18.1R3-S4: Software Release Notification for Junos Software Service Release version 18.1R3-S4

  [TSB17544]


Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, EX, MX, PTX, QFX, SRX, NFX, VMX, VRR, Network Agent
Alert Description:
Junos Software Service Release version is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Solution:

Junos Software Service Release version 18.1R3-S4 is now available.

PRs found and not fixed in 18.1R3-S4

PR Number Synopsis Description
1442376

EX2300 platforms with some specific releases might stop forwarding traffic or responding to console

On EX2300/EX2300-C/EX2300-MP platforms, if the Junos software uses FreeBSD kernel version 11 with a build date on or after 2019-02-12, the switch may stop forwarding traffic or responding to the console. A reboot is required to restore the service.
     

 

The following are incremental changes in 18.1R3-S4.

 
PR Number Synopsis Description
1132770

Ping does not go through device after WTR timer expires in ERPS scenario

On EX4300 series switches in an Ethernet Ring Protection Switching (ERPS) scenario, the control plane might assign more than one STP instance to a VLAN on the ERPS ring after a system reboot. This causes a ping packet forwarding issue.

1232178

The RE-PFE out-of-sync errors might be seen in syslog

When a configuration that brings a PFE down and another configuration that brings the PFE back online are committed in quick succession, RE-PFE out-of-sync errors could be logged in syslog. Most of the time these are benign errors, but sometimes they may result in PFE crashes.

1289313

Junos OS: Login credentials are vulnerable to brute force attacks through the REST API (CVE-2019-0039)

Junos OS: Login credentials are vulnerable to brute force attacks through the REST API (CVE-2019-0039); Refer to https://kb.juniper.net/JSA10928 for more information.

1346452

Error message "STUCK_BUFF : port_sp not empty for port 35 sp 1 pkts:1"

Ingress buffers are stuck in the MMU during system init. During system init, a very large number of packets are copied to the CPU, causing DDoS violations and rate limiting on CPU queues. At this point, some default IFD CoS settings are being programmed. Before applying the CoS settings, the software tries to drain all packets from the MMU; if it cannot, it proceeds with the hardware programming anyway, which causes the stuck buffer issue. Because packets destined to the CPU can't be drained using an SDK call, the loop wait time is increased to 10 seconds.

1350733

lt- interface gets deleted with tunnel-services configuration still present.

When a tunnel interface is used as the anchor-port in pseudo-wire services, deleting the set interface configuration causes the tunnel-services interface to be deleted. Deleting pseudo services alone will not have an effect on tunnel-services interfaces.

1369731

Some harmless log messages are suppressed on the backup SPMB.

Unsuccessful connection attempts will not be logged on the backup SPMB.

1372875

kernel and ksyncd core after dual cb flap at rt_nhfind_params: rt_nhfind() found an nh different from that onmaster 30326.

A scaled GNF may dump live kernel cores, as well as a ksyncd core on the BU RE, when recovering from a BSYS reboot (or a disconnection and reattachment of all 4 external control board connections).

1373803

Login lockout might never expire because the timestamps of "Lockout start" and "Lockout end" are the same

Because the timestamps of "Lockout start" and "Lockout end" are the same, the user might be locked out permanently from logging in, even after the lockout period has expired.

1375332

RIPv2 update packets might not be sent with IGMP snooping enabled

RIPv2 update packets might not be sent with IGMP snooping enabled. This might prevent the RIP protocol from coming up.

1377447

Debug log message, "expr_nh_flabel_check_overwrite: Caller nh_id params", classified as Error Log when it should be LOG_INFO.

Debug logs are printed as error logs in /var/log/messages. Debug log message, "expr_nh_flabel_check_overwrite: Caller nh_id params", classified as Error Log when it should be LOG_INFO

1379433

DNS requests with EDNS options might be dropped by DNS ALG.

On SRX/MX platforms with DNS ALG enabled, the DNS requests with Extension mechanisms for DNS (EDNS) additional options might be dropped by DNS ALG.

1380600

The routes learned over an interface will be marked as "dead" next-hop after changing the prefix-length of IPv6 address on that interface

If an interface is configured with 128 prefix length for IPv6 address, the route learned over that interface might be marked as "dead" next-hop after the prefix length is changed from 128 to any other prefix length.

1381446

Traffic blackhole caused by FPC offline in MC-LAG scenario

On a Junos device in the multichassis link aggregation group (MC-LAG) scenario with integrated routing and bridging (IRB) interface and enhanced-convergence enabled, if the MC-LAG has only one member link, after taking offline the FPC hosting that member link and then clearing ARP, the traffic which is expected to egress the interchassis link (ICL) might get dropped, due to the nexthop being incorrectly set as Discard by code in Junos kernel.

1383642

In a Junos Fusion (MC-LAG based) deployment with dual Aggregation Devices (ADs) and dual-homed Satellite Devices (SDs) it may be possible for SDs to get into a state where LACP will not transmit to attached end/client devices.

When a Satellite Device (SD) boots up (powered on) it receives the SD configuration file from the Aggregation Devices (ADs). If the SD is configured to be dual-homed to both ADs (connections from one SD to both AD1/AD2) it will receive a configuration file which instructs the SD to communicate to both ADs. If one of the ADs is offline at the time the SD receives the configuration file specifying AD Redundancy then the SD will not be able to properly transmit LACP PDUs until it communicates and synchronizes with both ADs as specified in the received configuration.

