Repeated log message %PFE-3 fpcX expr_nh_index_tree_ifl_get and expr_nh_index_tree_ipaddr_get are observed when sampling packet is discarded with log(or syslog) knob under firewall filter.

Repeated log message %PFE-3 fpcX expr_nh_index_tree_ifl_get and expr_nh_index_tree_ipaddr_get are observed when sampling packets are discarded with log(or syslog) statements under the firewall filter.

18.1:RIO NPI: The ip-precedent code points are getting rewritten to zero when egressing out of an interface which does not have any rewrite rule configured

Upon classifying the L3 packets, DSCP will not be preserved or lost at the egress due to the limittations of broadcom chipset.

When powering off an individual FPC the other FPC PFE might go offline too

On all QFX10k-Seris platforms, when powering off an individual FPC through issuing "set chassis fpc X power off" in Junos CLI, the other FPC PFE might go offline.

Transit OSPF traffic over Q-in-Q tunneling might be dropped if a firewall filter applied to Lo0 interface

On EX2300 as CE/PE device, transit OSPF traffic over Q-in-Q tunneling might be dropped if a firewall filter applied to Lo0 interface.

Some storm control error logs might be seen on QFX-series platforms

On QFX Series platforms, in a corner scenario with a Virtual Chassis setup, if storm control configuration is enabled on interfaces and multicast traffic ingresses on the interfaces, some storm control error logs might be observed on these interfaces. It is only seen in one customer setup and not reproducible in a local setup. Also, it is just a logging issue and has no traffic impact.

l2ald process may crash and generate a core on EX2300 VC when converted a trunk port to dot1x access port with tagged traffic flowing

l2ald process may crash and generate a core on EX-VC when converted a trunk port to dot1x access port while tagged traffic is flowing. There may be a race-condition, where interface mode is being changed while traffic is running and l2ald has processed interface delete but dot1x has not.

The IRB transit traffic might not be counted for EVPN/VXLAN traffic

On QFX10002\QFX10008\QFX10016 Series platforms with EVPN/VXLAN deployment scenario, the transit statistics of Integrated Routing and Bridging (IRB) interface might fail to be counted for the EVPN/VXLAN traffic, but it works for the regular IRB interface.

JUNOS FUSION: "show chassis hardware satellite" command is not available on 17.3 JUNOS versions

JUNOS FUSION: "show chassis hardware satellite" command is not available on JUNOS versions 17.3

The RIOT may crash and cause traffic loss in case of oversubscription with X710 card on the VMX platform

In vMX over COT servers scenario, packets are handed by RIOT which uses i40evf (Intel 10/40GbE Virtual Function) PMD (Poll mode driver) for 10G/40G interfaces. In case of oversubscription, the VF driver may hit an error in packet reception. To increase packet stats, VF driver tries to refer some structure which is not populated, then the RIOT crashes and causes the traffic loss. This is a bug in i40evf driver.

The MTU might change to a Jumbo default size on PFE side after deleting and re-adding the interface

On EX and QFX platforms, if there is no manually MTU configuration, the MTU changes to be the Jumbo MTU after deleting and re-adding the interface.

Throughput/Latency performance of TCP traffic are dropped when TCP traffic is passing through from one logical system to another logical system

On vSRX, SRX1500, SRX4100,SRX4200 and SRX4600 platforms, when TCP Traffic is passing through from one logical system to another logical system, throughput performance of TCP traffic is dropped about two thirds and latency performance of TCP traffic is increased about 6-8 ms.

Change the default parameters for resource-monitor rtt-parameters

Default parameters for reource-monitor rtt-parameters have been changed from 3 X 5 = 15 seconds to 1 x 3 = 3 seconds.

FPC crash and slow convergence upon HMC Fatal error condition when inline-jflow is used

On MX platforms using MPC7E, MPC8E, MPC9E, MX10k-LC2101 or MX10003, when inline-jflow application is used, Fatal error on Hybrid Memory Cube (HMC) will perform "disable-pfe" action. Since Jflow records are hosted on the HMC memory partition, reading and writing to the HMC memory might trigger FPC crash and high FPC CPU utilization, causing slow convergence (adding/deleting routes or nexthops) for other PFEs on the same FPC carrier.

