
17.3R3-S6: Software Release Notification for Junos Software Service Release version 17.3R3-S6



Article ID: TSB17647 TECHNICAL_BULLETINS Last Updated: 27 Sep 2019 Version: 1.0
Alert Type:
SRN - Software Release Notification
Product Affected:
Alert Description:
Junos Software Service Release version 17.3R3-S6 is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts

Junos Software Service Release version 17.3R3-S6 is now available


Due to a software defect introduced by PR1432397, configuring a firewall with the forwarding-class feature on ACX2200, MX80, or MX104 causes the firewall process (dfwd) to restart unexpectedly. As a result, no firewall is installed on the PFE. If you are using a firewall with "forwarding-class" on ACX2200, MX80, or MX104, do not upgrade to Junos version 17.3R3-S5 or 17.3R3-S6.

The following are incremental changes in 17.3R3-S6.

PR Number Synopsis Description

The BGP session might flap if the ksyncd is restarted before RE switchover

In NSR-enabled routers with BGP peers configured, if the ksyncd on the backup RE is restarted, it might cause the replication state to be out-of-sync. A subsequent RE switchover could cause the BGP session to flap.


MX-VC: suboptimal Aggregate Ethernet Load Balancing when an Aggregate Ethernet bundle is part of an ECMP path.

Load balancing is uneven across AE (Aggregate Ethernet) member links when the AE bundle is part of an ECMP (Equal Cost Multi-Path) path. The AE member links need to span VC members.


commit block for vlan-id none with evpn routing-instance without routing-instance

When a VLAN uses an IRB interface as the routing interface, the vlan-id parameter must be set to "none" to ensure proper traffic routing. This issue is platform-independent.


Unable to provide management when em0 interface of FPC is connected to another FPC L2 interface of the same VC

On EX4600/QFX5000 Series switches in a VC scenario, when the em0 interface of an FPC member is connected to a Layer 2 (L2) interface of another FPC in the same VC, the em0 interface provides no management connectivity.


Multihop eBGP peering session exchanging EVPN routes can result in rpd core when BGP updates are sent

When eBGP multihop sessions exchanging EVPN routes are configured, a core can result due to an internal error.


Packets with the DEI/CFI bit set to 1 in the L2 header might not be forwarded

On EX2300/EX3400/EX4600/QFX5110/QFX5200/QFX3500/QFX3600 platforms, traffic with the DEI/CFI bit set to 1 in the L2 header might not be forwarded.


"PSM X Not OK" alarm is set/clear continuously when some of the PSMs are in power off state

On MX2020/MX2010/MX2008 platforms, when a PSM is powered off, the Major alarm "PSM X Not OK" will be set. Due to a software defect, the PEM periodic function clears all the previous PEM-related alarms and resets the alarms. Because of this, the "PSM X Not OK" alarm is set and cleared continuously.


i40e NVM upgrade support for PTX platforms

Adding support for i40e NVM upgrade in PTX3000 platforms


FPCs might reboot continuously until the system is rebooted or RE switchover.

On NG-RE (Next Generation Routing-Engine), a failure of the HWRNG (Hardware Random Number Generator) will leave the system in a state where not enough entropy is available to operate.


The fxpc process might use high CPU on ACX5000 after upgrade

On ACX5000 platforms with Junos 16.2 onwards, if ECC errors occur, the FPC/fxpc process might use high CPU. This issue can be hit after the upgrade in some cases.


Traffic spikes generated by IPFIX might be seen on QFX10002

From 17.3R1, on the QFX10002 platform, in a rare condition, the IPFIX flow statistics (packet/byte counters) are incorrect in the exported record. Since the stats are not collected properly, the flow might time out and get deleted due to the inactive timeout, causing an unexpected number of exported records to be sent out. Traffic spikes generated by IPFIX might be seen.


SFP-T might not work on QFX5100/QFX5110 devices

In a mixed mode Virtual Chassis of QFX5100 and QFX5110 or standalone switch with QFX5e series switch Junos version, interfaces based on SFP-T on the device will not transition to up state.


some SNMP jnxOperating* OIDs missing in EX4300 VC

EX4300 virtual-chassis systems may fail to register some jnxOperating SNMP OIDs related to the routing-engines. This behavior is more likely if virtual-chassis members 0 and 1 (FPC0 and FPC1) are not selected as routing-engines.


Applying "set switch-options no-arp-trap" command might cause ARP resolutions to fail

On QFX5100/QFX5110/QFX5200/QFX5300/EX4600 switches, when the "switch-options no-arp-trap" knob is configured, the unicast Address Resolution Protocol (ARP) packets that are not destined to the switch routed interfaces might cause traffic to be transmitted wrongly or traffic failure due to ARP resolutions failure.


