16.1R7-S8: Software Release Notification for JUNOS Software Version 16.1R7-S8

Junos Software service Release version 16.1R7-S8 is now available. JUNOS software version 16.1R7 reaches end of engineering (EOE) on 2020-07-28 and end of support (EOS) on 2021-01-28

Junos Software service Release version 16.1R7-S8 is now available.

16.1R7-S8 - List of Fixed issues

PR Number	Synopsis	Category: Mojito PFE
1480706	Junos OS: EX Series, QFX Series, MX Series, SRX Branch Series: Memory leak in packet forwarding engine due to 802.1X authenticator port interface flaps (CVE-2021-0215) Product-Group=junos	On Juniper Networks Junos EX series, QFX Series, MX Series, and SRX branch series devices, a memory leak occurs every time the 802.1X authenticator port interface flaps which can lead to other processes, such as the pfex process, responsible for packet forwarding, to crash and restart. Refer to https://kb.juniper.net/JSA11105 for more information.
PR Number	Synopsis	Category: All issues related to QFX PFE CoS
1510365	Traffic might be forwarded to the incorrect queue when a fixed classifier is used. Product-Group=junos	If L2 access or vlan bridge IFL is created after fixed classifier is applied, the traffic matching the fixed classifier might be forwarded in unexpected queue, it might cause congestion unexpectedly hence there is traffic impact.
PR Number	Synopsis	Category: PFE L2
1491669	Junos OS: EX and QFX5K Series: Storm Control does not work as expected when Redundant Trunk Group is configured (CVE-2021-0203) Product-Group=junos	On Juniper Networks EX and QFX5K Series platforms configured with Redundant Trunk Group (RTG), Storm Control profile applied on the RTG interface might not take affect when it reaches the threshold condition. Refer to https://kb.juniper.net/JSA11093 for more information.
PR Number	Synopsis	Category: Border Gateway Protocol
1497721	Receipt of certain genuine BGP packets from any BGP Speaker causes RPD to crash. Product-Group=junos	An improper use of a validation framework when processing incoming genuine BGP packets within Juniper Networks RPD (routing protocols process) daemon allows an attacker to crash RPD thereby causing a Denial of Service (DoS) condition. Refer to https://kb.juniper.net/JSA11024 for more information.
PR Number	Synopsis	Category: functionality related to Broadband Remote Access Server
1502274	MX Series platforms are not compliant with RFC 2868 and sending RADIUS access request includes tunnel assignment ID for LTS client. Product-Group=junos	In LTS (L2TP Tunnel Switch) scenario when the MX sending the access-request to the RADIUS (Remote Access Dial-In User Service) for the LTS client, it incorrectly includes the Tunnel-Assignment-ID which is not compliant with RFC 2868. It results in the RADIUS reject the access-request and the LTS client authentification fails.
PR Number	Synopsis	Category: MX Platform SW - Environment Monitoring
1395539	The minor alarm of "Bottom Fan Tray Pred Fail" might be wrongly raised when the fan speed is at high speed on MX960 Product-Group=junos	On the MX960 a check of the "actual" fan speed is compared to the "set" fan speed. If the difference between the actual fan speed and the set fan speed is greater than 20% the system uses this to predict that the fan might be about to fail. When the fans are set to run in high speed mode, some deviation from the set fan speed is expected to occur with the fans and it is expected to sometimes see a deviation greater than 20%. Going forward this 20% tolerance check will be disabled while running in high speed mode.
PR Number	Synopsis	Category: PTX Chassis Manager
1380056	Remove the chassisd alarms for FPCs exceeding 90 percent of power budget and exeeding 100 percent of power budget Product-Group=junos	Starting in Junos OS Release with this change, PTX Series Routers do not raise a chassis alarm in the following events; instead, it registers a system log.
PR Number	Synopsis	Category: Tracking sw issues related to Channelized 4xOC3/1xOC-12 Mic
1396538	On MX Series platforms, if the channelized OC MIC (such as, 1xCOC12/4xCOC3 CH-CE) is used, the MPC/AFEB/TFEB (Forwarding Engine Board) might crash, generating core files. This is not easily reproducible. The traffic through the MIC might be impacted. Product-Group=junos	On MX Series platforms, if channelized OC MIC (such as 1xCOC12/4xCOC3 CH-CE) is used, the MPC card/AFEB/TFEB (Forwarding Engine Board) might crash with core files generated. This is not easily reproducible. The traffic through the MIC would be impacted.
1420983	The FPC CPU might be hogged if channelized interfaces are configured Product-Group=junos	On MX Series platform, with 1xCOC12 or 4XCOC3 used, if channelized interfaces are configured, FPC CPU overuse might be seen.
PR Number	Synopsis	Category: OpenSSL and related subsystems
1479780	OpenSSL Security Advisory [20 Dec 2019] Product-Group=junos	The OpenSSL project has published a security advisory for a vulnerability resolved in the OpenSSL library on December 20, 2019. Refer to https://kb.juniper.net/JSA11025 for more information.
PR Number	Synopsis	Category: Device Configuration Daemon
1350192	The link-degrade-monitor configuration might cause the commit sync failure on backup RE Product-Group=junos	On Junos platform along with redundant Routing Engine, if both link-degrade-monitor and any other configurations are configured on a port, commit synchronize might fail on the backup RE. If this occurs, the configuration might be lost after switchover and thus it might cause traffic loss.
PR Number	Synopsis	Category: Express PFE CoS Features
1347805	QFX10000 platforms might encounter a chassis alarm indicating "FPC 0 Major Errors - PE Error code: 0x2100ba". Product-Group=junos	QFX10000 platforms may encounter a chassis alarm indicating "FPC 0 Major Errors - PE Error code: 0x2100ba". This error is incorrectly categorized as 'Major' and it can be safely ignored unless it is encountered with high frequency. Future Junos releases will recategorize this message to "Info" severity.
PR Number	Synopsis	Category: Express PFE Services including JTI, TOE, HostPath, Jflow
1431498	IPFIX Flow timestamp is not matching with NTP synchronized system time Product-Group=junos	The timestamp reported for packet arrival in NetFlow records will report inaccurate time due to the synchronization issue with NTP.
PR Number	Synopsis	Category: gladiator fabric
1283553	The PTX SPMB might crash after the FPC replacement followed by a SIB restart Product-Group=junos	Due to a bug in microkernel of Switch Processor Mezzanine Board (SPMB) in PTX Control Board, the SPMB might crash after the FPC replacement followed by a Switch Interface Board (SIB) restart. The crash could cause all SIBs restart, which in turn could result in outage or traffic black hole.
PR Number	Synopsis	Category: PRs for AE/AS/Container on the kernel side
1474300	A newly added LAG member interface might forward traffic even though its micro BFD session is down. Product-Group=junos	On all Junos platforms, if a static Link Aggregate Group (LAG) is configured, and Bidirectional Forwarding Detection (BFD) is enabled on the LAG which is also called as micro BFD, a newly added member link might start to forward traffic immediately when the configuration change commits even though its micro BFD session is still down, for example, add a new member interface only on single end, and the remote member interface is disabled or not added. Therefore, traffic loss might be seen due to this issue.
PR Number	Synopsis	Category: jdhcpd daemon
1432162	The jdhcpd memory leak might happen on MX5, MX10, MX40, MX80, and MX104 when testing DHCP subscribers log-in/out. Product-Group=junos	On MX5/MX10/MX40/MX80/MX104 Series platforms with DHCP server configuration for DHCP subscribers, the jdhcpd memory leak might happen and the memory increase by 15MB which depends on the number of subscribers when testing the DHCP subscribers log-in/out.
PR Number	Synopsis	Category: slt security platform jweb support
1499280	Security vulnerability in J-Web and Web-based (HTTP/HTTPS) services is observed. Product-Group=junos	Junos OS: Security vulnerability in J-Web and web-based (HTTP/HTTPS) services (CVE-2020-1631). Refer to https://kb.juniper.net/JSA11021 for more information.
PR Number	Synopsis	Category: Layer 2 Circuit issues
1498040	VPNs The l2circuit neighbor might be stuck in RD state at one end of the MC-LAG peer. Product-Group=junos	In MC-LAG scenario, if the l2circuit is configured with primary-neighbor/backup-neighbor over the MC-LAG link and the l2ckt (l2ciruits control daemon for pseudowire) session of the primary-neighbor/backup-neighbor is flapped continuously (such as clear neighbor ldp and ospf etc), one of the remote neighbors may be stuck in RD (the remote pseudowire neighbor is down) state due to race condition between VC (virtual circuit) state update timer and L2ckt intf state change timer. Then, that pseudowire might be down, the traffic might be impacted if the RD pseudowire is not up.
PR Number	Synopsis	Category: Label Distribution Protocol
1436119	Traffic loss might be seen after the LDP session flaps rapidly. Product-Group=junos	On MX/PTX platforms under BGP scenario with LDP is enabled, if the knob "ecmp-fast-reroute"/"protect core" is configured, after the LDP session rapidly flaps and converges without any label change, traffic loss might be seen.
PR Number	Synopsis	Category: Port-based link layer security services and protocols that a
1503010	The replay protection window size is wrongly set if replay-protect for MACsec is enabled with replay-window-size value set to zero Product-Group=junos	If replay-protect for MACsec is enabled with replay-window-size value set to zero, the size of the replay protection window is wrongly set to max window size.
PR Number	Synopsis	Category: Bugs related to ethernet interface on MX platform
1367224	I2C error logs are seen when configuring wavelength on tunable SFP+. Product-Group=junos	I2C error logs are seen when configuring wavelength on tunable SFP+
PR Number	Synopsis	Category: MX104 Software - Chassis Daemon
1279339	On MX104 platform with GRES enabled, the chassis network-services might not get set as "Enhanced-IP" Product-Group=junos	On MX104 platform with graceful routing engine switchover (GRES) enabled. The chassis network-services might not get set as "Enhanced-IP" though it is specifically configured. "Disable GRES, then config enhanced-ip" is a workaround for this issue.
PR Number	Synopsis	Category: Kernel Composite Next Hop (composite / l3vpn) Infrastructure
1287956	Not following the guideline of rebooting entire chassis after changing chassis network-services configuration can cause vmcore and crash of FPCs/routing-engines on chassis. Product-Group=junos	When configuration at hierarchy [edit chassis network-services] is changed a reboot of chassis is needed to avoid any unexpected behavior. One such behaviour is an assert condition due to issues in nexthop allocation leading to vmcore and reboot of FPCs/REs on the chassis. This PR introduces changes to handle such assert conditions gracefully and to avoid FPC/RE crash. The guideline of rebooting the entire chassis when configuration change is made is still valid.
PR Number	Synopsis	Category: Kernel-only Base FreeBSD Infrastructure
1453683	FreeBSD-SA-19:20.bsnmp : Insufficient message length validation in bsnmp library (CVE-2019-5610) Product-Group=junos	The bsnmp software library is a SNMP (Simple Network Management Protocol) implementation included with Juniper Networks Junos OS for the snmpd process. A programming error allows a remote user to read unrelated data or trigger a snmpd process crash. Refer to https://kb.juniper.net/JSA11047 for more information.
PR Number	Synopsis	Category: Category for ifstate infrastructure issues
1486161	Kernel core might be seen if deleting an ifstate Product-Group=junos	On all Junos OS platforms, some operations such as configuration change might cause the state information to change and eventually cause the ifstate to be deleted. In a very rare case, deleting an ifstate (kernel state) might cause kernel core and Routing Engine restart. There is no specific trigger. This issue is reported by the configuration change.
PR Number	Synopsis	Category: Kernel MPLS / Tag / P2MP Infrastructure
1493053	The backup RE may crash if an indirect next-hop is sent by the master RE without associated sgid. Product-Group=junos	The backup Routing Engine might crash unexpectedly due to a rare timing issue during a route churn in the network.
PR Number	Synopsis	Category: JUNOS Network App Infrastructure (for ping, traceroute, etc)
1502386	Arbitrary code execution vulnerability in telnet server (CVE-2020-10188). Product-Group=junos	A vulnerability in the telnetd Telnet server allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions. Refer to https://kb.juniper.net/JSA11057 for more information.