Unrelated AE interfaces might go down if committing configuration changes

On all Junos platforms, if VRRP is running upon AE interfaces while committing any configuration changes related to AE interfaces, unrelated AE interfaces might go down.

FPC CPU may not be displayed correctly

Ticks reported by /proc/stat are total accumulated numbers which only provides average since card booted.

The IPv6 neighbor might become unreachable after the primary link goes down in VPLS multihoming scenario

In VPLS (Virtual Private LAN Service) multihoming with LSI (Label-switched Interface) interfaces used scenario, if the IPv6 neighbor is established via the VPLS, the IPv6 neighbor might become unreachable after the primary link of the VPLS multihoming goes down. The issue results in traffic loss for the IPv6 neighbor.

EVPN enhancement for MAC flush mechanism in JUNOS

On JUNOS MX Platforms serving as EVPN gateways, some assycnhronous entries causing undesired events, due to relink logic failure for MACs flushing mechanism, when there are multiple ifbd/bd delete or vrrp flaps/loops.

RSI bloat due to vmhost based log collection

Started from JUNOS 17.3, "request support information" on next-generation routing-engine is dumping vmhost side logs, which will cause RSI bloat. It might lead to the RE switchover on MX10008 as well.

IPsec packet throughput might be impacted if NAT-T is configured and the fragmentation operation of post-fragment happens

On all SRX platforms, if VPN IPsec is configured with NAT-T (Network Address Translation-Traversal), post-fragment of ESP packet may occur. This might impact performance due to the fragmentation operation. Post-fragment of ESP packet can be avoided by adjusting the MTU of the st0 interface.

Mac overlapping between different switches

If the 2 consecutively produced switches placed in the same L2 network, then their MAC might have overlapped before this fix.

QFX5210: Received LLDP frames on em0 not displaying in LLDP neighbor output

LLDP frames received on a QFX5210 management em0 port may not show in show lldp operational queries. Other non-em0 interfaces will display statistics

VC split after network topology changed

In Virtual Chassis (VC) scenario, when the interfaces flaps or VLAN configuration is changed frequently, the network topology will be changed accordingly, then CPU utilization will be dramatically increased to very high within a short time, which might cause the failure of essential communications between VC master and members. When the failure happens, FPC will automatically restart. As a result, VC is split and traffic is lost.

JDI-RCT:M/Mx: continuous rpd core @ l2ckt_alloc_label , l2ckt_standby_assign_label , l2ckt_intf_change_process in new backup during GRES in MX2010 box

Observe rpd core on backup router during label allocation after performing gres operation

IPv6 traffic might be dropped when static /64 Ipv6 routes are configured

On EX4300, when static /64 IPv6 route is configured and points to the interface where uRPF is configured, IPv6 packets which match the routes might be dropped.

PTX10K/LC1101: when an interface is configured with jumbo frames support (e.g. MTU = 9216), the effective MTU size for locally sourced traffic is 24 bytes less than the expected value

PTX10K/LC1101: when an interface is configured with jumbo frames support (e.g. MTU = 9216), the effective MTU size for locally sourced egress traffic is 24 bytes less than the expected value. This issue is confined to locally originated traffic only and does not affect transit traffic.

Fabric drops might be seen on MX10003 platform when two FPCs come online together

On MX10003 platform, when two FPCs come online together, the fabric links between FPCs might not be initialized, all traffic go through the fabric between FPC0 and FPC1 might be dropped.

The delay in transmission of BPDUs after GRES might result in loss of traffic on EX2300/3400 VC

On EX2300/3400 virtual-chassis platforms in GRES/NSB scenario, if the RSTP/MSTP is enabled, after the shutdown of the master RE (by 'request system halt' or power shutdown), the GRES is triggered but the delay in transmission of BPDUs might occur for several seconds. Apart from this, if the 'bpdu-timeout-action block' knob is enabled on the RSTP/MSTP peer, the STP re-convergence might occur instead of RSTP/MSTP re-convergence, which results in traffic loss for about 30 seconds.

The PICs might go offline and split-brain might be seen when interrupt storm happens on internal ethernet interface em0/em1

On SRX5400, SRX5600, SRX5800 platforms with chassis cluster scenario, the PICs might go offline and split-brain (both the active and passive firewalls claim master at the same time) might be seen when interrupt storm happens on internal ethernet interface em0/em1. The issue might result in complete service outage.

