17.3R3-S4: Software Release Notification for Junos Software Service Release version 17.3R3-S4



Article ID: TSB17558 TECHNICAL_BULLETINS Last Updated: 20 Apr 2019 Version: 1.0
Alert Type:
SRN - Software Release Notification
Product Affected:
Alert Description:
Junos Software Service Release version is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts

Junos Software Service Release version 17.3R3-S4 is now available.

The following are incremental changes in 17.3R3-S4.

PR Number Synopsis Description

SNMP MIB walk/get/set on jnxDomCurrentTable and jnxDomNotifications might fail on ACX platforms

SNMP MIB walk/get/set on jnxDomCurrentTable and jnxDomNotifications might fail on ACX platforms while relevant CLI shows proper output.


Ping does not go through device after WTR timer expires in ERPS scenario

On EX4300 series switches in an Ethernet Ring Protection Switching (ERPS) scenario, the control plane might assign more than one STP instance to a VLAN on the ERPS ring after a system reboot. This causes a forwarding issue for Ping packets.


ACX5K platform - the maximum number of logical interfaces on an ACX5K series has been increased from 1000 to 4000

ACX5K platform - the maximum number of logical interfaces (IFLs) on an ACX5K series has been increased from 1000 to 4000.


BGP might not advertise routes on the existing BGP peer after adding Layer 3 VPN instance

If rib-group is configured under BGP, BGP might not advertise routes on the existing BGP peer after adding Layer 3 VPN instance. The "show bgp neighbor" shows that the neighbor state is stuck in "Send state: not advertising".


Common software fix for PR1204589 and PR1256073 that addresses Traceroute behavior while selecting the source address and adds a CLI command to configure it

This release provides software changes fixing PR1204589 and PR1256073, which address the following.
PR 1204589 - an ACX chooses the highest IPv6 address when responding to IPv6 TTL expired over MPLS tunnel
PR 1256073 - The above feature was disabled by default. It can be enabled with the fix of this PR via a CLI command "set system allow-6vpe-traceroute-src-select" in operational mode.


Syslogs contain messages with : %PFE-3: fpc0 ifd null, port 28 dc-pfe: %USER-3: ifd null, port 28 : %PFE-3: fpc0 ifd null, port 29 dc-pfe: %USER-3: ifd null, port 29

On an EX2300-48 port switch the syslog messages might contain messages like "fpc0 ifd null, port 28". These messages do not have any functional impact since port 28 is not the front panel port but the internal port on each forwarding ASIC.


The mgd process might crash and sessions will be terminated when using netconf to perform configuration load override

Every load override and rollback operation increases the refcount by 1, and after it reaches its maximum value (65,535), the mgd process is terminated. When mgd is terminated, the active lock may remain, preventing any further commits.


The rpd might crash if RIP neighbor is configured with the same IP address as the local interface

If Routing Information Protocol (RIP) neighbor is mistakenly configured with the same IP address as the local interface, the rpd process might crash. It is a timing issue. Normally the rpd process will recover after crash.


The rpd process might crash after clearing ISIS database with link-protection configured

When the ISIS database is cleared, an rpd crash might be observed if loop free alternative is configured. The ISIS database can be cleared even when ISIS is deactivated.


After zeroizing, QFX5100 is treating 40G AOC uplink as 4x10g breakout with auto-channelization enabled

The initial implementation of auto-channelization relied upon the success or failure of certain timing related state machines. In some instances such as when an upstream device is rebooting, or in the process of initializing interfaces this can result in incorrectly (auto)channelizing a native 40G link. Once channelized the port must be manually reconfigured to restore native 40G connectivity which can impact some ZTP boot scenarios. This change modifies the decision tree to include reading of the applicable EEPROM register of the inserted qSFP to determine if the cable is capable of breakout before performing auto-channelization.


PTX10K: For 100G LR4 Optics with part number 740-061409 change 'show chassis hardware' display to QSFP-100G-LR4-T2.

On PTX10K, 100G LR4 optics with part number 740-061409 will show as QSFP-100G-LR4-T2 instead of QSFP-100G-LR4, and optics that show as QSFP-100G-LR4 are not supported on PTX10K.


bcmDPC task is high even though Interrupt START_BY_START flag set to 0

The START_BY_START_ERR interrupt handler was not available with the previous version of the bcm sdk code. This led to the bcmDPC process continuously checking the status of this flag, leading to high CPU utilization. This has been fixed in this release by adding a handler for this interrupt.


