Issues in JUNOS Software Release 9.3 for M-series, MX-series, and T-series Routing Platforms

The current software release is Release 9.3R4. For information about obtaining the software packages, see Upgrade and Downgrade Instructions for JUNOS Software Release 9.3 for M-series, MX-series, and T-series Routing Platforms.

• Current Software Release
• Previous Releases

Current Software Release

The current software release is Release 9.3R4. For information about obtaining the software packages, see Upgrade and Downgrade Instructions for JUNOS Software Release 9.3 for M-series, MX-series, and T-series Routing Platforms.

Outstanding Issues

Platform and Infrastructure

• If the tunnel destination is in a VPN, the generic routing encapsulation (GRE) traffic may get deleted due to a lookup in the wrong forwarding table. [PR/45035]
• When you configure a source class usage (SCU) name with an integer (for example, 100) and use this source class as a firewall filter match condition, the class identifier might be misinterpreted as an integer, which might cause the filter to disregard the match. [PR/50247]
• On a Monitoring Services III PIC configured as a dynamic flow capture (DFC) interface (dfc-fpc/pic/port), when you configure the DFC interface as the next hop in a forwarding path, port-mirrored packets might become corrupted. [PR/60799]
• If you configure 11 or more logical interfaces in a single VPLS instance, VPLS statistics might not be reported correctly. [PR/65496]
• When a large number of kernel system log messages are generated, the log information might become garbled and the severity level could change. This behavior has no operational impact. [PR/71427]
• On M320 and T-series routing platforms, there is a process that monitors FPCs while they transition to an online state. If an FPC is busy and cannot complete the transition within the time limit, the process might time out and prevent the FPC from coming online. [PR/72364]
• In the situation where a Link Services (LS) interface to a CE router appears in the VPN routing and forwarding table (VRF table) and a fragmentation is required, Internet Control Message Protocol (ICMP) cannot be forwarded out of the LS interface from a remote PE router that is in the VRF table. As a workaround, include the vrf-table-label statement in the configuration. [PR/75361]
• On the T-series routing platform, when you include the no-labels configuration statement at the [edit forwarding-options hash-key family mpls] hierarchy level, the statement is added to the configuration; however, MPLS labels are still included in the hash key. [PR/80334]
• Traceroute does not work when ICMP tunneling is configured. [PR/94310]
• The initialization fails to parse the configuration present in the init.conf file. [PR/94576]
• For T-series and M320 routers, multicast traffic with the do not fragment bit set to a low MTU value is being dropped. If the clear pim join command is executed, the router stops forwarding all traffic transiting the interface. [PR/95272]
• A firewall filter that matches the forwarding class of incoming packets (that is, includes the forwarding-class statement at the [edit firewall filter filter-name term term-name from] hierarchy level) might incorrectly discard traffic destined for the Routing Engine. Transit traffic is handled correctly. [PR/97722]
• The JUNOS software does not support dynamic ARP resolution on Ethernet interfaces that are designated for port mirroring. This causes the Packet Forwarding Engine to drop mirrored packets. As a workaround, configure the next-hop address as a static ARP entry by including the arp ip-address statement at the [edit interfaces interface-name] hierarchy level. [PR/237107]
• Currently, the JUNOS Software cannot build an outbound serial connections through the AUX port. For example, build an outbound serial connection to a console on an adjacent router. [PR/256818]
• On T640, T320, and M320 routers, if you take an FPC offline during an ISSU boot, other FPCs in the router might crash. This happens when there is transit traffic flowing from the other FPCs towards the offlined FPC. [PR/268294]
• When Periodic Packet Management (PPM) delegation for Bidirectional Forwarding Detection (BFD ) sessions is disabled (the delegate-processing statement is removed at the [edit routing-options ppm] hierarchy level), the BFD sessions might be terminated (because a "state is down" message is sent) and reestablished. [PR/280233]
• When you perform an in-service software upgrade (ISSU) on a routing platform with an FPC3 or an Enhanced FPC3 with 256 MB of memory and the number of routes in the routing table exceeds 750,000, route loss might occur. If route loss occurs, as a workaround, perform either of the following tasks: (a) replace the FPC3 or Enhanced FPC3 with another FPC that has more memory, or (b) after the ISSU is complete, reboot only the FPC3 or Enhanced FPC3. [PR/282146]
• For Routing Engines rated at 850 MHz (which appear as RE-850 in the output from the show chassis hardware command), messages like the following might be written to the system log when you insert a PC Card: “bad Vcc request” and “Device does not support APM.” Despite the messages, operations that involve the PC Card work properly. [PR/293301]
• Next-hop marking (marked with a dash) in the show route forwarding-table command output indicates which next hops might not transmit traffic in a hierarchical load-balancing topology (for example, multiple load-balanced LSPs over multiple paths or aggregated interfaces). The forwarding-options indexed-next-hop statement was added to address hierarchical load-balancing issues, but configuring this statement may result in the next-hop marking being inaccurate and so the markings should be ignored. [PR/293306]
• Temporary files named in the format cprodxxxxxx are retained in the temporary directory on the router and can be deleted. [PR/304750]
• On a Protected System Domain, under the following conditions an FPC might generate a core file and stop operating: (a) a firewall policer with a large number of counters (for example, 20,000) is applied to a shared uplink interface and (b) the FPC that houses the interface does not have a sufficiently powerful CPU. As a workaround, reduce the number of counters or install a more powerful FPC. [PR/311906]
• The SSB servers display an error when you delete a string from the redix tree and then reboot. [PR/312453]
• When you commit a configuration that includes the dynamic demux relay feature and there is a large number of subscribers (for example, 64,000), all subscribers do not become active and the kernel generates an error. [PR/312563]
• Traffic originating from a remote PE router is silently dropped without informing the source that the data did not reach its intended recipient when the multicast MAC address is configured on the local PE router for a CE device. [PR/398698]
• Following an FPC reset, the next-hop route pointing to the service PIC interface running RPM might be incorrect. [PR/438599]

User Interface and Configuration

• The CLI does not generate a warning if multiple users are configured with the same user ID. [PR/55774]
• On M20 routers, after a Routing Engine mastership switchover, it might not be possible to enter CLI configuration mode on the new master Routing Engine. Also, the request system reboot and request system halt commands do not clearly fail but do not return the CLI prompt either. [PR/64899]
• The logical system administrator can modify and delete master administrator-only configurations by performing local operations such as issuing the load override, load replace, and load update commands. [PR/238991]
• When you are working in private configuration mode and try to commit a configuration that includes a comment about an inactive configuration statement, the commit operation fails with the message "syntax error.". [PR/270160]
• In the output from the configuration mode show | compare command, the banner might be the parent level of the current hierarchy level instead of the current level itself. For example, when the current hierarchy level is [edit interfaces fe-1/1/1], the banner in the output reads [edit interfaces], but the additions and deletions are reported with respect to the [edit interfaces fe-1/1/1] level. [PR/291574]
• A user belonging to a login class with limited rights to modify a specific firewall filter cannot use the insert command to reorder firewall terms. [PR/310872]
• The IPv6 PMTU discovery timeout variable is ip6_pmtu_timeout instead of path_mtu_timeout. [PR/315133]
• When executing the commit sync command, messages appear on the backup Routing Engine. These messages can be ignored. [PR/395716]
• Using the filter config text in the NETCONF get-config command results in a syntax error and the router configuration cannot be returned in ASCII format. [PR/430799]

Interfaces and Chassis

• On aggregated SONET/SDH interfaces, the counter for drops and errors in the show interfaces command output does not display the correct value, because the counter does not collect data from the constituent interfaces within the aggregate. [PR/23577]
• On channelized E1 interfaces, you might be able to configure clocking on ds-fpc/pic /port:n interfaces, where n is not unit 0. This is an invalid configuration and might cause a clocking selection problem on the other channels. [PR/24722]
• On a 2-port OC12 ATM2 IQ interface, the total virtual path (VP) downtime might not display correctly in the show interfaces command output. [PR/27128]
• On M20 and M40 routers, when a physical layer problem affects a SONET/SDH interface, carrier transition statistics might not increment correctly in the output of the show interfaces extensive command. [PR/33325]
• When you configure both the bundle link and constituent links at the [edit (logical-routers logical-router-name | logical-systems logical-system-name) interfaces] hierarchy level, the constituent links do not come up. As a workaround, configure the constituent links at the [edit interfaces] hierarchy level. [PR/35578]
• On the Channelized STM1 with a QPP PIC, error monitoring for CRC and frame errors might not work as expected. [PR/39440]
• When you apply an IPSec firewall filter to match traffic sent across a generic routing encapsulation (GRE) tunnel and originating from the local routing platform, the local traffic is dropped. Transient traffic is not affected. [PR/44871]
• On a Link Services PIC, the CLI might incorrectly allow you to configure a logical tunnel interface (interface identifier lt); the resulting interface might not work correctly. [PR/49818]
• If an MLPPP LSQ bundle carries a large volume of link fragmentation and interleaving (LFI) traffic and a small proportion of multilink traffic, packets might be dropped on the egress constituent links. [PR/56664]

  If you configure IS-IS, MPLS, and graceful Routing Engine switchover (GRES) and a switchover event occurs, the routing platform might end the PPP IP Control Protocol (IPCP) sessions and renegotiate them if the remote side has changed interface MTU settings prior to the switchover event. [PR/61121]

• If you configure graceful Routing Engine switchover (GRES) and issue the request chassis routing-engine master acquire command, in rare cases the master Routing Engine might fail to relinquish mastership, or the switchover to the backup Routing Engine might take up to 360 seconds. [PR/61821]
• For Automatic Protection Switching (APS) on SONET/SDH interfaces, there are no operational mode commands that display the presence of APS mode mismatches. An APS mode mismatch occurs when one side is configured to use bidirectional mode, and the other side is configured to use unidirectional mode. [PR/65800]

  If you ping a nonexistent IPv6 address that belongs to the same subnet as an existing point-to-point link, the packet loops between the two point-to-point interfaces until the time to live expires. [PR/94954]

• The output of the show interfaces diagnostics optics command includes the "Laser rx power low alarm" field even if the transceiver is a type (such as XENPAK) that does not support this alarm. [PR/103444]
• XFP-OC192-SR may report "XFP read fail, retry for 1 times" randomly. This is a cosmetic issue and doesn't affect to the interface functionality. [PR/262883]
• The hot swapping fan tray for the M120 might cause the Check CB alarm to activate. [PR/268735]
• On the JCS 1200, when you issue the clear -config -T switch[1] command using the management module, the switch module returns to its factory default setting instead of the Juniper Networks default setting. As a workaround, do not issue the command. [PR/274399]
• When you configure ILMI on an ATM interface (include the ilmi statement at the [edit interfaces interface-name atm-options] hierarchy level) and a graceful Routing Engine switchover (GRES) or unified in-service software upgrade (ISSU) event occurs, the show ilmi command no longer returns any output. [PR/282051]
• On a router with Frame Relay multilink configured on a MultiServices 400 PIC or on a channelized DS3 PIC, when the minimum links value for the Frame Relay interface is set to 8 and a link is deactivated from the configuration, the link remains up. [PR/285244]
• On the Juniper Control System (JCS) platform, the control and management traffic for all Routing Engines share the same physical link on the same switch module. In rare cases, the physical link might become oversubscribed, causing the management connection to Protected System Domains (PSDs) to be dropped. [PR/293126]
• On a Protected System Domain (PSD) configured with a large number of BGP peers and routes (for example, 5000 peers and a million routes), FPCs might restart during a graceful Routing Engine switchover. [PR/295464]
• When two routers are connected via SONET/SDH interfaces that are configured as container interfaces and the Routing Engine on one router reboots, the container interfaces on the other router might go down and come up again. [PR/302757]
• On M5, M10, M20, and M40 routers, when you issue an SNMP query for alarm LED status (such as the show snmp mib walk jnxLEDState command), the message “FPM device not open” might be logged. This is an erroneous message and can be ignored. [PR/313073]
• On MX-series routers, the path MTU discovery for a GRE tunnel is not functioning properly. [PR/390993]
• In JUNOS Release 9.3 and later, VPLS customer edge (CE)-facing interfaces can be associated with the CE mesh groups to which they belong, instead of only with the default CE mesh group (as in JUNOS Release 9.2 and earlier). However, the JUNOS Release 9.2 behavior still applies to interfaces in a VPLS routing instance that is defined at the [edit logical-systems logical-system-name routing-instances] hierarchy level. Also, if you move the configuration for a logical interface in a VPLS routing instance from the [edit routing-instances routing-instance-name] hierarchy level to the [edit logical-systems logical-system-name routing-instances routing-instance-name] hierarchy level, the value vpls might stop appearing in the Proto column of the output from the show interfaces terse command. As a workaround, perform the move in two steps by removing the interface from the [edit routing-instances routing-instance-name] hierarchy level and committing the configuration, then creating the interface at the [edit logical-systems logical-system-name routing-instances routing-instance-name] hierarchy level and committing again. [PR/400248]
• The XML output is not correct when the Virtual Router Redundancy Protocol (VRRP) track interface is configured. [PR/414734]
• On MX-series routers, MAC address accounting in the egress direction might not work if traffic is unidirectional and no traffic flows in the reverse direction for a duration longer than the aging interval. [PR/415146]
• When you configure the payload port-data statement at the [edit family mpls hash-key] hierarchy level on M120, MX-series, or M320 platforms with E3 FPCs, the hashing algorithm might not take the port-data values into account. [PR/442223]

Services Applications

• The output of the show services nat pool command displays duplicate entries for a single Network Address Translation (NAT) pool. [PR/34678]
• The show services accounting flow-detail extensive command sometimes displays incorrect information about input and output interfaces. [PR/40446]
• On Adaptive Services PICs configured for IPSec tunnel redundancy, if there are a large number of tunnels, sometimes a few of the tunnels might switch over to the backup tunnel. [PR/46733]
• When a routing platform is configured for graceful Routing Engine switchover and Adaptive Services (AS) PIC redundancy, and a switchover to the backup Routing Engine occurs, the redundant services interface (rsp-) always activates the primary services interface (sp-), even if the secondary interface was active before the switchover. [PR/59070]
• For Adaptive Services II PICs, even if you do not configure flow collector services, a temporary file might be created every 15 minutes in the /var/log/flowc/ directory. The file is deleted if there are no clients, and re-created only when a client connects and attempts to write to the file. [PR/75515]
• If a large number of BGP authentication sessions (for example, 400) are configured in a VRF instance, the following message is written to the system log when the configuration is committed: “keyadmin[pid]: dump_assn: posting additional read." This message can be ignored and there is no operational impact. [PR/295407]
• A user belonging to a login class with limited rights to modify a specific firewall filter cannot use the insert command to reorder firewall terms. [PR/312961]
• The IPv6 PMTU discovery timeout variable is ip6_pmtu_timeout instead of path_mtu_timeout. [PR/401247]
• As a fix, the Multilink Point-to-Point Protocol (MLPPP) reassembly logic does not perform a strict out-of-order check. In a multi-CPU packet handling environment, packets arriving later may be processed before the first. [PR/430296]

Subscriber Access Management

• When dynamic IP address assignment is configured, if there is only one address left in the address allocation pool and an attempt to authenticate with a service fails (because, for example the authentication request specifies an invalid service name), a subsequent authentication attempt for the service also fails. The following messages might appear in the log for the authentication process (authd): "assigned address address in use, trying next available" and "Unable to assign an address." [PR/305516]
• When you use a RADIUS Change-of-Authorization (CoA) message to activate a service that is already activated, the service is removed. [PR/307983]

Routing Policy and Firewall Filters

• On M-series and T-series routers running JUNOS Release 9.3R1 and later, FPCs might stop functioning if you configure a firewall filter and include the family any statement at the [edit firewall] hierarchy level, and apply the filter to an interface for which the configuration includes the family iso statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. Apply a firewall filter that is configured with the family any statement only to an interface that is not configured with the family iso statement. [PR/408617]
• On an MX-series router, if you configure a logical interface policer containing the bandwidth-limit and burst-size-limit statements at the [edit firewall police policer-name if-exceeding] hierarchy level, then perform an in-service software upgrade (ISSU) from JUNOS Release 9.3 to 9.4, load another configuration, issue the ping command to verify connectivity to an adjacent neighbor, and finally perform a rollback to the first configuration, you might not be able to reach the neighbor again when you reissue the ping command because the ICMP packet flow might be blocked. [PR/408893]

Routing Protocols

• The CLI allows you to commit a configuration that specifies a value higher than 32 for the metric statement at the [edit protocols dvmrp interface all] hierarchy level, but values higher than 32 are invalid. [PR/33429]
• If a router receives a Pragmatic General Multicast (PGM) Source Path Message (SPM), it does not create a forwarding cache, nor does it forward the message to other routers as a heartbeat, as specified in RFC 3208. Also, the routers multicast cache might time out if it does not receive actual PGM data (ODATA) for more than 6 minutes. As a workaround, configure the PGM source application to send PGM ODATA at least once every 6 minutes. The ODATA acts as the heartbeat message in lieu of the SPM messages and ensures that the multicast and forwarding caches are created and updated. [PR/37504]
• When you configure damping globally and use the import policy to prevent damping for specific routes, and a new route is received from a peer with the local interface address as the next hop, the route is added to the routing table with default damping parameters, even though the import policy has a nondefault setting. As a result, damping settings do not change appropriately when the route attributes change. [PR/51975]
• If a BGP group is created but without any defined peers, a warning message appears when the configuration is committed. [PR/63279]
• When you issue the show ldp traffic-statistics command, the following system log message might be generated for all forwarding equivalence classes (FECs) with an ingress counter set to zero: "send rnhstats GET: error: ENOENT -- Item not found." [PR/67647]
• In the output of the show pim join extensive command, the assert winner status is displayed in the Outgoing Interface List (OIL) for PIM Dense Mode (PIM-DM) but not for auto-RP dense groups. [PR/74737]
• If ICMP tunneling is enabled on the router and you configure a new logical system that does not have ICMP tunneling enabled, the feature is globally disabled. [PR/81884]
• When the flow of multicast traffic changes because an OSPFv3 link goes down, the output from the show multicast statistics inet6 command reports incorrect values in the In kbytes and In packets fields for the new ingress interface. [PR/234969]
• When you commit a new configuration for nonstop routing (NSR) on a primary Routing Engine that differs from the configuration for NSR that is already running on the backup Routing Engine, the routing protocol process stops functioning on the backup Routing Engine only. Traffic forwarding is not affected. [PR/254379]
• Disabling the PIM protocol with the set protocols pim disable command can cause the router to stop operating until that statement is removed. As a workaround, use the deactivate protocols pim command instead. [PR/274478]
• The routing protocol process may restart if PIM is configured to run on unnumbered interfaces. [PR/295319]
• The clear ospf io-statistics command may not clear the counter values that would be seen using the show ospf io-statistics command. [PR/308679]
• The clear ospf io-statistics command might not clear the counter values that are displayed by the show ospf io-statistics command. [PR/401351]
• The show isis statistics command does not display the IS-IS packet statistics. [PR/405022]
• OSPF and IS-IS differ in how they handle the addition of a better internal or external (smaller IGP metric) route into the protocol’s internal routing-table. IS-IS flushes all next-hops information (including LSP next-hops) when learning a better prefix, despite equal-cost LSP tunnels, whereas OSPF does not. However, this does not cause any issues with respect to load balancing. [PR/408702]
• The rendezvous point (RP) is not learned on a router where auto-rp discovery is configured. A mismatch occurs between the PIM interface configuration on a router where auto-rp discovery is configured and on a router where auto-rp mapping is configured. For example, one router has an IFL with PIM configured and the other has an IFL with PIM disabled. As a workaround, ensure that PIM is enabled on all IFLs on both routers. [PR/445917]

MPLS Applications

• If you configure a label-switched path (LSP) with the no-cspf statement at the [edit protocols mpls] hierarchy level, the LSP might cycle up and down several times before stabilizing. [PR/10415]
• If a cross-connected circuit (CCC) traverses a forwarding adjacency label-switched path (LSP), traffic forwarding might be affected. [PR/60088]
• RSVP graceful restart does not function for LSPs that have a forwarding adjacency (FA) label-switched path (LSP) as a next hop. [PR/60256]
• When you modify the primary path for an MPLS LSP by using the delete protocols mpls label-switched-path lsp-path-name primary path-name command in configuration mode, followed by the set protocols mpls label-switched-path lsp-path-name primary path-name command, and then issue the commit command, the entire LSP (both primary and secondary) is torn down and then rebuilt from scratch. As a workaround, issue the delete protocols mpls label-switched-path lsp-path-name primary path-name command in configuration mode, followed by the commit command. Then issue the set protocols mpls label-switched-path lsp-path-name primary path-name command, followed by the commit' command. [PR/62365]
• When you enable per-packet load balancing on parallel label-switched paths (LSPs), the output of the show mpls lsp ingress command might display all the routes on only one of the LSPs even when traffic is evenly balanced across the LSPs. [PR/70487]
• An error in the Constrained Shortest Path First (CSPF) software might cause the routing protocol process (rpd) to generate a core file and stop operating. [PR/103777]
• When there are more than five link-protected or node-link-protected LSPs to the same destination and per-packet load balancing is enabled, some bypass next-hops might not be part of the active route. This can occur after a primary link goes down and comes back up. [PR/259219]
• For point-to-multipoint LSPs configured for VPLS, the ping mpls command reports 100 percent packet loss even though the VPLS connection is active. [PR/287990]
• The monitor label-switched-path output control key "n" does not work. [PR/298814]

VPNs

• When you modify the frame-relay-tcc statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level of a Layer 2 VPN, the connection for the second logical interface might not come up. As a workaround, restart the chassis process (chassisd) or reboot the router. [PR/32763]
• Traffic might not flow when an ATM interface is used as the access circuit on an M120 router. [PR/255160]
• If a PE router is acting as the mapping agent for PIM auto-RP, PR elections based on the bootstrap router (BSR) do not work correctly. [PR/305325]
• For a VRF instance configured for PIM, MVPN, and provider tunnels (the pim and mvpn statements are included at the [edit routing-instances vpn-name protocols] hierarchy level and the provider-tunnel statement is included at the [edit routing-instances vpn-name] hierarchy level), when PIM is deactivated and reactivated, it fails to install type-5 (source-active) routes in the instance-name.mvpn.0 routing table. This issue arises only when remote C-multicast joins are configured on the ingress PE router (as displayed by the show mvpn c-multicast command). [PR/306983]
• When an LSP switches from a primary path to a bypass path, Layer 2 circuits might go down and come up again, resulting in packet loss. [PR/309085]
• In JUNOS Release 9.3, when you configure inter-AS VPLS with MAC processing at the autonomous system (AS) boundary router along with multihoming, and if a designated forwarding AS boundary router fails and then comes back up again, traffic flowing to the local AS from the other AS’s boundary router might be lost. The loss occurs in the time period (tenths of a second) during which the old designated forwarding AS boundary router is taking back the role of designated forwarder. [PR/312730]
• On a router configured for NSR (the nonstop-routing statement is included at the [edit routing-options] hierarchy level), if an NSR switchover occurs after the configuration for routing instances changes in certain ways, BGP sessions between PE and CE routers might not be established after the switchover. [PR/399275]
• After the ingress PE router for an NG MVPN instance performs a GRES event, the egress PE routers could fail to install a new forwarding state for the multicast traffic. Clearing the BGP session on the ingress router can restore traffic to all egress routers. [PR/441392]

High Availability

• On a router with dual Routing Engines and nonstop active routing (NSR) enabled, if you perform a commit synchronize operation when the backup Routing Engine is not available, routing protocol sessions might not be reestablished. To expedite protocol synchronization, issue the restart routing command on the backup Routing Engine when it comes up. [PR/277993]
• In a routing matrix, if you include the prefix-action statement at the [edit firewall family inet] hierarchy level and perform an ISSU operation, the FPCs on the T640 routing nodes do not come online. In the output from the show chassis fpc command, the FPC state is reported as ISSU Error. [PR/391266]
• On M-series, MX-series, and T-series routing platforms, if you configure IPv6 on an interface with no MAC address (such as a SONET or loopback interface), it might cause the Routing Engine to restart. As a workaround, do not configure IPv6 addresses on interfaces that do not have MAC addresses. [PR/439252]

Class of Service

• The class-of-service process (cosd) can fail under certain circumstances when container interfaces (for example, rlsq) and graceful routing engine switchover (GRES) are configured. There is no workaround. [PR/466104]
• When a logical tunnel (lt-) interface is the outbound interface, JUNOS software does not support the IEEE 802.1p rewrite rule. [PR/55903]
• If you try to configure a scheduler map containing two forwarding classes that are mapped to the same queue, the class-of-service scheduler is not applied to the Packet Forwarding Engine. As a workaround, configure a single forwarding class for each available queue. [PR/57907]
• On M-series routers connected by VLAN circuit cross-connects (CCCs) and configured with class-of-service (CoS), when explicit forwarding (EF) traffic is generated from the ingress customer edge router (CE1) to the egress customer edge router (CE2), the ingress provider edge router (PE1) properly marks the packets with default EXP bits and sends the packets out queue 1, but the intermediary core router forwards all traffic through queue 0 instead of sending it through the EF queue. As a workaround, include the no-control-word statement at any of the following hierarchy levels: [edit protocols l2circuit neighbor address interface interface-name], [edit (logical-routers logical-router-name | logical-systems logical-system-name) protocols l2circuit neighbor address interface interface-name], [edit routing-instances routing-instance-name protocols l2vpn], or [edit (logical-routers logical-router-name | logical-systems logical-system-name) routing-instances routing-instance-name protocols l2vpn]. [PR/65280]
• When you configure a specific classifier for a logical unit, it does not override the fixed classifier configured using wildcards. [PR/68888]
• On M320 and T-series routing platforms, if you map multiple forwarding classes to the same queue (specify the same value for the queue-num statement at the [edit class-of-service forwarding-classes class class-name] hierarchy level for multiple classes) and then include the multiple classes in one scheduler map (by including the forwarding-class statement for each one at the [edit class-of-service scheduler-maps map-name] hierarchy level), the commit operation fails with the message "Total bandwidth allocation exceeds 100 percent for scheduler-map." [PR/103370]
• On MX-series routers, when you configure VPLS over an LSI interface, classification does not work on the egress PE router for traffic flowing from the core of the network to the egress CE router. [PR/240777]
• If you configure the tri-color statement at the [edit class-of-service] hierarchy level, the drop counters for the show interfaces queue command appear to not work for the medium-high (yellow) priority traffic and the low (green) priority traffic. The drop counter for the high-priority traffic (red) functions normally. [PR/258499]
• On MX960 routers, bandwidth sharing across high priority and strict-high priority schedulers might not be as expected. This issue occurs when the schedulers are configured on logical interfaces. [PR/265603]
• When you set the port speed of a multi-rate POS type 2 PIC to OC3, it does not correctly change the CoS speed value within the PFE. The speed is left at OC12. This will result in unexpected class-of-service (CoS) behavior and there is no workaround at this time. [PR/279617]]
• When a core-facing interface on a PE router that is acting as an IGP peer is deactivated (for example, by deactivating the interface interface-name statement at the [edit protocols ospf area area-id] hierarchy level), the following message might be written to the system log: "COSMAN: cosman_unbind_update_if_refcount: Failed to find the ifd interface-name (index) in the ifdtable for ifl index." There is no operational impact. [PR/291630]
• When the sum of shaping-rates at the logical interfaces is greater than the interface bandwidth and the rate-limit statement is applied to one of the logical interface queues, the limiting bandwidth for the queue is based on a scaled down logical interface shaping-rate value rather than the configured logical interface shaping-rate. [PR/441413]

Forwarding and Sampling

• On M320 and T-series routing platforms, when you configure interface output sampling, packets sometimes might travel through the output firewall. As a workaround, configure a firewall filter on the output interface with then sample and then next-term statements. The workaround provides the same functionality as the other configuration, but avoids the problem behavior. [PR/70473]
• On T-series routers, if there is an ingress firewall configured to drop all incoming multicast packets, the discarded multicast packets are incorrectly sent to the Routing Engine. This causes a high utilization of the CPU (50 percent) on the FPC. [PR/239268]
• Do not use the virtual LAN (VLAN) variable when configuring ether-type or vlan-ether-type match conditions for a firewall filter at the [edit firewall family vpls filter filter-name term term-name] hierarchy level. Using the VLAN variable will cause the firewall filter to fail. [PR/273448]
• The show interfaces filters and show interfaces extensive CLI commands do not display the interfaces. [PR/295977]
• Under some circumstances, when you add a prefix at the [edit policy-options prefix-list list-name] hierarchy level, the commit operation might fail with one of the following error messages: “Check-out failed for Firewall daemon (/usr/sbin/dfwd) without details" or "configuration check-out failed." [PR/305510]

• The following message might be written to the system log: "rts_cos_get_shaping_rate_for_ifl(): Entry not found for IFL index in cos ifl table" under the following conditions:

  • You configure interface-specific input and output filters that contain logical bandwidth policers (include the logical-bandwidth-policer statement at the [edit firewall policer policer-name] hierarchy level, and both that policer and the interface-specific statement at the [edit firewall family family filter filter-name term term-name then] hierarchy level).
  • You apply the filters to an interface (include the input filter-name and output filter-name statements at the [edit interfaces interface-name unit logical-unit-number family family filter] hierarchy level).
  • You apply a traffic control profile to the interface (include the profile-name statement at the [edit class-of-service traffic-control-profiles] hierarchy level and the output-traffic-control-profile profile-name statement at the [edit class-of-service interfaces interface-name] hierarchy level).
  • The router receives host-bound packets or IP option packets.
  As a workaround, include the shaping-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level. [PR/314292]

Network Management

• The following groups of MIB objects do not segregate the data they return according to the routing instance specified in an SNMP request: vrrpMIB, jnxCosIfqStatsTable, jnxCosQstatTable. [PR/63045]
• The TCP dump is reports a max-response-time within IGMP in seconds while displays units of 1/10th of a second. [PR/424618]

J-Web

• While configuring VAP, the No Broadcast SSID is selected even if the user disables it and redisplays the page. [PR/462903]

Resolved Issues

This section lists issues that are fixed in the JUNOS Release 9.3R4. The identifier following the description is the tracking number in our bug database.

Platform and Infrastructure

• If too many statistics requests are sent to the FPC from the Routing Engine, the kernel might run out of buffers and this results in a Routing Engine failure. [PR/281458: This issue has been resolved.]
• On MX, M120 or M320 routers, with E-3FPC platforms a logical interface flap may trigger a jtree memory leak. [PR/403472: This issue has been resolved.]
• A large volume of next-hop changes in a short period may cause a small number of packets to be lost or sent to the wrong destination. [PR/411567: This issue has been resolved.]
• If a duplicate address is detected for theIPv6 family on an Ethernet interface, the DAD does not restart even after the interface goes down and then back comes up. The has been fixed in JUNOS Release 9.3 and later and in JUNOS software released after April 23, 2009. [PR/421241: This issue has been resolved.]
• The input statistics of the AE interface shows the wrong value if the member link is part of an IQ-2 PIC. [PR/429771: This issue has been resolved.]
• On MX-series and M120 routers, and M320 routers with an Enhanced III FPC, if the VRF configuration includes the vrf-table-label statement, a DPC or FPC might dump core when an MPLS packet with time-to-live (TTL) equal to 0 (zero) or 1 (one) is processed at the egress provider edge (PE) router. [PR/436017: This issue has been resolved.]
• In JUNOS Release 9.1 or earlier, when MVPN is configured with auto-RP and there is a change in the RP of the default routing instance, then an RP address changes and a Layer 2 descriptor leak occurs. [PR/436637: This issue has been resolved.]
• SCU configuration causes the PFE to drop some host-bound packets on M320 and T-series routers. [PR/438261] [PR/438261: This issue has been resolved.]
• Under certain circumstances an Intelligent Queuing PIC might not be able to boot properly on an E3-FPC. [PR/438678: This issue has been resolved.]
• When the FPCs for T1600-FPC4-ES, T640-FPC4-1P-ES, T640-FPC1-ES, T640-FPC2-ES, and T640-FPC3-ES receive corrupted cells through high-speed links, they might unnecessarily reboot and report the following system log error message: "Unrecoverable Error: Flist gtop bit toggled !." No reset is needed to recover from this condition. [PR/441844: This issue has been resolved.].
• On T1600, TX Matrix, or T640 routers installed with one of the following Flexible PIC Concentrators (FPCs)—T1600-FPC4-ES, T640-FPC4-1P-ES, T640-FPC4-ES, T640-FPC1-ES, T640-FPC2-ES and T640-FPC3-ES—and JUNOS Release 9.3 or higher, jtree memory might get corrupted once routes are deleted while traffic is send to those prefixes. This can result in permanent or transient packet drops. One or more of the following symptoms might be logged in the system log:
  • SRCHIP(1): 131072 Discards - stack underflow
  • SRCHIP(1): 129735 Discards - truncated key - next hop
  • SRCHIP(1): 4670347 Multicast list discard route entries
  • SRCHIP(1): SOF (58) >= DMA length (46) (Read Channel)
  • SRCHIP(1): RKME int_status 0x300
  • SRCHIP(1): 14486 Discards - illegal BTT
  • SLCHIP(1): 1617082 new errors (illegal link) in DESRD last stream 0 last lout_key 0xabd0e
  • SLCHIP(1): 1622998 new errors (packet error) in HDRF, lout_hdrf_poll_stats

  There is no workaround and an FPC reboot might be needed to recover. [PR/443171: This issue has been resolved.]

• The kernel may have an error due to the loss of a watchdog if several packets are sent out from the Routing Rngine through an aggregated (SONET) interface when the logical interface is down and the physical interface is up. [PR/449361: This issue has been resolved.]
• FIPS 140-2 Level 2 mode operation is not supported, when dual Routing Engines are on the router. [PR/449750: This issue has been resolved.].
• On MX-series tunnel interfaces configured on DPC show traffic incorrectly on other interfaces. [PR/450844: This issue has been resolved.]
• In a Layer 3 VPN PE carrying multicast routes, an error in the kernel crash might occur when an FPC homing on an aggregate Ethernet interface is restarted. [PR/452999: This issue has been resolved.]
• The FPC experiences a heap memory leak when Ethernet OAM protocols are configured. The workaround is to disable the Ethernet OAM protocols. [PR/453842: This issue has been resolved.]
• Due to a JUNOS software issue, an M120 FEB/FPCx can overreact to a CPU Layer 2 cache single-bit-error. [PR/457157: This issue has been resolved.]

User Interface and Configuration

• During commit synchronize, the backup Routing Engine logs the commands to the TACACS+ server. As a result, the commit synchronize process takes a long time to commit. [PR/424255]
• Wildcard apply groups do not work properly in JUNOS Releases 9.1, 9.2, 9.3R1, and 9.3R2. [PR/425355: This issue has been resolved.]
• Issuing the set cli complete-on-space off command may result in unexpected CLI authorization behavior. [PR/426916: This issue has been resolved.]
• SSH/Telnet sessions may time out for a longer period of time then usual if a user or password is not provided. [PR/428116: This issue has been resolved.]
• The idle sync-other-re process may be incorrectly shown in configuration mode. [PR/433164: This issue has been resolved.]
• If you configure the traceoptions statement under system scripts commit, the router may have commit errors. [PR/438289: This issue has been resolved.]

Interfaces and Chassis

• On MX-series routers configured for graceful Routing Engine switchover (GRES), aggregated interfaces might not operate correctly after any of the following events occurs: (a) a simultaneous reboot of both master Routing Engines, (b) a power cycle of the chassis, or (c) a graceful switchover from a master Routing Engine to the backup Routing Engine. To restore functioning, on the master Routing Engine either issue the commit synchronize full command or restart the interface process (dcd). [PR/309716 : This issue has been resolved.]
• When you reboot an FPC while it is coming online and if the FPC adding process is interrupted before it successfully completes, the chassis process does not operate properly. [PR/400676: This issue has been resolved.]
• Incorporating changes to the interfaces configuration results in a small leak in the DCD process. The leak is at the rate of 16 bytes per interface configured per commit. [PR/411596: This issue has been resolved.]
• When you configure LACP on an aggregated Ethernet interface, the counters displayed by the show interface extensive command might show unexpected values. This problem occurs for logical interfaces that have an incoming interface index value that matches the default index of the data stream. [PR/418054: This issue has been resolved]
• The PPP MTU value of an interface protocol on a peer might change as a result of an irrelevant configuration change and cause the PPP MTU negotiation to fail. [PR/421706: This issue has been resolved.]
• When you change a hardware Field Replacement Unit (FRU) in the chassis, the craft process (craftd) might fail upon reinitializing the device list and generate a core file. This does not affect normal operation of the FRU. [PR/429171: This issue has been resolved.]
• On MX480 and MX960 platforms, the FAN LED stays green even when the FAN tray is pulled out. [PR/429521: This issue has been resolved.]
• The algorithm that is responsible to switch over the SFM and take the FPC offline does not clear the errors (hard/soft) on each FPC after the SFM is switched over. [PR/433616: This issue has been resolved.]
• For some interfaces, when configured with the WAN-PHY framing mode, the monitor interface command might be missing some counters. [PR/435775: This issue has been resolved.]
• A large number of ATM2 error interrupts might cause the FPC to fail. [PR/438073: This issue has been resolved.]
• In the output of the show chassis pic fpc-slot x pic-sloty command, the SFP-GE40KM SFP might be shown erroneously as 1000LH instead of 1000EX. [PR/438753: This issue has been resolved.]
• When the same logical interface is deleted from the default system and added into a logical system, the Routing Rngine might fail. [PR/441284: This issue has been resolved.]
• When the sum of shaping rate at a logical interface is greater than the interface's bandwidth and a rate limit is applied to one of the logical interface queues, the bandwidth limit for the queue is based on a scaled-down logical interface shaping rate value rather than the configured logical interface shaping rate. [PR/441413: This issue has been resolved.]
• On M-series routers, BGP sessions flap when any configuration change happens, even an relevant one. As a workaround, make the difference between the configured MRRU and the MTU to be greater than eight. [ [PR/442688: This issue has been resolved.]
• When the ingress router re-signals an RSVP session, traffic could egress from a disabled SONET interface that is part of an APS group that is using container interfaces. As a workaround, switch the APS interfaces. [PR/443295: This issue has been resolved.]
• If VRRP tracks a cloned route this is because the cloned route will always be treated as down. The reason this it is always treated as down, is that the unicast cloned routes are not added to the routing table. [PR/446408: This issue has been resolved.]

Services Applications

• A TCP-based stateful firewall flow might remain active after the service interface inactivity timeout expires, even though the corresponding TCP session is already closed. Several iterations of Reset and TCP keepalive messages might be exchanged between the peers before the flow is completely closed. [PR/446960: This issue has been resolved.]

General Routing

• The show helper statistics and clear helper statistics commands are not available on MX-series platforms on or after the following JUNOS releases: 9.3R4, 9.4R4, 9.5R3, and 9.6R2. [PR/445240: This issue has been resolved.]

Routing Protocols

• When more than one external path originates from the same autonomous system (AS), the JUNOS software does not comply with the RFC 5004 path selection algorithm. [PR/392819: This issue has been resolved.]
• Deactivation of routing instances might cause the routing protocol process (rpd) to create a soft assertion failure. [PR/396122: This issue has been resolved.]
• In some cases (for example, after a repeated power-down event), one of the internal database files (/var/db/lmpd-name-id.db) becames corrupt, causing the lmpd system process to fail on commit. As a workaround, delete the file and commit again. [PR/403129: This issue has been resolved.]
• If a multiaccess interface is disabled, it is advertised as a disabled link in the router LSA after the Routing Engine switchover. [PR/418559: This issue has been resolved.]
• If OSPF is in overload mode on the standby Routing Engine but not in overload mode on the master Routing Engine, it may take a long time to install OSPF routes on the standby Routing Engine. [PR/421636: This issue has been resolved.]
• In rare cases, the BPG cleans the data structures correctly when the entire peer group fails and the peer group is deleted. [PR/423060: This issue has been resolved.]
• In a large-scale BGP multipath setup, the BGP multipath calculation uses a large amount of CPU and slows down RPD for a long period of time. [PR/424360: This issue has been resolved.]
• If RIP authentication is turned on, updates may get dropped on sequence number mismatch because they are not processed in the order they are received. [PR/429297: This issue has been resolved.]
• The assert condition is not valid for cases where the PIF is flapped. [PR/429392: This issue has been resolved.]
• Community types are being allocated at random to the members in the community list. As a result, extended communities might be treated as simple and vice versa, which causes failures in the VRF import code. [PR/430728: This issue has been resolved.]
• With non-stop routing enabled for BGP, the master and backup RPD instances will fail to establish and maintain a synchronized state. [PR/434162: This issue has been resolved.]
• If a static route is pointing to a discard configuration, a failure may happen when the router attempts to collect the multicast statistic data. [PR/434298: This issue has been resolved.]
• A Layer 3 VPN BGP using the show bgp neighbor command shows local-id 0.0.0.0 as output when NSR is enabled. [PR/434321: This issue has been resolved.]
• With BGP multipath configured, the BGP trace option flags may not be refreshed after a change in the trace-option flag configuration. [PR/436440: This issue has been resolved.]
• Embedded RP is not created upon receiving a trigger from multicast traffic. Deactivate and activate the configuration to fix the problem. [PR/437893: This issue has been resolved.]
• Embedded RP configurations cause continuous RPD failure if PIM is disabled. [PR/438159: This issue has been resolved.]
• When you use auto-rp, if the rendezvous point (RP) configuration is deactivated and then reactivated on the provider edge (PE) router, the router fails to rediscover the RP announced by the customer edge (CE) router. [PR/438356] [PR/438356: This issue has been resolved.]
• If a RIB is referenced within the FROM clause of a policy statement, the statement might change on each commit. This can lead to route flaps on every commit if the statement is used as the import policy for a RIB group, which in turn is referenced in OSPF. [PR/441557: This issue has been resolved.]
• RPD may fail if a VRF routing instance is reconfigured in a single commit from Draft-Rosen MVPN to Next-Gen MVPN with RSVP-TE inclusive provider tunnels. [PR/442391: This issue has been resolved.]
• When you configure the path-selection always-compare-med statement at the [edit protocols bgp] hierarchy level, BGP multipath might not find all eligible paths. [PR/444629: This issue has been resolved.]
• When BGP NSR is configured with sampling (under forwarding-options sampling), duplicate updates for some prefixes could be sent during a Routing Engine switchover. [PR/458669: This issue has been resolved.]

MPLS Applications

• On M-series and T-series routers, when the MPLS label-switched path (LSP) re-optimizes (or changes path) followed by a signaling failure along that path, then the path change does not occur till the next LSP re-optimization event. [PR/401343: This issue has been resolved.]
• The load-balancing spread is affected when both the primary and the first secondary LSP are out of commission. [PR/422596: This issue has been resolved.]
• The mplsResourceTunnelTable reports bandwidth in bps instead of Kbps. [PR/432716: This issue has been resolved.]
• The MPLS LSP auto-bandwidth adjustment may stop working while RSVP signals for the path; either optimization is initiated or the LSP goes down. [PR/4438157: This issue has been resolved.]
• On a PE router, when an uplink is deactivated, the MPLS LSP BFD session over this link may not switch to other uplinks. [PR/454071: This issue has been resolved.]
• When MPLS traceroute is executed in downstream mapping TLV (TLV 2), the reply packet contains misleading values because of an MPLSOAMD error. [PR/454796: This issue has been resolved.]

VPNs

• Applying configuration changes that remove both static P2MP LSP and a static MVPN provider tunnel group configuration, can result in RPD failure. To avoid this problem, first remove the provider-tunnel configuration, then remove the LSP P2MP configuration. [PR/288456: This issue has been resolved.]
• In Layer 2 CCC scenarios packets where the size is less than 64 bytes, the scenarios packets may be erroneously padded when forwarded through an Ethernet uplink. As a result, the packets size arriving at the remote end will not correspond to those that were originally sent. [PR/420037: This issue has been resolved.]
• If you create new VPLS instances with a provider-tunnel Point-to-Multipoint (P2MP) label-switched path template, the routing protocol daemon (RPD) might restart, creating P2MP LSP paths. [PR/442544: This issue has been resolved.]
• While configuring a Layer 2 VPN routing instance, if the protocol’s Layer 2 VPN stanza is not included as part of the routing instance configuration when a commit is performed and instead is added during a later commit, the Layer 2 VPN session associated with this routing instance may not come up. [PR/449494: This issue has been resolved.]

High Availability

• When you issue the show chassis ethernet-switch statistics command on a routing platform with graceful Routing Engine switchover (GRES) enabled, the two Routing Engines might be unable to exchange information for about 2 seconds. [PR/233779: This issue has been resolved.]
• The MIB definitions, jnxPicXDpcCombo10X1GE and jnxPicXQDpcCombo10X1GE for Combo DPC PICs, are missing in the database which causes errors in the chassis process (chassisd) logs. [PR/418469: This issue has been resolved.]
• After an ISSU software upgrade on the MX-series router, you might see a kernel database replication error, an ISSU prepare timeout, and a core dump. These problems might be due to issues with allocated schedulers after the ISSU. This issue is seen only with Gigabit Ethernet Enhanced Queuing IP Services DPCs. [PR/427694: This issue has been resolved.]
• The TX LCC displays an error when ARP entries time out and are added back. This problem occurs with JUNOS Release 9.0 and later (released after August 14, 2007) and in JUNOS Release 8.5R3.3 and 8.5 (released after October 17, 2008). [PR/450698: This issue has been resolved.]

Layer 2 Ethernet Services

• For MX480 routers only, the temperature gap between the MX480 fan speed-up and slow-down has changed from 0 degree Celsius to 5 degree Celsius. Before the change, the fan speeds up to a maximum temperature of 54 Celsius and slows down to 53 Celsius (0 degree gap). After the change, the fan speeds up to a maximum temperature of 56 Celsius and slows down to 49 Celsius (5 degree gap). [PR/394651: This issue has been resolved.]
• When you configure GRES on the MX-series router, the SIB might not initialize if you reboot both Routing Engines simultaneously, or reboot the router with only one Routing Engine installed. [PR/408359: This issue has been resolved.]
• When the router is configured as a DHCP relay agent with the option 82 enabled, it starts dropping packets when the packet size exceeds the maximum size as specified in option 57. [PR/411626: This issue has been resolved.]
• The relay-option-60 configuration, located under the group statement, stops working if something else is changed under the same group statement. [PR/434373: This issue has been resolved.]

High Availability

• An AGRES switchover may cause an FPC failure if the interfaces configuration contains the following statement: sp-x/y/0 { unit 0 { family inet; }. [PR/399152: This issue has been resolved.]
• If static routes are configured under [routing-options], which points to a discarded interface, and if GRES is also configured, then the kernel database may not synchronize with the backup Routing Engine after a GRES switchover is performed. The backup Routing Engine displays a connection error. [PR/399888: This issue has been resolved.]
• When the IPv6 protocol is configured in an IP-IP tunnel and if GRES and NSR are enabled, the backup Routing Engine might display a replication error. [PR/420102: This issue has been resolved.]
• Installing OSPF routes may take a longer then normal period of time, if OSPF is in overload mode on a standby Routing Engine and is not in overload mode on the master Routing Engine (RE). [PR/421636: This issue has been resolved]
• When you use auto-RP and if the rendezvous point (RP) configuration is deactivated and then reactivated on the provider edge (PE) router, the router will fail to rediscover the RP announced by the customer edge (CE) router [PR/438356: This issue has been resolved]
• When you configure the path-selection always-compare-med statement at the [edit protocols bgp] hierarchy level, BGP multipath may not find all eligible paths. [PR/444629: This issue has been resolved]

Class of Service

• The packet drop cannot be brought down to zero. However, with this fix the packet drop should be reduced by nearly half. [PR/429961: This issue has been resolved.]
• On M320 routers, when the Tunnel PIC is on a standard FPC, multicast traffic conforming to Internet draft-rosen-vpn-mcast-08.txt might be subject to incorrect CoS queuing and rewrite. [PR/433142: This issue has been resolved.]
• After the aggregate chassis configuration is deactivated then activated, the classifier might not be properly applied on aggregate interfaces. [PR/442240: This issue has been resolved.]
• After an FPC restart, the classifiers might not be properly applied to the aggregate members if they have LACP configured. This following error message is displayed: Jun 4 12:43:02 sting-re1 fpc0 SLCHIP(0): Unable to fathom what channel used by IFL 68 Jun 4 12:43:02 sting-re1 fpc0 SLCHIP(0): error 1 in setting QoS table 1 for ifl 68 Jun 4 12:43:02 sting-re1 fpc0 COSMAN: lchip write failed, lchip 0 while binding IFL(68) to classifier(1) Jun 4 12:43:02 sting-re1 fpc0 SLCHIP(0): Unable to fathom what channel used by IFL 68 Jun 4 12:43:03 sting-re1 fpc0 SLCHIP(0): error 1 in setting QoS table 1 for ifl 68 Jun 4 12:43:03 sting-re1 fpc0 COSMAN: lchip write failed, lchip 0 while binding IFL(68) to classifier(1)

  The problem is seen on JUNOS Release 9.3, 9.4 releases shipped after 08/15/2008. Deactive and activate CoS to fix the problem. [PR/442418: This issue has been resolved.]

• When an Intelligent Queuing PIC is taken offline and then brought back online, the chassis scheduler map might change to [95,0,0,5]. As a workaround, deactivate the chassis scheduler map before taking the PIC offline and then activate the chassis scheduler map after PIC comes back online. [PR/444543: This issue has been resolved.]
• Tail drops are not seen in the Routing Engine CLI output. [PR/446617: This issue has been resolved.]

Forwarding and Sampling

• Policers cannot be modified after a system upgrade because of a flaw in the parser routine. This error occurs when the current item is deleted and then the parser cannot proceed to the next item. With the fix, the routine in the forwarding process (dwfd) has been modified so that the next item in the object tree is fetched before the current object is parsed. [PR/433418]

Network Management

• When the SNMP has a response that is larger than 9KB, a "Message too long" log is reported but no SNMP get response failure occurs. [PR/389559: This issue has been resolved.]
• When subagents are slow in responding to SNMP queries, the SNMP process continues to buffer the incoming SNMP requests. SNMP memory becomes exhausted after the buffer increases to a bigger value, which causes the SNMP process to fail. [PR/430106: This issue has been resolved.]
• If the master snmpd restarts in a TX Matrix platform and the SNMP subagent running with an LCC chassisd tries to register MIB objects with the master snmpd, the registration progress fails and results in the snmpd (running at SCC) utilizing large amounts of CPU. [PR/438085: This issue has been resolved.]

Previous Releases

Resolved Issues

9.3R3

This section lists issues that were fixed in JUNOS Release 9.3R3. The identifier following the description is the tracking number in our bug database.

Platform and Infrastructure

• On M320 and T-series routing platforms, when you configure the local gateway of an IPSec tunnel in a routing instance, IPSec might not function properly over a generic routing encapsulation (GRE) tunnel. [PR/73864: This issue has been resolved.]
• On M7i and M10i routers, when the system log for the CFEB becomes full, additional messages are discarded instead of overwriting the oldest messages in the log. [PR/79128: This issue has been resolved.]
• When the resolve.conf file does not include a proper working DNS server name, the show ntp associations command output displays the message Can't find host localhost with NTP server definitions.” Because the DNS server name is not mandatory in the resolve.conf file, the error message is unnecessary. [PR/270915: This issue has been resolved.]
• You might encounter output drops with the 10–Gigabit Ethernet PICs. The output drops occur because the software incorrectly calculates the number of queues for polling statistics in a 10-Gigabit Ethernet PIC, even though it is different from other PICs. [PR/277693: This issue has been resolved.]
• On MX-series routers using Routing Engine-based sampling, when samples are sent from the Packet Forwarding Engine to the Routing Engine over certain interfaces, the interface Input/Output index and next-hop address are set to 0. The following interfaces are affected: ge-x/0/y, ge-x/1/y, xe-x/2/0, and xe-x/3/0. [PR/286089: This issue has been resolved.]
• When an IPv6 BGP peer becomes unreachable, the raw IPv6 packets might be forwarded without the correct Layer 2 encapsulation over an Ethernet connection. [PR/314629: This issue has been resolved.]
• The MX-series Tri-rate DPC does not support MAC accounting and returns the following message: "error: MAC accounting and policing not supported." [PR/387919: This issue has been resolved.]
• On T1600 routing nodes with JUNOS Release 9.3R1 or 9.3R2, if there are interface flaps and routes from 0.0.0.0 to 127.255.255.255 using an indirect next hop, the following error message might be triggered in the syslog: "JTREE(jt_nh_get_reachable_nh32): Not reachable 0x00000000:0x2d740780 for seg 1 (rt_jtree_build_nh)" and forwarding traffic is impacted. [PR/392876: This issue has been resolved.]
• For aggregated interfaces only, when GRES is enabled and the neighboring server fails, the next hop turns to a hold next hop which waits to be resolved. If the next hop is resolved immediately, the replicated Routing Engine (RE) might panic. [PR/394209: This issue has been resolved.]

• In an MPLS Layer 3 VPN network, the traceroute command does not return a valid result (it returns three asterisks [* * *] instead) for the hop between two routers when their configuration includes both of the following features:

  • Per-packet load balancing (the load-balance per-packet statement is included at the [edit policy-options policy-statement policy-name then] hierarchy level and that policy-name statement is included at the [edit routing-options forwarding-table] hierarchy level)
  • Multiple equal-cost paths between the routers (for example, when the encapsulation frame-relay statement is included at the [edit interfaces interface-name] hierarchy level for a SONET/SDH interface and the same address is specified for more than one of its logical interfaces at the [edit interfaces interface-name unit logical-unit-number family family address] hierarchy level)
  [PR/396280: This issue has been resolved.]
• When you have configured the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level for a VRF routing instance, IPv4 and IPv6 MTU error notification is not handled properly. On M320 routers with an incoming FPC as SFPC and an outgoing FPC as FFPC, large IPv6 packets are not being detected and discarded properly. [PR/397334: This issue has been resolved.]
• When the Routing Engine requests numerous statistics that surpass a set boundary, "PFEMAN: Couldn't write..." messages might be logged and DPC failures occur. [PR/398233: This issue has been resolved.]
• When the multicast MAC address is configured on the local PE for a CE device, traffic originating from a remote PE is silently dropped without informing the source that the data did not reach its intended recipient [PR/398698: This issue has been resolved.]
• Prolonged fast interface flaps with thousands of ARP entries might cause the FPC to stop functioning. [PR/399175: This issue has been resolved.]
• On T640 and T1600 routing platforms with the Enhanced Scaling FPC4, errors such as the following might be written to the system log: "x new errors (mtu error) in HDRF,lout_hdrf_poll_stats," "Error (code: 30, type:Minor) encountered, cmalarm_passive_alarm_signal," and "1 new errors in SLout OP." There is no operational impact. [PR/399258]
• On egress PE routers, the correct EXP classifier is not applied to label-switched interfaces (LSIs) that are created by including the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level. [PR/399634: This issue has been resolved.]
• In specific a configuration such as MVPN, restarting RPD causes a small memory leak on the PFE lookup table. [PR/400917: This issue has been resolved.]
• For T640 routing nodes only, when you configure per-packet load balancing, the outgoing traffic is dropped. This issue is exacerbated if you configured two PFE routing instances. [PR/402031: This issue has been resolved.]
• When the ifd channel mode is of type HYBRID, LSI statistics are counted every time ifl_stats are collected for each logical interface. This causes the LSI input counters to be incremented by a multiple of the logical interfaces. [PR/404857: This issue has been resolved.]
• On MX-series routers, when IGMP snooping is enabled in a VPLS instance, a VPLS interface flap causes a DPC to unexpectedly restart. [PR/405136: This issue has been resolved.]
• The traffic class byte is set to 0x00 in the header of some BGP packets sent between interfaces that have IPv6 addresses, instead of the correct setting of 0xc0 (INTERNETCONTROL). [PR/406802: This issue has been resolved.]
• For MX-series routers running with JUNOS Release 9.1R1 or higher, when traffic is sent to the router with the IEEE 802.1p value set to 2 or the source class usage (SCU) configured, the packets are discarded when they reach the PFE. [PR/414491: This issue has been resolved.]
• The show pfe statistics CLI command does not display I-CHIP Ipktwr packet drop counts. [PR/414477: This issue has been resolved.]
• Under rare circumstances, the kernel panics on the TX Matrix LCC or on the SRX-series platform following a Routing Engine switchover or an RDP connection timeout between the LCC and SCC. [PR/416973: This issue has been resolved.]
• For multicast traffic, if the OIF is on an aggregated interface and its member link is on a different PFE (for example, 7/1/0 and 6/1/0), multicast traffic might be lost after the FPC, which has IIF for the multicast, is rebooted. [PR/418583: This issue has been resolved.]
• Initial ARP packets are discarded by the default ARP policer because when a T1600 routing nodes FPC restarts, the current credit is initialized to JT_POL_SR_CURRENT_CREDIT_MAX, which is 0xFFFFF. This has a high negative value in SR, so packets are dropped until it goes down. As a workaround, you can initialize the current credit to max_credit_limit (which is equal to (credit_limit / Rate) * time_credit), approximately equal to TC. [PR/419909: This issue has been resolved.]
• The SNMP remote operations process (rmopd) might fail after configuring a BGP neighbor with a local address. [PR/420504: This issue has been resolved.]
• In JUNOS Release 9.3R1 or higher, on Juniper Networks routers with Type 4 FPCs or T1600 routing nodes, multicast traffic is not counted within the interface statistics counters once class-of-service rewrite rules have been applied to the interface. [PR/420681: This issue has been resolved.]
• On the MX-series router, when you configure MPLS and a tunnel configuration on the same Gigabit Element (GE) DPC, the tunnel interface shows traffic as the sum of the traffic of the other Gigabit Element (GE) interfaces on the DPC. This is a cosmetic issue and does not affect functionality. [PR/422274: This issue has been resolved.]
• When an aggregate bundle fails and the aggregate bundle is part of an Equal Cost Multi-Path (ECMP), there is a short transient window while traffic is re-routed where one or all of the following entries is reported in the message log: - PFE: Detected error nexthop - RCHIP(1): RKME int_status 0x10000000 - LCHIP(1): 3067 new errors (illegal size) in DESRD - LCHIP(1): 3067 new errors (illegal link) in DESRD - RCHIP(1): SOF (61) >= DMA length (46). [PR/424741: This issue has been resolved.]
• On MX-series routers, the FPC might reboot without a failure if the DWDM is incorrectly configured. Either disconnect the offending link or configure the Disable statement at the [edit interfaces] hierarchy level to stop the FPC reboots. [PR/430703: This issue has been resolved.]
• When configuring Proxy ARP on unnumbered interfaces, the router can incorrectly answer address collision detection ARP requests, causing DHCP clients to decline the offered address. [PR/431192: This issue has been resolved.]
• When you configure flow monitoring on a T1600 with a T640 or T1600 Enhanced Scaled FPC4 and the input and output traffic are located on the same bottom PFE1, then the next-hop address and output interface are set to 0. [PR/431567: This issue has been resolved.]
• On MX-series, M120, and M320 routers with an Enhanced III FPC, the DPC FPC fails if the VRF configuration includes the vrf-table-label statement when an MPLS packet with time-to-live (TTL) is set equal to 0 (zero) or 1 (one) and is processed at the egress PE. [PR/436017: This issue has been resolved.]
• An ARP retry count is incorrect in that instead of sending out the first five retries every second, the third and consequent retries are sent every 15 seconds. [PR/436580: This issue has been resolved.]
• On MX-series routers with a Combo DPC (20-port 1-Gigabit Ethernet 2-port 10-Gigabit Ethernet), if the family mpls statement is included at the [edit interfaces interface-name unit logical-unit-number] hierarchy level for any 1-Gigabit Ethernet port of a DPC slot, the show interfaces statistics command reports zero values for input traffic at all ports. This issue does not affect the input traffic statistics for the 10-Gigabit Ethernet ports. This is a cosmetic issue and does not affect functionality. [PR/436653: This issue has been resolved.]

User Interface and Configuration

• The alarm process (alarmd) updates /var/db/feature.db, a license-tracking file, every 60 seconds, even on routers that do not support the JUNOS software licensing feature (for example, the M7i, M10i, M40e, and T-series routing platforms) and causes unnecessary hard disk drive activity. [PR/308466: This issue has been resolved.]
• The container value is unavailable when the commit script show configuration system scripts commit is used with traceoptions and when the direct-access statement is set. [PR/394243: This issue has been resolved.]
• The algorithm that switches over the SFM and takes the FPC offline, does not clear the hard/soft errors on each FPC once the SFM is switched over. [PR/433616: This issue has been resolved.]
• When the direct-access statement is configured, the firewall filter input-list in a commit script may not return an expected value. [PR/406663: This issue has been resolved.]
• The RPC get-configuration statement may not get the expected output if both direct-access and filter are configured under [system scripts commit]. [PR/406687: This issue has been resolved.]
• You get a commit fail when applying a group to the chassis section of a configuration. [PR/425355: This issue has been resolved.]
• When you use the commit confirmed command on TX-series routers, it fails to roll back the original configuration as expected. [PR/425642: This issue has been resolved.]
• If you configure the traceoptions statement under system scripts commit, the router may have commit errors. [PR/438289: This issue has been resolved.]

Interfaces and Chassis

• In the output from the show interfaces extensive command, the count of REI-P errors in the SONET path section is incorrect when the RDI-P error also appears in the SONET defects field. [PR/256049: This issue has been resolved.]
• On aggregated Ethernet interfaces configured for LACP (the lacp statement is included at the [edit interfaces aex aggregated-ether-options] hierarchy level), if you deactivate one of the interfaces in the aggregate, multicast traffic might not be detoured as expected. [PR/313617: This issue has been resolved.]
• On a router with dual Routing Engines, if the hard disk is inoperable or missing on the backup Routing Engine, no chassis alarm is set (visible in the output of the show chassis alarms command), nor is an SNMP trap or system log message generated. The only indication is a line like the following in the output from the show system boot-messages command: "adx: not attached, missing in Boot List." [PR/392837: This issue has been resolved.]
• On the T1/E1 Circuit Emulation PIC, if you specify an invalid value for the payload-size statement at the [edit interfaces (t1 | e1)-fpc/pic/port satop-options] hierarchy level, the DS1 alarm LOF is raised, as reported in the output from the show interfaces (t1 | e1)-fpc/pic/port:channel command.

  The valid values for the payload-size statement are as follows:

  • In T1 mode, a multiple of 24 in the range 24 to 1024
  • In E1 mode, a multiple of 32 in the range 64 to 1024

  [PR/395143: This issue has been resolved.]

• In JUNOS Release 9.3R1 and later, SONET Automatic Protection Switching (APS) does not work correctly on the 4-port Channelized OC3/STM1 Circuit Emulation PIC with SFP. [PR/402068: This issue has been resolved.]
• On channelized OC12 intelligent queuing (IQ) interfaces, incoming code violation path (CV-P) messages might not trigger the sending of remote error indication path (REI-P) messages.[PR/47188: This issue has been resolved.]
• While bringing a PIC online, after bringing a router online and performing an FPC or PIC (re)start, the interface hold-down up timer is activated and the interface comes up immediately. [PR/277236: This issue has been resolved.]
• In TX Matrix platforms, the show chassis fpc X command returns an error instead of showing the FPC information when X is greater than 8. [PR/387950: This issue has been resolved.]
• In OC768-over-OC192 mode on the 4-port OC192c PIC, when you change the clocking internal statement to clocking external at the [edit interfaces interface-name] hierarchy level, the clock may not come up. [PR/395847: This issue has been resolved.]
• When the no-auto-negotiation statement is configured under a port within IQ2 PICs, the down link may flap. [PR/397491: This issue has been resolved.]
• On T640 router nodes when the FPC is taken offline, the AE bundle statistics (which issue the monitor interface traffic command) display a high value. This is not an issue for the TX Matrix platform. [PR/399451: This issue has been resolved.]
• Running OAM under an aggregate interface might not detect a link failure in a child interface. This causes the router to direct network traffic to a destination where it is lost. [PR/399868: This issue has been resolved.]
• The output for queue counters under the show interfaces command (xe-fpc/pic/port extensive) might be incorrect when traffic is passed at near maximum throughput to any Queuing IQ2 or IQ2E PICs or DPCs. [PR/401431: This issue has been resolved.]

• High priority traffic gets RED dropped even though the rate is lower than the shaping-rate under the following conditions:

  • 248 VLANs are configured on a single port within an IQ2 Gigabit Element (GE) PIC
  • The shaping rate for each VLAN is set to 4m and a buffer size for high priority traffic (for example, real-time is 5 percent)
  • Both high and low priority traffic are sent out through all 248 VLANs where the total rate is higher than the line rate
  [PR/401893: This issue has been resolved.]
• When Multilink Frame Relay encapsulation is configured on an interface using the encapsulation multilink-frame-relay-uni-nni statement is included at the [edit interfaces interface-name] hierarchy level), the kernel might generate an error. [PR/407608: This issue has been resolved.]
• When a 10-Gigabit Element interface of a DPC is connected to a faulty optical card which causes the link state to change at a very high rate, the DPC fails. [PR/411072: This issue has been resolved.]
• When a Layer 2 policer is applied to the egress interface of a router, the dropped frame statistics might show incorrect information. [PR/419181: This issue has been resolved.]
• On an IQ2 PIC, the slow aging interval might be overwritten with a value of 202 seconds which causes the MAC entry to be removed in 6 to 7 minutes. [PR/419510: This issue has been resolved.]
• The address family of child next hops is incorrectly set to the address family of the IFF, instead of the address family of the parent next hop. [PR/425802: This issue has been resolved.]
• A NULL pointer reference in an ifinfo failure is caused by a loss of synchronization with GRES-enabled Routing Engines. [PR/43112: This issue has been resolved.]
• The SFP-GE40KM SFP may display as 1000LH instead of 1000EX in the output of the chassis pic fpc-slot x pic-slot y command. [PR/433616: This issue has been resolved.]

Services Applications

• The issue occurs when you configure the NAT match-direction output statement and attach it to a interface-style service set on an egress interface. When you explicitly configure forward and backward rules for a NAT service set, an ICMP fragmentation-needed message is not sent and the traffic is dropped without notification. If the backward rule is not configured and is left implicit, this problem is not seen. An explicit backward rule causes the ICMP error packet to be handled as a new flow. [PR/238215: This issue has been resolved.]
• On an M7i or M10i router with the enhanced CFEB, if you issue the deactivate forwarding-options sampling command, sampling stops for both IPv4 and IPv6 traffic. If you then issue the activate forwarding-options sampling command, sampling resumes for only IPv4 traffic. [PR/415140: This issue has been resolved.]

General Routing

• When you configure multiple addresses for the from neighbor statement inside a routing policy term, only the last address takes effect. [PR/414768: This issue has been resolved.]
• On TX Matrix platforms, use of generate in the routing-options stanza with reference to a policy results in the commit not completing successfully. [PR/416380: This issue has been resolved.]
• A RPD error occurs after you commit changes to a routing instance configuration. [PR/425126: This issue has been resolved.]

Routing Protocols

• On a router with dual Routing Engines and NSR configured, the backup RPD may go down in rare instances while processing an indirect next-hop delete. [PR/302731: This issue has been resolved.]
• Inefficient deletions of BGP routes from the routing instance table cause the scheduler to slip. [PR/305027: This issue has been resolved.]
• When more than one external path originates from the same autonomous system (AS), the JUNOS software does not comply with the RFC 5004 path selection algorithm. [PR/392819: This issue has been resolved.]
• The deactivation of a routing instance causes an RPD to create a soft assertion failure. [PR/396122: This issue has been resolved.]
• On a router configured with nonstop routing (NSR), when you apply the BGP import policy and then issue the clear bgp neighbor address soft command to reset BGP, the policy does not take effect. [PR/396291: This issue has been resolved.]
• If you specify an IPv6 address as a value in the ssm-groups statement at the [edit routing-options multicast] hierarchy level, the SSM group does not work as expected. [PR/399352: This issue has been resolved.]
• When you enable distributed periodic packet management by including the delegate-processing statement at the [edit routing-options ppm] hierarchy level, BFD packets are transmitted on a queue other than queue 3 (this could be queue 0 or queue 4 depending on the JUNOS software version). [PR/400907: This issue has been resolved.]
• The SNMP interface index is not set internally which causes the MIB interface queries to display the index value as zero.This can also cause SNMP interface MIB queries for statistics to return stale information. [PR/401038: This issue has been resolved.]
• If GRES is not enabled on a Routing Engine switchover, then the routing protocol process (rpd) on the new backup Routing Engine quits before cleaning up the forwarding table. [PR/402372: This issue has been resolved.]
• When you issue the mtrace source command and the route to the source is defined in the routing table for a PIM nonforwarding instance (that is, not in the main instance table, inet.0), the command fails with the following messages: "...giving up" and "Timed out receiving responses." [PR/403033: This issue has been resolved.]
• When an operator executes the show route aspath-regex command and then attempts to escape with CTRL+C, an RPD generates a failure. [PR/403410: This issue has been resolved.]
• When the OSPF overload timeout is set, even as low as the minimum of 60 seconds, the external LSA may not be generated even after the overload timer times out. [PR/404097: This issue has been resolved.]
• When peers in different BGP peer groups have similar export policies such that identical advertisements are sent, the routing protocol process (rpd) might generate an error and become unresponsive when the backup Routing Engine comes online. [PR/404471: This issue has been resolved.]
• When certain statements are included at the [edit protocols bgp group group-name] hierarchy level, the routing protocol process (rpd) might generate an error and stop operating in some circumstances. [PR/404667: This issue has been resolved.]
• Aggregate routes with a large number of contributing members cause the routing protocol process (rpd) to monopolize the CPU constantly with frequent routing changes. However this condition applies only when you configure a policy with the aggregate-contributor match condition. [PR/405499: This issue has been resolved.]
• An SNMP MIB walk of the downstream interfaces of point-to-multipoint multicast routes might cause the routing protocol process (rpd) to fail. [PR/405505: This issue has been resolved.]
• When rapid configuration commits occur for a certain type of configuration changes that include nonstop routing configuration, rpd may stop consuming further configuration changes with the message "SIGHUP while previous commit isn't yet complete." [PR/405761: This issue has been resolved.]
• If you redistribute a default route or other labeled unicast FEC with the discard or reject action into BGP and enable traffic statistics at the [edit protocols bgp family inet labeled-unicast] hierarchy level, the routing protocol process (rpd) might fail and FECs might be logged with a value of 0. [PR/407546: This issue has been resolved.]
• When changing from static OSPF and ISIS route load balancing to BGP load balancing with multipath enabled, the routes may not be load balanced correctly until the BPG session is restarted. [PR/407925: This issue has been resolved.]
• PIM mistakenly prefers a specific hidden route over an active less specific route as the RPF route to the MCAST source. [PR/411385: This issue has been resolved.]
• If a multiaccess interface is disabled, it is advertised as a disabled link in the router LSA after the Routing Engine (RE) switchover. [PR/418559: This issue has been resolved.]
• In rare cases, the BPG cleans the data structures correctly when the entire peer group fails and the peer group is deleted. [PR/423060: This issue has been resolved.]
• In a large-scale BGP multipath setup, the BGP multipath calculation uses a large amount of CPU and slows down RPD for a long period of time. [PR/424360: This issue has been resolved.]
• If RIP authentication is turned on, updates may get dropped on sequence number mismatch because they are not processed in the order they are received. [PR/429297: This issue has been resolved.]
• The assert condition is not valid for cases where the PIF is flapped. [PR/429392: This issue has been resolved.]
• Community types are being allocated at random to the members in the community list. As a result, extended communities might be treated as simple and vice versa, which causes failures in the VRF import code. [PR/430728: This issue has been resolved.]
• If a static route is pointing to a discard configuration, a failure may happen when the router attempts to collect the multicast statistic data. [PR/434298: This issue has been resolved.]
• A Layer 3 VPN BGP using the show bgp neighbor command shows local-id 0.0.0.0 as output when NSR is enabled. [PR/434321: This issue has been resolved.]
• With BGP multipath configured, the BGP trace option flags may not be refreshed after a change in the trace option flag configuration. [PR/436440: This issue has been resolved.]
• Embedded RP configurations cause continuous RPD failure if PIM is disabled. [PR/438159: This issue has been resolved.]
• On a router configured for NSR, when you apply a BGP import policy and issue the clear bgp neighbor address soft command to reset BGP, the policy does not take effect. (In terms of configuration statements, the nonstop-routing statement is included at the [edit routing-options] hierarchy level and the import policy-name statement at the [edit protocols bgp group group-name neighbor address] hierarchy level.) As a workaround, either disable NSR or issue the clear bgp neighbor address command without the soft option, which forces BGP peers to reestablish their sessions. [PR/396291: This issue has been resolved.]
• When two BGP peers establish a session, they negotiate the hold time to use for keepalive messages. If one of the peers uses a nondefault hold-time value (that is, the hold-time statement is included at the [edit protocols bgp group group-name] hierarchy level in its configuration), and either of the peers goes down immediately after the session is established, the hold timer incorrectly expires after the default interval instead of the negotiated interval. [PR/396823: This issue has been resolved.]
• If you specify an IPv6 address as a value for the ssm-groups statement at the [edit routing-options multicast] hierarchy level, the SSM group does not work as expected. As a workaround, specify only IPv4 addresses. [PR/399352: This issue has been resolved.]
• When you enable distributed periodic packet management (by including the delegate-processing statement at the [edit routing-options ppm] hierarchy level), BFD packets are transmitted on a queue other than queue 3 (queue 0 or 4 depending on the JUNOS version). If system load allows it, disable distributed PPM as a workaround. [PR/400907: This issue has been resolved.]
• When you issue the mtrace source command and the route to the source is defined in the routing table for a PIM nonforwarding instance (that is, not in the main instance table, inet.0), the command fails with the following messages: "...giving up" and "Timed out receiving responses." [PR/403033: This issue has been resolved.]
• When certain statements are included at the [edit protocols bgp group group-name] hierarchy level, the routing protocols process (rpd) might generate an error and stop operating in some circumstances. [PR/404667: This issue has been resolved.]