[QFX10008] After RE switchover, led status is not set for missing fan tray.

Fan led not set when lcmd detects a missing fan at startup.

The LACP interface might flap if performing a failover

On SRX4600 platform with LACP configured, in a rare condition, if RG0 failover the interface flap might happen. This issue might cause traffic interrupted.

The AE interface does not come up after rebooting the FPC/device though the physical member link is up

When a single FPC carries minimum 10 member links which belong to the same or different AE (Aggregate Ethernet) bundle, if one of the static AE bundle (LACP is not enabled) has disabled member link, this static AE interface does not come up after rebooting the FPC/device though it has physical member link with UP state.

Unicast arp requests are not replied with "no-arp-trap" option

On EX4300 Series platforms, the unicast arp request received might not be replied if "no-arp-trap" option is configured. This can cause ARP resolutions to fail on remote peer devices.

localhost core on vsrx-s, 15.1x49-D160

On vSRX platform, when the secure-wire feature is used, a flowd coredump may occur when one of the secure-wire interfaces goes down.

EX4300 without soft error recovery(parity check, correction and memscan) enable

EX4300 has enabled the soft error recovery feature on the PFE, which can automatically detect the PFE parity error and recover by itself.

REST API does not work on lower-end SRX platforms

REST API does not work on lower-end SRX platforms

Memory issue due to SSL-Proxy Whitelist /Whitelist-URL-Category

The SSL proxy config object was not being released when a session is using a particular config object and an update is received for the same config object. The old config object has to be released when the session closes which was not happening.

Error might be observed when using a script to load-configuration

Multiple delete of a non existing config statements produces errors via rpc load-configuration.

BGP session may go into down status once the traffic flow starts

In EVPN/VxLAN scenario with QFX5K platform, the entire BGP sessions might go into down status if restarting overlay/underlay BGP session while traffic flow starts.

The optical power of interface may gradually reduce the optical power for almost 3 mins after issuing "request system reboot at now" on QFX5110/5120

On QFX5110/5120, optical interface like 1G/10G SFP/SFP+ may take almost 3 mins to reduce the tx power to "0" on the other end of the interface, after issuing "request system reboot at now" command.

"show isis adjacency extensive" output is missing state transition details

CLI command 'show isis adjacency extensive' output in text format is missing some details from the adjacency transition log. The output in XML format is still correct.

Traffic might be sent on the standby link of AE bundle and get lost with LACP fast-failover enabled

On all Junos platforms, if Link Aggregation Control Protocol (LACP) fast-failover is enabled, The same weight might be installed for both active and standby links of the Aggregated Ethernet (AE) bundle. Due to this issue, the traffic will be sent on both active and standby links and leads to traffic loss on the standby link.

Outer VLAN tag may not be pushed in the egress VXLAN traffic towards the host for QinQ scenario

In EVPN-VXLAN with QinQ scenario, if the "encapsulate-inner-vlan" knob is configured on some VXLANs but not configured on some other VXLANs, and after an interface flap OR a configuration change, the switch may stop pushing the outer VLAN tag towards host for QinQ scenario.

scaled filter leads to packets drop as flt.Dispatcher.flt_err on PTX

Due to a bug in software, it may fail to clean up old entries during filter change operation. The filter manager is associating filters to transit packets where the ASIC unable to locate the program as it has been deleted earlier. Hence all transit packets are hitting flt.Dispatcher.flt_err and got dropped on PFE.

IPv6 neighbor solicitation packets getting dropped on PTX

In IPv6 scenario on PTX platforms (including PTX3K/5K with FPC3, PTX1K, PTX10K), when a parity error which is due to hardware error occurs on FPC, the neighbor solicitation (NS) packets might get dropped. It will cause IPv6 neighbor discovery failure, and no relevant alarms or logs are reported during the issue.

Packet drop might be seen if native VLAN is configured along with flexible VLAN tagging

When native VLAN is configured along with flexible VLAN tagging on a Layer 3 subinterface, untagged packets might be dropped on that Layer 3 subinterface.