Cosmetic log "warning: [---] is protected, '---' cannot be deleted" is seen after commit using "configure private" in a configuration with "protect" flag present

If the current configuration file has the "protect" flag present, committing and then exiting in 'configure private' mode will cause the cosmetic log message "warning: [---] is protected, '---' cannot be deleted".


PTX10008: error logs seen when flows are sample through aggregate bundles when jflow sampling enabled

When you sample flows whose ingress and egress interfaces are of "aggregate" type on PTX10000s and QFX10000s, you may see syslog info messages about "expr_get_local_pfe_child_ifl" and "flowtb_get_cpu_header_fields". Even though these messages have no impact, they will crowd syslog files and syslog servers.


Interface with Tri Rate Copper SFP(P/N:740-01311) in "MIC 3D 20x 1GE(LAN)-E,SFP" will stop forwarding traffic after ISSU upgrade

Interface with Tri Rate Copper SFP (P/N: 740-01311) in "MIC 3D 20x 1GE(LAN)-E,SFP" will stop forwarding traffic after ISSU upgrade.


The rpd might crash on the new primary RE when performing GRES

On all Junos platforms with Graceful Routing Engine Switchover (GRES) and Nonstop active Routing (NSR) enabled, if Border Gateway Protocol (BGP) is configured, the rpd process might crash on the new primary Routing Engine (RE) when performing GRES due to this timing issue.


The routes learned over an interface will be marked as "dead" next-hop after changing the prefix-length of IPv6 address on that interface

If an interface is configured with 128 prefix length for IPv6 address, the route learned over that interface might be marked as "dead" next-hop after the prefix length is changed from 128 to any other prefix length.


The pfe_disable action does not disable the logical tunnel interfaces belonging to the affected PFE

When the pfe_disable action is triggered (for example by a major error on the PFE), all the physical interfaces for that PFE will be disabled. This PR is meant to ensure that logical tunnel interfaces (e.g. lt-*) are also disabled to prevent attracting traffic to the failed PFE.


New CLI knob to enable copying of Open vSwitch Database (OVSDB) to RAM on Virtual Chassis backup RE instead of SSD

In an Open vSwitch Database (OVSDB) environment with a Solid State Drive (SSD) installed on the backup RE side, the primary RE copies /var/db/ovsdatabase to the backup RE whenever ovsdatabase is updated, and the backup RE writes the whole ovsdatabase file to the SSD card. SSD endurance is based on the number of write/erase cycles of a flash block, so you may want to use RAM instead of SSD. This PR introduces a new CLI knob to enable copying of the database to RAM on the backup RE (instead of SSD). This knob can be enabled only on QFX5K platforms:

set protocols ovsdb copy-ovsdatabase-to-backup-ram

The knob is disabled by default. If the new knob is enabled, VGD (Virtual-Tunnel-End-Point-Management Daemon) copies /var/db/ovsdatabase from the primary RE to the backup RE's RAM file partitions when the OVSdatabase file changes. When the backup RE becomes the primary RE (for example, on switchover) and the new knob is enabled, the file is copied from RAM to /var/db/ovsdatabase on the SSD.


The rpd might crash under a rare condition if GR helper mode is triggered

When graceful restart is configured on the BGP peer device, the rpd might crash if the peer device initiates a new TCP connection while a TCP connection already exists for the BGP session, sends an OPEN message, and this new TCP connection is then torn down immediately after it is established or the OPEN message is sent.


Polling interface statistic and status becomes very slow when MPC CPU goes to 100%

On MX platforms, when there is a large number of route additions/deletions, the PFE CPU can become very busy (go to 100%) processing the messages from the RE, and the PFE cannot process other tasks such as interface statistic polling. This can cause the CLI to take several seconds to respond to the show interface command, or cause SNMP get/bulkget timeouts.


A RSVP-signaled LSP might stay in down state after a link in the path flaps

In an RSVP (Resource Reservation Protocol) LSP (Label Switched Path) scenario with a loose or undefined path, the LSP might stay in down state due to loop detection after a link in the path flaps.


ARP/ethernet-table is pointing to down AE interface if MTU is changed

In an EVPN-VXLAN all-active multihoming scenario, when the CE and PEs (suppose they are PE1 and PE2) are connected with AE interfaces, if the AE interface (AE1) is brought down on PE1 and the MTU of AE1 is then changed, the ARP and ethernet-switching table entries on PE1 might point to AE1 even though AE1 is in down state.


Add more information to the firewall flexible match syntax

This PR provides additional information for the "set firewall flexible-match source-ipv6-match ..." CLI commands to avoid confusion.


In rare cases rpd might crash after RE switchover when BGP multipath and L3VPN vrf-table-label are configured

When BGP multipath and L3VPN vrf-table-label are configured, after RE switchover, in rare cases, rpd might crash due to a vrf-table-label reallocation issue. During the crash, the routing table and neighborship will become unstable and traffic will be dropped; it will be restored automatically.


