Current Software Release

The current software release is Release 9.1R4. For information about obtaining the software packages, see M-series, MX-series, and T-series Upgrade and Downgrade Instructions or , depending on your router platform.

Outstanding Issues

Software Installation and Upgrade

• For hard disks that were originally formatted by JUNOS Release 4.4 or earlier, after you issue the request system snapshot partition command, the router cannot boot from the hard disk. As a workaround, issue the request system snapshot command before upgrading. [PR/36742]

Platform and Infrastructure

• When the Monitoring Services PIC is overloaded, the output from the show services accounting flow-detail command might freeze. [PR/32896]
• On T-series platforms, a Layer 2 maximum transmission unit (MTU) check is not supported for MPLS packets exiting the routing platform. [PR/46238]
• When you configure a source class usage (SCU) name with an integer (for example, 100) and use this source class as a firewall filter match condition, the class identifier might be misinterpreted as an integer, which might cause the filter to disregard the match. [PR/50247]
• When a Monitoring Services PIC is overloaded with traffic, the FPC might take the PIC offline and repeatedly send the same error message. The error message does not affect normal operation of the FPC and PICs. As a workaround, restart the FPC or bring the PIC online. [PR/55981]
• If you configure several DNS servers by including the name-server statement at the [edit system] hierarchy level, the JUNOS software uses only the first three configured DNS servers. [PR/59172]
• On a Monitoring Services III PIC configured as a dynamic flow capture (DFC) interface (dfc-fpc/pic/port), when you configure the DFC interface as the next hop in a forwarding path, port-mirrored packets might become corrupted. [PR/60799]
• If you configure 11 or more logical interfaces in a single VPLS instance, VPLS statistics might not be reported correctly. [PR/65496]
• You can safely ignore warnings like the following: "Warning: Block size restricts cylinders per group to xx." This type of message indicates the maximum number of cylinders per cylinder group as determined by various other parameters. This warning message no longer appears in JUNOS Release 8.5 and later. [PR/65917]
• In a routing matrix configured for graceful Routing Engine switchover (GRES), when the master Routing Engine of a T640 routing node (line-card chassis, or LCC) enters debug mode, it does not release mastership. [PR/66308]
• When a large number of kernel system log messages are generated, the log information might become garbled and the severity level could change. This behavior has no operational impact. [PR/71427]
• On M320 and T-series routing platforms, there is a process that monitors FPCs while they transition to an online state. If an FPC is busy and cannot complete the transition within the time limit, the process might time out and prevent the FPC from coming online. [PR/72364]
• If you configure the same IPv6 address on the fxp0 interface and another public interface within the same routing instance, the backup Routing Engine might restart. [PR/72573]
• On M320 and T-series routing platforms, when you configure the local gateway of an IPSec tunnel in a routing instance, IPSec might not function properly over a generic routing encapsulation (GRE) tunnel. [PR/73864]
• In the situation where a Link Services (LS) interface to a CE router appears in the VPN routing and forwarding table (VRF table) and a fragmentation is required, Internet Control Message Protocol (ICMP) cannot be forwarded out of the LS interface from a remote PE router that is in the VRF table. As a workaround, include the vrf-table-label statement in the configuration. [PR/75361]
• For J-series Services Routers, if you send a real-time performance monitoring (RPM) probe through an IPSec tunnel and the probe includes the hardware-timestamp statement at the [edit services rpm probe owner-name test test-name] hierarchy level, RPM icmp-ping type probes might not work. [PR/75927]
• On M160 and M40e routers, a hardware error on the Switch Fabric Module (SFM) might cause the board to reboot. [PR/79236]
• On the T-series routing platform, when you include the no-labels configuration statement at the [edit forwarding-options hash-key family mpls] hierarchy level, the statement is added to the configuration; however, MPLS labels are still included in the hash key. [PR/80334]
• For Gigabit Ethernet intelligent queuing (IQ) PICs installed in M-series and T-series routing platforms, system log messages for SFP receive power, laser bias, and temperature alarms might alternate between set and clear. These messages are mostly cosmetic and do not affect performance of the routing platform. [PR/80393]
• Traceroute does not work when ICMP tunneling is configured. [PR/94310]
• A firewall filter that matches the forwarding class of incoming packets (that is, includes the forwarding-class statement at the [edit firewall filter filter-name term term-name from] hierarchy level) might incorrectly discard traffic destined for the Routing Engine. Transit traffic is handled correctly. [PR/97722]
• On J-series Services Routers, you cannot use a USB device that provides U3 features (such as the "U3 Titanium" device from SanDisk Corporation) as the media device during system boot. You must remove the U3 support before using the device as external media. For the U3 Titanium device, you can use the U3 Launchpad Removal Tool on a Windows-based system to remove the U3 features. The tool is available for download at http://www.sandisk.com/Retail/Default.aspx?CatID=1415. (To restore the U3 features, you can use the U3 Launchpad Installer Tool, accessible at http://www.sandisk.com/Retail/Default.aspx?CatID=1411.) [PR/102645]
• When you enable point-to-multipoint (P2MP) LSPs over an outgoing aggregated Ethernet (AE) interface that is configured with circuit cross-connect (CCC) switching, the LSP fails to forward traffic and you receive the following error: nh_ucast_add. As a workaround, first disable the AE interface and P2MP LSPs. Then activate the AE interface and then the LSPs. Finally, clear the RSVP session for that LSP. [PR/105884]
• The JUNOS software does not support dynamic ARP resolution on Ethernet interfaces that are designated for port mirroring. This causes the Packet Forwarding Engine to drop mirrored packets. As a workaround, configure the next-hop address as a static ARP entry by including the arp ip-address statement at the [edit interfaces interface-name] hierarchy level. [PR/237107]
• When you issue the request system power-on other-routing-engine command, an MX960 Routing Engine does not power on after it has been powered off in response to the request system power-off other-routing-engine command. [PR/253061]
• When multiple interrupts occur at the same time and there is common interrupt handler for all of them, an “unknown jbus interrupt” syslog event is reported even though there are no problems with the system. You can safely ignore this error message. [PR/253098]
• The IP Option Errors section in the output from the show pfe statistics ip options command does not include counters for all possible types of errors. [PR/254653]
• The router’s address-assignment pool support enables you to create a named address range that is based on a specific DHCP option 82 value (either circuit-id or remote-id). However, when a client request is received, the router ignores the specified option 82 value and instead uses the first named range of addresses in the address-assignment pool. [PR/263077]
• On T640, T320, and M320 routers, if you take an FPC offline during an ISSU boot, other FPCs in the router might crash. This happens when there is transit traffic flowing from the other FPCs towards the offlined FPC. [PR/268294]
• When the file resolve.conf does not include a proper working DNS server name, the show ntp associations command output displays the message "Can't find host localhost" with NTP server definitions. Because the DNS server name is not mandatory in the resolve.conf file, the error message is unnecessary. [PR/270915]
• On an M20 router, when you include the route-accounting statement at the [edit forwarding-options family inet6] hierarchy level, the following message might appear in the system log: "Error requesting SET BOOLEAN, illegal setting 32." The software is in fact functioning correctly. [PR/273762]
• When a GGSN C-PIC sends a packet larger than the MTU of the outgoing interface in a default VRF, ICMP error messages that indicate fragmentation is needed do not reach the C-PIC. [PR/276392]
• Output drops were reported in a 10 X 1 Gigabit PIC, as the software incorrectly calculated the number of queues for polling stats in a 10 X 1 Gigabit PIC, which is different from other PICs. [PR/277693]
• When Periodic Packet Management (PPM) delegation for Bidirectional Forwarding Detection (BFD) sessions is disabled (the delegate-processing statement is removed at the [edit routing-options ppm] hierarchy level), the BFD sessions might be terminated (because a “state is down” message is sent) and then re-established. [PR/280233]
• When you perform an in-service software upgrade (ISSU) on a routing platform with an FPC3 or an Enhanced FPC3 with 256 MB of memory, and the number of routes in the routing table exceeds 750,000, route loss might occur. If route loss occurs, as a workaround, perform either of the following tasks:
  • Replace the FPC3 or Enhanced FPC3 with another FPC that has more memory.
  • After the ISSU is complete, reboot only the FPC3 or Enhanced FPC3.

