Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

17.3R3-S10: Software Release Notification for JUNOS Software Version 17.3R3-S10

0

0

Article ID: TSB17898 TECHNICAL_BULLETINS Last Updated: 30 Oct 2020Version: 1.0
Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, EX, MX, PTX, QFX, NFX, VRR, vMX
Alert Description:
Junos Software Service Release version 17.3R3-S10 is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as need and follow the prompts
Solution:

Junos Software service Release version 17.3R3-S10 is now available.

17.3R3-S10 - List of Fixed issues
PR Number Synopsis Category: EX2300/3400 PFE
1491905 Junos OS: EX2300 Series: High CPU load due to receipt of specific multicast packets on layer 2 interface (CVE-2020-1668)
Product-Group=junos
On Juniper Networks EX2300 Series, receipt of a stream of specific multicast packets by the layer2 interface can cause high CPU load, which could lead to traffic interruption. Refer to https://kb.juniper.net/JSA11065 for more information.
PR Number Synopsis Category: CoS support on ACX
1493518 On the ACX5048 and ACX5096 routers, the LACP control packets might be dropped due to high CPU utilization.
Product-Group=junos
On ACX5048/ACX5096 platforms, when one of the child links in AE goes down brings entire AE down due to high CPU.LACP control packets might get dropped as the port is blocked for a temporary period.
PR Number Synopsis Category: BBE interface related issues
1498024 Subscribers may be disconnected after one of the AE participating FPCs comes online in a Junos node slicing scenario
Product-Group=junos
On MX Series platforms with node slicing setup, if subscriber services and targeted distribution feature are enabled on an aggregated Ethernet interface, and the FPC where one of the aggregated Ethernet member port is located comes online, subscribers that are already online might be disconnected.
PR Number Synopsis Category: Border Gateway Protocol
1403186 All the BGP session flap after RE switchover
Product-Group=junos
With GRES and NSR enabled, if executing RE switchover, BGP session might flap in some scenario. When Junos version have the fix of PR-1440694, BGP session always flap after doing RE switchover.
1466709 BGP peers might flap if the parameter of hold-time is set as small.
Product-Group=junos
On all Junos platforms with BGP enabled, the hold timer is still running when the session is to processing BGP updates to peers, but the keepalive messages which BGP peer sends might be skipped. If the BGP updates in handling cannot be completed within the hold timer (e.g., manually sets the hold-time to 3s), the BGP peer flaps might be observed.
1517498 The rpd process might crash after deleting and then adding a BGP neighbor.
Product-Group=junos
In BGP scenario on all Junos platforms, after deleting and re-adding a BGP neighbor, the rpd might crash due to a rare timing issue.
1518056 Tag matching in the VRF policy does not work properly when the "independent-domain" option is configured
Product-Group=junos
On all platforms and in an L3VPN environment, when the tag is configured in the policy and applied to the VRF instance, configuring 'independent domain' for the autonomous system under the routing-options will cause the inet-vpn routes stop getting advertised between VRF instances.
PR Number Synopsis Category: Device Configuration Daemon
1539719 Syslog "should have at least one member link on a different fpc" might occurs after commit for configuration under interface hierarchy
Product-Group=junos
This log could occur after commit for configuration under interface hierarchy f we have AE configuration with logical-interface-fpc-redundancy config, even if the AE interface have multiple legs on different FPCs. Sep 11 15:57:22.395 2020 lab-router-mx dcd[41283]: %DAEMON-4: Interface: ae5, should have at least one member link on a different fpc Trigger: 1- AE interfaces with logical-interface-fpc-redundancy are configured 2- Config change under interface hierarchy 3- Commit config
PR Number Synopsis Category: JUNOS Dynamic Profile Configuration Infrastructure
1526934 Family IPv6 do not come up for the L2TP subscriber when additional attributes are not passed in the Framed-IPv6-Route VSA
Product-Group=junos
In DHCP/PPP Subscriber scenario with IPv6 dynamic-profile configured, all the additional attributes (route prefix, next-hop, metric, preference, tag) for IPv6 access route must be fully specified in dynamic-profile and passed via RADIUS server, otherwise family inet6 might not come up.
PR Number Synopsis Category: ISIS routing protocol
1482983 The output of the show isis interface detail command might be incorrect if wide-metrics-only is enabled for IS-IS and the ASCII representation of the metric in decimal is more than 6 characters long.
Product-Group=junos
If 'wide-metrics-only' is enabled for any IS-IS level and a metric configured on the IS-IS enabled interface for that level has ASCII representation in decimal more than 6 characters long, this interface's metric for that level will be merged with 'priority' field value in the output of 'show isis interface detail'.
1526447 The IS-IS LSP database synchronization issue might be seen while using the flood-group feature.
Product-Group=junos
On all Junos platform, when flood-group is configured on interface under isis, if isis LSPs time out and then come up, the device sends only self-generated LSPs and doesn't increment the LSP updates received from neighbor which flapped. This is causing LSP database out of synchronization issue.
PR Number Synopsis Category: Layer 2 Control Module
1350652 ERPv1_EX: On Ex3400 VC setup ERP node sessions stuck at pending state, with additional/removal of GRES config.
Product-Group=junos
ERP filters are not getting installed with NSB configuration in place with NSB configured l2cpd will be running on the backup RE as well. This l2cpd running on backup RE connects to DFWD running on master RE. This connection is causing the issue here as the filter installation posted over tcp socket by l2cpd master RE to DFWD on master RE is not getting processed. With NSB unconfigured no issues are observed.Code changes done to disable l2cpd filter init on the backup RE to fix the issue. Note : As a part of switchover (master change) could see the l2cpd_filter_init is happening on the new master.See logs below. When master becomes standby could see l2cpd_filter_shutdown is happening which removes the connection between l2cpd and dfwd. Apr 6 08:06:53.005235 JTASK_TASK_REINIT: Reinitializing Apr 6 08:06:53.013342 task_module_var_inits: initializing Kernel family init Apr 6 08:06:53.013351 task_module_var_inits: initializing RT Instance family init Apr 6 08:06:53.013359 task_module_var_inits: initializing TELEMETRY Apr 6 08:06:53.013366 task_module_var_inits: initializing PPM Apr 6 08:06:53.013379 task_module_var_inits: initializing L2CPD-FILTER Apr 6 08:06:53.013389 task_module_var_inits: initializing ERP
PR Number Synopsis Category: lacp protocol
1366825 RG1 failover occurs when RG0 failover is triggered
Product-Group=junos
RG1+ which is configured for interface-monitor, might fail over to the other node if RG0 failover is triggered.
PR Number Synopsis Category: Label Distribution Protocol
1451157 The LDP route timer resets when committing unrelated configuration changes.
Product-Group=junos
The LDP route timer is reset due to committing unrelated configuration changes. As usual, the "route timer reset" implies route churn, but LDP itself is not affected as there is no real nexthop change in the case of configuration commit with unrelated changes. However, protocols using the LDP route as protocol nexthop may be impacted.
PR Number Synopsis Category: Multicast for L3VPNs
1425876 MVPN using PIM dense mode does not prune the OIF when PIM prune is received.
Product-Group=junos
In the MVPN (Multicast Virtual Private Network) scenario, when PIM Dense mode is used, the egress PE might not prune the OIF (outgoing interface) when PIM prune is received.
PR Number Synopsis Category: Fabric Manager for MX
1482124 Fabric healing logic incorrectly makes all MPC line cards go offline in the MX2000 router while the hardware fault is located on one specific MPC line card slot.
Product-Group=junos
In specific MPC hardware failure conditions within the MX2K platform, fabric healing will attempt to auto-heal the fault location in 3 phases to prevent traffic blackholing. If under such fault conditions only destination timeouts are reported without corresponding link errors, the fabric healing process might restart all MPCs in phase-2 in an auto-healing attempt and if the error condition appears again within 10 minutes the last phase-2 might offline all MPCs in the system.
PR Number Synopsis Category: MX104 Software - PFE Microcode
1356657 The packets might be dropped when they go through MX104 built-in interface
Product-Group=junos
If the packets are destined to a specific MAC address (such as last two octets are 0x1101, 0x1102, 0x1103, 0x1104, 0x1106, 0x1108, 0x1109, 0x110a, and so on), they might be dropped on the remote-end device when going through MX104 built-in xe (10-Gigabit Ethernet) ports.
PR Number Synopsis Category: RPD route tables, resolver, routing instances, static routes
1421566 Some LDP routes in VRF cannot be resolved over the inet.3 table
Product-Group=junos
Any route that is added to the rib will be resolved over predefined tables, and the resolution tables for a given protocol are fixed. LDP routes added to foo.mpls.0, the resolution table is not initialized due to this NULL access happen to lead to the core.
PR Number Synopsis Category: Resource Reservation Protocol
1524736 The inter-domain LSP with loose next-hops path might get stuck in down state
Product-Group=junos
In the scenario of inter-domain LSP with loose next-hops path, when expanding the loose hop at the Area Border Router (ABR) / Autonomous System Border Router (ASBR), the LSP might not come up properly if the incoming link of the LSP at the ABR/ASBR is an unnumbered interface.
PR Number Synopsis Category: Generic platform and infra issues for MS-MIC and MS-MPC(XLP)
1482400 The vmcore process crashes sometimes along with the mspmand process on MS-MPC/MS-MIC if large-scale traffic flows are processed
Product-Group=junos
With NAT/Stateful-firewall/TCP tickle (enable by default) configured on MS-MPC/MS-MIC, the vmcore crash sometimes along with mspmand crash might happen if large-scale traffic flows (e.g. million flows) are processed by it.
PR Number Synopsis Category: MPC7/8/9 Interface Issues
1441816 Egress stream flush failure and traffic black hole might occur.
Product-Group=junos
Egress stream flush failure and silent dropping of traffic could occur in a rare occasion for a repeatedly flapping link on MPC7E, MPC8E, MPC9E cards, MX204 and MX10003.
PR Number Synopsis Category: Authentication, Authorization, Accounting, PAM (RADIUS/tacplus)
1393839 The lockout-period might not work for the user being locked out
Product-Group=junos
If 'system login retry-options lockout-period' is configured, the variables related to lockout-period are accessed without getting initialized, which could cause junk values in the variables to be used. The junk values in the variables might cause the lockout-period to not work. The actual behavior depends on what is the junk value. For example, user might not be allowed to login with correct password even after the lockout-period is elapsed, or user still can login during lockout-period.
PR Number Synopsis Category: Configuration mgmt, ffp, load-action, commit processing
1385902 The device with more than five IP addresses configured in the DHCP server group goes into amnesiac mode after reboot
Product-Group=junos
If the knob "commit fast-synchronize" is enabled, the device with more than 5 IP addresses configured in the dhcp server-group might go into amnesiac mode after reboot. But in practice it should not allow more than 5 IP addresses based on the implementation, and this validation for "commit check" is skipped when fast-synchronize is configured.
 

17.3R3-S10 - List of Known issues
PR Number Synopsis Category: Marvell based EX PFE ACL
1434927 The FPC crashes with pfem generating core file might be seen if large-scale number of firewall filters are configured.
Product-Group=junos
On EX Series switches, If you are configuring a large-scale number of firewall filters on some interfaces, the FPC might crash and generate core files.
PR Number Synopsis Category: NFX Series Platform Software
1462556 Junos OS: NFX350: Password hashes stored in world-readable format (CVE-2020-1669)
Product-Group=junos
The Juniper Device Manager (JDM) container, used by the disaggregated Junos OS architecture on Juniper Networks NFX350 Series devices, stores password hashes in the world-readable file /etc/passwd. This is not a security best current practice as it can allow an attacker with access to the local filesystem the ability to brute-force decrypt password hashes stored on the system. Refer to https://kb.juniper.net/JSA11066 for more information.
PR Number Synopsis Category: ACX MPLS
1512821 On a ACX ring topo, after link connection flap between PHP node and Egress PE node, VRF traffic that should be PHP still go out with MPLS and VPN labels
Product-Group=junos
After link connection flap between the PHP node and the egress PE node, the VRF traffic which supposed to PHP and sent only with VPN label out to egress PE, would wrongly tagged with both MPLS label and VPN label.
