CLI "show chassis errors active detail" not supported for QFK5K platforms.

The "show chassis errors active detail" command does not support QFK5000 platform. It will be hidden and taken care in other opened scopes.

With large number of IPSec tunnels established, few tunnels may fail during rekey negotiation if SRX initiates the rekey.

On SRX5400, SRX5600, SRX5800 devices with SPC3, with large number of IPSec tunnels established, few tunnels may fail during rekey negotiation if SRX initiates the rekey.

Link Fault Signaling (LFS) not working on ACX5448 10/40/100GbE interfaces

Link Fault Signaling (LFS) feature is not supported on ACX5448 10/40/100GbE interfaces.

Parity error might cause FPC alarm

The parity errors related to static memory areas in the XQ chip can be corrected by writing back the scheduling node configuration again. This part was missing and as a result we used to generate alarm for every such occurrence.

Error logs might be observed after performing ISSU

On MX platform with MPC2E-NG-2Q/MPC3E-NG-3Q, after performing ISSU, the error logs might be observed and the interfaces queue statistics on the affected MPC might stop incrementing.

The iked process might crash when IKE and IPsec SA rekey happens simultaneously

On SRX5000 Series devices with SPC3 (The third generation SPC card) installed, the iked process might crash when IKE and IPsec Security Association (SA) rekey happens simultaneously.

IPsec packet throughput might be impacted if NAT-T is configured and the fragmentation operation of post-fragment happens

On all SRX platforms, if VPN IPsec is configured with NAT-T (Network Address Translation-Traversal), post-fragment of ESP packet may occur. This might impact performance due to the fragmentation operation. Post-fragment of ESP packet can be avoided by adjusting the MTU of the st0 interface.

PTX10K/LC1101: when an interface is configured with jumbo frames support (e.g. MTU = 9216), the effective MTU size for locally sourced traffic is 24 bytes less than the expected value

PTX10K/LC1101: when an interface is configured with jumbo frames support (e.g. MTU = 9216), the effective MTU size for locally sourced egress traffic is 24 bytes less than the expected value. This issue is confined to locally originated traffic only and does not affect transit traffic.

The PICs might go offline and split-brain might be seen when interrupt storm happens on internal ethernet interface em0/em1

On SRX5400, SRX5600, SRX5800 platforms with chassis cluster scenario, the PICs might go offline and split-brain (both the active and passive firewalls claim master at the same time) might be seen when interrupt storm happens on internal ethernet interface em0/em1. The issue might result in complete service outage.

DHCP-relay may not work in an EVPN-VxLAN scenario

On QFX10000 platform with an EVPN-VxLAN setup, DHCP-relay may not work if the DHCP server is reached via the routes learnt through EVPN type-5 routes.

The LACP interface might flap if performing a failover

On SRX4600 platform with LACP configured, in a rare condition, if RG0 failover the interface flap might happen. This issue might cause traffic interrupted.

REST API does not work on lower-end SRX platforms

REST API does not work on lower-end SRX platforms

With CNH for 6PE, MPLS EXP rewrite rule for non-VPN IPv4 over MPLS traffic might not work

On platforms that use Trio PFE (MX/EX9200/T4000), when Chained Composite Next-Hop for 6PE is configured, Class of Service MPLS EXP rewrite rule for non-VPN IPv4 over MPLS traffic ('protocol mpls-inet-both-non-vpn') may not work when a BGP 6PE route using the same MPLS LSP (same BGP next-hop) exists. This happens after the MPLS LSP next-hop is re-programmed, e.g. due to the network convergence.

SW:Rio-X NPI:Platforms: ACX5448-D Interfaces support:after chassis control restart load balancing on the child interfaces of ae interface stops

L4 Hashing will work for both IPv4 & IPv6 packets, if any one of the two CLIs is enabled. To disable L4 hashing for any one of IPV4 or IPV6, both CLIs needs to be in disabled state. CLIs for reference, set forwarding-options hash-key family inet layer-4 set forwarding-options hash-key family inet6 layer-4

Incorrect MAC count with "show evpn/bridge statistics"

After a mac move from local interface to a remote mac, "show bridge/evpn statistics" command reports the wrong number of MACs learned on an interface. "show bridge/evpn mac-table count" provides the accurate number of MACs learnt

"show isis adjacency extensive" output is missing state transition details

CLI command 'show isis adjacency extensive' output in text format is missing some details from the adjacency transition log. The output in XML format is still correct.