  [PR/282146]

• On the Juniper Control System (JCS) platform, the control and management traffic for all Routing Engines share the same physical link on the same switch module. In rare cases, the physical link might become oversubscribed, causing the management connection to Protected System Domains (PSDs) to be dropped. [PR/293126]
• For Routing Engines rated at 850 MHz (which appear as 'RE-850' in the output from the show chassis hardware command), messages like the following might be written to the system log when you insert a PC Card: "bad Vcc request" and "Device does not support APM." Despite the messages, operations that involve the PC Card work properly. [PR/293301]
• When a GRE tunnel key is configured, the TTL value might be decremented. [300956]
• When a PE router receives a PIM Join message from a CE router and the source for the required multicast data is another directly connected CE router, the attempt to create a flood next hop might initially fail. Messages, including the following, are written to the system log: “NH: Failed to install flood nexthop: <index>.” The next hop is eventually installed, so there is no operational impact. [PR/307579]
• On M120 routers or M320 platforms with M320 Enhanced III FPCs, packets might be discarded after a graceful Routing Engine switchover event. The following message might be written to the system log: “ichip_f_check_dest_errors: Fabric request time out for plane <index> dest <index> pfe <index>.” To restore forwarding performance, restart the Enhanced III FPC on M320 routers or the Forwarding Engine Board on M120 routers. [PR/310061]
• Hard disk crashes result in the compact flash being removed from the boot list instead of the hard disk. Depending on the exact hard drive failure, this could cause the Routing Engine to be stuck in a boot loop. [PR/389540]
• When a member link of an aggregate interface goes down and comes back up and new forwarding information is installed during that change-in-status period, traffic might be lost. [PR/392550]
• On T-series routing platforms with aggregated SONET/SDH interfaces, if multiple statistics requests for these interfaces are queued at the same time, a memory corruption might occur, causing the kernel to crash. [PR/393572]
• The problem is specific to aggregated interfaces. With aggregated interfaces and GRES enabled, when the neighboring machine goes down, the next hop turns to a hold next hop waiting to be resolved. If the next hop is resolved immediately, there is a possibility for the replicated routing engine to panic.. [PR/394209]
• Traffic originating from a remote PE blackholed when the multicast MAC is configured on the local PE for a CE device. [PR/398698]
• On J2300 Services Routers, sometimes the onboard Fast Ethernet ports do not allow traffic to pass through, while other interfaces are still passing traffic. [PR/406476]
• Before: The show pfe statistics CLI command did not display I-CHIP Ipktwr packet drop counts. After: A new display line has been added to display I-CHIP Ipktwr packet drop counts as follows: “regress@centaurus> show pfe statistics error Slot 1 ICHIP Error statistics: ICHIP 0 1 2 3 ------------------------------------------------------- SPI4 Sink(Rx): 0 0 0 0 SPI4 Src(Tx): 0 0 0 0 Iwi SPI Total: 0 0 0 0 Iwi PIF: 0 0 0 0 Iwo DESRD: 0 0 0 0 Iwo HDRF: 0 0 0 0 Ipktwr Drops: 0 0 0 0.” [PR/416477]
• Multicast traffic can be blackholed when oif is aggregated interface and each memberlink is on a different PFE. Reordering or child ifl's in aggregated interfaces is fixed. [PR/418583]
• Initial ARP packets are discarded by the default ARP policer because, when we restart Stoli FPC, Current Credit is initialized to JT_POL_SR_CURRENT_CREDIT_MAX, which is 0xFFFFF. This means it has a very high negative value in SR, so it will drop packets until it goes down. This can be avoided by initializing current credit to max_credit_limit (which is equal to (credit_limit / Rate) * time_credit) approximately equal to TC.. [PR/419909]
• On the MX-series router, when you configure MPLS and a tunnel configuration on the same GE DPC, the tunnel interface will show traffic as the sum of the traffic of the other GE interfaces on the DPC. This is a cosmetic issue and does not affect functionality.. [PR/422274]

Layer 2 Ethernet Services

• With a GRES configuration-enabled system, MX SIB might not initialize if you reboot both Routing Engines simultaneously, or do a power cycle with only one routing engine installed. This does not happen in a normal GRES switchover. [PR/408359]

User Interface and Configuration

• On M20 routers, after a Routing Engine mastership switchover, you might not be able to enter CLI configuration mode on the new master Routing Engine. Also, the request system reboot and request system halt commands do not clearly fail but do not return the CLI prompt either. [PR/64899]
• The logical router administrator can modify and delete master administrator only configurations by performing local operations such as issuing the load override, load replace, and load update commands. [PR/238991]
• When an M-series or T-series router is upgraded from JUNOS to JUNOS-FIPS, the request system snapshot command does not work. As a workaround, issue a request system snapshot force-fmt command from the shell. This issue is not present for upgrades from an older version of JUNOS-FIPS to a newer version of JUNOS-FIPS. [PR/252640]
• Executing a commit script during a commit operation causes the commit operation to stop responding. [PR/255430]
• When you are working in private configuration mode and try to commit a configuration that includes a comment about an inactive configuration statement, the commit operation fails with the message “syntax error”. [PR/270160]
• Sometimes, depending on the configuration, the system might fail to recognize an MD5 key configured for a BGP peer as part of a group configuration. [PR/283238]
• In the output from the configuration mode show | compare command, the banner might be the parent level of the current hierarchy level instead of the current level itself. For example, when the current hierarchy level is [edit interfaces fe-1/1/1], the banner in the output reads [edit interfaces], but the additions and deletions are reported with respect to the [edit interfaces fe-1/1/1] level. [PR/291574]
• The replace command removes quotation marks placed around policy algebra expressions. [PR/294344]
• Use of system log regular expressions to refine the logged messages does not work properly. [PR/295523]
• The file /var/db/feature.db is being read from and written to every 60 seconds. As a workaround, create the directory /config/license with the root user. [PR/308466]
• The alarm process (alarmd) updates /var/db/feature.db, a license-tracking file, every 60 seconds, even on routers that do not support the JUNOS software licensing feature (for example, the M7i, M10i, M40e, and T-series routing platforms). This causes unnecessary hard disk drive activity. To determine whether a router supports licensing, issue the show system license command. On routers that do not support licensing, the command returns the message “syntax error, expecting command.” As a workaround, you can create an empty /config/license directory at the root privilege level. [PR/308466]

Interfaces and Chassis

• On aggregated SONET/SDH interfaces, the counter for drops and errors in the show interfaces command output does not display the correct value, because the counter does not collect data from the constituent interfaces within the aggregate. [PR/23577]
• On ATM interfaces, when the IP address of a remote device is changed, the output of the show ilmi interface command on the local routing platform might continue to display the old IP address for the remote device. [PR/24126]
• On channelized E1 interfaces, you might be able to configure clocking on ds-fpc/pic /port:n interfaces, where n is not unit 0. This is an invalid configuration and might cause a clocking selection problem on the other channels. [PR/24722]
• On a 2-port OC12 ATM2 IQ interface, the total virtual path (VP) downtime might not display correctly in the show interfaces command output. [PR/27128]
• On a 2-port OC12 ATM2 IQ interface, if you configure and then change the virtual path (VP) setting, the SNMP jnxAtmVpTotalDownTime counter might be reset. [PR/27131]
• On an OC3 ATM2 intelligent queuing (IQ) interface, when you configure a shaping rate greater than the speed of the OC3 link and commit the configuration, the actual shaping rate might be less than the interface speed. [PR/27459]
• On ATM2 IQ interfaces, when you include the atm-l2circuit-mode statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level, the control-word sequence number is not reset to 1 after the transmit sequence number reaches 65,535. [PR/31669]
• On M20 and M40 routers, when a physical layer problem affects a SONET/SDH interface, carrier transition statistics might not increment correctly in the output of the show interfaces extensive command. [PR/33325]
• When you configure both the bundle link and constituent links at the [edit logical-routers logical-router-name interfaces] hierarchy level, the constituent links do not come up. As a workaround, configure the constituent links at the [edit interfaces] hierarchy level. [PR/35578]
• On ATM2 DS3 and E3 interfaces, when you configure ATM point-to-multipoint permanent virtual circuits (PVCs), the following error messages might appear in the system log: “/kernel: RT_COS: COS IPC op 4 (CLASS TO IFL) failed”, “err 1 (Unknown)”, “ssb BCHIP 0: invalid entry type 127 at stream 8 channel 0 for ifl 83”, and “ssb COSMAN: mapping table bind to ifl 83 failed”. There is no operational impact. [PR/36524]
• When you apply an IPSec firewall filter to match traffic sent across a generic routing encapsulation (GRE) tunnel and originating from the local routing platform, the local traffic is dropped. Transient traffic is not affected. [PR/44871]
• On a Link Services PIC, the CLI might incorrectly allow you to configure a logical tunnel interface (interface identifier lt); the resulting interface might not work correctly. [PR/49818]
• If an MLPPP LSQ bundle carries a large volume of link fragmentation and interleaving (LFI) traffic and a small proportion of multilink traffic, packets might be dropped on the egress constituent links. [PR/56664]
• For ISDN dialer interfaces in a J-series Services Router, when you configure the no-keepalives statement at the [edit interfaces dl0 unit logical-unit-number] hierarchy level and you issue the show interfaces dl0 command, the Link flags field in the output might still show 'Keepalives'. [PR/58520]
• If you disable an adaptive services interface by including the disable statement at the [edit interfaces sp-fpc/pic/port] hierarchy level and then delete the disable statement from the configuration, IPSec service is not reset correctly. As a workaround, either issue the deactivate services command followed by the activate services command, or issue the request chassis pic offline fpc-slot slot-number pic-slot pic-number command followed by the request chassis pic online fpc-slot slot-number pic-slot pic-number command. [PR/58522]
• On ISDN interfaces in a J-series Services Router, if you include the vrf-table-label statement at the [edit routing-instances instance-name] hierarchy level, packets might be dropped from the connection. [PR/59718]
• On ISDN dialer interfaces in a J-series Services Router, if you include the minimum-links statement at the [edit interfaces dl0 unit logical-unit-number] hierarchy level and then deactivate the BRI interface associated with the dialer interface, the output packets counter displayed in the output of the show interfaces dl0 command might continue to increment. [PR/59986]
• On ISDN dialer interfaces in a J-series Services Router, when you include the load-threshold 100 statement at the [edit interfaces dl0 unit logical-unit-number dialer-options] hierarchy level and the 56-Kbps bandwidth threshold is exceeded, the interface does not support additional network traffic and might not activate another BRI interface. [PR/60045]
• If you configure IS-IS, MPLS, and graceful Routing Engine switchover (GRES) and a switchover event occurs, the routing platform might end the PPP IP Control Protocol (IPCP) sessions and renegotiate them if the remote side has changed interface MTU settings prior to the switchover event. [PR/61121]
• If you configure graceful Routing Engine switchover and issue the request chassis routing-engine master acquire command, in rare cases the master Routing Engine might fail to relinquish mastership, or the switchover to the backup Routing Engine might take up to 360 seconds. [PR/61821]
• For Automatic Protection Switching (APS) on SONET/SDH interfaces, there are no operational mode commands that display the presence of APS mode mismatches. An APS mode mismatch occurs when one side is configured to use bidirectional mode, and the other side is configured to use unidirectional mode. [PR/65800]
• J4350 and J6350 Services Routers might not have enough data buffers to meet expected delay-bandwidth requirements. Lack of data buffers might degrade CoS performance with smaller-sized packets (500 bytes or less). [PR/73054]
• On M20 routers, when you start the router with Routing Engine 0 and System and Switch Board (SSB) 0 as master components, issue the request chassis routing-engine master switch command, and then log in to Routing Engine 1 and issue the request chassis ssb master switch and request system reboot commands, the ONLINE LED might remain lit on both SSBs. [PR/74283]
• If you include the disable statement at the [edit interfaces interface-name] hierarchy level to disable the ingress interface for a SONET link between two routers that are not configured for APS or other link protection, the egress interface might not be notified. This situation might cause traffic loss. [PR/78831]
• On J4350 and J6350 Services Routers, if the MTU is set to more than 6 KB for a built-in Gigabit Ethernet port or a 1-port Gigabit Ethernet ePIM, packets might be discarded with an FCS error. [PR/82245]
• If you ping a nonexistent IPv6 address that belongs to the same subnet as an existing point-to-point link, the packet loops between the two point-to-point interfaces until the time to live expires. [PR/94954]
• If the delay between VRRP advertisement packets is set to a small value (such as 100 ms) for a number of VRRP groups, and the router configuration is changed and committed several times in quick succession, the VRRP mastership state might be unstable. In other words, if the value of the fast-interval statement at the [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-number] hierarchy level is 100 for several VRRP groups, and configuration changes are committed several times in quick succession (even changes at other levels of the hierarchy), a VRRP backup router might assume mastership and immediately release it again. As a workaround, set the value of the fast-interval statement to 300 or higher. [PR/102111]
• The output of the show interfaces diagnostics optics command includes the "Laser rx power low alarm" field even if the transceiver is a type (such as XENPAK) that does not support this alarm. [PR/103444]
• On channelized DS3 interfaces, when a logical unit is configured with Multilink Frame Relay (MLFR) end-to-end encapsulation and Frame Relay PPP encapsulation is configured on the next numerically higher logical unit, the commit will fail. As a workaround, configure Frame Relay PPP encapsulation on a numerically smaller logical unit before a logical unit with MLFR encapsulation. [PR/229071]
• When you issue the show chassis ethernet-switch statistics command on a routing platform with graceful Routing Engine switchover enabled, the two Routing Engines might be unable to exchange information for about 2 seconds. [PR/233779]
• On serial interfaces transmitting either 64-byte or 128-byte packets, the effective bandwidth might be reduced when the interface is highly oversubscribed. [PR/235753]
• On 1-port 10-Gigabit Ethernet XFP Uplink PICs and 1-port 10-Gigabit Ethernet XENPAK PICs, when the 10-Gigabit Ethernet port is disabled through the CLI, the transmit laser is shut off correctly. After this, if the XFP or XENPAK module is changed or reseated, the transmit laser is turned on, even though the port is disabled. [PR/267308]
• If you configure more than 50 track routes (any combination of IPv4 and IPv6 routes) by including the track statement at the [edit interfaces interface-name unit logical-unit-number family (inet | inet6) address address (vrrp-group | vrrp-inet6-group) group-id] hierarchy level, the VRRP software might not correctly update route information when the status of routes changes. [PR/267769]
• Hot swapping the M120 fan tray might cause the "Check CB" alarm to activate. [PR/268735]
• On a router configured for graceful Routing Engine switchover, if the backup Routing Engine is running JUNOS Release 8.1 or later and the master Routing Engine is running JUNOS Release 8.0 or earlier, updates might not be made to the forwarding table. [PR/273492]
• When you issue the clear -config -T switch[1] command using the management module on the JCS 1200, the switch module is returned to its factory default setting instead of the Juniper Networks default setting. Do not issue the clear -config -T switch[1] command. [PR/274399]
• If you enable nonstop active routing (NSR) and perform a commit synchronize when the backup Routing Engine is not available, the system provides a warning message. To expedite protocol synchronization, issue the restart routing command on the backup Routing Engine when it comes up. [PR/277993]
• Adding per-unit-scheduler configuration to a one- or two-port IQ PIC might cause errors and affect the forwarding state of the ports. [PR/282934]
• On a router with Frame Relay multilink configured on an MS 400 PIC or on a channelized DS3 PIC, when the minimum links value for the Frame Relay interface is set to 8 and a link is deactivated from the configuration, the link remains up. [PR/285244]
• The commit operation does not fail when the configuration includes the following invalid combination of statements: the address specified by the source or destination statement at the [edit interfaces gr-fpc/pic/port unit logical-unit-number tunnel] hierarchy level is the same as the interface’s own subnet address (as specified by the address statement at the [edit interfaces gr-fpc/pic/port unit logical-unit-number family family-name] hierarchy level). [PR/299443]
• The 1-port ATM2 OC48/STM12 IQ PIC might generate an RDI-P error when it receives a packet in which the bits corresponding to the enhanced path-RDI encoding of the G1 path overhead byte are set, even if the formal path-RDI bit within the G1 path overhead byte is not set. [PR/309929]
• On M5, M10, M20, and M40 routers, when you issue an SNMP query for alarm LED status (such as show snmp mib walk jnxLEDState), the message “FPM device not open” might be logged. This is an erroneous message and can be ignored.
• On M5, M10, M20, and M40 routers, when you issue an SNMP query for alarm LED status (such as show snmp mib walk jnxLEDState), the message “FPM device not open” might be logged. This is an erroneous message and can be ignored. [PR/313073]

Services Applications

• The output of the show services nat pool command displays duplicate entries for a single Network Address Translation (NAT) pool. [PR/34678]
• The show services accounting flow-detail extensive command sometimes displays incorrect information about input and output interfaces. [PR/40446]
• When you configure intrusion detection service (IDS) on J-series platforms, including the threshold statement at the [edit services ids rule rule-name term term-name then logging] hierarchy level has no effect. [PR/46577]
• On Adaptive Services PICs configured for IPSec tunnel redundancy, if there are a large number of tunnels, sometimes a few of the tunnels might switch over to the backup tunnel. [PR/46733]
• On routing platforms configured for Internet Key Exchange (IKE)-based IPSec, if a remote peer using other vendors equipment does not renegotiate the IKE security association (SA) when it is about to expire and continues to send dead peer detection (DPD) requests on the same SA, the routing platform might not be able to reply to these messages. [PR/47004]
• If the socket buffer becomes full on a remote router, you cannot clear all the IPSec security associations (SAs) from the router. [PR/55189]
• When a routing platform is configured for graceful Routing Engine switchover and Adaptive Services (AS) PIC redundancy, and a switchover to the backup Routing Engine occurs, the redundant services interface (rsp-) always activates the primary services interface (sp-), even if the secondary interface was active before the switchover. [PR/59070]
• When you modify a flow collection services configuration and commit the changes, the system log might contain error messages regarding the commit. There is no operational impact and these messages can be ignored. [PR/64201]
• For Adaptive Services II PICs, even if you do not configure flow collector services, a temporary file might be created every 15 minutes in the /var/log/flowc/ directory. The file is deleted if there are no clients, and re-created only when a client connects and attempts to write to the file. [PR/75515]
• The JUNOS software does not issue a warning when you configure an address as both the destination IP address of a voice-over-IP (vp-) interface and the primary address of another interface on the router. This configuration is not valid, and can disrupt forwarding of traffic to the voice-over-IP interface. [PR/75535]
• On J4350 and J6350 Services Routers, when you insert a Telephony Gateway Module (TGM) 550 PIM and the PIM is in a reset state, the router might not respond to any show chassis commands for up to five seconds. [PR/78695]
• On some J-series Services Routers, when you press the F10 key to save and exit from BIOS configuration mode, the operation might not work as expected. As a workaround, use the "Save and Exit" option from the "Exit" menu. This issue affects J4350 and J6350 routers with BIOS Version 080011 and J2320, and J2350 routers with BIOS Version 080012. [PR/237721]
• On some J-series Services Routers, the Clear NVRAM option in BIOS configuration mode does not work as expected. This issue affects J4350 and J6350 routers with BIOS Version 080011, and J2320 and J2350 routers with BIOS Version 080012. To help mitigate this issue, keep records of any changes you make to the BIOS configuration, so that you can revert to the default BIOS configuration as needed. [PR/237722]
• If the Juniper-Firewall-Attribute attribute in a RADIUS server configuration file names a policer that sets a bandwidth limit for Layer 2 Tunneling Protocol (L2TP) sessions but not an exclude-bandwidth limit, the bandwidth limit might not be set correctly. [PR/254503]
• In JUNOS Release 9.1, a license feature was introduced for all CE platforms. As a result, on M120 routers (a designated CE platform) whenever you configure L2TP sessions and tunnels with RADIUS authentication, the following message might be displayed: “profile user1 { ## ## Warning: requires 'subscriber-authentication' license ## authentication-order radius; }.” In the system log, the following message might appear: “regress@turkey# Apr 1 16:13:22 turkey alarmd[4669]: Alarm cleared: License color=YELLOW, class=CHASSIS, reason=Per Subscriber Radius Authentication usage requires a license Apr 1 16:13:22 turkey alarmd[4669]: LICENSE_EXPIRED: License for feature subscriber-authentication(31) expired.” This has no effect on the generation of the L2TP tunnels and sessions. [PR/277424]
• If a large number of BGP authentication sessions (for example, 400) are configured in a VRF instance, the following message is written to the system log when the configuration is committed: “keyadmin[pid]: dump_assn: posting additional read.” There is no operational impact. [PR/295407]

Subscriber Access Management

• The router's address-assignment pool support enables you to create a named address range that is based on a specific DHCP option 82 value (either circuit-id or remote-id). However, when a client request is received, the router ignores the specified option 82 value and instead uses the first named range of addresses in the address-assignment pool. [PR/263077]

Routing Protocols

• When you include the as-path atomic-aggregate statement at the [edit routing-options aggregate defaults as-path] hierarchy level to manually add the ATOMIC_AGGREGATE attribute on a BGP AS path, the attribute is not added. [PR/2527]
• When you issue the mtrace command from a UNIX client, the router does not respond to a query that requires multicast response, but responds correctly to any query that requires unicast response. As a result, the first two probes time out. The third probe is the unicast response probe, which usually succeeds. [PR/17237]
• The CLI allows you to commit a configuration that specifies a value higher than 32 for the metric statement at the [edit protocols dvmrp interface all] hierarchy level, but values higher than 32 are invalid. [PR/33429]
• If a router receives a Pragmatic General Multicast (PGM) Source Path Message (SPM), it does not create a forwarding cache, nor does it forward the message to other routers as a heartbeat, as specified in RFC 3208. Also, the router’s multicast cache might time out if it does not receive actual PGM data (ODATA) for more than 6 minutes. As a workaround, configure the PGM source application to send PGM ODATA at least once every 6 minutes. The ODATA acts as the heartbeat message in lieu of the SPM messages and ensures that the multicast and forwarding caches are created and updated. [PR/37504]
• The configurable range for the lsp-interval knob does not match the values in the online documentation available via the help reference command. [PR/41613]
• The bgpM2PrefixInPrefixesAccepted MIB object counts only the active routes; it should also count inactive routes that are eligible to become active. [PR/41975]
• When you configure damping globally and use the import policy to prevent damping for specific routes, and a new route is received from a peer with the local interface address as the next hop, the route is added to the routing table with default damping parameters, even though the import policy has a nondefault setting. As a result, damping settings do not change appropriately when the route attributes change. [PR/51975]
• If a BGP group is created without any defined peers, a warning message appears when the configuration is committed. [PR/63279]
• When you issue the show ldp traffic-statistics command, the following system log message might be generated for all forwarding equivalence classes (FECs) with an ingress counter set to zero: "send rnhstats GET: error: ENOENT -- Item not found." [PR/67647]
• If ICMP tunneling is enabled on the router and you configure a new logical router that does not have ICMP tunneling enabled, the feature is globally disabled. [PR/81884]
• When the flow of multicast traffic changes because an OSPFv3 link goes down, the output from the show multicast statistics inet6 command reports incorrect values in the In kbytes and In packets fields for the new ingress interface. [PR/234969]
• When you commit a new configuration for nonstop routing (NSR) on a primary Routing Engine that differs from the configuration for NSR that is already running on the backup Routing Engine, the routing protocol process stops functioning on the backup Routing Engine only. Traffic forwarding is not affected. [PR/254379]
• The address for the flow route is terminated at 348 characters. It is a cosmetic issue and affects the flow route output from the show route command. [PR/273385]
• On a J-series router, when traffic is actively shaped, Bidirectional Forwarding Detection protocol (BFD) sessions might flap. [PR/293285]
• On a router with dual Routing Engines and NSR configured backup, RPD may crash in very rare scenarios while processing an indirect next-hop delete. This crash should not affect any functionality. [PR/302731]
• When more than one external path originates from the same autonomous system (AS), the JUNOS software does not comply with the RFC 5004 path selection algorithm. [PR/392819]
• When you configure the BFD event flag trace option, the backup Routing Engine might report a "down -> down" event repeatedly and fill up the trace file. As a workaround, disable the use of BFD trace options to prevent excess disk usage. [PR/405022]
• When rapid configuration commits occur for a certain type of configuration changes with Nonstop Routing configured, rpd may stop consuming further configuration changes with the message "SIGHUP while previous commit isn't yet complete". Note: Release note not applicable to releases 9.3 and later because they contain the fix. [PR/405761]
• If you redistribute a default route or other labeled unicast FEC with the “discard” or “reject” action into BGP and enable traffic statistics at the [edit protocols bgp family inet labeled-unicast] hierarchy level, the routing protocol process (rpd) might dump core and FECs might be logged with a value of 0. As a workaround, change the next-hop action to any valid IP destination. [PR/407546]

MPLS Applications

• If you configure a label-switched path (LSP) with the no-cspf statement at the [edit protocols mpls] hierarchy level, the LSP might cycle up and down several times before stabilizing. [PR/10415]
• If a cross-connected circuit (CCC) traverses a forwarding-adjacency label-switched path (LSP), traffic forwarding might be affected. [PR/60088]
• RSVP graceful restart does not function for LSPs that have a forwarding adjacency (FA) label-switched path (LSP) as a next hop. [PR/60256]
• When you enable per-packet load balancing on parallel label-switched paths (LSPs), the output of the show mpls lsp ingress command might display all the routes on only one of the LSPs even when traffic is evenly balanced across the LSPs. [PR/70487]
• An error in the Constrained Shortest Path First (CSPF) software might cause the routing protocol process (rpd) to generate a core file and stop operating. [PR/103777]
• When there are more than five link-protected or node-link-protected LSPs to the same destination and per-packet load balancing is enabled, some bypass next-hops might not be part of the active route. This can occur after a primary link goes down and comes back up. [PR/259219]
• After some types of network events (for example, when an interface goes down and comes back up), LDP routes might be removed incorrectly from the inet.3 routing table. As a workaround, restart all LDP sessions. [PR/297144]
• On M- or T-series routers, configuration changes to some attributes of a standby secondary path of a MPLS label-switched path (LSP) might cause the LSP to flap and create some packet loss. [PR/394184]
• If an RSVP LSP configured with LDP tunnels initiates auto bandwidth adjustments, LDP might fail to send keepalive messages, which could trigger LDP session flap as a result of the hold-down timer expiration. As a workaround, increase the LDP keepalive-timeout value at the [edit protocols ldp] hierarchy level from the default (30 seconds) to 90 seconds. [PR/407707]

VPNs

• When you modify the frame-relay-tcc statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level of a Layer 2 VPN, the connection for the second logical interface might not come up. As a workaround, restart the chassis process (chassisd) or reboot the router. [PR/32763]
• Traffic might not flow when an ATM interface is used as the access circuit on an M120 router. [PR/255160]
• When you include the load-balance bandwidth statement at the [edit protocols rsvp] hierarchy level for a router with two LSPs to a destination, the balance coefficient is set to zero for the next-hop interfaces in the MPLS forwarding table entry for the route to the destination that is marked with "(S=0)." (In other words, in the output from the show route forwarding-table family mpls extensive command, the record with the header "Destination: <index>(S=0)" has "Next-hop interface" entries for which the "Balance" field does not appear.) [PR/257570]
• Nonstop active routing (NSR) for VPLS does not support interprovider topologies using the BGP-labeled unicast address family. The related VPLS label state is not replicated on the backup Routing Engine, leading to loss during a nonstop active routing event. [PR/283691]
• When an LSP switches from a primary path to a bypass path, Layer 2 circuits might flap, causing packet loss. [PR/309085]

High Availability

• When you issue the show chassis ethernet-switch statistics command on a routing platform with graceful Routing Engine switchover enabled (GRES), the two Routing Engines might be unable to exchange information for about 2 seconds. [PR/233779]
• On a router with dual Routing Engines and nonstop active routing (NSR) enabled, if you perform a commit synchronize operation when the backup Routing Engine is not available, routing protocol sessions might not be reestablished. To expedite protocol synchronization, issue the restart routing command on the backup Routing Engine when it comes up. [PR/277993]

Class of Service

• If you deactivate or activate an aggregated Ethernet interface, the Packet Forwarding Engine might report errors. [PR/50090]
• When a logical tunnel (lt) interface is the outbound interface, JUNOS software does not support the IEEE 802.1p rewrite rule. [PR/55903]
• If you try to configure a scheduler map containing two forwarding classes that are mapped to the same queue, the class-of-service scheduler is not applied to the Packet Forwarding Engine. As a workaround, configure a single forwarding class for each available queue. [PR/57907]
• On M-series routers connected by VLAN circuit cross-connects (CCCs) and configured with class of service (CoS), when explicit forwarding (EF) traffic is generated from the ingress customer edge router (CE1) to the egress customer edge router (CE2), the ingress provider edge router (PE1) properly marks the packets with default EXP bits and sends the packets out queue 1, but the intermediary core router forwards all traffic through queue 0 instead of sending it through the EF queue. As a workaround, include the no-control-word statement at any of the following hierarchy levels: [edit logical-routers logical-router-name protocols l2circuit neighbor address interface interface-name], [edit protocols l2circuit neighbor address interface interface-name], [edit logical-routers logical-router-name routing-instances routing-instance-name protocols l2vpn], or [edit routing-instances routing-instance-name protocols l2vpn]. [PR/65280]
• When you configure a specific classifier for a logical unit, it does not override the fixed classifier configured using wildcards. [PR/68888]
• If you configure CoS traffic control profiles on every logical interface by using the '*' wildcard to represent the interfaces, the configuration cannot be committed. In other words, the commit fails if you include the input-traffic-control-profile and output-traffic-control-profile statements at the [edit class-of-service interfaces type-fpc/pic/port *] hierarchy level. [PR/100690]
• On M320 and T-series routing platforms, if you map multiple forwarding classes to the same queue (specifying the same value for the queue-num statement at the [edit class-of-service forwarding-classes class class-name] level for multiple classes) and then include the multiple classes in one scheduler map (by including the forwarding-class statement for each one at the [edit class-of-service scheduler-maps map-name] hierarchy level), the commit operation fails with the message “Total bandwidth allocation exceeds 100 percent for scheduler-map.” [PR/103370]
• On M120, M320, and MX-series routers, if the value set by the transmit-rate statement at the [edit class-of-service schedulers scheduler-name] hierarchy level is larger than the value set by the buffer-size statement at that level, forwarding latency is greater than expected. [PR/233213]
• On MX-series routers, when you configure VPLS over an LSI interface, classification does not work on the egress PE router for traffic flowing from the core of the network to the egress CE router. [PR/240777]
• If you configure the tri-color statement at the [edit class-of-service] hierarchy level, the drop counters for the show interfaces queue command appear to not work for the medium-high (yellow) priority traffic and the low (green) priority traffic. The drop counter for the high-priority traffic (red) functions normally. [PR/258499]
• In JUNOS Release 8.4 and later, the commit or commit-check operation fails if a rewrite rule is defined both at the [edit class-of-service interfaces interface-name unit logical-unit-number rewrite-rules] hierarchy level and in a configuration group (defined at the [edit groups] hierarchy level) that is applied to that interface. The correct behavior is for the directly applied rule to override the rule inherited from the configuration group. [PR/261229]
• On MX960 platforms, bandwidth sharing across high priority and strict-high priority schedulers might not be as expected. This issue occurs when the schedulers are configured on logical interfaces. [PR/265603]
• CoS rewrite rules changes are not applied to active multicast streams. Only new multicast streams use the modified configuration. As a workaround, clear all active multicast streams after the changes have been applied. [PR/266341]
• The output from the show class-of-service interface command includes the Input scheduler map field even when you configure egress-only mode for the PIC that houses the interface (by including the mode egress-only statement at the [edit chassis fpc slot-number pic slot-number traffic-manager] hierarchy level). [PR/275038]
• On J-series Services Routers, MLPPP bundles with congested member links on which fragmentation is active might interfere with other bundles within the same system and trigger high latency or packet drops. As a workaround, configure the shaping rate on the bundle with fragmentation enabled to avoid flow control from the member link. [PR/281985]

Forwarding and Sampling

• On M320 and T-series routing platforms, when you configure interface output sampling, packets sometimes might travel through the output firewall. As a workaround, configure a firewall filter on the output interface with then sample and then next-term statements. The workaround provides the same functionality as the other configuration, but avoids the problem behavior. [PR/70473]
• On MX-series routers running JUNOS Release 8.4 and later, entries in the MAC address table expire three times faster than on MX-series routers running JUNOS Release 8.3 and earlier, and on M-series and T-series routing platforms running any release of the JUNOS software (including JUNOS Release 8.4 and later). To configure the correct effective value on MX-series routers running JUNOS Release 8.4 and later, specify a value for the mac-table-aging-time statement at the [edit protocols l2-learning] hierarchy level that is three times the desired value. For example, if you want the expiration time to be 15 seconds, specify 45 seconds. [PR/241485]
• On an M320 router with mixed FPCs installed, the Packet Gateway Control Protocol process (pgcpd) fails to retrieve filter counters. [PR/284637]
• Under the conditions specified in the following sentence, this message might be written to the system log: "rts_cos_get_shaping_rate_for_ifl(): Entry not found for IFL <index> in cos ifl table." The conditions are: (a) you configure interface-specific input and output filters that contain logical bandwidth policers (include the logical-bandwidth-policer statement at the [edit firewall policer policer-name] hierarchy level, and both that policer and the interface-specific statement at the [edit firewall family family filter filter-name term term-name then] hierarchy level), (b) you apply the filters to an interface (include the input filter-name and output filter-name statements at the [edit interfaces interface-name unit logical-unit-number family family filter] hierarchy level), (c) you apply a traffic control profile to the interface (include the profile-name statement at the [edit class-of-service traffic-control-profiles] hierarchy level and the output-traffic-control-profile profile-name statement at the [edit class-of-service interfaces interface-name] hierarchy level), and (d) the router receives host-bound packets or IP option packets. As a workaround, include the shaping-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level. [PR/314292]

Network Management

• The following groups of MIB objects do not segregate the data they return according to the routing instance specified in an SNMP request: vrrpMIB, jnxCosIfqStatsTable, jnxCosQstatTable. [PR/63045]

Resolved Issues

Platform and Infrastructure

• If you configure a large number of MD5 authentication keys for BGP sessions, and then deactivate and reactivate the keys, the router might generate a commit error and MD5 authentication might not be applied on some of the BGP sessions. [PR/238960: This issue has been resolved.]
• When you issue the file copy command with an FTP path as the source or destination and include the source-address option, the specified source address is not used for establishing a connection with the peer FTP server. [PR/240580: This issue has been resolved.]
• On MX platforms using Routing Engine-based sampling, when samples are sent from the Packet Forwarding Engine to the Routing Engine over certain interfaces, the interface Input/Output index and next-hop address are set to 0. The following interfaces are affected: ge-x/0/y, ge-x/1/y, xe-x/2/0, and xe-x/3/0. It is not possible in this case to match on the interface index to retrieve data from the NetFlow collector. [PR/286089: This issue has been resolved.]
• When you configure a static route on an unnumbered link, it causes the router to reset; even rebooting does not help. You must remove the static route configuration to restore stability to the router. [PR/301732: This issue has been resolved.]
• When a line containing more than 1405 characters is pasted from a console configured with the load merge terminal option, the pasting process might stop after the first 1405 characters are shown. [PR/304956: This issue has been resolved.]

• The maximum number of active security services flows on a J-series Services Router for each platform and memory allotment is as follows:

  • J2320 router with 512 MB: 20,000 flows
  • J2320 router with 1 GB: 45,000 flows
  • J2350 router with 512 MB: 30,000 flows
  • J2350 router with 1 GB: 50,000 flows
  • J4300 router with 512 MB: 20,000 flows
  • J4300 router with 512 MB: 20,000 flows
  • J6300 router with 512 MB: 20,000 flows
  • J6300 router with 1 GB: 45,000 flows
  • J4350 router with 512 MB: 40,000 flows
  • J4350 router with 1 GB: 60,000 flows
  • J6350 router with 512 MB: 40,000 flows
  • J6350 router with 1 GB: 65,000 flows
  • J6350 router with 2 GB: 75,000 flows
  These are the system maximum values. If you include the max-flows statement for a service set, the other service sets share whatever is left from the system maximum value. The sum of the max-flows values for individual service sets cannot exceed the global maximum value. If the configured total exceeds this value, the max-flows value for the last configured service set is truncated and a warning message is logged. [PR/305350: This issue has been resolved.]
• When a PE router receives a PIM Join message from a CE router and the source for the required multicast data is another directly connected CE router, the attempt to create a flood next hop might initially fail. Messages including the following are written to the system log: "NH: Failed to install flood nexthop: <index>." The next hop is eventually installed, so there is no operational impact. [PR/307579: This issue has been resolved.]
• On MX-series and M120 routers, and M320 routers with an Enhanced III FPC, if the configuration includes the explicit-null statement at the [edit protocols mpls] or [edit protocols ldp] hierarchy level, a DPC or FPC might reboot (but not generate a core file) when an MPLS packet with time-to-live (TTL) equal to 0 (zero) or 1 (one) is processed at the egress of a tunnel. [PR/313319: This issue has been resolved.]
• When an IPv6 BGP peer becomes unreachable, raw IPv6 packets might be forwarded without the correct Layer 2 encapsulation over an Ethernet connection. [PR/314629: This issue has been resolved.]
• When the Routing Engine hard disk fails, the compact flash might be removed from the list of media used at boot time, instead of the hard disk being removed. In some cases, this makes the Routing Engine unable to initialize. [PR/389540: This issue has been resolved.]
• The output from the traceroute command includes both the IP address and DNS hostname of each hop. The hostname information might be incorrect for one or more hops. [PR/389794: This issue has been resolved.]
• During recovery after the Routing Engine hard drive fails, the JUNOS kernel might fail, causing the router to reboot. [PR/390306: This issue has been resolved.]
• When a member link of an aggregate interface goes down and comes back up and new forwarding information is installed during that change-in-status period, traffic might be lost. [PR/392550: This issue has been resolved.]
• On T-series routing platforms with aggregated SONET/SDH interfaces, if multiple statistics requests for these interfaces are queued at the same time, a memory corruption might occur, causing the kernel to reset unexpectedly. [PR/393572: This issue has been resolved.]
• In an MPLS Layer 3 VPN network, the traceroute command does not return a valid result (it returns three asterisks [* * *] instead) for the hop between two routers when their configuration includes both of the following features: (a) per-packet load balancing (the load-balance per-packet statement is included at the [edit policy-options policy-statement policy-name then] hierarchy level and that policy-name statement is included at the [edit routing-options forwarding-table] hierarchy level), and (b) multiple equal-cost paths between the routers (for example, when the encapsulation frame-relay statement is included at the [edit interfaces interface-name] hierarchy level for a SONET/SDH interface and the same address is specified for more than one of its logical interfaces at the [edit interfaces interface-name unit logical-unit-number family family address] hierarchy level). [PR/396280: This issue has been resolved.]
• On M120 and MX-series routers, and on some FPCs on M320 routers, the Packet Forwarding Engine might not free memory correctly during operations on multicast next hops. [PR/396903: This issue has been resolved.]
• When you have configured the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level for a VRF routing instance, IPv4 and IPv6 MTU error notification is not handled properly. On M320, routers with an incoming FPC as SFPC and an outgoing FPC as FFPC, large IPv6 packets are not detected and discarded properly.[PR/397334: This issue has been resolved.]
• On a T1600 routing node, an FPC might stop operating while processing an ICMP TTL expiration packet. Such packets increment the count in the ttl expired field of the output from the show pfe statistics ip icmp command. [PR/398059: This issue has been resolved.]
• On T640 and T1600 routing platforms with the Enhanced Scaling FPC4, errors like the following might be written to the system log: "<x> new errors (mtu error) in HDRF,lout_hdrf_poll_stats," "Error (code: 30, type:Minor) encountered, cmalarm_passive_alarm_signal," and "1 new errors in SLout OP." There is no operational impact. [PR/399258: This issue has been resolved.]
• When you install an FPC in all eight slots on a T1600 routing node configured for graceful Routing Engine switchover (the graceful-switchover statement is included at the [edit chassis redundancy] hierarchy level), the routing node might reboot repeatedly. As a workaround, disable GRES or remove one FPC. [PR/400267: This issue has been resolved.]
• When you configure per-packet load balancing, outgoing traffic is being dropped on T640 routers. The problem is exacerbated if you have configured two PFE instances. [PR/402031: This issue has been resolved.]
• On MX routing platforms, when igmp-snooping is enabled in a VPLS instance, a vpls interface flap may cause a DPC to unexpectedly restart. [PR/405136: This issue has been resolved.]
• The traffic class byte is set to 0x00000000 in the header of some BGP packets sent between interfaces that have IPv6 addresses, instead of the correct setting 0xc0 (INTERNETCONTROL). [PR/406802: This issue has been resolved.]
• On MX platforms with JUNOS Release 9.1R1 or later when traffic is sent to a router with the 802.1p value set to 2 or Source Class Usage (SCU) configured, the packets can be discarded at PFE. [PR/414491: This issue has been resolved.]

Layer 2 Ethernet Services

• On MX-series routers, access ports configured for VSTP (the interface <interface-name> statement corresponding to the port is included at the [edit protocols vstp] hierarchy level) might not interoperate properly with other vendors' switches. [PR/390026: This issue has been resolved.]
• On an MX-series router configured for VRRP for IPv6, during a mastership change the original master does not relinquish mastership, with the result that both it and the original backup are reported as master in the VR state field of the output from the show vrrp summary command. [PR/398399: This issue has been resolved.]
• In some cases l2cpd-service restart may be required for VSTP on access ports to be operational. [PR/413919: This issue has been resolved.]

User Interface and Configuration

• When you issue the request system (halt | power-off | reboot) other-routing-engine lcc routing-node-index command on a TX Matrix platform, the requested operation is performed on the TX Matrix platform instead of the specified routing node (line-card chassis, or LCC). As a workaround, issue the command on the routing node itself (without the lcc option). [PR/241274: This issue has been resolved.]
• Under certain conditions, when you issue the show configuration | compare command the management process (mgd) might generate a core file. [PR/281705: This issue has been resolved.]

Interfaces and Chassis

• In the output from the show interfaces extensive command, the count of REI-P errors in the SONET path section is incorrect when the RDI-P error also appears in the SONET defectsfield. [PR/256049: This issue has been resolved.]
• On MX-series routers, when a DPC configured with a large number of interfaces restarts, the chassis process (chassisd) might write the following messages to the log: "failed to complete channel bonding" and "reached link 5 max index value." [PR/292057: This issue has been resolved.]
• When only one Routing Engine is installed in an M120 router, on the craft interface the LEDs for the power supplies never light up. Similarly, in the PS LEDs section of the output from the show chassis craft-interface command, there is a period in all four fields (indicating that no LEDs are lit). [PR/302504: This issue has been resolved.]
• When the links in a redundant LSQ bundle are not configured at the remote site, if a graceful Routing Engine switchover occurs and then a primary or secondary LSQ PIC goes offline, the backup Routing Engine might generate a core file. [PR/306667: This issue has been resolved.]
• For SONET/SDH interfaces, when the hold-time statement is included at the [edit interfaces so-<fpc>/<pic>/<port>] hierarchy level and you change the framing type from the default (SONET) to SDH by including the framing sdh statement at the [edit interfaces so-<fpc>/<pic>/<port>] hierarchy level, the interface does not come up after the commit operation. As a workaround, deactivate the hold-time statement before changing the framing. [PR/306687: This issue has been resolved.]
• The 1-port ATM2 OC48/STM12 IQ PIC might generate an RDI-P error when it receives a packet in which the bits corresponding to the enhanced path-RDI encoding of the G1 path overhead byte are set, even if the formal path-RDI bit within the G1 path overhead byte is not set. [PR/309929: This issue has been resolved.]
• When the Routing Engine requests numerous statistics that surpass a set boundary, "PFEMAN: Couldn't write..." messages might be logged and DPC core dumps might be produced. [PR/311831: This issue has been resolved.]
• On aggregated Ethernet interfaces configured for LACP (the lacp statement is included at the [edit interfaces ae<x> aggregated-ether-options] hierarchy level), if you deactivate one of the interfaces in the aggregate, multicast traffic might not be detoured as expected. [PR/313617: This issue has been resolved.]
• On a router with dual Routing Engines, if the hard disk is inoperable or missing on the backup Routing Engine, no chassis alarm is set (visible in the output of the show chassis alarms command), nor is an SNMP trap or system log message generated. The only indication is a line like the following in the output from the show system boot-messages command: "ad<x>: not attached, missing in Boot List." [PR/392837: This issue has been resolved.]
• On an OC768-over-OC192 mode on the 4-port OC192c PIC, when you change the clocking internal statement to clocking external at the [edit interfaces interface-name] hierarchy level, the clock may not come up. [PR/395847: This issue has been resolved.]
• AE bundle stats (monitor interface traffic) on T640 goes to high value when FPC is offlined. No issue with TX. [PR/399451: This issue has been resolved.]
• When Multilink Frame Relay encapsulation is configured on an interface (the encapsulation multilink-frame-relay-uni-nni statement is included at the [edit interfaces <interface-name>] hierarchy level), the kernel might generate a core file. [PR/408066: This issue has been resolved.]
• A DPC can crash if a 10–Gigabit Ethernet interface is connected to faulty optics. The faulty optics can cause the link state to change at a very high rate which results in an interrupt storm hogging the DPC CPU. [PR/411072: This issue has been resolved.]

Services Applications

• The issue arises when you configure the NAT match-direction output statement and attach it to a interface-style service set on an egress interface. When you explicitly configure forward and backward rules for a NAT service set, an ICMP fragmentation-needed message is not sent and the traffic is dropped without notification. If the backward rule is not configured and is left implicit, this problem is not seen. An explicit backward rule causes the ICMP error packet to be handled as a new flow. As a workaround, do not explicitly configure backward rules unless they are absolutely necessary. [PR/238215: This issue has been resolved.]
• Input packet counters do not increment for IPSec packets on an AS or MultiServices PIC (sp interface) over a multilink bundle. [PR/314456: This issue has been resolved.]
• Network address translation (NAT) is not performed correctly for Real-Time Streaming Protocol (RTSP) methods when the Content-Length field is set to 0 (zero). [PR/393171: This issue has been resolved.]

General Routing

• On the TX Matrix, in JUNOS releases 9.1 and later, use of generate in routing-options stanza with a reference to a policy results in a commit not completing successfully on TX Matrix. This issue is fixed in JUNOS releases 9.1 and later released after January 22nd 2009. Even with this fix, knobs instance-export and intsance-import under routing-options for TX are not to be used. [PR/416380: This issue has been resolved.]

Routing Protocols

• When routes are exported into OSPF and then OSPF is deactivated, the routing protocol process (rpd) might generate a core file and stop operating. [PR/232362: This issue has been resolved.]
• When you enable PIM on an unnumbered Ethernet interface, the routing protocol process (rpd) might restart as a result of an address error. [PR/295377: This issue has been resolved.]
• When an IPv6 duplicate address is detected, the interface stops forwarding but ISIS and OSPF3 continue to announce the interface as a valid route. However, the address is unreachable and all traffic destined to or through the interface is dropped. [PR/296740: This issue has been resolved.]
• On a router with dual Routing Engines that is configured for nonstop active routing (NSR) and graceful Routing Engine switchover, if the backup-router or inet6-backup-router statement is included at the [edit system] hierarchy level, the static route to the backup destination is not deleted on the backup Routing Engine when you activate nonstop routing. [PR/305597: This issue has been resolved.]
• An uninitialized nex-thop data structure can lead to a RPD crash. There is no workaround. [PR/388995: This issue has been resolved.]
• If the source address for IPv6 multicast traffic is resolved by a static route, information about an upstream neighbor might not be updated after a graceful Routing Engine switchover event (the value unknown appears in both the Upstream interface and Upstream neighbor fields in the output from the show pim join extensive command). [PR/389856: This issue has been resolved.]
• When a PE router receives an external LSA of type 7 (NSSA) that has a matching VPN tag or has the DN (down) bit set, it nevertheless includes the advertised route in its OSPF route calculation. According to RFC 4576, it must ignore such routes. [PR/391733: This issue has been resolved.]
• On a router configured for nonstop active routing (NSR), when you apply a BGP import policy and issue the clear bgp neighbor <address> soft command to reset BGP, the policy does not take effect. (In terms of configuration statements, the nonstop-routing statement is included at the [edit routing-options] hierarchy level and the import <policy-name>statement at the [edit protocols bgp group <group-name> neighbor <address>] hierarchy level.) As a workaround, either disable nonstop routing or issue the clear bgp neighbor <address> command without the soft option, which forces BGP peers to reestablish their sessions. [PR/396291: This issue has been resolved.]
• When two BGP peers establish a session, they negotiate the hold time to use for keepalive messages. If one of the peers uses a nondefault hold-time value (that is, the hold-time statement is included at the [edit protocols bgp group <group-name>] hierarchy level in its configuration), and either of the peers goes down immediately after the session is established, the hold timer incorrectly expires after the default interval instead of the negotiated interval. [PR/396823: This issue has been resolved.]
• If the route to a multicast source address is learned using BGP and the upstream interface goes down, PIM might not detect the outage. As a consequence, the value unknown appears in the Upstream interface and Upstream neighbor fields of the output from the show pim join extensive command. [PR/397410: This issue has been resolved.]
• If you specify an IPv6 address as a value for the ssm-groups statement at the [edit routing-options multicast] hierarchy level, the SSM group does not work as expected. As a workaround, specify only IPv4 addresses. [PR/399352: This issue has been resolved.]
• If PIM sources are accessed via different addresses on the same neighbor, and PIM is deactivated and reactivated on the neighbor, the Upstream interface and Upstream neighbor fields of the output from the show pim join extensive command continue to report the value unknown after the neighbor is active. [PR/400573: This issue has been resolved.]
• When you enable distributed periodic packet management (by including the delegate-processing statement at the [edit routing-options ppm] hierarchy level), BFD packets are transmitted on a queue other than queue 3 (queue 0 or 4 depending on the JUNOS version). If system load allows it, disable distributed PPM as a workaround. [PR/400907: This issue has been resolved.]
• When you issue the show ospf database advertising-router command and a NULL argument is passed to the command, the routing protocol process (rpd) might stop operating. [PR/401437: This issue has been resolved.]
• If GRES is not enabled and on a Routing Enging switchover, the rpd on the new backup Routing Engine will quit before cleaning up the forwarding table. [PR/402372: This issue has been resolved.]
• When you issue the mtrace <source> command and the route to the source is defined in the routing table for a PIM nonforwarding instance (that is, not in the main instance table, inet.0), the command fails with the following messages: "...giving up" and "Timed out receiving responses." [PR/403033: This issue has been resolved.]
• When peers in different BGP peer groups have similar export policies such that identical advertisements are sent, the routing protocols process (rpd) might generate a core file and become unresponsive when the backup Routing Engine comes online. [PR/404471: This issue has been resolved.]
• When certain statements are included at the [edit protocols bgp group <group-name>] hierarchy level, the routing protocols process (rpd) might generate a core file and stop operating in some circumstances. [PR/404667: This issue has been resolved.]
• Aggregate routes with a large number of contributing members can cause the routing protocol process (rpd) to monopolize the CPU constantly with frequent routing changes. However this condition applies only when you configure a policy with the aggregate-contributor match condition. [PR/405499: This issue has been resolved.]
• When changing from static/ospf/isis route load balancing to bgp load balancing with multipath enabled, the routes may not be load balanced correctly until the bgp session is restarted. [PR/407925: This issue has been resolved.]
• PIM mistakenly prefers a more specific hidden route over an active less specific route as the RPF route to the MCAST source. [PR/41138: This issue has been resolved.]]

MPLS Applications

• When both CSPF and link protection are enabled, in rare instances the routing protocol process (rpd) might generate a core file and restart. [PR/266126: This issue has been resolved.]
• If an ingress LSP detects a routing loop (reported as 'Routing loop detected [number times]' in the output from the show mpls lsp name lsp-name extensive command), it might stop handling traffic. [PR/293686: This issue has been resolved.]
• When a CCC comes back up after an interruption of network connectivity, MPLS routing table does not record the label change for CCC appropriately, and traffic is not sent through the CCC connection. [PR/306043: This issue has been resolved.]
• Without a fix, MPLS will keep increasing and cause a memory leak. [PR/390381: This issue has been resolved.]
• On M-series and T-series routing platforms, if a node-link protected LSP with multiple paths experiences an LSP switchover, traffic loss might occur. [PR/392406: This issue has been resolved.]

VPNs

• The time-to-live (TTL) threshold value is not propagated correctly for VPNs that use IPv6 addresses. This might cause multiple entries for the same address in the output from the tracerout command. [PR/257497: This issue has been resolved.]
• rpd might crash when the pim rpf update runs while the system trying to access the rpf or neighbor info which has been deleted. [PR/290849: This issue has been resolved.]
• If you take a PIC offline that hosts a large number (for example, 1000) of CE-facing interfaces in a Layer 2 VPN, the routing protocols process (rpd) might generate a core file. [PR/300601: This issue has been resolved.]
• When a logical tunnel (lt-) interface forwards a multicast packet, it incorrectly sets the destination MAC address. [PR/304516: This issue has been resolved.]

High Availability

• If there are static routes configured under the [rouing-options] hierarchy level pointing to discard interface and if GRES is also configured on the router, the kernel database may not synchronize with the backup routing engine after a GRES switchover is done. Due to which, output of the show system switchover command on the backup routing engine will show "connection error". [PR/399888: This issue has been resolved.]
• When combining two sonet interfaces into an aggregate sonet bundle class-of-service, rewrite rules may not be correctly applied to the aggregate bundle member links. This is seen if a single commit is performed to activate sonet-options and deactivate an existing logical unit. [PR/417943: This issue has been resolved.]

Class of Service

• When class-of-service routing-instances is configured, you may see a cosd memory leak of approximately 1 kilobyte on each commit. A workaround for this issue is to deactivate the class-of-service routing-instances stanza in the configuration. [PR/285249: This issue has been resolved.]

Forwarding and Sampling

• A flow route is assigned an internal identifier that captures the values of all match conditions specified at the [edit routing-options flow route route-name match] hierarchy level. If the length of the identifier exceeds a certain limit, the MIB II process (mib2d) might repeatedly generate a core file and fail to restart. The higher the number of match conditions, and the more values specified for conditions that accept multiple values (such as the destination-port and source-port statements), the more likely the problem is to occur. As a workaround, limit the number of conditions or values or both. [PR/273373: This issue has been resolved.]
• If a prefix list specified at the [edit firewall family inet6 filter filter-name term term-name from source-prefix-list] hierarchy level includes an IPv4 address, the commit operation fails with the following message: "Invalid inet6 addr: 'ipv4-address/prefix-length'." [PR/310299: This issue has been resolved.]