enter boot menu to select option to recover password.
PR Number Synopsis Category: Issues related to broadband edge apps (PPP, DHCP) on Trio ch
1401808 FPC core files due to a corner case scenario (race condition between RPF, IP flow).
 
In a subscriber management deployment where the Reverse-Path-Forwarding (RPF) check and the MAC check are enabled, a race condition might cause a software failure and result in a Flexible PIC Concentrator (FPC) restart.
PR Number Synopsis Category: Trio pfe l3 forwarding issues
1378439 PFE Lookup loop happens when firewall based re-direction under "forwarding-options" is used to perform route-lookup in non-default routing instance for destinations reachable over MPLSoUDP tunnels.
 
PFE Lookup loop happens when firewall based re-direction under "forwarding-options" is used to perform route-lookup in non-default routing instance for destinations reachable over MPLSoUDP tunnels.
PR Number Synopsis Category: PFE on Satellite Device
1397992 Extended Port (EP) LAG may go down on the Satellite Devices (SDs) if the related Cascade Port (CP) links to an Aggregation Device (AD) goes down
 
In a Junos Fusion Data Center, if one Aggregation Device (AD) is isolated by disabling the Inter Chassis Link (ICL) and all cascade ports (links between AD and SD), and later only the ICL is re-enabled on the AD, then EP-LAG LACP will go down. This issue will not be seen if the ICL is up and only the AD-SD links go down.
PR Number Synopsis Category: PTX10016 platform software
1412243 The Native VLAN ID configured under L3 subinterface does not work on PTX
 
On PTX-series platforms, if the Native VLAN ID is configured and used under an L3 subinterface, it might not work normally. Untagged frames received will not be mapped correctly to the L3 subinterface. As a result, protocols and ping would not work on such an L3 subinterface.
Modification History:
Update format and content 2020-03-05
Update content date 2019-02-06
First publication date 2019-01-30