The FXPC process might crash after adding or deleting a Q-in-Q VLAN to an interface on EX2300 and EX3400 platforms.

On EX2300/EX3400 platforms, after modifying a QinQ VLAN configuration on an interface, the FXPC (dc-pfe) process might crash.


On QFX5100 platforms, LR4 QSFP can take up to 15 min to come up after VC reboot

On QFX5100 platforms, LR4 QSFPs might take longer to come up than others (up to 15 minutes). This is an intermittent occurrence.


lt- interface gets deleted with tunnel-services configuration still present.

When a tunnel interface is used as the anchor-port in pseudo-wire services, deleting the set interface config causes the tunnel-services interface to get deleted. Deleting pseudo services alone will not have an effect on tunnel-services interfaces.


QFX10000 platform drops Aruba wireless AP heartbeat packets

QFX10000 platform drops the Aruba wireless Access Point (AP) heartbeat packets; as a result, the Aruba wireless AP cannot work.


The ae interface might flap when the link speed of the ae bundle is configured to oc192

When the link speed of the ae (Aggregated Ethernet) bundle is configured to oc192, a certain sequence of operations might cause the ae interface to flap, which will affect traffic. First, configure the member links. Then, remove a member link from the bundle. Finally, add a member link back.


Configuration commit might be delayed by 30 seconds.

In Junos releases that support ephemeral configuration databases, the configuration commit time might be delayed by ~30 seconds as "Routing protocols process" (rpd) validates the new configuration. If the synchronized commit is used, the delay time is therefore ~1 min.


ACX5k: fpc0 (acx_rt_ip_uc_lpm_install:LPM route add failed) Reason : Invalid parameter after configuring lpm-profile.

In ACX5000, some next-hop routes are not installed properly, reporting the message "Failed to h/w update ip uc route entry". In LPM mode, if the default route changes from ecmp to a non-ecmp HOLD nexthop, the PFE gets into a corrupted ecmp nexthop. This release fixes the NH index issue and some issues related to handling ipv4 vs ipv6 default routes for LPM.


Unexpected incrementing of counters on the interface

On PTX Series platforms, if the AE child interfaces are across different PFEs and "nexthop-learning" is configured, the MAC filter statistics of the child interface might be abnormal.


The dot1xd might crash when dot1xd receives incorrect reply length from the authd

On Junos OS platforms supporting dot1x, dot1xd core-dumps might be seen when it receives the reply from the authd and the reply length is less than 28 Bytes.


The LLDP TLV with the wrong switch port capabilities might be sent

On EX4300 platform with LLDP enabled, an LLDP TLV with the wrong switch port capabilities might be sent, and it might cause IP phones to not work properly.


MS-MPC might have performance degradation under scaled fragmented packets

On MX Series platforms with MS-MPC, it might have performance degradation if the MS-MPC receives scaled fragmented packets.


The auto-negotiation interface might go down if the opposite device supports only 10/100M auto-negotiation

On the QFX5100 platform, the auto-negotiation interface might go down if the peer device supports only 10/100M auto-negotiation


ARP request packets might be sent out with 802.1Q VLAN tag

ARP request packets might be sent out with 802.1Q VLAN tag even though the outgoing interface is access port.


CoA updates subscriber with original dynamic-profile if radius has returned different dynamic-profile name

When radius sends CoA (Change of Authorization) for the subscriber after radius has returned a different dynamic-profile name in access-accept, the subscriber will be updated with the original dynamic-profile. The issue occurs because the new dynamic-profile name sent by the radius is not saved in the subscriber's table, hence when the CoA message arrives, the old dynamic-profile name is used. The issue results in CoA updating the subscriber with unexpected values (the old dynamic-profile is used instead of the new dynamic-profile).


Traffic blackhole caused by FPC offline in MC-LAG scenario

On a Junos device in the multichassis link aggregation group (MC-LAG) scenario with integrated routing and bridging (IRB) interface and enhanced-convergence enabled, if the MC-LAG has only one member link, after taking offline the FPC hosting that member link and then clearing ARP, the traffic which is expected to egress the interchassis link (ICL) might get dropped, due to the nexthop being incorrectly set as Discard by code in Junos kernel.