Overflow filters on PVLAN IRB may not work after ISSU

On QFX5K platform, if an ISSU is done to the image containing this fix, in case of more than 15 L3 filters are configured, the filter applied to PVLAN (Primary VLAN) IRB interfaces might not work unless the filter is deleted and re-added.

The l2circuit traffic might be black-holed at EVPN SPINE/MPLS LSP TRANSIT device if VXLAN access interface flaps on remote PE node(QFX5110)

When there is a L2circuit connection between 2 QFX5110 established through an EVPN SPINE/MPLS LSP TRANSIT device. If the VXLAN access interface flap at one QFX5110, it will cause corruption for l2circuit at the other QFX5110. So the l2circuit traffic is blackholed at MPLS transit node.

The mc-ae interface may get stuck in waiting state in dual mc-ae scenario

In dual mc-ae scenario, if an LACP active device reboots or all AEs are disabled/enabled on the device, the LACP partner and its mc-ae peer might have different partner system ID, it causes mc-ae to get stuck in waiting state hence have traffic impact in the network.

IRB IFL is not up when local L2 member is down and IM NH present

In EVPN scenario, IRB sub unit is marked down when local L2 interfaces are down even though IM route exist

[AppSecure] Automatic application-identification download stops after going over the year and reboot.

Automatic application identification download stops after going over the year and reboot set services application-identification download automatic stanza will be removed upon upgrading to the fixed OS. You need to add the configuration to initiate an automatic download after the Junos OS upgrade.

DHCP discover packets sent to IP addresses in the same subnet as irb interface cause the QFX5110 to send bogus traffic out of dhcp-snooping enabled interfaces

When the DHCP discover packets are received with destination mac address of the device's irb interface, the packets are supposed to be dropped when dhcp snooping is enabled and DHCP relay and DHCP server are not configured.

The /var/db/scripts directory might be deleted after executing "request system zeroize"

On all platforms which support ZTP (Zero Touch Provisioning), the /var/db/scripts directory might get deleted after executing "request system zeroize", and it won't be recreated automatically.

JDI_MMX_REGRESSIONS : Router is not reachable after downgrade from 18.2-20190513.0 to 18.2R2.6

On an MX10003, it is possible that there are multiple processes try to access CB FPGA concurrently. This can lead to the system hung state immediately after bootup. This fix makes "alarmd" process retries if it failed to gain access to the FPGA. This will prevent alarmd to hang the router during boot-up

Unknown SNMP trap (1.3.6.1.4.1.2636.3.69.1.0.0.1) sent on QFX5110 restart

Unknown SNMP trap (1.3.6.1.4.1.2636.3.69.1.0.0.1) sent on QFX5110 restart.

The BGP session might flap after RE switchover done simultaneously on both boxes of BGP peer in scaled BGP session setup

On MX platforms enabled with Graceful Routing Engine Switchover (GRES) and NonStop Routing (NSR) on both end of BGP peer, in scaled BGP session setup, BGP peers might flap after the execution of RE mastership switchover on both the boxes simultaneously.

The CPU utilization on a daemon might keep around 100% or backup RE might crash in race conditions

The CPU utilization on a daemon might keep around 100% or backup RE might crash in race conditions (it may get hit or triggered at times by some churn in the system, no specific trigger).

19.2R1:SRX1500: L2NG: member of dynamically created vlans info is not displaying on show vlans.

On the SRX1500 platform, when an interface is changed from access mode to MVRP trunk port, traffic will be blocked and dynamic VLAN cannot be learned. As a workaround, reboot the device or srxpfe after configuration.

Commit check error for VSTP on EX9200s: "xSTP:Trying to configure too many interfaces for given protocol"

On EX9200s, when configuring too many VLANs and interfaces under VSTP a commit error might happen: "xSTP:Trying to configure too many interfaces for given protocol"

Configuring ESI on a single-homed 25G port might not work

In an EVPN scenario, if the 25G interface of CE (Leaf node) is configured with an Ethernet Segment Identifier (ESI), and it actually only has a single-homed to reach its peer, that might cause the packets to the peer to be discarded.

