Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases.

For the most complete and latest information about known Junos OS defects, use the Juniper online Junos Problem Report Search application.

Resolved Issues: Release 14.1X53-D46

Authentication and Access Control

  • EX4200: Captive-portal redirection URL not working for 36th interface. PR1217743

Firewall Filters

  • QFX5100/EX4600: Traffic might be impacted if the last filter term is ended with reject action and is applied to lo0 interface. PR1245210
  • On QFX5100 switches, if a term with the policer action is configured, dc-pfe: list_destroy() messages might be displayed on commit. PR1286209

High Availability (HA) and Resiliency

  • On EX4300 Virtual Chassis, pfex might restart while doing master reboot or during nonstop software upgrade (NSSU) if the old master reboots at the end of NSSU phases. PR1258863

Infrastructure

  • Routing Engine (RE) boots up as a line card and needs 10 minutes to obtain RE role again. PR1225696
  • jdhcpd core-dump on EX4300VC. PR1243962
  • DHCP option 2 does not work when the switch is configured as a DHCP server. PR1252437
  • EX8200 might put the wrong source MAC address. PR1262968
  • The packets with certain UDP destination port might be dropped on EX Series Virtual Chassis except EX4300/EX4600/EX9200-VC. PR1262969
  • No space in an EX8200 line card to save pfem core dumps. PR1263024
  • On EX4300/EX4600/QFX5100/QFX3500/QFX3600 platforms, with DHCP relay traffic flowing, CPU usage of pfex_junos might go high. The issue might be seen if DHCP relay function is on and DHCP relay packets are received continually. PR1276995

Interfaces and Chassis

  • Unexpected error message might be seen after commit. PR1119713
  • The PFE might coredump on EX4300. PR1214727
  • EX4550-32T: Traffic black hole on 1G link while EX4550-32T is booting up. PR1257932
  • For EX Series switches, in a rare condition (for example: reboot or reloading configuration), the MAC address of an AE interface and its member links might be inconsistent, causing unexpected behavior for some routing protocols. PR1272973
  • On EX Series and QFX Series platforms on which MC-LAG with IPv6 is supported, the l2ald memory might leak for every IPv6 ND (Neighbor Discovery) message it receives from a peer MC-LAG and it does not free the memory allocated, causing l2ald memory exhaustion and an l2ald process crash. PR1277203
  • Starting from Junos OS 15.1R3, the 40G link with SR4 transceivers on EX4550 device will fail to come up after a PIC offline/online event or a link UP and DOWN event. PR1281983
  • On EX4600/QFX3500/QFX3600/QFX5100 switches, if an interface is configured with 100m speed explicitly and no-auto-negotiation, the interface might be down after reboot. PR1283531

MPLS

  • QFX5100/EX4600: Stale MPLS label entries might exist on MPLS table in PFE after deleting or disabling the underlying interface of IRB/AE interface. PR1243276

Multicast Protocols

  • Multicast traffic is black-holed when the master reboot is done on a QFX5100 or EX4600 Virtual Chassis. PR1164357
  • On QFX5100/EX4600, receiving malformed PIM Hello packets can cause 24-byte memory leaks. PR1224397
  • On EX4300 switch, if igmp-snooping is configured, the IGMP leave packet might be flooded to all ports (including the receive port) in the VLAN. PR1228912
  • On EX4300 switches, certain multicast traffic might impact the network, for example, cause OSPF to flap. Issues might occur when multicast packets use the same interface queue as certain network protocol packets (for example, OSPF, RIP, PIM, and VRRP). PR1244351

Port Security

  • If storm control is enabled with the shutdown action on QFX3500, QFX3600, QFX5100, EX4300, or EX4600, the interface with DN and SCTL flags will lose the SCTL flag and will remain permanently down after GRES. PR1290246

Routing Protocols

  • On EX4600/QFX Series switches with unicast-in-lpm configured, EBGP packets with ttl=1 and non-EBGP packets with ttl=1, whether destined for the device or even transit traffic, go to the same queue. This might result in valid EBGP packet drop, which can cause EBGP flapping. PR1227314

Security

  • The Juniper Networks enhanced jdhcpd process might experience high CPU utilization, or crash and restart upon receipt of an invalid IPv6 UDP packet. Both high CPU utilization and repeated crashes of the jdhcpd process might result in a denial of service as DHCP service is interrupted. Refer to JSA10800 for further details. PR1119019
  • A buffer overflow vulnerability in Junos OS CLI may allow a local authenticated user with read only privileges and access to Junos CLI, to execute code with root privileges. Refer to JSA10803 for further details. PR1149652
  • Two vulnerabilities in telnetd service on Juniper Networks Junos OS may allow a remote unauthenticated attacker to cause a denial of service through memory and/or CPU consumption. Please refer to JSA10817 for more information. PR1159841
  • Junos: Potential remote code execution vulnerability in PAM (CVE-2017-10615); Refer to https://kb.juniper.net/JSA10818 for more information. PR1192119
  • A vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the router rather than discarded. The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out. Refer to JSA10749 for more information. PR1220211
  • Junos: EX Series PFE and MX MPC7E/8E/9E PFE crash when fetching interface stats with extended-statistics enabled (CVE-2017-10611); Refer to https://kb.juniper.net/JSA10814 for more information. PR1247026
  • MACsec session fails with dot1x core dump. PR1251508
  • On Junos OS devices with SNMP enabled, a network-based attacker with unfiltered access to the Routing Engine can cause the Junos OS snmpd process (daemon) to crash and restart by sending a crafted SNMP packet. Repeated crashes of snmpd process can result in a partial denial-of-service condition. Additionally, it may be possible to craft a malicious SNMP packet in a way that can result in remote code execution. Refer to https://kb.juniper.net/JSA10793 for more information. PR1282772
  • MACsec issue: the "show security macsec statistics" command does not show expected results. Statistics are incorrectly cleared for each physical interface once per second. PR1283544

Software Installation and Upgrade

  • EX4300 Virtual Chassis: More than expected traffic loss during NSSU. PR1115398
  • New switch added in EX2200-VC is not getting automatic software update from master switch. PR1270412

System Management

  • Netconf syntax error reported if the resync character is split in multiple streams. PR1161167

Virtual Chassis

  • On EX4300 FRU removal/insertion trap not generated for non-master (backup/line card) FPCs. PR1293820

Resolved Issues: Release 14.1X53-D45

Authentication and Access Control

  • In 802.1X (dot1x) single-supplicant mode, after username and password were configured on interfaces and dot1x supplicants were started, the users were authenticated with Radius_Data VLAN, but the Ethernet-switching table was not updated for one of the interfaces. PR1283880

Dynamic Host Configuration Protocol (DHCP)

  • On EX4300, jdhcp core @ jdhcpd_security_v4_trans_ce_remove. PR1273452

Hardware

  • On EX4200, EX4550, and EX4300 switches, there is either nothing being displayed or characters are reversed on the LCD screen. This is an LCD corruption issue. PR1310733

Infrastructure

  • Some error messages will be seen on the PDB-unsupported platforms. PR1103035
  • On EX9200 and EX4300 switches, 802.1X supplicants may not get re-authenticated in a server fail scenario after the server becomes reachable. PR1157032
  • A timeout error occurs when using the request system snapshot slice alternate command. PR1229520

Interfaces

  • On EX4300 switches with GRE tunneling configured, when GRE encapsulated packets are received, next-hop resolution might not happen properly and packets might not reach the ultimate destination. PR1254638

Routing Policy and Firewall Filters

  • On an EX4300 egress VLAN-based firewall filter on a Q-in-Q interface, after a switch reboot, firewall counters might not increment as expected. PR1165450

Resolved Issues: Release 14.1X53-D44

Authentication and Access Control

  • On EX2200 and EX3300, 802.1X authentication might fail, as the NAS-Port-Type attribute in the access-request message is sent as unknown value. PR1111863
  • On EX4300 Virtual Chassis, on 802.1X-enabled interfaces, clients are not getting IP addresses and ports are programmed under incorrect VLANs. PR1230073

Port Security

  • On EX4300 switches, a signal='Unknown signal: -1', core dumped, command '/usr/bin/tftp message is displayed in file messages when dhcp-snooping-file is configured. PR1257975
  • After a MACSec link flaps, traffic is not forwarded across the MACSec link. PR1269229

Routing Policy and Firewall Filters

  • On EX4300, firewall filters are deleted when new bind points are added. PR1214151

Security

  • NTP.org and FreeBSD have published security advisories for vulnerabilities resolved in ntpd (NTP daemon). Server-side vulnerabilities are only exploitable on systems where NTP server is enabled within the [edit system ntp] hierarchy level. A summary of the vulnerabilities that may impact Junos OS is in JSA10776. Refer to JSA10776 for more information. PR1234119

Virtual Chassis

  • On an EX4200 and EX4500 mixed Virtual Chassis, a LAG interface is not programmed in one of the FPCs that has rejoined the Virtual Chassis. PR1255302
  • On EX4550 Virtual Chassis, fast-failover disable does not take effect after the whole chassis is rebooted. PR1267633
  • On EX4300, EX4600, or QFX5100 Virtual Chassis, an IRB interface does not turn down when the master chassis is rebooted or halted. PR1273176

Resolved Issues: Release 14.1X53-D43

Authentication and Access Control

  • On EX2200 and EX3300, authd process core crashes continuously during RADIUS authentication. PR1241326
  • The dot1x MAC RADIUS authenticated clients might not be in the correct state when plenty of clients authenticate at once. PR1251530
  • On EX4300, dot1x EAP clients not getting authenticated when there is a high number of authentication requests sent from switch. PR1259241

Class of Service (CoS)

  • On QFX5100, EX4300, or EX4600, traffic might be dropped when there is more than one forwarding-classes under forwarding-class-sets. PR1255077

Infrastructure

  • On QFX5100 and EX4600, password required for user root even after SSH public key authentication is enabled. PR1234100

Interfaces and Chassis

  • The AE interface might be down after NSSU is done on QFX5100 or EX4600 switches. PR1227522
  • Incorrect statistics might be shown for an AE interface after rebooting device or clearing interface statistics. PR1228042
  • SFP+ sometimes not recognized after EX4300 reboot. PR1247172

Layer 2 Features

  • Layer 2 traffic is dropped on EX4300 in some cases. PR1157058
  • The egress PE device (EX4300) sends out LLDP frames towards the CE device with the destination MAC address of 01:00:0c:cd:cd:d0, which is a duplicated frame and is rewritten by the ingress (PE) device. PR1251391

Network Management and Monitoring


  • NTP.org and FreeBSD have published security advisories for vulnerabilities resolved in ntpd (NTP daemon). Server-side vulnerabilities are only exploitable on systems where NTP server is enabled within the [edit system ntp] hierarchy level. A summary of the vulnerabilities that may impact Junos OS is in JSA10776. Refer to JSA10776 for more information. PR1234119, PR1159544
  • After the reboot of the EX4600 Virtual Chassis, authentication of SNMPv3 users fails due to the change of the local engine ID. PR1256166

Platform and Chassis

  • On EX4300 Virtual Chassis, system warns All Packet Forwarding Engines are not ready for RE switchover and may be reset when switchover with GRES enabled is performed. PR1158881

  • Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory. Refer to JSA10784 for more information, https://kb.juniper.net/JSA10784. PR1184592
  • The interface which is configured with 1G and no-auto-negotiation might be down after reboot on EX4300 switch. PR1223234

Port Security

  • On an EX4300, a route entry for IRB interfaces may be removed from the DHCPv6 server if the snooping device is configured with ND inspection. PR1201628
  • MACsec issues on EX4600—tunnel will not come up again. PR1234447
  • High CPU caused by fxpc can lead to MACsec session drops. PR1247479

Routing Policy and Firewall Filters

  • On EX4300, all ICMP packets might be dropped if a policer with action of loss-priority is applied to the lo0 interface. PR1243666

Routing Protocols

  • VRRPv2 for IPv4 not working correctly. Router with physical interface higher IPv4 address preempts for mastership in case of a priority tie. PR1204969

Spanning-Tree Protocols

  • The option of edge should be removed from the [edit protocols stp] hierarchy. PR1028009

VLAN Infrastructure

  • The traffic might not be transmitted correctly after a logical interface is deleted from one VLAN and added to another VLAN on EX9200, EX4300, QFX Series. PR1228526

Resolved Issues: Release 14.1X53-D42

Authentication and Access Control

  • On EX Series switches, in single-supplicant mode with MAC aging configured, supplicant MAC entries might not age out sometimes, even after the 802.1X client is unauthenticated. This is due to stale MBV (MAC-based VLAN) entries that are not deleted due to a race condition when the 802.1X client is unauthenticated. As a workaround, attempting to reauthenticate the 802.1X client on the interface and having the client fail authentication again should clear the MBV entry and resolve the issue. PR1205258

Dynamic Host Configuration Protocol (DHCP)

  • On EX Series switches, Ethernet switching process (eswd) scheduler slips might occur when the switch cannot reach the TFTP server to store the DHCP snooping database file. The eswd scheduler slips might affect Layer 2 switching features, such as MAC address learning and spanning-tree protocols, resulting in service impacts. PR1201060
  • On EX4300 switches with DHCP relay configured, DHCP return packets—for example, DHCPREPLY and DHCPOFFER—that are received across a GRE tunnel might not be forwarded to clients, which can impact DHCP services. PR1226868

Firewall Filters

  • On EX Series switches, the dfwc (daemon that performs as a firewall compiler) might fail to get filter information from the kernel in COMMIT_CHECK (configuration validation) mode. As a result, the filter index is regenerated starting from index 1. This will create the mismatch of filter index as compared to the existing filters in the system. PR1107139
  • On an EX4300, if you install a firewall filter with filter-based forwarding rules to multiple bind points, it might exhaust the available TCAM. In this case, the filter is deleted from all the bind points. You can work around this issue by applying the filter to the bind points with a series of commits, applying the filter to some of the bind points with each commit. PR1214151

High Availability (HA) and Resiliency

  • In an EX4300 Virtual Chassis, you might repeatedly see a message such as /kernel: %KERN-5: tcp_timer_keep: Dropping socket connection due to keepalive timer expiration. There is no service impact from the condition that causes the message (a Packet Forwarding Engine timeout trying to connect to a daemon that is not active). PR1209847

Infrastructure

  • On an EX Series or QFX Series Virtual Chassis, during an upgrade, failover, or switchover operation on the backup Routing Engine member, you might see vmcore and ksyncd core files created and see the log message /kernel: Nexthop index allocation failed: regular index space exhausted. PR1212075
  • In an EX4600 Virtual Chassis or a QFX5100 Virtual Chassis or Virtual Chassis Fabric (VCF), when using scp on the management interfaces to copy files greater than about 150 MB, you might see protocol flapping and Routing Engine TCP connections dropping. PR1213286
  • When you load and commit a configuration on an EX2200 or EX3300 switch running Junos OS Release 14.1X53-D40, the system might automatically go into db mode. As a result, you might not be able to access the switch via SSH, and a vmcore file is generated. PR1237559

Interfaces and Chassis

  • In an EX3300 Virtual Chassis, when the master Routing Engine member is rebooted, PoE devices connected to the master might not come back online after the reboot. As a workaround to avoid this issue, when configuring PoE interfaces, use the set poe interface all configuration command instead of configuring specific interfaces individually. To recover connections after seeing this issue, disable and reenable the ports with the issue. PR1203880
  • On an EX4600 switch, when you remove the 40GBASE-ER4 QSFP+ module, the show chassis hardware command still shows that the module is inserted. PR1208805
  • On EX4300 switches, problems with connectivity might arise on 100M interfaces set to full duplex and half duplex or on 10M interfaces set to full duplex or half duplex. The links appear, but connectivity to end devices might not work. The port does not transmit packets even though port statistics show packets as transmitted. As a workaround:
    1. Move the device to a different port.
    2. Set the port to negotiate and connect a device that will autonegotiate to 1G, full duplex; then reset the port to 10/100 full duplex or half duplex and reconnect the device.
    3. Restart the pfex process.

    PR1249170

MPLS

  • On EX Series and QFX Series switches, if you change a Layer 2 circuit configuration from Ethernet CCC encapsulation to VLAN CCC encapsulation, traffic losses might occur at the pseudowire tunnel initiation point. As a workaround, restart the Packet Forwarding Engine on which the problem occurs. PR1222888

Multicast Protocols

  • On EX4300, EX4600, and QFX5100 switches in a Virtual Chassis configuration, IPv6 multicast packets might not be flooded in a VLAN if IGMP snooping is enabled and the ingress interface is on a different FPC than the egress interface. PR1205416
  • On EX4300 switches or EX4300 Virtual Chassis, HSRP (Hot Standby Router Protocol) packets are dropped in the VLAN if IGMP snooping is configured. PR1211440

Network Management and Monitoring

  • On EX4600 switches, when the FPCs’ temperatures are polled, the temperatures might not be polled for all SNMP members. PR1232911

Routing Protocols

  • On EX4500 switches, if you initiate a BGP session with a peer that is not configured and the peer autonomous system is a member of a confederation group, the routing protocol process (rpd) generates a core file. As a workaround, configure a peer for each peer in the confederation autonomous systems. PR963565
  • On EX4300 switches, with redundant trunk groups (RTGs) configured, Layer 3 protocol packets such as OSPF or RIP packets might not be sent. PR1226976

Resolved Issues: Release 14.1X53-D40

Interfaces and Chassis

  • On EX4600, QFX3500, QFX3600, and QFX5100 switches, some SFP-T modules could not be recognized due to low timeout for I2C read/write. PR1180097

Power over Ethernet (PoE)

  • If you upgrade the Power over Ethernet (PoE) firmware on a member of an EX4300 Virtual Chassis, the PoE firmware upgrade process might fail or get interrupted on that member switch. You can see that this problem has occurred if the member switch is not listed in the command output when you issue the show poe controller command. The problem is also indicated if you issue the show chassis firmware detail command and the PoE firmware version field is not shown in the output or has a value of 0.0.0.0. As a workaround, upgrade the Junos software to a release marked as fixed in this PR, and then upgrade the PoE firmware on the affected member switch.

    To confirm PoE firmware has been successfully upgraded and to check the version, issue the command show chassis firmware detail. PR1178780

Resolved Issues: Release 14.1X53-D35

Interfaces and Chassis

  • An EX4600-EM-8F expansion module installed in a QFX5100-24Q switch or an EX4600 switch does not support 100 Mbps speed on 10-Gigabit Ethernet interfaces. PR1032257

Virtual Chassis and Virtual Chassis Fabric

  • In a mixed QFX3500 and EX4300 Virtual Chassis with a QFX3500 switch acting in the master role, the Virtual Chassis mastership might change when the Virtual Chassis receives multicast traffic. A mixed QFX3500 and EX4300 Virtual Chassis with a QFX3500 switch acting in the master role is not a supported configuration in this release of Junos OS because of this issue. PR1126216
  • On a QFX Series Virtual Chassis Fabric (VCF), rebooting a leaf node might change the size of the VCF, resulting in a flood loop of the unicast or multicast traffic. To fix the issue, use the new configuration statement fabric-tree-root. See details about this new statement in Changes in Behavior and Syntax. PR1093988

Resolved Issues: Release 14.1X53-D30

Interfaces and Chassis

  • In a mixed QFX3500 and EX4300 Virtual Chassis configured for persistent MAC and MAC limiting, traffic is not received on aggregated Ethernet interfaces on EX4300 switches when the EX4300 switches are operating in the linecard role. PR1033618

System Management

  • On EX Series and QFX Series switches that are configured with the include-option-82 nak option so that DHCP servers include option 82 information in NAK messages, two copies of option-82 might be appended to DHCP ACK packets. PR1064969

Resolved Issues: Release 14.1X53-D27

No issues that were previously reported in any version of the Junos OS Release 14.1X53 release notes have been resolved in Junos OS Release 14.1X53-D27 for the EX Series switches.

Resolved Issues: Release 14.1X53-D26

Interfaces and Chassis

  • On a mixed EX4300 and EX4600 Virtual Chassis, MAC learning sometimes stops happening on an interface after 802.1x is disabled. As a workaround, disable and re-enable the interface. PR1070885
  • On EX4600 and QFX5100 switches, the 100Mbps LED functionality is not working. The LED does not glow when 100Mbps traffic is sent or received on the switch, and no output is displayed when the show chassis led command is entered to gather information on the 100Mbps interface. PR1025359

Resolved Issues: Release 14.1X53-D25

MPLS

  • Layer 2 tagged traffic sent over an MPLS L2 circuit from one local customer edge (CE1) switch to another (CE2) might be dropped after an in-service software upgrade occurs in the provider edge (PE1) switch. However, traffic from CE2 to CE1 is not affected. In addition to the traffic loss, OSPF neighbors might be lost. OSPF is an interior gateway protocol (IGP) that routes packets within a single autonomous system (AS). PR1044999

Resolved Issues: Release 14.1X53-D16

Authentication and Access Control

  • On EX4300 switches with 802.1X authentication configured, when an 802.1X-enabled interface flaps, the dot1x daemon (dot1xd) might generate frequent core files due to a memory leak. PR1049635

Interfaces and Chassis

  • On EX4600 switches, disabling a member link of an AE interface might cause packets to be sent to a port that is down, which results in traffic loss. As a workaround, to restore service, bring the port that is down back up again. PR1050260

MPLS

  • On EX Series switches, issuing a ping command does not work after disabling and re-enabling the interface. PR1039743

Port Security

  • In a mixed-mode Virtual Chassis Fabric with storm control enabled, if autonegotiation is enabled on a 1-gigabit interface (the default setting), the storm-control value for allowed bandwidth might be set to 0, which would cause traffic to be dropped. As a workaround, manually configure the link speed instead of using autonegotiation. PR1051756

Spanning-Tree Protocols

  • On EX4300 switches with VLAN Spanning Tree Protocol (VSTP) running on aggregated Ethernet interfaces, the root port might receive VSTP BPDUs that are intended for other interfaces (port IDs). This issue can cause the root bridge to flap. The issue can also cause the root bridge to dispute the BPDUs and not converge. PR1066137

Virtual Chassis and Virtual Chassis Fabric

  • On the EX4600 and EX4300 Virtual Chassis, disabling and re-enabling LAG interfaces causes traffic failure. You must reboot for the interface to recover. PR1044580

VLAN Infrastructure

  • On EX4300 switches, naming a VLAN "vlan-rewrite" causes an error when you commit the configuration. PR1054996

Resolved Issues: Release 14.1X53-D10

MPLS

  • In certain scenarios, the pseudowire redundancy feature might not work as expected. PR1013686
  • For MPLS FRR and L2 circuit, certain scenarios after an ISSU might not work as expected. As a workaround, restart the Packet Forwarding Engine. PR1016513

Port Security

  • On an EX2200 or EX3300 Virtual Chassis, when DHCP snooping is enabled and 1000 or more IPv4 and 500 or more IPv6 DHCP bindings occur simultaneously, the software forwarding daemon (sfid) might create a core file. There might be a traffic impact because of the core file creation. PR1019136

Modified: 2017-11-29