
20.4R3-S1-EVO: Software Release Notification for JUNOS Software Version 20.4R3-S1-EVO

Article ID: TSB18209 TECHNICAL_BULLETINS Last Updated: 23 Nov 2021 Version: 1.0
Alert Type:
SRN - Software Release Notification
Product Affected:
PTX and QFX Series running Junos Evolved Software
Alert Description:
Junos Software Service Release version 20.4R3-S1-EVO is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Risk: Low/Notification - No defined time impact to take action
Risk Description: Software Release Notification
Impact: Low/Notification - Monitor the situation but no action needed
Impact Description: Software Release Notification

Solution:

Junos Software Service Release version 20.4R3-S1-EVO is now available.

20.4R3-S1-EVO - List of Fixed issues

PR Number Synopsis Category: "agentd" software daemon
1590432 Non-zero values might be displayed against the drops field in the "show network-agent statistics" CLI after switchover scenarios.
Product-Group=evo
In switchover scenarios, if the collector that was connected to the older master tries to connect to the new master immediately, non-zero values could be seen in the drops field of the "show network-agent statistics" CLI. These are not actual packet drops. Each packet sent as part of streaming data contains a header with meta information about the packet contents. One field in the header indicates the current packet's sequence number. This is a monotonically increasing number for each packet from a producer of telemetry data. During switchover cases, collectors may receive initial packets with a higher sequence number, which could get reset to 0 after some time. Due to this pattern, the CLI would show non-zero values against the drops field. Note: These are not actual packet drops and there is no functionality impact. However, it is not expected to see further increase in the value shown against the drops field.
PR Number Synopsis Category: Border Gateway Protocol
1611070 The rpd may crash after a commit if more than one address in the same address range is configured under 'bgp allow'
Product-Group=evo
If the 'bgp allow' feature is used and there is more than one address in the same address range, the rpd may crash on a commit with such a configuration. Subsequent commits related to BGP configuration changes can cause rpd to crash as well.
1616931 Excessive logging of RPD_RV_INVALID_ENTRY messages
Product-Group=evo
Every time a BGP policy evaluates RPKI status of a prefix as INVALID, a syslog message is printed.
PR Number Synopsis Category: Interfaces on QFX52xx platforms running EVO software
1576199 QFX5220, QFX5130: MTU changes cause the interface to flap multiple times
Product-Group=evo
Any MTU change on an interface on QFX5220-32CD, QFX5220-128C or QFX5130 will cause the interface to flap multiple times. This will stabilize within 2 seconds.
PR Number Synopsis Category: PFE L2 forwarding features on BT based platforms
1612606 The ISIS session might not come up when network type is p2p for IRB interface
Product-Group=evo
On EVO PTX platforms, the ISIS protocol session might not come up when network type is p2p (point-to-point) for an IRB (Integrated Routing and Bridging) interface. This issue is seen because the ISIS control packets are exchanged with a special destination MAC, 09:00:2b:00:00:04/05, which is not handled by the MAC table when ISO family is enabled/disabled.
PR Number Synopsis Category: QFX xSTP Control Plane related
1592264 xSTP might not get configured when enabled on an interface with SP style configuration on all platforms
Product-Group=evo
On all Junos and EVO platforms, if xSTP is enabled on an interface with service provider (SP) style configuration and the interface has multiple IFLs (units), each having different families, then xSTP might not be configured on the interface and the commit might fail with the following error message: "XSTP : Interface <> is not enabled for Ethernet Switching"
PR Number Synopsis Category: mgd, ddl, odl infra issues
1594651 Junos OS Evolved: Allow an attacker with authenticated CLI access to be able to bypass configured access protections to execute arbitrary shell commands (CVE-2021-31356)
Product-Group=evo
A command injection vulnerability in command processing on Juniper Networks Junos OS Evolved allows an attacker with authenticated CLI access to be able to bypass configured access protections to execute arbitrary shell commands within the context of the current user. Refer to https://kb.juniper.net/JSA11221 for more information.
1602331 Configuration transfer-on-commit not working if commit is done via netconf
Product-Group=evo
On all Evo platforms, transfer-on-commit may not work when the commit is done via netconf over ssh and the session is closed as soon as the commit is done (typically within 2-4 seconds). With the configuration below committed under the system hierarchy (the scp URL is variable):
  1. Open a Netconf session over ssh
  2. Run the edit-config RPC with some config
  3. Run the commit RPC
  4. Run the close-configuration and close-session RPCs as soon as the commit RPC is done (please check techpub for the right RPCs)
archival {
    configuration {
        transfer-on-commit;
        archive-sites {
            "scp://root@10.85.211.88/root/anim/" password "$9$0KNeORSrlMLX-Sys2aJDj"; ## SECRET-DATA
        }
    }
}
PR Number Synopsis Category: SNMP, mib2d issues
1621606 Incorrect IF-MIB::ifHCInUcastPkts and ifHCInBroadcastPkts statistics
Product-Group=evo
Incorrect IF-MIB::ifHCInUcastPkts and ifHCInBroadcastPkts statistics are reported.
PR Number Synopsis Category: Indirect nexthop routing infrastructure
1613723 The process rpd might crash in BGP rib-sharding scenario
Product-Group=evo
On all Junos and Junos Evolved platforms, an rpd crash might be seen when BGP rib-sharding is enabled, and it may affect services/traffic.
PR Number Synopsis Category: RPD policy options
1600544 The configuration check would fail if more than 8 FCs are configured and CBF is enabled
Product-Group=evo
On EVO platforms, the configuration check would fail if more than 8 FCs are configured and CBF is enabled. EVO can support up to 16 FCs with CBF, so the 'max-forwarding-classes' platform-parameters knob is added to the default-config for EVO platforms.
PR Number Synopsis Category: RPD route tables, resolver, routing instances, static routes
1599084 IPv4 static route might still forward traffic unexpectedly even when the static route configuration has already been deleted
Product-Group=evo
On all Junos and EVO platforms with "static defaults" configured under "routing-options" hierarchy, if IPv4 static route configuration is added, and then deleted, the IPv4 static route will not be removed from routing table and still forward traffic unexpectedly due to this issue.
PR Number Synopsis Category: Configuration management, ffp, load action
1601159 The commitd core file may be observed after committing some configuration change
Product-Group=evo
On all Junos platforms, if juniper.db size is more than 700 MB and commitd is invoked, it causes the device to generate a core file (or dump file).
 

20.4R3-S1-EVO - List of Known issues

PR Number Synopsis Category: Issues related to debug utilities - objmon,objshell/Dashboard
1602272 Junos OS and Junos OS Evolved: python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API via timed processing of valid PKCS#1 v1.5 ciphertext. (CVE-2020-25659)
Product-Group=evo
A vulnerability in the python cryptographic library as used in Juniper Networks Junos OS and Junos OS Evolved allows an attacker to perform timing oracle attacks against RSA decryption. Please refer to https://kb.juniper.net/JSA11245 for more information.
PR Number Synopsis Category: mgd, ddl, odl infra issues
1595006 SSH connection-limit & port configuration under "system services ssh" might cause warnings during commit in some cases.
Product-Group=evo
On EVO, SSH connection-limit and port configuration under "system services ssh" might cause warnings during commit in some cases but has no impact on the commit.
PR Number Synopsis Category: Express PFE CoS Features
1580795 In certain scenarios, shapers applied on a 10g interface may drop the traffic more than the configured max-rate.
Product-Group=evo
In certain scenarios, shapers applied on a 10g interface may drop the traffic more than the configured max-rate.
PR Number Synopsis Category: QFX52xx Timing software
1604699 PTP stuck in freerun state with enterprise profile
Product-Group=evo
On the QFX5220-32cd platform, the PTP BC state machine can get into the freerun state (the expected state is Phase Aligned). This can happen when the configuration is applied in the following order: (1) config PTP BC, then commit; (2) config IP address on interface, then commit. The workaround is to apply all of the configuration in a single commit: (1) config PTP BC; (2) config IP address on interface; (3) commit.
PR Number Synopsis Category: PTX10K specific platform PRs
1581476 PTX10008 Evo, CB 1 becomes "Fault Standby" after "request node power-off re1"
Product-Group=evo
Evo, CB becomes "Fault Standby" after issuing "request node power-off re " on master re. The correct CB state is Offline. This applies to all variants of PTX10K (4/8/16 slots)
PR Number Synopsis Category: EVO Services Sflow PRs for defect & enhancement requests
1602448 EVO:: sflow ingress sampling reports oif as 0 and nextHop as 0000:0000:0000:0000:0000:0000:0000:0000 with user ipv6 traffic with ECMP case at last hop router with Ultimate Hop Pop lsp
Product-Group=evo
Sflow ingress sampling reports incorrect OIF and NH with user ipv6 traffic in ECMP scenario at last-hop router with Ultimate Hop Pop lsp
 
Modification History:
First publication 2021-11-23