The DHCP Snooping table might be cleared for VLAN ID 1 after adding a new VLAN ID to it

On EX/QFX-Series platforms with DHCP Snooping configuration, the DHCP Snooping table of default VLAN ID 1 might be cleared if another VLAN ID is added to the DHCP Snooping configuration. The impact is that all the hosts' traffic in the default VLAN 1 might be blocked, especially if other features that leverage the DHCP Snooping table (like Dynamic ARP Inspection) are also configured on the device.

Security logs cannot be sent to external syslog server via TCP

RTLOG is not able to create new connection with syslog server any more after a lot of TCP connections have been created by RTLOG. This issue causes security logs not to be sent to external syslog server via TCP.

Interfaces configured with flexible-vlan-tagging might loss connectivity

On QFX5000 series platform and related products (like ACX5K and EX4600), a port configured in service provider style (flexible-vlan-tagging) might lose connectivity over the native VLAN when additional tagged VLANs are added to it. The impact is that all the hosts' traffic over the designated native VLAN might be dropped.

The recovery snapshot cannot be created after system zeroize

On EX2300/3400 platforms, the recovery snapshot might not be able to be created after a system zeroize. This is due to certain hardware space limitation over time where there is not enough space to save full snapshot.

Error message "RPD_DYN_CFG_GET_PROF_NAME_FAILED: Get profile name for session XXX failed: -7", may be seen in syslog after restarting routing daemon

Error message "RPD_DYN_CFG_GET_PROF_NAME_FAILED: Get profile name for session XXX failed: -7", may be seen in syslog after restarting routing daemon. This message may or may not impact any subscribers coming up. Earlier issue where few subscribers were seen offline along with this message is fixed by PR-1417574 but the message is still seen.

The wmic process might crash and restart when using User Firewall with Active Directory

On all SRX-Series platforms and in an Integrated User Firewall with Active Directory scenario, the wmic daemon might crash and restart automatically if the wmic process lost connections with the Domain Controller. Because the wmic will access the Null pointer if the Active Directory server closes the socket. As a result, it might cause a delay for the Integrated User Firewall authentication with the Active Directory.

The "vlan all interface all" combination not working as expected under VSTP

In VSTP scenario, if flexible vlan tagging is configured on the interface and multiple IFLs are configured for the interface, if "vlan all interface all" is configured under VSTP, not all interfaces are enabled for this protocol.

Improve serviceability of error message "PFESVCS: Input IFL not found"

This is a minor modification and has no functionality change as the change is done to add more description to PFESVCS log message.

18.2R3: SRX-RIAD: VSRX3.0: APPID: appid.core found at ../../../../../../../../src/junos/usr.sbin/appidd/appidd_ng_utils.c:8096

required to release note

JDI-RCT: QFX10002 MCLAG PDT:L2,L3 Traffic drop seen on disable/enable mclag.

required to release note

The bandwidth value of the DDOS-protection might cause the packets loss after the device reboot

In the DDOS-protection scenario, when the aggregate bandwidth value (e.g value A) of protocols (l3mtu-fail/ttl/ip-opt/rsvp/ldp/bgp/unknown-l2mc/rip/ospf/stp/pvstp/lldp) is configured, this bandwidth value might be reset to the default value (e.g. value B) after the device reboot or PFE restart.

18.2x41 SPC3 & SPC2 mixed mode : SPC2 wrongly forwarded packet to SPC3 core0 and core14, see core0 and core14 back pressure detected.

In Mix-mode, when packets are forwarded from SPC2 to SPC3, in some condition, packet might wrongly forwarded to SPC3 core0 and core14, then causing the packet drop.

ATT Whitebox : Mac+IP routes are not consistent // ATTip46103

Mac+IP routes are consistent when MAC aged out.

Restarting l2-learning might cause some remote MAC addresses to move into forwarding 'dead' state

When restarting l2-learning (l2ald) process on MX in an EVPN/MPLS scenario, some mac-addresses might be pointed to dead next-hop in the forwarding-table. All further MAC-addresses learned using the same indirect next-hop or from the same remote PE will get rejected by the kernel too and will not be installed in the PFE anymore. This is only applicable if the routing-instance type is evpn. If the EVPN instances type is virtual-switch there is no exposure.

SRX branch with RPM probe-server hardware timestamp configured does not respond with correct timestamp to the RPM client

SRX branch with RPM probe-server hardware timestamp configured does not respond with the correct timestamp to the RPM client. On the RPM client the RPM probe result will not display the hardware timestamp data received from SRX RPM server.

On PTX/QFX AE outgoing traffic might be dropped after changes are made to AE

On PE-chip based PTX/QFX platforms (including PTX1K/3K/5K/10K series, QFX10K series), if CoS IEEE-802.1 rewrite rule is configured and bound to the AE interface, traffic going out the AE interface might get dropped after changes are made to AE, due to nexthop install failure on ingress PFEs.

LINX:SNMP trap comes twice for FRU removal in MX10K- one trap with FRU nameas FPC: JNP10K-LC2101 and second with FRU name as FPC @ 1/*/*

LINX:SNMP trap comes twice for FRU removal in MX10K- one trap with FRU nameas FPC: JNP10K-LC2101 and second with FRU name as FPC @ 1/*/*

The AE interface might flap whenever a new IFL is added to it

On MX Junos Fusion setup with AE (Aggregated Ethernet) interface configured with link-speed, the AE interface might flap whenever a new IFL (Logical Interface, e.g. subinterface) is added to it and commit. The issue results in service on the AE interface flap.

Packet loss is seen with ECMP resilient-hash enabled on QFX platforms

With ECMP resilient-hash enabled, unilist next-hop entries may not be programmed correctly. This will impact traffic flow and may cause traffic loss.

Clients in isolated vlan might not get IP addresses after completing authentication when both dhcp-security and dot1x are configured

After Junos 18.2R1, on EX-NG platforms which support "DHCP snooping with PVLAN" (e.g. EX4300/EX2300/EX3400), when using PVLAN with dot1x and dhcp-security, and IRB interface is not configured for the PVLAN, due to the DHCP packets getting dropped on the promiscuous port, clients in isolated vlan might not get IP addresses after completing authentication.

The packets originating from the IRB interface might be dropped in VPLS scenario

In VPLS scenario on the PE router, The packets originating from the IRB interface might be dropped, which look up for the LSI resolved on LT interface. In the multihoming VPLS scenario, the connect of the IRB interfaces between the multiple VPLS PEs might be broken due to this issue, which might result in dual master VRRP.

EX3400 FAN alarm (Fan X not spinning) appears and disappears repeatedly after removed the fantray (Absent).

EX3400 FAN alarm (Fan X not spinning) appears and disappears repeatedly after removed the fantray (Absent).

The chassisd is unable to power off a faulty FPC after RE switchover which leading to chassisd restart loop

In the MX router with a faulty (e.g. hardware error) FPC (Flexible PIC Concentrator) installed, performing RE (Routing Engine) switchover or restarting chassisd which may cause chassisd restart loop. This issue will cause traffic lose completely.

traffic dropped at MX/EVPN-L3GW when VRRP switchover is initiated at host side; irb_arp_ndp NH is programmed as discard during the problem state

In proxy ARP, MAC+IP is not allowed to be learned before Mac is learned as per design but there is a scenario where GARP packet received with different Ether Mac could result reverse and will move IP Route/NH into discard state.

Flow control does not work as expected on 100G interface of QFX5110

On 100G interface of QFX5110, flow control does not work as expected. As a result, QFX5110 may stop transferring traffic when receiving a pause frame on flow control disabled interface or flow control does not work though enabling it.

The KRT queue might be stuck when more than 65k IPv6 labeled-unicast routes are received on BGP-LU IPv6 session which is configured on PTX10000 series platform

When BGP labeled-unicast (BGP-LU) IPv6 session is configured on PTX10000 series platform and more than 65k IPv6 labeled-unicast routes are received on this session, the F-label might be exhausted because chained composite next hops for ingress labeled-bgp LSPs is not supported on this platform. The F-label exhaustion could cause kernel routing table (KRT) queue to be stuck with the error of "ENOMEM -- Cannot allocate memory" which could cause routes to be missing in forwarding table. The fix for this issue is to make "forwarding-table chained-composite-next-hop ingress labeled-bgp inet6" being supported under routing-options hierarchy in PTX10000 series platform.

