Knowledge Search


×
 

18.2R1-S5: Software Release Notification for Junos Software Service Release version 18.2R1-S5

  [TSB17586] Show Article Properties


Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, EX, PTX, MX, QFX, vMX, vRR, Network Agent, NFX, SRX, vSRX
Alert Description:
Junos Software Service Release version is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as need and follow the prompts
Solution:

Junos Software service Release version 18.2R1-S5 is now available.

The following are incremental changes in 18.2R1-S5.

 
PR Number Synopsis Description
1231402

EVPN/VXLAN: MAC entry incorrectly programmed in PFE, leading to some traffic blackhole

An incorrect PE router is attached to an ESI when the router receives two copies of the same AD/ESI route (for example, one through eBGP and another one received from an iBGP neighbor). This causes a partial traffic black hole and stale MAC entries. You can confirm the issue by checking the members of the ESI: user@router> show evpn instance extensive ... Number of ethernet segments: 5 ESI: 00:13:78:00:00:00:00:00:00:01 Status: Resolved Number of remote PEs connected: 3 Remote PE MAC label Aliasing label Mode 87.233.39.102 0 0 all-active 87.233.39.1 200 0 all-active <<<< this PE is not part of the ESI 87.233.39.101 200 0 all-active

1276044

RPD core if LSP configured in 'install-nexthop' does not exist

RPD core if LSP configured in 'install-nexthop' does not exist

1289313

Junos OS: Login credentials are vulnerable to brute force attacks through the REST API (CVE-2019-0039)

Junos OS: Login credentials are vulnerable to brute force attacks through the REST API (CVE-2019-0039); Refer to https://kb.juniper.net/JSA10928 for more information.

1337327

Link flapping or staying down due to interoperation issue between MX/EX9200 and transport device

On MX204, MX10003, or MPC7E/8E/9E, or EX9200-40XS/EX9200-12QS, a 100G, 40G, or 10G interface might keep flapping or stay down due to an interoperation issue between Juniper device and the remote transport device connected.

1338559

After a MPLS LSP link flap and local repair, a new LSP instance is tried to be signaled but it may get stuck

After Resource Reservation Protocol (RSVP) Multiprotocol Label Switching (MPLS) Label Switched Path (LSP) link flaps (link goes down and comes back up), RSVP tries to create a second MPLS LSP instance, if Resv/PathErr message drops for the second MPLS LSP instance, then the second MPLS LSP instance is stuck, and no further optimizations are possible.

1357802

Configuration commit operation after policy change causes rpd crash

The rpd might crash during the policy configuration changes.

1360452

The fxpc process might use high CPU on ACX5000 after upgrade

On ACX5000 platforms with Junos 16.2 onwards, the fxpc process might use high CPU. This issue can be hit after the upgrade in some cases.

1360967

On a ACX ring topo, after link between ACX and MX flap, VPLS RI on PE (MX) have no MAC of CE over l2circuit

Issue: During the core interface flap, the specific label route is switched between SWAP and PHP mode, when there is two paths are available in the ring (core interface which is flapping is giving PHP mode and other one is in SWAP mode). In issue case, the hardware route config is in SWAP mode and the Junos/HAL routes are in PHP mode. It leads to drop the forwarding traffic for the given label. Fix: Whenever the active member of unilist NH is changed, the same is not reflected in the corresponding routes. It leads the route is working with older active NH instead of latest one. To avoid this case, whenever the existing unilist NH's active member is changed, then route update is triggered for the same using topo walk.

1365864

Traffic spikes generated by IPFIX might be seen on QFX10002

From 17.3R1, on QFX10002 platform, in a rare condition, the IPFIX flow statistics (packet/byte counters) are incorrect in the exported record. Since the stats are not collected properly, the flow might timeout and get deleted due to inactive timeout, causing the number of exported records to be sent out unexpected. Traffic spikes generated by IPFIX might be seen.

1368998

Junos OS:set system ports console insecure allows root password recovery on OAM volumes (CVE-2019-0035)

Junos OS: set system ports console insecure allows root password recovery on OAM volumes (CVE-2019-0035); Refer to https://kb.juniper.net/JSA10924 for more information.