PR Number Synopsis Category: MPC5/6E pfe microcode software
1298161 In some MX Series deployments running Junos OS, the following random syslog messages are observed for FPCs: fpcx ppe_img_ucode_redistribute Failed to evict needed instr to GUMEM - xxx left. These messages might not have a service impact. These messages are addressed as INFO level messages. On a Packet Forwarding Engine, there are dedicated UMEM and shared GUMEM memory blocks. This informational message indicates some evicting events between UMEN and GUMEN and can be safely ignored.
Product-Group=junos
In some MX Series deployments running Junos OS, random syslog messages are observed for FPC cards: "fpcx ppe_img_ucode_redistribute Failed to evict needed instr to GUMEM - xxx left". These messages are not an issue and might not have a service impact. These messages will addressed as INFO level messages. On a Packet Forwarding Engine, there are dedicated UMEM and shared GUMEM memory blocks. This informational message indicates some evicting events between UMEN and GUMEN and can be safely ignored.
PR Number Synopsis Category: Device Configuration Daemon
1221993 Identical IP address are configured on different logical interfaces from different physical interfaces in the same routing instance including the master routing-instance
Product-Group=junos
The same IP address could be configured on different logical interfaces from different physical interfaces in the same routing instance (including master routing instance), but only one logical interface was assigned with the identical address after commit. There was no warning during the commit, only syslog messages indicating the incorrect configuration.
PR Number Synopsis Category: Covers Application classification workflows apart from custo
1473151 Junos OS: SRX Series: High CPU load due to processing for HTTP traffic when Application Identification is enabled.
Product-Group=junos
On Juniper Networks SRX Series configured with application identification inspection enabled, receipt of specific HTTP traffic can cause high CPU load utilization, which could lead to traffic interruption. Refer to https://kb.juniper.net/JSA11081 for more information.
PR Number Synopsis Category: jdhcpd daemon
1511782 Junos OS: Receipt of malformed DHCPv6 packets causes jdhcpd to crash (CVE-2020-1671)
Product-Group=junos
On Juniper Networks Junos OS platforms configured as DHCPv6 local server or DHCPv6 Relay Agent, Juniper Networks Dynamic Host Configuration Protocol Daemon (JDHCPD) process might crash with a core dump if a malformed DHCPv6 packet is received, resulting with the restart of the daemon. Refer to https://kb.juniper.net/JSA11068 for more information.
PR Number Synopsis Category: IPSEC/IKE VPN
1517262 The flowd might crash in IPsec VPN scenario
Product-Group=junos
On SRX platforms with IPsec VPN configured, the flowd might crash during the IPsec VPN rekey window. The traffic/service might be impacted if hitting this issue.
PR Number Synopsis Category: Key Management Daemon
1421591 IPsec tunnels flapping causes KMD memory leak
Product-Group=junos
KMD leaks memory when DEP (dynamic endpoints) or static IPsec tunnels are flapping or getting re-established. In a scaled scenario this eventually leads to KMD crash due to memory exhaustion.
PR Number Synopsis Category: Track Mt Rainier RE platform software issues
1386306 The log message of 'kernel: interrupt storm detected on "irq11:"; throttling interrupt source' might be seen when NG-RE is used
Product-Group=junos
With Next Generation Routing Engine (NG-RE), in some race conditions, the following interrupts messages might be seen on master RE: kernel: interrupt storm detected on "irq11:"; throttling interrupt source
PR Number Synopsis Category: FreeBSD Kernel Infrastructure
1518898 The kernel might crash if a file/directory is accessed for the first time and is not created locally
Product-Group=junos
On the Junos with Virtual Filesystem (VirtFS), if a file/directory is accessed for the first time and is not created locally, the kernel might crash and generate a vmcore file. Junos might reboot due to this issue.
PR Number Synopsis Category: rtsock kernel instrastructure
1425492 Error messages "rtslib: ERROR IDL TLV Decode Error -2(Allocation Failure)" are harmless.
Product-Group=junos
Error messages "rtslib: ERROR IDL TLV Decode Error -2(Allocation Failure) "are harmless.
