
19.4R3-S5: Software Release Notification for JUNOS Software Version 19.4R3-S5


Article ID: TSB18131 TECHNICAL_BULLETINS Last Updated: 30 Jul 2021 Version: 1.0
Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, EX, MX, PTX, QFX, NFX, SRX, VRR, vMX, vSRX
Alert Description:
Junos Software Service Release version 19.4R3-S5 is now available for download from the Junos software download site.
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Risk: Low/Notification - No defined time impact to take action
Risk Description: Software Release Notification
Impact: Low/Notification - Monitor the situation but no action needed
Impact Description: Software Release Notification

Solution:

Junos Software Service Release version 19.4R3-S5 is now available.

19.4R3-S5 - List of Fixed issues
PR Number Synopsis Category: JUNOS bugs found in UAC integration
1585158 Unified-access-control(UAC) authentication might not work post system reboot
Product-Group=junos
Post reboot on vSRX devices, UAC authentication might not work as expected. Unauthenticated traffic is not redirected to UAC module.
PR Number Synopsis Category: EX4300 PFE
1597548 Broadcast traffic might be discarded when a firewall filter is applied to the loopback interface
Product-Group=junos
On EX4300 platforms, when a firewall filter for broadcast traffic with discard action policer is applied to the loopback interface, all broadcast packets (including Layer 2 forwarding packets, such as DHCP discover packets) that match this filter rule might be dropped.
1598251 VLAN tagged traffic might be dropped with service provider style configuration
Product-Group=junos
On EX4300 platforms with both enterprise style and service provider style configurations, an interface with enterprise style IFL and flexible-vlan-tagging configured, VLAN tagged traffic might be dropped due to incorrect programming in the system.
PR Number Synopsis Category: EX4300 Filters implementation
1578859 The dcpfe crash is observed on Junos QFX/EX platforms
Product-Group=junos
On Junos QFX/EX platforms, a dcpfe crash may be seen. It is caused by flaps of an interface on which a large number of MAC-based VLAN clients are registered. When this happens, dcpfe crashes and the PFE (Packet Forwarding Engine) restarts, and all traffic related to the PFE may be dropped. After that, the PFE can recover by itself.
PR Number Synopsis Category: EX2300/3400 PFE
1598346 The backup VC member may not learn mac-address on a master after removing a VLAN unit from the SP style AE interface which is part of multiple VLAN units
Product-Group=junos
On EX2300/3400/4300MP/4400 and QFX5100/5110/5200 VC platforms, if a VLAN unit is removed from an SP style AE interface that is part of multiple VLAN units, the backup member might not learn mac-address on a master and might start processing packets to that MAC address as unknown unicast. In this case, flooding will happen in the VLAN, which might cause traffic loss due to the limited bandwidth.
PR Number Synopsis Category: MPC Fusion SW
1586403 Traffic drop after enabling flexible-queuing-mode on MPC2E linecards
Product-Group=junos
MPC2E NG PQ and Flex Q with MACsec drop 50 percent of traffic after flexible-queuing-mode is enabled, on both 1G and 10G. The port speed for the MACsec MIC was changed from 1G to 10G to increase the XQIF queue size to 32. On MX platforms with MPC2E NG line cards and a MACsec MIC, a traffic drop of about 50 percent may be seen when flexible-queuing-mode is enabled and traffic is sent at a rate of more than 5Gbps.
PR Number Synopsis Category: Border Gateway Protocol
1581578 BGP replication might be stuck in rare and timing conditions
Product-Group=junos
On all platforms with dual Routing Engines running Junos OS or Junos OS Evolved, BGP Nonstop-Routing replication might be stuck in a rare and timing case. BGP session(s) on the primary Routing Engine are stuck in "SoWait" state, and BGP session(s) on the backup Routing Engine cannot sync with the primary Routing Engine. From the BGP peer side, the BGP session(s) will break after hold-time expiry (90 seconds by default). This defect could be seen after the following series of events happen.
  * BGP NSR replication starts while primary Routing Engine (BGP session) is busy reading packets (i.e. protocol data unit).
  * Primary Routing Engine (BGP session) requests to stop reading at PDU boundary.
  * While BGP session on primary Routing Engine is waiting to read complete packet (remaining bytes), the TCP sync connection (between primary and backup BGP) flaps (i.e., PDU boundary is NOT read before the flap).
PR Number Synopsis Category: Virtual-chassis platform/chassisd infrastructure PRs for MX
1569556 JDI-RCT:M/Mx: not able to set member-id as RE is in synching mode forever when its having invalid VC data( error: Command aborted. VC configuration synch to backup RE in progress, try after 120 secs. )
Product-Group=junos
New SCB cards may have uninitialized VC Data Blocks, preventing setting the member-id when configuring as a MX-VC for the first time.
PR Number Synopsis Category: QFX Access Control related
1587837 Process dot1xd crash might be seen and re-authentication may be needed on EX9208 platform
Product-Group=junos
On the EX9208 platform in a fusion scenario where around 30,000 mac-radius authenticated sessions are established, the dot1xd process might crash and users may need to re-authenticate. The relevant memory is not freed when dot1x is deleted on any interface, which causes a memory leak and leads to the crash.
PR Number Synopsis Category: Control Plane for Node Virtualization
1580168 MPC7E/8E/9E/11E line card might be stuck in "Unresponsive" state in a Junos Node Slicing setup
Product-Group=junos
There are two issues resolved in this PR.
Issue 1: In a Junos Node Slicing setup, after assigning MPC7E/8E/9E/11E line card to a guest network function (GNF), a file containing GNF information might be copied to line card with incomplete content during card booting up and it cannot be updated with correct values in subsequent booting as well. It is a rare timing issue (e.g., it may happen if the line cards copy the file from routing engine in Base System (BSYS) while BSYS is populating the file with GNF information.) The issue could cause the MPC7E/8E/9E/11E line card to be stuck in "Unresponsive" state.
Issue 2: In a Junos Node Slicing setup with MPC7E/8E/9E/11E line card, after assigning these line cards to a GNF or BSYS or activating/deactivating network-slices, duplicate entries could be added into some files in card (i.e., /etc/hosts.equiv and /root/.rhosts files in card). Over time (maybe years), these files could occupy large disk space and lead to the line card booting up issue.
PR Number Synopsis Category: EVPN control plane issues
1534021 The route table shows additional paths for the same EVPN or VXLAN type 5 destination after upgrading from Junos OS Release 18.4R2-S3 to Junos OS Release 19.4R1-S2.
Product-Group=junos
When upgraded from 18.4R2-S3 to 19.4R1-S2, EVPN/VXLAN type 5 routes show additional paths to the same destination. The behaviour can cause a traffic impact in certain route-leaking scenarios.
PR Number Synopsis Category: SRX4100/SRX4200 platform software
1547953 On vSRX2.0, vSRX3.0, SRX1500, SRX4100, SRX4200, SRX4600 running chassis cluster in Junos OS Release 18.3 or later, multiple messages of "LCC: ch_cluster_lcc_set_context:564: failed to lock chassis_vmx mutex 11" are generated in the chassisd log file. These messages may recur after every few seconds and they do not have any impact on system operation.
Product-Group=junos
On vSRX2.0, vSRX3.0, SRX1500, SRX4100, SRX4200, SRX4600 running Chassis Cluster in Junos 18.3 or later, multiple messages of "LCC: ch_cluster_lcc_set_context:564: failed to lock chassis_vmx mutex 11" are generated in the chassisd log file. These messages may reoccur after every few seconds and they do not have any impact on system operation.
PR Number Synopsis Category: jdhcpd daemon
1594371 jdhcpd core dump post Junos upgrade to 18.4R3-S4.2
Product-Group=junos
Post Junos upgrade to 18.4R3-S4.2, a jdhcpd core dump can sometimes be observed along with DHCP process restarts; there is no service impact.
PR Number Synopsis Category: jl2tpd daemon
1596972 "show services l2tp tunnel extensive", "show services l2tp session extensive" and "show subscribers accounting-statistics" commands do not work on LTS
Product-Group=junos
In a subscriber management environment CLI commands "show services l2tp tunnel extensive", "show services l2tp session extensive" and "show subscribers accounting-statistics" do not work on LTS (L2TP tunnel switch).
PR Number Synopsis Category: Security platform jweb support
1592021 Junos OS: J-Web allows a locally authenticated attacker to escalate their privileges to root. (CVE-2021-0278)
Product-Group=junos
An Improper Input Validation vulnerability in J-Web of Juniper Networks Junos OS allows a locally authenticated attacker to escalate their privileges to root over the target device. Please refer to https://kb.juniper.net/JSA11182 for more information.
1597221 [J-Web] A custom application whose name contains "any" is listed under Pre-defined Applications
Product-Group=junos
In J-Web, custom application info is usually listed under "Custom-Applications". However, if the application name contains "any", it is listed under "Pre-defined Applications".
1603993 Radius users might not be able to view/modify configuration via J-web
Product-Group=junos
On SRX-Series devices, when Radius server is used for authentication with login-class "Juniper-Local-User-Name" then users might not be able to view/modify configuration via J-web.
PR Number Synopsis Category: Neo Interface
1576370 MIC specific alarms are not cleared after MIC reboot
Product-Group=junos
An alarm raised due to a transient HW problem with MIC does not get cleared automatically after MIC restart.
1595682 The interface down might be delayed after performing the "set interface disable" command
Product-Group=junos
On MX platforms with MPC4E/MPC7E line cards used, if performing the "set interface disable" command to disable an interface, the interface down might be delayed and cause traffic loss during this delay time.
PR Number Synopsis Category: TCP/UDP transport layer
1527246 During RE switchover the new master RE may suddenly crash
Product-Group=junos
Due to a rare problem in TCP socket replication between routing engines and md5 digest processing on the backup RE in NSR configuration, the new master RE may crash during RE switchover.
1595649 Junos OS: Upon receipt of specific sequences of genuine packets destined to the device the kernel will crash and restart (vmcore) (CVE-2021-0283, CVE-2021-0284)
Product-Group=junos
A buffer overflow vulnerability in the TCP/IP stack of Juniper Networks Junos OS allows an attacker to send specific sequences of packets to the device thereby causing a Denial of Service (DoS). Please refer to https://kb.juniper.net/JSA11200 for more information.
PR Number Synopsis Category: KRT Queue issues within RPD
1554981 The rpd process may crash if the BGP route is resolved over a tunnel
Product-Group=junos
On all Junos platforms, the rpd process might crash if the BGP route is resolved over the tunnel (e.g. IPIP, GRE, and UDP).
PR Number Synopsis Category: Secure Web Proxy functionality on Junos
1585542 Secure Web proxy continues sending DNS queries for an unresolved DNS entry even after the entry was removed
Product-Group=junos
On SRX Series devices, Secure Web proxy continues sending DNS queries for an unresolved DNS entry even after the entry was removed.
PR Number Synopsis Category: SFW, CGNAT on MS-MIC/MS-MPC (XLP)
1574321 DS-Lite throughput degradation might be seen on MS-MPC
Product-Group=junos
On MX240, MX480, MX960, MX2008, MX2010 and MX2020 platforms with MS-MPC, when DS-Lite softwire sessions are sent under heavy load in MS-MPC, throughput performance for DS-Lite in MS-MPC drops by about 80 percent. Packet drops might be seen.
PR Number Synopsis Category: MPC7/8/9 Interface Issues
1574279 QSFP 4x10G interface might not come up after FPC reboot
Product-Group=junos
On EA-based MX platforms with QSFP module, QSFP 4x10G interface fails to come up after FPC reboot.
PR Number Synopsis Category: VSRX platform software
1564117 Fabric probe packets might be processed incorrectly when power-mode-ipsec (PMI) is enabled
Product-Group=junos
On SRX-Series devices with PMI enabled, the fabric probe packets used by HA (High-availability) control plane might be processed incorrectly.
PR Number Synopsis Category: usf nat related issues
1599603 MX SPC3: applications for protocol ICMP are not detected, and the user is not allowed to modify inactivity-timeout values.
Product-Group=junos
MX SPC3: applications for protocol ICMP are not detected, and the user is not allowed to modify inactivity-timeout values.
 

19.4R3-S5 - List of Known issues
PR Number Synopsis Category: BBE multicast related issues
1545394 JDI BBE REGRESSION : NGMPC2 core seen@gmph_group_aggregate_client_state: gmph_reevaluate_group:: gmph_destroy_client_group:: gmph_destroy_group_client_groups
Product-Group=junos
When subscribers running distributed imp log out at a high rate, messages from the RE control plane to the line card can sometimes arrive out of order. The line card then has too much work to do deleting the pseudo-if before all its subscribers and hogs the CPU for so long that it is killed by the scheduler, which causes the crash. This is a rare condition.
PR Number Synopsis Category: MIBs related to BBE
1535754 Snmp mib walk for jnxSubscriber OIDs returns a general error.
Product-Group=junos
SNMP MIB walk for jnxSubscriber OIDs returns a general error.
PR Number Synopsis Category: SRX4100/SRX4200 platform software
1554716 Certain SRX4100, SRX4200 and JRR200 devices SSD may encounter "buffer I/O error" leading to drive failure
Product-Group=junos
Certain SRX4100, SRX4200 and JRR200 device solid-state drives (SSD) may fail with "buffer I/O error" after approximately 3.22 years (Power_On_Hours of 28224) in service due to SSD firmware error. The failed device can be recovered with a power cycle, however failure may reoccur 42 days (1008 hours) later. The impacted SSD firmware version is MG02.
PR Number Synopsis Category: Signature Database
1594283 IDP signature DB update fails
Product-Group=junos
On SRX Branch platforms, the latest signature pack cannot be used because the IDP DB fails to update.
PR Number Synopsis Category: IPSEC/IKE VPN
1530684 On all SRX Series devices using IPsec with NAT traversal, MTU size for the external interface might be changed after IPsec SA is re-established.
Product-Group=junos
On all SRX series devices using IPsec with NAT Traversal, MTU size might be changed to a lower value for the ike external interface after IPsec SA is re-established.
PR Number Synopsis Category: Security platform jweb support
1606271 On All SRX platforms, if you make a change in JWeb and refresh the page, the changes will not appear in the configuration
Product-Group=junos
On All SRX platforms, if you make a change in JWeb and refresh the page, the changes will not appear in the configuration. Instead, you will get a message that a commit is pending.
PR Number Synopsis Category: Label Distribution Protocol
1529944 The rpd may crash if deactivating the routing-instance with LDP configured
Product-Group=junos
On all Junos platforms with LDP configured in the routing-instance, rpd might crash if deactivating the routing-instance which has IPv4 address routes of LDP.
PR Number Synopsis Category: Multiprotocol Label Switching
1598207 Sometimes MPLS LSP may go down due to a timing issue when a protected link goes down
Product-Group=junos
When a protected link goes down, MPLS gets a tunnel local repair message from RSVP and triggers CSPF computation. Next, MPLS gets link protection information through RRO notification. If MPLS receives the TED notification before the RRO notification, CSPF computation fails. Since the link protection flag is not set, MPLS treats the link as unprotected and brings down the LSP.
PR Number Synopsis Category: Neo Interface
1541382 With hold time configuration, the ge Interfaces remain down on reboot.
Product-Group=junos
With hold time configuration, GE Interfaces from MPC cards which use MIC driver (such as MPC2E/3E NG, MPC Type 1, MPC Type 2) may go down.
PR Number Synopsis Category: MX10003/MX204 Platform SW - Chassisd s/w defects
1315577 MX10003 : Despite of having all AC low PEM alarm is raised.
Product-Group=junosvae
An alarm is raised if mixed AC PEMs are present. This occurs because the criteria for checking whether mixed AC is present was changed.
PR Number Synopsis Category: Configuration management, ffp, load action
1585479 After image upgrade device might fail to come up due to certain configurations
Product-Group=junos
On all Junos platforms in a dual-RE or chassis cluster scenario, the RE/node might fail to come up at the first reboot after a software upgrade if NTP is configured as a fully qualified domain name (FQDN) and the following configuration is present: "set system name-resolution no-resolve-on-input"
PR Number Synopsis Category: UI Infrastructure - mgd, DAX API, DDL/ODL
1555685 The chassisd core dump might be observed if PIC number 2 or 3 is used on MX204
Product-Group=junos
On MX204, if PIC number 2 or 3 is used for an interface under groups, the chassisd process might crash.
 
Modification History:
First publication 2021-07-30