EVPN/VXLAN: MAC entry incorrectly programmed in PFE, leading to some traffic blackhole

An incorrect PE router is attached to an ESI when the router receives two copies of the same AD/ESI route (for example, one through eBGP and another one received from an iBGP neighbor). This causes a partial traffic black hole and stale MAC entries. You can confirm the issue by checking the members of the ESI: user@router> show evpn instance extensive ... Number of ethernet segments: 5 ESI: 00:13:78:00:00:00:00:00:00:01 Status: Resolved Number of remote PEs connected: 3 Remote PE MAC label Aliasing label Mode 87.233.39.102 0 0 all-active 87.233.39.1 200 0 all-active <<<< this PE is not part of the ESI 87.233.39.101 200 0 all-active

RPD core if LSP configured in 'install-nexthop' does not exist

RPD core if LSP configured in 'install-nexthop' does not exist

Junos OS: Login credentials are vulnerable to brute force attacks through the REST API (CVE-2019-0039)

Junos OS: Login credentials are vulnerable to brute force attacks through the REST API (CVE-2019-0039); Refer to https://kb.juniper.net/JSA10928 for more information.

Link flapping or staying down due to interoperation issue between MX/EX9200 and transport device

On MX204, MX10003, or MPC7E/8E/9E, or EX9200-40XS/EX9200-12QS, a 100G, 40G, or 10G interface might keep flapping or stay down due to an interoperation issue between Juniper device and the remote transport device connected.

After a MPLS LSP link flap and local repair, a new LSP instance is tried to be signaled but it may get stuck

After Resource Reservation Protocol (RSVP) Multiprotocol Label Switching (MPLS) Label Switched Path (LSP) link flaps (link goes down and comes back up), RSVP tries to create a second MPLS LSP instance, if Resv/PathErr message drops for the second MPLS LSP instance, then the second MPLS LSP instance is stuck, and no further optimizations are possible.

Configuration commit operation after policy change causes rpd crash

The rpd might crash during the policy configuration changes.

The fxpc process might use high CPU on ACX5000 after upgrade

On ACX5000 platforms with Junos 16.2 onwards, the fxpc process might use high CPU. This issue can be hit after the upgrade in some cases.

On a ACX ring topo, after link between ACX and MX flap, VPLS RI on PE (MX) have no MAC of CE over l2circuit

Issue: During the core interface flap, the specific label route is switched between SWAP and PHP mode, when there is two paths are available in the ring (core interface which is flapping is giving PHP mode and other one is in SWAP mode). In issue case, the hardware route config is in SWAP mode and the Junos/HAL routes are in PHP mode. It leads to drop the forwarding traffic for the given label. Fix: Whenever the active member of unilist NH is changed, the same is not reflected in the corresponding routes. It leads the route is working with older active NH instead of latest one. To avoid this case, whenever the existing unilist NH's active member is changed, then route update is triggered for the same using topo walk.

Traffic spikes generated by IPFIX might be seen on QFX10002

From 17.3R1, on QFX10002 platform, in a rare condition, the IPFIX flow statistics (packet/byte counters) are incorrect in the exported record. Since the stats are not collected properly, the flow might timeout and get deleted due to inactive timeout, causing the number of exported records to be sent out unexpected. Traffic spikes generated by IPFIX might be seen.

Junos OS:set system ports console insecure allows root password recovery on OAM volumes (CVE-2019-0035)

Junos OS: set system ports console insecure allows root password recovery on OAM volumes (CVE-2019-0035); Refer to https://kb.juniper.net/JSA10924 for more information.

PTX10008: error logs seen when flows are sample through aggregate bundles when jflow sampling enabled

In certain scenario's where flows are sampled through aggregate bundles when jflow sampling is enabled, the following harmless error logs can be seen: [Tue Oct 30 18:17:40.648 LOG: Info] expr_get_local_pfe_child_ifl: cannot find child ifl of agg ifl 74 for this fpc [Tue Oct 30 18:17:40.648 LOG: Info] flowtb_get_cpu_header_fields: Failed to find local child ifl for 74 [Tue Oct 30 18:17:40.648 LOG: Info] fpc0 cannot find stream on [hostname]

Protocol adjacency might flap and FPC might reboot if jlock hog happens

On all platforms and in scaling scenario, if doing some operation which causes jlock hog, the protocols adjacency might flap and all the FPCs might reboot.