1384929

A RSVP-signaled LSP might stay in down state after a link in the path flaps

In RSVP (Resource Reservation Protocol) LSP (Label Switched Path) with loose or undefined path scenario, the LSP might stay in down state due to loop detection after the link in the path flaps.

1385454

The packets drop might be seen in lower priority queues on PTX-Series or QFX10000-Series platforms

On all PTX-Series or QFX10002/QFX10008/QFX10016 platforms with CoS deployed, all the physical member interfaces of Aggregated Ethernet (AE) might drop packets in lower priority queues when micro-bursts are received. These micro-bursts are typically due to the speed differential between the ingress interface (e.g. 100G) and the egress interface (e.g. 10G). Typically this occurs when a large burst of high priority traffic and lower priority traffic arrive simultaneously.

1386768

Changing the value of mac-table-size to default may lead all FPC to reboot

If the mac-table-size value of a VLAN that is carrying traffic is changed to default, the layer 2 forwarding table (IFL-List) needs to be re-associated with the Flush-List, which keeps the newest MAC list pushed by the Routing Engine (RE), and the IFL-List must be deleted for this re-association. However, when the MAC entries are deleted, their flags might still remain in the IFL-List, which causes the MAC deletion to fail; the update of the Flush-List might also get stuck. Consequently, all FPCs might reboot.

1388211

Unicast DHCP request might get misforwarded to backup RTG link

On EX4300 Virtual-Chassis platform using Redundant Trunk Group (RTG), when the active RTG link is on non-master RE member, the unicast DHCP REQ frames might get misforwarded to the backup RTG link.

1388290

IPsec IKE keys are not cleared when delete/clear notification is received

IPsec IKE keys are not cleared when delete/clear notification is received from the peer on GRES enabled device.

1388479

Certain log messages might be observed on QFX platforms

On QFX platforms, when Power budgeting is executing, log message "PEM power status has changed, run power budget again" might be seen.

1388591

Error message "portmod_port_core_access_get: Invalid parameter" seen in log messages

QFX5110 has both internal and external PHYs. The procedure to read FEC statistics from external PHYs is different from the one used to read from internal PHYs. When the APIs meant for internal PHYs are used on external PHYs, error messages are displayed.

1388811

ARP received on SP-Style interface not sent to all RVTEPs in case of QFX5100 VC only, normal BUM traffic works fine

ARP received on SP-Style interface not sent to all RVTEPs in case of QFX5100 VC only, normal BUM traffic works fine

1389809

Jlock hog might be reported at restart routing

In a scaled configuration, it is possible that a jlock_hog can be reported in the syslog after a restart routing. This message is informational and indicates contention for rpd resources.

1392575

On EVPN setups, wrong destination MAC addresses starting with 45 might show up when using the "show arp hostname" command

On EVPN setups, wrong destination MAC addresses starting with 45 might show up when using the "show arp hostname" command. This is a cosmetic issue with no impact.

1393405

Interface flap of EX-VC may cause high CPU utilization and multicast traffic delay

In an EX-VC scenario with IGMP snooping configured on a VLAN, when a VLAN interface that belongs to the backup switch is flapping, the IGMP query packets are sent to all the other member ports of the VLAN on the backup switch. This issue may cause high CPU utilization and multicast traffic delay.

1393628

10G copper link flapping might happen during TISSU operation of QFX5100-48T switches

On QFX5100-48T switches, when doing TISSU (Topology Independent In-Service Software Upgrade) operation, link flaps on 10G copper interfaces might be observed on the peer device. These flaps might cause unexpected failover of the connected PC/servers, which results in service impact.

1394922

Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036)

Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036); Refer to https://kb.juniper.net/JSA10925 for more information.

1395620

The dcd crash might be seen after deleting the sub interface from VPLS routing-instance and mesh-group

If an IFL is configured under a VPLS routing-instance and also in a mesh-group, and it is deleted from both the routing-instance and the mesh-group at the same time (single commit), DCD might crash. The interface is first deleted from the routing-instance successfully, but the deletion from the mesh-group leads to the crash.

1396886

Subscriber flapping may cause SMID resident memory leak

In MX subscriber management scenario, if the subscribers keep flapping, the SMID (subscriber management infrastructure daemon) memory leak is observed. When the SMID resident memory is exhausted, SMID will crash and subscriber session can't be established.

1396935

Provide user choice whether to drop a core when we'd normally soft core.

The JUNOS RPD daemon has facilities to attempt to trap certain classes of non-fatal bugs by continuing to run, but leaving a "soft" core file. Leaving a soft core is intended to be non-disruptive to routing and forwarding. This PR implements a mechanism by which users may disable soft cores being generated.

1396967

The AGENTX session timeout between master (snmpd) and subagent triggers some daemon crash

On all platforms, after the AGENTX session timeout between master(snmpd) and sub-agent, the chassisd/nsd/mib2d might crash and restart.

1397325

The BUM traffic might not be flooded in EVPN-MPLS scenario

In an EVPN-MPLS (Ethernet VPN - Multiprotocol Label Switching) scenario with bridge-domains used, any configuration change which causes a BD (Bridge Domain) reincarnation (e.g. change of vlan-id-list under bridge-domains) might break the flooding of BUM (Broadcast, Unknown-unicast, Multicast) traffic. The issue leads to BUM traffic loss. All services that rely on BUM traffic might be impacted.

1398000

BGP DMZ LINK BANDWIDTH - not able to aggregate bandwidth , when applying the policy

Due to the lack of initialization of a stack variable in our BGP protocol implementation, the location where the link-bandwidth aggregation limit is stored may be populated with a non-deterministic value. During the calculation of link-bandwidth aggregation value, if the value stored for link-bandwidth aggregation limit is non-zero, that value will be used as the link bandwidth aggregate value. Because of this, it will appear that link-bandwidth aggregation is not operating correctly.

1398256

The fxpc core might be seen if scaled number of filter-based forwarding (FBF) filters are configured

On EX2300 and EX3400 platforms, if scaled number of FBF filters are applied to interfaces, the fxpc core might be seen, and all the filters might be deleted.

1398362

MPLSoUDP/MPLSoGRE tunnel may not come up on interface route

In MPLS over UDP or MPLS over GRE scenario, if the nexthop type of the MPLSoUDP/MPLSoGRE tunnel is interface route, the tunnel may not come up.

1398502

All FPC cards might restart after L3VPN routes churn

In L3VPN network with large-scale prefixes, if the peer PE is other vendor's router (e.g. Cisco) configured with "per-prefix label", all FPC cards might restart after L3VPN routes churn multiple times.

1398888

In some newer releases firewall filter action "decapsulate gre" cannot decapsulate ip-over-ip and ipv6-over-ip traffic

Until Junos 16.1, the firewall filter action "decapsulate gre" decapsulates GRE, ip-over-ip and ipv6-over-ip traffic. This behavior was later changed to allow decapsulation of GRE-based traffic only. This can cause issues after an upgrade to a newer release in customer deployments where the "decapsulate gre" option is used to decapsulate IPIP and IPIPv6 traffic, because IPIP and IPIPv6 decapsulation is no longer supported. The fix reinstates the older behavior, so that the "decapsulate gre" option decapsulates IPIP and IPIPv6 traffic in addition to GRE.

1399141

Junos OS: BGP packets can trigger rpd crash when BGP tracing is enabled. (CVE-2019-0019)

Junos OS: BGP packets can trigger rpd crash when BGP tracing is enabled. (CVE-2019-0019); Refer to https://kb.juniper.net/JSA10931 for more information.

1399575

EX3400 might not learn 30K MAC addresses during sending MAC learning traffic

When sending 30K MAC source traffic EX3400 might not learn 30K MAC addresses and the l2alm process is spiking.

1399744

No Alarm was generated when FPC connected to master RE via backup RE/CB

The fix raises an alarm on the RE if communication from the RE to one or more FPCs fails through the primary interface and is established via the backup RE.

1399864

EX4300 OAM LFM might not work on extended-vlan-bridge interface with native vlan configured

On EX4300, when the 'extended-vlan-bridge' and the 'native-vlan-id' is configured, OAM link-fault-management (LFM) might not work on the interface. And sometimes the link will come down.

1400190

[Cordoba] incorrect Lane chromatic dispersion values and false positive RX power high alarm

Lane chromatic dispersion(ps/nm) on 5x100G DWDM PIC (PTX) is shown incorrectly for ports 1-4. Port 0 is showing up fine.

    lab@ptx> show interfaces transport pm all current et-0/0/1
    <...>
    Physical interface: et-0/0/1, SNMP ifIndex 1114
    10:45-current Suspect Flag:False Reason:Not Applicable
    PM CURRENT MIN MAX AVG THRESHOLD TCA-ENABLED TCA-RAISED
    (MIN) (MAX) (MIN) (MAX) (MIN) (MAX)
    Lane chromatic dispersion(ps/nm) -28 -65534 65536 24130 0 0 NA NA NA NA

'show interfaces diagnostics optics' might show RX power high alarm on interfaces hosted on 5x100G DWDM PIC (PTX) or 1x100G DWDM MIC (MX).

    lab@ptx> show interfaces diagnostics optics et-0/0/0
    Physical interface: et-0/0/0
    <...>
    Rx power high alarm threshold : 6.5535 mW / 8.16 dBm <<<
    <...>
    Lane 0
    Tx power : 1.000 mW / 0.00 dBm
    Rx power (total) : 1.018 mW / 0.08 dBm <<<
    Rx power (signal) : 0.851 mW / -0.70 dBm <<<
    <...>
    Tx power high alarm : Off
    Tx power low alarm : Off
    Tx power high warning : Off
    Tx power low warning : Off
    Rx power high alarm : On <<<
    Rx power low alarm : Off
    Rx power high warning : Off
    Rx power low warning : Off
    Rx loss of signal alarm : Off
    Wavelength unlocked alarm : Off
    Laser end-of-life alarm : Off

1400380

PEM I2C Failure alarm might be shown incorrectly as failed

PEM I2C Failure alarm might be shown incorrectly as failed due to I2C transaction failure.

1400597

The mgd-api crash due to memory leak

A memory leak in mgd-api leads to a core dump.

1401026

Static demux0 logical interfaces do not come up after config change if underlying interface is et.

Static demux0 logical interfaces do not come up after a config change if the underlying interface is et (100 GE). After a config change, the et interface gets flushed in order to reparse the config. During this, DCD fails to create the dependency between the demux0 logical interfaces and the underlying et interface, which results in the demux0 logical interfaces being flushed. This issue is seen only if the underlying interface is et; for all other interfaces this has already been taken care of. This is a day-one issue. Workaround: restarting DCD (or rebooting the entire RE) clears the problem; alternatively, use 'commit full' instead of commit when committing the new config.