DHCPv6 Client might fail to get an IP address

If DHCPv6 relay is configured, the device might relay the DHCPv6 request without adding "link-layer-type" value to DHCP Option-79 in the relay packet (Normally, the value in DHCP option-79 consists of 2 bytes for link-layer type + 6 bytes for client MAC address). When the DHCP server receives this relay packet, it will misunderstand the option value and cannot provide correctly the IPv6 address to the DHCPv6 client.

When host bound packet received in MAP-E BR router, service interface statistics counter shows incorrect number of bytes

In MAP-E configured BR router, service interface statistics shows different number from actual packet size when BR received host bound packet from client under CE equipment.

RTSP resource session is not found during NAT64 static mapping

On all SRX platforms, when using NAT64 translation, RTSP uses a wrong string to re-write the message payload, which may result in the message being dropped in a remote device.

The cfmd process might crash after a restart on Junos 17.1R1 and above

On MX platforms running Junos 17.1R1 and above, when enhanced-ip mode and CFM centralized mode ("no-aggregate-delegate-processing" konb is configured for CFM) are used , after a cfmd restart (e.g. device cold start/restart, RE switchover), the cfmd process might crash and could not run anymore.

"/var/host/motd does not exist" message is flooded every 5 sec in chassisd logs

"/var/host/motd does not exist" message is flooded every 5 sec in chassisd logs since EX2300 / EX3400 do not support a backup partition.

The rpd might crash in OSPF scenario due to invalid memory access

In Open Shortest Path First (OSPF) scenario, rpd might crash when trying to resolve the Forwarding Address (FA) from an OSPF LSA type 5/7. The issue is due to accessing memory bytes exceeding the valid size, and occurs in rare condition.

Detached LACP member link gets LACP State as enabled in PFE when switchover because of device reboot

If particular set of events happened the status for detached LACP link may get turned on in PFE which may later create traffic blackholing for transit traffic.

Lawful Intercept on LAC access interface might not work as expected due to MTU check failure

On MX platforms which is configured as Layer 2 Tunneling Protocol Access Client (LAC), if Lawful Intercept (LI) is enabled on LAC access interface, in the corner case that PPPoE packet size is larger than (PPPOE MTU - 32), but smaller than PPPOE MTU, and DF bit is set for inner PPPOE IP header, the LI mirrored packets might get dropped due to MTU check failure.

Python op scripts executed as user "nobody" if started from NETCONF session, not as logged in user, resulting in failing PyEZ connection to the device.

When executed over Junos CLI, Python op script is started as a separate process with the same user as the user which started the script.However, when the python op script is started from NETCONF session, the script started as a process from user "nobody". If the script is using PyEZ session to connect to the device and execute RPC commands, it will return the following error from Pyez: ConnectError(host: None, msg: user "nobody" does not have access privileges.). This is fixed by executing with the python op script with the same user as the user from the NETCONF session which invoked op script. This means that the behavior from CLI and NETCONF sessions are the same.

The process jdhcpd may crash after issuing the command "show access-security router-advertisement-guard"

On the platforms that don't support Router Advertisement Guard (RA Guard), such as PTX, after issuing the command "show access-security router-advertisement-guard", the process jdhcpd may crash.

Major alarm log messages for temperature conditions for EX4600 at 56 degrees Celsius

EX4600 will generate a major alarm once any sensor temperature is hit at 56 degrees celsius. This is incorrect behavior and can be resolved by upgrading version of code. **Note: Even though incorrect alarms are triggered, the chassis will still shut down gracefully when "fire shutdown" threshold is hit as seen in operational mode > show chassis temperature-thresholds.

The rpd might crash when the policy applied to the MoFRR is deleted

When a policy is applied to the MoFRR (Multicast-Only Fast Reroute, knob "set routing-options multicast stream-protection policy "), and after the policy is deleted, somehow, the policy is still being applied to the MoFRR. Thus, during the commit, the rpd process will crash since the policy is referenced but not configured. The routing protocols might be impacted and traffic disruption might be seen during the rpd crash and restart.

Traffic Discarded for only specified VLAN in IPACL_VXLAN filters

When there is only one term containing user-vlan-id match condition and there are no other terms in the IPACL_VXLAN filter except discard, the discard action for non-matching traffic will work for only that VLAN which is specified under user-vlan-id and not for other VxLAN VLANs which are part of that trunk port on which filter is applied. This can be ignored by adding another term to the filter which doesn't contain user-vlan-id match.

