17.1R3-S2: Software Release Notification for JUNOS Software Version 17.1R3-S2
NOTE
PR1463859 introduces a software defect that causes a 10GE interface to flap continuously when configured with the WAN-PHY framing with the default "hold-down" timer (0). Once you upgrade a router to an affected software release, the interface may flap continuously. This is not applicable to an interface with the default framing - LAN-PHY. [TSB17782]
PR Number | Synopsis | Category: MPC Fusion SW |
---|---|---|
1463859 | The MPC2E-NG/MPC3E-NG card with specific MIC might crash after a high rate of interface flaps |
If any of the MIC-3D-2XGE-XFP / MIC-3D-4XGE-XFP / MIC-3D-20GE-SFP-E / MIC-3D-20GE-SFP-EH / MIC-MACSEC-20GE MICs is installed in an MPC2E-NG/MPC3E-NG card, the Microkernel (uKern) might hog the CPU on the Packet Forwarding Engine (PFE) when there is a high rate of interface flaps (~30/40 flaps per second). This will eventually trigger an MPC2E-NG/MPC3E-NG card crash with an NGMPC core file. Normally, excessive interface flapping does not happen frequently in the real world, and it may be caused by the external environment. This fix reduces the impact and prevents the uKern hog under such conditions. |
PR Number | Synopsis | Category: Firewall Filter |
1473093 | Traffic might not be forwarded into the right queue but the default queue when VPLS traffic has three or more VLAN tags with VLAN priority 5 |
On the MX platform with MPC line card (except DPC line card) used, if an input firewall filter is configured at the ingress VPLS interface, the packet with a VLAN priority of 5 with three or more VLAN tags might be forwarded into the wrong queue. When this occurs, it might cause traffic loss due to congestion as all traffic is forwarded into the default queue. |
PR Number | Synopsis | Category: Express PFE L2 fwding Features |
1399369 | CPU hog may be observed on PTX/QFX10000 Series platform |
On PTX/QFX10000 series platform, CPU hog on PFC may be observed if the adaptive feature is enabled to load-balance for an AE interface. |
PR Number | Synopsis | Category: Optical Transport Interface |
1467712 | "MIC Error code: 0x1b0002" alarm might not be cleared for MIC on MPC5E when the voltage has returned to normal |
The voltage high alarm might not be cleared when voltage level comes back to normal for MIC on MPC5. |
PR Number | Synopsis | Category: FreeBSD Kernel Infrastructure |
1146891 | EX4300-48MP: 'set system ports console log-out-on-disconnect' does not work |
'set system ports console log-out-on-disconnect' does not work |
PR Number | Synopsis | Category: PTX Broadway based PFE MPLS-LSPs RSVP VPNs tcc ccc software |
1484255 | FPC might crash when dealing with invalid next-hops |
On PTX3000/PTX5000 platform with some specific FPCs, if the weights of links are set to an invalid value on an AE bundle interface or unilist (an unilist next-hop composed of several unicast next-hops), the FPC crash might be observed. It is a rare issue and the FPC will try to reload to resolve this problem. Traffic loss might be seen before the FPC completes the reload period. |
PR Number | Synopsis | Category: RPD policy options |
1357802 | Configuration commit operation after policy change causes rpd crash |
The rpd might crash during policy configuration changes. |
PR Number | Synopsis | Category: SNMP Infrastructure (snmpd, mib2d) |
1392616 | The snmpd process might crash and cause a core dump |
The snmpd process leaks memory in the SNMPv3 query path and crashes. The issue is caused by a memory leak when the request PDU is dropped by SNMP when the snmp filter-duplicates configuration is enabled. Each request PDU has a structure pointer for the SNMPv3 security details. This is allocated when the PDU is created or cloned. But while dropping the duplicate requests, the corresponding structure is not freed, which causes the memory leak. |
PR Number | Synopsis | Category: Stout PF fabric (SFB2) |
1461356 | Traffic might be impacted because the fabric hardening is stuck |
Fabric hardening (FH) is the process of controlling bandwidth degradation to prevent a traffic black hole. If an SFB/SCB fails while FH is in progress, the FH process will be stuck, which will cause traffic loss. |
PR Number | Synopsis | Category: Software build tools (packaging, makefiles, et. al.) |
1417345 | The JSU package installation may fail |
In a specific scenario, the JSU (Junos OS selective upgrade) package installation on a router which has JET (Juniper Extension Toolkit) package installed may fail due to "Operation not permitted" error. This issue does not impact service and traffic. |