1401507

The TCP connection between ppmd and ppman might be dropped due to a kernel issue

The periodic packet management process daemon (ppmd) off-loads time-sensitive periodic processing from various clients to a single daemon. It is responsible for periodic transmission of packets on behalf of its various clients. Due to a kernel issue, the TCP connection between ppmd in the Routing Engine (RE) and periodic packet manager (ppman) in the packet forwarding engine (PFE) might be dropped. It will result in the clients which use ppmd (such as LACP) flapping.

1401802

There might be unexpected packets drop in MoFRR scenario if active RPF path is disabled

On Junos platforms that have the Multicast Only Fast Reroute (MoFRR) and Join Load Balance (JLB) Automatic features enabled in a scaled setup (e.g. with around 3k multicast routes), when the active Reverse Path Forwarding (RPF) path is disabled by some operation (e.g. the metric of the active interface is increased so that it is no longer active), there might be unexpected packet drops for about 5 seconds due to a timing issue.

1401854

JET authentication does not work for usernames and passwords of certain lengths.

The authentication module for JET RPCs and Telemetry fails in authenticating usernames or passwords of certain lengths. Hence the users will be unable to execute JET APIs or Junos Streaming Telemetry.

1402140

The rpd might be stuck at 100% when auto-export and BGP add-path are configured

On all devices running Junos OS, when auto-export is configured in two VPN routing and forwarding (VRF) instances, the routes get exported from/to each other. In this case, if add-path is also configured in BGP (even in an unrelated peer group), the rpd process might be stuck at 100% CPU utilization due to the infinite loop of route flashing in VRFs.

1402175

ATT Whitebox: 'show evpn instance extensive esi' command does not filter output by esi (ATTip45090 )

To filter and see the output of the desired ESI or neighbor information of an EVPN instance, we created two new choices, namely 'show evpn instance <> esi-info esi <>' and 'show evpn instance <> neighbor-info neighbor <>'.

1403729

Syslog message is seen whenever prefix sid coincides with the node sid

In a segment routing scenario, a syslog message is seen whenever the prefix SID coincides with the node SID. These logs cause confusion and incorrectly report node segment ID duplication. There is no service impact.

1404038

Continuous kernel crashes might be observed in backup RE or VC-BM

On Junos platforms with dual REs (or MX-VC) and GRES enabled, if an unnumbered interface is configured with a subnet IPv6 address, the kernel might continuously crash in the backup RE when receiving IPv6 NS (Neighbor Solicitation) towards the unnumbered interface. In the MX-VC scenario, a sync problem might be observed after the kernel crash in VC-BM (Master Routing Engine in the Virtual Chassis backup router), hence GRES might not work.

1404088

Incorrect mem stat message is seen in FPC logs of PTX Type 1 FPC

Incorrect mem stat message is seen in FPC logs of PTX Type 1 FPC

1404089

With MS-MPC and MS-MIC service cards SYSLOG messages for port block interim may show 0.0.0.0 for the private-IP and PBA release messages may show the NAT'd IP as the private IP.

With MS-MPC and MS-MIC service cards, syslog messages for port block interim may show 0.0.0.0 for the private-IP and PBA release messages may show the NAT'd IP as the private IP. These are rare events that only occur when the EIF/Endpoint Independent feature is enabled and should not be seen often. All PBA allocation messages will be accurate, so there will still be a way to correlate the incorrect SYSLOG messages with the correct private IP.

1405033

Scaled MPLS labels might cause slow labels allocation and high CPU utilization

On Junos platforms with scaled MPLS labels used, when the system is already running with high load, inefficient labels allocation might cause even higher CPU utilization at 100% for hours. The issue might affect traffic.

1405168

Traffic drop is seen on EX4300 when 10G Fiber port is using 1 Gigabit Ethernet SFP optics with Auto-Negotiation enabled

Traffic drop is seen on EX4300 when 10G Fiber port is using 1 Gigabit Ethernet SFP optics with Auto-Negotiation enabled. Auto-Negotiation is enabled by default on these ports. This issue is applicable to EX4300 platforms using 10G Fiber ports supporting 1G optics in any of the applicable PICs (PIC0 last 4 ports and PIC2 of EX4300-32F, and PIC2 of EX4300-24/48 T/P). Traffic will not egress out of these ports and the peer will not receive the traffic.

1405876

FPC crash might be seen when adding a leg to an AE bundle or FPC restarts in subscriber scenario

In subscriber scenario, when using AE bundle with active subscribers and the AE bundle is configured with a lot of interfaces within one interface-set, FPC might crash if adding a leg to an AE bundle or an existing leg is replayed (after FPC restarts). It is a timing issue. In detail, this issue happens in two scenarios. The first one is "a leg is added to an AE bundle". That can cause a FPC crash as the device may perform a long walk to install schedulers on all legs. The second one is 'a line card rebooting'. After FPC reboot, the bundle is updated locally on that line card as it is populated with all of the existing state. In this case a long walk would also be performed and FPC crash might be seen.

1406219

Junos OS: Insecure management daemon (MGD) configuration may allow local privilege escalation (CVE-2019-0061)

The Junos CLI communicates with MGD over an internal unix-domain socket and is granted special permission to open this protected mode socket. Due to a misconfiguration of the internal socket, a local, authenticated user may be able to exploit this vulnerability to gain administrative privileges.

1406757

Dvaita JDI-RCT: NGMVPN Traffic drops seen for multicast groups with "selective" provider tunnels

NGMVPN traffic is getting dropped because the multicast route is pointing to an mdiscard next hop.