The unicast traffic from IRB interface towards LSI might be dropped due to PFE mismatching at egress processing

On all Junos with Trio platforms, the unicast traffic might get dropped when it is passed from an Integrated Routing and Bridging (IRB) interface towards label switch interface (LSI) if the Aggregation Ethernet (AE) load balancing adaptive or per-packet is configured.


SSD lifetime might be shortened in OVSDB environment

In an Open vSwitch Database (OVSDB) environment with a Solid State Drive (SSD) installed on the backup RE side, the primary RE copies /var/db/ovsdatabase to the backup RE at a very short interval (e.g. every 10 seconds), and the backup RE might write the whole ovsdatabase file to the SSD card frequently. Therefore, the SSD lifetime might be shortened due to the excessive amount of read/write. Due to this issue, SSD card failure might be observed.


The static route might persist even after its BFD session goes down

On all Junos OS platforms with BFD for the static route configured, when the BFD session is brought down by changing the VLAN ID of the local interfaces, the static route might persist in the routing table.


Changing the value of mac-table-size to default may lead all FPC to reboot

If the value of mac-table-size of a given VLAN which is carrying traffic is changed to default, then the layer 2 forward table ( IFL-List ) needs to be re-associated with Flush-List which keeps the newest MAC list pushed by the Route Engine ( RE ), then the IFL-List must be deleted for this re-association. However, when the MAC entries are deleted, their flags might still remain in the IFL-List, that causes the MAC deletion failure, also the update of the Flush-List might get stuck. Consequently, all FPC might reboot.


Some SFBs might go down when one of the PSMs in the chassis generates a bad output voltage which is out-of-range

On MX2010/MX2020, some Switch Fabric Boards (SFBs) might go down because one of the Power Supply Modules (PSMs) in the chassis generates a bad output voltage which is out-of-range.


Penultimate-hop router does not install BGP LU label causing traffic blackhole.

On the penultimate-hop router in BGP LU (labeled unicast) scenario using PHP (penultimate-hop popping), when a link flap causes the next-hop of a label received from the egress router to change, once the link comes back, the penultimate-hop router might fail to install the clone route (S=0) entry for that label and result in traffic blackhole.


FPC card might reboot when changing CoS mode from hierarchical-scheduler to per-unit-scheduler

The CoS (Class of Service) mode per-unit-scheduler is not supported on an interface that is an interface-set member. If the CoS mode is changed from hierarchical-scheduler to per-unit-scheduler for the interface, the FPC (Flexible PIC Concentrator) card of the interface might crash.


firewall flexible match syntax clarification

This PR is to fix some hints for the CLI commands to avoid confusion. With the fix, it will be like this:

    {MASTER}[edit]
    labroot@beltway-re1# set firewall flexible-match source-ipv6-match bit-length ?
    Possible completions:
      Length of integer input (1..32 bits), Optional length of string input (1..128 bits)   <<<< added information that for integer the limit is 32bit

    {MASTER}[edit]
    labroot@beltway-re1# set firewall flexible-match source-ipv6-match bit-length 120

    {MASTER}[edit]
    labroot@beltway-re1# commit check
    re1:
    commit-check failed
    commit-check failed
    error: configuration check-out failed

    <<<<<< for range, added the syntax check that no "," "or" is supported.

    {MASTER}[edit]
    labroot@beltway-re1# set firewall family inet6 filter flex-match-v6 term source-ipv6 from flexible-match-range range 0x00000001-0x00010001, 0x00010001-0x00010070
    ^
    syntax error.

    {MASTER}[edit]
    labroot@beltway-re1# set firewall family inet6 filter flex-match-v6 term source-ipv6 from flexible-match-range range 0x00000001-0x00010001 ?
    Possible completions:
      <[Enter]>            Execute this command
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      bit-length           Length of the data to be matched in bits (1..32)
      bit-offset           Bit offset after the (match-start + byte) offset (0..7)
      byte-offset          Byte offset after the match start point
      flexible-range-name  Select a flexible match from predefined template field
      match-start          Start point to match in packet
      |                    Pipe through a command

    {MASTER}[edit]
    labroot@beltway-re1# set firewall family inet6 filter flex-match-v6 term source-ipv6 from flexible-match-range range 0x00000001-0x00010001 or
    ^
    syntax error.


jlock hog reported at restart routing

In a scaled configuration it is possible that a jlock_hog can be reported in the syslog after a restart routing. This message is informational and indicates contention for RPD resources.