The PoE might not work after upgrading the PoE firmware on EX4300 platforms

On EX4300 PoE platforms, the PoE might not work if the PoE firmware upgrade hangs (e.g. abnormal interruption to the PoE firmware upgrade, such as power failure during upgrade) during the PoE firmware upgrade. The issue results in unable to provide power to the PoE device.

The firewall filters might not be created due to TCAM Issues

On EX4300 platform, if FBF filters are applied on IRB with LAG configuration also existing on the box, the firewall filters can not be created and function correctly due to TCAM Programming issues.

Packet loss happens during cold-sync from secondary node after rebooting

On SRX5000 series devices with an SPC3 card, packet loss is observed for seconds on the primary node when the secondary node joins the chassis cluster after rebooting.

The transit packets might be dropped if an LSP is added or changed on MX/PTX device

On MX/PTX series platforms acting as a transit router, if the "set protocol mpls sensor-based-stats" and "ldp-tunneling" are used and when an LSP is added or changed, part of its data structure might not be freed which might cause the resources to be exhausted. Once the resource is exhausted, the kernel routing table (KRT) queue will be built-up and new routes cannot be programmed in the forwarding engine, in the end, the transit packets might be lost.

phone home on macallan fails because sysctl cannot read device serial number

Trigger : Provisioning an EX4300 device using phone-home client feature can result in a failed upgrade. Behaviour : The phone-home upgrade can fail sometimes on the EX3400 device. Workaround : No workaround exists for this issue.

The dhcp-relay knob might not work on MX10008/MX10016 platforms

On MX10008/MX10016 platforms, if the dhcp-relay knob is enabled under the forwarding-option hierachy, either in default or non-default routing-instance, the Dynamic Host Configuration Protocol (DHCP) relay feature might not work as expected. Due to this issue, all the DHCP discovery packets couldn't be relayed.

The rpd crashes and commit fails when trying to commit configuration changes

When loading configuration changes related to routing instance through RPC (e.g. OpenConfig), if the mgd reads an invalid routing-instance name (e.g. longer than 256 characters or mistaken name) from the configuration file and transfers it to the rpd, rpd crash happens.

Added CLI config 'on-disk-failure' on EX3400-series.

When a disk error occurs, The VC unit goes into hang state. Add CLI config "on-disk-failure" to recover it. - set chassis routing-engine on-disk-failure disk-failure-action (reboot | halt)

Packet loss happens during cold-sync from secondary node after rebooting.

On SRX5000 Series devices with an SPC3 card, packet loss is observed for seconds on the primary node when the secondary node joins to the chassis cluster after rebooting.

The flowd process crashes when SRX5K devices work at SPC3 mix mode with 1 SPC3 card/7 SPC2 cards

When NAT is used on SRX5K (SRX5400, SRX5600 and SRX5800 devices work at SPC3 mix mode with 1 SPC3 card/7 SPC2 cards), it might cause the flowd process crash and traffic impact.

SPC3 Talus FPGA stuck on 0x3D/0x69 golden version

In SRX5000 series with SPC3, at the first bootup after a Junos upgrade, if the SPC3 FPGA upgrade gets interrupted for example by another reboot, the FPGA upgrade may persistently fail and fallback to an older FPGA image (0x3D/0x69), which may cause the SPC3 card to come online, but not process traffic. The system alarm 'Talus version mismatch' will be raised in this case.

The DHCP relay feature might not work as expected with "helpers bootp" configured

On MX10K/MX204/MX150/PTX10K/PTX1K/EX2300/EX3400/EX4300/EX4650/EX9250 platforms or platforms equipped with NG-RE, if the "helpers bootp" knob is enabled under the forwarding-option hierachy, the Dynamic Host Configuration Protocol (DHCP) relay feature might not work as expected. Due to this issue, all the DHCP discovery packets couldn't be relayed.

Loopback address exported into other VRF instance might not work on EX/QFX/ACX platforms

On EX/QFX/ACX platforms, the loopback address exported into other VRF instance might not work.

Version compare in phc may fail making phc to download the same image.

Version compare in phc may fail making phc to download the same image.