1407765

NPC core after daemon restart in jnh_get_oif_nh ( ) routine

When an LNS subscriber with CoS is brought down, a PFE core may be observed if the corresponding pseudo IFL was deleted before this flow from the PFE. Generally, a pseudo IFL is deleted only when all the subscribers using it go down, so this is an IPC ordering issue that results in the NPC core. It is not observed during normal bring-up and bring-down of LNS subscribers; it is observed when subscriber bring-up/down is coupled with daemon restarts.

1407775

Log messages "dot1xd[]: task_connect: task ESP CLIENT:...: Connection refused" might be reported in Junos 17.4 or later

Messages like the following can appear in the log on devices running Junos 17.4 or later:

    dot1xd[7683]: task_connect: task ESP CLIENT:33001.128.0.0.1+33001 addr 128.0.0.1+33001: Connection refused
    dot1xd[7683]: task_connect: task ESP CLIENT:33001.128.0.0.1+33001 addr 128.0.0.1+33001: Connection refused
    ..

The message is cosmetic and can be ignored/filtered out.

1408012

The PFE might get disabled unexpectedly due to an auto-correctable non-fatal hardware error on PTX or QFX10002/QFX10008/QFX10016

On PTX or QFX10002/QFX10008/QFX10016, an auto-correctable non-fatal hardware error on the PE chip (which is the ASIC on PTX1000, PTX10002, QFX10002, the third-generation FPC on PTX3000/PTX5000, and the line card on PTX10008/PTX10016/QFX10008/QFX10016) is reported as a 'FATAL' error and hence the related Packet Forwarding Engine (PFE) will get disabled. Code changes have been made to change the error category from 'FATAL' to 'INFO' so that the PFE is not disabled unexpectedly.

1408058

Traffic forwarding failed when crossing VCF members

In a VCF scenario, if one member of the VCF reboots, forwarding of transit unicast traffic across non-directly connected VCF members might fail.

1408161

The DHCP discover packets might be dropped over VXLAN tunnel if DHCP relay is enabled for other VXLAN/VLANs

On QFX10002/QFX10008/QFX10016 Series platforms, the DHCP discover packets might be dropped over a VXLAN tunnel in a pure Layer 2 VXLAN/VLAN when DHCP relay is enabled for other VXLAN/VLANs. This might result in the failure of DHCP IP address assignment.

1408168

The ToS/DSCP and TTL fields might not be copied into the outer IP header in Group VPN scenario

In Group VPN scenario, on MX Series with Junos 16.1 onwards, the ToS/DSCP and TTL fields might not be copied from the original packet to the outer IP header during the IP header preservation.

1408195

Junos OS: vSRX, SRX1500, SRX4K, ACX5K, EX4600, QFX5100, QFX5110, QFX5200, QFX10K and NFX Series: console management port device authentication credentials are logged in clear text (CVE-2019-0069)

On vSRX, SRX1500, SRX4K, ACX5K, EX4600, QFX5100, QFX5110, QFX5200, QFX10K and NFX Series, when the user uses console management port to authenticate, the credentials used during device authentication are written to a log file in clear text. Refer to https://kb.juniper.net/JSA10969 for more information.

1408380

Fan failure alarms might be seen on QFX5100-96S after upgrade to 17.3R1

On QFX5100-96S, starting from Junos version 17.3R1, the QFX5100 may experience fan failure alarms and fan performance degradation. The software change in this PR addresses these issues.

1408443

The rpd crashes on static route configuration for multicast source

In a multicast routing scenario using PIM, if a static route with qualified-next-hop is configured for the multicast source, the rpd process might crash. This is because qualified-next-hop points to a GF_DLI (Gateway Family Data Links) address which PIM is unable to process, resulting in the crash.

1408675

EX3400 PSU status is still taking "check" status even though PSU module has been removed

EX3400 PSU status is still taking "check" status even though PSU module has been removed

1408812

M/Mx/QFX:mcsnoopd core generated immediately after the commit change related to VXLAN-EVPN configuration

M/Mx/QFX:mcsnoopd core generated immediately after the commit change related to VXLAN-EVPN configuration

1408974

The kmd process might crash on MX/ACX platforms when IKEv2 is used

On MX/ACX platforms, when IKEv2 is used for IPsec VPN and Dead Peer Detection (DPD) is enabled, if the IKEv2 rekey interval is very short (about 6-7 minutes), the kmd process might crash. This leads both VPN peers to tear down the tunnel.

1409398

The misconfiguration of dynamic profile might cause the login issues of the subsequent subscribers

In an access network with dynamic profiles, a race condition between dynamic profiles might leave some services of these dynamic profiles unactivated when one of the dynamic profile configurations is misconfigured. Login issues might happen when these unactivated services are requested by subsequent subscribers.

1409631

Restarting line card on QFX10008/10016 with MC-LAG enhanced-convergence may cause intra-vlan traffic to go a black hole

On QFX10008/10016 platforms, when the FPC comes online after a restart, the intra-VLAN traffic ingressing on the AE interface might be permanently lost if MC-LAG enhanced-convergence is configured and there is only one member link in the MC-LAG on another FPC.