Traffic being dropped when passing through MS-DPC to MPC

On MX series platform, when traffic passes through MS-DPC service card and then egresses the router through an AE interface on MPC, partial traffic loss might be seen due to a memory initializing issue.


Usage-Monitoring-Information AVP may activate service accounting.

Usage-Monitoring-Information AVP as part of PCRF gx-plus provisioning is causing service accounting activation.


On EVPN setups, wrong destination MAC addresses starting with 45 might show up when using the "show arp hostname" command

On EVPN setups, wrong destination MAC addresses starting with 45 might show up when using the "show arp hostname" command. This is a cosmetic issue with no impact.


Flow label is still used by ingress PE though the Egress PE is not configured/supporting for Flow label in a vpls multihomed Scenario

If an LDP-VPLS routing instance is configured with active and backup neighbors, and flow label capability is enabled on the active neighbor but not on the backup neighbor, then upon switching the PW to the backup neighbor, Junos on the VPLS PE will continue to send traffic with flow label based on the capability learnt from the previously active neighbor.


JUNOS enhancement configuration knob to modify mcontrol watchdog timeout

Junos CLI enhancement to configure mastership refresh timeout value 9 to 30 via the chassis CLI command 'set chassis redundancy mastership-refresh-timeout'.


Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036)

Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036); Refer to for more information.


The dcd crash might be seen after deleting the sub interface from VPLS routing-instance and mesh-group

If an IFL is configured under a VPLS routing-instance and also configured in a mesh-group, if it is deleted from the routing-instance and from mesh-group and these changes are done at same time (single commit), then DCD might crash. First, interface from routing-instance is deleted successfully however deleting from mesh-group is leading to the crash.


MPC card/afeb/tfeb with Channelized OC MIC can crash with core dump

MPC card/afeb/tfeb with Channelized OC MIC can crash with core dump


The BUM traffic might not be flooded in EVPN-MPLS scenario

In EVPN-MPLS (Ethernet VPN - Multiprotocol Label Switching) scenario with bridge-domains used, any configuration change which causes a BD (Bridge Domain) reincarnation (e.g. change of vlan-id-list under bridge-domains) might break the flooding of BUM (Broadcast, Unknown-unicast, Multicast) traffic. The issue leads to BUM traffic loss. All services that rely on BUM traffic might be impacted.


Extended Port (EP) LAG may go down on the Satellite Devices (SDs) if the related Cascade Port (CP) links to an Aggregation Device (AD) go down

In a Junos Fusion Data Center, if one Aggregation Device (AD) is isolated by disabling the Inter Chassis Link (ICL) and all cascade ports (links between AD and SD), and later only the ICL is re-enabled on the AD, then EP-LAG LACP will go down. This issue will not be seen if the ICL is up and only the AD-SD links go down.


All FPC cards might restart after L3VPN routes churn

In L3VPN network with large-scale prefixes, if the peer PE is other vendor's router (e.g. Cisco) configured with "per-prefix label", all FPC cards might restart after L3VPN routes churn multiple times.


IPSEC tunnel cannot be established because the tunnel SA and rule are not installed in the PIC

On MX-Series platforms, when IPSEC is used in an interoperability scenario with other vendors' devices (such as CISCO/HUAWEI) and the peer device sends an IPSEC tunnel establishment request using the port and protocol as Traffic/Flow distinguisher, the SA for the tunnel is not installed in the PIC; that is, the impacted tunnels are up on the RE but are not programmed in the PFE. As a result, the IPSEC tunnel cannot be established and traffic fails.


In 13.3R9.13, firewall filter action, "decapsulate gre", decapsulates gre, ip-over-ip and ipv6-over-ip, but in 17.3R3.9, it only decapsulates gre.

The feature fbt based "gre decap" used to decap GRE, IPIP and IPIPV6 traffic till 16.1. Later PR-1226830 changed this behavior and allowed only the decapsulation of GRE based traffic. This can cause issues in some customer deployments on upgrade to a newer release where the "gre decap" option was used to decap the IPIP and IPIPv6 traffic, as there is no decap support of IPIP/IPv6. The fix in this PR reinstates the older behavior and makes sure the GRE decap option decapsulates the additional IPIP and IPIPv6 traffic apart from GRE.


The DHCPv6 relay packets are dropped when both the UDP source and destination ports are 547

In a DHCPv6 (Dynamic Host Configuration Protocol version 6) relay scenario where QFX5000 works as the DHCPv6 relay agent, if DHCPv6 packets with both UDP (User Datagram Protocol) source and destination ports set to 547 are received, they are dropped and not forwarded to the DHCPv6 server. The issue results in the DHCPv6 process failure.


Junos OS: BGP packets can trigger rpd crash when BGP tracing is enabled. (CVE-2019-0019)

Junos OS: BGP packets can trigger rpd crash when BGP tracing is enabled. (CVE-2019-0019); Refer to for more information.


EVPN Type 2 MAC+IP route is stuck when the route Advertisement has 2 MPLS labels and Withdrawal has 1 label

In EVPN (Ethernet VPN) scenario, if the router receives a Type 2 MAC+IP route Advertisement having 2 MPLS labels, and then Withdrawal of the same route with only 1 label, the Withdrawal will not be processed and that route will be stuck.


QFX5100 - VXLAN - Traffic is queued in the wrong queue when interface configuration is changed from a layer 2 with VXLAN configured on the VLAN to a family inet configuration

On QFX5100, traffic initiated from a server connected to an interface will be dropped at the interface on the switch if the interface was configured with family ethernet-switching with VXLAN and the configuration is changed to family inet.


The subscriber route installation failed due to some interfaces states are not properly installed

In a BBE subscriber scenario with subscribers built on AE interfaces, operations that cause a great many interface states to be published from BBE (Broadband Edge) to the kernel (such as System/FPC reboot or a massive amount of link flapping) might leave some interface states not properly installed (with an invalid Next-Hop that has no selector). It might cause subscriber route installation failure and traffic drop.


RPD core upon RE switchover with scaled EVPN configuration.

On MX or QFX10k with dual RE/NSR enabled and a scaled EVPN configuration, RPD could core upon RE switchover due to a bug that corrupts the EVPN instance tree. Not seen with limited or few EVPN instances.


There might be unexpected packets drop in MoFRR scenario if active RPF path is disabled

On Junos platforms which have Multicast Only Fast Reroute (MoFRR) and Join Load Balance (JLB) Automatic features enabled, in a scaled setup (e.g. with around 3k multicast routes), when the active Reverse Path Forwarding (RPF) path is disabled by some operation (e.g. the metric of the active interface is increased so that it is no longer active), there might be unexpected packet drops for about 5 seconds due to this timing issue.


JET authentication does not work for usernames and passwords of certain lengths.

The authentication module for JET RPCs and Telemetry fails in authenticating usernames or passwords of certain lengths. Hence the users will be unable to execute JET APIs or Junos Streaming Telemetry.


Certain otn-options cause interface flapping during commit.

With the following configuration present, the interface flaps after a commit where an AE interface is being added:

    set interfaces otn-options trigger oc-tsf hold-time up <> down <>
    set interfaces otn-options trigger odu-bei hold-time up <> down <>


BGP router on the same broadcast subnet with its neighbors might cause IPv6 routing issue on the neighbor from other vendors

RFC 2545 has a limitation on third party next-hops where the next hop is propagated unchanged. Due to this limitation, the Border Gateway Protocol (BGP) router attaches its own IPv6 link local address in the next hop and advertises the route to its BGP neighbor. This could introduce a routing issue on a BGP neighbor from another vendor (e.g. Cisco) and put the BGP router itself in the traffic path unexpectedly. This issue will not be seen on Juniper devices because the IPv6 link local address is not selected as next hop.


Traffic loss seen in IGMP subscribers after GRES.

There is a chance that some subscribers may not have IPTV post GRES. This condition will be seen if subscribers are logged in before the system has initialized fully or if dynamic profiles are changed with subscriber activity.


MPLS LSP traffic loss might be seen under rare conditions if CSPF is enabled

When make-before-break (MBB) new instance signaling experiences error and before retry is finished, other triggers such as auto bandwidth adjustment timer expiration have to be blocked until MBB finishes. Once the MBB finishes instance switching, blocked trigger needs to be scheduled, but should only be triggered after optimize-adaptive-teardown timer expires. In the affected releases, the blocked trigger is scheduled immediately after instance switching without taking optimize-adaptive-teardown timer into account, it causes old instance to be torn down before whole system finishes changing routes using the new instance, this leads to traffic loss.


FPC might crash after offline/online MIC-3D-16CHE1-T1-CE-H.