FPC might crash when BGP multipath is configured with protection

When running with Border Gateway Protocol (BGP) multipath with protection configured, it is possible to encounter a situation where nexthop references are not properly decremented, thus causing the system to hold onto nexthops when they should be freed. This leads to a memory hog situation which eventually results in a Flexible PIC Concentrator (FPC) crash.


BGP IPv6 routes with IPv4 nexthop causes rpd crash

When a BGP import policy changes IPv6 routes to have IPv4 nexthop, rpd might crash during route resolution. With the fix, changing route to have nexthop with different address family will not be allowed, if the route table does not have that resolution family configured.


Layer 3 ip route might be deleted after L2 next-hop change is seen.

On the EX4300 platform, a Layer 3 IP route would be deleted when an L2 next-hop change is seen or the PFE receives duplicate nexthop change messages (examples include the STP/LAG state change of interfaces). This will cause traffic drop.


"show chassis fpc" command on PTX1000 and PTX10000 series routers shows incorrect buffer memory utilization

On PTX1000 and PTX10000 series routers, the CLI command "show chassis fpc" shows incorrect buffer memory utilization.


The PPPoE subscribers are unable to reconnect after FPC reboot

In a scaled subscriber management environment, the PPP inline keepalives don't work after all the AE (Aggregate Ethernet) member link line cards reboot. This issue may cause the PPPoE subscribers to be unable to reconnect.


The rpd might crash when LDP route with indirect next-hop is deleted

If Label Distribution Protocol (LDP) route with indirect next-hop exists (e.g. LDP egress-policy is used to advertise BGP route into LDP), the rpd might crash when the LDP route is deleted.


The MTU might change to a Jumbo default size on PFE side after deleting and re-adding the interface

On EX and QFX platforms, if there is no manually configured MTU, the MTU changes to the Jumbo MTU after deleting and re-adding the interface.


Change the default parameters for resource-monitor rtt-parameters

Default parameters for resource-monitor rtt-parameters have been changed from 3 x 5 = 15 seconds to 1 x 3 = 3 seconds.


Traffic over the AE IFD might get filtered with the filter on one child IFL on ACX Series

On ACX 1000/2000/4000/5048/5096 platforms, after a new child IFL with VLAN and filter is added on an AE IFD, or the VLAN ID of a child IFL with filter is changed, traffic over the AE IFD might get filtered with that filter on the child IFL. Example: ae-0/0/0 is an IFD and ae-0/0/0.100 is an IFL.


Class-of-service configuration changes might lead to traffic drop on cascade port in Junos Fusion setup

In a Junos Fusion provider edge setup, if COS (class-of-service) is configured on the cascade port, making some COS configuration changes, such as deactivating or activating COS configurations on the cascade port, would cause the traffic on this port to be silently dropped because the PFE misprograms the COS queue of the cascade port.


Unrelated AE interfaces might go down if committing configuration changes

On all Junos platforms, if VRRP is running on AE interfaces while any configuration changes related to AE interfaces are committed, unrelated AE interfaces might go down.


LLDP memory leak when ieee dcbx packet is received in auto-neg mode followed by another dcbx packet with none of ieee_dcbx tlvs present.

An LLDP memory leak occurs when an ieee dcbx packet is received in auto-neg mode, followed within the same second by another dcbx packet with none of the ieee_dcbx tlvs present, which leads to this second packet not being classified as ieee_dcbx.


Resources might be reserved for stale RSVP LSP when RSVP is disabled on the interface

If Resource Reservation Protocol (RSVP) is disabled on the incoming interface of a transit Label-Switching Router (LSR) along a Label Switched Path (LSP) requesting link protection, no PathTear message is sent downstream. Hence all LSRs downstream retain the LSP until the state ages out. As the LSRs use a long refresh interval by default, it will take approximately an hour and a half for the LSP to age out on the downstream LSRs.


BGP might get stuck in Idle state when the peer triggers a GR restart event

When NSR (nonstop-routing) is enabled on the local device and BGP GR (Graceful-Restart) is enabled on the peer device, and the backup RE is ready to run (synchronization must be complete), if the peer triggers a GR restart (usually caused by some failure in the peer, the peer restarting rpd, etc.), some BGP sessions might get stuck in Idle state. The reason is that when the GR restart happens, the device is still doing the initial sync of the previous sessions to the backup RE, so some BGP sessions might get stuck in Idle state because the router does not complete the process (the initial sync of the data set to the backup).


JFLOW: To Reduce max flow table Size when using Flex-flow-sizing

On the MPC8 line card, enabling the bandwidth knob together with the flex-flow-sizing knob may result in the Jflow service getting disabled because the memory requested by the flex-flow-sizing knob cannot be allocated.


FPC crash may be observed if it reaches heap utilization limit

In a subscriber management environment, an FPC crash may be observed if the FPC reaches its heap utilization limit while subscribers are continuously logging in. This is due to a code defect which fails to report this condition accurately; because of this failure, further subscriber logins are allowed, which in turn causes the FPC crash.


