Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 
[+] Expand All
[-] Collapse All

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 14.2R8 for the M Series, MX Series, and T Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Class of Service (CoS)

  • When the egress rewrite rules are assigned to both the underlying interface and the subscriber interface, the rewrite rule applied to the underlying interface takes precedence and the priority values are applied as set at that level, which is wrong. The rewrite rule applied to the subscriber interface should take effect over the underlying interface. PR1058372

Forwarding and Sampling

  • When the Virtual Router Redundancy Protocol (VRRP) is configured on MX Series routers with MPCs/MICs-based interfaces, static MAC entries are installed on the Packet Forwarding Engine in the MAC database as part of the MAC-filter installations. The MIB-walk on some object identifier (OID) will trigger a walk over the MAC MIB entry(walk over the static MAC entries with no OIDs) resulting in an error message. During the walk, it is expected that no entries are read from static MAC database entries. However, the EODB is not set to indicate the MAC database walk has ended. This error log does not have any functional impact on the MIB-walk.

    mib2d[xxx]: MIB2D_RTSLIB_READ_FAILURE: check_rtsock_rc: failed in reading mac_db: 0 (Invalid argument) mib2d[xxx]: SNMP_GET_ERROR1: macStatsEntry getnext failed for interface: index1 ge-*/*/* (Invalid argument).

    The following OID might trigger the issue: 1. Rpf related oid 2. AtmCos related oid 3. Mac related oid , such as jnxMacStatsEntry 4. PMon related oid 5. jnxSonetAlarmTable 6. Scu related oid 7. jnxCmRescueChg 8. jnxCmCfgChgEventLog 9. jnxIpv4AdEntReasmMaxSize. PR1042610

  • OID . stops responding after upgrading Junos OS from Junos OS Release 11.4X27 to Junos OS Release 13.3R5.9. PR1072841
  • On MX Series routers with an MPCs/MICs-based platform, when the Layer 3 packets destined to an integrated routing and bridging (IRB) interface and then hit the underlying Layer 2 logical interfaces (IFLs), the egress feature list of the Layer 2 logical interfaces might get skipped. Thus the features under the family bridge (for example, the firewall filter) on the Layer 2 interfaces might not be executed. PR1073365
  • A performance issue might be seen when using route filter under routing-options flow. PR1115769
  • If bandwidth-percent based policer is applied on an aggregated Ethernet bundle without the shared-bandwidth-policer configuration statement, traffic will hit the policer even if the traffic is not exceeding the configured bandwidth. As a workaround, configure the shared-bandwidth-policer configuration statement under the policer. PR1125071
  • Firewall filter-list configured of inet and inet6 are applied on the same logical interface under inet and inet6 family input-list. There are no functionality issues and the CLI command run show firewall shows correct statistics for both filter-lists configured for inet and inet6 families. The limitation arrived with the day-one implementation of filter-list renaming logic. Both inet and inet6 filter-list configured will have the same name.
    Refer to: Understanding Multiple Firewall Filters Applied as a List. The system has two filters with the same name. Because of this, in SNMP MIB will handle only one of the filter-list stats and report when fetched. In conclusion, when input-list or output-list filters are applied under different families with the same logical interface, only one of the filter-list family counters will be displayed in the SNMP MIB walk of the firewall counter table. PR1173332
  • The default-arp-policer option is applied to every relevant logical interface to rate limit the ARP traffic. You can disable the default-arp-policer option by running the above hidden command set firewall disable-arp-policer. Note that improper application leads to the Routing Engine getting overloaded with a bulk of ARP traffic, leading to a typical DOS scenario. The issue was that even after disabling "default-arp-policer", it still affects the logical interface in some scenarios, such as after DUT reboot or when a new logical interface is created. PR1198107
  • In some stress test conditions, the sampled process crashes and generates a core file while connecting to Layer 2 Bitstream Access and EVPN subscribers aggressively. PR1293237

General Routing

  • Loopback filter handling for Openflow traffic. PR837136
  • On M Series routers, packets are dropped upon setting the aggregated Ethernet link protection discard-data configuration statement. However, there is no CLI command to display the drop count. PR876190
  • The logical interface count is incorrect and will not be repaired until a PIC restart. PR882406
  • Minor memory leaks might occur if you add and delete the same multi-VLAN flow on the order of 100,000 such add and delete operations. PR905620
  • With chassis maximum-ecmp 64 configured, when a route having 64 ECMP LSP next-hops and CoS-based forwarding (CBF) is enabled with 8 forwarding classes (64*8=512 next-hops), not all next-hops will be installed on the Packet Forwarding Engine because of crossing the boundary in the kernel when the number of ECMP next-hops is larger than 309. PR917732
  • On the Junos OS platform, a license service might crash during a license check process. As a result, a core file is generated by the license-check daemon. You might also see multiple core files in the system. PR918682
  • There is a 50 Kpps drop in performance because of the addition of new functionality over the previous release. PR935393
  • OVSDB/NSX: NSX controller does not delete stale VTEP+MAC information. PR962949
  • Traceroute through an interface-services style aggregated multiservices (AMS) service-set fails under some configurations. PR966171
  • In a large-scale DHCP subscribers scenario (for example., 54000 dual-stack DHCPv4/DHCPv6), graceful Routing Engine switchover (GRES) is configured. When Routing Engine switchover occurs, if you execute the command root@user> show dynamic-configuration many times, large-scale DHCP or DHCPv6 subscribers might be terminated. PR968021
  • If the ICMP echo response is sent with an incorrect sequence number, flow lookup passes and the counter gets incremented, but the packet is discarded by the ICMP ALG. PR971871
  • In an MX Series Virtual Chassis (MXVC) environment, if the Virtual Chassis ports are configured on MPC2E-3D-NG, MPC2E-3D-NG-Q, MPC3E-3D-NG, and MPC3E-3D-NG-Q line cards for which the corresponding Junos continuity package is installed, then the Virtual Chassis ports oscillate and the MPC crashes. The Junos Continuity package allows new hardware to be deployed on already shipping releases. Hence, MPC2E-3D-NG, MPC2E-3D-NG-Q, MPC3E-3D-NG, and MPC3E-3D-NG-Q line cards are not supported on MX Series Virtual Chassis in Junos OS Release 14.2R3. PR1034420
  • With basic NAT44, when a router receives packets on a GRE tunnel, NAT drops all protocols other than PPTP on a GRE tunnel. PR1069872
  • In a subscriber management environment, changing the system time to the past (for example, over one day) might cause the processes (for example, pppoed, and autoconfd) that use the time to become unresponsive. PR1070939
  • ICMP echo_reply traffic with applications like IPsec will not work with the MS-MIC and MS-MPC cards in an asymmetric traffic environment because these cards employ a stateful firewall by default. The packet will be dropped at the stateful firewall because it acknowledges an ICMP reply that has no matching session. PR1072180
  • For Junos OS Release 13.3R5, 14.1R1, and later, the MX Series Virtual Chassis inter-chassis TCP control flows are changed to Virtual Chassis high priority. So, a high volume of Virtual Chassis inter-chassis TCP control flow might impact Virtual Chassis stability and responsiveness to external protocol events. PR1074760
  • During a unified ISSU on an MX Series Virtual Chassis working as an LAC, a few HELLO packets from L2TP network server (LNS) will go unanswered, which might cause L2TP tunnel to get torn down. PR1074991
  • In a scaled subscriber management environment (for example, 3.2K PPPoE subscribers), after a heavy login or logout, the session setup rate keeps decreasing and PAP-NAK messages are sent with "unknown terminate code". This continues until the broadband network gateway (BNG) does not accept PPP sessions and all newly incoming sessions are stuck in PAP authentication phase (no PAP ACK received). PR1075338
  • Processes (or daemons) using a synchronous API might get stuck because these APIs are blocking in nature and do not allow an mib2d or ifinfo to perform any activity during this period. For example, NMS queries on interfaces (for which a mib2d shall respond) could time out if an mib2d is stuck in such a state. PR1078505
  • On chassis based line cards, the "FI: Protect: Parity error for CP freepool SRAM" SRAM parity error might be seen. It is harmless and can be ignored. PR1079726
  • The MX Series with MPCs/MICs-based line card might reboot immediately after restarting the l2tp process at L2TP network server (LNS) during login/logout of scaled (for example, 10,000) L2TP clients. PR1082321
  • MACsec using a static secure association key (SAK) security mode does not work properly on MX80 routers with FPC slots other than slot 0 on MX104 routers. PR1086117
  • On MX Series routers with MS-MPC/MS-MIC, memory leaks can be seen with jnx_msp_jbuf_small_oc object, upon sending millions of Point-to-Point Tunneling Protocol control connections (3 through 5 miliion) alone at higher cells per second (cps) (greater than 150K cps). This issue is not seen up to 50,000 control connections at 10,000 through 30,000 cps. PR1087561
  • The expansion memory usage computation does not account for freed memory. So the displayed expansion memory usage is higher than the real expansion memory usage. As displayed expansion memory usage reaches over the configured threshold (in this case, the threshold is 95%), subscribers are denied to come up. As a workaround, you can disable the resource monitoring throttling feature to avoid the possibility of incorrect expansion memory usage. PR1090733
  • The 40G ER4 optics might not be correctly recognized. It could be marked as "unknown" in the output of the show chassis hardware or other CLI commands. PR1099901
  • When using "write coredump" to invoke generating a live core file on an FPC in a T Series, the contents of R/SR ASIC memory (Jtree SRAM) will get dumped. When there is a parity error present in the SRAM, the core file will abort and the FPC will crash. As a workaround, configuring set chassis pfe-debug flag disable-asic-sram-dump before "write coredump" will help to avoid the issue. PR1105721
  • Dynamic VLAN logical interface is not removed with 'remove when-no-subscriber' configuration. PR1106776
  • In some scenarios, upon executing the show services sessions or show services sessions extensive command, the CLI might collect information about the sessions as and when the packets for that particular session are being processed. Under these circumstances, the frame count and byte count of both the forward and reverse flow in a session, displays zero for a few seconds. After a few seconds, once the processing of the packet is complete, the frame count and byte count shows correct values. PR1110303
  • With EVPN VXLAN configured on top-of-rack and MX Series routers running Junos OS software and spine switches configured for IBGP to the gateway layer and EBGP to top-of-rack layer, no-nexthop-change is typically configured on spine switch (as the switch does not participate in EVPN and is part of the IP underlay) and VTEP tunnels are established between top-of-rack and MX Series devices. If this configuration statement is changed on the spine switch, spine switch will announce itself to be the EVPN protocol next-hop and new VTEP tunnels will be set up between MX/top-of-rack to the spine switch, but the old VTEP tunnels between the top-of-rack and MX Series routers will not be deleted. It is not expected that the status of the configuration statement will be changed on the spine switch as it does not have L2 state to support forwarding. PR1114809
  • The entire set of prefix list needs to be committed at once. In case a new prefix must be added on the fly, all the prefix lists need to be re-added after deletion so that all prefix lists are honored. PR1124165
  • In some cases at high packets per second, the CPU utilization reported in the output of the show services service-sets summary command might fluctuate but there is no impact on functionality. PR1127433
  • In an SIP session, Real-Time Control Protocol (RTCP) packets from the public get dropped. This issue is due to the return flow from the outside triggered session, which conflicts with the inside triggered session (forward flow). The workaround is to trigger outside traffic first (initiate RTCP packet from the outside first). PR1137615
  • ALG-SIP64: SIP session fails when an IPv4 SIP client in a public network initiates a SIP call with an IPv6 SIP client in a private network. PR1139008
  • 5M PPTP control and data sessions are not supported on PIC. CPUs are busy with closing sessions and going to Prolong Flow control mode. CPU throttling can control the incoming session rate but cannot control teardown session rate. These scale values are not supported. Note: 2M-4M PPTP control + Data sessions were tested several times for 48 hours and the FPC generated core files that were not seen in those tests. PR1140832
  • Dynamic tunnel interface bounces are causing memory corruption and leading to a routing protocol process (rpd) crash. The new routing protocol process (rpd), once up, synchronizes with the kernel, which might have information stored about the GRE tunnel logical interface created by the previous routing protocol process (rpd) . The new routing protocol process (rpd) uses this information from the kernel, leading to subsequent routing protocol process (rpd) crashes being triggered. The following logs might be seen when this issue occurs: user@host>show log messages| match "Address already in use" %DAEMON-3: Error creating dynamic logical interface from sub-unit 32792: Address already in use %DAEMON-3-RPD_KRT_Q_RETRIES: kqp 0x49df00d0: op add queue low-add attempts 4010 ifd index 284, ifl unit 32792, family 2 instance id 0, state create IFL RPD_KRT_Q_RETRIES: IFL IFF Update: Address already in use. PR1152912
  • When a NAT pool is shared among multiple terms, and if "address-pooling paired" is enabled only in a few of those terms (not all), it leads to a traffic drop. So, for all terms sharing a NAT pool, either all of them should have address-pooling paired configured or none of them should have it configured. PR1161623
  • Traffic might drop during Routing Engine switchover. PR1164107
  • When OSPF LFA is configured and no load-balance policy is configured, the jTree gets corrupted, which causes the router to stop forwarding traffic after the interface flaps. PR1169468
  • On MX240/480/960 platforms, because of a I2C bus hardware issue, the FPC might reboot and an error message might appear. PR1174001
  • When LFM, CFM, LACP, BFD use periodic packet management thread at FPC OS to send periodic KA packets, the adjacencies might go down unexpectedly because of time out condition. The trigger is fabric card or other hardware that let chassis thread at FPC OS consumes more CPU time. PR1174043
  • In a virtual tunnel (VT) environment with forwarding class, a customer uses an aggregated Ethernet interface to terminate subscribers on the box and the aggregated Ethernet interface has members on two different FPCs. Because of a software defect, the mirrored traffic is not going to the correct forwarding class as expected. The issue is also seen when terminate subscribers and VT-hosted interface are on two different FPCs (non aggregated Ethernet case). PR1174257
  • Physical interface output statistics are not updated correctly while using service accounting. PR1175074
  • In PCEP scenario, while receiving an RSVP PathError message from LSR/LER, because of an issue on code (PCEP's RSVP-ERROR-SPEC-TLV within PCRpt message does not include RSVP-ERROR-SPEC-Object's header within PathError message), outgoing PCRpt message might not be encoded correctly or understood by PCE. PR1175229
  • NAT64: Source-prefix filtering and protocol filtering of the CGNAT sessions are incorrect. For example, show services sessions extensive protocol udp source-prefix <0:7000::2> displays incorrect filtering of the sessions. PR1179922
  • CGNAT pool statistics for "Available address" is displayed incorrectly for destination pool. Available address is displayed as zero even though destination NAT IPs are available. PR1183538
  • show services nat deterministic-nat nat-port-block command does not give desired output for the prefixes added under the except clause of nat-rule. PR1185180
  • Ingress queuing configuration on MPC2E next generation is leading to host loopback wedge because of some bug in the code specific to MPC2E next generation. There is a misprogramming in the Junos OS code for the lookup chip for this type of card. PR1189800
  • Source-address based filter-based Forwarding is used under forwarding options to steer the packets towards an AMS bundle in the Vodafone configuration. When you remove the from source address condition from the filter, the reverse traffic gets looped back into the AMS bundle. Under this condition, prolonged flow control generated core files are seen. The source address configured in the SFW rule, which should drop the packets that are getting looped back into the AMS bundle. However, this is not working, even though SFW functionality works as expected for other packets. PR1192184
  • GUMEM errors for the same address might continually be logged if a parity error occurs in a locked location in GUMEM. Since GUMEM utilizes ECC memory, any error is self-correcting and has no impact on the router's operation. In a rare case, such a parity error might appear repeatedly at a specific location. As a workaround, the error can be cleared by rebooting the FPC. PR1200503
  • In certain interface scaling scenarios, during configuration commit or rollback the following message might appear for a few seconds: fpcx list_get_head list has bad magic (0xdeadbeef). This message can be safely ignored because of FPGA monitor mechanism on DPC cards for logical interface mapping (ifl_map). Between deleting a physical interface and the monitoring event, this mechanism checks through the stored logical interfaces. While trying to find the family of one such recently deleted logical interface, which is not cleaned from ifl_map, you might see these messages populating the messages log files. PR1210877
  • The MPC series/T4000-FPC5-3D EPM port-group wedged and blocked and it stopped forwarding traffic, which is caused by HW transient errors. PR1220019
  • Currently MS-MIC supports a max of 2M routes scale. This includes all IPv4, IPv6, and MPLS routes in the system. When scale limit is exceeded, the forwarding database memory will exhaust and the MS-MIC will start to drop the routes and print logs. PR1243581
  • On all Junos OS platforms that have the routing protocol process (rpd), if some interfaces go down, which results in some peers going down or BGP-RR (route-reflector) re-advertising routes, then the rpd might crash. PR1250978
  • A low memory condition putting the service PIC into the red zone on the MS-MIC or MS-MPC card can cause the SIP ALG to generate a core file. PR1268891
  • The mspmand log incorrectly generates messages about memory zone level. This occurs every 49.7 days and will recover by itself. This is a display issue and will not affect traffic. PR1273901
  • Ethernet A-D per Ethernet segment route (Type-1 PER ES) is NOT generated with a new route target after changing the route target..PR1279529
  • If a user disables the interface on which “WAN PHY” framing is configured, Ezchip MAC generates interrupts at a high rate and this leads to a high CPU utilization. PR1284177
  • When the service-set has both NAT rule and stateful-firewall rule configured but a source IP address would not match with any NAT rule but could be matched with stateful-firewall rule, the PPTP session from this source IP address might not be able to establish successfully. PR1285207
  • Next-hop partition memory expands and contracts as the configuration changes. During the contraction process, if a segment becomes empty, the segment address is set to 'INVALID' and the segment size is set to 0. In Junos OS Release 14.2R7, the segment size is not set to 0 as expected. This leaves the segment in state (INVALID address and non-zero size) that is ignored during the expansion process and the segment becomes unusable. When the expansion or contraction is repeated, the next-hop partition effectively loses the ability to add memory beyond the initial memory pools in segment 0 and the safety pool. The line card must be restarted to recover. PR1287192
  • With protocol-independent load balancing for Layer 3 VPNs enabled (that is, configure routing-instances <routing-instance-name> routing-options multipath) in a virtual routing and forwarding (VRF) routing instance, when toggling a TTL action statement (that is, vrf-propagate-ttl/no-vrf-propagate-ttl) for this VRF routing instance, if BGP receives a VPN route update for the VRF during the processing of the reconfiguration, the RPD might crash. This is a timing issue due to the race condition.PR1302504


  • The show system memory command does not work on 64-bit systems. The implementation requires the use of a loadable kernel module to gather data. This module has known issues and has been the root cause of numerous kernel panics. In addition, the pmap utility, which provides the data for the CLI, has known, rare, crashes on 32-bit kernels. In case the pmap utility crashes, no information will be reported by the CLI. PR883953
  • When the Routing Engine instructs the FPC to delete a next-hop (NH), which involves a PFH or Packet Forwarding Engine internal interface, the FPC might crash. PR928230
  • With a 64-bit image, when the Network Time Protocol (NTP) configuration is activated with a system date set prior to 1981, a negative value from the ntpd process results in incorrect time settings instead of Real-time clock (RTC), and the router might crash. PR1056669

Interfaces and Chassis

  • During a Routing Engine switchover in which OAM-AH (LFM) is configured, the peer router might see syslog entries that indicate an LFM session new state of up. These logs are harmless, but do cause concern that the LFM session had dropped, which is not the case. PR775616
  • The Online insertion and removal (OIR) is not supported on a PIC(PD-4XGE-XFP) currently. When pulling out a PIC(PD-4XGE-XFP) from an FPC that is not offline, the, FPC will crash generating a core file.. PR874266
  • Routing Engine might panic and go to database prompt when a member link of an aggregated Ethernet bundle is moved out of the bundle and the links are configured separately in it in a single commit. PR892129
  • For a Virtual Router Redundancy Protocol (VRRP) interface, if illegal speed is configured (for example, 100M is configured to a GE-only interface), there is a possibility that the virtual IP addresses for the VRRP will be removed from the master VRRP router at commit. PR901803
  • Kernel might crash when a router running a Junos OS install with the fix to PR 937774 is rebooted. This problem will not be observed during the upgrade to this Junos OS install. If it occurs late enough in the shutdown procedure, then it should not interfere with normal operation. PR956691
  • When an aggregated Ethernet interface is brought down, VRRP sessions over that aggregated Ethernet do not move to init state directly in case of a scaled configuration. This is because the delay in "interface down" VRRP session detects adjacency down first and moves to master state. Subsequently, when the interface down is reported, the VRRP session moves to init state. PR959672
  • The Virtual Router Redundancy Protocol (VRRP) version change is a catastrophic event. Runtime change in VRRP version might result in a significant amount of traffic drop, duplication of packets, false state change alarm, and so on. Changing the version on a production router is not advisable. PR960395
  • On MX Series routers, in a rare condition, the kernel might crash and the router might go to the database prompt when the router reboots. PR993978
  • On MX Series based line cards, in a virtual private LAN service (VPLS) environment, the next hop in the kernel allocated by connectivity fault management process (cfmd) might not be free even after the CFM session has been removed (for example, deactivating the routing-instance). In this situation, after re-activating the routing instance, the interface within the routing instance would fail to come up because the next hop is not freed by the cfmd application and hence the VPLS connection is down. PR1000060
  • On dual Routing Engine platforms, when adding the logical interfaces (IFLs) and committing, the device control process (dcd) on the backup Routing Engine might fail to process the configuration and keep it in the memory. In some cases, it might be observed that the memory of the device control process keeps increasing on the backup Routing Engine. PR1014098
  • On an MX Series platform with large-scale PPPoE subscribers (more than 60,000) connected, the PPP client process (jpppd) might crash and generate core files when performing Routing Engine switchover. PR1018313
  • Unified ISSU is not supported for VRRP sessions running over an LT interface. For minimum impact on traffic during upgrade, users should move the mastership to the peer router and then issue an upgrade. PR1030945
  • FPCs might get stuck in present state after provisioning MX Series Virtual Chassis and adding VCP ports.PR1052821
  • During subscriber login or logout, the following error log might get displayed on the device configured with GRES/NSR: /kernel: if_process_obj_index: Zero length TLV! /kernel: if_pfe: Zero length TLV (pp0.1073751222). PR1058958
  • After changing the MTU on the physical interface, there is a missing IPv6 link local address on the static VLAN demux interface. PR1063404
  • Whenever the MIC 10x 1GE(LAN) SFP is offlined, there might be times when certain PCI error messages are seen as part of the messages. This happens if the PCI thread is running and thread_yield() is invoked when the MIC is being offlined. These error messages are expected due to the thread_yield. These messages are harmless and should not affect PCI access once the MIC is brought online. PR1067083
  • The following debug message can be seen on the log, but is harmless and no action needs to be taken: /kernel: pp0.102132231: ENTERED: calculate_ppp_mru with lower_mru (1492) ppp_local_mtu = 1492 ppp_cfg_mru = 0 , lower_max_mtu = 9016 , pppoe_rwlen = 24, pppoe_ifl_l2hdr_len = 0. PR1074765
  • The following error might occur in the scenario of a CFM session flap, as per design. It is possible to get multiple ADJ down messages for an inline session. The following is a debug message: ppman_cfm_delete_inline_adj: inline adjacency key is NULL,cannot delete session ppman_cfm_delete_inline_adj: inline adjacency key is NULL,cannot delete session ppman_cfm_delete_inline_adj: inline adjacency key is NULL,cannot delete session. Starting in Junos OS Release 15.1R2, the messages are reclassified as debug instead of an error. PR1084892
  • In a VPLS scenario with a specific CE mesh group configured, after a Routing Engine restart or Routing Engine master switchover, the flood next hop for the mesh group might not be programmed properly. A complete black holing for the VPLS instance would be seen as a consequence. PR1087293
  • Deactivating or activating logical interfaces might cause BGP session flapping when BGP is using VRRP VIP as source address. This is caused by a timing issue between a device control process and a VRRP overlay file. When device control process reads the overlay file, it is not the updated one or yet to be updated. This results in an error and the device control process stops parsing the VRRP overlay file. PR1089576
  • To ensure that the router or switch is reachable for management purposes while it boots or if the routing protocol process fails to start properly, you can configure a backup router, which is directly connected to the local router or switch (that is, on the same subnet) through its private management interface (for example, fxp0 or me0). When a backup router running IPv6 and a static route to reach the management network are configured, some invalid IPv6 routes are added to the default forwarding table on the master or the backup Routing Engine (RE). PR1100981
  • In a PPPoE subscriber management environment, when dynamic VLAN subscriber interfaces are created based on agent circuit identifier (ACI) information, the subscribers might be unable to log in after rebooting the FPC with syslog message PADI due to no ACI IFLSET. PR1117070
  • In a dynamic PPPoE subscriber management scenario, when the system is overloaded with requests coming, the subscribers might fail to log-in in a race condition. PR1130546
  • The jpppd process might crash and restart due to a buffer overwrite. The jpppd process restart results in a minimal impact of system and subscribers. All connected subscribers remain connected and only subscribers are attempting to connect at time of process restart would need to retry. PR1132373
  • The jpppd process generates a core file at SessionDatabase::getAttribute() from Ppp::LinkInterfaceMsOper::getLowerInterfaceType(). PR1165543
  • The jpppd process might crash and generates a core file due to memory heap violation associated with processing MLPPP requests. PR1187558
  • In a VPLS multihoming scenario, the CFM packets are forwarded over the standby PE link, resulting in duplicate packets or a loop between the active and standby link. PR1253542
  • In a Junos OS upgrade involving Junos OS Release 14.2R5 and Junos OS Release 16.1 and their maintenance releases and with a CFM configuration can cause cfmd to generate a core file after upgrading. This is due to the old version of /var/db/cfm.db. PR1281073


  • When you open a J-Web interface session using HTTPS, enter a username and a password, and then click the Login button. The J-Web interface takes 20 seconds longer to launch and load the Dashboard page than it does if you use HTTP. PR549934
  • When the J-Web interface is launched using HTTPS, the time shown in the View Events page (Monitor >Events And Alarms > View Events) differs from the actual time in the switch. As a workaround, set the correct time in the box after the J-Web interface is launched. PR558556

Layer 2 Ethernet Services

  • When using Link Aggregation Control Protocol (LACP) link protection to protect a single link in the aggregated Ethernet bundle, the lacpd process might crash upon the configuration changes to aggregated Ethernet or LACP. PR1078184
  • The issue occurs when running LACP between Juniper Networks and Cisco devices with different timers (Juniper Networks fast and Cisco slow) on both sides. On the Cisco side it takes almost 90 sec to bring the interface down from the bundle. When one interface is removed from the LAG on the Juniper Networks side, the lead on the Cisco side needs to time out to bring the interface down from the bundle. This results in unexpected outage behavior on the network. PR1169358
  • If a client sends a DHCP request packet, and Option 55 includes PAD option (0), a DHCP ACK will not be sent back to the client. PR1201413

Layer 2 Features

  • In a high-scale VPLS configuration, modification of a tunnel interface through a restart or reconfiguration might cause the packet processing engine to access an invalid interface, resulting in a minor packet loss and logging of packet processing engine traps. Existing traffic flows on the Packet Forwarding Engine are not affected. The router recovers quickly and normal operation resumes with the new configuration. PR976972
  • When input-vlan-map with a push operation is enabled for dual-tagged interfaces in "Enhanced-IP" mode, there is a probability that the broadcast, unknown unicast, and multicast (BUM) traffic might be dropped silently or discarded on some of the child interfaces of the egress aggregated Ethernet interfaces or on some of the equal-cost multipath (ECMP) core links. PR1078617

Multiprotocol Label Switching (MPLS)

  • In a point-to-multipoint branch LSP, the value of jnxMplsTeP2mpTunnelTotalUpTime is reported incorrectly after a new instance of the branch LSP is re-signaled at the ingress. PR543855
  • When a firewall filter is set on Bidirectional Forwarding Detection (BFD) remote side egress direction to block the incoming packet in local router point of view, after the firewall filter is deleted, the BFD session might get stuck in an "Init" state and the remote state might go "Down". PR860951
  • IPv6 traceroute might not show some hops for scenarios where (1) two LSPs are involved. (2) inet6 shortcuts are enabled. In such scenarios, hops that are egress for one LSP and ingress for the next LSP in the traceroute do not show up. This is a software issue with ICMP error handling for packets with IPv6 payload with a ttl of 1. PR899283
  • Traffic loss is observed in MVPN traffic after link up because the old path used for LDP P2MP LSP is not loop-free. The traffic loss occurs until the new LDP P2MP branch is established on the new best path with mLDP signaling. This is caveat for LDP P2MP make before break. It works only if the old path is not torn down due to IGP route changes. PR1017032
  • When soft-preemption is enabled on the ingress router and the preemption is configured with the aggressive option to preempt RSVP sessions whenever bandwidth is lowered or a new higher-priority session is established, if one LSP is established over the aggregated Ethernet interface, if link failure occurs, the bandwidth becomes insufficient at the ingress. As a result, the CSPF is not triggered to establish a new path (because of missing data in TED) for more than 30 seconds, and eventually the LSP is hard preempted. PR1030586
  • When using mpls traffic-engineering bgp-igp-both-ribs with both LDP and RSVP enabled, Constrained Shortest Path First (CSPF) for interdomain RSVP LSPs cannot find the exit ABR when there are two or more such ABRs. This causes interdomain RSVP LSPs to break. RSVP LSPs within the same area are not affected. PR1048560
  • Up until version -10 of the BGP-LS draft, the OSPF DR node representation was ambiguous. One could represent DR node as AdvertisingRouterId-InterfaceIpAddress or InterfaceIpAddress-1. Junos OS used to follow InterfaceIpAddress-1 format. Starting in Junos OS Release 11 of the BGP-LS draft, the representation for OSPF DR node must be AdvertisingRouterId-InterfaceIpaddress. Junos OS now follows the latest format. PR1085219
  • Running the clear ldp neighbor all command might result in the message error: timeout communicating with routing daemon and it can cause task scheduler slip in a scaled LDP setup. Traffic loss will be observed. PR1092532
  • During point-to-multipoint LSP optimization (with many sub-LSPs), scheduler slip occurs in routing protocol process (rpd) because of a tight loop and large processing time. PR1129714
  • Error code 3 error messages are generated. They are benign and can be ignored. These messages should be removed from later code. PR1136033
  • This issue is related to RSVP-TE FRR (RFC 4090) interoperability between Juniper Networks and Cisco. If Juniper Networks is the point-of-local-repair (PLR), then it does not set the "label recording desired" flag in the backup path messages. Also, Juniper as the merge-point (MP) does not send the label sub-object in the RESV RRO for the backup LSPs. However, the Cisco PLR sends the backup path message with the "label recording desired" flag set and expects to see the label sub-object in the corresponding RESV RRO. So as a result, in the scenario where the Cisco device is the PLR and the Juniper Networks device is the MP, a change in the RESV label while protection is in use at the PLR will not get propagated upstream beyond the MP. PR1145627
  • In a point-to-multipoint (P2MP) LSP setup, such that an ingress LER is running a Junos OS Release 14.1R1 or earlier release image and the egress is running the Junos OS Release 14.1R1 or later image, the point-to-multipoint (P2MP) LSP might not come up. PR1160549
  • In some interoperability scenario, sometimes a new label is advertised without withdrawing the old label by peer. When this occurs, the Junos OS rejects the new label advertised (as per RFC 3036 behavior). The logs generated in such event are as follows: Line 408105: Mar 14 14:00:21.716559 LDP: LabelMap FEC L2CKT NoCtrlWord ETHERNET VC 40347 label 53 - received unsolicited additional label for FEC, releasing new label . PR1168184
  • If RSVP link-protection optimize-timer is enabled, routing protocol process (rpd) memory might leak in "TED cross-connect" when a bypass LSP is being optimized. PR1198775

Network Management and Monitoring

  • Eventd uses event library for signal handling. A core file is generated because of a race condition/synchronization issue in event library while handling signals. Event library is not signal safe and thus it is vulnerable to such issues. Eventd handles different kinds of signals (through signal handlers): - SIGHUP (on commit), - SIGTERM (on killing eventd), - SIGCHLD (on termination of event script execution), - SIGUSR1 & SIGUSR2 (on log rotation). If one signal handler is preempted by another signal handler, then it can disrupt WaitList structures (and this can cause a core file to be generated). This can happen when eventd receives a new signal when it is processing another signal. PR1122877
  • On MX Series devices, the show arp no-resolve interface command shows the unrelated static ARP entries that are fixed to display proper static ARP entries of the given interface. PR1299619

Platform and Infrastructure

  • Adaptive load-balancing functionality is supported only for unicast traffic. If the aggregated bundle contains logical interfaces for bridge or VPLS domains, flooded traffic might be dropped. PR821237
  • The CLI command show route forwarding-table would only display <= 16 ecmp paths when CBF was used. PR832999
  • When scripts are synchronized from one Routing Engine to the other, the destination for the scripts in the other Routing Engine should be based on the configuration on the other Routing Engine. An issue prevents this from happening, and the destination for scripts depends on the current Routing Engine from which the scripts were synchronized instead of the configuration on the other Routing Engine. PR841087
  • The audit daemon (auditd) process handles system accounting events and tries to send them out to configured RADIUS servers. If there is any problem in sending these accounting records to RADIUS servers (for example, RADIUS servers are unreachable or disconnecting frequently), auditd will spend more time on each accounting record because of the retries. During this time if there are many accounting events, all those records will be in queue. Eventually, the queue exceeds its limit and hence auditd crashes. PR863697
  • Kernel messages SO_RTBL_INDEX are seen continuously when LDP session is down. The log messages were meant for debugging purpose and are harmless. Message example: /kernel: setsocketopts: setting SO_RTBL_INDEX to 0. PR888162
  • Checksum error is seen on ICMP reply when the sequence, data field in the request is set to '0'. PR898487
  • When there is huge logical interface (IFL) scaling on aggregated Ethernet interfaces (500 or more) with more than 32 member links and when all FPCs are restarted one by one, followed by member link addition to the LAG, the state dependency evaluation in the kernel will take a long time, preventing the FPCs from getting all the states from the Routing Engine. This is an uncommon sequence of events, and the likelihood of this happening in the field is very remote. PR938592
  • If you configure the DHCP option 125, the CLI does not accept all the hexadecimal characters. PR965368
  • The overhead values need to be represented with 8 bits to cover the range "-120..124", but the microcode is only using the last 7 bits. PR1020446
  • The rate-limit value does not match between the Routing Engine and the Packet Forwarding Engine. PR1023809
  • When upgrading from Junos OS Release 13.3R3 to Junos OS Release 14.2, users might notice a tnetd core file after the upgrade. This core file is harmless and does not affect operation of the platform or software in any way. PR1025287
  • Inactive telnet session does not get automatically timed out. This issue is fixed in Junos OS Release 15.1 and later releases. PR1033972
  • Once the Traffic Offload Engine (TOE) thread is stalled due to memory error at the lookup chip, all statistics collected from the interfaces hosted by this Packet Forwarding Engine are not updated anymore. PR1051076
  • In configurations with IRB interfaces, during times of interface deletion (for example, FPC reboot), the Packet Forwarding Engine might log errors stating nh_ucast_change:291Referenced l2ifl not found. This condition should be transient, with the system reconverging on the expected state. PR1054798
  • On MX Series routers, parity memory errors might happen in pre-classifier engines within an MPC. Packets will be silently discarded because such errors are not reported and are therefore harder to diagnose. The correct behavior is for CM errors such as syslog messages and alarms to be raised when parity memory errors occur. PR1059137
  • This issue occurs on MX Series routers with frame-relay (FR) CCC to connect FR passport devices. If some of the FR circuits carry traffic without any valid FR encapsulations, the MX Series based Packet Forwarding Engine drops those frames. PR1059992
  • With VLAN manipulation configured for Ethernet services, incorrect frame length might be used for egress policing on MX Series routers with MPCs/MICs-based line cards. Currently, the frame length calculation is inconsistent for different traffic topology: 1. In case traffic crossed the fabric, the frame length prior to output VLAN manipulation is used 2. In case of local traffic, the frame length prior to input VLAN manipulation is used. Actually, the length after output VLAN manipulation should always be used. PR1064496
  • Juniper VSA length above 2000 bytes is not supported. Using authorization parameters above this length results in incorrect authorization settings for the user. PR1072356
  • On MX Series routers with MPCs/MICs-based line cards, when the firewall filters with prefixes are configured, the heap memory leak issue might be observed. PR1073911
  • When deleting some uncommitted configuration on the active Routing Engine, the routing protocol process (rpd) on the backup Routing Engine might restart with the following error: Unable to proceed with commit processing due to SIGHUP not received. Restarting to recover. PR1075089
  • This issue occurs in the following scenario: In XM-based multi-LU systems (MX Series platform with MPC3E/MPC4E/MPC5E/MPC6E/NG-MPC3/NG-MPC2 or T4000 with T4000-FPC5-3D linecard), with multiple LUs representing the same Packet Forwarding Engine complex. BFD processing is designated to a dedicated LU (LU 0), called an anchor LU; the rest of the LUs (LU 1, LU 2, LU 3) are called non-anchor LUs. When the inline BFD packets punts from the non-anchor LU to the anchor LU, it does not have the 'interface-group' populated in the packet context, so the packets might not be matched by the related filter term. PR1084586
  • When the large-scale firewall filter (for example, with 10000 terms on input or output) is configured on either FPC5 or MPC3/4/5/6, traffic drop might occur due to allocation limit. PR1093275
  • An issue occurs in which you could end up with two <junos-comment> entries under the [interfaces] stanza. PR1102086
  • The kernel next-hop acknowledgement timeout maximum interval configured (krt-nexthop-ack-timeout) under the CLI hierarchy routing-options forwarding-table has been increased to 400 seconds to avoid performance issues with scaled subscribers. PR1102346
  • Improved VTY commands to show internal JNH memory usage. PR1103660
  • On MX Series with MPCs/MICs-based platforms, in an MX Series Virtual Chassis (MXVC) environment, if the subscriber logical interface (IFL) index 65793 is created (for example, when carrying 15,000 DHCPv4 subscribers to exceed logical interface index creation 65793) and the IEEE 802.1p rewrite rule is configured (for example, using CoS rewrite rules for host outbound traffic), due to usage of an incorrect logical interface index, the Virtual Chassis Control Protocol Daemon (vccpd) packets (for example, Hello packets) transmission might get lost on all VC interfaces, which might lead to VC decouple (split brain state, where the cluster breaks into separate parts). As a workaround, either delete the rewrite rule [delete class-of-service host-outbound-traffic ieee-802.1 rewrite-rules], or find the logical interface in the jnh packet trace that is not completing the vccpd transmission to other chassis, and at the Routing Engine clear that subscriber interface to resolve the issue. PR1105929
  • In the MX Series with MPCs/MICs base line card environment with inline sampling service, after FPC reboot, in a rare condition, traffic forwarding might get affected because the PFEMAN SRRD thread consumes high CPU resources continuously. PR1141814
  • On ungraceful exit of telnet (quit/shell logout), perm and env files created by pam were not deleted. PR1142436
  • There is no need to perform auto-ttrace and next-hop tracing upon LMEM parity error, because the memory is corrected and it prevents an exposure of DRD command sequence error, causing permanent impact on the Packet Forwarding Engine. PR1157173
  • Group names handling process enhancement: One of the core functions was optimized by introducing more efficient pointer comparisons instead of CPU intensive string ones. PR1158652
  • The delegated BFD session over aggregated Ethernet interface failed to come up after FEB switchover with FEB redundancy group (1:1 and 1:N). PR1169018
  • Internal fabric header corruption on MX Series with MPCs/MICs Packet Forwarding Engines can lead to packet corruption on the egress Packet Forwarding Engine. This PR effort is to protect the fabric header coming to the egress MX Series Packet Forwarding Engine with a fabric CRC check. This is shown to avoid wedges due to corrupted fabric headers. PR1170527
  • When IPv6 route points to aggregated Ethernet bundle, J-Flow record shows the outgoing Interface as a child interface and not the actual aggregated Ethernet interface. PR1177790
  • With sampling is configured, if AS paths change, over a period of time in the network, the stale AS paths might be seen in the sampler database of JNH memory. PR1189689
  • When IPv6 traffic learned on an L2/bridge/multilink interface it has been traversed through MPLS, core random packets might get classified incorrectly by the fabric, which leads to packet loss. PR1223566
  • Due to transient hardware events, fabric stream might report CPQ1: Queue underrun indication - Queue <q> continuously. For such events, all fabric traffic is queued for the Packet Forwarding Engine reporting the error, resulting in a high amount of fabric drops. PR1265385
  • On MX Series with MPCs/MICs based platform, transit traffic that has the second LSB set in the first octet of destination MAC will be punted to the Routing Engine and get dropped when mac-learn-enable is configured on the receiving interface. PR1285874

Routing Protocols

  • The multicast next hop (show multicast nexthop) shown for the Master and backup Routing Engine for the same flow could be different if the next hop is hierarchy MCNH. During a nonstop active routing (NSR) switch, however, there is no traffic loss caused by this show difference. PR847586
  • BFD triggered local-repair is not initiating immediately on receiving BFD DOWN packet when the peer has detected the BFD session as down through control expiry. PR825283
  • When a new bidirectional RP is configured after the RPF to the RP has been resolved, PIM would not receive a RPF change event. Hence, the RPF interface would not be added to the multicast route incoming interface list. The traffic forwarding might be affected. PR939823
  • The routing protocol process (rpd) process will crash with a core file generated due to ASPATH check error when RIB groups are added first and later virtual router and forwarding (VRF) occurs. PR959962
  • A bug in the code path for show route resolution was causing an extra decrement of the refcount in the show handling. PR995170
  • On MX Series routers, when an instance type is changed from VPLS to EVPN, and in the same commit an interface is added to the EVPN instance, the newly added EVPN interface might not be able to come up. PR1016797
  • When configuring a router in route reflector mode (cluster-id or option B MP-eBGP peering), the advertise-external feature will not be applicable in local VRFs due to a different route selection or advertisement process (main bgp.l3vpn.0 vs VRF.inet.0). PR1023693
  • The static access routes pointing to an unnumbered interface are getting added in the routing table even if the interface is down. In this case, if graceful Routing Engine switchover (GRES) is disabled, this type of route will never be added in the routing table after Routing Engine switchover. PR1064331
  • In a Protocol Independent Multicast (PIM) sparse mode environment, suppose the router is used as both the rendezvous point (RP) and the last-hop router. Also, the (*,G) entry is present on the RP and a discard multicast route already exists (for example, because of receiving multicast traffic from a non-RPF interface). Then if the (S,G) entry is learned after receiving a source-active from the Multicast Source Discovery Protocol (MSDP), then the shortest-path tree cutover might fail to trigger. There is no traffic impact as receivers still can get traffic from the (*,G) route.PR1073773
  • Junos OS exhibits two different next-hop advertisement behaviors for MP_REACH_NLRI on a multi-hop eBGP session, based on whether it is loopback peering or physical interface peering. When the routers are peering on their loopback, only the global IP of the interface (lo0) is advertised, whereas when the routers are peering through the physical interface, both global and link-local address are advertised as the next hops. PR1115097
  • When multiple addresses are configured on an interface, if the interface has interface-type p2p configured under OSPF and the router does not receive any OSPF packets from one of the IFAs, the OSPF state will not go down for the corresponding adjacency. It should have no impact on route learning, but it might cause confusion for troubleshooting, when peering with Cisco devices, which have multiple addresses configured as secondary addresses. PR1119685
  • In a multicast environment, suppose the rendezvous point (RP) is the first-hop router and it has MSDP peers. When the rpf interface on the RP changes to an MSDP-facing interface, a multicast discard route is installed and traffic loss is seen. This occurs because multicast traffic is still on the old rpf interface. PR1130238
  • Generate route does not inherit the next hop from the contributing route in L3VPN case when the contributing route is learned through MP-BGP. The next-hop remains as reject for the generated route. PR1149970
  • For devices populated with master and backup Routing Engines and configured for nonstop active routing (NSR) and Protocol Independent Multicast (PIM), the routing protocol process (rpd) might crash on the backup Routing Engine due to a memory leak. This leak occurs when the backup Routing Engine handling mirror updates about PIM received from the master Routing Engine deletes information about a PIM session from its database. But because of a software defect, a leak of 2 memory blocks (8 or 16 bytes) might occur for every PIM leave. If the memory is exhausted, the rpd might crash on the backup Routing Engine. There is no impact seen on the master Routing Engine when the rpd crashes on the backup Routing Engine. Use the show system processes extensive command to check the memory. PR1155778
  • In certain code versions, BGP trace options will have packet flag enabled with only open flag configured and will log every BGP packet. PR1175826
  • In customer setup, PIM registers are getting dropped in the transit node (due to firewall) before reaching the rendezvous point (RP). PIM register statistics remained "zero" even though the PIM state indicates that the register messages were sent toward the RP. For the expected output, PIM statistics should be working properly in order to help troubleshoot production issues. But the limitation is that the PIM register statistics are incremented only for NULL-register packets on first hop router (FHR), and NOT for the data register packet. So, if the register packet does not reach the RP, the PIM statistics will not increment on the FHR. However, on the RP, the PIM register statistics are incremented for both NULL and DATA-register packets. On the data register packet is encapsulated by the "forwarding module (PFE)" (this information is local to the Packet Forwarding Engine and is not shared with the PIM) and is forwarded like a normal unicast packet. Because the PIM does not get any notification about this, the register statistics are not incremented. In the customer scenario, its the PIM Data Register Packets that are being sent by FHR and getting dropped due to firewall. However, NULL Registers are handled by PIM where stats are incremented accordingly. NULL Registers are a result of receiving Register Stop from RP. On the RP the following occurs: On receiving the encapsulated packet, the forwarding module (Packet Forwarding Engine) de-encapsulates the packet and finds that it is a PIM register packet. The Packet Forwarding Engine then hands over the complete register packet to the PIM. Because the PIM receives the data register packet from Packet Forwarding Engine, it then updates the statistics (increments the PIM register count for data register). PR1194480
  • In a dual Routing Engines scenario, if the Open Shortest Path First (OSPF) protocol is configured with MD5 authentication, after Routing Engine switching, the OSPF session might flap, indicating authentication failure. PR1198179
  • Here are the results when L1 is disabled for Lo0: {master}[edit] user@router# run show isis interface IS-IS interface database: Interface L CirID Level 1 DR Level 2 DR L1/L2 Metric lo0.0 3 0x1 Disabled Passive 0/0 Here are the results when L2 is disabled for Lo0 {master} user@router> show isis interface IS-IS interface database: Interface L CirID Level 1 DR Level 2 DR L1/L2 Metric lo0.0 3 0x1 Passive Disabled 0/0 . PR1202216
  • In a BGP scenario with inet-mdt family configured under BGP protocols, route table <NAME>.mdt.0 might get deleted if it has no routes. As a result, the routing protocol process (rpd) might crash on the backup Routing Engine, and BGP sessions might flap on the master Routing Engine. PR1207988
  • In the context of a large number of configured VPNs, routes changing in the midst of a BGP path-selection configuration change can sometimes lead to routing protocol process (rpd) core file. This core file has been seen with the removal of the "always-compare-med" option. PR1213131
  • The routing protocol process (rpd) on the backup Routing Engine might restart unexpectedly upon the addition of a new L2VPN routing instance. Following a major change in the configuration of a L2VPN routing instance (such as changing instance type on-the-fly, or routing instance rename), the routing instance and all its data structures get successfully deleted/changed on the master Routing Engine. On the backup Routing Engine however, this might not get done, and therefore, the backup might still hold the routing instance with the original name (or original type), in addition to another newly created routing instance reflecting the configuration change. Due to this, one of the routing instance parameters, the "sync-id", is freed on the master, but remains in use on the backup. Later, another routing-instance gets added in an unrelated provisioning activity. If the sync-id that gets allocated for the new instance is the same as the one for the instance that was not properly deleted in the first change, then routing protocol process (rpd) on the backup will crash due to an assert, and then restart. PR1233514
  • Multicast flow interruption might be observed on a transit router in a Protocol Independent Multicast scenario such as the following: (*,G) join is received on one interface, and (*,G) join and (S,G,RPT) prune are received on another interface,which then receives (*,G) prune. Multicast flows on the first interface get reset and interrupted for a short period of time (for example,1 second). PR1293900

Services Applications

  • Performance degradation of 8% is observed on the maximum packet per second supported of J-Flow records exported. PR949965
  • When transferring a large FTP file, the server might send packets with incorrect layer 4 checksum. If inline NAT service is enabled on the router, it might transit the packets to the client instead of dropping them, which eventually causes the client FTP to time out. PR972402
  • SNMP L2TP OID jnxL2tpTunnelGroupStatsTotalSessions does not provide correct information. The MX Series routers provides total sessions only associated with a remote ID for L2TP and does not correctly reflect the total sessions associated with the L2TP tunnel group when there are multiple remote IDs for L2TP tunnels. PR989386
  • In the NAT environment, the jnxNatSrcPoolName object identifier is not implemented in jnxSrcNatStatsTable. PR1039112
  • With scaling Layer 2 Tunneling Protocol (L2TP) sessions (for example, 128,000 sessions), when executing the L2TP show command in one terminal and the clear command in another terminal simultaneously, pressing Ctrl-C or closing the terminal on one terminal might cause the jl2tpd process crash. PR1063207
  • With the majority of L2TP subscribers logging in with invalid credentials (75% of new login requests are invalid), low call setup rate (CSR) is observed for the good login attempt subscribers. PR1079081
  • If l2tp is configured under the access group hierarchy, during commit or commit check operation, the pppd process might crash (the configuration could commit successfully). It might result in minimal impact to the system, and it will restore automatically. As a workaround, configure under the access profile client hierarchy. PR1108024
  • In a Layer 2 Tunneling Protocol (L2TP) subscriber management environment, the jl2tpd process (L2TP daemon) might crash during cleanup and re-creation of the L2TP tunnel or session continuously. PR1179261
  • This issue occurs with MS-PICs. When you retain SAs in kmd (ipsec-key-management daemon) when the PIC is offline and set them as "not installed," if you reinstall those SAs when the PIC comes online, sometimes reverse routes have reference count problems if the SAs are retained during PIC restart. This issue causes incorrect next hops of the reverse routes. PR1285907

Subscriber Access Management

  • When a BNG router is processing a session "idle timeout", the following error message might be seen: /../../../../src/junos/usr.sbin/authd/acc/ Failed to process the Idle Timeout for session-id:10. However, it does not affect any of the services. PR1041654
  • When using Neighbor Discovery Router Advertisement (NDRA) and DHCPv6 prefix delegation over PPPoE in the subscriber access network, if a local pool is used to allocate the NDRA prefix, when the CPE sends a DHCPv6 solicit message with both Internet Assigned Numbers Authority (IANA) and Identity Association Prefix Delegation (IAPD) options, the subscriber might get an IPv6 prefix from the NDRA pool but not the delegated pool. As a workaround, the CPE should send a DHCPv6 solicit message with only the IAPD option. PR1063889
  • Subscriber is not coming up when Cisco AVPair VSA value is returned in RADIUS ACCESS-ACCEPT packets in certain scenarios. PR1074992
  • On MX Series platforms, when using the DHCPv6 prefix delegation over PPPoE, if the RADIUS server allocates a DHCPv6 pool name during the authentication of subscribers and "on-demand-ip-address" feature is enabled in a dynamic profile, the prefixes might not be cleared by the authentication process (authd) after disconnecting the subscribers. PR1108038
  • For scenarios that are not in a Layer 3 wholesale network environment, you can configure "duplication-vrf" to send duplicate accounting records to a different set of RADIUS servers that reside in either the same or a different routing context. After Routing Engine switchover, however, the duplicate accounting feature stops working for existing subscribers. PR1121524
  • In a subscriber management environment with AAA authentication, after a few rounds of login/logout, some dynamic PPPoE subscribers might get stuck in configured (AuthClntLogoutRespWait) state. PR1127823
  • Active PPPoE session might hang. The session timeout for the sessions is expired, but the subscribers still show up. These sessions cannot be cleared using network access or PPPoE sessions commands. As a workaround, to clear these sessions by using the dynamic-configuration session delete method. PR1230315

User Interface and Configuration

  • In the J-Web interface, selecting the Monitor port for any port in the Chassis Viewer page takes the user to the common Port Monitoring page instead of to the corresponding monitoring page of the selected port. PR446890
  • In the J-Web interface, select Configure > Routing > OSPF >Add, and then click the Interface tab. You see only the following three interfaces by default: pfh-0/0/0.16383 , lo0.0 , and lo0.16385. To overcome this issue and to configure the desired interfaces to associated OSPF area-range, set the following statements from the CLI: set protocols ospf area area-range set protocols ospf area interface fe-0/3/1.PR814171
  • On HTTPS service, J-Web is not launching the chassis viewer page at Internet Explorer 7. PR819717
  • When you select configure > clitools >point and click > system > advanced >deletion of saved core, the No option does not work in J-Web. PR888714
  • The basic value entry format error check is not present in Configure->Security->IPv6 Firewall Filters, but the same check is present in IPv4 Firewall Filters. It throws an error when you try to commit the wrong format data entered. PR1009173


  • In a multihomed source topology in next-generation MVPN (applicable to both inter-AS and intra-AS scenario), there are two problems:
    • Multicast (S, G) signaling does not follow RPF. When the routing table (mvpninstancename.inet0) has two routes, due to the policy configuration, the best route to the source is via the MPLS core, but Multicast (S, G) PIM join and next-generation MVPN Type 7 both point to an inactive route through the local BGP peer.
    • When clear pim join instance NG is entered, the multicast forwarding entries are wiped out.


  • In a dual Routing Engines scenario with NSR enabled, when L2Circuit/L2VPN/VPLS is enabled, due to race conditions in different messages and events between master and backup, if label reuse occurs in the master routing protocol process (rpd), the backup routing protocol process (rpd) might handle messages and events unsuccessfully and crash. There is no functional impact. PR1119684

Modified: 2017-12-12