1409632

Indirect-next-hop pointing to unknown unilist stuck with weight 65535 may occur after a link flap

In a scenario where BGP multipath is enabled and there are multiple ECMP paths to an indirect-next-hop (such as multiple LSPs or AEs), when the forwarding chain is unilist_1->indirect-next-hop->unilist_2, any change in the unilist_2 active member list is absorbed by the indirect-next-hop in the chain and is not propagated back to the top-level unilist_1. If a link flaps, this causes the indirect-next-hop pointing to unilist_2 to be stuck with weight 65535, which in turn causes traffic blackholing.

1410439

child link missed from mib id dot3adAggPortAttachedAggID (OID - 1.2.840.10006.300.43.1.2.1.1.13)

Under certain conditions, a child link might be missing from MIB ID dot3adAggPortAttachedAggID (OID - 1.2.840.10006.300.43.1.2.1.1.13).

1410465

When using SFP+, the interface optic output might be non-zero even though the interface has been disabled

When using SFP+, the interface optic output might be non-zero even though the interface has been disabled.

1410970

Packets might be dropped if the traffic is forwarded via an LT interface

On all Junos platforms, if traffic is forwarded to IRB via an LT (Logical Tunnel) interface, packets might be dropped.

1411179

VoIP-enabled extended ports (on satellite devices) do not adjust MTU in Junos fusion for enterprise

In Junos Fusion Enterprise (JFE) setups, Voice over IP (VoIP) enabled extended ports on satellite devices (SD) are set to the default Maximum Transmission Unit (MTU) of 1514 bytes. Due to this, the maximum data size is limited to 1468 bytes beyond which packets are dropped with MTU errors (when DF bit is set).

1411376

Kernel replication failure might be seen if an ipv6 route next-hop points to an ether-over-atm-llc ATM interface

If an ipv6 route next-hop points to an ATM interface with encapsulation ether-over-atm-llc, after performing or re-enabling the graceful routing engine switchover, the ksyncd core and vmcore might be seen and the kernel replication might fail, which results in non-synchronization status of routing protocols on both REs.

1411858

Traffic loss might be observed after VXLAN configuration change

On EX4300/EX4600/QFX5100/QFX5200 platforms, when IRB is configured in VXLAN environment, traffic loss might happen after making configuration change. For example, it is observed that after VNI-id is changed, the EBGP session over the IRB goes down and does not come back up due to the ARP resolution failure.

1411874

GRE over GRE might not work for host generated traffic

If GRE (Generic Routing Encapsulation) over GRE tunnel is used for sending RE originating traffic, the traffic cannot be encapsulated properly although the GRE over GRE tunnel works for transit traffic.

1412322

MX10003: The rpd crash with switchover-on-routing-crash doesn't trigger RE switchover and the rpd on master RE goes into STOP state

If the rpd (routing protocol daemon) crashes with the 'switchover-on-routing-crash' knob enabled on the MX10003 platform, the RE switchover might not happen and the rpd on the master RE goes into STOP state. All protocols go down and the rpd remains in STOP state until manual recovery is done.

1412534

Family inet of the unnumbered interface might be deleted when deleting one of the IPs of the binding interface

When an unnumbered interface is bound to an interface that has more than one IP address and one of the IPs is deleted, the family inet of the unnumbered interface might be deleted. The issue results in traffic loss for all the services that rely on the family inet of the unnumbered interface. Configuring preferred-source-address on the unnumbered interface prevents deletion of the IP, which avoids the deletion of the family inet of the unnumbered interface.

1413224

The rpd memory leak might be seen due to a wrong processing of a transient event

Starting with Junos 16.1R1, in a large-scale setup (e.g. ~400 BGP peers), during route updates or link flapping, the RTSOCK (trace routing socket event, a transient event) message produced by KRT might be handled incorrectly, which causes an rpd memory leak. If the memory is exhausted, the rpd process might crash.

1413543

ICMPv6 RA packets generated by RE might be dropped on the backup member of VC if igmp-snooping is configured

In a virtual-chassis scenario, on a backup member that is an EX2300/3400/4300/4600 or any QFX switch, if igmp-snooping is enabled on a VLAN, ICMPv6 RA packets generated by the RE might be dropped on the VLAN.

1413686

The unexpected AS prepending action for AS path might be seen after the no-attrset knob is configured or deleted with vrf-import/vrf-export configuration

If the independent AS domain is configured for the virtual routing and forwarding (VRF) instance (it is enabled with the independent-domain knob, and attribute set messages are enabled by default), the global autonomous system (AS) number in the master routing instance should be prepended to the AS path when the route prefix is imported into the VRF instance. With no-attrset configured (which disables the attribute set messages), the global AS number in the master routing instance should not be prepended to the AS path. However, the current implementation violates this behavior when a vrf-import/vrf-export policy is used in the VRF routing-instance and the no-attrset knob is configured or deleted.

1413807

Number of inet-arp policers implemented on ACX5K has been increased from 16 to 64

The number of inet-arp policers is increased from 16 to 64 for ACX5K.

1414021

The CPU utilization of the rpd process is stuck at 100% if BGP multipath is configured

In BGP with the indirect next-hop scenario, if BGP multipath is enabled, a background job loop might be formed and the CPU utilization of the rpd process might be stuck at 100%. With this software issue, the Junos rpd daemon flashes the route even if the route has not changed. This applies only to the indirect next-hop case.

1414092

jpppd core dump on LNS

jpppd core dump on LNS

1414145

FPC crash may be observed if it reaches heap utilization limit

In a subscriber management environment, an FPC crash may be observed if the FPC reaches its heap utilization limit while subscribers continue to log in. A code defect fails to report this condition accurately, so further subscriber logins are allowed, which in turn causes the FPC crash.