The IRB interface might flap after committing configuration change on any interface

When configuring an IRB interface with an iff (interface address family) MTU higher than the ifd (physical interface) MTU, where that particular IRB interface is part of a bridge-domain or VLANs, if the above two configurations are committed at the same time, the IRB interface might flap on a subsequent commit that invokes the interface configuration daemon (e.g. any interface configuration, bridge-domain or routing-instance configuration, etc.).


Services dependent on LDP might be impacted if committing any configuration changes

On all Junos platforms, if there is any protocol running that depends on LDP (e.g., l2circuit/L2VPN), after committing any configuration change, even one as small as changing the description on an interface, unnecessary LDP updates might be seen. Only services dependent on LDP might be impacted during the period.


Traffic blackhole might be seen due to a long LSP switchover duration in RSVP-signaled LSP scenario

In an RSVP-signaled LSP scenario with an LSP bypass path configured, when all interfaces on a transit node along the primary LSP are brought down, the LSP might not go down on the ingress node. It will take 3-4 minutes before LSP switchover begins, causing a long traffic blackhole.


The dcpfe crash might be seen in EVPN-VXLAN scenario

Under extremely rare circumstances, on QFX10000 series platforms with EVPN-VXLAN scenario, the FPC PFE may crash because of an external event like a rpd restart.


The IPv6 neighbor might become unreachable after the primary link goes down in VPLS multihoming scenario

In a VPLS (Virtual Private LAN Service) multihoming scenario where LSI (Label-switched Interface) interfaces are used, if the IPv6 neighbor is established via the VPLS, the IPv6 neighbor might become unreachable after the primary link of the VPLS multihoming goes down. The issue results in traffic loss for the IPv6 neighbor.


Traffic loss might be seen on the ae interface on QFX10000 platforms

On QFX10000s platforms, when AE membership state changes on an Aggregate Ethernet with VXLAN VLAN and IRB access interface, if member links of the Aggregate Ethernet are on different PFE chips, the membership state changes may result in traffic loss.


The rpd crash might be seen if l2circuit/local-switching connections flap continuously

On all Junos platforms, if there are multiple interfaces configured under a single l2circuit/local-switching, and each of these interfaces has a description field configured, then when l2circuit/local-switching connections flap continuously, memory usage might increase and eventually result in an rpd crash because of running out of memory.


The PPPoE negotiation of subscriber connection might fail when 65535 is assigned as session-id

On MX platforms running Point-to-Point Protocol over Ethernet (PPPoE), the reserved PPPoE session-id 65535 might also be assigned to the subscriber, which conflicts with RFC 2516. The PPPoE negotiation of the subscriber connection might fail due to this issue.


rtsock_peer_unconsumed_obj_free_int: unable to remove node from list logged extensively

In some cases the following message might be logged extensively:

kernel: rtsock_peer_unconsumed_obj_free_int: unable to remove node from list

This is cosmetic, and after this PR fix the log error level has been moved to debug level. It is safe to filter these messages out.


The ARP request might not be replied although "proxy-arp" is configured

When "proxy-arp" is configured on the device, the ARP request might be dropped if the next-hop to the ARP requester is in "hold" state.


The traffic from GVPN to MPLSoUDP tunnel is not sent for decryption to MS-MPC

On MX-series routers with MS-MPC cards, when the FPC restarts, the routing-instance type is changed (e.g. virtual-router to vrf), or the RD is changed, traffic from a Group virtual private network (GVPN) tunnel to an MPLS over UDP tunnel may fail to get decrypted on the MS-MPC. This will cause complete service loss.


LDP might not update the LDP ingress route metric when inet.3 route flash happens before inet.0

LDP route metric might not match IGP route metric even with "ldp track-igp-metric" configured.


The system does not reboot or halt as configured when encountering a disk error

When the system encounters a disk error or a halted system (e.g. memory leak), the chassisd might go into a hung state with the below error messages even though "disk-failure-action reboot" or "disk-failure-action halt" is configured.


SNMP (ifHighSpeed) value does not appear properly for VCP interfaces only; it appears as zero.

On EX4300 switches, the SNMP (ifHighSpeed) value does not appear properly for VCP interfaces only; it appears as zero.


The rpd might crash if no-propagate-ttl is configured in BGP multipath scenario

In a BGP multipath scenario with labeled-unicast (LU) enabled, if no-propagate-ttl is configured, the rpd might crash if the BGP LU route's ttl action is changed so that it no longer matches the BGP multipath cache.


The LDP might withdraw a label for an FEC once the IGP route is inactive in inet.0

If LDP is used without egress-policy, when a route from another routing protocol is preferred over the IGP route in inet.0 (e.g. a BGP-LU route exported in inet.0), LDP might withdraw the FEC label, causing LDP traffic to get lost.


The AE interface does not come up after rebooting the FPC/device though the physical member link is up

When a single FPC carries a minimum of 10 member links which belong to the same or different AE (Aggregate Ethernet) bundles, if one of the static AE bundles (LACP is not enabled) has a disabled member link, this static AE interface does not come up after rebooting the FPC/device even though it has a physical member link in UP state.


Unicast arp requests are not replied with "no-arp-trap" option

On EX4300 Series platforms, a received unicast ARP request might not be replied to if the "no-arp-trap" option is configured. This can cause ARP resolutions to fail on remote peer devices.


EX4300 without soft error recovery(parity check, correction and memscan) enable

EX4300 has enabled the soft error recovery feature on the PFE, which can automatically detect the PFE parity error and recover by itself.


BGP knob "multipath multiple-as" does not work in specific scenario

By default, BGP multipath load balances across BGP neighbors in the same AS. To load balance across BGP neighbors in different ASs, the knob "multiple-as" is also needed. However, if the knob "multiple-as" is configured in only some BGP groups but not in all BGP groups, the expected load balancing will not work.


IPFIX Flow timestamp is not matching with NTP synchronized system time

The timestamp reported for packet arrival in NetFlow records will be inaccurate due to a synchronization issue with NTP.


The optical power of an interface may take almost 3 mins to reduce after issuing "request system reboot at now" on QFX5110/5120

On QFX5110/5120, an optical interface such as 1G/10G SFP/SFP+ may take almost 3 mins to reduce the tx power to "0" on the other end of the interface after the "request system reboot at now" command is issued.


Traffic might be sent on the standby link of AE bundle and get lost with LACP fast-failover enabled

On all Junos platforms, if Link Aggregation Control Protocol (LACP) fast-failover is enabled, the same weight might be installed for both active and standby links of the Aggregated Ethernet (AE) bundle. Due to this issue, the traffic will be sent on both active and standby links, leading to traffic loss on the standby link.


Outer VLAN tag may not be pushed in the egress VXLAN traffic towards the host for QinQ scenario

In an EVPN-VXLAN with QinQ scenario, if the "encapsulate-inner-vlan" knob is configured on some VXLANs but not on others, then after an interface flap or a configuration change, the switch may stop pushing the outer VLAN tag towards the host.


SRLG entry shows Unknown after removing it from configuration in show mpls lsp extensive output or show mpls srlg. Shows Unknown-0xXX (XX will vary)

After deleting srlg from an interface under protocols -> mpls or routing-options -> srlg, Unknown-0xXX (XX will vary) can be seen in the output of show mpls srlg and under show mpls lsp extensive for previously configured LSPs. There is no known impact due to these Unknown entries.


IPv6 neighbor solicitation packets getting dropped on PTX

In an IPv6 scenario on PTX platforms (including PTX3K/5K with FPC3, PTX1K, PTX10K), when a parity error caused by a hardware error occurs on the FPC, the neighbor solicitation (NS) packets might get dropped. This will cause IPv6 neighbor discovery failure, and no relevant alarms or logs are reported during the issue.


The P2MP LSP branch traffic might be dropped for a while when the Sender PE is doing switchover

On a system with NSR enabled, if an RSVP P2MP LSP with multiple branches is used (NGMVPN is one of the typical scenarios), when one of the branches is brought down (for example, one of the receivers goes down or withdraws interest) and a switchover is then done on the ingress PE, some unexpected traffic drop might be seen for a while. The reason is that the withdrawn P2MP branch will be deleted but the backup RE could not update properly, so the LSP is down on the backup RE. After switchover is done, there is no loss seen.


The mc-ae interface may get stuck in waiting state in dual mc-ae scenario

In a dual mc-ae scenario, if an LACP active device reboots or all AEs are disabled/enabled on the device, the LACP partner and its mc-ae peer might have different partner system IDs. This causes mc-ae to get stuck in waiting state and hence impacts traffic in the network.


DHCP discover packets sent to IP addresses in the same subnet as irb interface cause the QFX5110 to send bogus traffic out of dhcp-snooping enabled interfaces

When DHCP discover packets are received with the destination MAC address of the device's irb interface, the packets are supposed to be dropped when DHCP snooping is enabled and DHCP relay and DHCP server are not configured.


The FPC/pfex crash may be observed due to DMA buffer leaking

On EX2300/EX3400/EX4300/EX4600 platforms, a DMA buffer leak may be hit when the next-hop of received traffic is not resolved, eventually causing an FPC/pfex crash if the DMA buffer is exhausted.


The dfwd crash can be seen with forwarding-class configuration in policers

When the forwarding-class is configured under firewall policer, the dfwd may crash.


The CPU utilization on a daemon might keep around 100% or backup RE might crash in race conditions

The CPU utilization on a daemon might keep around 100% or backup RE might crash in race conditions (it may get hit or triggered at times by some churn in the system, no specific trigger).


