20.2R3-S2: Software Release Notification for JUNOS Software Version 20.2R3-S2

Article ID: TSB18137 TECHNICAL_BULLETINS Last Updated: 06 Aug 2021 Version: 1.0
Alert Type:
SRN - Software Release Notification
Product Affected:
ACX EX MX NFX PTX QFX SRX
Alert Description:
Junos Software Service Release version 20.2R3-S2 is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Risk: Low/Notification - No defined time impact to take action
Risk Description: Software Release Notification
Impact: Low/Notification - Monitor the situation but no action needed
Impact Description: Software Release Notification

Solution:

Junos Software Service Release version 20.2R3-S2 is now available.

20.2R3-S2 - List of Fixed issues 
PR Number Synopsis Category: EX4300 PFE
1597548 Broadcast traffic might be discarded when a firewall filter is applied to the loopback interface
Product-Group=junos
On EX4300 platforms, when a firewall filter for broadcast traffic with discard action policer is applied to the loopback interface, all broadcast packets (including Layer 2 forwarding packets, such as DHCP discover packets) that match this filter rule might be dropped.
1598251 VLAN tagged traffic might be dropped with service provider style configuration
Product-Group=junos
On EX4300 platforms with both enterprise style and service provider style configurations, on an interface with an enterprise style IFL and flexible-vlan-tagging configured, VLAN tagged traffic might be dropped due to incorrect programming in the system.
PR Number Synopsis Category: EX4300 Platform
1582457 The pfex might crash during PIC 4x 1G/10G SFP/SFP+ offline/online
Product-Group=junos
On EX4300 platform, the pfex might crash while performing offline/online via CLI on 4x 1G/10G SFP/SFP+ or removing SFP module. When the issue happens, it might cause a traffic impact and generate a core file.
PR Number Synopsis Category: EX9200 Platform
1571399 Packet loss might be observed when sample based action is used in firewall filter
Product-Group=junos
On MX/EX92 platforms, if sample based action is used in firewall filter for an interface, such as syslog/log/port-mirror/Jflow, traffic loss might be observed if the sampled packets rate exceeds default DDOS sample bandwidth.
PR Number Synopsis Category: EX-Series VC Infrastructure
1579430 EX4300 VCP might not come up after upgrade when QSFP+-40G-SR4/QSFP+-40G-LR4/QSFP+40GE-LX4 is used
Product-Group=junos
On EX4300 VC platform, the virtual-chassis ports might go down after the image upgrade. This issue is seen in a scenario when QSFP+-40G-SR4/QSFP+-40G-LR4/QSFP+40GE-LX4 is used as VCP. The issue is fixed in the following Junos releases: junos:18.4R3-S9 junos:19.1R3-S6 junos:19.4R3-S4 junos:20.2R3-S2 junos:20.3R3 junos:20.4R3 junos:21.1R2 junos:21.2R1 junos:21.2R2 junos:21.3R1
PR Number Synopsis Category: QFX L3 data-plane/forwarding
1582408 Traffic loss may be seen when IPv6 traffic is forwarded by an IPv4 GRE tunnel
Product-Group=junos
On QFX platforms, when IPv6 traffic is forwarded through an IPv4 GRE (Generic Routing Encapsulation) tunnel and the destination IPv6 address is not resolved/present in the IPv6 neighbor database, it may be dropped.
PR Number Synopsis Category: MPC Fusion SW
1586403 Traffic drop after enabling flexible-queuing-mode on MPC2E linecards
Product-Group=junos
MPC2E NG PQ & Flex Q with MACsec dropping 50 percent of traffic after enabling flexible-queuing-mode on both 1G and 10G. Changed the port speed for MACSEC MIC from 1G to 10G to increase the XQIF queue size to 32. On MX platform with MPC2E NG line cards and MACSEC MIC, traffic drop of about 50 percent may be seen when flexible-queuing-mode is enabled and traffic is sent at the rate of more than 5Gbps.
PR Number Synopsis Category: BBE interface related issues
1577007 Commit failure-error: Modified IFD "ae0" is in use by targeted BBE subscriber, commit denied - mtu config changed (1522), (1514)
Product-Group=junos
Commit failure-error: Modified IFD "ae0" is in use by targeted BBE subscriber, commit denied - mtu config changed (1522), (1514). The commit check error might be observed when targeted-distribution is configured for Subscriber Management associated with ae interfaces.
PR Number Synopsis Category: Border Gateway Protocol
1581578 BGP replication might be stuck in rare and timing conditions
Product-Group=junos
On all platforms with dual Routing Engines running Junos OS or Junos OS Evolved, BGP Nonstop-Routing replication might be stuck in a rare and timing case. BGP session(s) on the primary Routing Engine are stuck in "SoWait" state, and BGP session(s) on the backup Routing Engine cannot sync with the primary Routing Engine. From the BGP peer side, the BGP session(s) will break after hold-time expiry (90 seconds by default). This defect could be seen after the following series of events happen.
* BGP NSR replication starts while primary Routing Engine (BGP session) is busy reading packets (i.e. protocol data unit).
* Primary Routing Engine (BGP session) requests to stop reading at PDU boundary.
* While BGP session on primary Routing Engine is waiting to read complete packet (remaining bytes), the TCP sync connection (between primary and backup BGP) flaps (i.e., PDU boundary is NOT read before the flap).
PR Number Synopsis Category: BBE Remote Access Server
1603030 The "Service session entry creation failed" errors are seen during ephemeral commit
Product-Group=junos
On MX platforms and in subscriber scenario, the "Service session entry creation failed" messages are seen in syslog sometimes during ephemeral commit (usually with ESSM service activation). This can cause some services to fail. This is caused by occasional failure of shmlog filtering feature.
PR Number Synopsis Category: MX Platform SW - FRU Management
1595693 Firmware may fail to be downloaded to MIC on MX Virtual Chassis setup
Product-Group=junos
On MX platforms with Virtual Chassis (VC), firmware upgrading may fail due to an improper Trivial Network Protocol (TNP) server address, so the firmware will fail to be downloaded to the MIC.
PR Number Synopsis Category: MX Platform SW - UI management
1551171 Silent compact flash (/dev/ada1) failure might occur during reboot/startup of router
Product-Group=junos
On MX platforms with routing-engine RE-S-1800X4, compact Flash failure without any alarms might occur during reboot. The compact flash is used for storing recovery image and if this issue is hit, it is not possible to take snapshot which can be used for recovery later. This means, if RE disk image also goes bad, router needs to be recovered manually using USB with physical presence.
PR Number Synopsis Category: QFX Access Control related
1587837 Process dot1xd crash might be seen and re-authentication may be needed on EX9208 platform
Product-Group=junos
On EX9208 platform with fusion scenario where around 30,000 mac-radius authenticated sessions are established, process dot1xd might crash and the users may need to re-authenticate. The relevant memory is not freed when dot1x is deleted on any interface, which causes a memory leak and leads to the crash.
PR Number Synopsis Category: EVPN control plane issues
1590128 The traffic might be dropped in EVPN-VXLAN multihomed scenario
Product-Group=junos
In EVPN-VXLAN multihomed scenario, when an ESI (Ethernet segment identifier) is shared among EVIs (EVPN instances), if the ESI is deactivated and activated back, it might affect the traffic.
PR Number Synopsis Category: Signature Database
1594283 IDP signature DB update fails
Product-Group=junos
On SRX Branch platforms, the latest signature pack cannot be used because the IDP DB fails to update.
PR Number Synopsis Category: jdhcpd daemon
1594371 jdhcpd core dump post Junos upgrade to 18.4R3-S4.2
Product-Group=junos
After a Junos upgrade to 18.4R3-S4.2, a jdhcpd core dump can sometimes be observed with DHCP process restarts; there is no service impact.
PR Number Synopsis Category: High Availability/NSRP/VRRP
1591559 Security policies might not be synced to all PFEs (Packet Forwarding Engine) post upgrade
Product-Group=junos
On SRX-Series devices configured in chassis-cluster, after ISSU (in-service software upgrade) when there is any policy or ipid related events/config change, the security policies might not sync to all the PFEs.
PR Number Synopsis Category: Security platform jweb support
1592021 Junos OS: J-Web allows a locally authenticated attacker to escalate their privileges to root. (CVE-2021-0278)
Product-Group=junos
An Improper Input Validation vulnerability in J-Web of Juniper Networks Junos OS allows a locally authenticated attacker to escalate their privileges to root over the target device. Please refer to https://kb.juniper.net/JSA11182 for more information.
1602228 J-web application might crash with httpd core-dumps
Product-Group=junos
On SRX-Series devices, the J-web application might crash and generate httpd core-dumps when "set system no-compress-configuration-files" is configured.
1603993 Radius users might not be able to view/modify configuration via J-web
Product-Group=junos
On SRX-Series devices, when Radius server is used for authentication with login-class "Juniper-Local-User-Name" then users might not be able to view/modify configuration via J-web.
PR Number Synopsis Category: Layer2 forwarding on EX/NTF/PTX/QFX
1584109 Layer-2 multicast VXLAN instance is down since local vtep ifl is not associated to EVPN instance
Product-Group=junos
Multicast VXLAN EVPN instance is down since local vtep ifl is not associated to EVPN instance post deactivate/activate of routing-instance.
PR Number Synopsis Category: mc-ae interface
1583547 Newly added MC-LAGs do not come up after RE switchover
Product-Group=junos
In the MC-LAG scenario, after RE switchover on the peer node, due to a timing issue, newly added MC-LAGs do not come up on the peer.
PR Number Synopsis Category: MPC11 ULC platform software related issues.
1527266 Set of Info level ORPHAN (no passwd entry) cron logs is displayed every 1 minute.
Product-Group=junos
Set of Info level ORPHAN (no passwd entry) cron logs is displayed every 1 minute.
PR Number Synopsis Category: DCBX
1554098 The interface might not come up with 1G optics.
Product-Group=junosvae
On QFX-5100-48s platforms, the interfaces might remain in down state after loading the QFX 5E Series image on the device. This issue is only observed with 1G optics (SFP-SX & SFP-LX10) and auto-negotiation setting enabled. The traffic through the affected interface will be lost.
PR Number Synopsis Category: QFX L2 PFE
1602811 Traffic loss might be seen in MC-LAG scenario on EX4600/QFX platforms
Product-Group=junos
On EX4600/QFX platforms running as the Multichassis Link Aggregation Group (MC-LAG) peers, if the knob "flexible-vlan-tagging" is configured on the interface connecting with the MC-LAG client device, one of the MC-LAG peers is disabled and the corresponding interface on the DUT is flapped, then traffic loss might be seen on the Interchassis Link (ICL).
PR Number Synopsis Category: QFX EVPN / VxLAN
1561588 Dcpfe process might crash after committing EVPN-VXLAN profile configuration and ARP resolution may fail, causing traffic issues.
Product-Group=junos
Dcpfe process might crash after committing EVPN-VXLAN profile configuration and ARP resolution may fail, causing traffic issues.
1589702 LLDP packets drop on SP style interface for QFX devices
Product-Group=junos
On QFX platforms with VxLAN ports configured in SP style, LLDP neighborship may not be formed due to wrong IFL allocation in hostpath. This can cause LLDP packet drops.
1601949 On QFX5120-48y-8c, dc-pfe core observed while issuing "show pfe vxlan nh-usage" in ERB EMC scenario with ~6000 ARP entries
Product-Group=junos
dc-pfe core observed while issuing "show pfe vxlan nh-usage", if there are any VTEP tunnels reachable through unilist.
PR Number Synopsis Category: KRT Queue issues within RPD
1588439 The rpd crash might be observed on the router running a scaled setup
Product-Group=junos
On all Junos platforms, in a rare scenario with a scaled routing setup, the kernel memory might get full, which could lead to the rpd crash. There will be service impact and it will recover automatically after the crash. When the rpd crash happens, the core-dump files could be seen by executing CLI command "show system core-dumps".
user@hostname> show system core-dumps
-rw-rw---- 1 root field  /var/tmp/rpd.core<*>.gz
PR Number Synopsis Category: Secure Web Proxy functionality on Junos
1585542 Secure Web Proxy continues sending DNS queries for an unresolved DNS entry even after the entry was removed
Product-Group=junos
On SRX Series devices, Secure Web Proxy continues sending DNS queries for an unresolved DNS entry even after the entry was removed.
1589957 Pass-through traffic might fail post reboot when Secure Web Proxy is configured
Product-Group=junos
On SRX-Series devices, pass-through traffic on Secure Web Proxy may fail after rebooting the device.
PR Number Synopsis Category: Trio pfe l3 forwarding issues
1548972 FPC crash may occur after flapping the multicast traffic
Product-Group=junos
On all MX Series routers and the EX9200 line of switches with Trio line cards in a scaled scenario (8000 logical interfaces), any activity that causes the number of multicast receivers to change can cause FPC crash and traffic drop. One example of the scenario that can cause this issue is a scaled setup running IGMP join/leave test. As long as allocation happens from 24-bit memory, it is fine. The moment any allocation happens from 25-bit memory, a core file (or dump file) will be seen. The FPC will restart after the issue and traffic will be restored.
PR Number Synopsis Category: VSRX platform software
1564117 Fabric probe packets might be processed incorrectly when power-mode-ipsec (PMI) is enabled
Product-Group=junos
On SRX-Series devices with PMI enabled, the fabric probe packets used by HA (High-availability) control plane might be processed incorrectly.
PR Number Synopsis Category: usf nat related issues
1599603 MX SPC3 applications for protocol ICMP are not detected and do not allow the user to modify inactivity-timeout values.
Product-Group=junos
MX SPC3 applications for protocol ICMP are not detected and do not allow the user to modify inactivity-timeout values.
 

20.2R3-S2 - List of Known issues 
PR Number Synopsis Category: QFX PFE CoS
1568333 Traffic might be dropped by destination device
Product-Group=junos
On QFX5120/EX4400/EX4650 platforms, if the switch is acting as a routing transit device, and if the value of the IPv4 header checksum is 0xffff in the ingress traffic, the checksum of the IPv4 header will not be recalculated even though the TTL (time to live) value has been reduced. This will most likely lead to traffic being dropped by the next transit-device or the destination-device due to the bad checksum.
PR Number Synopsis Category: Border Gateway Protocol
1585321 The rpd crash might be seen when BGP RPKI session record-lifetime is configured less than the hold-time
Product-Group=junos
In BGP RPKI (Resource Public Key Infrastructure) scenario, if the session record-lifetime is configured less than the hold-time, the record-lifetime for route validation (RV) might expire while the session is still up, which will cause the rpd crash.
PR Number Synopsis Category: EVPN control plane issues
1586361 BGP session failing towards ESI LAG after a JUNOS upgrade from 19.1R3-S2 to 20.2R2-S2
Product-Group=junos
The command "set protocols evpn remote-ip-host-routes" is needed in EVPN VxLAN leaf devices if the BGP session is established over IRB interfaces. This is needed in releases after 19.x.
PR Number Synopsis Category: EVPN Layer-2 Forwarding
1570757 The l2ald process may crash and restart with an l2ald core file created when the global level telemetry sensor is enabled
Product-Group=junos
On EX2300/EX3400/EX4300/EX46xx/QFX5xxx/QFX1xxxx/MX Series, the l2ald process may crash when the global level telemetry sensor is enabled and data is streamed every 1 second. The L2 functionality would be impacted during the l2ald crash.
PR Number Synopsis Category: SRX4100/SRX4200 platform software
1554716 Certain SRX4100, SRX4200 and JRR200 devices SSD may encounter "buffer I/O error" leading to drive failure
Product-Group=junos
Certain SRX4100, SRX4200 and JRR200 device solid-state drives (SSD) may fail with "buffer I/O error" after approximately 3.22 years (Power_On_Hours of 28224) in service due to SSD firmware error. The failed device can be recovered with a power cycle, however failure may reoccur 42 days (1008 hours) later. The impacted SSD firmware version is MG02.
PR Number Synopsis Category: Firewall Network Address Translation
1406248 The nsd process crashes and creates coredump. This can impact transit traffic.
Product-Group=junos
If an application is configured in source/destination NAT rule, once this application is deleted or modified, the nsd process might crash and generate a coredump. This can lead to packet drops.
PR Number Synopsis Category: Multiprotocol Label Switching
1287337 In SR-TE path, IPv6 Explicit NULL Label is not removed when the top label resolves over explicit null
Product-Group=junos
In an SR-TE path, if the top label has IPv6 Explicit NULL Label (label 2), it is not removed even when there are real labels below it.
1598207 Sometimes MPLS LSP may go down due to a timing issue when a protected link goes down
Product-Group=junos
When a protected link goes down, MPLS gets a tunnel local repair message from RSVP and triggers CSPF computation. Next, MPLS gets link protection information through RRO notification. If MPLS receives the TED notification before the RRO notification, then CSPF computation fails. Since the link protection flag is not set, MPLS thinks it is an unprotected link and brings down the LSP.
PR Number Synopsis Category: DCBX
1317750 On the QFX5100-48T-6Q line of switches, the port LEDs might not work.
Product-Group=junosvae
Port LEDs on the QFX5100 do not work. If a device connects to a port on the QFX5100, the port LED stays unlit.
PR Number Synopsis Category: QFX L3 data-plane/forwarding
1380350 Reroute counter log events are seen sometimes while changing the routes pointed by the unilist next hop.
Product-Group=junos
When adding or deleting routes that are pointed to by the unilist next hop, reroute counter log events might be seen. These are harmless messages and do not have any functionality impact.
PR Number Synopsis Category: QFX EVPN / VxLAN
1562692 On QFX5K platforms, the dcpfe process might crash after deleting VXLAN configuration
Product-Group=junos
On QFX5K platforms in EVPN-VXLAN scenario, if VXLAN configuration is deleted then due to a race condition dcpfe process might crash. This might impact traffic.
1570689 Unexpected multicast traffic streams after enabling EVPN is observed.
Product-Group=junos
BUM traffic replication over VTEP is sending out more packets than expected and there seems to be a loop also in the topology.
PR Number Synopsis Category: RPM and TWAMP
1522488 rmopd reports false TCP errors in the log messages: RMOPD_TWAMP_SOCKOPT_FAILURE setsockopt(TCP_KEEP.*) failed, error: Invalid argument. This is a cosmetic issue.
Product-Group=junos
rmopd reports false TCP errors in the log messages: RMOPD_TWAMP_SOCKOPT_FAILURE setsockopt(TCP_KEEP.*) failed, error: Invalid argument. This is a cosmetic issue. The issue is fixed in Junos releases 21.1R1 and newer.
PR Number Synopsis Category: Trio pfe bridging, learning, stp, oam, irb software
1520626 On the MX480 router, during the verification of GRES and NSR functionality with VXLAN feature, the convergence is not as expected L2-DOMAIN-TO-L3VXLAN.
Product-Group=junos
With GRES and NSR functionality with VXLAN feature, the convergence time may be slightly higher than expected for L2-DOMAIN-TO-L3VXLAN
PR Number Synopsis Category: QFX RCB issues
1601867 During image upgrade sometimes system goes for NMI / auto vmcore generation
Product-Group=junos
There is a remote possibility that during many reboots, the Junos VM goes into a state where NMI is needed to continue the reboot. There is no workaround for this and a subsequent reboot does not seem to hit this issue.
 
Modification History:
First publication 2021-06-08