On MX and ACX platforms, after offline and then online MIC-3D-16CHE1-T1-CE-H card, the related FPC might crash.


Continuous kernel crashes might be observed in backup RE or VC-BM

On Junos OS platforms with dual REs (or MX-VC) and GRES enabled, if an unnumbered interface is configured with a subnet IPv6 address, the kernel might continuously crash in the backup RE when receiving IPv6 NS (Neighbor Solicitation) towards the unnumbered interface. In an MX-VC scenario, the kernel crash in VC-BM (primary Routing Engine in the Virtual Chassis backup router) might cause a sync problem.


Incorrect mem stat message is seen in FPC logs of PTX Type 1 FPC

Incorrect mem stat message is seen in FPC logs of PTX Type 1 FPC


The FPC might crash in a CoS scenario

If MPC1/MPC2 are used ("Trio" based MPCs) in HCoS scenario, the FPCs might crash due to an invalid IFL referred by the dynamic BBE subscriber interface.


The rpd crash due to memory corruption in EVPN

In Ethernet VPN (EVPN) active/active multi-homing scenario with MPLS encapsulation, toggling of multi-homed interface might cause memory corruption leading to rpd crash.


The subscriber may not access the device due to the conflicted assigned address

In a subscriber management environment, the subscriber (say, subscriber A) may not access the device (A can get IP address x.x.x.x but then the connection will be terminated), because the address x.x.x.x is previously assigned to another subscriber B and then re-assigned to A before confirming whether the respective access route for address x.x.x.x is removed.


Traffic drop is seen on EX4300 when 10G Fiber port is using 1 Gigabit Ethernet SFP optics with Auto-Negotiation enabled

Traffic drop is seen on EX4300 when 10G Fiber port is using 1 Gigabit Ethernet SFP optics with Auto-Negotiation enabled. Auto-Negotiation is enabled by default on these ports. This issue is applicable to EX4300 platforms using 10G Fiber ports supporting 1G optics in any of the applicable PIC ( PIC0 last 4 ports and PIC2 of EX4300-32F and PIC2 of EX4300-24/48 T/P ). Traffic will not egress out of these ports and the peer will not receive the traffic.


EX-SFP-1FE-LX SFP does not work on MIC-3D-20GE-SFP-E

On MX Series platforms, EX-SFP-1FE-LX SFP does not initialize with MIC-3D-20GE-SFP-E(EH).


The rpd might crash on a leaf node when handling the withdrawal of remote or local MAC address in an EVPN-VXLAN scenario

On all Junos OS platforms that are running Ethernet VPN (EVPN) with Virtual Extensible LAN (VXLAN) on the device, when handling the withdrawal of remote or local MAC address, it may cause stack corruption and may subsequently result in rpd crash on the leaf node.


MPC might core dump after restarting FPC that belongs to targeting AE and host subscribers

MPC might core dump after restarting FPC that belongs to targeting AE and host subscribers


[QFX10002] SNMP trap for PSU removal/insertion is not generated

SNMP trap for PSU removal is under the Virtual Chassis module. Since QFX10002 is a non-VC device, the code to generate the SNMP trap for a PSU removal is moved to the non-VC module.


The cfmd might fail to start after it is restarted

If connectivity fault management (CFM) is enabled with the name-format for maintenance-domain set to 'none' and iterator configuration, and the sum of the length of maintenance-domain name and maintenance-association name exceeds the maximum allowed size (i.e. 44 octets), the initial configuration commit would be passed and CFM is working. But once the cfmd is restarted, the cfmd process cannot start with coredump file generated.


IPv6 traffic might be dropped between VXLAN bridge-domain and IP/MPLS network

On Trio-based platforms, when an IPv6 host located in VXLAN bridge-domain tries to communicate with another IPv6 host located in IP/MPLS network via irb gateway, the IPv6 traffic might be dropped.


The process rpd crash may be observed once a non-forwarding path is used for re-resolution

The process rpd may crash after a non-forwarding route (i.e., a route to an indirect next-hop association is non-forwarding indirect next-hop) which is received from multiple protocols is resolved again by using the non-forwarding path.


NPC core after daemon restart in jnh_get_oif_nh ( ) routine

During bring down of an LNS subscriber with COS, a PFE core may be observed if the corresponding pseudo IFL got deleted before this flow from the PFE. Generally, the pseudo IFL will get deleted only when all the subscribers using this pseudo IFL go down. So it is an IPC ordering issue which results in the NPC core. This is not observed during normal bring up and down of LNS subscribers. It is observed when subscriber bring up/down is coupled with daemon restarts.


continuous log message 'authd[18454]: %DAEMON-3-LI: liPollTimerExpired returned 0'

The log message 'authd[18454]: %DAEMON-3-LI: liPollTimerExpired returned 0' can be seen after any LI activity. The messages are cosmetic. The log was removed to hide LI activity.


Traffic forwarding failed when crossing VCF members

In a VCF scenario, if one member of the VCF reboots, forwarding of transit unicast traffic across non-directly connected VCF members might fail.


The DHCP discover packets might be dropped over VXLAN tunnel if DHCP relay is enabled for other VXLAN/VLANs

On QFX10002/QFX10008/QFX10016 Series platforms, the DHCP discover packets might be dropped over a VXLAN tunnel in a pure Layer2 VXLAN/VLAN when the DHCP relay is enabled for other VXLAN/VLANs. It might result in the failure of DHCP IP address assignment.


Fan failure alarms might be seen on QFX5100-96S after upgrade to 17.3R1

On QFX5100-96S, starting from Junos version 17.3R1, the QFX5100 may experience fan failure alarms and fan performance degradation. The software change in this PR addresses these issues.


The FPC/dcpfe process may crash due to interface flap

On QFX5200/QFX5110 platform, the FPC/dcpfe process may crash due to interface flap; as a result, partial traffic impact may be observed at that time.


MX-Service templates are not cleaned up

MX-Service templates are not cleaned up


Restarting line card on QFX10008/10016 with MC-LAG enhanced-convergence may cause intra-vlan traffic to go a null route

On QFX10008/10016 platforms, when the FPC comes online after a restart, the intra-VLAN traffic ingressing on the AE interface might be permanently lost if MC-LAG enhanced-convergence is configured and there is only one member link in MC-LAG on another FPC.


The rpd process might crash when "routing-options flow" configuration is removed

In BGP FlowSpec scenario, when configuration hierarchy "routing-options flow" is removed, the rpd process might crash due to a deleted data structure being called in code.


FPC might crash during next hop change when using MPLS inline-jflow

On MX platforms with MPLS inline-jflow configured, FPC might crash during next hop change due to another FPC reboot or an interface flap, some traffic will be blackholed during the crash.


The FPC may crash and could not come up if interface-num or next-hop is set to maximum value under vxlan-routing on QFX platforms

On QFX 5100/5110/5120/5200/5210 platforms, when either of the following configurations is present, the FPC may crash and could not come up even after reboot. The issue can be avoided by setting interface-num or next-hop to lesser values instead of maximum values. "set forwarding-options vxlan-routing interface-num 12288" or "set forwarding-options vxlan-routing next-hop 49152".


ACX drops DNS responses which contain an underscore.

ACX drops DNS responses which contain an underscore.


FPC might crash if the pointer value assigned to aggregate next-hop is only for unilist next-hop but not for aggregate next-hop

If ECMP is present, a next-hop type called unilist next-hop will be generated for load balancing. If AE is configured, another next-hop type called aggregate next-hop will be generated for the traffic forwarding to the AE interface. On the PTX platform, when ECMP and AE are present at the same time, aggregate next-hop might be given a random pointer value which is the same as the unilist next-hop pointer value. In this case, the FPC might crash because the unilist next-hop pointer should get accessed only for unilist next-hop but not for aggregate.


Extended ports in JFE do not adjust MTU when VoIP is enabled

In Junos Fusion Enterprise (JFE) setups, Voice over IP (VoIP) enabled extended ports on satellite devices (SD) are set to the default Maximum Transmission Unit (MTU) of 1514 bytes. Due to this, the maximum data size is limited to 1468 bytes beyond which packets are dropped with MTU errors (when DF bit is set).


The rpd memory leak might be seen due to a wrong processing of a transient event

From Junos 16.1R1, in a large-scale setup (e.g. ~400 BGP peers), during route updates/link flapping, the RTSOCK (trace routing socket event, a transient event) message produced by KRT might be handled incorrectly, which will cause an rpd memory leak. If the memory is exhausted, the rpd process might crash.


The rpd may crash if longest-match is configured for LDP

With "protocols ldp longest-match" configured, the processing of a new FEC (Forwarding Equivalence Class) is put on a queue to be processed later. If LDP creates label binding for the FEC and advertises label mapping to its neighbor before the FEC is processed, rpd may crash when the FEC is processed. It is a timing issue.


Number of inet-arp policers implemented on ACX 5k has been increased from 16 to 64

Number of inet-arp policers is increased from 16 to 64 for ACX5K.


The CPU utilization of the rpd process is stuck at 100% if BGP multipath is configured

In a BGP scenario with indirect next-hop, if uRPF is enabled and BGP multipath is then enabled, a background job loop might be formed and the CPU utilization of the rpd process might be stuck at 100%.


LDP route is not present in inet6.3 if IPv6 interface address is not configured

LDP (Label Distribution Protocol) checks for configured IPv6 interface address before it brings up the LDP IPv6 interface. If the interface is not configured with IPv6 interface address, LDP will not bring up the LDP IPv6 interface, hence LDP fails to install the route in inet6.3.


PCE initiated LSPs get deleted because of wrong timer timeout

PCE initiated LSPs get deleted from the PCC if the PCEP session goes down and gets re-established within the "delegation-cleanup-timeout" period.


The dcpfe might crash when any interface flaps

On QFX5110/QFX5200 platforms, the dcpfe might crash if any interface flaps.


The L2circuit egress PE might drop the traffic in FAT+CW enabled L2circuit scenario when another FAT+CW enabled L2circuit PW flaps

On PTX1000/PTX10002/PTX10008/PTX10016 platforms, when multiple FAT+CW (FAT: flow-aware transport, CW: control-word) are enabled in an L2circuit PWs (pseudo-wires) scenario, the L2circuit egress PE might drop the traffic (the affected PW is unsure/unknown) and also corrupt the PW traffic/packet received from the MPLS core when another FAT+CW enabled L2circuit PW flaps (such as link down, FPC crashes, enable/disable of flow label on PW, etc.).


Swap memory is not initialized on boot on ACX5048

Swap memory is not initialized by default on boot. This can be verified by "show system process extensive" output. Example:

Mem: 488M Active, 166M Inact, 433M Wired, 648M Cache, 69M Buf, 114M Free
Swap:    >>> No swap memory

After the fix of this PR, swap memory will be initialized on boot.

Mem: 508M Active, 166M Inact, 434M Wired, 648M Cache, 69M Buf, 92M Free
Swap: 1106M Total, 1106M Free    >>> initialised


The bbe-smgd process might have memory leak while running "show system subscriber-management route route-type <> routing-instance <>"

On MX platforms enabled with enhanced subscriber management, if the route-type and the routing-instance are used at the same time, there might be a memory leak in the bbe-smgd process while running the command "show system subscriber-management route route-type <> routing-instance <>".


The malfunction of core isolation feature in EVPN-VXLAN scenarios causes traffic blackhole

In EVPN-VXLAN (Ethernet VPN-Virtual Extensible LAN) multihomed scenarios with active-active mode, where LACP (Link Aggregation Control Protocol) for the AE (Aggregate Ethernet) bundle is enabled on leaf and spine devices, when the links between one leaf and all spines are brought down, the BGP peering sessions established over the links also go down. With the core isolation feature enabled by default, LACP should set the server-facing interface on that leaf to standby mode, which blocks all traffic from the server. However, this feature does not work well with minimum-links configured on the AE bundle.


failed to reload keyadmin database for /var/etc/keyadmin.conf

During commit of the configuration change the following warning message can appear: warning: Command exited: PID 7527, status 255, command keyadmin error: failed to reload keyadmin database for /var/etc/keyadmin.conf


Traffic may be lost when one of the logical interfaces on a LAG is deactivated or deleted

If SP style config is used in EX4300, deactivating or deleting one of the logical interfaces on a LAG would cause failure of traffic passing through the same LAG interface. Using EP style config will be a workaround.


[EVPN] Aggregate-Ethernet interface flaps followed by commit

In EVPN, an Aggregate-Ethernet interface configured with ESI might flap followed by commit due to a software defect.


The rpd process might crash and core dump during mpls ping command on l2circuit

When end-interface, backup-interface for end-interface and protect-interface for end-interface is used as an interface for "ping mpls l2circuit interface" command, the rpd process might crash and core dump.

Modification History:
First publication date 2019-04-20