PR Number	Synopsis	Category: This PR category is for tracking only TCP/UDPtransport layer
1449664	FPC might reboot with vmcore due to memory leak. Product-Group=junos	On all Junos platforms, if the device is up for a long period (e.g. several weeks or months), there might be a slow memory leak happening in some error scenarios where an application tries to send some data on a stale TCP socket (e.g. short-lived TCP connections used by the mgd process), and this issue might lead to FPC reboot with vmcore files.
PR Number	Synopsis	Category: Kernel Tunnel Interface Infrastructure
1470667	The GRE tunnel might go down in the scenario with IPv4 and IPv6 IPsec service configured Product-Group=junos	On all Junos platforms running with Generic Routing Encapsulation (GRE) tunnel, if there is also IPv4 and IPv6 IP security (IPsec) service configured, in a corner case, IPsec deferred packet queuing might cause a deferred packet (e.g. a deferred IPv6 packet) to be sent over the same GRE logical interface on which a different packet (e.g. an IPv4 packet) is already being processed, the GRE tunnel might go down due to GRE interface loop detection. This is a timing issue.
PR Number	Synopsis	Category: OSPF routing protocol
1385014	The rpd process crashes when executing specific show ospf interface commands from the CLI with the configured OSPF authentication. Product-Group=junos	Execution of the "show ospf interface extensive" or "show ospf interface detail" CLI commands on a Juniper Networks device running Junos OS may cause the routing protocols process (RPD) to crash and restart if OSPF interface authentication is configured, leading to a Denial of Service (DoS). By continuously executing the same CLI commands, a local attacker can repeatedly crash the RPD process causing a sustained Denial of Service. Refer to https://kb.juniper.net/JSA11030 for more information.
PR Number	Synopsis	Category: Express Paradise PFE L3 Features
1251154	An FPC major alarm might be seen with error messages "DLU: ilp memory cache error" and "DLU: ilp prot1 detected_imem_even error" Product-Group=junos	On PTX platforms with FPC3, PTX1000 with build-in chassis and QFX10000 platforms, a Flexible PIC Concentrator (FPC) major alarm might be seen if the system detects parity error, and the error messages "DLU: ilp memory cache error" and "DLU: ilp prot1 detected_imem_even error" might appear. The alarm might be cleared without intervention. This error may also be accompanied by traffic loss.
PR Number	Synopsis	Category: Path computation client daemon
1472825	Manually configured ERO on NS controller lost when PCEP session bounced Product-Group=junos	On all Junos platform with Path Computation Element Protocol (PCEP) enabled, if PCEP session bounced druing Routing Engine (RE) switchover on a LSP ingress router, unexpacted delete message might be sent from Path Computation Client (PCC) to Path Computation Element (PCE) with North Star (NS) controller. In the end, manually configured explicit route object (ERO) for RSVP-TE based label switched path (LSP) on NS controller will be lost. However, traffic go through ERO set on NS controller is still normal.
PR Number	Synopsis	Category: PTX5KBroadway based PFE IPv4, IPv6 software
1479789	Multicast routes add or delete events might cause adjacency and LSPs to go down. Product-Group=junos	In PTX5000 platform with (FPC2-PTX-P1A \| FPC-PTX-P1A), or PTX3000 with FPC-SFF-PTX-P1-A, with PIM/MVPN scenario, The adjacency relationships of routing protocols and LSPs might go down if add/delete some multicast routes (which can be achieved by flapping interface or protocol) ). It is because that though the routes are deleted, its counter for statistic will not be removed from Junos resulting in memory block for counter exhaustion. And due to the exhaustion, any protocols that are sharing the same memory scope might fail to allocate its own counter, which eventually causes protocol adjacency and LSPs to go down. [TSB17747]
PR Number	Synopsis	Category: Periodic Packet Management Daemon
1448670	The connection between ppmd (Routing Engine) and ppman (FPC) might get lost due to session time out. Product-Group=junos	Under certain circumstances such as JUNOS VM freeze at the Routing Engine, ppmd to ppman connection might be closed if the session timeout is greater than 3 seconds in either direction. This might lead to flapping of distributed ppm protocol adjacency such as lacp/mBFD.
PR Number	Synopsis	Category: Issues related to Junos SNMP Infrastructure (snmpd, mib2d)
1364001	SNMP process crashes during polling CFM stats Product-Group=junos	During polling Ethernet Connectivity Fault Management protocols stats SNMP process may crash
PR Number	Synopsis	Category: Generic platform and infra issues for MS-MIC and MS-MPC(XLP)
1405917	The FPC crash might be observed in MS-MPC HA environment Product-Group=junos	On MX Series platform with MS-MPC card used, in race condition, if the MS-MPC is used on HA (High Availability) scenario ( the 'set interfaces ms-x/x/x redundancy-options redundancy-peer/redundancy-local' knob and GRES is configured), the FPC might crash due to the bus error (segmentation fault). The reason is that two CPUs simultaneously access the same session-extension memory in the session structure, one for writing, the other for reading. A reading CPU gets an incorrect value and uses that as the memory address. This causes the bus error (segmentation fault).
1441517	Junos OS: MX Series: MS-MPC/MIC might crash when processing malformed IPv6 packet in NAT64 configuration. (CVE-2020-1680) Product-Group=junos	On Juniper Networks MX Series with MS-MIC or MS-MPC card configured with NAT64 configuration, receipt of a malformed IPv6 packet may crash the MS-PIC component on MS-MIC or MS-MPC. This issue occurs when a multiservice card is translating the malformed IPv6 packet to IPv4 packet. Refer to https://kb.juniper.net/JSA11077 for more information.
1489942	Prolonged flow control might occur with MS-MPC or MS-MIC. Product-Group=junos	On MX platforms with MS-MPC/MS-MIC, datapath is getting blocked due to incorrect handling of fragment packets with payload size 0. When the datapath is blocked for more than 5 seconds, it is identified as Prolonged flow control, and the pic is rebooted. Core dump is generated if dump-on-flow-control is enabled.
PR Number	Synopsis	Category: platform related PRs on SRX branch platforms
1289649	Junos OS: SRX and NFX Series: Insufficient Web API private key protection (CVE-2020-1688) Product-Group=junos	On Juniper Networks SRX Series and NFX Series, a local authenticated user with access to the shell may obtain the Web API service private key that is used to provide encrypted communication between the Juniper device and the authenticator services. Exploitation of this vulnerability may allow an attacker to decrypt the communications between the Juniper device and the authenticator service. Refer to https://kb.juniper.net/JSA11085 for more information.
