Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms

The current software release is Release 9.5R4. For information about obtaining the software packages, see Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms.

• Current Software Release
• Previous Releases

Current Software Release

The current software release is Release 9.5R4. For information about obtaining the software packages, see Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms.

Outstanding Issues

Class of Service

• If you try to configure a scheduler map containing two forwarding classes that are mapped to the same queue, the class-of-service scheduler is not applied to the Packet Forwarding Engine. As a workaround, configure a single forwarding class for each available queue. [PR/57907]
• On the MX960, bandwidth sharing across high priority and strict-high priority schedulers might not be as expected. This issue occurs when the schedulers are configured on logical interfaces. [PR/265603]
• On M Series routers (except M120 and M320), packet classification will not work on aggregated Ethernet bundles that have LACP enabled. [PR/492057]

Forwarding and Sampling

• On M320 and T-series routers, when you configure interface output sampling, packets might travel through the output firewall. As a workaround, configure a firewall filter on the output interface with then sample and then next-term statements. The workaround provides the same functionality as the other configuration, but avoids the problem behavior. [PR/70473]
• On T-series routers, if an ingress firewall is configured to drop all incoming multicast packets the discarded multicast packets, are incorrectly sent to the Routing Engine. This causes a high utilization of the CPU (50 percent) on the FPC. [PR/239268]
• The output firewall filter counter doesn’t count packets when a firewall is configured on the discard interface of an M120 router. [PR/404645]
• When configuring a routing-instance in a firewall filter on the MX480, the router might give a warning message "Warning: statement ignored: unsupported platform.". [PR/421765]
• Under rare circumstances, if the filter is changed while a counter query is in progress and the system is under heavy load, the system may crash. [PR/447033]
• Using the ipv4-template to collect flow monitoring version 9 statistics on ingress L3VPN PE devices results in BGP IP next–hop address not being included in the report. [PR/467403]
• On rare occasions, the firewall compiler can discard a prefix configured for accept. This issue depends on the set of prefixes configured for matching across the various terms. [PR/486633]
• The blocked-hosts-src term being used before the anti-spoof term in a firewall filter can cause incorrect firewall filter evaluation. [PR/493356]

High Availability

• The primary Routing Engine might lose CM/CP information if it looses connectivity with the redundant Routing Engine (i.e. through disabling GRES or halting/rebooting the redundant Routing Engine). This can cause small packet drop on multicast traffic upon a multicast distribution tree change. [PR/278882]
• When a static route created using the passive retain option is pointing to a private interface such as fxp0, the backup router during a GRES might not behave as expected. As a workaround, do not use the passive retain option to create a static route to a private interface. [PR/412746]
• When a Routing Engine switchover occurs at the same time that FRUs are reconnecting to the Routing Engine, kernel panic may occur. [PR/419966]
• On a TX Matrix router that has an aggregate sonet (AS) or container interfaces (CI) configured, the AS won't come up after an ISSU. All traffic passing through AS will be lost after ISSU. As a workaround, restart the interface or activate/deactivate the AS/CI after ISSU. [PR/446984]

Interfaces and Chassis

• On aggregated SONET/SDH interfaces, the counter for drops and errors in the show interfaces command output does not display the correct value, because the counter does not collect data from the constituent interfaces within the aggregate. [PR/23577]
• On a 2-port OC12 ATM2 IQ interface, the total virtual path (VP) downtime might not display correctly in the show interfaces command output. [PR/27128]
• On M20 and M40 routers, when a physical layer problem affects a SONET/SDH interface, carrier transition statistics might not increment correctly in the output of the show interfaces extensive command. [PR/33325]
• When you configure both the bundle link and constituent links at the [edit (logical-routers logical-router-name | logical-systems logical-system-name) interfaces] hierarchy level, the constituent links do not come up. As a workaround, configure the constituent links at the [edit interfaces] hierarchy level. [PR/35578]
• On the Channelized STM-1 with QPP PIC, error monitoring for CRC and frame errors might not work as expected. [PR/39440]
• When you apply an IPsec firewall filter to match traffic sent across a generic routing encapsulation (GRE) tunnel and originating from the local routing platform, the local traffic is dropped. Transient traffic is not affected. [PR/44871]
• If you configure IS-IS, MPLS, and graceful Routing Engine switchover (GRES) and a switchover event occurs, the routing platform might end the PPP IP Control Protocol (IPCP) sessions and renegotiate them if the remote side has changed interface MTU settings prior to the switchover event. [PR/61121]
• If you configure graceful Routing Engine switchover and issue the request chassis routing-engine master acquire command, in rare cases the master Routing Engine might fail to relinquish mastership, or the switchover to the backup Routing Engine might take up to 360 seconds. [PR/61821]
• For Automatic Protection Switching (APS) on SONET/SDH interfaces, there are no operational mode commands that display the presence of APS mode mismatches. An APS mode mismatch occurs when one side is configured to use bidirectional mode, and the other side is configured to use unidirectional mode. [PR/65800]
• When the ATM scheduler map is configured, the code does not check if the early packet discard (EPD) configured on the forwarding class exceeds the maximum EPD that the hardware supports. [PR/70336]
• The output of the show interfaces diagnostics optics command includes the "Laser rx power low alarm" field even if the transceiver is a type (such as XENPAK) that does not support this alarm. [PR/103444]
• Hot swapping the M120 router fan tray might cause the Check CB alarm to activate. [PR/268735]
• On the JCS 1200, when you issue the clear -config -T switch[1] command using the management module, the switch module returns to its factory default setting instead of the Juniper Networks default setting. As a workaround, do not issue the command. [PR/274399]
• When the ilmi statement is included at the [edit interfaces interface-name atm-options] hierarchy level and than a graceful Routing Engine switchover (GRES) or unified in-service software upgrade (ISSU) event occurs, the show ilmi command no longer returns any output even though ILMI is configured on the interface. [PR/282051]
• On a router with Frame Relay multilink configured on an MS400 PIC or on a Channelized DS3 PIC, when the minimum links value for the Frame Relay interface is set to 8 and a link is deactivated from the configuration, the link remains up. [PR/285244]
• On the Juniper Control System (JCS) platform, the control and management traffic for all Routing Engines share the same physical link on the same switch module. In rare cases, the physical link might become oversubscribed, causing the management connection to Protected System Domains (PSDs) to be dropped. [PR/293126]
• On a Protected System Domain (PSD) configured with a large number of BGP peers and routes (for example, 5000 peers and a million routes), FPCs might restart during a graceful Routing Engine switchover. [PR/295464]
• When two routers are connected via SONET/SDH interfaces that are configured as container interfaces and the Routing Engine on one router reboots, the container interfaces on the other router might go down and come up again. [PR/302757]
• When forwarding-options is configured without route accounting, a commit will be successful but will display the following error message: “Could not retrieve the route-accounting.” This message does not affect any functionality. [PR/312933]
• On MX-series routers, MAC address accounting in the egress direction might not work if traffic is unidirectional and no traffic flows in the reverse direction for a duration longer than the aging interval. [PR/415146]
• Under some conditions, if an interface flaps for an interval less than the hold-down time value configured, the interface might stop forwarding even though it appears as UP. As a workaround, monitor traffic on the interface or disable and then enable the interface. {PR/423065]
• When a backup Routing Engine is replaced after a graceful Routing Engine switchover (GRES), the device control process (dcd) generates a new link local address on non-MAC interfaces (such as SONET). [PR/429078]
• When the show interfaces extensive command is used, some interfaces may not display the correct value for the Oversized Frames counter. [PR/437176]
• When you configure the payload port-data statement at the [edit family mpls hash-key] hierarchy level on M120, MX, or M320 routers with E3 FPCs, the hashing algorithm might not take the port-data values into account. [PR/442223]
• When configured for WAN-PHY framing, the ports on the 4-port 10-Gigabit Ethernet PIC always report zero for path level errors (BIP-B3) in the output of the show interfaces extensive command. [PR/447653]
• The primary routing engine might fail to connect with the backup routing engine due to an autonegotiation issue with an em1 interface. [PR/461469]
• Certain Gigabit Ethernet SFPs on MX-series routers may periodically show the wrong diagnostic information even though they are operating correctly. [PR/463837]
• The APS process is fixed to handle the SONET defects when it is in the middle of switching over correctly. [PR/466649]
• On an M320 router, the Channelized OC12/STM4 Enhanced IQ PIC supports 2 ports (0 and 2) when configured for eight queues per port. [PR/475008]
• In some cases during periodic error statistics monitoring, you might see error messages on adjacent streams. These messages are cosmetic and can be ignored. [PR/481344]
• Under certain circumstances, the E3 IQ PIC might give incorrect CCV, CES, and CSES alarms. [PR/505921]