MPLS Applications

• After a link flap which triggers a print-to-multipoint LSP reroute, the CCC connection stays down for an long period of time due to a race condition between CSPF runs and the RSVP. [PR/280259: This issue has been resolved.]
• Traffic loss might occur during an LSP switchover. [PR/392406: This issue has been resolved.]
• When you change the configuration of a secondary (standby) LSP in certain ways, the entire LSP is taken down and set up again, which might cause traffic loss or delay. Specifically, the problem occurs if you add or change the value of certain statements at the [edit protocols mpls label-switched-path lsp-name secondary lsp-name] hierarchy level, including admin-group, hop-limit, and priority. [PR/394184: This issue has been resolved.]
• On M-series and T-series routers, when the MPLS label-switched path (LSP) re-optimizes (or changes path) followed by a signaling failure along that path, then the path change does not occur till the next LSP re-optimization event. [PR/401343: This issue has been resolved.]
• If an RSVP LSP configured with LDP tunnel initiates auto-bandwidth adjustment, the LDP might fail to send keepalive message. This can trigger an LDP session flap as a result of hold-down timer expiration. [PR/407707: This issue has been resolved.]

VPNs

• The time-to-live (TTL) threshold value is not propagated correctly for VPNs that use IPv6 addresses. This might cause multiple entries for the same address in the output from the traceroute command. [PR/257497: This issue has been resolved.]
• When you reboot a PIC or FPC that houses a virtual tunnel (vt-) interface, the interface is not re-created. As a workaround, deactivate and reactivate the interface in the configuration. [PR/266170: This issue has been resolved.]
• When deleting a Layer 2 VPN routing instance and then adding a new VPLS routing instance using the same interface within the same commit, RPD fails. [PR/291407: This issue has been resolved.]
• If you take a PIC offline that hosts a large number (for example, 1000) of CE-facing interfaces in a Layer 2 VPN, the routing protocols process (rpd) might generate an error. [PR/300601: This issue has been resolved.]

• On a router configured for nonstop routing (NSR), if you perform the following sequence of steps, the routing protocol process (rpd) on the backup Routing Engine might generate a failure:

  1. Remove a Layer 2 VPN routing instance (that is, one for which the configuration includes the instance-type l2vpn statement at the [edit routing-instances routing-instance-name] hierarchy level).
  2. Commit the configuration.
  3. Immediately create a new Layer 2 VPN routing instance.
  4. Commit the configuration.
  [PR/401057: This issue has been resolved.]
• In a VPLS dual-homed configuration, traffic loss might occur for approximately 20 seconds during a switchover from the backup to the primary interface. [PR/404605: This issue has been resolved.]
• On a router configured as a Layer 2 VPN ASBR or route reflector, if a BGP session to a Layer 2 VPN peer (Layer 2 VPN signaling is enabled) flaps or is explicitly cleared, the backup routing protocol process (rpd) might fail and restart. [PR/407820: This issue has been resolved.]
• If MAC addresses are learned within a VPLS instance, CE devices will communicate directly even though no-local-switching is configured. [PR/419976: This issue has been resolved.]
• Multicast group addresses ending with .232 are classified as SSM groups when using multicast VPNs. These routes are not installed in a multicast VPN routing table and all traffic to these destinations is dropped. [PR/426811: This issue has been resolved.]
• While handling the ifl mismatch notification, multicast code finds the active route from the route (S,G) that should get installed in the forwarding plane which leads to a mismatch. The multicast code then hands the mismatch notification to the protocol that owns the active route. While finding the active route, multicast ignores the MVPN route and the mismatch notification is dropped. [PR/431211: This issue has been resolved.]

Layer 2 Ethernet Services

• For MX480 router only, the temperature gap between the MX480 fan speed-up and slow-down has changed from 0 degree Celsius to 5 degree Celsius. Before the change, the fan speeds up to a maximum temperature of 54 Celsius and slows down to 53 Celsius (0 degree gap). After the change, the fan speeds up to a maximum temperature of 56 Celsius and slows down to 49 Celsius (5 degree gap). [PR/394651: This issue has been resolved.]
• When you configure GRES on the MX-series router, the SIB might not initialize if you reboot both Routing Engines simultaneously, or reboot the router with only one Routing Engine installed. [PR/408359: This issue has been resolved.]
• When the router is configured as a DHCP relay agent with the option 82 enabled, it starts dropping packets when the packet size exceeds the maximum size as specified in option 57. [PR/411626: This issue has been resolved.]
• The relay-option-60 configuration, located under the group statement, stops working if something else is changed under the same group statement. [PR/434373: This issue has been resolved.]

High Availability

• An AGRES switchover may cause an FPC failure if the interfaces configuration contains the following statement: sp-x/y/0 { unit 0 { family inet; }. [PR/399152: This issue has been resolved.]
• If static routes are configured under [routing-options] which points to a discarded interface and if GRES is also configured then the kernel database may not synchronize with the backup Routing Engine (RE) after a GRES switchover is performed. The backup Routing Engine (RE) displays a connection error. [PR/399888: This issue has been resolved.]
• When the IPv6 protocol is configured in an IP IP tunnel and if GRES and NSR are enabled, the backup Routing Engine (RE) might display a replication error. [PR/420102: This issue has been resolved.]

Class of Service

• When you use wildcards to configure class-of-service (CoS) attributes for interfaces on intelligent queuing PICs (for example, IQ and IQ2), the scheduler map specified for the interface can be applied to the chassis stream. Performing a Routing Engine (RE) switchover in this condition can result in the chassis scheduler map being removed. As a workaround, you can explicitly configure a chassis scheduler map with the scheduler-map-chassis statement at the [edit class-of-services interfaces] hierarchy level. [PR/425710: This issue has been resolved.]
• When you apply a class-of-service (CoS) classifier to a logical interface that has the * (wildcard) value configured as the unit number, the classifier is removed after a Routing Engine reboot occurs. This issue does not occur if the logical interface unit value is configured as a specific numerical value. To apply a CoS classifier to a logical interface, include the classifier classifier-name statement at the [edit interfaces interface-name unit unit-value] hierarchy level. For classifier-name, include the name of a classifier configured at the [edit class-of-service classifiers] hierarchy level. [PR/427848: This issue has been resolved.]
• In JUNOS Release 8.4 and later, the commit or commit-check operation fails if a rewrite rule is defined at both the [edit class-of-service interfaces interface-name unit logical-unit-number rewrite-rules] hierarchy level and in a configuration group (defined at the [edit groups] hierarchy level) that is applied to that interface. The correct behavior is for the directly applied rule to override the rule inherited from the configuration group. [PR/261229: This issue has been resolved.]

Forwarding and Sampling

• A flow route is assigned an internal identifier that captures the values of all match conditions specified at the [edit routing-options flow route route-name match] hierarchy level. If the length of the identifier exceeds a certain limit, the MIB II process (mib2d) might repeatedly generate an error and fail to restart. The higher the number of match conditions, and the more values specified for conditions that accept multiple values (such as the destination-port and source-port statements), the more likely the problem is to occur. As a workaround, limit the number of conditions or values or both. [PR/273373: This issue has been resolved.]
• On an MX480 router, if you change link speed for a physical interface (by changing the value of the speed statement at the [edit interfaces interface-name] hierarchy level) and a rate-limiting output policer is applied to one of its logical interfaces (the output statement is included at the [edit interfaces interface-name unit logical-unit-number family family-name policer] hierarchy level), the traffic rate does not change (as reported by the show policer command). As a workaround, deactivate the policer statement, commit, reactivate the statement, and commit again. [PR/314143: This issue has been resolved.]
• For a filter whose last term has a next-term statement, if the filter 1) is applied individually, and 2) is within the term of another filter, or is applied in an input-list or an output-list, then the firewall process will commit with errors in the log and the filters might not be applied. [PR/395561: This issue has been resolved.]
• The password statement configured under [ accounting-options file x archive-sitesis] may not work correctly. [PR/396648: This issue has been resolved.]
• A sample core error occurs when you perform an assertion which causes a memory allocation failure. [PR/418126: This issue has been resolved.]
• When a filter term has "next term" as the action, the action may be shown in the firewall log as "unknown" for the matched outgoing packets. [PR/421810: This issue has been resolved.]
• For list filters, the firewall compiler (dfwc) creates temporary interface-specific filters marked with a flag (DFW_FLAGS_IFACE_INLINE) and uses them to clone as needed. These filters are usually purged from the system after cloning, but with this issue the filters are not purged and occupy index space. The workaround is to identify the unpurged list filter by checking for the flag DFW_FLAGS_IFACE_INLINE and then deleting it manually. [PR/426137: This issue has been resolved.]

• The commit fails with the error message “Referenced prefix-list xxx” is not defined under the following conditions:

  • An input-list or output-list is configured on an interface in a logical system
  • The filters in the list are defined under the firewall hierarchy of the main router
  • A prefix list defined under the policy-options of the main router is referenced by one of the filters in the list
  [PR/427253: This issue has been resolved.]
• Policers could not be modified after a system upgrade because of a flaw in the parser routine. This error occurs when the current item is deleted and then the parser cannot proceed to the next item. With the fix, the routine in the forwarding process (dwfd) has been modified so that the next item in the object tree is fetched before the current object is parsed. [PR/433418]

General Routing

• The jnxFWCounterPacketCount MIB module does not show the correct values and displays a zero even if the statistics used in the show command are non-zero. [PR/403563: This issue has been resolved.]
• If the kernel is slow to respond to interface statistics requests made by the Management Information Base II (MIB II) process (mib2d), it could be that the MIB II process is blocking the request. In addition, if there is an interface flap (link down followed by up), the MIB II process may recognize only the latest interface link state and thereby miss modifying the ifLastChange object identifier (OID) associated with the interface, and also miss sending a link down trap. [PR/421585: This issue has been resolved.]
• The Management Information Base II (MIB II) process (mib2d) core is generated when the Routing Engine 1 (RE1) is reloaded. [PR/436218: This issue has been resolved.]

9.3R2

This section lists issues that fixed in JUNOS Release 9.3 R2. The identifier following the description is the tracking number in our bug database

Platform and Infrastructure

• When the Routing Engine hard disk fails, the compact flash might be removed from the list of media used at boot time, instead of the hard disk being removed. In some cases, this makes the Routing Engine unable to initialize. [PR/389540: This issue has been resolved.]
• On M120 and MX-series routers, and on some FPCs on M320 routers, the Packet Forwarding Engine might not free memory correctly during operations on multicast next hops. [PR/396903: This issue has been resolved.]
• On a T1600 routing node, an FPC might stop operating while processing an ICMP TTL expiration packet. Such packets increment the count in the ttl expired field of the output from the show pfe statistics ip icmp command. [PR/398059: This issue has been resolved.]
• On egress PE routers, the correct EXP classifier is not applied to label-switched interfaces (LSIs) that are created by including the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level. [PR/399634: This issue has been resolved.]
• When you install an FPC in all eight slots on a T1600 routing node configured for graceful Routing Engine switchover (the graceful-switchover statement is included at the [edit chassis redundancy] hierarchy level), the routing node might reboot repeatedly. As a workaround, disable GRES or remove one FPC. [PR/400267: This issue has been resolved.]

User Interface and Configuration

• When you issue the request system (halt | power-off | reboot) other-routing-engine lcc routing-node-index command on a TX Matrix platform, the requested operation is performed on the TX Matrix platform instead of the specified routing node (line-card chassis, or LCC). As a workaround, issue the command on the routing node itself (without the lcc option). [PR/241274: This issue has been resolved.]
• On routers that do not use JUNOS software licensing (for example, the M7i, M10i, M40e, and T-series routing platforms) the alarm process (alarmd) nevertheless updates a license-tracking file every 60 seconds. This causes excessive disk activity. As a workaround, become the root user and create an empty directory called /config/license. To determine if a router supports licensing, issue the show system license command. On routers that do not support licensing, the command returns the message "syntax error, expecting <command>” and we recommend the workaround. [PR/308466: This issue has been resolved.]

Interfaces and Chassis

• On MX-series routers, when a DPC configured with a large number of interfaces restarts, the chassis process (chassisd) might write the following messages to the log: "failed to complete channel bonding" and "reached link 5 max index value." [PR/292057: This issue has been resolved.]
• When only one Routing Engine is installed in an M120 router, on the craft interface the LEDs for the power supplies never light up. Similarly, in the PS LEDs section of the output from the show chassis craft-interface command, there is a period in all four fields (indicating that no LEDs are lit). [PR/302504: This issue has been resolved.]
• When Multilink Frame Relay encapsulation is configured on an interface (the encapsulation multilink-frame-relay-uni-nni statement is included at the [edit interfaces interface-name] hierarchy level), the kernel might generate an error. [PR/408066: This issue has been resolved.]

Services Applications

• Network address translation (NAT) is not performed correctly for Real-Time Streaming Protocol (RTSP) methods when the Content-Length field is set to 0 (zero). [PR/393171: This issue has been resolved.]

Subscriber Access Management

• If you create multiple subscriber sessions on a logical interface at the same time, some clients might not initialize correctly. The show dhcp server binding detail command reports the value act-prof in the State column for these clients. [PR/303778: This issue has been resolved.]

Layer 2 Ethernet Services

• When more than one of a physical interface's logical interfaces is associated with a bridge domain (the family bridge statement is included at more than one [edit interfaces interface-name unit logical-unit-number] hierarchy level and each logical interface is specified as the value for an interface interface-name statement at an [edit bridge-domains domain-name] hierarchy level), the monitor physical-interface-name command displays incorrect values in the Input packets field of the Traffic statistics section. [PR/397745: This issue has been resolved.]

Routing Protocols

• On a router with dual Routing Engines that is configured for nonstop active routing (NSR) and graceful Routing Engine switchover, if the backup-router or inet6-backup-router statement is included at the [edit system] hierarchy level, the static route to the backup destination is not deleted on the backup Routing Engine when you activate NSR. [PR/305597: This issue has been resolved.]
• If the route to a multicast source address is learned using BGP and the upstream interface goes down, PIM might not detect the outage. As a consequence, the value unknown appears in the Upstream interface and Upstream neighbor fields of the output from the show pim join extensive command. [PR/397410: This issue has been resolved.]
• If PIM sources are accessed via different addresses on the same neighbor, and PIM is deactivated and reactivated on the neighbor, the Upstream interface and Upstream neighbor fields of the output from the show pim join extensive command continue to report the value unknown after the neighbor is active. [PR/400573: This issue has been resolved.]
• When peers in different BGP peer groups have similar export policies such that identical advertisements are sent, the routing protocols process (rpd) might generate an error and become unresponsive when the backup Routing Engine comes online. [PR/404471: This issue has been resolved.]

MPLS Applications

• When the load-balance bandwidth statement is included at the [edit protocols rsvp] hierarchy level on a router with two LSPs to a destination, the balance coefficient is set to zero for the next-hop interfaces in the MPLS forwarding table entry for the route to the destination that is marked with (S=0) (in other words, in the output from the show route forwarding-table family mpls extensive command, the record with the header Destination: index(S=0) has Next-hop interface entries where the Balance field does not appear). [PR/257570: This issue has been resolved.]

  When both CSPF and link protection are enabled, in rare instances the routing protocol process (rpd) might generate an error and restart. [PR/266126: This issue has been resolved.]

High Availability

• On an MX-series router configured for VRRP for IPv6, during a mastership change the original master does not relinquish mastership, with the result that both it and the original backup are reported as master in the VR state field of the output from the show vrrp summary command. [PR/398399: This issue has been resolved.]
• On a router configured for nonstop active routing (NSR), if you perform the following sequence of steps, the routing protocols process (rpd) on the backup Routing Engine might generate an error: remove a Layer 2 VPN routing instance (that is, one for which the configuration includes the instance-type l2vpn statement at the [edit routing-instances routing-instance-name] hierarchy level), commit the configuration, immediately create a new Layer 2 VPN routing instance, and commit the configuration. [PR/401057: This issue has been resolved.]

Class of Service

• When you update a CoS rewrite rule, the changes are not applied to active multicast streams, but only to streams created after the change. As a workaround, clear all active multicast streams after updating the rule. [PR/266341: This issue has been resolved.]

9.3R1

This section lists issues that were fixed in JUNOS Release 9.2R1. The identifier following the description is the tracking number in our bug database.

Platform and Infrastructure

• When you enable point-to-multipoint LSPs over an outgoing aggregated Ethernet interface that is configured with circuit cross-connect (CCC) switching, the LSP fails to forward traffic and the following error appears in the system log: "nh_ucast_add." As a workaround, disable the interface and LSP, reenable them in that order, and then clear the RSVP session for the LSP. [PR/105884: This issue has been resolved.]
• If you configure a large number of MD5 authentication keys for BGP sessions, and then deactivate and reactivate the keys, the router might generate a commit error and MD5 authentication might not be applied on some of the BGP sessions. [PR/238960: This issue has been resolved.]
• When you issue the file copy command with an FTP path as the source or destination and include the source-address option, the specified source address is not used for establishing a connection with the peer FTP server. [PR/240580: This issue has been resolved.]
• On MX960 routers, if you issue the request system power-off other-routing-engine command to power down a Routing Engine, it does not power back on when you then issue the request system power-on other-routing-engine command. [PR/253061: This issue has been resolved.]
• When you configure aggregated interfaces as core-facing links, translational cross-connect (TCC) might not work properly. [PR/267867: This issue has been resolved.]
• Including the mirror-flash-on-disk statement at the [edit system] hierarchy level has no effect. [PR/268474: This issue has been resolved.]
• On MX-series Ethernet Services routers, if the label-switched interface (LSI) is enabled for an xe member link that is part of an aggregated Ethernet (ae) interface, the xe interface statistics are counted twice. [PR/274396: This issue has been resolved.]
• When a GGSN C-PIC sends a packet larger than the MTU of the outgoing interface in a default VRF, ICMP error messages that indicate fragmentation is needed do not reach the C-PIC. [PR/276392: This issue has been resolved.]
• On a Routing Engine of type RE-3.0 (as reported by the show chassis hardware command) with a 1-GB compact flash card, issuing the request system snapshot command might corrupt one or more JUNOS package files in the /altroot/packages directory. [PR/291295: This issue has been resolved.]
• In an environment with many active multicast routes and one or more aggregated interfaces as downstream interface, when an aggregated interfaces flaps or an FPC containing an aggregated interface restarts, the kernel might restart unexpectedly. This issue is seen in networks with greater than 1000 multicast routes. The chance of kernel restarts increases as the number of multicast routes increases or the number of downstream aggregated interfaces increases. [PR/292521: This issue has been resolved.]
• If a small form-factor pluggable transceiver (SFP) does not respond to a request for diagnostic data, a message is written to the system log. The message is unnecessary because the failure to respond has no operational impact. [PR/293212: This issue has been resolved.]
• When a Multilink Point-to-Point Protocol (MLPPP) link is incorrectly added to a Multilink Frame Relay (MLFR) bundle, the kernel resets unexpectedly. [PR/294885: This issue has been resolved.]
• An MPLS frame with an explicit NULL label designated for the Routing Engine might be dropped by the Packet Forwarding Engine. [PR/298967: This issue has been resolved.]
• For individual T1 links in an MLPPP bundle, the counts of input bytes and input packets are not reported correctly in the Traffic statistics section of the output from the monitor interface t1-fpc/pic/port command. [PR/299688: This issue has been resolved.]
• On M320 and T-series routing platforms, when member links of a Multilink Frame Relay bundle go down and come back up, an FPC in which a Link Services Queuing (LSQ) PIC is installed might stop forwarding traffic and need to be rebooted. As a workaround, install the PICs with the member links and the LSQ PIC in the same FPC. [PR/300331: This issue has been resolved.]
• If both the key and ttl statements are included at the [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number tunnel] hierarchy level for a GRE tunnel, the TTL value might be decremented incorrectly. This can cause the ping command to fail. [PR/300956: This issue has been resolved.]
• When you configure an unnumbered interface to borrow from a loopback or non-Ethernet interface and also configure unrestricted proxy ARP on the unnumbered interface, the incoming proxy-ARP requests are dropped. As a workaround, configure the unnumbered interface to borrow from any Ethernet interface. [PR/301101: This issue has been resolved.]
• If an interface is configured as a shared uplink for the JCS 1200 platform (the shared-uplink statement is included at the [edit interfaces interface-name] hierarchy level), it cannot function as a label-switched interface (LSI). [PR/305520: This issue has been resolved.]
• When you enable or disable MPLS on an interface configured as a shared uplink to the JCS 1200 platform, an FPC that has a tunnel PIC installed might generate an error. [PR/305670: This issue has been resolved.]
• VPLS flood forwarding might not work correctly on an interface configured as a shared uplink to the JCS 1200 platform (the shared-uplink statement is included at the [edit interfaces interface-name] hierarchy level). [PR/307213: This issue has been resolved.]
• On the TX Matrix platform, if there are a large number of interface configuration changes in a small amount of time, or if the alarm process (alarmd) restarts, it might take a long time for the show version detail command to return all of its output. [PR/307228: This issue has been resolved.]
• During graceful Routing Engine switchover (GRES), resynchronization between Routing Engines might fail. In this case, the Kernel database field in the output of the show system switchover command reports the value Connection error, Initialize error. [PR/307501: This issue has been resolved.]
• When a PE router receives a PIM Join message from a CE router and the source for the required multicast data is another directly connected CE router, the attempt to create a flood next hop might initially fail. Messages including the following are written to the system log: "NH: Failed to install flood nexthop: index." The next hop is eventually installed, so there is no operational impact. [PR/307579: This issue has been resolved.]
• On T-series routing platforms with VPLS configured, if a customer edge-facing interface on a provider edge router is on an Enhanced Scaling FPC4, the following message might be written repeatedly to the system log: "LCHIP(0): number new errors in SLout OP". The condition that triggers the message has no operational impact. [PR/309044: This issue has been resolved.]
• On M120 routers or M320 platforms with M320 Enhanced III FPCs, packets might be discarded after a graceful Routing Engine switchover event. The following might be written to the system log: "ichip_f_check_dest_errors: Fabric request time out for plane index dest index pfe index." To restore forwarding performance, restart the Enhanced III FPC on M320 routers or the Forwarding Engine Board on M120 routers. [PR/310061: This issue has been resolved.]
• In a Protected System Domain, under the following conditions VPLS traffic received on a core-facing shared uplink interface is not forwarded: (a) both the main routing instance and a logical system are using the shared uplink interface and (b) an FPC housing a tunnel PIC goes down and comes back up. As a workaround, configure another logical system for the main routing instance, so that all the shared uplink interfaces and peer tunnel interfaces are configured in a logical system. [PR/311302: This issue has been resolved]
• When the mirror-flash-on-disk statement is included at the [edit system] hierarchy level and the Routing Engine is rebooted, the following spurious message appears when you log in to the Routing Engine: "NOTICE: System is running on alternate media device (/dev/device-file)." [PR/311768: This issue has been resolved.]
• When two BGP peers are configured to use MD5 authentication and you issue the clear bgp neighbor command on one peer, the following message might be written to the system log on the other peer: "tcp_auth_ok: Packet from address:identifier missing MD5 digest." Traffic forwarding is not affected. [PR/312680: This issue has been resolved.]
• When the authentication-key statement is included at the [edit protocols bgp group group-name] hierarchy level, TCP sessions might not be terminated properly. As a result the message "tcp_auth_ok: Packet from address missing MD5 digest" might be written to the system log for each TCP ACK packet sent from a remote endpoint. [PR/313119: This issue has been resolved.]
• On MX-series and M120 routers, and M320 routers with an Enhanced III FPC, if the configuration includes the explicit-null statement at the [edit protocols mpls] or [edit protocols ldp] hierarchy level, a DPC or FPC might reboot (but not generate an error) when an MPLS packet with time-to-live (TTL) equal to 0 (zero) or 1 (one) is processed at the egress of a tunnel. [PR/313319: This issue has been resolved.]
• The output from the traceroute command includes both the IP address and DNS hostname of each hop. The hostname information might be incorrect for one or more hops. [PR/389794: This issue has been resolved.]
• During recovery after the Routing Engine hard drive fails, the JUNOS kernel might fail, causing the router to reboot. [PR/390306: This issue has been resolved.]
• When a member link of an aggregate interface goes down and comes back up and new forwarding information is installed during that change-in-status period, traffic might be lost. [PR/392550: This issue has been resolved.]
• On T-series routing platforms with aggregated SONET/SDH interfaces, if multiple statistics requests for these interfaces are queued at the same time, a memory corruption might occur, causing the kernel to crash. [PR/393572: This issue has been resolved.]

User Interface and Configuration

• Under certain conditions, when you issue show configuration | compare command the management process (mgd) might generate an error. [PR/281705: This issue has been resolved.]
• If a BGP peer is defined in a configuration group, it might not be possible to establish a connection with it. [PR/283238: This issue has been resolved.]
• If you use the replace pattern command to change the name of a policy that is applied to an object in the [edit protocols] hierarchy (for example, the import policy-name statement is included at the [edit protocols bgp group group-name neighbor address] hierarchy level) and then commit the configuration, the show | compare command reports the name change at the hierarchy level for the object but shows the new name as both the old and new value. The output remains the same even after multiple repetitions of the commit command. However, the policy with the new name is being applied correctly. [PR/294344: This issue has been resolved.]
• When you include the match regular-expression statement at the [edit system syslog (console | file | host | user)] hierarchy level to refine the set of messages included in the log, messages that do not match the expression are still included. [PR/295523: This issue has been resolved.]
• Under the following conditions, the commit operation might fail with the syntax error "inactive: group group-name { ... }": (a) you use the configure private command to enter configuration mode, (b) a BGP group is deactivated, and (c) you change another BGP group’s name. As a workaround, use the configure command to enter configuration mode. [PR/300917: This issue has been resolved.]
• When you invoke a commit or commit check operation for a configuration that includes forwarding-table filters, the firewall process (dfwd) might generate an error and restart. [PR/301806: This issue has been resolved.]
• When TACACS+ authentication is configured and a user tries to log in to the router over an SSH or FTP connection, the JUNOS software does not include the remote user address in the authentication request packet sent to the TACACS+ server. [PR/301927: This issue has been resolved.]
• If the set of transient changes specified in a commit script (enclosed by the <transient-change> tag) includes the deactivation of a configuration statement, none of the transient changes take effect. [PR/307352: This issue has been resolved.]

Interfaces and Chassis

• On channelized T3 interfaces, the T1 loopback state does not reflect loopbacks set by facilities data link requests using the remote-loopback-respond statement at the [edit interfaces interface-name t1-options] hierarchy level. [PR/45837: This issue has been resolved.]
• If you include the compression-device statement at the [edit interfaces at-fpc/pic/port unit logical-unit-number] hierarchy level (that is, on an ATM interface), the JUNOS kernel might generate an error and restart. [PR/265542: This issue has been resolved.]
• On 1-port 10-Gigabit Ethernet XFP Uplink PICs and 1-port 10-Gigabit Ethernet XENPAK PICs, when the 10-Gigabit Ethernet port is disabled through the CLI, the transmit laser is shut off correctly. After this, if the XFP or XENPAK module is changed or reseated, the transmit laser is turned on, even though the port is disabled. [PR/267308: This issue has been resolved.]
• When you issue the show interfaces diagnostics optics command and do not specify an interface name, the output is the same as for the show interfaces command, instead of including optic diagnostics. [PR/285978: This issue has been resolved.]
• In JUNOS Release 9.0 and later, the monitor interface interface-name command output is missing some information. [PR/296131: This issue has been resolved.]
• The commit operation does not fail when the configuration includes the following invalid combination of statements: the address specified by the source or destination statement at the [edit interfaces gr-fpc/pic/port unit logical-unit-number tunnel] hierarchy level is the same as the interface’s own subnet address (as specified by the address statement at the [edit interfaces gr-fpc/pic/port unit logical-unit-number family family-name] hierarchy level). [PR/299443: This issue has been resolved.]
• When a Routing Engine switchover takes place, the kernel might generate an error. [PR/301327: This issue has been resolved.]
• On a router without redundant Routing Engines (such as the M7i router), if the Routing Engine restarts, the router might stop forwarding packets. As a workaround on the M7i router, issue the request chassis cfeb restart command. [PR/301788: This issue has been resolved.]
• On a Gigabit Ethernet IQ2 PIC with SFPs, if a logical interface is configured for VRRP, the values in the Traffic statistics section of the output from the show interfaces ge-fpc/pic/port extensive command might not be accurate. [PR/303151: This issue has been resolved.]
• If you change the MTU for a shared-uplink interface on the root system domain (RSD) (by adding the mtu statement at the [edit interfaces interface-name] hierarchy level or changing its value), the RSD process (rsdd) generates an error and the MTU does not change. [PR/303256: This issue has been resolved.]
• In a Protected System Domain with a large number of LSPs configured (for example, 50,000), an FPC might generate an error when you issue the show pfe route mpls command repeatedly. [PR/303349: This issue has been resolved.]
• If you change any VRRP configuration statement (at the [edit interfaces interface-name unit logical-unit-number family (inet | inet6) address address] hierarchy level and commit the configuration, VRRP performs a mastership election even if the changed statement does not affect mastership. [PR/303701: This issue has been resolved.]
• When you configure bandwidth management for a Protected System Domain (PSD) by including the control-plane-bandwidth-percent statement at the [edit chassis system-domains protected-system-domain psdn] hierarchy level, it might take up to four hours for FPC core file errors to transfer to the PSD. To reduce the transfer time to approximately 15 minutes, use one of the following workarounds: (a) remove the control-plane-bandwidth-percent statement, or (b) set the control-plane-bandwidth-percent value to 96 on the PSD to which the FPC is assigned. [PR/304765: This issue has been resolved.]
• When the links in a redundant LSQ bundle are not configured at the remote site, if a graceful Routing Engine switchover occurs and then a primary or secondary LSQ PIC goes offline, the backup Routing Engine might generate an error. [PR/306667: This issue has been resolved.]
• For SONET/SDH interfaces, when the hold-time statement is included at the [edit interfaces so-fpc/pic/port] hierarchy level and you change the framing type from the default (SONET) to SDH by including the framing sdh statement at the [edit interfaces so-fpc/pic/port] hierarchy level, the interface does not come up after the commit operation. As a workaround, deactivate the hold-time statement before changing the framing. [PR/306687: This issue has been resolved.]
• When you disable a Fast Ethernet interface, a router at the other end of a link to the interface might not mark the link as down. [PR/307538: This issue has been resolved.]
• The 1-port ATM2 OC48/STM12 IQ PIC might generate an RDI-P error when it receives a packet in which the bits corresponding to the enhanced path-RDI encoding of the G1 path overhead byte are set, even if the formal path-RDI bit within the G1 path overhead byte is not set. [PR/309929: This issue has been resolved.]
• When you set a nondefault payload size for a SAToP pseudowire (by including the payload bytes statement at the [edit interfaces interface-name satop-options] hierarchy level), the setting does not take effect and the default payload size is retained. The payload size is reported in the TDM payload size field in the output of the show route table l2circuit detail command. [PR/311066: This issue has been resolved.]
• When you configure a shared uplink interface on the JCS 1200 platform, the interface process (dcd) might generate an error and stop operating. [PR/311384: This issue has been resolved.]

Services Applications

• If Network Address Port Translation (NAPT) is configured and multiple short-lived flows are established, ports on MS PICs might not be assigned correctly. In some cases, this situation causes the MS PIC to stop functioning. [PR/300553: This issue has been resolved.]
• If Network Address Port Translation (NAPT) is configured and multiple short-lived flows are established, ports on MS PICs might not be assigned correctly. In some cases, this situation causes the MS PIC to stop functioning. [PR/304088: This issue has been resolved.]
• When a PPP session on a dedicated interface is terminated, associated static routes might remain in the routing table. [PR/309771: This issue has been resolved.]

Subscriber Access Management

• The router’s address-assignment pool support enables you to create a named address range that is based on a specific DHCP option 82 value (either circuit-id or remote-id). However, when a client request is received, the router ignores the specified option 82 value and instead uses the first named range of addresses in the address-assignment pool. [PR/263077: This issue has been resolved.]
• When you configure either AAA or local authentication for Mobile IP services (at the [edit services mobile-ip] hierarchy level), a call-setup rate of more than 20 calls per second might cause the following: (a) a significant drop in the connection rate and (b) a high CPU utilization rate for the Mobile IP process (mipd) when there are more than 30,000 configured subscribers. [PR/307121: This issue has been resolved.]
• On a router configured for Mobile IP services, under the following conditions both the Mobile IP process (mipd) and the authentication process (authd) might generate an error and restart: (a) the order aaa statement is included at the [edit services mobile-ip authenticate] hierarchy level, (b) the call setup rate is more than 20 calls per second, and (c) more than 30,000 subscribers are configured. [PR/308707: This issue has been resolved.]
• On a router configured for Mobile IP services, when 40,000 concurrent subscribers are logged in, the authentication process (authd) might create an error and restart. [PR/309778: This issue has been resolved.]
• When you change a dynamic profile in the [edit dynamic-profiles] configuration hierarchy and commit the configuration, the foreign file propagation process (ffp) might generate an error. As workaround, remove the dynamic profile, commit the configuration, reinsert the dynamic profile with the desired changes, and commit again. [PR/310327: This issue has been resolved.]

Layer 2 Ethernet Services

• When you configure bridge options for a trunk interface (by including the interface statement at the [edit bridge-domain domain-name bridge-options] hierarchy level) and the bridge domain is part of the default virtual switch, the JUNOS software rejects the configuration as invalid. As a workaround, include the complete bridge domain configuration at the [edit routing-instances routing-instance-name] hierarchy level, along with another interface statement at that level for the trunk interface. [PR/307000: This issue has been resolved.]
• When you change the values for the vlan-id and vlan-tags statements at the [edit routing-instances routing-instance-name bridge-domains domain-name] hierarchy level, the multicast snooping process (mcsnoopd) might generate an error. There is no operational effect and the process recovers automatically. [PR/307322: This issue has been resolved.]
• On an MX-series router with a large-scale Layer 2 Control Protocol configuration, Layer 2 traffic might be discarded after an in-service software upgrade. [PR/311893: This issue has been resolved.]
• On MX-series routers, access ports configured for VSTP (the interface interface-name statement corresponding to the port is included at the [edit protocols vstp] hierarchy level) might not interoperate properly with other vendors’ switches. [PR/390026: This issue has been resolved.]

Routing Protocols

• You can specify a value for the lsp-interval statement at the [edit protocols isis interface-name] hierarchy level that exceeds the documented maximum (the operation does not fail when you commit such a configuration). However, values that exceed the maximum can cause unexpected behavior. [PR/41613: This issue has been resolved.]
• If the configuration includes VPNs and nonstop active routing is enabled, the following message is written repeatedly to the system log: "Error creating dynamic logical interface from sub-unit 0: No such file or directory." [PR/277005: This issue has been resolved.]
• When an IPv6 duplicate address is detected, the interface stops forwarding but IS-IS and OSPFv3 continue to announce the interface as a valid route. However, the address is unreachable and all traffic destined to or through the interface is dropped. [PR/296740: This issue has been resolved.]
• If during an LDP outage you change the value of the ldp-synchronization hold-time statement at the [edit protocols ospf area area-id interface interface-name] or deactivate the statement, OSPF might advertise the incorrect metric for the interface. [PR/303733: This issue has been resolved.]
• If during an LDP outage you change the value of the ldp-synchronization hold-time statement at the [edit protocols isis interface interface-name] or deactivate the statement, IS-IS might advertise the incorrect metric for the interface. [PR/304532: This issue has been resolved.]
• When you include the stale-routes-time statement at the [edit protocols bgp graceful-restart] hierarchy level, but not the graceful-restart statement at the [edit routing-options] hierarchy level, the commit operation fails with the following message: "Error in neighbor address of group group-name: graceful restart must be enabled in routing-options too." [PR/307034: This issue has been resolved.]
• On an AS boundary router or a route reflector for a VPN address family, under the following conditions VPN routes are not imported into the routing instance (VRF instance) tables: (a) the nonstop-routing statement is included at the [edit routing-options] hierarchy level, (b) routing instances are configured for locally attached VPN sites, and (c) you deactivate and reactivate the routing instance configuration. [PR/307770: This issue has been resolved.]
• When you configure a policy that causes BGP to advertise static routes that lead to unnumbered interfaces, the routing protocol process (rpd) might generate an error. [PR/308465: This issue has been resolved.]
• If a BGP notification message has an invalid value for the length of the next-hop network address field in the MP_REACH_NLRI attribute, the JUNOS software sends error code 3, subcode 1 ("Malformed Attribute List"), instead of the code specified by RFC 2858, which is code 3, subcode 9 ("Optional Attribute Error"). [PR/308628: This issue has been resolved.]
• When you re-add a previously deleted or deactivated address statement for an interface’s IPv6 address on a PIM upstream neighbor (at the [edit interfaces interface-name unit logical-unit-number family inet6] hierarchy level), the addition does not register at the downstream neighbor. On the downstream neighbor, the value in the Upstream interface and Upstream neighbor fields remains unknown in the output from the show pim join extensive command. As a workaround, issue the clear pim join command. [PR/309972: This issue has been resolved.]
• If unicast routes towards a multicast source are updated via BGP static routing and an IPv6 address on a BGP peer router is deactivated and reactivated, multicast forwarding does not function correctly. [PR/386781: This issue has been resolved.]
• If the source address for IPv6 multicast traffic is resolved by a static route, information about an upstream neighbor might not be updated after a graceful Routing Engine switchover event (the value unknown appears in both the Upstream interface and Upstream neighbor fields in the output from the show pim join extensive command). [PR/389856: This issue has been resolved.]
• When a PE router receives an external LSA of type 7 (NSSA) that has a matching VPN tag or has the DN (down) bit set, it nevertheless includes the advertised route in its OSPF route calculation. According to RFC 4576, it must ignore such routes. [PR/391733: This issue has been resolved.]

MPLS Applications

• If an ingress LSP detects a routing loop (reported as Routing loop detected[number times] in the output from the show mpls lsp name lsp-name extensive command), it might stop handling traffic. [PR/293686: This issue has been resolved.]
• After some types of network events (for example, when an interface goes down and comes back up), LDP routes might be removed incorrectly from the inet.3 routing table. As a workaround, restart all LDP sessions. [PR/297144: This issue has been resolved.]
• If you include the traffic-engineering (bgp-igp-both-ribs | mpls-forwarding) statement at the [edit protocols mpls] hierarchy level for a link-protected point-to-multipoint LSP, the routing protocol process (rpd) might generate an error. [PR/303993: This issue has been resolved.]
• When a Layer 2 circuit comes back up after an interruption of network connectivity, the JUNOS software does not record the state change appropriately, and traffic is not sent through the Layer 2 circuit connection. [PR/306043: This issue has been resolved.]
• If two point-to-multipoint branch LSPs share the same incoming interface, and one of them comes up after the other during a remerge event at a transit router, the in-label for both LSPs is marked Discard, as reported by the show route table mpls.0 command. [PR/306312: This issue has been resolved.]
• When you issue the traceroute mpls ldp command, the MPLS OAM process (mplsoamd) might generate an error. [PR/307732: This issue has been resolved.]
• If an IP address is configured as both a direct LDP neighbor and a targeted LDP neighbor, and an LDP session with the neighbor repeatedly goes down and comes up again, the routing protocol process (rpd) might generate an error and stop operating. [PR/308178: This issue has been resolved.]
• If there is a single hop to an LDP neighbor and the source address of the received LDP Link Hello address is the same as the LDP Targeted Hello source address, when the LDP link neighbor and target LDP neighbor go down and come back up in a certain sequence, the Layer 2 circuit connection might remain inactive (reported as VC-Dn in the St field of the entry for the neighbor in the output from the show l2circuit connections command). To return the connection to the active state, issue the clear ldp neighbor address command. [PR/312672: This issue has been resolved.]

VPNs

• When a logical tunnel (lt-) interface forwards a multicast packet, it incorrectly sets the destination MAC address. [PR/304516: This issue has been resolved.]
• Including both the interface and neighbor statements in a VPLS mesh group (that is, at the [edit routing-instances routing-instance-name protocols vpls mesh-group group-name] hierarchy level) is not a valid configuration, but the commit operation does not fail. The mesh groups are not established correctly, however, as indicated in the output from the show vpls connections extensive command. [PR/304952: This issue has been resolved.]
• A dynamic change to the provider tunnel type might cause the routing protocol process (rpd) to generate an error. [PR/305081: This issue has been resolved.]
• In rare cases, changes to the encapsulation or MAC address on a PE router’s CE-facing interface, followed by a nonstop active routing (NSR) event, might disrupt Layer 2 circuit communications. The show l2circuit connections command reports an MTU Mismatch (MM) status for the Layer 2 circuit connection on the remote PE router. To restore communications, on the local PE router deactivate and reactivate the l2circuit configuration stanza at the [edit protocols] hierarchy level. To avoid the error, include the ignore-mtu-mismatch statement at the [edit protocols l2circuit local-switching interface interface-name] hierarchy level for every interface. [PR/306453: This issue has been resolved.]

High Availability

• On a router with BGP and nonstop active routing (NSR) enabled, after a few graceful Routing Engine switchover events (for example, three or four) the routing protocols process (rpd) might generate an error and stop operating. [PR/288783]
• Following a unified in-service software upgrade (ISSU), logical tunnel interfaces might not work properly. Problems might include failure of the ping command and formation of Layer 2 forwarding loops. As a workaround, deactivate and activate the affected interfaces after the upgrade finishes. [PR/294284: This issue has been resolved.]
• During an in-service software upgrade on a TX Matrix platform, firewall counters are reset to zero (as reported by the show firewall command) at two points: when the backup Routing Engines on the routing nodes are upgraded and when FRUs are upgraded on a newly rebooted routing node. After the second reset to zero, the counters no longer increment. [PR/305450: This issue has been resolved.]

Class of Service

• When you remove a CoS scheduler map from an interface (by removing the scheduler-map statement at the [edit class-of-service interfaces interface-name] hierarchy level), corresponding data structures might not be removed from Packet Forwarding Engine memory. An attempt to configure a different scheduler map on the interface might fail, as indicated by the following message in the system log: "mqchip_red_profile() no profile space available." [PR/292223: This issue has been resolved.]
• If the configured shaping rate for an interface is low (the value of the shaping-rate statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level is less than 5m), queue transmission rates do not match the configured values. [PR/305209: This issue has been resolved.]

Forwarding and Sampling

• When you include the route-accounting statement at the [edit forwarding-options family inet6] hierarchy level, the sampling process (sampled) might generate an error. [PR/291455: This issue has been resolved.]
• Under some circumstances, when you add a prefix at the [edit policy-options prefix-list list-name] hierarchy level, the commit operation might fail with one of the following error messages: "Check-out failed for Firewall daemon (/usr/sbin/dfwd) without details" or "configuration check-out failed." [PR/305510: This issue has been resolved.]
• When you configure Routing Engine-based sampling (by including the sampling statement at the [edit forwarding-options] hierarchy level), 4-byte AS numbers might be incorrectly reported as 2-byte numbers in the output from the monitor start sampled command. [PR/310276: This issue has been resolved.]
• If a prefix list specified at the [edit firewall family inet6 filter filter-name term term-name from source-prefix-list] hierarchy level includes an IPv4 address, the commit operation fails with the following message: "Invalid inet6 addr: 'ipv4-address/prefix-length'." [PR/310299: This issue has been resolved.]
• Specifying peer as the value for the autonomous-system-type statement at the [edit forwarding-options sampling output cflowd hostname] hierarchy level has no effect (the exported information is the same as when the value origin is specified). [PR/310313: This issue has been resolved.]

Network Management

• When some PIC types are taken offline and brought back online, an SNMP linkUp trap is not generated for some of the logical interfaces. [PR/294667: This issue has been resolved.]
• The JUNOS software does not generate an SNMP linkDown trap when an interface’s state (represented by the ifOperStatus object) changes from up to lowerLayerDown. The trap is required by RFC 2863. [PR/297829: This issue has been resolved.]
• When you issue the monitor traffic interface or tcpdump command for a logical interface on a T1 or T3 interface, the command might fail and return the following error message: "BIOCSETIF: <interface-name>: Device not configured." [PR/310814: This issue has been resolved.]
• When you enable firewall counters for IPv4 and IPv6 traffic on an interface (by including the count statement at the [edit firewall family (inet | inet6) filter filter-name term term-name then] hierarchy level and the filter filter-name statement at the [edit interfaces interface-name unit logical-unit-number (inet | inet6)] hierarchy level), the show snmp mib walk jnxFWCounterByteCount command might not display all of the counters. [PR/313194: This issue has been resolved.]

Related Documentation

• Features in JUNOS Software Release 9.3 for M-series, MX-series, and T-series Routing Platforms
• Changes in Default Behavior and Syntax in JUNOS Software Release 9.3 for M-series, MX-series, and T-series Routing Platforms
• Errata and Changes in Documentation for JUNOS Software Release 9.3 for M-series, MX-series, and T-series Routing Platforms
• Upgrade and Downgrade Instructions for JUNOS Software Release 9.3 for M-series, MX-series, and T-series Routing Platforms