PR Number Synopsis Category: QFX L2 PFE
1475005 The system might stop new MAC learning and impact the Layer 2 traffic forwarding.
Product-Group=junos
On QFX platforms, if there are a lot of MAC moves, the system might stop new MAC learning and lots of old MAC addresses might be stuck and couldn't be aged and deleted. Due to this issue, could have impact on layer 2 traffic forwarding and the customer service.
PR Number Synopsis Category: KRT Queue issues within RPD
1486922 rpd SIGABRT with EVPN SRTE rt_instance_check_id_resolved rt_instance_table_kernid_cb
Product-Group=junos
The rpd core files might be generated in the absence of an explicit route-distinguisher configuration.
PR Number Synopsis Category: Generic issues on MS-PIC and MS-DPC related Services feature
1397259 SPD_CONN_OPEN_FAILURE: spd_svc_set_summary_query: unable to open connection to si-0/0/0 (No route to host)
Product-Group=junos
The following SPD failed messages are seen when jnxSpMIB Walk/Query is Polled: Oct 24 16:28:31 spd[5536]: SPD_CONN_OPEN_FAILURE: spd_svc_set_summary_query: unable to open connection to si-0/1/0 (No route to host) Oct 24 16:28:31 spd[5536]: SPD_CONN_FAILURE: Connection did not succeed (Pic is down or busy) error: libservicesui: Unable to connect to 128.0.1.16 at fpc-slot 0 and pic-slot 0 after 1 retries (errno = 65) NOTE: There is no functionality break due to these error logs. SNMP svc-set queries are not supported for MX Series inline services.
PR Number Synopsis Category: Issues related to broadband edge apps (PPP, DHCP) on Trio ch
1421314 MX Series router LNS might fail to forward the traffic on the subscriber access route.
Product-Group=junos
On MX platforms, if the following steps happen in a succession, packets from subscriber using the subscriber access route prefix might be dropped in PFE with exception reason as "SW ERROR". 1. Bring up subscriber with BGP disabled 2. Subscriber Access route prefix is installed with correct RPF info 3. Enable BGP 4. Access Route get updated with a different non subscriber NH. This results in loss of RPF information 5. Disable BGP 6. Route get added back with subscriber NH. This time since the RPF information is lost, RPF check for this IP will result in drop of packet
PR Number Synopsis Category: Trio pfe bridging, learning, stp, oam, irb software
1542537 In EVPN-MPLS scenario, BUM traffic is dropped during configuration changes.
Product-Group=junos
In evpn-mpls scenario, BUM(Broadcast, unknown-unicast and multicast) traffic would be dropped due to flood nexthop deletion during configuration changes on any of the PE node.
PR Number Synopsis Category: PTX/QFX100002/8/16 interface software
1268678 The following error message is observed during LC1101 reboot: pechip_cmerror_set_error:3113: Level: Major, cmerror_code: 0x210613 (id=1555).
Product-Group=junos
When an FPC goes offline or restarts, FPC x sends traffic to FPC y. The following error messages are seen and a corresponding alarm is set on the destination FPC. Specific to PTX10000, the transient alarm gets set when this condition occurs. The alarm clears later because the source FPC goes offline. Apr 09 10:31:24 [TRACE] [asta] Apr 9 10:19:59 asta fpc4 Error (0x210613), module: PE Chip, type: Apr 09 10:31:24 [TRACE] [asta] Apr 9 10:19:59 asta fpc4 Cmerror Op Set: PE Chip: PE1[1]: FO:core intr: 0x00000010: Grant spray drop due to unspray-able condition error Apr 09 10:31:24 [TRACE] [asta] Apr 9 10:19:59 asta fpc4 Error (0x210614), module: PE Chip, type: Apr 09 10:31:24 [TRACE] [asta] Apr 9 10:19:59 asta fpc4 Cmerror Op Set: PE Chip: PE1[1]: FO:core intr: 0x00000008: Request spray drop due to unspray-able condition error.

 
Modification History:
First publication 2020-10-29
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search