Flood of messages "vhostd_mq_send_to_junos: Connected to JUNOS server after 1 attempts" in vmhost logs

Excessive "vhostd_mq_send_to_junos" message may be printed continuously in the vmhost syslog file on MX routers with RE-S-X6-64G. These messages are non-impact to the system. However, they may contribute to excessive disk activities.

NATT-PMI: P1/P2 SAs are deleted after RG0 failover.

Additional IKE trace messages are added to provide more information to help troubleshooting P1/P2 SAs processing.

Ping fails over Type-5 tunnel on IRB interfaces under EVPN-VXLAN scenario

On EVPN-VXLAN scenario with Type-5 route used, if ping Type-5 destinations over IRB interfaces, it might fail and packets are all dropped.

Intermittent packets drop might be observed if IPsec is configured

On all SRX platforms with Junos 18.2R1 onwards, if IPsec VPN is configured, intermittent packets drop might be seen.

ACX5448 might malfunction in encapsulating small packets if egress link is 40G/100G

On ACX5448 box, if egress link is 40G/100G, small packets (payload less than 60 bytes long) encapsulating might malfunction and causing remote interface drops the packets as runts (packets that are too small).

traffic drop when session key roll-over between primary & fallback for more than 10 times

When disable-preceding-key is configured and session key rollover between primary & fallback for more than 10 times customer might see traffic drop with following error "out of KI-nextPN entries" but macsec session recovers correctly with expected primary/fallback key session. Working on a fix.

With SR enabled 6PE next-hop is not installed

With "no-ipv6-routing" enabled under isis, inet6.3 table was not getting created, which affected 6PE and 6VPE scenarios.

The second IPSec ESP tunnel might not be able to establish between two IPv6 IKE peers

On SRX5400/5600/5800 platforms acting as a middle device between Internet Key Exchange (IKE) peers, it is not able to establish more than one Encapsulating Security Payload (ESP) session between two IPv6 IKE peer if the IKE ALG is enabled on the middle SRX device.

SPC3 / SRX fragments egress VPN traffic earlier than required by ingress packet sizes

VPN overhead calculation is going wrong on SPC3 due to using wrong spu-id API. Fixed this issue by calling common API for spc2 and spc3 to get SPU-id without core-id.

The interface using LACP flaps when RE is busy

On SRX4100, SRX4200 and SRX4600 platforms, if LACP is configured on the reth interfaces and chassis cluster is used, the interface using LACP flaps when RE is busy. This issue causes traffic gets dropped for around one second.

i40e NVM upgrade support for EX9200 platform

Added support for i40e NVM upgrade in EX9208 in JUNOS Software releases

Packet reorder does not work when sending traffic over IPsec tunnel

If IPSec is configured on vSRX,SRX4K,SRX5K platforms, SRX device will do post-fragment when traffic pass through IPSec tunnel. Then VPN packets might be sent out-of-order to peer device, which causes packets get dropped.

The nsd process might crash when SNMP query deterministic NAT pool information

On all SRX Series devices with deterministic NAT configured, when getting deterministic NAT pool information by SNMP request (such as executing the command "show snmp mib walk jnxJsNatMIB"), the nsd process might crash.

BGP route next-hop can be incorrect in some scenarios with PIC edge configuration

BGP route next-hop can be incorrect in some scenarios with PIC edge configuration

Frequent issuance of command "show class-of-service spu statistics" cause rtlogd busy.

frequent issuance of command "show class-of-service spu statistics" can cause rtlogd busy, which can temporarily impact snmp retrieval.

18.2X41.13-SPC3-CCL:Decryption traffic doesnt take PMI path after ipsec rekey (initiated by peer) when loopback interface is configured as external interface.

After an IPSec flow going through a rekey event, the IPSec flow were decapsulated via the normal path instead of going through the PMI path.

RIO:ACX5448:DHCP Packets not Transparent over L2CIRCUIT

Transit DHCP packets are not punted to CPU and are transparently passthrough.

Performance improvements were made to Screens which benefit multi-socket systems

Performance improvements were made to Screens which benefit multi-socket systems like the SRX 4200, SRX 4600, and SPC3's.

Support inspection for pass-throughs IPIP tunnel traffic on TAP mode

SRX platform. Capabilities are added to support inspection for pass-throughs IPIP tunnel traffic on TAB mode

18.2x41 SPC3 & SPC2 mixed mode : SPC2 wrongly forwarded packet to SPC3 core0 and core14, see core0 and core14 back pressure detected.

In Mix-mode, when packets are forwarded from SPC2 to SPC3, in some condition, packet might wrongly forwarded to SPC3 core0 and core14, then causing the packet drop.

When using "no-arp-suppression", an ARP request may not be sent out when an ARP entry aged out

This issue applies to a router/switch running EVPN VXLAN with "no-arp-suppression" configuration. When an ARP entry aged out, the node does not send out an ARP request.

The interface's operational status in HW and SW might be out of sync in EVPN setup with arp-proxy feature enabled

In EVPN setup with arp-proxy feature enabled by default, the interface's operational status in HW (Hardware) and SW (Software) might be out of sync after it flaps, hence the packets are received from HW even when interface status in SW is down.

ACX5448: Pkt buffer error from PFE leading to memory leak when IGMP is sent from NNI AC in L2circuit & VPLS

In an ACX5448 platforms, when the PFE failed to allocate packet buffer, portion of packet memories may not be freed.

RTSP resource session is not found during NAT64 static mapping

On all SRX platforms, when using NAT64 translation, RTSP uses a wrong string to re-write the message payload, which may result in the message being dropped in a remote device.

The cfmd process might crash after a restart on Junos 17.1R1 and above

On MX platforms running Junos 17.1R1 and above, when enhanced-ip mode and CFM centralized mode ("no-aggregate-delegate-processing" konb is configured for CFM) are used , after a cfmd restart (e.g. device cold start/restart, RE switchover), the cfmd process might crash and could not run anymore.

Non-Designated port is not moving to backup Port role

Once VSTP has converged, if there is a VSTP config change and then BPDU might not be flooded due to which port role might be incorrect state in the adjacent switches. There is no loop created in the network.

The IPsec VPN traffic drop might be seen on SRX platforms with NATT scenario

On SRX platforms, when NATT (NAT-Traversal) is used for an IPsec VPN tunnel, the traffic through the tunnel may stop forwarding after a rekey. Below is the rekey explanation. In IPsec VPN, the keys are directional, one for incoming traffic and the other for outgoing traffic and a pair of keys are installed to data-plane. There is a transition time for both the peer devices to switch to new keys. So sometime both new and old keys exist together. Each device is set their own timer (implementation specific) to switch to the new keys (mainly for outgoing traffic, incoming traffic can come on any of the keys). Old keys need to be there until they get deleted by whoever initiates rekey. Devices switch to new keys when activation timer expires or the peer device start sending traffic with new keys. If devices switch to new keys with a timer then outgoing traffic starts using new keys but the peer device could keep sending with old keys until it switches to new keys.

SRX300, interface LED does not work in 19.2R1

On SRX300, interface LED does not work in 19.2R1 although the interface works absolutely fine. This is a cosmetic issue. This issue is fixed in 19.2R2 onwards.

LACP cannot work with "encapsulation flexible-ethernet-services" configuration

On SRX550M devices, when encapsulation flexible-ethernet-services is configured together with LACP protocol on AE interfaces, the interface does not come up.

The flowd process crashes when SRX5800 devices works at SPC3 mix mode with 1 SPC3 card/7 SPC2 cards

When NAT is used on SRX5800 (SRX5800 device works at SPC3 mix mode with 1 SPC3 card/7 SPC2 cards), it might cause the flowd process crash and traffic impact.

SPC3 Talus FPGA stuck on 0x3D/0x69 golden version

In SRX5000 series with SPC3, at the first bootup after a Junos upgrade, if the SPC3 FPGA upgrade gets interrupted for example by another reboot, the FPGA upgrade may persistently fail and fallback to an older FPGA image (0x3D/0x69), which may cause the SPC3 card to come online, but not process traffic. The system alarm 'Talus version mismatch' will be raised in this case.

The flowd/srxpfe process might crash when SSL proxy service is used

On all SRX Series devices with SSL proxy service used, a memory leak issue might occur, which results in the flowd/srxpfe process crash.