The chassisd might crash after enabling hash-key

On all Junos platforms, if hash-key is enabled under chassis, packets might be dropped due to a chassisd crash, including packets on other FPCs on which hash-key is disabled.


Mixed link-speed AE bundle could not add new sub-interface successfully

Adding a new sub-interface ae*.xxx (i.e. for new VLANs) to an existing AE bundle whose member interfaces have different speeds might fail even though the AE bundle has the knob "link-speed mixed" configured.


Commit check error for VSTP on EX9200s: "xSTP:Trying to configure too many interfaces for given protocol"

On EX9200s, when configuring too many VLANs and interfaces under VSTP a commit error might happen: "xSTP:Trying to configure too many interfaces for given protocol"


The FPC might crash when PFE memory is exhausted

The FPC might crash when PFE memory usage for a partition such as NH/DFW is high. Under low PFE memory conditions, the log "Safety Pool below 25% Contig Free Space" or "Safety Pool below 50% Contig Free Space" might be observed.


Interfaces configured with flexible-vlan-tagging might lose connectivity

On QFX5000 series platforms and related products (like ACX5K and EX4600), a port configured in service provider style (flexible-vlan-tagging) might lose connectivity over the native VLAN when additional tagged VLANs are added to it. The impact is that all the hosts' traffic over the designated native VLAN might be dropped.


Targeted-distribution for static demux interface over aggregate ether interface does not take correct lacp link status into consideration when choosing primary and backup links

The value of "lacp-port-mode" (or LACP mode on child-links of the AE bundle) is always "0", irrespective of whether LACP is turned ON or OFF on the AE bundle. The expectation is that the LACP mode (OFF/ACTIVE/PASSIVE) present on the AE bundle should be propagated to the child-links. Since the LACP mode was not propagated to child links, the Device Control Daemon (DCD) assigned the links to subscribers based only on their physical status. But there were a few links which were physically UP but LACP down, so traffic was disrupted.


The flow label is not pushed when "chained-composite-next-hop ingress l2ckt/l2vpn" is enabled

On MX platforms, in an MPLS (Multiprotocol Label Switching) l2ckt/l2vpn scenario with FAT (Flow-Aware Transport of Pseudowires) flow labels, the flow label is not pushed when "chained-composite-next-hop ingress l2ckt/l2vpn" is enabled. The issue results in a load balancing problem for the l2ckt/l2vpn service.


The "vlan all interface all" combination not working as expected under VSTP

In a VSTP scenario, if flexible vlan tagging is configured on the interface, multiple IFLs are configured for the interface, and "vlan all interface all" is configured under VSTP, not all interfaces are enabled for this protocol.


DHCP offer packets towards IRB over LT interface getting dropped in DHCP relay environment

In a DHCP relay environment, the DHCP offer packets from the server might get dropped towards IRB (Integrated Routing and Bridging) over the LT (Logical Tunnel) interface.


The bandwidth value of the DDOS-protection might cause packet loss after the device reboot

In the DDOS-protection scenario, when the aggregate bandwidth value (e.g. value A) of protocols (l3mtu-fail/ttl/ip-opt/rsvp/ldp/bgp/unknown-l2mc/rip/ospf/stp/pvstp/lldp) is configured, this bandwidth value might be reset to the default value (e.g. value B) after the device reboot or PFE restart.


One of the downstream interfaces flapped and the traffic via interface xe-2/0/38 broke

With SP style config and interface-mac-limit/mac-table-size (i.e. software learning is enabled), MACs might be stuck in pending state in BCM while adding and deleting IFLs on an IFD. Due to this, traffic will be dropped.


RIP routes are discarded by Juniper device when the next-hop field in the RIPv2 response packet contains a subnet Broadcast address

When RIPv2 neighborship is formed between a Juniper device and a RIP device from a different vendor that encodes the next-hop field of a RIP response packet with the interface IP address, RIP routes advertised by the neighbor would be discarded by the Juniper device if the interface IP address on the neighbor is configured with a /31 subnet mask. The PR fix allows for installation and propagation of RIP routes received in updates with next-hop set to the subnet broadcast address, when RIP neighborship is configured over a /31 subnet.


Restarting l2-learning might cause some remote MAC addresses to move into forwarding 'dead' state

When restarting the l2-learning (l2ald) process on MX in an EVPN/MPLS scenario, some MAC addresses might be pointed to a dead next-hop in the forwarding-table. All further MAC addresses learned using the same indirect next-hop or from the same remote PE will get rejected by the kernel too and will not be installed in the PFE anymore. This is only applicable if the routing-instance type is evpn. If the EVPN instance type is virtual-switch, there is no exposure.


PSU status keeps "Check" when power supply is disconnected

When power supply is disconnected, PSU status keeps "Check". The proper status should be "Present".