PR Number	Synopsis	Category: Issues related to mgd, DAX API, DDL/ODL infrastructure, Juno
1423500	Configuration commit might fail when the file system gets into full state. Product-Group=junos	On all platforms running Junos OS, when the file system gets into the Full state and there is not enough spare disk space, it might get into a problematic system condition while committing the configuration. After that, if the consecutive commits are still done in such a problematic condition, commit-check failure logs might be seen eventually. Due to this issue, some processes might not run even if the configuration is present.

16.1R7-S8 - List of Known issues

PR Number	Synopsis	Category: ESWD
1192520	GARPs are being sent from the switch once in every 10 minutes. Product-Group=junos	GARPs were being sent whenever there was a MAC (fdb) operation (add or delete). This is now updated to send GARP when the interface is up and l3 interface attached to the VLAN.
PR Number	Synopsis	Category: All issues related to L3 data-plane/forwarding
1443507	IPv6 connectivity between MC-LAG peers might fail when multiple IRB interfaces are present. Product-Group=junos	On all Junos platforms which are enabled with MultiChassis Link Aggregation Group (MC-LAG), if there are multiple Integrated Routing and Bridging (IRB) interfaces present, and the Inter Chassis Link (ICL) is also connected over an IRB interface, when both MC-LAG peers have not learnt link-local addresses and IPv6 ping is firstly initiated from the remote peer, the Neighbor Solicitation (NS) packet might take ICL path and couldn't get answered properly.
PR Number	Synopsis	Category: agentd software daemon
1248813	"telemetry_start_polling_fd: evSelectFD failed, errno: 9" messages are continuously seen in the log Product-Group=junos	The error messages "Telemetry_start_polling_fd: evSelectFD failed, errno: 9" are continuously seen in logs. These are cosmetic logs and harmless. As a workaround, configure "set system processes SDN-Telemetry disable" and "deactivate groups junos-defaults routing-options enable-sensors" if telemetry is indeed not needed/configured to prevent the issue of error logs.
PR Number	Synopsis	Category: PRs related to Aloha SW
1454595	The 100-Gigabit Ethernet interfaces might not come up again after going down on MPC3E-NG. Product-Group=junos	On MPC3E-NG cards with 100G interface in use, if the interface detects Loss of Lock (LOL) on the link without Loss of Signal (LOS), the interface will go down and may not come up again after the link is recovered.
PR Number	Synopsis	Category: Border Gateway Protocol
600308	JUNOS BGP Established state is not shown in "show bgp summary" if only master routing instance is present Product-Group=junos	When only the default routing-instance is present, the command "show bgp summary" does not show the BGP ESTABLISH state. If the BGP state is not an ESTABLISHED state, then it shows the state as design (that is, Active, Idle, Connect). If there is a routing-instance configured (apart from master routing-instance inet.0), the BGP ESTABLISH state is shown properly. The issue happens for IPv4 BGP sessions only; on IPv6 all the BGP states are seen as default.
1403186	All the BGP session flap after RE switchover Product-Group=junos	With GRES and NSR enabled, if executing RE switchover, BGP session might flap in some scenario. When Junos version have the fix of PR-1440694, BGP session always flap after doing RE switchover.
1447601	On the MX2000 and PTX10000 lines of devices , Layer 3 VPN PE-CE link protection exhibits unexpected behavior. Product-Group=junos	In L3VPN PE-CE link protection scenario with MX2K/PTX10K platforms, the external and internal BGP (EIBGP) multipath route might be advertised with an unexpected VPN label if IBGP backup path is present. When the backup IBGP path goes away, it will get the correct VPN label like other routes.
1487486	The rpd might crash with BGP RPKI enabled in a race condition Product-Group=junos	On all Junos platforms with BGP PRKI (Resource Public Key Infrastructure) scenario, if NSR is enabled and scale routes and ROAs exist, in a very rare case, the ROA (route origin authorization) might be withdrawn before replicating to the backup RE when ROA changes happen, which results in the rpd crash.
1517498	The rpd might crash after deleting and re-adding a BGP neighbor. Product-Group=junos	In BGP scenario on all Junos platforms, after deleting and re-adding a BGP neighbor, the rpd might crash due to a rare timing issue.
1523075	The BGP session with VRRP virtual address might not come up after a flap. Product-Group=junos	When VRRP virtual address is configured and used to set up a BGP session with the remote side, under rare timing conditions, BGP peer establishment may get rejected repetitively.
PR Number	Synopsis	Category: Cassis pfe microcode software
1298161	In some MX Series deployments running Junos OS, the following random syslog messages are observed for FPCs: fpcx ppe_img_ucode_redistribute Failed to evict needed instr to GUMEM - xxx left. These messages might not have a service impact. These messages are addressed as INFO level messages. On a Packet Forwarding Engine, there are dedicated UMEM and shared GUMEM memory blocks. This informational message indicates some evicting events between UMEN and GUMEN and can be safely ignored. Product-Group=junos	In some MX Series deployments running Junos OS, random syslog messages are observed for FPC cards: "fpcx ppe_img_ucode_redistribute Failed to evict needed instr to GUMEM - xxx left". These messages are not an issue and might not have a service impact. These messages will addressed as INFO level messages. On a Packet Forwarding Engine, there are dedicated UMEM and shared GUMEM memory blocks. This informational message indicates some evicting events between UMEN and GUMEN and can be safely ignored.
1303489	The following error message is observed: DROP protect_regs error (status=0x8). Product-Group=junos	Due to parity error in queue memory a major alarm and following messages are generated: messages log: fpcx XQCHIP(46):XQ-chip[0]: DROP protect_regs error (status=0x8) alarmd[3158]: Alarm set: FPC color=RED, class=CHASSIS, reason=FPC x Major Errors Major alarm set, FPC x Major Errors fpcx XQCHIP(46):XQ-chip[0]: DROP protect_regs error (status=0x8). - This message with status 0x8 has no service impact. - PR/1481558 has perform software changes and move the severity from Major to Minor. - FPC restart is needed to clear off this alarm, otherwise this error message will be generated every 60 seconds.