PR Number | Synopsis | Category: QFX Access control list |
1026708 | EX4300/EX4600/QFX3500/QFX5100 Series: Stateless IP firewall filter may fail to evaluate certain packets (CVE-2020-1604) |
On EX4300, EX4600, QFX3500, and QFX5100 Series, a vulnerability in the IP firewall filter component may cause the firewall filter evaluation of certain packets to fail. Refer to https://kb.juniper.net/JSA10983 for more information. |
1458027 | Junos OS: EX4300/EX4600/QFX3500/QFX5100 Series: Stateless IP firewall filter may fail to evaluate certain packets (CVE-2020-1604) |
On EX4300, EX4600, QFX3500, and QFX5100 Series, a vulnerability in the IP firewall filter component may cause the firewall filter evaluation of certain packets to fail. Refer to https://kb.juniper.net/JSA10983 for more information. |
PR Number | Synopsis | Category: BBE network stack related issues |
1432957 | Junos OS: MX Series: In BBE configurations, receipt of a specific MPLS or IPv6 packet causes a Denial of Service |
Receipt of a specific MPLS or IPv6 packet on the core facing interface of an MX Series device configured for Broadband Edge (BBE) service may trigger a kernel crash (vmcore), causing the device to reboot. Please refer to https://kb.juniper.net/JSA10987 for more details. |
PR Number | Synopsis | Category: Bi Directional Forwarding Detection (BFD) |
1354409 | AE interface and BFD session remain down after interface disable/enable |
With Bidirectional Forwarding Detection (BFD) configured on an aggregated Ethernet interface, if you disable/enable the aggregated Ethernet interface, then that interface and the BFD session might not come up. |
PR Number | Synopsis | Category: Border Gateway Protocol |
1351639 | The rpd crashes in JunOS 16.1 or higher during BGP convergence |
In JunOS 16.1 or higher, during BGP convergence, the input/output thread constructs the outgoing BGP PDU and manipulates the path attributes before handing off the data to the socket. If this PDU length is zero, it triggers an assertion and the routing protocol daemon restarts. |
1487691 | High CPU utilization might be observed when the outgoing BGP updates are sending slowly |
On all Junos platforms with BGP scenario, the rpd process might go into high CPU utilization if there are a few BGP peers that are sending the updates slowly. The high CPU utilization of the BGP IO thread (bgpio, it is part of the rpd daemon) happens when the outgoing BGP update queue is full. This defect could cause a slow BGP network convergence problem. (See also https://kb.juniper.net/TSB17725) |
PR Number | Synopsis | Category: BBE Remote Access Server |
1402653 | The '%USER-3-DH_SVC_DUPLICATE_IPADDR_ERR' errors might be seen when subscribers login and the address pools have few addresses freed |
The authd reuses address too quickly before jdhcpd completely cleans up the old subscriber, which results in syslog errors: jdhcpd: %USER-3-DH_SVC_DUPLICATE_IPADDR_ERR: Failed to add 10.1.128.3 as it is already used by 1815. |
1449064 | Subscribers login fails when PCRF server is unreachable |
In Gx-Plus for Provisioning Subscribers scenario, when the PCRF (Policy and Charging Rules Function) server is unreachable or the diameter protocol is down, the subscriber login might fail to successfully establish a session or the subscribers might fail to bind a service policy by Gx-Plus after the PCRF Server connectivity is restored. |
PR Number | Synopsis | Category: PTX Express ASIC interface |
1340612 | Link goes down on PTX3000/PTX5000 with FPC3 inserted after router reboot or link flap |
On PTX3000/PTX5000 with FPC3 inserted, sometimes if there is a router reboot or link flap, DFE tuning (link training) might end up with port staying down. |
PR Number | Synopsis | Category: Interface Information Display |
1269229 | After MACsec link flaps, traffic forwarding across the MACsec link might not be received |
After the MACsec session flaps, data traffic sent over the MACsec-enabled link might not be properly received and the receiving device might report the received frames as "framing errors" in the output of show interfaces command. |
PR Number | Synopsis | Category: mc-ae interface |
1447693 | The l2ald might fail to update composite NH |
This is a timing issue in which l2ald receives the underlay NH from rpd as part of LSI IFF ADD (VPLS core NH) and creates the flood NH. Due to an LSI flap on switchover, l2ald receives multiple LSI IFF Add and Delete in some order. In some sequences, rpd deletes the underlay NH from the kernel forwarding table, but l2ald still creates the flood NH with this underlay NH because the IFF delete has yet to be received at l2ald, so l2ald might fail to update the composite NH. This is a generic L2 issue and can happen without mc-ae. |
PR Number | Synopsis | Category: Multiprotocol Label Switching |
1460283 | Previously configured credibility preference is not considered by CSPF despite the configuration being deleted or changed to prefer another protocol in TED |
After the credibility is configured, the new credibility preference value is stored internally, and it is not cleared or considered by the CSPF module if the previous configuration of "traffic-engineering credibility-protocol-preference" was deleted or if you configure "traffic-engineering credibility-protocol-preference" under another protocol (for example, ISIS) |
PR Number | Synopsis | Category: OS IPv4/ARP/ICMPv4 |
1442815 | ARP resolution might fail after ARP HOLD NHs are added and deleted continuously |
ARP (Address Resolution Protocol) address resolution might fail after ARP HOLD NHs (next-hop) are getting added and deleted from ARP entries continuously. |
PR Number | Synopsis | Category: "ifstate" infrastructure |
1379657 | Protocol adjacency might flap and FPC might reboot if jlock hog happens. |
On all platforms in a scaling scenario, if operations that cause a jlock hog are performed, protocol adjacencies might flap and all the FPCs might reboot. |
PR Number | Synopsis | Category: JUNOS Network App Infrastructure (for ping, traceroute, etc) |
1463622 | The cosmetic error messages of NTP time synchronization might be seen during device booting |
In the NTP boot-server scenario, when the router or switch boots, the NTP daemon sends an ntpdate request to poll the configured NTP boot-server to determine the local date and time. If ntpdate is not activated correctly while the device is booting, ntpdate might not work successfully. Some cosmetic time synchronization error messages might then be seen, but there is no impact on the time update because the NTP daemon will update the time eventually. |
PR Number | Synopsis | Category: IPSEC functionality on M/MX/T ser |
1444183 | The kmd process might crash and restart with a kmd core file created if IP of NAT mapping address for IPsec-VPN remote peer is changed. |
The kmd (Key Manager Daemon) process is mainly responsible for IPsec key negotiation. When IPsec-VPN peers enable Network Address Translation-Traversal (NAT-T) and establish an IKE SA (IPsec security associations) with a Dynamic Endpoint (DEP) tunnel through the intermediate NAT device, the kmd might crash when the IP of the NAT mapping for the IPsec-VPN remote peer is changed. The kmd crash may result in IPsec traffic loss. When kmd crashes, established IPsec tunnels are not affected unless an IPsec SA renegotiation happens to take place while kmd is restarting. A new IPsec tunnel cannot be established until kmd comes back up automatically. In rare cases, the kmd will restart, but it may crash again. |
PR Number | Synopsis | Category: Generic platform and infra issues for MS-MIC and MS-MPC(XLP) |
1102367 | MS-MIC, MS-MPC might generate coredump upon receiving fragmented traffic |
On MX Series routers where MS-MIC or MS-MPC is inserted, certain combinations of fragmented packets might lead to an MS-MIC or MS-MPC coredump. |
PR Number | Synopsis | Category: MPC7/8/9 Interface Issues |
1441816 | Egress stream flush failure and traffic blackhole might occur |
Egress stream flush failure and silent dropping of traffic could occur in a rare occasion for a repeatedly flapping link on MPC7E, MPC8E, and MPC9E cards. |
PR Number | Synopsis | Category: Configuration management, ffp, load action |
1356218 | Commit check error seen while using config private mode on device with openconfig package |
Commit check error can be seen while using config private mode on device with openconfig package |
PR Number | Synopsis | Category: UI Infrastructure - mgd, DAX API, DDL/ODL |
1415042 | The user might not be able to enter configure mode because mgd is in lockf status |
If "commit confirmed " is executed, then issuing another "commit" or "commit confirmed " after around the minutes, in race condition, a rollback might be hit. At last, it may cause the mgd process to enter and to stay in lockf status. Thus, the user might not enter configure mode anymore. |
PR Number | Synopsis | Category: Virtual Private Networks - rpd |
1356763 | Junos OS: The routing protocol process (rpd) may crash and generate core files upon receipt of specific valid BGP states from a peered host. (CVE-2019-0059) |
A memory leak vulnerability in the of Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) to the device by sending specific co |