Memory leak might happen if PIM messages received over an MDT (mt- interface) in Draft-Rosen MVPN scenario

On all Junos platforms configured in the Draft-Rosen Multicast Virtual Private Network (MVPN) scenario, if Protocol Independent Multicast (PIM) messages are received over a Multicast Distribution Tree (MDT) tunnel logical interface (mt- interface), there might be a memory leak which will lead to the rpd process crash.


The chassisd is unable to power off a faulty FPC after RE switchover, leading to a chassisd restart loop

In an MX router with a faulty (e.g. hardware error) FPC (Flexible PIC Concentrator) installed, performing an RE (Routing Engine) switchover or restarting chassisd may cause a chassisd restart loop. This issue will cause complete traffic loss.


Interfaces on PTX might not come up after FPC restart or port flap

On PTX platform, FPC-P2 with 15x100GE/15x40GE/60x10GE QSFP28 PIC interfaces might take a long time to come up or some ports never come up after reboot/the chassisd process restart/FPC restart/port flap.


Traffic drop might be seen at EVPN Layer3 Gateway scenario

In an EVPN-VXLAN Layer3 Gateway scenario, when certain events occur (such as IP/VM move, VRRP switchover and so on) and a GARP (Gratuitous Address Resolution Protocol) packet is received with a source Ethernet MAC different from the inner ARP MAC, the IP Route/NH (Next-Hop) is moved into discard state in the forwarding-table. This causes traffic drop. The reason is that normally (as per design) MAC+IP is allowed to be learned only after the MAC is learned. In this scenario, however, the GARP is received before the inner MAC is learned, so the process might run in reverse order and move the ARP NH into the discard state. The fix is to drop ARP (or GARP) packets until the host/server MAC is learned. This avoids the ARP entry moving into the discard NH.


Flow control does not work as expected on 100G interface of QFX5110

On the 100G interface of QFX5110, flow control does not work as expected. As a result, QFX5110 may stop transferring traffic when receiving a pause frame on an interface with flow control disabled, or flow control does not work even though it is enabled.


EX9200 -- DHCP-Relay is stripping the 'GIADDR' field in messages towards the DHCP Clients

On EX9200 platforms configured for DHCP-Relay, the 'GIADDR' field in the DHCP Offer/Reply/Ack packets is stripped/set to '', which might cause some DHCP Clients to not accept the offered IP address. These DHCP Clients do not implement RFC-1542, which states: "A BOOTP client MUST NOT interpret the 'giaddr' field of a BOOTREPLY message to be the IP address of an IP router. A BOOTP client SHOULD completely ignore the contents of the 'giaddr' field in BOOTREPLY messages." This default behavior can be changed on the EX9200 by configuring the following hidden knob: "set forwarding-options dhcp-relay overrides allow-giaddr-towards-client" Note: this hidden knob also works in conjunction with "forward-only" option.


Enhancement of add/delete a single vlan in vlan-id-list under interface family bridge

Enhancement of add/delete a single vlan in vlan-id-list under interface family bridge.


The kernel process may crash and restart with a vmcore file created if proxy ARP and ARP suppression is enabled on EVPN instance with IRB interface

For an Ethernet VPN (EVPN) instance with an integrated routing and bridging (IRB) interface, proxy ARP and ARP suppression are enabled by default. With EVPN proxy ARP and ARP suppression enabled and 17.2Rx or 17.3Rx (x >= 3, the correlated service release is also affected), the kernel process on the primary Routing Engine (RE) may crash due to a software defect in packet handling. This is a rare issue.


Inline-keepalive might stop working for LNS subscribers if the knob "routing-services" is enabled

On MX PowerPC platforms (e.g. MX5/10/40/80/104) with the enhanced subscriber management feature enabled, if the "routing-services" knob is enabled for Layer 2 Tunneling Protocol Network Server (LNS) subscribers, the inline-keepalive feature might stop working, which leads to subscriber sessions being broken and turning into stale sessions. This is a timing issue.


The rpd might crash in OSPF scenario due to invalid memory access

In an Open Shortest Path First (OSPF) scenario, rpd might crash when trying to resolve the Forwarding Address (FA) from an OSPF LSA type 5/7. The issue is due to accessing memory bytes beyond the valid size, and occurs in rare conditions.


Detached LACP member link gets LACP State as enabled in PFE when switchover because of device reboot

If a particular set of events happens, the status of a detached LACP link may get turned on in the PFE, which may later cause blackholing of transit traffic.


The laser TX might be enabled while the interface is disabled

On EX4300 switches, when a 1G SFP is connected to a 10G port, auto-negotiation (AN) should be disabled (when enabled, it causes many issues such as ARP problems and link down). However, disabling AN somehow corrupts the TX_DISABLE field, so the laser TX remains enabled when the interface is disabled and on plug-out/plug-in.


On QFX10008 traffic impact might be seen when the JSRV interface is used

JSRV is the Juniper services interface and is used only for the dot1x or captive portal scenario. It is supported on the QFX10008 platform. Because the JSRV IFD (physical interface) shares the same port type as the IRB interface, the IRB IFD's SMAC (source MAC) might be overwritten with the JSRV IFD's SMAC. The QFX might then discard the traffic. As a workaround, disable dot1x (# set system processes dot1x-protocol disable; a reboot is needed): the JSRV interface won't come up on the switch and the traffic will recover.


The process jdhcpd may crash after issuing the command "show access-security router-advertisement-guard"

On the platforms that don't support Router Advertisement Guard (RA Guard), such as PTX, after issuing the command "show access-security router-advertisement-guard", the process jdhcpd may crash.


Major alarm log messages for temperature conditions for EX4600 at 56 degrees Celsius

EX4600 will generate a major alarm once any sensor temperature hits 56 degrees Celsius. This is incorrect behavior and can be resolved by upgrading the version of code. Note: Even though incorrect alarms are triggered, the chassis will still shut down gracefully when the "fire shutdown" threshold is hit, as seen in operational mode > show chassis temperature-thresholds.


The high CPU utilization of l2ald is seen after replacing EVPN config

The l2-learning CPU utilization might get high and remain stuck forever after switching configuration files several times between EVPN and non-EVPN (e.g. VRRP) by loading the corresponding configuration file. This happens because some of the data on the device is not cleaned up successfully when the EVPN config (virtual-switch) is removed and the Ethernet Segment Identifier (ESI) interface is configured in a non-EVPN routing-instance.


The jflow version 5 stops working after changing "input rate" value

The jflow version 5 stops working after changing the "input rate" value. No sampling packets are generated when this issue occurs. The issue clears after a system reboot.


The firewall filters might not be created due to TCAM Issues

On the EX4300 platform, if FBF filters are applied on IRB and a LAG configuration also exists on the box, the firewall filters cannot be created and do not function correctly due to TCAM programming issues.


The transit packets might be dropped if an LSP is added or changed on MX/PTX device

On MX/PTX series platforms acting as a transit router, if "set protocol mpls sensor-based-stats" and "ldp-tunneling" are used and an LSP is added or changed, part of its data structure might not be freed, which might cause the resources to be exhausted. Once the resources are exhausted, the kernel routing table (KRT) queue builds up and new routes cannot be programmed in the forwarding engine; in the end, the transit packets might be lost.


The dhcp-relay knob might not work on MX10008/MX10016 platforms

On MX10008/MX10016 platforms, if the dhcp-relay knob is enabled under the forwarding-options hierarchy, in either the default or a non-default routing-instance, the Dynamic Host Configuration Protocol (DHCP) relay feature might not work as expected. Due to this issue, none of the DHCP discovery packets can be relayed.


Intra-router PPMD[RE] to PPMAN[FPC] connection could be closed if the session timeout is greater than 3 seconds in either direction.

Optimize the session timeout of the PPMD to PPMAN connection. This improves system resiliency when the JUNOS VM temporarily freezes on a Routing Engine.


Loopback address exported into other VRF instance might not work on EX/QFX/ACX platforms

On EX/QFX/ACX platforms, the loopback address exported into other VRF instance might not work.


Interfaces might flap forever after deleting the interface disable configuration

In a rare scenario, the interface might flap forever after disabling and enabling it more than once within 12 seconds.


The SFP-T interface might not come up if the Junos is upgraded to 17.3R3-S5

On QFX5100/QFX5110/QFX5120/QFX5200/QFX5210 Series platforms, the SFP-T interface might not come up if the Junos is upgraded to 17.3R3-S5. This problem only exists on Junos 17.3R3-S5.


Configuring a new burst-size under traffic-control-profile is not taking effect

In a subscriber scenario, when a new burst-size for traffic-control-profiles (TCP) is configured under a dynamic-profile, the new burst-size does not take effect; instead, the old burst-size remains active. In a corner case, this will cause packets to drop.


MPLS LDP may still use the stale MAC of the neighbor even if the LDP neighbor's MAC changes

On EX/QFX/ACX platforms, when the MAC of an LDP neighbor changes and the IP remains the same, the ARP update is correct but MPLS LDP may still use the stale MAC of the neighbor. If there is any application/service such as MP-BGP using LDP as next-hop, all transit traffic pointing to the stale MAC will be dropped.


vgd core dumps might happen on any platforms supporting OVSDB

vgd core dumps might happen on any platforms supporting OVSDB


Config change in VLAN all option might affect the per-VLAN configuration

The VLAN-specific parameters might not be used if both the VLAN all option and VLAN-specific config are configured.


A few seconds of traffic drop might be seen towards the existing receivers when another receiver joins/leaves

With "protocol igmp-snooping" configured, if a receiver joins/leaves a group, a few seconds of traffic drop might be seen towards the existing receivers.

Modification History:
First publication 2019-09-26