1380566	FPC Errors might be seen in subscriber scenario Product-Group=junos	In subscriber scenario, if the"service-accounting-deferred" is configured on dynamic-profile, and there is multicast to a large number of destinations on the same physical port, the FPC Errors might be seen.
PR Number	Synopsis	Category: Enhanced Broadband Edge support for cos
1407480	FPC may crash shortly after XQ chip memory read failure Product-Group=junos	In a rare scenario XQ based FPC may reset shortly after it encounters XQ chip memory read failure.
PR Number	Synopsis	Category: QFX Access Control related
1515972	"dot1x" memory leak Product-Group=junos	Memory leak is seen in 'dot1xd' daemon when no 'dot1x' is configured. Memory leak is seen for the allocation while creating socket from 'dot1xd' daemon to 'authd' daemon. If 'authd' is not running , 'dot1xd' daemon tries to connect to 'authd' periodically and every time it was allocating memory for string "/var/run/authd_control" for socket creation. The memory does not free in this scenario and we see memory leak for string "/var/run/authd_control". There will be no service impact to other services/daemons other than dot1x.
PR Number	Synopsis	Category: OpenSSH and related subsystems
1508253	Junos OS: SRX Series: Integrated User Firewall OpenLDAP vulnerability resolved (CVE-2019-13565) Product-Group=junos	A vulnerability that allows an unauthenticated remote attacker to obtain access that would otherwise be denied in the Simple Authentication and Security Layer (SASL) implementation that is part of the OpenLDAP third party software package has been resolved in Juniper Networks SRX Series configured with Integrated User Firewall. Refer to https://kb.juniper.net/JSA11088 for more information.
PR Number	Synopsis	Category: Device Configuration Daemon
1519334	Buffer overflow vulnerability in a device control daemon is observed. Product-Group=junos	A stack buffer overflow vulnerability in the device control daemon (DCD) on Juniper Networks Junos OS allows a low privilege local user to create a Denial of Service (DoS) against the daemon or execute arbitrary code in the system with root privilege. Please refer to https://kb.juniper.net/JSA11061 for more information.
PR Number	Synopsis	Category: This is for all defects raised against dns-proxy feature
1168322	Junos OS: SRX Branch Series and vSRX Series: Multiple vulnerabilities in ISC BIND named. (CVE-2016-1285, CVE-2016-1286) Product-Group=junos	ISC BIND software included with Junos OS on SRX Branch Series and vSRX devices has been upgraded to resolve multiple vulnerabilities. These issues are only applicable to SRX Branch Series and vSRX Series with DNS Proxy server enabled. Refer to https://kb.juniper.net/JSA10994 for more information.
PR Number	Synopsis	Category: JUNOS Dynamic Profile Configuration Infrastructure
1258744	The device control process (dcd) crashes during the ATM-related configuration commit. Product-Group=junos	In a subscriber service environment, the device control process (dcd) might restart unexpectedly during commit process after changes to ATM interface configuration.
PR Number	Synopsis	Category: Inline Jflow PRs for defect & enhancement requests
1362887	The inline J-Flow sampling configuration might cause FPC crash on MX Series platforms. Product-Group=junos	On MX-series platforms, if the inline-jflow "nexthop-learning" knob is configured, when the sampling removes one next-hop, the FPC might crash. It is not easily reproducible and it is a rare issue.
PR Number	Synopsis	Category: PRs for AE/AS/Container on the kernel side
1346949	After an FPC becomes online or child interface added to ae bundle in config, traffic loss might be experienced for around 30 seconds till LACP reaches operational state. If child link stays detached in LACP, traffic loss will continue. Product-Group=junos	On the Trio-based platform with "enhanced-ip" enabled which is enabled by default on MX80, MX104, MX 2010, MX2020, and MX10003, if the aggregate interface is initialized before the child interface is marked as part of the aggregate after FPC becomes online or child interface added to ae bundle in config, the traffic goes out from the ae interface might lose for around 30 seconds till LACP reaches operational state. If child link stays detached in LACP, traffic loss will continue.
1425211	Interface with FEC disabled might flap after Routing Engine mastership switchover. Product-Group=junos	By default, RS-FEC (Reed-Solomon Forward Error Correction) is enabled for 100G SR4/PSM4 optics and disabled for 100G LR4 optics. The "set interfaces xx gigether-options fec" knob was introduced in Junos OS Release 16.1R1, it can be used to override the default behavior and explicitly enable/disable FEC for a 100G interface. In GRES scenario, when a 100G interface with SR4/PSM4 optics (e.g. QSFP-100GBASE-SR4/QSFP-100G-PSM4) is a member of an AE interface, and FEC is disabled on AE (knob "gigether-options fec none" is configured), the interface might flap during RE mastership switchover. After that, the interface will come up itself and this issue will recover automatically.
PR Number	Synopsis	Category: jpppd daemon
1350563	Spontaneous jpppd generates core files on the backup Routing Engine in a longevity test at ../../../../../../src/junos/usr.sbin/jpppd/pppMain.cc:400. Product-Group=junos	In L2TP scenario when MX router functions as LTS (L2TP Tunnel Switch), there is a memory leak in jpppd process running on the backup RE, which will eventually lead to jpppd core dump due to out of memory condition. There is no functional impact as it happens on the backup RE.
PR Number	Synopsis	Category: IPSEC/IKE VPN
977435	Junos OS: SRX Series: An attacker sending spoofed packets to IPSec peers may cause a Denial of Service. (CVE-2020-1657) Product-Group=junos	On SRX Series devices, a vulnerability in the key-management-daemon (kmd) daemon of Juniper Networks Junos OS allows an attacker to spoof packets targeted to IPSec peers before a security association (SA) is established thereby causing a failure to set up the IPSec channel; Refer to https://kb.juniper.net/JSA11050 for more information.
PR Number	Synopsis	Category: slt security platform jweb support
1518212	Junos OS: Privilege escalation in J-Web due to arbitrary command and code execution via information disclosure from another users active session (CVE-2021-0210) Product-Group=junos	An Information Exposure vulnerability in J-Web of Juniper Networks Junos OS allows an unauthenticated attacker to elevate their privileges over the target system through opportunistic use of an authenticated users session. Please refer to https://kb.juniper.net/JSA11100 for more information.
PR Number	Synopsis	Category: Layer 2 Circuit issues
1512834	The rpd might crash when deleting l2circuit configuration in a specific sequence. Product-Group=junos	If l2circuit local-switching is enabled with connection-protection, the rpd could crash in the following configuration change sequence. 1. First, delete the logical interface (IFL) used by a l2circuit and commit the change. 2. Then, delete the corresponding l2circuit configuration. The rpd could crash after committing the change.
PR Number	Synopsis	Category: Application specific PRs (cos/snmp/time-sync/routing/BRAS)
1255542	General Routing Load balancing is uneven across aggregated Ethernet member links when the aggregated Ethernet bundle is part of an ECMP path. The aggregated Ethernet member links must span the Virtual Chassis members. Product-Group=junos	Load balancing is uneven across Aggregated Ethernet (AE) member links when the AE bundle is part of an equal cost multipath (ECMP). The AE member links need to span Virtual Chassis members.
PR Number	Synopsis	Category: Multiprotocol Label Switching
1467278	The rpd might crash in PCEP for the RSVP-TE scenario. Product-Group=junos	In PCEP (Path Computation Element Protocol) with RSVP Traffic Engineered LSP (TE LSP) scenario, the two LSPs with the same TE LSP name might be shared between Path Computation Element (PCE) and Path Computation Client (PCC) in some rare cases. Then, if the configuration of LSP is delegated from CLI and externally controlled by PCC at the same time, the rpd might be crashed.
PR Number	Synopsis	Category: Multi Protocol Label Switch Operations, Admin & Maintenance
1328058	JSA10877 2018-10 Security Bulletin: Junos OS: RPD daemon crashes upon receipt of specific MPLS packet (CVE-2018-0043) Product-Group=junos	The RPD daemon crashes upon receipt of specific MPLS packet (CVE-2018-0043); Refer to https://kb.juniper.net/JSA10877 for more information.
1399484	The rpd process might crash when executing "traceroute mpls bgp" Product-Group=junos	When traceroute is performed to a remote host for an MPLS LSP using the command "traceroute mpls bgp", in very rare cases, it is possible that mplsoam process is holding the stale BGP instance handle in the query to the rpd process to get the information for the Forwarding Equivalence Class (FEC). Hence rpd crash might occur because of the invalid instance and cause traffic impact until rpd comes back up.
PR Number	Synopsis	Category: MX104 Software - Kernel
1223979	On the MX104 router, CPU hog or busy state occurs with the sporadic L2C access error message and false alarms. Product-Group=junos	In MX104, when RE CPU usage is going high, sporadic I2C error message would be shown up. Since the situation would be temporary, the I2C access may success in next polling and there would be no impact.
PR Number	Synopsis	Category: Track Mt Rainier RE platform software issues
1220061	The routers equipped with NG-REs might raise memory size mismatch alarm after upgrade Product-Group=junos	MX or PTX series routers equipped with NG-REs might raise memory mismatch alarm which is cosmetic.
1408480	The alarm 'Mismatch in total memory detected' is observed after issuing "request reboot vmhost routing-engine both". Product-Group=junos	Alarm 'Mismatch in total memory detected' is observed after reboot vmhost both.
1498966	Downgrade fails on RE-S-X6-64G-LT-S SKU to junos below 17.2R1 Product-Group=junos	Downgrade to junos version 17.2 below with RE-S-X6-64G-LT-S will fail with below errors > request vmhost software add junos-vmhost-install-mx-x86-64-16.1R7-S6.1-limited.tgz warning: Packages /var/home/remote-su/junos-vmhost-install-mx-x86-64-16.1R7-S6... is not limited edition and can not be loaded on this RE, please try the supported version
PR Number	Synopsis	Category: Category for ifstate infrastructure issues
1379657	Protocol adjacency might flap and FPC might reboot if jlock hog happens Product-Group=junos	On all platforms and in scaling scenario, if doing some operations which causes jlock hog, the protocols adjacency might flap and all the FPCs might reboot.
PR Number	Synopsis	Category: PRs requiring triage and/or fix in the PFE Peer Infra
1209308	Protocol may flap Product-Group=junos	In some rare scenarios, TCP keepalive may timeout on the local sockets between the master Routing Engine and the FPCs. The problem caused by a delay in packet processing on em0 interface, or delay in processing keepalive packets during network instability events. The results are protocol flap events.
PR Number	Synopsis	Category: This PR category is for tracking only TCP/UDPtransport layer
1370803	Junos TCP application might be affected if zero window condition persists Product-Group=junos	In some scenarios, Zero Window Attack flag not being correctly handled in JUNOS, causing BGP sessions to flap. The BGP TCP session should never be RST in scenarios where Zero Window Condition persists.
1394370	The command "commit synchronize" might fail because several internal connections are stuck Product-Group=junos	Command "commit synchronize" might fail due to kernel TCP socket stuck, the stuck can also result in login failure to the Backup RE from Master RE or to an FPC.
PR Number	Synopsis	Category: Path computation client daemon
1442598	A few Path Computation Element Protocol (PCEP) logs are marked as error even though they are not an error. The severity of those logs is now marked as INFO. Product-Group=junos	1. Connection with rpd established! 2. Switched to master mode 3. received SIGHUP, handle configuration 4. Switched to slave 5. PCCD mastership is: %d 6. Delegation retry timedout: LSP id: %d with PCE: %s 7. Connection with pce %s (%s:%u) successful 8. Connection to pce %s (%s:%u) failed 9. PCCD received message '%s' from libpcep 10. PCClose received from PCE. Switching to new main PCE 11. No protocol trace configuration found 12. Could not get pce-group id from pce
PR Number	Synopsis	Category: PTX5KBroadway based PFE IPv4, IPv6 software
1254415	On the PTX Platform with FPC-PTX-P1-A or FPC2-PTX-P1A, you might encounter a single event upset (SEU) event that might cause a linked-list corruption of the TQCHIP. Product-Group=junos	On the PTX Platform with FPC-PTX-P1-A or FPC2-PTX-P1A, you might encounter a single event upset (SEU) event that might cause a linked-list corruption of the TQCHIP. The following syslog message gets reported: Jan 9 08:16:47.295 router fpc0 TQCHIP1: Fatal error pqt_min_free_cnt is zero Jan 9 08:16:47.295 router fpc0 CMSNG: Fatal ASIC error, chip TQ Jan 9 08:16:47.295 router fpc0 TQ Chip::FATAL ERROR!! from PQT free count is zero jan 9 08:16:47.380 router alarmd[2427]: Alarm set: FPC color=RED, class=CHASSIS, reason=FPC 0 Fatal Errors - TQ Chip Error code: 0x50002 Jan 9 08:16:47.380 router craftd[2051]: Fatal alarm set, FPC 0 Fatal Errors - TQ Chip Error code: 0x50002 The Junos OS Chassis Management error handling detects such a condition, raises an alarm, and disables the affected Packet Forwarding Engine entity. To recover this Packet Forwarding Engine entity, restart the FPC. Contact your Juniper support representative if the issue persists even after the FPC restarts.