1414418

The multicast traffic drop might be seen when 'static-umh' is configured in NGMVPN scenario

In an NGMVPN (next-generation multicast virtual private network) scenario, if 'static-umh' is configured, multicast traffic might stop forwarding as the 'Forwarding state' shows 'pruned' on the receiver PE. The reason is that, due to the fix for PR 1315011, UMH (upstream multicast hop) selection is based on the entire RT import value, which includes the upstream PE address and a unique value. For the static UMH, however, only the address can be given, so the UMH selection cannot get the correct upstream and the egress PE is not able to join the correct upstream.

1414496

With arp-suppression enabled, QFX5K/EX46 may not forward IPv6 Router Solicitation or Router Advertisement packets.

In a VXLAN scenario, when arp-suppression is enabled on QFX5K/EX46 platforms, the device may not pass IPv6 Router Solicitation and Router Advertisement packets.

1414688

Some Junos releases could not be installed successfully on EX2300-C platform

Due to a problem with the install process, the following Junos releases for the EX2300-C platform could not be installed successfully: 18.1R3-S3, 18.2R2-S1, 18.2R2-S2, 18.4R1, 18.4R1-S1. These releases have been removed from the download page and will not be replaced. This problem affects only the EX2300-C platform. Previous and subsequent releases are not affected.

1414706

Firewall filters are not getting programmed into PFE

In a subscriber environment, if the client profile has no filters while the service profile has filters, ifstate compression might occur after a subscriber login when the current filters are deleted and a different filter is then added. When this occurs, the firewall filter might be corrupted.

1414816

The MPC might crash when a MIC is pulled out while that MIC is booting up

On the MX platform, the MPC might crash when a MIC is pulled out while that MIC is booting up.

1414965

LDP route is not present in inet6.3 if IPv6 interface address is not configured

LDP (Label Distribution Protocol) checks for a configured IPv6 interface address before it brings up the LDP IPv6 interface. If the interface is not configured with an IPv6 interface address, LDP will not bring up the LDP IPv6 interface, and therefore LDP fails to install the route in inet6.3.

1415042

The user might not be able to enter configure mode because mgd is in lockf status

If "commit confirmed " is executed and another "commit" or "commit confirmed " is then issued after around the minutes, a rollback might be hit in a race condition. Eventually, this may cause the mgd process to enter and stay in lockf status, so the user can no longer enter configure mode.

1415224

PCE initiated LSPs get deleted because of wrong timer timeout

PCE-initiated LSPs get deleted from the PCC if the PCEP session goes down and gets re-established within the "delegation-cleanup-timeout" period.

1415277

Local L2ALD proxy MAC+IP advertisements accidentally delete MAC+IP EVPN database state from remotely learned type 2 routes

With 'proxy-macip-advertisement' enabled on the IRB IFL, the spine can learn MAC+IP from l2ald upon ARP resolution or via type 2 EVPN routes from other spines. If the state was learned from another spine, a MAC+IP withdraw from l2ald could delete it. proxy-macip-advertisement is needed when using the virtual gateway feature.

1415297

The dcpfe might crash when any interface flaps

On QFX5110/QFX5200 platforms, the dcpfe might crash if any interface flaps.

1415450

VXLAN Encapsulation nexthop (VENH) does not get installed during BGP flap or restart routing.

During a BGP flap, the route delete and route add requests to rpd might get compressed, which results in the VXLAN DB not being updated with the right unicast NH to stitch it with the VENH. The VENH then has no unicast NH to forward the traffic. This can be seen using nhinfo in the kernel or "show nhdb id <> recursive" in the FPC VTY.

1415769

Traffic with three or more 802.1Q tags might fail to forward

On ACX/EX/QFX platforms, traffic might fail to forward if packets carry three or more 802.1Q tags.

1415898

The swap memory is not initialized on boot on ACX5048/5096

On ACX5048/5096 platforms, the swap memory is not initialized by default on boot. If SRAM is completely filled, some inactive pages are swapped to the swap memory. If the swap memory is not enabled, a new process might fail to start.

1415922

The bbe-smgd process might have a memory leak while running "show system subscriber-management route route-type <> routing-instance <>"

On MX platforms enabled with enhanced subscriber management, if the route-type and the routing-instance are used at the same time, there might be a memory leak in the bbe-smgd process while running the command "show system subscriber-management route route-type <> routing-instance <>".

1416016

L2TP LAC might fail to tunnel static pp0 subscriber to the desired LNS

In some rare situations, due to an incorrect interface Change Event compression on the L2TP LAC (L2TP Access Concentrator), the static pp0 logical interface might not be added to the jl2tpd database. As a result, a subscriber cannot be tunneled over that interface to the L2TP LNS (L2TP Network Server).

1416032

Services dependent on LDP might be impacted if committing any configuration changes

On all Junos platforms, if any running protocol depends on LDP (e.g., l2circuit/L2VPN), unnecessary LDP updates might be seen after committing any configuration change, even one as minor as changing the description on an interface. Only services dependent on LDP might be impacted during that period.

1416516

LDP route might be missing in inet.3 when enabling sr-mapping-client on LDP-SR stitching node

When the sr-mapping-client knob is configured in ISIS segment routing, the LDP route might not be present in inet.3 and routing-instance.inet.3, and an invalid input/output label might be advertised in the LDP database.

1416941

BFD might flap when some of the underlay ECMP interfaces are disabled on the leaf nodes

On QFX5000 series or EX4300/EX4600/EX2300/EX3400 platforms in a spine-leaf scenario, when two or more underlay interfaces with ECMP are brought down on leaf devices, the multi-hop BFD overlay sessions between spines and leaves might flap. If BFD flaps, the protocols depending on BFD (typically IBGP) also flap, which leads to traffic impact.

1417186

The ECMP fast reroute protection feature might not work on MX5/10/40/80/104

The Equal Cost Multipath (ECMP) fast reroute protection feature (which is enabled via 'routing-options forwarding-table ecmp-fast-reroute') might not work on MX5/10/40/80/104.

1417270

On EX4300, a few ports might remain in dot1x 'connecting' state and fail to transition to 'authenticated' state.

On EX4300 switches where MAC RADIUS is used for supplicant authentication, some ports might get stuck in dot1x 'connecting' state and never transition to 'authenticated' state. The switch might not send RADIUS access-request packets to the RADIUS server for those connected supplicants, so the ports remain in connecting state.

1417377

Commit error while configuring a firewall with a term that has log/syslog and accept actions.

When a firewall term is configured with log/syslog along with the accept action, a commit error is thrown. This is a breakage caused by PR 1359130.

1417729

The malfunction of the core isolation feature in EVPN-VXLAN scenarios causes a traffic blackhole

In EVPN-VXLAN (Ethernet VPN-Virtual Extensible LAN) multihomed scenarios with active-active mode, where LACP (Link Aggregation Control Protocol) is enabled for the AE (Aggregated Ethernet) bundle on leaf and spine devices, bringing down the links between one leaf and all spines also brings down the BGP peering sessions established over those links. With the core isolation feature, which is enabled by default, LACP should then set the server-facing interface on that leaf to standby mode, which blocks all traffic from the server. However, this feature does not work well with minimum-links configured on the AE bundle.

1417987

The subscriber service profile might be unable to be changed by RAR message in PCRF/Gx-Plus scenario

On MX platforms running a subscriber scenario where the subscriber service profile is activated by the Policy and Charging Rules Function (PCRF), if the authd process is restarted manually from the command line after the subscribers log in, Gx-Plus might lose all the records of the logged-in subscribers due to this issue. When Re-Auth-Request (RAR) messages are then sent via Gx-Plus to change the service profile, the change might fail.

1418425

Traffic loss could be seen for the duration of the hold-time down timer when flapping an interface with a hold-time down timer configured

On PTX with FPC3 installed, traffic loss could be seen for the duration of the hold-time down timer when flapping an interface with a hold-time down timer configured.

1418444

Routing Engine CPU utilization is high and eventd is consuming a lot of resources.

RE CPU utilization goes high, with eventd consuming most of the CPU resources, when sampling is configured.

1418705

Syslog match filtering doesn't work if a single line of /etc/syslog.conf is over 2048 bytes

If a single line of /etc/syslog.conf is above 2048 bytes, syslog match filtering doesn't work for local syslog files or remote syslog servers.

1418960

The PPPoE negotiation of subscriber connection might fail when 65535 is assigned as session-id

On MX platforms running Point-to-Point Protocol over Ethernet (PPPoE), the reserved PPPoE session-id 65535 might also be assigned to a subscriber, which conflicts with RFC 2516. The PPPoE negotiation of the subscriber connection might fail due to this issue.

1419541

CPU usage on a service PIC may spike while forming an IPsec tunnel under a DEP/NAT-T scenario

On MX platforms with service PIC(s), the CPU may spike while forming an IPsec tunnel under a DEP (Dynamic End Points)/NAT-T (NAT Traversal) scenario. This may cause all the IKEv2 tunnels to be dropped, even the tunnels on different service PICs, and may eventually cause packets to be dropped.

1419816

The jdhcpd process might consistently run at 100% CPU and not provide service if the 'delay-offer' is configured for DHCP local server

If the 'delay-offer' is configured for DHCP local server, the jdhcpd process might consistently run at 100% CPU because the delay-offer implementation might cause the jdhcpd to get stuck in a recursive loop during the timer event processing. Due to the degraded jdhcpd process, the DHCP clients might not get connected and serviced, and the operations like clearing DHCP bindings or running DHCP CLI commands might fail.

1419893

EX4300 does not send Fragmentation needed message when MTU is exceeded with DF bit set

On EX4300, the Destination Unreachable (Fragmentation Needed) message is not sent in the IRB case when pinging through the switch with a size greater than the configured MTU and the DF bit set.

1420082

Commit error will be seen but the commit is processed if adding more than o

On EX, MX and T platforms, if "automatic-site-id" is configured in a BGP-signaled VPLS scenario, the wrong configuration commit is processed when more than one site is added under "protocols vpls" in the VPLS routing-instances.

1420294

ARP entry still points to the failed VTEP after the PE-CE link fails for a multihomed remote ESI

In an EVPN/VXLAN scenario, if the PE-CE link fails for a multihomed remote ESI, the ARP entry still points to the failed VTEP interface.

1420976

op url command can't run a script with libs from /config/scripts

Op scripts that import libs may fail to run with the op url command when the "load-scripts-from-flash" knob is configured.

1422171

IPsec SA may not come up when the local gateway address is a VIP for a VRRP-configured interface.

IPsec SA may not come up when the local gateway address is a VIP for a VRRP-configured interface.

Modification History:
2019-10-29 Update to include PR1442376 in the "Known Issue" section