Daemon dfwd might crash with DFWD_TRASHED_RED_ZONE log messages

In certain scenario with OTN options configuration, memory corruption might occur in dfwd (the firewall daemon) due to large IFL (logical interface) ifstate messages. This can lead to DFWD_TRASHED_RED_ZONE messages reported in dfwd log and occasionally dfwd crashes.

vSRX3.0 AppQos Functionality

On vSRX3.0, when using the .vmdk image to install, the AppQos feature may have unpredictable behaviour and srxpfe might core.

ARP and ethernet-table entry in pointing to ae interface which state is down

In EVPN/VXLAN scenario, after changing the mtu of an ae interface which state is down, ARP and ethernet-table entry might point to ae interface.

The rpd might crash due to a memory leak issue in route resolution code paths

There is memory leak on a couple of error processing code paths when route resolution is involved. For example, if the number of labels in nexthops exceeds the maximum-labels on outgoing interface, the memory leak will occur when BGP routes which require nexthop resolution are received. The rate of memory leak depends on the routes scale and the frequency of routing changes. More routes and routing changes, more memory leak will occur. The rpd will crash and restart once the rpd runs out of memory.

BFD flaps are seen on PTX or QFX10K platforms with inline BFD

With inline-BFD configured on the PTX or QFX10000 platforms, BFD sessions might flap continuously.

Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036)

Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036); Refer to https://kb.juniper.net/JSA10925 for more information.

WITHDRAWN: Junos OS: gRPC hardcoded credentials may allow unauthorized access to systems with Junos Network Agent installed (REJECTED)

NO RISK. CVE REJECTED. 04-11-2019: Further investigation has determined that this issue has no impact. While the credentials exist in affected releases there is no way to exploit this issue, and even if the issue were exploitable, there would be no impact. Refer to https://kb.juniper.net/JSA10923 for more information.

The best and the second-best routes might have the same weight value if BGP PIC is enabled

In BGP PIC (Prefix Independent Convergence) scenario, next-hop of unequal BGP multipath routes might have the same weight (0x1), resulting in unexpected load balance for traffic.

PTX10002-60C/QFX10002-60C: FPC might not be detected after the ukern crashes

On PTX10002-60C/QFX10002-60C platforms, if the ukern crashes for any reason, the FPC might not be detected and the dcpfe core files might be seen.

MPLSoUDP/MPLSoGRE tunnel may not come up on interface route

In MPLS over UDP or MPLS over GRE scenario, if the nexthop type of the MPLSoUDP/MPLSoGRE tunnel is interface route, the tunnel may not come up.

Junos OS: BGP packets can trigger rpd crash when BGP tracing is enabled. (CVE-2019-0019)

Junos OS: BGP packets can trigger rpd crash when BGP tracing is enabled. (CVE-2019-0019); Refer to https://kb.juniper.net/JSA10931 for more information.

EVPN database and bridge mac-table are out of sync due to the interface's flap

If some interface flaps up and down faster, EVPN database and bridge mac-table might be out of sync on the PE device. When this issue occurs, it may cause the impacted PE broadcasts packets to all the other PEs. And the broadcasted packets might cause traffic congestion which results in packet loss.

Scaled MPLS labels might cause slow labels allocation and high CPU utilization

On Junos platforms with scaled MPLS labels used, when the system is already running with high load, inefficient labels allocation might cause even higher CPU utilization at 100% for hours. The issue might affect traffic.

Fabric performance drop on MPC7/8/9E and SFB2 based MX2000 platform

On MPC7/8/9E and SFB2 based MX2000 Series platforms, code change done by PR 1336446 fixing MPC7/8/9E fabric re-ordering issue with SFB causes fabric performance drop. The throughput might not reach the expected value in high volume traffic scenario.

The process rpd crash may be observed once a non-forwarding path is used for re-resolution

The process rpd may crash after a non-forwarding route (i.e., a route to an indirect next-hop association is non-forwarding indirect next-hop) which is received from multiple protocols is resolved again by using the non-forwarding path.

Traffic over the AE IFD might get filtered with the filter on one child IFL on ACX Series

On ACX 1000/2000/4000/5048/5096 platforms, after a new child IFL with VLAN and filter is added on an AE IFD or changing the VLAN ID of a child IFL with filter, traffic over the AE IFD might get filtered with that filter on the child IFL. Example: ae-0/0/0 is an IFD and ae-0/0/0.100 is an IFL.

Class-of-service configuration changes might lead to traffic drop on cascade port in Junos Fusion setup

In Junos Fusion provider edge setup, if COS (class-of-service) is configured in the cascade port, when doing some COS configurations changes, such as deactivating or activating COS configurations on the cascade port, the traffic on this port would be silently dropped due to PFE mis programming for COS queue of the cascade port.

Traffic drop occurs when deleting MPLS family or disabling interface which has non-default EXP rewrite-rules

The non-VPN packets might be dropped when deleting family MPLS or disabling interface which has non-default EXP rewrite-rules. This is due to a cos-rewrite mask programming issue in Packet Forwarding Engine (PFE).

Python script might stop working due to "Too many open files" error

When Python script such as Juniper Extension Toolkit (JET) application or PyEZ op/event/commit script is used, using multiple times of netconf Command-Line Interface (CLI) connection might cause the Python script to stop working. If the Python script is used for managing routes in the device, it might cause traffic black-hole.

The CPU utilization of the rpd process is stuck at 100% if BGP multipath is configured

In BGP with the indirect next-hop scenario, if uRPF is enabled, and then enable BGP multipath, a background job loop might be formed and the CPU utilization of rpd process might be stuck at 100%.

Dynamic routing protocol flapping with vmhost RE switchover on NG-RE

In NG-RE dual RE platform, some commands for RE switchover might lead process rpd to go down/up, due to a delay that makes the process chassisd fail to update its status of mastership promptly. As the mastership status the chassisd governs determines which action the process rpd needs to take the next, if RE is rebooted and the chassisd mastership state is RE-Master then, in that case, rpd clears all the kernel states; and if chassisd mastership state for that RE is RE-Backup, then rpd just quits silently and restarts again in backup mode without any kernel states being cleaned. So that rpd cleanup of kernel states causes this issue.

The dcpfe might crash when any interface flaps

On QFX5110/QFX5200 platforms, the dcpfe might crash if any interface flaps.

Traffic loss might be seen over LDP-VPLS scenario

In LDP-VPLS setup where user-defined mesh groups are configured in a VPLS instance and the LDP-VPLS must also have at least one directly connected CE interface configured under the instance, and if all directly connected CE interfaces go down, the pseudowire for that instance will be transited to ST state and RS state. It would cause the traffic loss for one CE site to peer CE site. And if the knob 'connectivity-type permanent' is configured, this issue will not be observed as the instance will remain UP state.

Traffic blackhole might be seen due to a long LSP switchover duration in RSVP-signaled LSP scenario

In RSVP-signaled LSP scenario with LSP bypass path configured, when all interfaces on a transit node along primary LSP are brought down, the LSP might not go down on the ingress node, it will take 3-4 minutes before LSP switchover begins and cause a long traffic blackhole.

The malfunction of core isolation feature in EVPN-VXlan scenarios causes traffic blackhole

In EVPN-VXLAN (Ethernet VPN-Virtual Extensible LAN) multihomed scenarios with active-active mode, LACP (Link Aggregation Control Protocol) for AE (Aggregate Ethernet) bundle is enabled on leaf and spine devices, when the links between one leaf and all spines are brought down, the BGP peering sessions established over the links also go down, with the core isolation feature enabled by default, LACP should set the server-facing interface on that leaf to standby mode, which blocks all traffic from the server. However this feature does not work well with minimum-links configured on AE bundle.

High CPU usage on fxpc process might be seen on ACX5K platform

On ACX5K platform, the fxpc process high CPU usage might be seen under rare condition if parity errors are detected in devices. It has no direct service/traffic impact. However since CPU utilization is high during this issue, there are some side-effects. Eg, it could impact time-sensitive features like BFD.

ARP entry is still pointing to failed VTEP after PE-CE link fails for multihomed remote ESI

In EVPN/VXLAN scenario, if PE-CE link fails for multihomed remote ESI, the ARP entry is still pointing to failed VTEP interface.