PR Number	Synopsis	Category: Periodic Packet Management Daemon
1003991	FPC packet buffer memory leak due to continuous delegated BFD session flapping Product-Group=junos
PR Number	Synopsis	Category: Routing Information Protocol
1508814	The rpd crash might occur due to RIP updates being sent on an interface in the down state. Product-Group=junos	When RIP with p2mp (point-to-multiple) is configured on an interface in down state, in a very corner case, routing daemon might crash while sending RIP updates to an interface which is already down.
PR Number	Synopsis	Category: RPD Next-hop issues including indirect, CNH, and MCNH
1276044	Routing Protocol Daemon(RPD) might crash with core-dump if forwarding-table export policy with 'install-nexthop' is configured Product-Group=junos	Routing Protocol Daemon(RPD) might crash with core-dump if forwarding-table export policy with 'install-nexthop' is configured and that LSP is not available
1370174	The rpd might crash after Routing Engine switchover is performed or the rpd is restarted if interface-based dynamic GRE tunnel is configured. Product-Group=junos	With interface-based Dynamic GRE Tunnel configured, there might be 2 next-hops for a single dynamic GRE tunnel when a new route is resolved over the dynamic tunnel after RE switchover is performed or the rpd is restarted. Subsequent withdrawal of the routes over that tunnel or master Routing Engine restarting will cause the rpd crash. This issue is introduced in PR 1202926 (which is fixed in 15.1F7 16.1R4 16.2R1-S6 16.2R1-S6-J1 16.2R2 17.1R2-S7 17.1R2-S8 17.1R3 17.2R1).
1534455	Some routes might get incorrectly programmed in the forwarding table in the kernel which is no longer present in rpd. Product-Group=junos	In a scaled routes scenario, if there is any route change operation when the system is under memory pressure, the rpd might change a route entry but the same is not conveyed to the kernel. This causes a mismatch between routes in rpd and kernel leading to traffic blackhole for the mismatched route entries that are incorrectly programmed in the kernel.
PR Number	Synopsis	Category: RPD route tables, resolver, routing instances, static routes
1457955	An aggregate route with BGP contributing routes may flap in some scenarios as expected Product-Group=junos	Aggregate route with BGP contributing routes may flap in some scenarios as expected. The reasons is, by default, aggregate route carries some BGP attributes like AS-PATH, originator, cluster. Aggregate route inherits those attributes from active contributing routes. If one or few contributing routes adding/deleting/changing happens, while other contributing routes are still stable, aggregate route may refresh since its attributes got changed. If this aggregate route is exported into BGP, a BGP update will be sent to downstream router with updated attributes, causing a service impact. Reference page: https://www.juniper.net/documentation/en_US/junos/topics/concept/policy-aggregate-routes.html
PR Number	Synopsis	Category: show route table commands, tracing, and syslog facilities an
1198032	'show configuration routing-options flow' should disply then action statements followed by the match conditions Product-Group=junos	The sequence of statements in the output of show configuration routing-options flow operational command has changed to improve readability. The then statements are now displayed after the match conditions in a logical sequence.
PR Number	Synopsis	Category: Resource Reservation Protocol
1493718	JSA11098 Junos OS and Junos OS Evolved: In bidirectional LSP configurations, on MPLS egress router RPD may core upon receipt of specific malformed RSVP packet. (CVE-2021-0208) Product-Group=junos	An improper input validation vulnerability in the Routing Protocol Daemon (RPD) service of Juniper Networks Junos OS allows an attacker to send a malformed RSVP packet when bidirectional LSPs are in use, which when received by an egress router crashes the RPD causing a Denial of Service (DoS) condition. Please refer to https://kb.juniper.net/JSA11098 for further information.
PR Number	Synopsis	Category: Non sparks issues in jflow/monitoring services
1284918	The sampled route reflector process (srrd) might crash in the large routes churn situation. Product-Group=junos	When the FPCs are busy in high churn scenarios, because the srrd thread in the Packet Forwarding Engine has low priority, CPR resources are insufficient to process the messages sent by srrd process. Due to this, the queue for these busy FPCs are piling in srrd and eventually leading to crash. Refer to the description for the details.
PR Number	Synopsis	Category: Generic platform and infra issues for MS-MIC and MS-MPC(XLP)
1415119	Only 40 MS-PICs (10 MS-MPC cards) can be in the ACTIVE state even if more than 10 MS-MPC cards are inserted in the MX2020 chassis Product-Group=junos	On MX2020 platform, at most 40 MS-PICs (10 MS-MPC cards) can be in the ACTIVE state even if more than 10 MS-MPC cards are inserted in the MX2020 chassis.
1453811	Delay in freeing processed defragment buffers lead to prolonged flow control and might crash. Product-Group=junos	On Juniper Networks Junos MX Series with service card configured, receipt of a stream of specific packets may crash the MS-PIC component on MS-MIC or MS-MPC. Refer to https://kb.juniper.net/JSA11037 for more information.
PR Number	Synopsis	Category: PRs for SFW, CGNAT on MS-MIC/MS-MPC (XLP)
1335956	In an MS-MPC or MS-MIC in ALG scenario, the MAC_STUCK message might be observed and traffic might be dropped. Product-Group=junos	In an MS-MPC or MS-MIC in ALG scenario, the MAC_STUCK message might be observed and traffic might be dropped.
PR Number	Synopsis	Category: Stout cards (MPC7, MPC8, MPC9, SFB2, MRATE & 8x100 MICs)
1354070	The log of "SMART ATA Error Log Structure error: invalid SMART checksum." might be seen on FPC with WINTEC mSata SSD Product-Group=junos	The log of "SMART ATA Error Log Structure error: invalid SMART checksum." might be seen on FPC with WINTEC mSata SSD
PR Number	Synopsis	Category: Interface Issues seen on Stout cards (MPC7, MPC8, MPC9)
1441816	Egress stream flush failure and traffic black hole might occur. Product-Group=junos	Egress stream flush failure and silent dropping of traffic could occur in a rare occasion for a repeatedly flapping link on MPC7E, MPC8E, MPC9E cards, MX204 and MX10003.
PR Number	Synopsis	Category: Trinity LU, IX, QX, MQ chip drivers, ucode & related SW
1059137	An enhancement for reporting CM-ERRORs when memory parity errors occur within MPC pre-classifier engines Product-Group=junos	On MX Series routers, parity memory errors might occur in pre-classifier engines within an MPC. Packets are silently discarded because such errors are not reported and hence harder to diagnose. CM errors such as syslog messages and alarms should be raised when parity memory errors occur.
PR Number	Synopsis	Category: Issues related to broadband edge apps (PPP, DHCP) on Trio ch
1308000	Enhanced Subscriber Management: Targetting for subscribers terminated in non-default routing-intance is supported from 17.3R2 Product-Group=junos	Enhanced Subscriber Management: For subscribers terminated in routing-instance, targeting will be supported from 17.3R2 onwards. With current code subscribers may come up but traffic towards subscriber may be dropped at MX as it is not support in current release.
1401808	FPC core files due to a corner case scenario (race condition between RPF, IP flow). Product-Group=junos	In a subscriber management deployment where the Reverse-Path-Forwarding (RPF) check and MAC check is enabled, a race condition might cause software failure and resulted in a Flexible PIC Concentrator (FPC) to restart.
PR Number	Synopsis	Category: trinity pfe qos software
1382288	One single port with Dual stack subscribers pppoe/dhcpv6 drop all the connections and no subscribers seen now. Product-Group=junos	One single port with dual stack subscribers pppoe/dhcpv6 drop all the connections and no subscribers are seen.
1418602	FPC log messages: "Q index(xxxxx) is not allocated" Product-Group=junos	The cause of the messages is a race condition. For each IFL, IFLSET or IFD object, HALP statistics module reads stats values from hardware for the individual queues. HALP stats module is implemented as a separate stats thread and while stats thread is waiting, PFEMAN thread may assign different queues to the IFL/IFLSET/IFD object. After stats thread gets CPU back, before reading HW for the next queue, stats thread needs to validate that queue is still applicable, which fails if we see the message. The messages are harmless and can be ignored.
PR Number	Synopsis	Category: Interface based services (map-e, 6rd, ip-reassembly) on TRIO
1465490	On MPC7, MPC8, and MPC9, WO packet error and FPC major alarm are observed when reassembling the small fragments. Product-Group=junos	When a device is running Juniper Networks Junos OS with MPC7, MPC8, or MPC9 line cards installed and the system is configured for inline IP reassembly, used by L2TP, MAP-E, and GRE, the Packet Forwarding Engine is disabled upon receipt of small fragments requiring reassembly. Refer to https://kb.juniper.net/JSA11036 for more information.
PR Number	Synopsis	Category: trinity pfe l3 forwarding issues
1474154	Junos OS: MX Series: PFE crash on MPC7/8/9 upon receipt of large packets requiring fragmentation (CVE-2020-1655) Product-Group=junos	When a device is running Juniper Networks Junos OS with MPC7, MPC8, or MPC9 line cards installed and the system is configured for inline IP reassembly, used by MAP-E, the Packet Forwarding Engine is disabled upon receipt of large packets requiring fragmentation. Refer to https://kb.juniper.net/JSA11041 for more information.
PR Number	Synopsis	Category: DDos Support on MX PR category
1377899	Junos OS: MX series/EX9200 Series: IPv6 DDoS protection does not work as expected. (CVE-2020-1665) Product-Group=junos	On Juniper Networks MX Series and EX9200 Series, in a certain condition the IPv6 Distributed Denial of Service (DDoS) protection might not take affect when it reaches the threshold condition. Refer to https://kb.juniper.net/JSA11062 for more information.
PR Number	Synopsis	Category: Authentication, Authorization, Accounting, PAM (RADIUS/tacpl
1233649	additional fix for timing issue that can cause auditd core Product-Group=junos	additional fix for timing issue that can cause auditd core, covered several corner cases to prevent core related to PR1191527
PR Number	Synopsis	Category: Issues related to configuration management, ffp, load action
1267433	The commitd process might generate a core file when removal of certain configuration is followed by a commit operation. Product-Group=junos	Core file is generated by commitd when deletion for a certain configuration is committed. Configuration is properly changed after commit even though core file remains.
PR Number	Synopsis	Category: Virtual Private LAN Services
1295664	Layer 2 Features LSI interface might not be created, causing remote MACs not to be learned and display of the following error log: RPD_KRT_Q_RETRIES: ifl iff add: Device busy". Product-Group=junos	With VPLS being configured, after upgrade to 15.1/16.1/17.x releases, in some circumstances VPLS LSI interface are not correctly created, causing remote MACs not being learnt and L2 VPLS outage. The issue is not reproduced and the code change is not a fix but add a instrumentation using a hidden command 'show vpls ipc-history', which should be captured right away when the issue is seen on latest releases. show vpls ipc-history <<<<< show vpls connections show krt queue show route forwarding-table extensive /var/log/messages
PR Number	Synopsis	Category: Virtual Router Redundancy Protocol
1305327	VRRP could not support IFLs using the same group ID in VRRP delegated-process mode Product-Group=junos	If one IFL changes VR (virtual-router) state from Master to Backup, traffic might black-holed for other IFLs which shares the same group ID on an IFD.

Knowledge Base

16.1R7-S8 - List of Fixed issues

16.1R7-S8 - List of Known issues