1379227

PTX10008: error logs seen when flows are sample through aggregate bundles when jflow sampling enabled

In certain scenario's where flows are sampled through aggregate bundles when jflow sampling is enabled, the following harmless error logs can be seen: [Tue Oct 30 18:17:40.648 LOG: Info] expr_get_local_pfe_child_ifl: cannot find child ifl of agg ifl 74 for this fpc [Tue Oct 30 18:17:40.648 LOG: Info] flowtb_get_cpu_header_fields: Failed to find local child ifl for 74 [Tue Oct 30 18:17:40.648 LOG: Info] fpc0 cannot find stream on [hostname]

1379657

Protocol adjacency might flap and FPC might reboot if jlock hog happens

On all platforms and in scaling scenario, if doing some operation which causes jlock hog, the protocols adjacency might flap and all the FPCs might reboot.

1380798

Daemon dfwd might crash with DFWD_TRASHED_RED_ZONE log messages

In certain scenario with OTN options configuration, memory corruption might occur in dfwd (the firewall daemon) due to large IFL (logical interface) ifstate messages. This can lead to DFWD_TRASHED_RED_ZONE messages reported in dfwd log and occasionally dfwd crashes.

1381937

vSRX3.0 AppQos Functionality

On vSRX3.0, when using the .vmdk image to install, the AppQos feature may have unpredictable behaviour and srxpfe might core.

1385199

ARP and ethernet-table entry in pointing to ae interface which state is down

In EVPN/VXLAN scenario, after changing the mtu of an ae interface which state is down, ARP and ethernet-table entry might point to ae interface.

1386755

The rpd might crash due to a memory leak issue in route resolution code paths

There is memory leak on a couple of error processing code paths when route resolution is involved. For example, if the number of labels in nexthops exceeds the maximum-labels on outgoing interface, the memory leak will occur when BGP routes which require nexthop resolution are received. The rate of memory leak depends on the routes scale and the frequency of routing changes. More routes and routing changes, more memory leak will occur. The rpd will crash and restart once the rpd runs out of memory.

1389569

BFD flaps are seen on PTX or QFX10K platforms with inline BFD

With inline-BFD configured on the PTX or QFX10000 platforms, BFD sessions might flap continuously.

1394922

Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036)

Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036); Refer to https://kb.juniper.net/JSA10925 for more information.

1394927

WITHDRAWN: Junos OS: gRPC hardcoded credentials may allow unauthorized access to systems with Junos Network Agent installed (REJECTED)

NO RISK. CVE REJECTED. 04-11-2019: Further investigation has determined that this issue has no impact. While the credentials exist in affected releases there is no way to exploit this issue, and even if the issue were exploitable, there would be no impact. Refer to https://kb.juniper.net/JSA10923 for more information.

1395098

The best and the second-best routes might have the same weight value if BGP PIC is enabled

In BGP PIC (Prefix Independent Convergence) scenario, next-hop of unequal BGP multipath routes might have the same weight (0x1), resulting in unexpected load balance for traffic.

1396507

PTX10002-60C/QFX10002-60C: FPC might not be detected after the ukern crashes

On PTX10002-60C/QFX10002-60C platforms, if the ukern crashes for any reason, the FPC might not be detected and the dcpfe core files might be seen.

1398362

MPLSoUDP/MPLSoGRE tunnel may not come up on interface route

In MPLS over UDP or MPLS over GRE scenario, if the nexthop type of the MPLSoUDP/MPLSoGRE tunnel is interface route, the tunnel may not come up.

1399141

Junos OS: BGP packets can trigger rpd crash when BGP tracing is enabled. (CVE-2019-0019)

Junos OS: BGP packets can trigger rpd crash when BGP tracing is enabled. (CVE-2019-0019); Refer to https://kb.juniper.net/JSA10931 for more information.

1404857

EVPN database and bridge mac-table are out of sync due to the interface's flap

If some interface flaps up and down faster, EVPN database and bridge mac-table might be out of sync on the PE device. When this issue occurs, it may cause the impacted PE broadcasts packets to all the other PEs. And the broadcasted packets might cause traffic congestion which results in packet loss.

1405033

Scaled MPLS labels might cause slow labels allocation and high CPU utilization

On Junos platforms with scaled MPLS labels used, when the system is already running with high load, inefficient labels allocation might cause even higher CPU utilization at 100% for hours. The issue might affect traffic.

1406030

Fabric performance drop on MPC7/8/9E and SFB2 based MX2000 platform

On MPC7/8/9E and SFB2 based MX2000 Series platforms, code change done by PR 1336446 fixing MPC7/8/9E fabric re-ordering issue with SFB causes fabric performance drop. The throughput might not reach the expected value in high volume traffic scenario.

1407408

The process rpd crash may be observed once a non-forwarding path is used for re-resolution

The process rpd may crash after a non-forwarding route (i.e., a route to an indirect next-hop association is non-forwarding indirect next-hop) which is received from multiple protocols is resolved again by using the non-forwarding path.

1407855

Traffic over the AE IFD might get filtered with the filter on one child IFL on ACX Series

On ACX 1000/2000/4000/5048/5096 platforms, after a new child IFL with VLAN and filter is added on an AE IFD or changing the VLAN ID of a child IFL with filter, traffic over the AE IFD might get filtered with that filter on the child IFL. Example: ae-0/0/0 is an IFD and ae-0/0/0.100 is an IFL.

1408159

Class-of-service configuration changes might lead to traffic drop on cascade port in Junos Fusion setup

In Junos Fusion provider edge setup, if COS (class-of-service) is configured in the cascade port, when doing some COS configurations changes, such as deactivating or activating COS configurations on the cascade port, the traffic on this port would be silently dropped due to PFE mis programming for COS queue of the cascade port.

1408817

Traffic drop occurs when deleting MPLS family or disabling interface which has non-default EXP rewrite-rules

The non-VPN packets might be dropped when deleting family MPLS or disabling interface which has non-default EXP rewrite-rules. This is due to a cos-rewrite mask programming issue in Packet Forwarding Engine (PFE).

1408936

Python script might stop working due to "Too many open files" error

When Python script such as Juniper Extension Toolkit (JET) application or PyEZ op/event/commit script is used, using multiple times of netconf Command-Line Interface (CLI) connection might cause the Python script to stop working. If the Python script is used for managing routes in the device, it might cause traffic black-hole.

1414021

The CPU utilization of the rpd process is stuck at 100% if BGP multipath is configured

In BGP with the indirect next-hop scenario, if uRPF is enabled, and then enable BGP multipath, a background job loop might be formed and the CPU utilization of rpd process might be stuck at 100%.

1415077

Dynamic routing protocol flapping with vmhost RE switchover on NG-RE

In NG-RE dual RE platform, some commands for RE switchover might lead process rpd to go down/up, due to a delay that makes the process chassisd fail to update its status of mastership promptly. As the mastership status the chassisd governs determines which action the process rpd needs to take the next, if RE is rebooted and the chassisd mastership state is RE-Master then, in that case, rpd clears all the kernel states; and if chassisd mastership state for that RE is RE-Backup, then rpd just quits silently and restarts again in backup mode without any kernel states being cleaned. So that rpd cleanup of kernel states causes this issue.

1415297

The dcpfe might crash when any interface flaps

On QFX5110/QFX5200 platforms, the dcpfe might crash if any interface flaps.

1415522

Traffic loss might be seen over LDP-VPLS scenario

In LDP-VPLS setup where user-defined mesh groups are configured in a VPLS instance and the LDP-VPLS must also have at least one directly connected CE interface configured under the instance, and if all directly connected CE interfaces go down, the pseudowire for that instance will be transited to ST state and RS state. It would cause the traffic loss for one CE site to peer CE site. And if the knob 'connectivity-type permanent' is configured, this issue will not be observed as the instance will remain UP state.

1416487

Traffic blackhole might be seen due to a long LSP switchover duration in RSVP-signaled LSP scenario

In RSVP-signaled LSP scenario with LSP bypass path configured, when all interfaces on a transit node along primary LSP are brought down, the LSP might not go down on the ingress node, it will take 3-4 minutes before LSP switchover begins and cause a long traffic blackhole.

1417729

The malfunction of core isolation feature in EVPN-VXlan scenarios causes traffic blackhole

In EVPN-VXLAN (Ethernet VPN-Virtual Extensible LAN) multihomed scenarios with active-active mode, LACP (Link Aggregation Control Protocol) for AE (Aggregate Ethernet) bundle is enabled on leaf and spine devices, when the links between one leaf and all spines are brought down, the BGP peering sessions established over the links also go down, with the core isolation feature enabled by default, LACP should set the server-facing interface on that leaf to standby mode, which blocks all traffic from the server. However this feature does not work well with minimum-links configured on AE bundle.

1419761

High CPU usage on fxpc process might be seen on ACX5K platform

On ACX5K platform, the fxpc process high CPU usage might be seen under rare condition if parity errors are detected in devices. It has no direct service/traffic impact. However since CPU utilization is high during this issue, there are some side-effects. Eg, it could impact time-sensitive features like BFD.

1420294

ARP entry is still pointing to failed VTEP after PE-CE link fails for multihomed remote ESI

In EVPN/VXLAN scenario, if PE-CE link fails for multihomed remote ESI, the ARP entry is still pointing to failed VTEP interface.

Modification History:
First publication date 2019-06-03
Related Links: