EX4500 logs tacacs failure messages without much details

On EX4500 switches running TACACS, you might notice the following log message: mgd[65984]: %DAEMON-5-UI_TACPLUS_ERROR: TACACS+ failure: .

ACX PFE reports acx_nh_mpls_tunnel_uninstall "Operation still running" and acx_nh_tag_hw_install : "Table full" messages

On ACX series routers, in a scaled environment with link protection/FRR, frequent LDP route flaps/NH flaps or route churn due to some activity may lead to the "Operation still running" messages.

The traffic might not be transmitted correctly after a logical interface is deleted from one VLAN and added to another VLAN

On all Junos platforms, if one logical interface is configured in one VLAN and then is deleted and added to another VLAN, traffic might not be transmitted correctly.

The RE-PFE out-of-sync errors might be seen in syslog

When a configuration that brings a PFE down and another configuration that brings the PFE back online, is committed in quick succession, there could be RE-PFE out of sync errors logged in syslog. Most of the time these are benign errors, but sometimes they may result in PFE crashes.

IPv6 neighbor state does not recover from unreachable to Stale state

IPv6 neighbor state does not recover from unreachable to Stale state, until a unicast IPv6 ping is initiated to the device. Once the unicast ping6 is initiated the state of the neighbor is changed to Stale.

MTU configuration for vt interface causes vt interfaces should be removed because the MTU on this interface is already set to unlimited.

MTU (Maximum Transmission Unit) configuration for tunnel interfaces (e.g. vt/lt/mt/pd/pe/ud interface) might cause interface flapping and packet loss on every commit. MTU configuration option for tunnel interfaces will be removed after fixing this PR because the MTU on these interfaces is already set to unlimited and there is no need for configuring MTU on these interfaces.

The mgd process might crash and sessions will be terminated when using netconf to perform configuration load override

Every load override and rollback operation increases the refcount by 1 and after it reaches the max value of it (65,535), the mgd process is terminated. When mgd terminated, the active lock may remain preventing any further commits.

jdhcpd core dump after making DHCP config changes

jdhcpd core dump after making DHCP config changes

The validation replication database sometimes shows much more entries than the validation database after restarting the RPKI cache server

In RPKI (Resource Public Key Infrastructure) scenario, the validation replication database might have much more entries than the validation database after restarting RPKI cache server and the validation session is reestablished.

GRE interface might not come up after deactivate/activating the routing-instances

GRE interface might not come up after deactivating/activating the routing-instances or related changes that might result in route table change.

MPLS LSP statistics are not shown in cli command "show mpls lsp ingress statistics"

when using LSP to forward traffic, the statistics are not displayed in the command "show mpls lsp ingress statistics" output, whereas the interface displays the traffic sent out properly. This behavior can be seen when you have the logical system on the same router used as Provider where the kernel will be in sync with the Self ID allocation between master and logical system to display the stats properly. This got fixed here The cli command "show mpls lsp ingress statistics" lose MPLS LSP statistics in the output.

lt- interface gets deleted with tunnel-services configuration still present.

When tunnel interface is used as anchor-port in pseudo-wire services, while deleting the set interface config causing the tunnel-services interface to get deleted. Deleting pseudo serives alone will not have an effect on tunnel-services interfaces.

Interface flapping is seen on EX4300 switch

On EX4300 Series switches, the interface could be connected to a peer device support active and standby interface (similar to redundant trunk group RTG). The backup interface on the remote peer might become active or flapping when the active link of the interface group goes down.

PFE may crash if encountering frequent MAC move

On EX4300 platform, PFE may crash, after frequent MAC move happens or continuously performing the sequence of MAC learning/deleting, which eventually causes memory exhaustion.

IRB interface does not turn down when master of VC is rebooted or halted

On Virtual Chassis (VC) based on EX4300/EX4600/EX9200/QFX3500/QFX3600/QFX5100, IRB interface which is associated with AE interfaces having member interfaces only from master chassis may not turn down when master chassis is rebooted or halted.

The dcd memory leak might be seen when committing configuration change on static route tag

After committing configuration change on static route tag (see below example), the memory consumed by device control daemon (dcd) might increase. The leak rate is slow (200KB for every commit with one tag change). [edit routing-instances TEST routing-options static route xx.xx.xx.xx/25] - tag 10; + tag 11;

The dcd crash might be seen after deleting the sub interface from VPLS routing-instance and mesh-group

If an IFL is configured under a VPLS routing-instance and also configured in a mesh-group, if it is deleted from the routing-instance and from mesh-group and these changes are done at same time (single commit), then DCD might crash. First, interface from routing-instance is deleted successfully however deleting from mesh-group is leading to the crash.

Switch encapsulate protocol PDUs even if it is not configured for L2PT tunneling

On EX4550/EX4500/EX4200/EX3300/EX2200 in VC scenario during VC split/restart the l2pt may be programmed incorrectly leading to wrong encapsulation of the protocols that should not be encapsulated.

When using ifconfig utility to bring down PS interface IFL , its Admin status is not going down as expected.

When ifconfig utility is used to bring down any PS interface IFL ,its Admin status is not going down. This is unexpected behavior for PS IFLs. At the same time, PS IFDs behave correctly when ifconfig utility is used to bring them down.

All dcd operations might be blocked if profile-db is corrupt

In 'dynamic-profiles' scenario, if the profile-db is corrupt, all dcd operations are blocked. (e.g., not be able to add any interfaces). The device control process (dcd) is used to control the device's interfaces.

Certain otn-options cause interface flapping during commit.

With following configuration present, the interface flaps after a commit where an AE interface is being added. set interfaces otn-options trigger oc-tsf hold-time up <> down <> set interfaces otn-options trigger odu-bei hold-time up <> down <>

FPC might crash after offline/online MIC-3D-16CHE1-T1-CE-H.

On MX and ACX platforms, after offline and then online MIC-3D-16CHE1-T1-CE-H card, the related FPC might crash.

Executing command "request system configuration rescue save" may fail with error messages

The command "request configuration rescue save" is not functioning well and it prints an error log for the nonexisting FPCs. So it cannot restore the configuration in time in the event of a software failure.

The ERPS ring may fail and traffic may lose on EX

On the EX-series switch with ERPS configured scenario, if one of the ERPS (Ethernet Ring Protection Switching) interfaces is deleted by unplugging transceiver, eswd (ethernet switching process) crash and ERPS PDUs won't be sent anymore. This issue may cause the ERPS ring failure and traffic loss.

Kernel replication failure might be seen if an ipv6 route next-hop points to an ether-over-atm-llc ATM interface

If an ipv6 route next-hop points to an ATM interface with encapsulation ether-over-atm-llc, after performing or re-enabling the graceful routing engine switchover, the ksyncd core and vmcore might be seen and the kernel replication might fail, which results in non-synchronization status of routing protocols on both REs.

Family inet of the unnumbered interface might be getting deleted when deleting one of the IPs of the binding interface

When an unnumbered interface is binding to an interface which has more than one IP address and one of the IPs is deleted, the family inet of the unnumbered interface might be getting deleted. The issue results in traffic loss for all the services that rely on the family inet of the unnumbered interface. Configure preferred-source-address on the unnumbered interface will prevent deletion of the IP hence avoiding the deletion of the family inet of the unnumbered interface.

The unexpected AS prepending action for AS path might be seen after the no-attrset knob is configured or deleted with vrf-import/vrf-export configuration

If the independent AS domain (It is enabled with independent-domain knob, and attribute set messages are enabled by default) is configured for the virtual routing and forwarding (VRF) instance, the global autonomous system (AS) number in the master routing instance should be prepended to the AS path when the route prefix is imported into the VRF instance. And with no-attrset configured (which disable the attribute set messages), the global AS number in the master routing instance should not be prepended to the AS path. But the current implementation violate the above behavior when vrf-import/vrf-export policy is used in the VRF routing-instance and the no-attrset knob is configured or deleted.

MAC learning might not happening correctly when using tagged-access port with wireless AP controller.

EX swith (authenticator) ------ AP controller (untagged) ------- Wireless client (tagged) If tagged-access port is used for DOT1X authentication against wireless AP controller, which has wireless clients connected (that do not require DOT1X authentication), there are chances upon DOT1X reauthentication clients' MAC might being used for DOT1X authentication, which will fail the authentication process and block the port as a result. During authentication in single supplicant mode, if an MAC is pending authentication, and if there is a different MAC coming in for authentication, the dot1x was updating the queried vlan of the authentication node. In this case the AP that sending untagged vlan was pending authentication. Before the authentication could complete the client device MAC request for authentication was received, and the queried vlan of the authentication session was updated. After the accept response from RADIUS, DOT1XD response to ESWD, was the wrong vlan, due to which Aruba AP MAC was learnt on a tagged vlan. Using configuration knob no-tagged-mac-authentication might not help if fall-back authentication method is configured (e.g. authentication order [dot1x, mac-radius]). When DOT1X is not successful, the authentication mechanism changes to mac radius, which uses the mac address to authenticate. During initial authentication, the no-tagged-mac-authentication configuration prevents the authentication of a tagged mac address. But when the authentication is not going through and the auth mechanism changes to mac-radius, there is no check to avoid tagged mac authentication if no-tagged-mac-authentication is configured. Due to this, authentication was going through for tagged mac as well.

The IRB interface might flap after committing configuration change on any interface

When configuring an IRB interface with iff (interface address family) MTU higher than ifd (physical interface) MTU and that particular IRB interface is part of a bridge-domain or VLANs, if the above two configurations are committed at the same time, the IRB interface might flap on the subsequent committing which invokes interface configuration daemon (e.g. any interface configuration, bridge-domain or routing-instance configuration, etc.).

The priority tagged packets might not be stripped causing connectivity issues

When the dot1x client connects to the EX using the dot1x authentication, the priority tagged packets (like ARP, ICMP, etc. )might not be stripped causing connectivity issues. It might impact the dot1x client connectivity not to work after authentication.

failed to reload keyadmin database for /var/etc/keyadmin.conf

During commit of the configuration change the following warning message can appear: warning: Command exited: PID 7527, status 255, command keyadmin error: failed to reload keyadmin database for /var/etc/keyadmin.conf

Traffic loss when one of logical interfaces on LAG is deactivated or deleted

If SP style config is used in EX4300, deactivated or deleted one of logical interfaces on LAG would cause traffic failure passing through the same LAG interface. Using EP style config will be a workaround.

Diagnostics tdr might stop working on EX3300 platform

On EX3300 platform, after upgrading to a specified software version, diagnostics tdr might stop working, so the intended function (showing various of status of the monitored interface) can't be performed.

Auditd crashed when Accounting RADIUS server not reachable..

When Junos device tries to send accounting messages to the accounting server and when the accounting radius server is not responding to accounting request messages from the Junos device, Junos will try to resend the accounting request messages after a timeout. If the number of accounting messages is huge, these messages will be stored in a queue and Junos will read the messages one by one from the queue and send the messages out. While trying to allocate memory and store the messages in a queue, memory allocation is failing resulting in a crash. This issue will not occur if the accounting radius server is responding. As part of the fix, if memory allocation fails, half of the messages in the queue are deleted so that memory for those messages will get freed.

The knob "flexible-queuing-mode" is not working on FPCs of VC member 1

In MX-VC scenario, the knob "flexible-queuing-mode" can not function properly, this could cause CoS function impact.

L2 traffic might be impacted if the vlan name given in 'show vlan' contains more than 169 characters

On legacy platforms (EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, EX8208, EX8216, EX-XRE, QFX3008-I, QFX3600-I, QFX3500 and QFX3600), if the vlan name given in 'show vlan' contains more than 169 characters, the eswd might crash and L2 traffic and vmember based traffic might get impacted. Spanning tree service might get impacted as well.