Layer 2 Ethernet Services

• Multicast packets received on an AE interface that is part of an IRB will be counted twice, once for the bridged packet and a second time for the routed packet. [PR/461923]
• When inserting a DPC into the chassis, the chassid log might display an incorrect error message: "FPC X temperature is -60 degrees C, which is outside operating range." This message does not impact any functionality. [PR/470512]

MPLS Applications

• The output of the show mpls lsp route and the show mpls lsp extensive 'Active Route' counter is incorrect when per-packet load balancing is configured. [PR/22376]
• If a cross-connected circuit (CCC) traverses a forwarding-adjacency label-switched path (LSP), traffic forwarding might be affected. [PR/60088]
• When you modify the primary path for an MPLS LSP by using the delete protocols mpls label-switched-path lsp-path-name primary path-name command in configuration mode, followed by the set protocols mpls label-switched-path lsp-path-name primary path-name command, and then commit, the entire LSP (both primary and secondary) is torn down and then rebuilt from scratch. As a workaround, issue the delete protocols mpls label-switched-path lsp-path-name primary path-name command in configuration mode followed by the commit. Then issue the set protocols mpls label-switched-path lsp-path-name primary path-name command followed by the commit. [PR/62365]
• When you enable per-packet load balancing on parallel label-switched paths (LSPs), the output of the show mpls lsp ingress command might display all the routes on only one of the LSPs even when traffic is evenly balanced across the LSP. [PR/70487]
• No p2mp LSPs are reported with the show mpls lsp p2mp command. As a workaround enter the show mpls lsp command before you enter the show mpls lsp p2mp.[PR/266343]
• For point-to-multipoint LSPs configured for VPLS, the ping mpls command reports 100 percent packet loss even though the VPLS connection is active. [PR/287990]
• P2MP LSP branches undergoing make-before-break perform double bandwidth reservation on the same link while rerouting. [PR/454692]
• A race condition between MVPN and RSVP p2mp signaling can lead to the creation of stale flood next hops. [PR/491586]

Network Management

• tcpdump might crash when receiving malformed IPv6 packets. This has no impact on actual traffic. [PR/399073]
• After changes are made to the firewall, and the counters are cleared and commited, SNMP sends the wrong value for 5 seconds. This creates a discrepancy between the CLI output and the get snmp output. [PR/459583]
• The SNMP MIB on jnxFWCounterDisplayName might miss certain policer counters of firewall filters applied with respect to IFL. [PR/485477]

Platform and Infrastructure

• If a tunnel destination is in a VPN, with GRE encapsulation the traffic might get black-holed due to a lookup in the wrong forwarding table. [PR/45035]
• On T-series platforms, a Layer 2 maximum transmission unit (MTU) check is not supported for MPLS packets exiting the routing platform. [PR/46238]
• When you configure a source class usage (SCU) name with an integer (for example, 100) and use this source class as a firewall filter match condition, the class identifier might be misinterpreted as an integer, which might cause the filter to disregard the match. [PR/50247]
• If you configure 11 or more logical interfaces in a single VPLS instance, VPLS statistics might not be reported correctly. [PR/65496]
• When a large number of kernel system log messages are generated, the log information might become garbled and the severity level could change. This behavior has no operational impact. [PR/71427]
• When a Link Services (LS) interface to a CE router appears in the VPN routing and forwarding table (VRF table) and fragmentation is required, Internet Control Message Protocol (ICMP) cannot be forwarded out of the LS interface from a remote PE router that is in the VRF table. As a workaround, include the vrf-table-label statement in the configuration. [PR/75361]
• On T-series routing platforms, the commit operation succeeds when you include the no-labels statement at the [edit forwarding-options hash-key family mpls] hierarchy level, but MPLS labels are still included in the hash key. [PR/80334]
• Traceroute does not work when ICMP tunneling is configured. [PR/94310]
• When the configuration present in 'init.conf' includes values in a nonstandard order, the init parser returns a syntax error. [PR/94576]
• If you ping a nonexistent IPv6 address that belongs to the same subnet as an existing point-to-point link, the packet loops between the two point-to-point interfaces until the time-to-live expires. [PR/94954]
• On T-series and M320 routers, multicast traffic with the "do not fragment" bit set is being dropped due to a low MTU value. The router might stop forwarding all traffic transiting this interface if the clear pim join command is executed. [PR/95272]
• A firewall filter that matches the forwarding class of incoming packets (that is, includes the forwarding-class statement at the [edit firewall filter filter-name term term-name from] hierarchy level) might incorrectly discard traffic destined for the Routing Engine. Transit traffic is handled correctly. [PR/97722]
• The JUNOS software does not support dynamic ARP resolution on Ethernet interfaces that are designated for port mirroring. This causes the Packet Forwarding Engine to drop mirrored packets. As a workaround, configure the next-hop address as a static ARP entry by including the arp ip-address statement at the [edit interfaces interface-name] hierarchy level. [PR/237107]
• Currently, the JUNOS cannot build an outbound serial connections through the AUX port. [PR/256818]
• When Periodic Packet Management (PPM) delegation for Bidirectional Forwarding Detection (BFD) sessions is disabled (the delegate-processing statement is removed at the [edit routing-options ppm] hierarchy level), the BFD sessions might be terminated (because a "state is down" message is sent) and reestablished. [PR/280233]
• When you perform an in-service software upgrade (ISSU) on a routing platform with an FPC3 or an Enhanced FPC3 with 256 MB of memory and the number of routes in the routing table exceeds 750,000, route loss might occur. If route loss occurs, as a workaround, perform either of the following tasks: (a) replace the FPC3 or Enhanced FPC3 with another FPC that has more memory, or (b) after the ISSU is complete, reboot only the FPC3 or Enhanced FPC3. [PR/282146]
• For Routing Engines rated at 850 MHz (which appear as RE-850 in the output from the show chassis hardware command), messages like the following might be written to the system log when you insert a PC Card: “bad Vcc request” and “Device does not support APM.” Despite the messages, operations that involve the PC Card work properly. [PR/293301]

• On a Protected System Domain, under the following conditions an FPC might generate a core file and stop operating:

  • A firewall policer with a large number of counters (for example, 20,000) is applied to a shared uplink interface.
  • The FPC that houses the interface does not have a sufficiently powerful CPU
  As a workaround, reduce the number of counters or install a more powerful FPC. [PR/311906]
• When a CFEB failover occurs on an M10i or M7i router that has 4000 or more IFLs, the following message will display:

  IFRT: 'IFD ioctl' (opcode 10) failed
  ifd 153; does not exist
  IFRT: 'IFD Ether autonegotiation config' (opcode 163) failed

  The message has no operational impact. When the backup CFEB becomes the active CFEB, the message will not display. [PR/400774]

• For tunnel PICs, the following messages may display in /var/log/messages: /kernel: if_tunnel_cookie_remove no callback!!! This message is harmless and not valid. [PR/422715]
• On M320, M120, T-series, and MX-series routers, a traceroute egressing an LSP, configured for explicit-null and no-decrement-ttl or no-propagate-ttl, might not show the transit IP hop router immediately after the LSP egress router. [PR/438735]
• If the subinterface on an aggregate interface goes down, the GRE traffic egressing that interface might not use the backup subinterface. This will result in GRE traffic being dropped. [PR/454751]
• An overloaded strict-high priority queue might result in loss of high-priority traffic. [PR/455152]
• DHCP-related configurations (such as delete bootp server address) under some rare conditions might generate an FUD core. [PR/458132]
• On T640 routers, an interface might report LSIF errors/ Cell mismatched errors after it receives an IPv6 packet that has an invalid payload. The interface still accepts traffic, but discards all outgoing packets. To recover, reboot the FPC on T640 and TX-series router. If the IPv6 packets invalid payload are still transmitted, the problem will occur again. [PR/470219]
• When an aggregated SONET interface is configured with cisco-hdlc encapsulation, a member link may not be marked link down if remote end of the link is disabled. [PR/472677]
• Payload corruption and packet drops might occur for packets bigger than 3000 bytes when MPLS over GRE is configured on a service PIC. [PR/478563]
• If a duplicate IPv6 address has been configured, every icmp6 packet received ( icmp request, icmp neighbor solicitation, or icmp neighbor advertisement ) will trigger an mbuf leak. Such a duplicate address configuration might not get noticed at the VRRP backup router, which is not used for data forwarding. Correcting the configuration and deactivating/activating the interface will stop the mbuf leak. [PR/481071]
• Statistics might be updated twice, which causes an inconsistency between ifd and ifl stats. [PR/486200]
• Swapping out eight FPCs and replacing them with a different FPC types, might cause the kernel to crash when the last FPC is powered on. [PR/502075]

Routing Protocols

• When you configure damping globally and use the import policy to prevent damping for specific routes, and a new route is received from a peer with the local interface address as the next hop, the route is added to the routing table with default damping parameters, even though the import policy has a nondefault setting. As a result, damping settings do not change appropriately when the route attributes change. [PR/51975]
• If a BGP group is created without any defined peers, a warning message no longer appears when the configuration is committed. [PR/63279]
• When you issue the show ldp traffic-statistics command, the following system log message might be generated for all forwarding equivalence classes (FECs) with an ingress counter set to zero: "send rnhstats GET: error: ENOENT -- Item not found." [PR/67647]
• If ICMP tunneling is enabled on the router and you configure a new logical system that does not have ICMP tunneling enabled, the feature is globally disabled. [PR/81884]
• When the flow of multicast traffic changes because an OSPFv3 link goes down, the output from the show multicast statistics inet6 command reports incorrect values in the In kbytes and In packets fields for the new ingress interface. [PR/234969]
• When you commit a new configuration for nonstop routing (NSR) on a primary Routing Engine that differs from the configuration for NSR that is already running on the backup Routing Engine, the routing protocol process stops functioning on the backup Routing Engine only. Traffic forwarding is not affected. [PR/254379]
• RPD may restart if PIM is configured to run on unnumbered interfaces. [PR/295319]
• On routers running OSPF and advertising LSA for a DC-incapable neighbor, the RPD might crash when the LSA is purged. [PR/406276].
• OSPF and IS-IS differ in how they handle the addition of a better internal or external route (smaller IGP metric) into the protocol internal routing table. IS-IS flushes all next-hop information (including LSP next hops) when learning a better prefix, despite equal cost LSP tunnels, whereas OSPF does not. However, this does not cause any issues with respect to load balancing. [PR/408702]
• The "Keepalive timeout" counter for multicast sessions is not displayed after the PIM protocol is deactivated and activated. This is a cosmetic issue and there is no interruption to multicast traffic flow, even though the "Keepalive timeout" counter is not displayed after the PIM protocol is activated. [PR/419509]
• Setting the advertise-high-metric option when using IS-IS overload also suppresses route leaking. [PR/419624]
• In a router with VPNs configured, modifying or adding to the configuration could reset the 'age' of the secondary routes to 0. For example, secondary routes are BGP routes in the .inet.0 table that are learned from the remote PE routers through BGP and imported into this table. Although the age is reset, these routes downloaded again to PFEs and there is no impact to traffic forwarding. [PR/447802]
• The rpd sporadically dumps the core due to a soft assertion failure. [PR/451021]
• All local generated type 5 LSAs will be purged and regenerated when an NSSA area is deleted from an ABR. [PR/457579]
• The RPD might crash, which causes BGP sessions to flap. [PR/465624]
• When an FPC reboots or an interface is temporarily deactivated, two RPD_PIM_NBRDOWN messages are logged for every PIM neighbor affected; however, only one RPD_PIM_NBRUP message is logged when the service is restored. This might lead to inconsistencies in management software. [PR/472873]
• When PIM is configured on an interface, it might not process interface mismatch. This causes mpvn c-multicast traffic to be duplicated. As a workaround, configure PIM under the main instance. [PR/481476]
• When PIM is configured on an interface, the router can send the first PIM hello shortly before the interface comes up. This causes the router to drop the first outgoing PIM hello message. [PR/482903]
• During transient periods where both the secondary and primary LSPs exist in the route table and the number of LSP next hops is greater than 16 in a multigateway scenario, IS-IS is unaware of the preference. Because of this, it might remove the preferred LSP next hop. [PR/485748]

Services Applications

• The show services accounting flow-detail extensive command sometimes displays incorrect information about input and output interfaces. [PR/40446]
• On Adaptive Services PICs configured for IPsec tunnel redundancy, if there are a large number of tunnels, sometimes a few of the tunnels might switch over to the backup tunnel. [PR/46733]
• When a routing platform is configured for graceful Routing Engine switchover and Adaptive Services (AS) PIC redundancy, and a switchover to the backup Routing Engine occurs, the redundant services interface (rsp-) always activates the primary services interface (sp-), even if the secondary interface was active before the switchover. [PR/59070]
• For Adaptive Services II PICs, even if you do not configure flow collector services, a temporary file might be created every 15 minutes in the /var/log/flowc/ directory. The file is deleted if there are no clients, and re-created only when a client connects and attempts to write to the file. [PR/75515]
• When the PGCP configuration contains values for RTCP traffic management for sustained-data-rate or peak-data-rate (at the [edit pgcp gateway gateway-name h248-properties traffic-management sustained-data-rate rtcp] hierarchy level), SIP calls may fail with error code 500 (Internal Server Error). The default values of the RTCP SDR and PDR are 5% of RTP's SDR and PDR. If the configuration overrides these values and sets RTCP's SDR to be higher than the PDR, media gates for calls will not be created, and the call is rejected with error code 500. [PR/400618]
• When you configure L2TP with link fragmentation and interleaving (LFI), the MultiServices PIC drops a significant number of MLPPP fragments. [PR/401247]
• With E-CFEB on M7i and M10i routers, when a firewall filter is configured with an action of sampling and then applied to the filter to the interface, all the packets received on the PIC are corrupt and packets are dropped. [{R408802]
• When you configure overload control for the BGF, you must set the reject-new-calls-threshold to a value greater than the queue-limit-percentage, and you must set the reject-all-commands-threshold to a value greater than the reject-new-calls-threshold. If you do not set these values correctly, the software resets the values so that they conform to these rules. To view the actual values enforced by the system, use the show pgcp active-configuration command. [{R415614]
• On a services interface, the mlppp reassembly logic will not do a strict out-of-order check. In a multi-CPU packet handling environment, packets could be processed before the first packet. [PR/430296]
• The clear services stateful-firewall flows command can cause the MSDPC to fail. This command should be avoided. There is no workaround. [PR/472386]
• A static route pointing to destination is incorrectly added for source NAT when a next-hop style service set is used. [PR/476165]
• The show services nat pool pool-name command does not work. [PR/493820]
• When you configure different autonomous-system-types (origin and peer ) toward two v5 servers, the router incorrectly counts the origin as the autonomous system type for both flow servers. [PR/496954]

Subscriber Access Management

• RADIUS subscribers with framed-protocol attributes on the server will fail to authenticate. [PR/424323]
• Wimax testing with SBR must be done with transposable IP for HA. Otherwise, FA-HA authentication will fail with return code 132. [PR/431969]
• When the Acct-Interim-Interval attribute is sent from RADIUS and the value is set to 600 seconds, the MX-serues router starts sending duplicate records every 2 seconds instead of every 600 seconds. [PR/448456]
• The router always uses the revert-interval value that is configured at the [edit access] hierarchy level, and ignores any revert-interval valueconfigured at the [edit access profile] hierarchy level. If no value is configured, the router uses the default value of 600 seconds. [PR/454040]
• RADIUS authentication must be configured in order to use RADIUS accounting. [PR/488627]

User Interface and Configuration

• Setting allow-commands show interfaces $will disable the use of the show interface command. [PR/55413]
• The router will not give a warning if the same UID is configured for multiple users. [PR/55774]
• The router will allow without warning the deletion of configuration groups with the allow-configuration and deny-configuration statements. [PR/59187]
• Performance is considerably slower for users who have permissions controlled by Juniper-Allow-Cmmands and/or Juniper-Deny-Commands expressions and have complex regular expressions configured under these same commands. To help avoid this problem, define the expressions in the allow-configuration and deny-configuration commands in a restrictive manner. [PR/63248]
• When the get-configuration or load-configuration commands are run via JUNOScript, these events are not recorded in the syslog. [PR/64544]
• On M20 routers, after a Routing Engine mastership switchover, it might not be possible to enter CLI configuration mode on the new master Routing Engine. Also, the request system reboot and request system halt commands do not clearly fail but do not return the CLI prompt either. [PR/64899]
• JUNOScript does not support the configuration-text statement. [PR/82004]
• The logical system administrator can modify and delete master administrator-only configurations by performing local operations such as issuing the load override, load replace, and load update commands. [PR/238991]
• The “'replace:” tag is missing from the output when entering the save terminal command from inside a configuration object. [PR/269736]
• The primary Routing Engine validates the configuration. During commit synchronize, the backup Routing Engine will not validate the configuration as it was already validated by primary Routing Engine. [PR/282896]
• A user belonging to a login class with limited rights to modify a specific firewall filter cannot use the insert command to reorder firewall terms. [PR/310872]
• Users with superuser privileges will sometimes have their access restricted to view permission only when they log in through TACACS. [PR/388053]
• Double logging does not occur during load upate and commit (load update occurs on backup Routing Engine). [PR/395716]
• On the TX Matrix routing platform, automatic rollback might not work as expected on the backup Routing Engine. [PR/425617]
• Using the filter config-text in the get-config command results in a syntax error and the router configuration cannot be returned in ASCII format. [PR/430799]
• Help page Information is not available for the Monitor->Alarms page. [PR/437377]
• Core files cannot be deleted when logged in with superuser access privileges unless the Routing Engine name is included in the path. Core files can, however, be deleted when logged in as root without specifying the Routing Engine name. [PR/469168]
• When commit scripts are used and the configuration contains a policy that uses an apply-group with a then action of “then community + EXPORT”', the commit fails. [PR/501876]
• The load replace command does not consider the allow-configuration configuration.

VPNs

• When you modify the frame-relay-tcc statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level of a Layer 2 VPN, the connection for the second logical interface might not come up. As a workaround, restart the chassis process (chassisd) or reboot the router. [PR/32763]
• Traffic might not flow when an ATM interface is used as the access circuit on an M120 router. [PR/255160]
• For a VRF instance configured for PIM, MVPN, and provider tunnels (the pim and mvpn statements are included at the [edit routing-instances vpn-name protocols] hierarchy level and the provider-tunnel statement is included at the [edit routing-instances vpn-name] hierarchy level), when PIM is deactivated and reactivated, it fails to install type-5 (source-active) routes in the instance-name.mvpn.0 routing table. This issue arises only when remote C-multicast joins are configured on the ingress PE router (as displayed by the show mvpn c-multicast command). [PR/306983]
• When you configure inter-AS VPLS with MAC processing at the autonomous system (AS) boundary router along with multihoming, and if a designated forwarding AS boundary router fails and then comes back up again, traffic flowing to the local AS from the other AS’s boundary router might be lost. The loss occurs in the time period (tenths of a second) during which the old designated forwarding AS boundary router is taking back the role of designated forwarder. [PR/312730]
• Under certain circumstances, if BGP is configured as the PE router to CE router protocol in a Layer 3 VPN routing instance, renaming the routing instance can cause the PE router to CE router session to stay down. [PR/399275]
• In Layer 2 CCC scenarios where the packet size is less than 64 bytes, the packets may be erroneously padded when forwarded through an Ethernet uplink. As a result, the packet sizes arriving at the remote end will not correspond to the originally sent packet sizes. [PR/420037]
• On a BGP L3VPN PE router, with a combination of (1) label-per-next-hop in the VRFs, (2) configuration of the same IP addresses in different VRFs (3), need for an indirect next-hops within the VRFs, then label routes with an indirect next-nop might be created incorrectly in the master instance table "mpls.0." [PR/436404]
• On MX-series, M120. and EIII FPCs on M320 routers, the ISO/Connectionless Network Service (CLNS) packets over the translational cross-connect (TCC) are dropped in the case of Frame Relay, even though the family TCC has been configured to switch family iso on the Frame Relay interface. [PR/462052]
• When different prefixes are advertised to the same source by different PE routers, an egress PE router can’t pick the lower prefix route for RPF when the PR advertising the higher prefix loses its route to the source. [PR/493835]

Resolved Issues in JUNOS Release 9.5 for M-series, MX-series, and T-series Routers

Class of Service

• When you configure a specific classifier for a logical unit, it does not override the fixed classifier configured using wildcards. [PR/68888]

Interfaces and Chassis

• If you ping a nonexistent IPv6 address that belongs to the same subnet as an existing point-to-point link, the packet loops between the two point-to-point interfaces until the time-to-live expires. [PR/94954]
• Bandwidth on any IFL configured on an IFD should always be less than or equal to that of the speed on the respective IFD. This fix addresses the issue only on ether devices. If bandwidth is not configured on the IFl, it will be set to the speed of the IFD. [PR/426469]
• On an MX960 with a significant number of DPCs, even if unconfigured (more than 8), the output of the show interface extensive command can be very slow if SCU/DCU is configured for some units. [PR/449034]

Layer 2 Ethernet Services

• The show dhcp binding interface interace-name command does not work properly when an MX-series Router is configured as a DHCP server.

MPLS Applications

• If you configure a label-switched path (LSP) with the no-cspf statement at the [edit protocols mpls] hierarchy level, the LSP might cycle up and down several times before stabilizing. [PR/10415]
• On M-series routers, if you disable and then enable IPv6 on an interface, routing on that interface will no longer work. [PR/459781]

Platforms and Infrastructure

• On a Monitoring Services III PIC configured as a dynamic flow capture (DFC) interface (dfc-fpc/pic/port), when you configure the DFC interface as the next hop in a forwarding path, port-mirrored packets might become corrupted. [PR/60799]
• On M320 and T-series routing platforms, a process monitors FPCs while they transition to an online state. If an FPC is busy and cannot complete the transition within the time limit, the process might time out and prevent the FPC from coming online. [PR/72364]
• On the Routing Engine on the line-card chassis of the TX Matrix router, sometimes the reboot will fail due to an incorrect ntp query. [PR/450217]
• If you configure a lot of vrf prefixes with the l3vpn-composite-nexthop statement and a lot of link flaps occur, the jtree might become corrupted. This corruption triggers traffic black-holing. Other symptoms of this include the router sending VPN MPLS traffic with stale MPLS label information or running out of Layer 2 descriptors many flaps. [PR/468584]
• An FPC may stop forwarding traffic when an aggregate interface flaps and the router is using per-prefix load balancing (default configuration) for some prefixes. For this issue to occur the aggregate interface must flap. The more likely scenario can occur when aggregate interface is configured with just a single link (that flaps) AND per-prefix load balancing is used. This issue can be avoided by using a load-balancing per-packet policy for all prefixes (per-flow load balancing) and/or not having aggregate interfaces flap. The most likely aggregate interface to flap is one with a single member link. [PR/477326]

Routing Protocols

• The CLI allows you to commit a configuration that specifies a value higher than 32 for the metric statement at the [edit protocols dvmrp interface all] hierarchy level; however, values higher than 32 are invalid. [PR/33429]
• If a router receives a Pragmatic General Multicast (PGM) Source Path Message (SPM), it does not create a forwarding cache, nor does it forward the message to other routers as a heartbeat, as specified in RFC 3208. Also, the router’s multicast cache might time out if it does not receive actual PGM data (ODATA) for more than 6 minutes. As a workaround, configure the PGM source application to send PGM ODATA at least once every 6 minutes. The ODATA acts as the heartbeat message in lieu of the SPM messages and ensures that the multicast and forwarding caches are created and updated. [PR/37504]
• When you configure the l3vpn-composite-nexthop statement at the [edit routing-options] hierarchy level and issue the commit command, the BGP session is immediately restarted. [PR/292173]
• When the state for an IGMP group is exclude and the source list is non-empty, the traffic for the excluded sources will still be received and sent as if it were in the exclude state. [PR/422190]
• The router might crash if a nonexistent table is referenced when using the rib-groups statement. [PR/467332]
• If a reject route is present for the address of a Multicast Source Discovery Protocol (MSDP) SA originator, the routing protocol process (RPD) might crash. [PR/469142]
• When a dampened route is restored, the accepted counter for the peer in the show bgp summary command output is not shown. [PR/473567]
• Sometimes the closing tag for route-family is missing in the output of the show multicast route extensive | display xml statement.

Services Applications

• Application layer gateways (ALGs) might cause memory corruption when certain flows in the session are closed ahead of the main initiator flow. [PR/475436]
• When a standard application is specified at the [edit security idp idp-policy policy-name rulebase-ips rule-name match application] hierarchy. IDP doesn't detect the attack on the non-standard port (for example, junos:ftp on port 85). Whether it is a custom or predefined application, the application name does not matter. IDP simply looks at the protocol/port from the application definition. Only when traffic matches the protocol/port, then IDP tries to match/detect against the attached attack. [PR/477747]

Subscriber Access Management

• When dynamic IP address assignment is configured, if there is only one address left in the address allocation pool and an attempt to authenticate with a service fails (because, for example, the authentication request specifies an invalid service name), a subsequent authentication attempt for the service also fails. The following messages might appear in the log for the authentication process (authd): "assigned address address in use, trying next available" and "Unable to assign an address." [PR/305516]

User Interface and Configuration

• The message from jcs:syslog() is visible after the rest of the system log. [PR/449778]
• The J-Web interface will not display the USB option under Maintain->Reboot->Reboot from Media. [PR/464774]

Previous Releases

Resolved Issues for JUNOS Release 9.5R3

Class of Service

• In the cosd logs for JUNOS Release 9.4R1, "entries" is misspelled as "enteries." [PR/439993]
• When an Intelligent Queuing PIC is taken offline and back online again, the chassis scheduler map might change to [95,0,0,5]. As a workaround, deactivate the chassis scheduler map before taking the PIC offline and then activate the chassis scheduler map after the PIC comes online. [PR/444543]
• When a classifier is applied on a services PIC logical interface, a commit warning is issued stating that the classifier is not supported on this interface. [PR/448913]

Forwarding and Sampling

• On M320 and T-series routing platforms, when you configure interface output sampling, packets sometimes might travel through the output firewall. As a workaround, configure a firewall filter on the output interface with then sample and then next-term statements. The workaround provides the same functionality as the other configuration, but avoids the problem behavior. [PR/70473]
• On T-series routers, if an ingress firewall is configured to drop all incoming multicast packets, the discarded multicast packets are sent to the Routing Engine incorrectly. This causes a high utilization of the CPU (50%) on the FPC. [PR/239268]
• When configuring a routing instance in a firewall filter, the router will give the warning message “Warning: statement ignored: unsupported platform.” [PR/421765]
• Upon changing policers on an aggregated Ethernet interface, the DPC might reboot. [PR/431635]

High Availability

• When you issue the show chassis ethernet-switch statistics command on a routing platform with graceful Routing Engine (GRES) switchover enabled, the two Routing Engines might be unable to exchange information for about 2 seconds. [PR/233779]

Interfaces and Chassis

• On the Channelized STM-1 with QPP PIC, error monitoring for CRC and Frame Errors might not work as expected. [PR/39440]
• When you configure ILMI on an ATM interface (include the ilmi statement at the [edit interfaces interface-name atm-options] hierarchy level) and a graceful Routing Engine switchover (GRES) or unified in-service software upgrade (ISSU) event occurs, the show ilmi command no longer returns any output. [PR/282051]
• On a router with Frame Relay multilink configured on a MultiServices 400 PIC or on a Channelized DS3 PIC, when the minimum links value for the Frame Relay interface is set to 8 and a link is deactivated from the configuration, the link remains up. [PR/285244]
• The XML output is not correct when the VRRP track interface is configured. [PR/414734]
• Under some conditions, if an interface flaps for an interval less than the hold down time value configured, an interface might stop forwarding even though it shows as being UP. As a workaround, enable traffic monitoring on the interface or enable and disable the interface. [PR/423065]
• Upon changing policers on a Aggregate Ethernet interface, the DPC might reboot. [PR/431635]
• For some interfaces, when configured with the WAN-PHY framing mode, the monitor interface command might be missing some counters.. [PR/435775]
• Too many ATM2 error interrupts might cause the FPC to panic. [PR/438073]
• When you configure the payload port-data statement at the [edit family mpls hash-key] hierarchy level on M120, MX-series, or M320 platforms with E3 FPCs, the hashing algorithm might not take the port-data values into account. [PR/442223]
• On M-series routers, BGP sessions flap when any configuration (even irrelevant) change happens. As a workaround, make the difference between the configured MRRU and MTU to be greater than eight. [PR/442688]
• If VRRP tracks a cloned route then the cloned route will always be treated as down. The reason is that the unicast cloned routes not added to the routing table. [PR/446408]

Layer 2 Ethernet Services

• When you configure graceful Routing Engine switchover (GRES) on MX-series routers, the Switch Interface Board (SIB) might not initialize if you reboot both Routing Engines simultaneously or reboot a router with only one Routing Engine installed. [PR/408359]

MPLS Applications

• When you modify the primary path for an MPLS LSP by using the delete protocols mpls label-switched-path lsp-path-name primary path-name command in configuration mode, followed by the set protocols mpls label-switched-path lsp-path-name primary path-name command, and then issue the commit command, the entire LSP (both primary and secondary) is torn down and then rebuilt from scratch. As a workaround, issue the delete protocols mpls label-switched-path lsp-path-name primary path-name command in configuration mode followed by the commit command. Then issue the set protocols mpls label-switched-path lsp-path-name primary path-name command followed by the commit command. [PR/62365]
• When there are more than five link-protected or node-link-protected LSPs to the same destination and per-packet load balancing is enabled, some bypass next hops might not be part of the active route. This can occur after a primary link goes down and comes back up. [PR/259219]
• The mplsResourceTunnelTable reports bandwidth in bps instead of kbps. [PR/432716]
• MPLS LSP auto-bandwidth adjustment may stop working while RSVP signals for the path; either optimization is initiated or the LSP goes down. [PR/438157]

Network Management

• When the SNMP get response is larger than 9 KB, a "Message too long" log is reported but no SNMP gets a response failure with a code "tooBig" sent back to the source. [PR/389559]
• tcpdump might report a max-response-time within IGMP in seconds while it is presenting units of 1/10th of a second. [PR/424618]

Platform and Infrastructure

• On T-series routing platforms, the commit operation succeeds when you include the no-labels statement at the [edit forwarding-options hash-key family mpls] hierarchy level, but MPLS labels are still included in the hash key. [PR/80334]
• After an ISSU software upgrade on the MX-series router, you might see a kernel database replication error, ISSU prepare timeout, and a core dump. These problems might be due to issues with allocated schedulers after the ISSU. This issue is seen only with Gigabit Ethernet Enhanced Queuing IP Services DPCs. [PR/427694]

Routing Protocols

• If a BGP group is created but without any defined peers, a warning message appears when the configuration is committed. [PR/63279]
• Reverse OIF mappings are lost when you add or delete an interface set of multicast VLANs when subscriber VLANs are active. [PR/423376]
• When reverse OIF mapping enabled is configured on multicast VLAN interfaces, reverse OIF mappings to DHCP subscriber interfaces are lost if the routing protocol process gracefully restarts. [PR/438930]
• When the l3vpn-composite-nexthop statement and the multipath vpn-unequal-cost statement at the [edit routing-options] hierarchy, are configured together, the routing process may crash during the multipath calculation for destinations that contain both composite and non-composite eligible paths. [PR/448745]

Services Applications

• The output of the show services nat pool command displays duplicate entries for a single Network Address Translation (NAT) pool. [PR/34678]

Subscriber Access Management

• Incorrect reverse OIF mappings can be created when a multicast VLAN interface with reverse-OIF mapping enabled receives a join request from a DHCP subscriber and both of the following are true: A valid route to the subscriber is not present and another route's subnet mask overlaps the address of the subscriber interface. [PR/416774]
• On MX routers, Wimax testing with SBR must be done with Non-Transposable IP for high availability (HA). Otherwise FA-HA authentication will fail with return code 132. [PR/431969]

VPNs

• On a BGP Layer 3 VPN provider edge router with a combination of (1) label per next hop in the VRFs, (2) configuration of the same IP addresses in different VRFs, and (3) a need for an indirect next-hops within the VRFs, then label routes with indirect next hop, may be created incorrectly in the master instance table "mpls.0." [PR/436404]
• After the ingress PE router for an NG MVPN instance performs a GRES event, the egress PE routers could fail to install a new forwarding state for the multicast traffic. Clearing the BGP session on the ingress router can restore traffic to all egress routers. [PR/441392]
• The VPLS instance on the MX960 router does not learn the remote CE MAC address after issuing the clear vpls mac-address command. [PR/476020]

Resolved Issues for JUNOS Release 9.5R2

Class of Service

• In JUNOS Release 8.4 and later, the commit or commit check operation fails if a rewrite rule is defined both at the [edit class-of-service interfaces interface-name unit logical-unit-number rewrite-rules] hierarchy level and in a configuration group (defined at the [edit groups] hierarchy level) that is applied to that interface. The correct behavior is for the directly applied rule to override the rule inherited from the configuration group. [PR/261229: This issue has been resolved.]
• When you set the port speed of a Multi-Rate SONET Type 2 PIC to OC3, it does not correctly change the CoS speed value within the Packet Forwarding Engine. The speed value remains OC12, which results in unexpected CoS behavior. There is no workaround. [PR/279617: This issue has been resolved.]
• When a CoS classifier is applied to a logical unit with a wildcard (*), the default classifier is removed after the Routing Engine reboots. [PR/427848: This issue has been resolved.]
• A packet drop is seen when a logical unit is configured with the per-unit-scheduler. [PR/429961: This issue has been resolved.]
• On M320 routers, when the Tunnel PIC is on a standard FPC, multicast traffic conforming to Internet draft-rosen-vpn-mcast-08.txt might be subject to incorrect CoS queuing and rewrite. [PR/433142: This issue has been resolved.]
• The CoS DSCP classifier might not work properly on a redundant LSQ interface. [PR/435701: This issue has been resolved.]
• After the aggregate chassis configuration is deactivated then activated, the classifier might not be properly applied on aggregate interfaces. [PR/442240: This issue has been resolved.]
• The OC3/12 Multi-Rate PIC may not be able to transmit any packet. [PR/444077: This issue has been resolved.]
• When an Intelligent Queuing PIC is taken offline and brought back online, the chassis scheduler map configured may be changed to [95,0,0,5]. The workaround is to deactivate the chassis scheduler map before taking the PIC offline and activate the configuration after the PIC comes online. [PR/444543: This issue has been resolved.]

Forwarding and Sampling

• When a filter term has "next term" as the action, the action may be shown in the firewall log as "unknown" for the matched outgoing packets. [PR/421810: This issue has been resolved.]
• If (1) an input-list or output-list is configured on an interface in a logical system, (2) the filters in the list are defined under the firewall hierarchy of the main router, and (3) a prefix list defined under the policy-options of the main router is referenced by one of the filters in the list, the commit will fail with the error message "Referenced prefix-list xxx is not defined." [PR/427253: This issue has been resolved.]

General Routing

• When attempting to use a framed route from a RADIUS client, rpd may core if there is no static route table. [PR/432447: This issue has been resolved.]

Interfaces and Chassis

• In a TX Matrix router, the show chassis fpc fpc-number command returns an error instead of showing FPC information when the FPC number is greater than 8. [PR/387956: This issue has been resolved.]
• When you reboot an FPC while it is coming online and if the FPC adding process is interrupted before it successfully completes, the chassis process does not operate properly. [PR/400676: This issue has been resolved.]
• When traffic is passed at near maximum throughput to any queuing IQ2 or IQ2E PICs or DPCs, the show interfaces xe-fpc-pic-port extensive command output for queue counters might be incorrect. [PR/401431: This issue has been resolved.]
• Incorporating any changes in the interfaces configuration results in a small leak in the dcd process. The leak is at the rate of 16 bytes per interface configured per commit. [PR/411596: This issue has been resolved.]
• When you configure LACP on an aggregated Ethernet interface, the counters displayed by the show interface extensive command might show unexpected values. This problem occurs for logical interfaces that have an incoming interface index value that matches the default index of the data stream. [PR/418054: This issue has been resolved.]
• On the M320 router, clearing statistics with the clear interfaces statistics command might take up to 10 seconds. [PR/421520]
• The PPP MTU value of an interface protocol on a peer might change as a result of an irrelevant configuration change and cause the PPP MTU negotiation to fail. [PR/421706: This issue has been resolved.]
• Using disable under an aggregate member can lead the interface to be flagged in the “HARDDOWN” state despite being physically up. Deactivate/activate the interface to fix the problem. [PR/422933: This issue has been resolved.]
• During the Switching and Forwarding Module (SFM) switchover process, the algorithm to switch over the SFM and take the FPC offline does not clear the hard and soft errors on each FPC. [PR/433616: This issue has been resolved.]
• In the output of the show chassis pic fpc-pic-slot command, the 40 port Gigabit Ethernet DPC with SFP might be shown erroneously as 1000LH instead of 1000EX. [PR/438753: This issue has been resolved.]
• When the same logical interface is deleted from the default system and added into the logical system, the Routing Engine might fail. [PR/441284: This issue has been resolved.]
• When the sum of the shaping rate for the logical interfaces for a physical interface is greater than the physical interface's bandwidth and a rate limit is applied to one of the logical interface queues, the bandwidth limit for the queue will be based on a scaled down logical interface shaping rate value rather than the configured logical interface shaping rate. [PR/441413: This issue has been resolved.]
• When the ingress router re-signals an RSVP session, traffic could egress a disabled SONET interface that is part of an APS group using container interfaces. Switching the APS interfaces resolves the problem. [PR/443295: This issue has been resolved.]

Layer 2 Ethernet Services

• Upon issuing the clear dhcp relay bindings all command, not all access-internal routes are deleted from the route table for DHCP subscribers being terminated on dynamic demux interfaces. The routes point to demux interfaces that are no longer present. Associated ARP entries and DHCP bindings appear to be properly cleared. [PR/425279: This issue has been resolved.]
• The relay-option-60 configuration stops working under a configured group if something else is changed under that group. [PR/434373: This issue has been resolved.]
• After the MX-series router reboots, no DHCP packets reach the JDHCPD log. [PR/438269: This issue has been resolved.]

MPLS Applications

• On an M-series or T-series router, when an MPLS label-switch path (LSP) re-optimizes or changes path and there is a signaling failure along that path, then the path change will not happen until the next LSP re-optimization event. [PR/401343: This issue has been resolved.]
• The load-balancing spread is affected when both the primary and the first secondary LSP are out of commission. [PR/422596: This issue has been resolved.]
• For JUNOS Release 9.5 and later, when the show mpls lsp p2mp statistics egress command is entered, the Packets and Bytes fields should display as "NA" for egress LSP sessions. The statistics should display meaningful numbers only for ingress and transit LSP sessions. Instead, the fields display as 0 with the show mpls lsp p2mp statistics egress command. This is changed to NA after including the no-tunnel-services statement at the [edit routing-instances vpls1 protocols vpls] hierarchy level. [PR/429001: This issue has been resolved.]
• If you have disabled the trap statement at the [edit protocols ldp log-updown] hierarchy level, upgrading to JUNOS Release 9.2 and later from a release previous to 9.2 will fail. [PR/432003: This issue has been resolved.]

Network Management

• When subagents are slow in responding to SNMP queries, the SNMP process continues to buffer the incoming SNMP requests. SNMP memory becomes exhausted after the buffer increases to a bigger value, which causes the SNMP process to dump core. [PR/430106: This issue has been resolved.]
• When Routing Engine 1 (RE1) is reloaded, the Management Information Base II (MIB II) process (mib2d) dumps core. [PR/436218: This issue has been resolved.]
• When the master SNMP process (snmpd) restarts on a TX Matrix platform, the SNMP subagent running on the line-card chassis (LCC) chassis process (chassisd) tries to register MIB objects with the master snmpd. If the registration progress enters in infinite loop, it causes the master snmpd to consume high CPU utilization. [PR/438085: This issue has been resolved.]

Platform and Infrastructure

• On M320 and T-series routing platforms, when you configure the local gateway of an IPsec tunnel in a routing instance, IPsec might not function properly over a generic routing encapsulation (GRE) tunnel. [PR/73864: This issue has been resolved.]
• On MX-series platforms using Routing Engine-based sampling, when samples are sent from the Packet Forwarding Engine to the Routing Engine over certain interfaces, the interface Input/Output index and next-hop address are set to 0. The following interfaces are affected: ge-x/0/y, ge-x/1/y, xe-x/2/0, and xe-x/3/0. It is not possible in this case to match on the interface index to retrieve data from the flow collector. [PR/286089: This issue has been resolved.]
• If a duplicate address is detected for the IPv6 family on an Ethernet interface, the DAD is not restarted even after the interface goes down and comes back. [PR/421241: This issue has been resolved.]
• On the M320 router, clearing statistics with the clear interfaces statistics command might take up to 10 seconds. [PR/421520: This issue has been resolved.]
• On M10i routers with I-chip based E-CFEBs, IQ2 PIC ISSU is not supported. Take the IQ2 PIC offline before initiating ISSU on M10i routers. [PR/421988: This issue has been resolved.]
• When you configure an aggregate Ethernet interface as unnumbered, the router might fail. As a workaround, do not configure aggregate Ethernet interfaces with unnumbered addresses. [PR/428345: This issue has been resolved.]
• On MX-series Ethernet Services routers, the FPC might reboot without a core dump when the DWDM is incorrectly configured, and that incorrect configuration causes many link flaps. As a workaround, either disconnect the offending link or include the disable statement at the [edit interfaces] hierarchy level to stop the FPC reboots. [PR/430703: This issue has been resolved.]
• When configuring proxy-arp on unnumbered interfaces, the router can incorrectly answer address-collision-detection ARP requests, causing DHCP clients to decline the offered address. [PR/431192: This issue has been resolved.]
• When you configure flow monitoring on a T1600 router with a T640 or T1600 Enhanced Scaled FPC4, if both input and output traffic are located on the same bottom Packet Forwarding Engine, the next-hop address and output interface are set to 0. [PR/431567: This issue has been resolved.]
• On MX-series and M120 routers, and M320 routers with an Enhanced III FPC, if the VRF configuration includes the vrf-table-label statement, a DPC or FPC might dump the core when an MPLS packet with time-to-live (TTL) equal to 0 (zero) or 1 (one) is processed at the egress provider edge (PE) router. [PR/436017: This issue has been resolved.]
• The Address Resolution Protocol (ARP) retry count might be incorrect: instead of sending out the first five retries every second, the third and consequent retries might be sent out every 15 seconds. [PR/436580: This issue has been resolved.]
• On an MX-series platform with a Combo DPC (20-port 1-Gigabit Ethernet 2-port 10-Gigabit Ethernet), if the family mpls statement is included at the [edit interfaces interface-name unit logical-unit-number] hierarchy level for the 1-Gigabit Ethernet port of a DPC slot, the show interfaces statistics command reports zero values for input traffic at all ports. This issue does not affect the input traffic statistics for the 10-Gigabit Ethernet ports. This is a cosmetic issue and does not affect functionality. [PR/436653: This issue has been resolved.]
• SCU configuration causes the PFE to drop some host-bound packets on M320 and T-series routers. [PR/438261] [PR/438261: This issue has been resolved.]
• Under certain circumstances Intelligent Queuing PICs might not be able to boot properly on E3-FPCs. [PR/438678: This issue has been resolved.]
• When certain FPCs (T1600-FPC4-ES, T640-FPC4-1P-ES, T640-FPC1-ES, T640-FPC2-ES, and T640-FPC3-ES) receive corrupted cells via high-speed links, they might unnecessarily reboot and report the following system log error message: “Unrecoverable Error: Flist gtop bit toggled !”. No reset is needed to recover from this condition. [PR/441844: This issue has been resolved.]

• On T1600, TX Matrix, or T640 routers installed in JUNOS Release 9.3 or higher with one of the following Flexible PIC Concentrators (FPCs):

  • T1600-FPC4-ES
  • T640-FPC4-1P-ES
  • T640-FPC4-ES
  • T640-FPC1-ES
  • T640-FPC2-ES
  • T640-FPC3-ES

jtree memory might get corrupted once routes are deleted while traffic is send to those prefixes. This can result in permanent or transient packet drops.

One or more of following messages might get logged in the system log:

• SRCHIP(1): 131072 Discards - stack underflow
• SRCHIP(1): 129735 Discards - truncated key - next hop
• SRCHIP(1): SOF (58) >= DMA length (46) (Read Channel
• SRCHIP(1): RKME int_status 0x300
• SRCHIP(1): 4670347 Multicast list discard route entries
• SRCHIP(1): 14486 Discards - illegal BTT
• SLCHIP(1): 1617082 new errors (illegal link) in DESRD last stream 0 last lout_key 0xabd0e
• o SLCHIP(1): 1622998 new errors (packet error) in HDRF, lout_hdrf_poll_stats

There is no workaround and an FPC reboot might be needed to recover. [PR/443171: This issue has been resolved.]

Routing Protocols

• Deactivation of routing instances might cause the routing protocol process (rpd) to create a soft assertion core dump. [PR/396122: This issue has been resolved.]
• If a multiaccess interface is disabled, after a Routing Engine switchover this disabled link is advertised in the router link-state advertisement (LSA). [PR/418559: This issue has been resolved.]
• If OSPF is in overload mode on the standby Routing Engine but not in overload mode on the primary Routing Engine, it may take a long time to install OSPF routes on the standby Routing Engine. [PR/421636: This issue has been resolved.]
• Community types are allocated at random to the members in the community list; as a result, sometimes extended communities are treated as simple and vice versa, which causes problems with the VRF import code. [PR/430728: This issue has been resolved.]
• If static route pointing to discard is configured, a core happens when the router tries to collect the multicast statistic data. [PR/434298: This issue has been resolved.]
• BGP in L3VPN will show “local-id 0.0.0.0” in output from the show bgp neighbor command when NSR is enabled [PR/434321: This issue has been resolved.]
• When you configure support for alternate loop-free routes through the link-protection statement and you configure PIM join-load-balance, the backup paths will be used in load-balancing PIM joins along with the active path. [PR/434996: This issue has been resolved.]
• With BGP multipath configured, BGP traceoption flags may not be refreshed after a change in the traceoption flag configuration. [PR/436440: This issue has been resolved.]
• Embedded RP is not created upon receiving a trigger from multicast traffic. Deactivating and activating the configuration solves the issue. [PR/437893: This issue has been resolved.]
• If PIM is disabled, embedded rendezvous point (RP) configurations might cause continuous routing protocol process (rpd) cores. [PR/438159: This issue has been resolved.]
• When you configure auto-rp, if the rendezvous point (RP) configuration is deactivated and then reactivated on the provider edge router, the router fails to rediscover the RP announced by the customer edge router. [PR/438356: This issue has been resolved.]
• If a RIB is referenced within the from clause of a policy statement the statement, might be changed on every commit. This can lead to route flaps on every commit if the statement is used as the import policy for a RIB group, which in turn is referenced in OSPF. [PR/441557: This issue has been resolved.]
• RPD may crash if a VRF routing instance is reconfigured in a single commit from Draft-Rosen MVPN to Next-Gen MVPN with RSVP-TE inclusive provider tunnels. [PR/442391: This issue has been resolved.]
• When you configure the path-selection always-compare-med statement at the [edit protocols bgp] hierarchy level, BGP multipath might not find all the eligible paths. [PR/444629: This issue has been resolved.]
• TTL for BGP listen socket changed from 64 to 255 to give support for GTSM. [PR/449160: This issue has been resolved.]

Services Applications

• When using L2TP services on M-series routers, every session or tunnel connection and disconnection will leak memory. [PR/312961: This issue has been resolved.]
• When the IDP config, service-sets, and interfaces are committed separately, the IDP policy push will fail. [PR/434624: This issue has been resolved.]

User Interface and Configuration

• When you set the time-zone statement at the [edit system] hierarchy level, it might cause the backup Routing Engine to lock the configuration. As a result, you would no longer be able to reboot the Routing Engine or perform any commits. To clear the issue, you must log on to the backup Routing Engine and issue the clear system commit command. [PR/309100: This issue has been resolved.]
• In JUNOS Release 9.5, the time it takes to commit a configuration is significantly improved when the configuration is very big (for example, for 250K firewall filters or 64K IFLs). With small or medium configurations; ;however, the improvement in commit time is not as noticeable or might even seem slower because of features added in JUNOS Release 9.5. [PR/417957] [PR/417957: This issue has been resolved.]
• The dynamic-db policies feature works under logical systems but needs to restart the logical router after any changes or commits to the dynamic policy configuration under the [edit logical-systems] hierarchy level in the dynamic database. [PR/418969: This issue has been resolved.]
• When you issue the commit confirmed command on a TX Matrix platform, it might not roll back to the original configuration as expected when the commit is not confirmed. [PR/425642: This issue has been resolved.]
• Trying to use the system-generated certificate is displayed in the J-Web interface, it will commit errors. [PR/432208: This issue has been resolved.]
• When you configure trace options at the [edit system scripts] hierarchy level, the router sometimes produces commit errors. [PR/438289: This issue has been resolved.]

VPNs

• Applying configuration changes that remove a static point-to-multipoint LSP and a static MVPN provider tunnel group configuration can cause the routing protocol process (rpd) to reset unexpectedly. To avoid this problem, first delete the provider-tunnel configuration, then the LSP configuration. [PR/288456: This issue has been resolved.]
• When you delete a Layer 2 VPN routing instance and add a new VPLS routing instance using the same interface within the same commit, the routing protocol process (rpd) might dump core. [PR/291407: This issue has been resolved.]

Resolved Issues for JUNOS Release 9.5R1

This section lists issues that were fixed in JUNOS Release 9.5R1. The identifier following the description is the tracking number in our bug database.

Software Installation and Upgrade

• The ARP aging time configuration in the system configuration stanza in JUNOS Release 9.4R1 is incompatible with the ARP aging configuration in JUNOS Release 9.3R1 or earlier and JUNOS Release 9.4R2 or later. If you have configured system arp aging-timer aging-time on an M-series, MX-series, or T-series routing platform running JUNOS Release 9.4R1 and upgrade to JUNOS Release 9.4R2 or downgrade to JUNOS Release 9.3R1, the router will display configuration errors on booting up after the upgrade or downgrade. As a workaround, delete the arp aging-timer aging-time configuration in the system configuration stanza before you upgrade or downgrade from JUNOS Release 9.4R1, and reapply the configuration after you complete the upgrade or downgrade. [PR/ 425221: This issue has been resolved.]

Platform and Infrastructure

• You might encounter output drops with the 10-Gigabit Ethernet PICs. The output drops occur because the software incorrectly calculates the number of queues for polling statistics in a 10-Gigabit Ethernet PIC, even though it is different from other PICs. [PR/277693: This issue has been resolved.]
• The MX Tri-rate DPC does not support MAC accounting and returns the following message: "error: MAC accounting and policing not supported." [PR/387919: This issue has been resolved.]
• When you have configured the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level for a VRF routing instance, IPv4 and IPv6 MTU error notification is not handled properly. On M320 routers with an incoming FPC as SFPC and an outgoing FPC as FFPC, large IPv6 packets are not being detected and discarded properly. [PR/397334: This issue has been resolved.]
• When the Routing Engine requests numerous statistics that surpass a set boundary, "PFEMAN: Couldn't write..." messages might be logged and DPC core dumps might occur. [PR/398233: This issue has been resolved.]
• When you configure per-packet load balancing, outgoing traffic is dropped on T640 routers. The problem is exacerbated if you have configured two PFE instances. [PR/402031: This issue has been resolved.]
• Aggregate bundle child interface statistics do not account for the packets sent to a demux interface using an AE bundle as the underlying interface. [PR/403570: This issue has been resolved.]
• When ifd channel mode is of type HYBRID, LSI statistics are counted every time ifl_stats are collected for each logical interface. This causes the LSI input counters to be incremented by a multiple of the logical interfaces. [PR/404857: This issue has been resolved.]
• With the E-CFEB on the M10i router, the backup Routing Engine will go to the database prompt when GRES and NSR are enabled with a Layer 2 circuit configuration. [PR/409075]
• The show pfe statistics command is not displaying the I-CHIP Ipktwr packet drop counts. [PR/416477: This issue has been resolved.]
• Under rare circumstances, it is possible for the kernel to panic on the TX Matrix LCC or on the SRX platform following a Routing Engine switchover or RDP connection timeout between the LCC and SCC. [PR/416973: This issue has been resolved.]
• For multicast traffic, if the OIF is on an aggregated interface and its member link is on a different PFE (for example, 7/1/0 and 6/1/0), multicast traffic might be lost after the FPC, which has IIF for the multicast, is rebooted. [PR/418583: This issue has been resolved.]
• Initial ARP packets are discarded by the default ARP policer because when a T1600’s FPC restarts, the current credit is initialized to JT_POL_SR_CURRENT_CREDIT_MAX, which is 0xFFFFF. This has a high negative value in SR, so packets are dropped until it goes down. As a workaround, you can initialize the current credit to max_credit_limit (which is equal to (credit_limit / Rate) * time_credit), approximately equal to TC. [PR/419909: This issue has been resolved.]
• The SNMP remote operations process (rmopd) might fail after configuring a BGP neighbor with a local address. [PR/420504: This issue has been resolved.]
• In JUNOS Release 9.3R1 or higher, on Juniper Networks routers with Type 4 FPCs or T1600 routers, multicast traffic is not counted within the interface statistics counters once class-of-service rewrite rules have been applied to the interface. [PR/420681: This issue has been resolved.]
• On the MX-series router, when you configure MPLS and a tunnel configuration on the same Gigabit Ethernet DPC, the tunnel interface shows traffic as the sum of the traffic of the other Gigabit Ethernet interfaces on the DPC. This is a cosmetic issue and does not affect functionality. [PR/422274: This issue has been resolved.]

Interfaces and Chassis

• In OC768-over-OC192 mode on the 4-port OC192c PIC, when you change the clocking internal statement to clocking external at the [edit interfaces interface-name] hierarch level, the clock may not come up. [PR/395847: This issue has been resolved.]
• The AE bundle statistics (issue the monitor interface traffic command) on T640 routers display a high value when the FPC is taken offline. There is no issue with the TX Matrix. [PR/399451: This issue has been resolved.]
• Aggregate bundle child interface statistics do not account for the packets sent to a demux interface using an AE bundle as the underlying interface. [PR/403570: This issue has been resolved.]
• With the E-CFEB on M7i and M10i routers, total traffic loss might occur after a CFEB switchover. [PR/407608: This issue has been resolved.]
• With the IQ2 interface, the queue scheduler will not work as expected for shaped L2TP sessions. Only the rate limit will work on a per queue basis. This problem does not occur for Enhanced IQ2 interfaces. [PR/409590:This issue has been resolved.]
• When a 10-Gigabit Ethernet interface of a DPC is connected to a faulty optical card which is causing the link state to change at a very high rate, the DPC might fail. [PR/411072: This issue has been resolved.]
• The valid range for timeslot under e1-options in channelized E1 (CE1) interfaces of Enhanced Intelligent Queuing (IQE) PICs is 2 through 32. This option is used to create fractional E1 interfaces. [PR/416800: This issue has been resolved.]
• When a Layer 2 policer is applied to the egress interface of a router, the dropped frame statistics might show incorrect information. [PR/419181: This issue has been resolved.]
• On an IQ2 PIC, the slow aging interval might be overwritten with a value of 202 seconds. This causes the MAC entry to be removed between 6 and 7 minutes. [PR/419510: This issue has been resolved.]

Services Applications

• With the E-CFEB on M7i and M10i routers, If you configure a firewall filter with an action of sampling and then apply the filter to the interface, all packets received on the PIC are corrupt and consequently dropped. [PR/408802: This issue has been resolved.]
• On an M7i or M10i routers with the enhanced CFEB, if you issue the deactivate forwarding-options sampling command, sampling stops for both IPv4 and IPv6 traffic. If you then issue the activate forwarding-options sampling command, sampling resumes for only IPv4 traffic. [PR/415140: This issue has been resolved.]
• If you are setting the option refresh rate using the flow monitoring feature supported in version 9 and you set the lowest rate to IPv6 and the highest rate to IPv4, the device will treat IPv6 as having the lowest rate. [PR/416788: This issue has been resolved.],

Layer 2 Ethernet Services

• When you configure GRES on the MX-series router, the SIB might not initialize if you reboot both Routing Engines simultaneously, or reboot the router with only one Routing Engine installed. [PR/408359: This issue has been resolved.]
• Integrated routing and bridging (IRB) configured over VPLS or multicast might not be reachable. As a workaround, clear the ARP table with the clear arp command. [PR/418438: This issue has been resolved.]

Subscriber Access Management

• When a RADIUS initiated disconnect is attempted on a client session that does not have time-based accounting enabled, the generic authentication service process (authd) currently logs out the session and cleans up, but does not send an Ack message back to the requesting server. This may lead the RID server to retry even though the subscriber has already been successfully logged out. This problem occurs when volume-based accounting is configured or when no accounting is configured for the subscriber. It does not occur when time-based accounting is configured for that subscriber. [PR/417765: This issue has been resolved.]

General Routing

• On a TX Matrix with JUNOS Release 9.1 and later, configuring the generate statement at the [edit routing-options] hierarchy level with a reference to a policy results in the commit not completing successfully. [PR/416380: This issue has been resolved.]

Routing Protocols

• On a router with dual Routing Engines and NSR configured, the backup RPD may go down in rare instances while processing an indirect next-hop delete. [PR/302731: This issue has been resolved.]
• When you transition an MVPN configuration from sparse mode to dense mode, you might need to restart routing to ensure that dense mode (DM) is flooding properly over the core router's default multicast distribution tree (MDT). [PR/398110: This issue has been resolved.]
• If GRES is not enabled, on a Routing Engine switchover the routing protocol process (rpd) on the new backup Routing Engine quits before cleaning up the forwarding table. [PR/402372: This issue has been resolved.]
• With JUNOS Release (9.3R1) or higher with a Type 4 FPC or T1600, multicast traffic is not counted in the interface statistics after the class-of-service (CoS) rewrite rules have been applied to the interface. [PR/420681: This issue has been resolved.]

VPNs

• If MAC addresses are learned within a VPLS instance, CE devices will communicate directly even though the no-local-switching statement is configured. [PR/419976: This issue has been resolved.]
• Multicast group addresses ending with .232 are classified as SSM groups when using multicast VPNs. These routes are note installed in the multicast VPN routing table and all traffic destined to these destinations is dropped. As a workaround, include the asm-override-ssm statement at the [edit routing-instances routing-options multicast] hierarchy level. [PR/426811: This issue has been resolved.]

Forwarding and Sampling

• The policer value does not change dynamically on changing the shaping rate. The policer keeps the initial value. As a workaround, deactivate and activate the filter. [PR/286663: This issue has been resolved.]

Related Topics

• New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
• Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
• Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
• Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms