Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 14.2R8

Application Layer Gateways (ALGs)

  • On all MX Series devices, when RTSP ALG is enabled, a certain crafted RTSP interleave data packet might cause the flowd process to crash. Repeated crashes of the flowd process constitute an extended denial-of-service condition for the MX Series device. See http://kb.juniper.net/JSA10721. PR1116559

Class of Service (CoS)

  • When the chained-composite-next-hop is enabled for Layer 3 VPN routes, MPLS CoS rewrite rules are attached to the core-facing interface for "protocol mpls-inet-both-non-vpn" and are applied not only to non-VPN traffic (which is the correct behavior) but also to Layer 3 VPN traffic. That is, both MPLS and IP headers in Layer 3 VPN traffic receive CoS rewrite. PR1062648
  • In rare cases, CoS-related queue statistics polling with multiple object identifier (OID) packing or multiple SNMP client polling on the same interface simultaneously can cause cosd to generate a core file and restart. The cosd restart does not impact any CoS services. PR1199687
  • The logical interfaces bound to routing-instance classifier are not seen under classifier index inside CFEB. This issue occurred because there was a “missing else statement” leading to data getting overwritten for an LSI scenario. PR1200785
  • When CoS is configured, in a very rare situation, a timing issue between dcd and cosd during commit might cause cosd to crash. For example, if you delete an interface that belongs to an aggregated Ethernet interface and then configure it as a single port with CoS in a single commit, this issue might occur. PR1220524
  • A rounding-off issue led to a difference in commit behavior of values such as 79M and 79.1M. PR1252505
  • On some T Series routers, the LSI statistics are not displayed in aggregated Ethernet interface bundles and also the input statistics counter for aggregated Ethernet does not include MPLS traffic. PR1258003

Forwarding and Sampling

  • The firewall compiler daemon (dfwc) might fail to get filter information from the kernel in COMMIT_CHECK (config validation) mode. As a result, the filter index is regenerated starting from index 1. This creates a filter index mismatch with the existing filters in the system. PR1107139
  • The changes to sampling route reflector daemon (srrd), a new architecture for sampling process between Junos OS Releases 14.2R5.8 and 14.2R6.5, severely reduce the MX80 router’s available memory. Therefore, you observe RIB or FIB scaling. PR1187721
  • After an FPC restart, unexpected traffic drops or policer actions are observed when policers are applied to an aggregated Ethernet interface with units. PR1199238
  • On M7i or M10i with compact forwarding engine board (CFEB) installed, if bandwidth-percent is configured for a firewall policer, the policer is used in a firewall filter, and the firewall filter is applied to an interface, the filter does not work. PR1202181
  • During chassis reboot and daemons restart, mib2d client tries to connect to the statistics daemon. There are two connections established from mib2d to the statistics daemon. When a few MIB requests are in the queue for processing in both the connections, because of the nature of the two connections, there is a chance of deadlock. The connection establishment of one connection is blocked by a processing request on another connection, which continues in a loop. This can cause two problems: 1. Walk on some OIDs (that is, 1.3.6.1.2.1.2 or 1.3.6.1.2.1.31) will not give results. 2. LLDP neighbor information will not be read. PR1221888
  • Firewall filter family "any" with shared-bandwidth-policer on MC-AE interface does not reconfigure bandwidth or carve up the policer when standby becomes active after A/S switchover; it drops all packets. PR1232607
  • With sampling configuration, if you do not define a version for the second flow server, after committing configuration, the backup Routing Engine might reboot. It might affect how routing protocols are replicated to the backup Routing Engine. PR1233155
  • With Routing Engine based sampling configured, it might be observed that the chassis stops exporting flow records after every 5-7 days. PR1270723
  • On all Junos OS platforms except SRX Series platforms, the firewall filter might not match when you configure the firewall filter with a wildcard (*.*) (such as "from interface ge-*.*") as matching condition. PR1274507

General Routing

  • Changing the static route configuration from next hop to qualified next hop might result in the static route being missing from the routing table. PR827727
  • In an MX Series Virtual Chassis (MX-VC) environment, the private local next hops and routes pointing to private local next hops are sent to the Packet Forwarding Engine from the master Routing Engine and not to the secondary Routing Engine. Then, a Routing Engine switchover occurs. Because the new master Routing Engine does not detect such next hops and routes, they are not cleaned up. When a next hop with the same index is added on the new master Routing Engine and sent to the Packet Forwarding Engine, the Packet Forwarding Engine might crash due to a stale next hop. PR951420
  • On QFabric node devices, interface flaps and resulting traffic drops can occur as a result of a Network Time Protocol (NTP) update. When this problem occurs, the string "SCHED_SLIP" appears in the log files. PR1008869
  • The output of show interfaces interface-set queue command might be abnormal. PR1014776
  • An MPLS route could have an associated clone route sharing the same label on the penultimate hop router. After an rpd restart, the label might not be released, causing a 4-byte rpd memory leak. Later, the rpd process might crash when MPLS tries to create the same label for another route. PR1028792
  • There was a timing issue between Junos OS software and the I2C controllers on an MPC5E during a reboot. The software has been corrected to wait for I2C controllers to be ready before it starts monitoring the voltage levels and current levels. PR1051902
  • MX Series Virtual Chassis inter chassis link load balancing is broken for MPC5/MPC6 due to hash mismatch between ingress and egress. As a consequence, when the ingress aggregated Ethernet interface primary link switchover is triggered and then control is switched back, VCP ports carried less traffic in the output direction than the stream ingress interface received. PR1060882
  • With inline L2TP IP reassembly feature configured, the MX Series routers with MPCs/MICs might crash due to a memory allocation issue. PR1061929
  • An incorrect byte count was seen in the ipfix exported statistics packets for MPLS flows. PR1067084
  • On a dual Routing Engine platform with GRES and NSR enabled, after Routing Engine switchover, the rpd might crash while trying to destroy a CNH NH (composite next hop, for example, it would be created in scenarios such as PIM, L3VPN, and MVPN) with a valid reference on it. This issue occurs because during switchover (while backup rpd switches to master), there is a transition period where rpd switches to master mode but KRT is still in backup mode. If KRT (still in backup mode) receives a CNH addition followed by route additions using this CNH during this phase, it would result in CNH in KRT with valid route references, yet on expiry queue. It is difficult to reproduce. In this case, after Routing Engine switchover it occurs twice consecutively. PR1086019
  • In dual Routing Engine systems when both Routing Engines reboot, if the mastership is not established or takes time to establish, mib2d might start and exit four times in quick succession. Hence it will not be running. PR1087428
  • On MX Series routers with MS-MPC/MS-MIC in use, if the NAT session is freed/removed without removing the timer wheel entry, the MS-MPC/MS-MIC might crash. This is a timing issue in which just before invoking the timer wheel callback, the NAT session extension got freed/removed. PR1117662
  • Insufficient time to allow an MPC5/MPC6 card to lock on the clocking source during FPC boot time might cause a Major Alarm because of "PLL Error." PR1137577
  • In an EVPN IRB deployment, when a given IP address initially bound to MAC M1 is later moved to be bound to MAC M2 instead, there might be a period of time where multiple IP routes exist for the IP address (one route associated with MAC M1, and one route associated with MAC M2) if M1 and M2 are hosted behind different EVPN PE devices on different Ethernet segments. Additionally, after such IP movement, multiple EVPN PEs might have ARP bindings for the IP address in question, though only one PE will have the latest binding. Other PEs might transiently have earlier, stale bindings until they age out via normal ARP procedures. This PR fix adds IP movement detection to EVPN so that stale ARP bindings and IP routes are cleaned up immediately when the IP move occurs rather than relying on the ARP aging timer. PR1141336
  • If any linecard crashes early during unified ISSU warmboot, the CLI might report ISSU success, resulting in a "silent ISSU failure". PR1154638
  • In a sampling feature, certain scenarios force handling of the sampled packet at the interrupt context, which might corrupt the BMEB packet context, and lead to BMEB FDB corruption. PR1156464
  • During periods of congestion on WAN egress of the Packet Forwarding Engine, WAN buffers are supposed to be used to queue up egress traffic. In this scenario, due to the software defect, fabric buffers were incorrectly getting utilized instead of the WAN buffers, leading to fabric buffer exhaustion. This prevented any further traffic toward fabric from being sent successfully on the concerned egress Packet Forwarding Engine, including diagnostic SELF-PING packets. Due to loss of SELF-PING, fabric healing would kick in for recovery/isolation. The issue is specific to MPC5/MPC6. The fix provided in this PR ensures that correct WAN buffers are used in case of over subscription. PR1163438
  • On MX Series routers with services PIC (MS-DPC/MS-MPC/MS-MIC), the ICMP time exceeded error packet is not generated on an IPsec router on the de-encapsulation side. PR1163472
  • When the MS-MIC or MS-MPC installed on an MX Series router is processing traffic, and the IPsec policy configuration is changed by means of adding or updating a policy, mspmand process might crash. At times IPsec rule configuration changes on the service PIC would not be updated without mspmand generating a core file. PR1166642
  • The cosd, dcd, or rpd might generate core files in subscriber management deployment using dynamic profiles and RADIUS authentication. PR1168327
  • Sampled continues logging events in the traceoption file after traceoption for sampled is deactivated. This can occur if there is no configuration under forwarding-options sampling but another configuration for sampled is present (for example, port-mirroring). PR1168666
  • In EVPN scenarios, the Layer 2 address learning daemon (l2ald) might not clean up the RNH_LE entry when the BGP neighbor is down, which causes end-to-end traffic of EVPN to be dropped. PR1173420
  • In very rare cases, multiple Routing Engine switchovers might result in an SNGPMB crash. The SNGPMB is the same as SPMB. It is on the line card and contains the LCPU. It also manages locally discovered issues and the switch fabric (via the chassis manager thread (CM), which communicates with the fabric manager thread (FM) in chassisd). PR1176094
  • NAT64 service-set: Port block efficiency and unique pool users statistics display incorrect values when the NAT pool is modified dynamically with CGNAT traffic for the particular term in the NAT rule. PR1177244
  • This is a display issue and does not affect power functionality. The fix applies to the show chassis power and show chassis environment pem commands when one of the DC PEM circuit breakers is tripped. PR1177536
  • CGNAT-NAT64: Memory leak is observed on a few ports for the EIM/EIF IPv4 traffic (2M sessions) from the public side. PR1177679
  • On dual Routing Engine platforms, if interface changes occur on aggregated Ethernet that result in marking ARP routes as down on the aggregated Ethernet (for example, bringing down one of the member links), due to an interface state pending operation issue on the backup Routing Engine, in a race condition, the backup Routing Engine might crash and reboot with an error message (panic:rnh_index_alloc: nhindex XXX could not be allocated err=X). PR1179732
  • In an IPv6 sampling environment, when IPv6 routes flap frequently, due to a software defect the Packet Forwarding Engine sometimes fails to insert or retrieve the sampling IPv6 route from the radix node. So, the Packet Forwarding Engine might crash. This is a corner case; it is hard to reproduce. PR1179776
  • In the hsl2 toolkit, there is a process that periodically checks the ASICs that communicate through it. Due to a bug in the toolkit code, the process used to invalidate the ASIC, causing a crash. PR1180010
  • With point-to-point interfaces and unnumbered interfaces, an rpd crash might be seen in corner cases on configuration changes. PR1181332
  • When an MS-MIC/MS-MPC is installed on an MX Series router, the PIC card on the MS-MIC/MS-MPC might crash in rare cases. This is a timing issue that might cause traffic loss, and no specific configuration is known to trigger it. PR1182807
  • Fragmented ALG control traffic is not supported on the MS-MPC or MS-MIC. PR1182910
  • If IGMP snooping is configured in a VPLS routing instance and the VPLS instance has no active physical interfaces, multicast traffic arriving from the core might be sent to the Routing Engine. As a result, host queues might get congested, which might cause protocol instability. PR1183382
  • On MX Series routers, MS-MIC crash might occur. The exact trigger of the issue is unknown; generally, this issue might happen very rarely without any external triggers. The crash might occur with any services configuration, with core files pointing to a program terminated with signal 4, Illegal instruction. PR1183828
  • AMS redundant interfaces are not listed under possible completions for operational commands. PR1185710
  • When both AMS-redundant interface and AMS-load-balancing interface are configured in the system, the "Not a deterministic nat pool" syslog message is generated whenever the deterministic NAT CLI command show services nat deterministic-nat nat-port-block is executed. PR1186723
  • On MX Series routers, a vulnerability in IPv6 processing has been discovered that might allow a specially crafted IPv6 Neighbor Discovery packet (NDP) to be accepted by the router rather than discarded. The crafted packet, destined to the router, will then be processed by the Routing Engine. A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the Routing Engine CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this occurs, the DDoS policer might start dropping legitimate IPv6 neighbors as legitimate ND times out. Refer to JSA10749 for more information. PR1188939
  • On MX Series routers with NAT service configured on AMS interfaces, after rebooting FPC/PIC, the NAT pool split between AMS members is incorrect. There are overlapping IP pools and sometimes missing pools, causing NAT to not work correctly. PR1190461
  • If a message received from the LLDP neighbor contains "Port Id" TLV that has "Interface alias" subtype and is longer than 34 bytes, subsequent running of show lldp neighbors might lead to l2cpd crash. PR1192871
  • On MX Series routers with MPC3/MPC4/MPC5/MPC6, the VSC8248 firmware on the MPC crashes occasionally. This PR enhances the existing VSC8248 PHY firmware crash detection and recovery, helping to recover from a few corner cases where the existing Junos OS workaround does not work. PR1192914
  • Due to a bug in schema with Junos OS Release 14.1Rx and 15.1Rx, administrators will not be able to push MPLS configurations to devices that include loose strict tags. PR1193599
  • In an EVPN scenario with static MAC configured in an EVPN instance, the remote EVPN instance can see the MAC route information. However after deactivating and activating the static MAC in EVPN instance, then checking the MAC route information in the remote EVPN instance, there is no such MAC route in the EVPN route table. PR1193754
  • In port mirroring, IPv4 inbound traffic might not get mirrored to the 10G analyzer interface in a certain interface type. PR1194139
  • The backup Routing Engine might restart unexpectedly due to memory leak after switchover. PR1198005
  • L2VPNs or L2Circuit services along with lengthy interface descriptions might lead to memory leak in a variable-sized malloc block, which in turn results in routing protocol process (rpd) crash because of an "out of memory" error. PR1198165
  • On MX Series routers with MPC5E installed, in a high-temperature situation, the temperature thresholds for triggering the high temperature alarm and controlling fan speed are based on the FPC level. Any sensor values in the FPC that exceed the temperature threshold of the FPC trigger the actions associated with temperature thresholds. PR1199447
  • Upgrading using unified ISSU might trigger a flap in the interfaces on MX Series routers. The following message might be seen: SFP: pointer Null, sfp_set_present. PR1200045
  • On MX Series routers, the mspmand process might crash on the MS-MPC with XLP B2 chip (for example, REV17). The exact trigger is unknown. It is usually seen with 70% to 90+% CPU load conditions. PR1200149
  • The MSPMAND might crash when an encrypted packet is received out of the range of replay-window size. The issue might occur in peak loads whereby the encrypted packets received are out of order due to drops in the network. PR1200739
  • The routing table will not be updated if some of the unnumbered interfaces go down, and some unnumbered interfaces are still active when there are multiple unnumbered interfaces configured under OSPF. PR1202795
  • During unified ISSU, MX Series Virtual Chassis might generate an unknown SNMP trap that indicates an event for the Routing Engine. The trap will show up as jnxChassisTraps.27 on the SNMP trap receiver. PR1203741
  • When a dynamic firewall filter is configured to match a packet in prefix/mask format, the firewall filter might not be correctly programmed on the Packet Forwarding Engine. PR1204291
  • In very rare conditions, the FPC might crash when the CLI command request chassis mic offline fpc-slot <fpc-slot> mic-slot <mic-slot> or request chassis pic offline fpc-slot <fpc-slot> pic-slot <pic-slot> is executed. This issue occurs when an SFP diagnostics polling function tries to access an already destroyed SFP data structure by the MIC/PIC offline. PR1204485
  • The Packet Forwarding Engine might install a next hop incorrectly and cause traffic loss, if there is a next-hop policy pointing to an IPv6 address that needs to be resolved. PR1204653
  • When PCEP is enabled and LSPs are undergoing changes, like make before break (MBB) for rerouting, the rpd has to send those updates to the PCE. However, when the PCEP session to PCE goes down, these updates are canceled, but the rpd fails to completely reclaim the memory allocated for these updates. This causes increases in the rpd memory every time the connection to the PCE goes down while LSPs are simultaneously going through MBB changes. This issue will be especially noticeable when connectivity to PCE goes UP and DOWN continuously. If the connection is in steady state, either UP or DOWN, then the memory leak will not happen. PR1206324
  • When FPC software reads watchdog timer on boot-cpld register, sometimes it gets an unexpected value "0x0000" because it was not refreshed by strocker in time. As a result, npc_check_boot_cpld: boot cpld watchdog time access error @0xff000005, expected 0x0faf (4015) got 0x0000 error message could be seen in syslog. PR1206624
  • The l2ald might thrash when the targeted-broadcast is configured on EVPN IRB. PR1206979
  • False positive message Host 1 failed to mount /var off HDD, emergency /var created is observed after both Routing Engines are upgraded. PR1207864
  • The logic to calculate the IPsec phase2 soft lifetime has been changed in Junos OS Release 14.2R6, resulting in an interoperability issue in certain scenarios. A hidden configuration statement is provided as part of this PR, which will revert the soft lifetime logic to the one used in Junos OS Release 11.4. PR1209883
  • When an ARP entry is learned through the aggregated Ethernet interface, and a route is pointing to that ARP next hop, the ARP entry might not be expired even though the ARP IP is no longer reachable. This issue occurs due to the route next hop on the aggregated Ethernet interface getting stuck in a unicast state even if the remote end is not reachable, and the rpd never gets to determine that ARP is invalid. The route next hop on the aggregated Ethernet interface should be displayed in “hold” state when the remote end is not reachable. PR1211757
  • On MPC5E/6E without Q installed, the log message Drops due to disabled queueing system is observed when sampling or port-mirroring is enabled with packets clipped. PR1211855
  • On T Series platforms, if interfaces from FPC Type 4 and FPC TYPE 5 are configured together in one VPLS routing instance, incorrect TTL might be seen when packets go through the VPLS domain. For example, packets received through an FPC TYPE 4 might be forwarded to another FPC type 4 with incorrect TTL. The incorrect TTL could cause a serious VRRP issue. When VRRP is enabled, after one CE sends the VRRP advertise packets with TTL value 255, another CE might receive the VRRP packet with TTL value 0 and therefore discard these VRRP packets. As a result, the VRRP status in both CE becomes Master/Master. PR1212796
  • On EVPN/VXLAN setup with the MX Series router as PE device, when both ARP aging-timer and static MAC are applied on the IRB interface associated with EVPN, the packet originating from the Routing Engine on the PE router (such as ping) to the core side might be corrupted. This issue only impacts the traffic originating from the Routing Engine and does not impact the transit traffic. PR1213062
  • The MS-MPC/MS-MIC service cards might generate a core file when using certain ALGs or the EIM (endpoint-independent mapping) / EIF (endpoint-independent filtering) feature due to an incorrect mapping in memory. PR1213161
  • FPC Type 5 - 3D cards might run into an over-temperature condition in T4000 routers. Under certain circumstances, the chassisd declares the over-temperature condition and by default the router shuts down in 240 seconds. Over-temperature SNMP traps (jnxOverTemp) are not sent to external NMS. PR1213591
  • An MS-MPC or MS-MIC Service PIC might crash when large fragmented packets are passed through an Application Layer Gateway (ALG). Repeated crashes of the service PIC can result in an extended denial-of-service condition. The issue can be seen only if NAT or stateful firewall rules are configured with ALGs enabled. PR1214134
  • If a zero-length interface name comes in the SDB database, on detection of a zero-length memory allocation in the SDB database, a forced rpd crash would be seen. PR1215438
  • The AMS interface is configured in warm-standby mode, and when failover occurs a percentage of the traffic might fail to get NAT. After the failover, the internal mappings driving traffic back to the service PIC might fail. PR1216030
  • In large-scale configurations or environments with high rates of churn on MX Series routers with FPCs, ASIC memory will become "fragmented" over time. In an extreme case, it is possible that memory of a particular size will become exhausted. Also, because of the fragmentation, the available memory will not fulfill the pending allocation. PR1216300
  • If RS/RA messages were received through an ICL-enabled (MC-AE) logical interface, packet loss would be seen and last for a while. PR1219569
  • On M Series, MX Series, or T Series routers, enabling the VRRP delegate-processing ae-irb feature might cause VRRP and BFD to flap. PR1219882
  • A vulnerability in IPv6 processing has been discovered that might allow a specially crafted IPv6 Neighbor Discovery packet (NDP) to be accepted by the router rather than discarded. The crafted packet, destined to the router, will then be processed by the Routing Engine. A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the Routing Engine CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer might start dropping legitimate IPv6 neighbors as legitimate ND times out. Refer to JSA10749 for more information. PR1220213
  • Due to a defect related to auto negotiation in a Packet Forwarding Engine driver, making any configuration change to interface in MIC "3D 20x 1GE(LAN)-E,SFP" might lead to interface flapping. PR1222658
  • The problem of tunnel stream getting misconfigured for interfaces is due to internal programming and has been corrected to evaluate multiple lt interfaces for FPC and PIC slot combination. PR1223087
  • In an EVPN all-active multihoming scenario, when you create and roll back an EVPN table, a Layer 2 loop and traffic loss occur. RPD sends a MAC address for a Layer 2 address learning process on creation and a Remote-To-Local-Adv-Done flag. After this point there is no withdrawal sent for this MAC from the RPD due to a mismatch cpmac tree. The fix adds code to ensure that the deletion of the MAC from the server happens when building an IPC message instead of recording the event for later. PR1226436
  • The Routing Engine CPU uses chassis temperature to decide fan speed instead of Routing Engine CPU temperature. The fix uses the real Routing Engine CPU temperature to decide the temperature threshold. PR1230109
  • On all platforms, for IPv6 static routes derived from weighted LSPs, unequal load balancing does not work. PR1230186
  • Unsuccessful DCE-RPC ALG sessions result in stale gates and lead to MS-MPC/MS-MIC restart when the gates clean up occurs after timeout. PR1230868
  • An incorrect PE router is being attached to an ESI when the router receives two copies of the same AD/ESI route (for example, one through eBGP and another one received from an iBGP neighbor). This will cause a partial traffic black hole and stale MAC entries. You can confirm the issue by checking the members of the ESI:

        user@router> show evpn instance extensive
        ...
        Number of ethernet segments: 5
          ESI: 00:13:78:00:00:00:00:00:00:01
            Status: Resolved
            Number of remote PEs connected: 3
              Remote PE        MAC label  Aliasing label  Mode
              87.233.39.102    0          0               all-active
              87.233.39.1      200        0               all-active   <<<< this PE is not part of the ESI
              87.233.39.101    200        0               all-active

    PR1231402
  • ICMP identifier is not translated back to the expected value during traceroute for TTL exceeded packets on NAT using Multiservices MPC. This occurs for ICMP ID >255 and causes all hops (except first and last) to appear. PR1231868
  • When there is an MS-MPC card (Multiservices-MPC card) installed in an MX router, the MS-MPC card might crash when OSPFv3 IPv6 traffic goes through it, which impacts all of the services running on the MS-MPC card. PR1233459
  • When port mirroring is set on the MX Series router, LSP ping might fail and IP packets with options will not get mirrored due to an unexpected echo reply from DUT. PR1234006
  • When a non-Juniper SFP is used in MIC-3D-20GE-SFP-E or MIC-3D-20GE-SFP-EH MIC, the ISR 2 (MIC error interrupt) might run over 2.5 seconds, and then the FPC host for the MIC might restart and crash. This fix adds interrupt throttling for MIC interrupt and restarts the MIC if interrupts are more than the threshold (> 2500 per 5 min). PR1235475
  • On all platforms that support EVPN-VXLAN, the outer source MAC in the ARP reply packet header does not correspond to the inner virtual MAC if virtual MAC is configured. PR1236225
  • When PIC-based MPLS J-Flow is configured and MPLS packets are being sampled at egress (to be sent to service PIC), the sampled packets do not reach the service PIC, which results in no MPLS J-Flow getting created. PR1236892
  • Due to lack of proper boundary checks in code, the MS-MPC might crash when receiving internally corrupted frames from other FPCs that have hardware failure or incorrect rewrite programming. PR1237667
  • When the interface configured under router-advertisement physically comes up for the first time, the rpd might repeatedly send the router advertisement, which might result in as high as 100% Routing Engine CPU usage. PR1237894
  • In some specific cases, the untagged bridged traffic might not be mirrored on the second port of the mirrored group. If the untagged bridged traffic is to be mirrored or sent on two different interfaces of the mirrored group, the traffic might be mirrored or sent only on one of the mirrored interfaces or ports. PR1241403
  • In a race condition, ksyncd crash might be seen on the new master Routing Engine after performing unified ISSU or GRES switchover. This issue is difficult to reproduce. PR1241875
  • The power supply modules (PSMs) enter the present state whenever there is a feed failure. The logic is changed to update the PSM state based on the number of feeds connected. PR1245459
  • This issue occurs in an EVPN-VXLAN scenario with IP fabric topology in which the leaf works as a Layer 2 gateway and the spine works as a Layer 3 gateway, and proxy-macip-advertisement has been enabled on the spine. When a MAC address is learned initially from a PE device on an ESI, and then the MAC advertisement is received from the given PE device on a different ESI, the rpd process on the spine might crash and restart. PR1247338
  • SPMB reboot causes fabric traffic to be silently dropped or discarded for more than 1 minute in TXP-3D. PR1248063
  • When fragmented Remote Procedure Call (RPC) packets are processed by the RPC ALG, they end up in an infinite loop, which results in hardware thread hanging and FIFO queues getting full. Next, the MS-MPC/MS-MIC service “PIC” generates a core file, and traffic is silently dropped or discarded. PR1248397
  • On Junos OS devices with EVPN and VXLAN configured, if proxy advertisement for the MAC+IP feature is enabled, after the ARP entries age out on the leaf switch, the corresponding MAC+IP routes on the spine would not be cleaned up. PR1248647
  • When an IPv6 node receives an ICMPv6 PTB (Packet Too Big) message with MTU < 1280, the node will emit atomic fragments. This behavior might result in a denial-of-service attack. Refer to https://kb.juniper.net/JSA10780 for more information. PR1250832
  • Adding an application set with inactive applications that are not defined under the [applications] hierarchy will lead to constant core files, each time the services PIC boots back up. PR1258060
  • Class of service (CoS) does not correctly classify egress L3 multicast traffic from an ingress VLAN bridge interface after a configuration change. PR1260413
  • On MIC-3D-20GE-SFP-E or MIC-3D-20GE-SFP, when SFP diagnostic information is being read out periodically, due to a malfunctioning SFP or noise on the I2C BUS, the SFP thread might hog CPU resources, and a watchdog check will restart the MPC to recover. Enhancements will prevent the SFP thread hogging and MPC restart. PR1260517
  • On MX Series routers with QSFP optics, Rx cleared and set messages will repeat when the laser is down, even when actual flapping does not occur, and overwhelm the messages file. PR1261793
  • On MX Series routers with MS-MPC, with the Ethernet frames with more than 2000 bytes of payload, the mspmand process that manages the Multiservices PIC might crash. Traffic forwarding might be affected. PR1264712
  • When VSTP is enabled on a double-tagged aggregated Ethernet logical interface and there is another single-tagged aggregated Ethernet logical interface configured with the same outer VLAN tag, then the incoming traffic on that VLAN incorrectly hits the AE_RESERVED_IFL_UNIT (AEx.32767) and the traffic gets dropped. PR1267238
  • Changing the mode of the interfaces causes the interface to go DOWN/UP. For the interface to be down, all the queues (in/out) associated need to be emptied. Due to a certain condition, the queue does not get emptied and the interface pointer does not get freed properly, resulting in FPC crash. PR1273462
  • In an EVPN-MPLS or EVPN-VXLAN environment, if the sub interface is configured with VLAN-aware (instance-type virtual-switch), in a rare condition the FPC/MPC might crash. PR1274976
  • On MX Series platforms with MS-MPC/MS-MIC installed, spd memory leak might be observed after adding/removing the service-set statement from the configuration. Spd will eventually crash due to memory exhaustion. PR1276809
  • After an MS-MPC-PIC is offline/onlined or bounced (because of an AMS configuration change), sometimes the PIC can take ~400 seconds to come up. PR1280336
  • A routine within an internal Junos OS sockets library is vulnerable to a buffer overflow. Malicious exploitation of this issue might lead to a denial of service (kernel panic) or be leveraged as a privilege escalation through local code execution. The routines are only accessible via programs running on the device itself, and veriexec restricts arbitrary programs from running on Junos OS. There are no known exploit vectors utilizing signed binaries shipped with Junos OS itself. Refer to https://kb.juniper.net/JSA10792 for more information. PR1282562
  • GRE Operation, Administration, and Maintenance (OAM) fails to come up when GRE tunnel source and family inet address are the same (as shown in the following configuration statements):
    set interfaces ge-0/0/0 unit 0 family inet address a.b.c.d/30
    set interfaces gr-0/0/1 unit 0 tunnel source a.b.c.d
    set interfaces gr-0/0/1 unit 0 tunnel destination x.x.x.x
    set interfaces gr-0/0/1 unit 0 family inet unnumbered-address ge-0/0/0.0
    set protocols oam gre-tunnel interface gr-0/0/0.0 keepalive-time x
    set protocols oam gre-tunnel interface gr-0/0/0.0 hold-time x PR1283646
  • The next-hop (NH) memory partition on the Packet Forwarding Engine might be exposed to a leak in the NH application when the number of ECMPs is changed from 18 to 17 (or 50 to 40). PR1285747
  • The rpd might not immediately notify the kernel to reinstate the direct routes associated with an interface coming UP. PR1288492
  • Performance issues might be seen when nontranslated traffic is introduced to a service-set using a large number of Network Address Translation terms. This has been seen so far when 2000 NAT terms were present and a few 100pps did not match any of these terms and went through nontranslated. PR1288510
  • With IKEv1 aggressive mode, dead peer detection and Network Address Translation-Traversal might not work because there is no vendor-ID shared. PR1290689
  • As a result of a regression, introduced in Junos OS Releases 14.1R5, 14.2R3, 15.1R1, 15.1F2 and later, G.751-framed E3 interface traffic rate has been limited to 30 mbps on certain MX Series MICs. This PR is to restore the correct E3 rate. PR1304344

High Availability (HA) and Resiliency

  • After graceful switchover is triggered in the master VRRP router for the first time, the master state for all the VRRP instances is toggled to the backup and comes back to the master immediately. During this time, all the traffic is dropped and comes back. PR1142227

Infrastructure

  • With Junos OS Release 13.3 using Ericsson and Juniper EPG platforms, some session PIC C-PIC cards might experience a race condition resulting in kernel vmcores, followed by reboot (failover to spare C-PICs) due to soft-update BSD enabled in some partitions of the Routing Engine. The softdeps on FreeBSD is not used any longer in Free BSD6 where the fix includes disabling it on all Junos OS partitions. PR1174607
  • Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory. Refer to https://kb.juniper.net/JSA10784 for more information. PR1184592
  • In an RSVP scenario with provision RSVP LSP with ldp-tunneling enabled and the LSPs configured with link protection, continuous kernel logs and LDP statistics timeout errors might be seen when executing show ldp traffic-statistics. PR1215452
  • On all Junos OS platforms and on the router with PIM enabled that has a local receiver, stale next hops are present because they did not get deleted by processes (daemons) due to a timing issue. PR1250880
  • Legacy Junos OS kernel might generate a core file on userland_sysctl / sysctl_root / sysctl_kern_proc_env / panic_on_watchdog_timeout. PR1254742
  • On Junos OS devices with legacy FreeBSD (FreeBSD version 6.X) based on Junos OS, the devices might crash and reboot if there is a defect in the Junos OS SDK-based multithreaded application that has been used. PR1259616
  • For TX/TXP system, the kernel synchronization process (ksyncd) might restart on all LCCs after executing command clear interfaces statistics all when there is large SNMP polling. PR1274095

Interfaces and Chassis

  • If Virtual Router Redundancy Protocol (VRRP) is configured to track a route in a routing instance, after graceful Routing Engine switchover (GRES) or Routing Engine switchover, the VRRP group might show the wrong master/backup state. PR1134189
  • When polling SNMP MIBs for IPv6 traffic (for example, jnxIpv6IfInOctets) the logical interface (IFL) on IQ2 or IQ2E PIC might occasionally report double statistics. PR1138493
  • In an MX Series BRAS environment, when you try to remove a demux0 interface, the DCD process might crash and a core file will be generated. PR1175254
  • In MX Series Virtual Chassis setup, CFM sessions on the aggregated Ethernet interface are not distributed to the FPC when member-1 chassis are chosen as primary. PR1198447
  • On MX Series routers with oam ethernet connectivity-fault-management configured, if you deactivate or activate "oam ethernet" and simultaneously restart EOAM process (restart ethernet-connectivity-fault-management), then cfmd might be stuck in high CPU state. PR1198771
  • A cfmd core file is generated upon commit if the following conditions are met:
    • CFM is configured
    • ICC format for MA is incorrectly configured (for example, CC name-format does not start with a character).
  • When you configure vlan-tags for any interface, if the interface configuration is changed continuously, there could be a memory leak during device control process (dcd). If the memory is exhausted, the device control process (dcd) might crash. PR1207233
  • When VRRP is configured on an IRB interface with scaling configuration (300K lines), in a corner case, handles might not be released appropriately after their use is over. As a result, memory leak on vrrpd might be seen after configuration commit. PR1208038
  • In a PPP subscriber scenario, if the jpppd process receives a reply message attribute from the RADIUS or TACPLUS server with a character of %, it might cause the jpppd process to crash and cause the PPP user to be offline. PR1216169
  • The device control process (dcd) cannot start after router reboot because of a nonexistent logical interface referenced in demux-options underlying-interface. PR1216811
  • On Junos OS Release 14.2 and later releases, if asymmetric-hold-time, delegate-processing and preempt hold-time are configured, when the neighbor's interface comes up again, the asymmetric-hold-time feature cannot be used as expected. PR1219757
  • Previously, the same IP address could be configured on different logical interfaces from different physical interfaces in the same routing instance (including master routing instance), but only one logical interface was assigned with the identical address after commit. There was no warning during the commit, only syslog messages indicating incorrect configuration. This issue is fixed and it is now not allowed to configure the same IP address (the length of the mask does not matter) on different logical interfaces. PR1221993
  • When using the Ethernet Operation, Administration, and Maintenance (OAM) connectivity fault management feature, if the remote end deactivates the protocols oam ethernet connectivity-fault-management maintenance-domain configuration, the interface will go down as expected. However, once the remote end activates the configuration, the local interface stays down. (The defect is introduced in Junos OS Release 15.1F5 branch and occurs in Junos OS Release 15.1F5-S3 or later.) PR1231315
  • When OAM CFM (connectivity-fault-management) MEP is configured on the LSI or tunnel interface that is on DPC card, every time a DMM (two-way frame delay measurement) or 1DM (one-way frame delay measurement) packet is received, certain harmless error messages might be seen. This is due to software time stamping not being used. The fix addresses the time stamp and suppresses the logs as well. PR1232352
  • The configuration change in a static VLAN demux interface in which the underlying physical interface is changed to one with a lower bandwidth (for example, from xe to ge) can fail with the following error: error: Bandwidth on IFL demux0.7000 cannot be greater than that of its physical interface. For example:

    user@router# show | compare
    [edit interfaces demux0 unit 7000 demux-options]
    - underlying-interface xe-0/1/0;
    + underlying-interface ge-0/3/9;
    user@router# commit
    re0:
    error: Bandwidth on IFL demux0.7000 cannot be greater than that of its IFD
    error: DCD Configuration check FAILED.
    error: configuration check-out failed.

    PR1232598

  • On M7i and M10i devices, jnxOperatingState returns unknown value1 for Fan Tray 1. PR1237255
  • When configuring enhanced-sla-iterator for connectivity fault management (CFM) sessions, under performance-monitoring, a race condition might occur, where the sla-iterator will attempt to collect statistics on a maintenance endpoint (MEP) that is down. This will trigger the iterator adjacency to be removed from the Packet Forwarding Engine, leading to the inability to provide any statistics on the sla-iterator-profiles configured. PR1244525
  • In some rare situations, Ethernet connectivity fault management process (cfmd) might crash when committing a configuration where CFM filter refers to a firewall policy. When hitting this issue, all CFM enabled interfaces are down. PR1246822
  • If more than one logical interface (IFL) is configured under the same physical interface (IFD), and VRRP is configured on one logical interface without VLAN and the lower unit number logical interface has a VLAN configuration present, then VRRPD incorrectly carries the VLAN information from the lower unit number logical interface to this logical interface's configuration. As a result, VRRP might get stuck (state: unknown, VR State: bringup). This might happen if VRRP is configured on the physical interface with flexible-vlan-tagging or the lt interface without flexible-vlan-tagging. PR1247050
  • On Junos OS platforms, the cfmd process runs by default until Junos OS Release 16.1R2. When the bridge-domain is configured with a trunk port, and a commit is performed on configuration related to a physical interface or logical interface, a cfmd memory leak (512 bytes) is observed due to a software defect. The memory leak could cause cfmd to crash when it exceeds the RLIMIT (128M). PR1255584
  • When an Ethernet OAM LFM session is configured, the line card hosting the LFM session might reboot after the configuration is committed. PR1283280

J-Web

  • Junos OS: Integer signedness error occurs in GD Graphics Library (CVE-2016-3074) that results in a heap overflow when processing compressed data. Refer to https://kb.juniper.net/JSA10798 for more information. PR1218092

Layer 2 Ethernet Services

  • IPv4 and IPv6 long Virtual Router Redundancy Protocol (VRRP) convergence delay and unexpected packet loss might happen when MAC move for the IRB interface occurs (for example, when flapping the Layer 2 interface that is the underlying interface of IRB on the master VRRP). PR1116757
  • In rare cases, a logical IRB interface (irb.x) might refer to a wrong MAC address when sending unicast IPv6 neighbor solicitation (NS) (a packet type of IPv6 Neighbor Discovery Protocol) to verify the reachability of a neighbor. The NS messages will be sent with a wrong source MAC address, which results in the neighbor discarding the packet and IPv6 neighborship going to an unreachable state. Note: Neighbor solicitations are multicast when the node (host or router) needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor. Please note that this PR is not applicable from code point in Junos OS 15.1 Release. PR1191086
  • When trying to commit logical interface (Interface Unit) number greater than 32K under IRB interface in Junos OS Release 14.2R5-R7 or 16.1R1, commit does not report error, causing some protocols (such as VRRP) to not work properly. PR1192344
  • When MSTP or VSTP is configured, if graceful Routing Engine switchover (GRES) is enabled but nonstop bridging (NSB) is not enabled, after Routing Engine switchover, the MAC address might not be learned due to spanning-tree state "discarding" in the kernel table. PR1205373
  • When LACP is configured in fast periodic along with the fast-hello-issu command, LACP might time out if there is any interface commit operation on the peer router during unified ISSU, which causes OSPF adjacency flapping. PR1240679
  • In a large-scale unified ISSU testing, a MPC/FPC might go offline during the FRU upgrade phase of unified ISSU. PR1256940
  • The IPv4/IPv6 packets originating from the Routing Engine might be corrupted when the bridge domain has 'vlan-id' set to none, but the outgoing L2 interface for the packet is tagged and CoS is enabled. It only affects packets that originate from the Routing Engine but does not affect transit traffic. It affects both IPv4 and IPv6 packets. PR1263590

MPLS

  • Traffic blackhole happens on some branches of a p2mp LSP after one of the sub-LSPs reconverges. The issue happens only if optimize-switchover-delay is configured and it is greater than the LSP retry-timer. When the issue is observed, rpd and the kernel are not synchronized with each other and the LSP undergoes continuous MBB. PR1159838
  • The log messages like /kernel: %KERN-3: tag_nh_iff_record_delete_iff:404 are cosmetic and were switched on in another PR by mistake. PR1171947
  • RSVP signaled p2mp sub-LSP with at least 1 or more sub-LSPs in a down state might not get reoptimized in the event of a transit core link going down. If there are no sub-LSPs in a down state at the time of reoptimization, then this issue is not seen. This can cause traffic drop over the sub-LSPs carrying traffic that are unable to get reoptimized. PR1174679
  • In an LDP-signaled LSPs scenario, if LDP statistic is configured or the command show ldp traffic-statistics is executed, the device will process statistics for every LDP-signaled LSP. If there is an LSP with scaled next hops, it might take too much time to look up all the next hops and overload the routing protocol process (rpd). PR1191406
  • With a high degree of aggregation and a large number of next hops for the same route, LDP might spend too much CPU updating routes due to topology changes. This might result in scheduler slip, LDP session timing out, and long LSP convergence. PR1192950
  • A specific LDP packet destined to the Routing Engine will consume a small amount of the memory allocated for the routing protocol process (rpd). Over time, repeatedly receiving this type of LDP packet will cause the memory to exhaust and the routing protocol process (rpd) to crash and restart. It is not possible to free up the memory that has been consumed without restarting the rpd. This issue affects Junos OS based devices with either IPv4 or IPv6 LDP enabled via the [protocols ldp] configuration (the native IPv6 support for LDP is available in Junos OS 16.1 and later releases). The interface on which the packet arrives needs to have LDP enabled. Refer to https://kb.juniper.net/JSA10777 for more information. PR1197631
  • Junos OS: denial of service vulnerability in routing protocol process (rpd) (CVE-2017-2347); Refer to https://kb.juniper.net/JSA10795 for more information. PR1204027
  • When using RSVP-TE protocol to establish LSPs, make before break (MBB) might not be quit and will start again when there is a failure on PSB2 (RSVP Path State Block for new LSP) in some cases where PathErr is not seen. (For example, for a PSB2 that is already up and there is PathErr processing for it in place already; in this case, no PathErr is seen owing to local-reversion and a quick flap.) As a result, no rerouting happens even if the TE metric cost is raised. This issue has more chances of occurring when there is non-default optimize switchover delay. PR1205996
  • When nonstop active routing (NSR) is configured with a Label Distribution Protocol (LDP), export policy, or an L2 smart policy, the routing protocol process (rpd) on the backup Routing Engine might crash when LDP tries to delete a filtered label binding. PR1211194
  • Due to an imperfect fix for a compatibility issue between 64-bit routing protocol process (rpd) and 32-bit client applications (such as "mpls ping", "monitor label-switched-path" and "monitor static-lsp") on Junos OS Release 15.1F5-S3/15.1F6/14.2R7/15.1R4/16.1R1, the function of monitoring signaled or static LSP is broken on either 64-bit or 32-bit rpd. But the other 32-bit client applications ("mpls ping" and "monitor static-lsp", for example) are not impacted. PR1213722
  • In a scaled environment, when there are many unicast next hops related to the same transport LSP (for example, the same RSVP or LDP label), MPLS traffic statistics collection might take too much CPU time in kernel mode. This can in turn lead to various system impacting events, like scheduler slips of various processes and losing connection toward the backup Routing Engine and FPCs. PR1214961
  • On MX Series routers operating with Layer 3 VPN and configured to allow chained composite next hops for devices handling ingress or transit traffic in the network, packets might not be forwarded after they pass through the generic routing encapsulation (GRE) tunnel. This issue is observed on routers operating with Layer 3 VPN that also include the statement chained-composite-next-hop ingress at the [edit routing-options forwarding-table] hierarchy level. When configured in this manner, the Packet Forwarding Engine cannot push VPN labels for packets. As a result, packets arriving at the next-hop destination cannot be forwarded. PR1215382
  • On MX Series platforms with Label Distribution Protocol (LDP) enabled, the deletion of an LDP entry (for example, LDP interface down) might cause many LDP entries to be deleted, which might result in routing protocol process (rpd) crash. PR1221766
  • If the link or node failure that triggered a bypass persists for a long time, and there are LSPs that do not get globally repaired, as a result multiple stale LSP entries are shown and get listed multiple times in the MPLS LSP. PR1222179
  • In Junos OS 14.1R3, 14.2R1 and later releases, label distribution protocol (LDP) will import metric for all IS-IS routes that have tags without the configuration statement track-igp-metric. PR1225592
  • On MX Series platforms, the rpd might crash when the RSVP bypass undergoes re-optimization and the re-optimized instance encounters failure before it becomes the main instance. PR1250253
  • The routing protocol process crash might be seen if egress-policy is configured in LDP and the same route prefixes are in both inet.0 and inet.3. PR1266358
  • At the transit node of a P2MP tunnel, the changes to the Resv-State of a sub-LSP might inadvertently cause the Resv-State of other sub-LSP in the same session to skip refresh cycles, which might result in the Resv-tears being sent upstream. Flapping of one of the sub-LSP might cause other sub-LSPs in same p2mp session to be torn down. PR1272223
  • The following log message might be seen when you have an output firewall filter attached to the loopback interface: >>>>>> kernel: in_dfw_match: invalid IP version 1. This is caused by incorrect parsing of MPLS l2ckt ping packets. The logs are completely harmless, and do not indicate any packet discard. PR1288829

Multicast

  • The routing protocol process (rpd) creates an indirect next hop when a multicast route (S,G) needs to be installed when listeners show their interest to S,G traffic. The kernel then creates a composite next hop. In this case, it appears to be P2MP MCNH that gets created. When any member interface is not a Packet Forwarding Engine specific interface (for example, Vt, LSI, IRB, or any other pseudointerfaces), the kernel throws a message indicating that FMBB cannot be supported. These messages are harmless and do not have any impact. PR1230465

Network Management and Monitoring

  • In rare cases, when the mib2d process attempts connection with the snmpd process and if there are pending requests waiting to be finished, the mib2d process might crash, and the CPU utilization is high around the same time as the crash happens. PR1076643
  • When a MIB table having a 32-bit key (unsigned int) is being queried in 64-bit machines, Junos OS might return an error or return unexpected data. PR1126973
  • A trailing newline was erroneously added to the $$.message variable. This had undesirable effects for some use cases when using the event-options policy <> then execute-commands commands <> stanza. The fix escapes any newline character, which mitigates the issue. PR1200820
  • Duplicated entries and errors while loading MIBs on ManageEngine MIB Browser are fixed for the following MIB files:
    - jnx-chas-defines.mib
    - jnx-gen-set.mib
    - jnx-ifotn.mib
    - jnx-optics.mib PR1216567
  • On Junos OS devices with SNMP enabled, a network-based attacker with unfiltered access to the Routing Engine can cause the Junos OS snmpd process (daemon) to crash and restart by sending a crafted SNMP packet. Repeated crashes of snmpd can result in a partial denial-of-service condition. Additionally, it might be possible to craft a malicious SNMP packet in a way that can result in remote code execution. Refer to https://kb.juniper.net/JSA10793 for more information. PR1282772
  • On MX Series devices, the show arp no-resolve interface command displayed unrelated static ARP entries. This is fixed so that the command displays the proper static ARP entries of the given interface. PR1299619

Platform and Infrastructure

  • The sysctl_tnp_neighbor_interface_event messages might show up in a router's messages log. PR975539
  • SNMP queries to retrieve jnxRpmResSumPercentLost will return the RPM/TWAMP probe loss percentage as an integer value, whereas the precise value (including decimal points) can be retrieved through the CLI by using the following commands: show services rpm probe-results and show services rpm twamp client probe-results. PR1104897
  • Configuring a parameter of "broadcast 255.255.255.255" to an interface family inet when executing the commands show arp or clear arp causes a kernel crash. This issue might cause route flap, which impacts traffic. PR1120114
  • Bidirectional Forwarding Detection (BFD) session fails to come up when it is configured over the sonet interface without an IP address. The IFA GET operation performed by BFD fails because there is no address configured on the interface. PR1165720
  • In some scenarios, when multiple logical routers are configured on a single physical router, an ordering issue might occur while updating routing states across the logical routers, causing the kernel to crash. PR1169505
  • Internal Fabric Header Corruption on trio Packet Forwarding Engines can lead to packet corruption on the egress PFE. This PR effort is to protect the Fabric header coming to egress MX Series Packet Forwarding Engine with a fabric CRC check. This is shown to avoid wedges due to corrupted fabric headers. PR1170527
  • If you configure micro-bfd on aggregate interface, when using native-vlan and if native-vlan is configured on one of the logical interfaces, then ARP resolution fails for that logical interface. PR1172229
  • When persist-groups-inheritance is configured, mgd process is not setting the CHANGED bit in the configuration DB for policy-options prefix-list <> apply-path correctly. So rpd process determines that "apply-path" has not changed and does not read this configuration path again. Also, apply-path function is broken. PR1173443
  • This PR fixes an FD (file descriptor) leak problem in MGD process when NETCONF traceoptions are set. If <commit> rpc is executed through a NETCONF session, there is an FD leak in the corresponding MGD pid. PR1174696
  • On dual Routing Engines with graceful Routing Engine switchover (GRES) enabled, after performing GRES, if the configuration synchronization on the backup Routing Engine fails when it becomes the new master Routing Engine, then in rare conditions, some interfaces cannot be deleted or configuration changes cannot be committed. PR1179324
  • On MX Series routers with MPCs/MICs with network services Enhanced-IP mode, FPC CPU goes high for several minutes (30 minutes) when a bulk of MAC/ARP are learned through LSI interfaces, causing traffic interruption. The issue can be seen with various triggers (for example, MAC flush, FPC reboot and link flap). PR1192338
  • A rare VMCORE can occur because the process limit has been breached by too many RSHD children processes being created. PR1193792
  • On MX Series Virtual Chassis, MPC board selects a clock from the next reference after graceful Routing Engine switchover (GRES), which is a line interface. If there is no signal on that line, then the clock is bad and link flaps could occur or the MPC might generate a core file. PR1194651
  • Syslog storage in a file could abruptly stop due to a race condition in handling log file rotation. PR1195239
  • On an MX Series router with MQCHIP line cards (MX Series routers with MPCs) with traffic-control-profile, if the overhead accounting is configured with negative values, it might not work. The shape function will be affected. PR1195866
  • On Junos OS platforms with configuration statement delta-export enabled, the delta-export database might not get correctly reinitialized upon one of the following conditions:
    • delta-export is enabled for first time (delta-export is enabled in only this commit)
    • load override (delta-export is enabled in the configuration)
    • commit full (delta-export is enabled in the configuration)

    As a result, there is a mismatch in databases in further commits, and the configuration on the backup Routing Engine will be corrupted. PR1199895

  • There is no configuration shown when showing default groups of junos-defaults. PR1201380
  • The blank firewall logs for IPv6 packets with next-header hop-by-hop issue is fixed. PR1201864
  • After system boot up or after PSM reset, you might see the PSM INP1 circuit Failure error message. PR1203005
  • When a NETCONF get-route-information RPC is executed for all routes through the ssh transport session and the session is terminated before all the route information is retrieved, the MGD and rpd processes cause high CPU utilization for an extended period of time. These are some examples of the issues caused by high CPU utilization for extended periods:
    • BGP neighbors hold down timer expires and becomes ACTIVE
    • OSPF adjacencies reset during database exchange
    • OSPF LSA retransmission events on neighboring nodes occur due to missing ACKs
    • LDP sessions time out
    • Non-distributed Bidirectional Forwarding Detection (BFD) sessions get reset due to missing keepalives.

    PR1203612

  • If inline J-Flow is configured in scaled scenarios, inline J-Flow sampler route database takes a lot of time to converge. PR1206061
  • With 64-bit routing protocol process (rpd), if an export policy with "from protocol" is applied to BGP, it might cause an error to filter some routes that do not match the values from "from protocol". PR1206511
  • NH (next hop) memory leak might be seen if MACs are moved from extended ports to regular port over irb. PR1208514
  • When inline J-Flow is enabled, the flow sequence number in the flow data template is set to zero on MPC5E/6E/7E/8E/9E and MPC2E-NG/MPC3E-NG while exporting the flow record to the collector. Certain collectors, depending on the implementation of the collector, might fail to decode the flow record, resulting in missing flows. PR1211520
  • The issue occurs when you are testing the real-time performance monitoring (rpm) probe through a CLI command. This might sometimes cause the rmopd process to generate a core file. PR1217140
  • MX Series routers with MPCs/MICs-based line cards might crash after firewall filter configuration change is committed. PR1220185
  • The auditd process might crash when it reads the event message from the socket and gets an EAGAIN error. When this issue occurs, log messages and core files like the following will be seen:

    router-re0 auditd[5357]: %DAEMON-0-AUDITD_SOCKET_FAILURE: auditd_event_reader: unable to read socket (Resource temporarily unavailable) <--------------
    router-re0 jlaunchd: %AUTH-3: audit-process (PID 5357) terminated by signal number 6. Core dumped!
    router-re0 jlaunchd: %AUTH-6: audit-process (PID 7907) started
    user@router> show system core-dumps
    -rw-rw---- 1 wheel 248577 /var/tmp/auditd.core-tarball.0.tgz

    PR1222493

  • NTP peers fail to synchronize in symmetric active mode when there is significant downtime of one peer (for example, due to power maintenance such as hardware or software upgrades). PR1222544
  • In an AI-Scripts (Advanced Insight Scripts) environment, when there is some special combination of jcs:printf(...) and some special characters (such as \n \t \\) at the boundary of the buffer, the scripts process might crash and high routing protocol process (rpd) memory usage is observed. PR1232418
  • Incoming interface index could not be used as a load-balancing input factor under family multiservice if the traffic payload is a non-Ethernet frame. PR1232943
  • The scale-subscriber license count might increase to an invalid license state with L2TP/LTS clients. This is due to the l2tpd daemon not going through a proper state transition on L2TP/LTS clients logout. Hence, the license count was not getting updated. PR1233298
  • NTP.org and FreeBSD have published security advisories for vulnerabilities resolved in ntpd (NTP daemon). Server-side vulnerabilities are only exploitable on systems where NTP server is enabled at the [edit system ntp] hierarchy level. A summary of the vulnerabilities that might impact Junos OS is in JSA10776. Refer to https://kb.juniper.net/JSA10776 for more information. PR1234119
  • Login for flow-tap DTCP-over-SSH service fails when SSH key-based authentication is configured for the flow-tap user. PR1234464
  • The issue occurs on the TX Matrix Plus platform, in which the audit process was running on both SFC and LCC. On MX Series Virtual Chassis, the audit process was running on master for both primary and backup. LCC on the TX Matrix Plus platform and backup master on the MX Series Virtual Chassis setup do not have reachability to the RADIUS server. But because the audit process was running on LCC and backup master, the Junos OS device tries to send accounting packets to the RADIUS server from LCC and backup master. Because there is no reachability, the packets are not transmitted and an error message is displayed in syslog. After the fix, the audit process does not run on LCC and backup master because they do not have reachability to the RADIUS server. Hence, no unnecessary logs are displayed. PR1238002
  • On rare occasions during the route add/delete/change operation, the kernel might crash with the error rn_clone_unwire no ifclone parent. PR1253362
  • In a logical systems environment, if there are some failures that cause Routing Engine switchover (not performing Routing Engine switchover manually), the kernel routing table (KRT) queue might get stuck on the new master Routing Engine with the error ENOENT -- Item not found. PR1254980
  • During unified ISSU, memory from the previous image related to hash tables is not properly recycled, which leads to blocks of physical memory being left unused. The crash is triggered by an attempt to create a memory pool using one of these blocks. PR1258795
  • After an interface switch, when the MAC moves from one interface to another, the next hop is incorrectly following the MAC route, which has been corrected via code changes. PR1259551
  • On an MX Series Virtual Chassis setup acting as an MVPN bud node and having a downstream local receiver and a PE node, traffic with a few multicast groups is reported as not being forwarded to the local receiver. PR1261172
  • When the real-time performance monitoring (RPM) daemon is running in Junos OS and a new line card or service card comes online, the error message GENCFG: op 9 (RPM Blob) failed; err 1 (Unknown) might be seen. PR1266336
  • In rare cases, the Packet Forwarding Engine might drop the TCP RST (reset) packet from the Routing Engine side while performing GRES or flapping an interface, and traffic might be dropped. PR1269202
  • Split horizon feature for Layer 2 packets is broken because of enhancements to other features. PR1286193
  • Incorrect load balancing for aggregated Ethernet interface might occur for traffic going from MS-DPC to MPC card in Enhanced-IP mode. PR1287086
  • When you see T3 with regard to hardware timestamps, and when you see T4 < T1 and T3-T2 because of NTP synchronization, those samples for any measurements (including round-trip time, ingress and egress jitter and delays) are not considered. However, they are reported under error statistics. In these cases, probes are received from the real-time performance monitoring server with correct timestamps and hence they are marked as successful probes. However, they are not used for any measurements. PR1300049
  • When the total number of available CoS queues on MPC Type 1 or Type 2 with Enhanced Queuing chip (QX chip) is limited with chassis fpc max-queues configuration, some interfaces might start dropping all traffic as Tail-/RED-drops. PR1301717
  • The Type-P Descriptor format of the Two-Way Active Measurement Protocol (TWAMP) Request-TW-Session message is not RFC compliant. This might cause interoperability issues with an RFC-compliant TWAMP. PR1305752

Routing Protocols

  • In a BGP scenario with IPv4 and IPv6 neighbors coexisting in the same group, if all of the IPv4 peers flap but none of the IPv6 peers flap, a timing issue might occur in which one of the IPv4 peers comes up before inet.0 RIB is cleaned up. As a result, the routing protocol process (rpd) might crash. PR986272
  • When a BGP speaker (router) has multiple peers configured in a BGP group, there is sometimes an inaccurate count of prefixes. This occurs when the BGP speaker receives a route from a peer and re-advertises the route to another peer within the same group. In such instances, the MIB object "jnxBgpM2PrefixOutPrefixes" for peers in the same group reports the total number of advertised prefixes in the group. MIB value "jnxBgpM2PrefixOutPrefixes" is defined as being used on a per-peer basis. However, it is instead being used to report prefixes on a per-group basis. To display an accurate number of advertised prefixes, use the show bgp neighbor command. PR1116382
  • The routing protocol process (rpd) might crash because of RPF check when PIM neighbor goes down. PR1122530
  • For devices populated with master and backup Routing Engines and configured for nonstop active routing (NSR) and Protocol Independent Multicast (PIM) configuration, the routing protocol process (rpd) might crash on the backup Routing Engine due to a memory leak. PR1155778
  • After Routing Engine switchover, a race condition could result in RIB not registering for route flash. As a result, there might be stale entries seen when routes are withdrawn. This is a rare condition. PR1170572
  • The issue occurs when the route is received from different eBGP neighbors. For this specific route, if all BGP selection criteria match, the router ID is used. Because it is an eBGP route, BGP uses the active route as the preferred one. If this specific route flaps with the sequence from the non-preferred to the preferred path, the routing protocol process (rpd) runs the path selection. During path selection, rpd might generate a core file. This issue has no operational impact. PR1180307
  • In a single-hop BFD scenario where BFD is enabled on a direct link between two routers, when the peer router's interface is brought down by "disable/deactivate/delete" configuration or a transmission issue, the BFD (and the protocol like OSPF relying on BFD) session on the local router might remain UP for 10 seconds more before going down, resulting in traffic loss during that period. This issue happens if there is an alternate path for that direct link configured with BFD. After the primary (direct) link goes down, the peer router will still transmit BFD packets using the alternate path, causing the session on the local router to remain UP until the peer stops transmitting in 10 seconds more. PR1183353
  • In inline BFD or distributed BFD (in Packet Forwarding Engine) scenario, Packet Forwarding Engine fast reroute is not invoked anymore if the remote peer signals BFD ADMINDOWN message to the local node and convergence time is performed based on protocol signaling. PR1196243
  • With nonstop-routing (NSR) enabled, all running protocols including PIM and NG-MVPN are replicated. If NSR is disabled only under PIM (set protocol pim nonstop-routing disabled), both PIM and NG-MVPN are removed from the replicated list. Adding PIM NSR again by using delete protocol pim nonstop-routing disabled then does not work as expected, and PIM is not added. PR1203943
  • In a rare scenario, OSPF routes are leaked from the routing instance to the inet.0 table and BGP routes are resolved by these OSPF routes. If OSPF routes and BGP routes are withdrawn/deleted at same time, it might cause rpd to crash. PR1206640
  • When a rib-group exists that has routing instance.inet.0/inet.3 in import-rib, rpd might crash when deactivating the routing instance. PR1207248
  • When multiple labels become stale in stale-label-holddown-duration (by default 60 seconds), the timer is restarted and all stale labels are accumulated without being deleted. This might cause memory for allocating labels to be exhausted and then MPLS traffic might be affected due to abnormal/failing label allocation. PR1211010
  • BGP routes are rejected because the cluster ID loop prevention check fails due to a misconfiguration. When the misconfiguration is removed, BGP routes are not refreshed. The fix for this issue sends a soft route refresh dynamically when a cluster ID is deleted. PR1211065
  • When changing the RD for an existing VRF with established highly active MSDP sessions or deleting or deactivating an MSDP session in the configuration, rpd might crash, which leads to traffic disruption. PR1216078
  • The routing protocol process (rpd) on a backup Routing Engine might restart unexpectedly in a large BGP NLRI environment. PR1220651
  • In NG-MVPN scenario with PIM designated router (DR) and backup designated router (BDR) configured, when DR comes back after rebooting, it takes the DR role back but does not create PIM register state for some (S,G) routes due to the stale Type 5 route from BDR. Traffic will be disrupted when the BDR withdraws the stale Type 5 route. PR1225726
  • If MPLS goes down due to link flap, FPC reboot, or restart, rpd core files could be seen. PR1228388
  • In a rare condition after a BGP session flaps, BGP updates might not be sent completely, resulting in BGP routes being shown in the advertising-protocol table on the local end but not shown in the receive-protocol table on the remote end. PR1231707
  • The routing protocol process (rpd) sometimes is interrupted and halted when it tries to free a session reference block. This can occur when the memory red zone check fails and at the same time attempting to free reference memory block. The failure is caused when the red zone check receives an address that is not the beginning of a memory block. PR1232742
  • In a PIM scenario with BSR configured, after deleting a static RP configuration from another router, then checking an RP table on a BSR router, there might be a stale bootstrap RP entry (which is the static RP deleted from another router) in the RP table. PR1241835
  • The rpd might crash after configuring an IP address that does not exist on the device under [routing-options bmp local-address]. PR1244556
  • The OpenSSL project has published a security advisory for vulnerabilities resolved in the OpenSSL library on January 26, 2017. Refer to https://kb.juniper.net/JSA10775 for more information. PR1249517
  • There are 30-second outages on multicast flows; when this is checked, irregular timer behavior is observed. PR1257668
  • The Junos OS routing protocol process (RPD) might generate core files because of a BGP update with malformed optional transitive attributes (CVE-2017-10618). See JSA10820 for details. PR1279204
  • In a BGP-LU protection scenario with the statement per-prefix-label configured, the routing protocol process (rpd) might crash due to a certain chain of events. Specifically, when a BGP route with the indirect next hop is received first and another BGP route with the direct next hop (which has the same prefix as the route received earlier) is received later, the prefix is advertised as “atleast” on the group. PR1282672
  • The rpd might crash if dynamic rendezvous point (RP) goes down in the equal cost multipath (ECMP) topology and protocol independent multicast (PIM) join-load-balance automatic statement is configured. PR1288316
  • BGP-RR sends full route updates to its RR-Clients when any family MPLS interface gets bounced due to any fiber cut or manual events causing high CPU spike. This happens due to the process generating outbound soft-route-refresh to the network peers. PR1291079
  • In a rare scenario, a transient state could exist where both an IS-IS route leaked from a routing instance to inet.0 and a BGP route resolving over that same IS-IS route are withdrawn simultaneously. The routing protocol process (rpd) might generate a core file and cause routing protocols to restart. PR1303327

Services Applications

  • In Junos OS Release 14.2R7, the code change for IKE ALG (application-protocol ike-esp-nat) causes all packets matching with stateful firewall or NAT rule, which is configured with application junos-ike, to be treated as IKE ALG packets. However, ike-esp-nat ALG is not supported on MS-DPC platform. Hence, this might cause packet drops when using MS-DPC with this kind of configuration. PR1160691
  • When using Network Address Translation (NAT) on the MX Series routers, the FTP ALG fails to translate the PORT command when the FTP client uses active mode and requests AUTH(SSL-TLS) but the FTP server does not use AUTH. PR1194510
  • When MS-PIC is running on T640, T1600, and T4000 routers, the number of maximum service sets is incorrectly limited to 4000, instead of 12000. This might impact scaled service (IPsec, IDS, NAT, stateful firewall filter) environments. PR1195088
  • When configuring Network Address Translation (NAT) service, the service route is still available in the route table even after disabling the service interface. Any types of service interfaces (except ams- interface) that support NAT might be affected. PR1203147
  • IDP policy crashes with some log messages. PR1209351
  • The kmd process might consume excessive CPU resources during continuous polling for IKE-related data through SNMP. This issue is specific to IKE-related SNMP polling and is not seen when continuously polling IPsec-related data through SNMP. PR1209406
  • In case of massive flapping of subscribers on M120 platform, a memory leak on IQ2E PIC can happen and it can cause inability to attach a configured CoS policer to the newly connected l2tp subscriber. PR1210976
  • When loading or rolling back a configuration that removes a service set and changes where the MS interfaces are assigned, traffic might be silently dropped or discarded to a series of the existing service sets. PR1223302
  • When the stateful firewall flows time out repeatedly, there can be performance degradation on the MS-DPC PIC. This will eventually lead to MS-DPC being unable to scale to the peak flows that are allowed. PR1242556
  • With MS-MIC/MS-MPC used for NAT service, when changing the source-address under a NAT rule term for a BASIC-NAT translation type, all future traffic hitting the NAT term will be dropped. PR1257801
  • In an IPsec scenario, the kmd process might crash after configuring IPsec using apply-groups. PR1265404

Subscriber Access Management

  • If RADIUS returns Framed-route="0.0.0.0/0" to a subscriber terminated on a Junos OS platform, this subscriber cannot log in due to an authentication error. PR1208637

User Interface and Configuration

  • Configuration database is locked by "root" user when trying to commit VPLS circuit configurations with the configure exclusive command. PR1208390
  • If a user enters configuration mode with configure exclusive and does not confirm the commit in time, the commit fails after automatic rollback. The user can still make configuration changes with the replace pattern command, but the subsequent commit fails with error: access has been revoked. After exiting configuration mode, the user might fail to enter configuration mode using configure exclusive with error: configuration database modified. PR1210942
  • When the secret for a key is not configured, commit would fail with the message error: configuration check-out failed: daemon file propagation failed. PR1213165
  • The routing protocol process (rpd) memory is increasing and cannot go back after an IS-IS interface flap. If this memory leak reaches a high level that impacts the route calculating, it might cause unexpected network issues. PR1243702
  • Some configuration objects are not properly handled by "delta-export" (dexp). This leads to an omission of the section in the configuration. PR1245187

VPNs

  • After performing a graceful Routing Engine switchover (GRES) with NSR enabled, in an NG-MVPN scenario, the routing protocol process (rpd) on the new backup Routing Engine consumes more than 90% of CPU resources. PR1189623
  • The routing protocol process (rpd) might crash when receiving routes from BGP with invalid next-hop related information. PR1192963
  • With MVPN and NSR enabled, high CPU utilization on the backup Routing Engine might be seen. PR1200867
  • On Junos OS platforms, only VPLS supports automatic-site-id. Configuring automatic-site-id under the L2VPN instance could cause rpd to generate a core file. PR1214328
  • The routing protocol process (rpd) might eventually become exhausted and crash when Layer 2 Circuit, Layer 2 VPN, or virtual private LAN service (VPLS) configurations are committed. These commit activities might create a small memory leak of 84 bytes in the rpd. PR1220363
  • In an NG-MVPN scenario with asm-override-ssm configuration statement for source-specific multicast (SSM) group, if you issue the clear pim join command on the source PE, downstream interfaces get pruned, causing the multicast flow to stop. PR1232623
  • The L2circuit does not switch from primary to backup and vice versa based on the APS status change, because when APS switchover happens, the PW switchover does not switch to the new APS active neighbor. PR1239381
  • In an MVPN scenario with I-PMSI tunnels and multihomed source, if the link between source and PIM-DR PE1 goes Down, the second PE2 takes the PIM-DR role and starts to advertise Type-5 prefixes. Then as the link between the source and PE1 comes back Up and PE1 takes PIM-DR role back, PE1 might not generate Type-5 BGP prefixes for active sources in some multicast groups. Without Type-5 prefixes from the ingress PE router, the receiver’s PE router does not generate Type-6/7 and the ingress PE router does not send multicast traffic. PR1242493
  • If PIM-MVPN is enabled for IPv4 but next-generation MVPN is not explicitly disabled for IPv6, the ALT KAT timer is also created when the PIM mcast route is created in IPv4. However, when the IPv4 mcast route is removed, PIM checks whether NG-MVPN is enabled for IPv4 only, which is false. Hence, the ALT KAT timer is not deleted. This leads to a memory leak. PR1276041

Resolved Issues: 14.2R7

Class of Service (CoS)

  • When customers delete an IFL from an interface-set that has CoS applied to it and activate CoS profile directly on that IFL in one single commit, commit fails with an error. Commit goes through if they do it one by one, delete IFL from interface set, commit and then activate CoS on that IFL, commit. PR1169272

Forwarding and Sampling

  • The configuration statement "interface-mac-limit" might be set to the default value when activating "mac-table-size" on a VPLS routing instance. Restarting l2ald, reapplying the "interface-mac-limit", or changing it to another value (set interface ge-3/1/0.0 interface-mac-limit 510) fixes the issue.
      user@router> show vpls statistics | match count
      Current MAC count: 0 (Limit 1024) << set to default value 1024 instead of the value set by interface-mac-limit
    PR1025503
  • On MX Series routers with the "network-services enhanced-ip" configuration, when the firewall daemon first comes up as part of the system reboot, it cannot read the chassis network-service configuration statement from the kernel, which is expected. After a number of read retries, the firewall daemon has to choose the default chassis network-service IP mode. When an interface description change is committed, the firewall daemon reads the chassis network-service configuration statement again. If the read succeeds, the firewall daemon has to restart itself because the chassis network-service is in enhanced-ip mode. When the firewall daemon is restarted, the OpenFlow connections get dropped. PR1035956
  • On MX Series routers, a change of policers or counters to an existing firewall filter using physical-interface-filter or interface-specific configuration statements will not be correctly detected by MIB2D. PR1157043
  • The configuration container [protocols] [l2-learning] [global-mac-move] is made visible. The functionality under it is already supported, but the command was hidden until now. PR1160708
  • After upgrading by using ISSU, as part of the bring-up procedure, mib2d initializes connections to the FPC Packet Forwarding Engines. It might start querying states from a Packet Forwarding Engine while the connection is not ready yet. This failure causes the connection to reinitialize. This can form a loop that causes memory and CPU cycle usage to grow. As a result, mib2d crashes. PR1165136
  • When apply-groups is configured under a bridge domain, commit fails with the following error, without details: error: Check-out failed for Firewall process (/usr/sbin/dfwd). PR1166537
  • This issue is seen only when there is a huge number of routes having different BGP NHs pointing to the same AS. Depending on the number of routes pointing to AS paths and the difference in BGP NHs in the routes, the srrd (Sampling Route-Record Daemon) CPU consumption can spike. In a real network this issue might not be seen often, because the number of AS paths is huge and the routes referring to these AS paths are usually distributed among the AS paths. Even if the routes are pointing to the same AS, the impact would be less than the one seen in this scenario. PR1170656
  • When polling SNMP counters for Trio-Only firewall filters, MIB2D_RTSLIB_READ_FAILURE cosmetic error messages might get reported in syslog. PR1173057
  • The statistics-service daemon (pfed) experiences a constant memory leak of 10 KB every 2 minutes when the MobileNext package is installed:
      > show version
      Model: mx480
      Junos: 14.1X55-D30.10
      JUNOS Base OS boot [14.1X55-D30.10]
      <...>
      JUNOS MobileNext Routing Engine Software [14.1X55-D30.10] <<< this package
    PR1174193
  • Even if packets do not match the firewall filter conditions, a wildcard mask firewall filter might match any packets. Sample configuration:
      set firewall family inet filter TEST-filter term TEST1 from destination-address 0.0.0.255/0.0.0.255 <<<<<<
      set firewall family inet filter TEST-filter term TEST1 then count TEST1
      set firewall family inet filter TEST-filter term TEST1 then discard
      set firewall family inet filter TEST-filter term TEST2 then accept
    This is a discard filter for the /24 prefix broadcast address. However, it might discard other packets. PR1175782
  • In an EVPN/VXLAN environment, while the Layer 2 Address Learning Daemon (l2ald) is processing MAC routes during re-sync with the kernel (whenever l2ald gets restarted), a MAC route that has stale information needs to be deleted by l2ald and then by the kernel. Due to a software defect, there is no check for ifl validation. If the ifl is invalid (which could be due to several reasons, such as a configuration change), the l2ald process might crash and traffic forwarding might be affected. PR1176177
  • The SRRD (Sampling Route-Record Daemon) process does not delete routes when the DELETE is received from RPD in a few configuration cases. This results in a build-up of memory in the SRRD daemon, and once SRRD reaches the limit, it crashes and restarts itself. This happens only when one certain family is not configured on all of the FPC clients (for example, an FPC with inline jflow enabled or a PIC with PIC-based sampling enabled is one client). For example, only the IPv4 family is configured in all the clients, and the IPv6 and MPLS families are not configured for sampling in any of the clients. PR1180158
  • FPC offline could trigger Sampling Route Record (SRRD) daemon restart. PR1191010

General Routing

  • DPD may not work with link-type IPsec tunnels when NAT is present between the IPsec peers. Even when NAT is not present between the IPsec peers, the issue can occur with lower probability. PR895719
  • In an MX Virtual Chassis (MX-VC) environment, the private local next hops and routes pointing to private local next hops are sent to the Packet Forwarding Engine from the master Routing Engine and not sent to the slave Routing Engine, and then a Routing Engine switchover happens. Because the new master Routing Engine does not know about such next hops and routes, they are not cleaned up. When a next hop with the same index is added on the new master Routing Engine and sent to the Packet Forwarding Engine, the Packet Forwarding Engine might crash because of the stale next hop. PR951420
  • An EVPN with support for inter-subnet routing using an irb interface may experience a crash and restart of rpd, leaving a core file for analysis. In this case, EVPN MAC routes contain MAC+IP, and this IP/32 is installed in VRF table on egress router. Core is triggered in the IP/32 route installation flow. There is no special trigger point- it's a timing issue with basic irb configurations. PR992059
  • The L2ald may crash after interface flap. PR1015297
  • In an IP security (IPsec) VPN environment, after performing a Routing Engine switchover, traffic may fail to be forwarded because the security associations (SAs) may not be downloaded to the PIC, or because some SAs on the PIC may incorrectly hold references to old Security Policy Database (SPD) handles while SPD has deleted its entries in the Security Association Database (SAD). PR1047827
  • PCE-initiated LSPs are less preferred than locally configured LSPs. After this issue is fixed, PCE-initiated LSPs will have same preference as locally configured LSPs. PR1075559
  • Junos OS runs PKId for certificate validation. When a peer device presents a self-signed certificate as its end entity certificate with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped and the peer certificate is treated as valid. This may allow an attacker to generate a specially crafted self-signed certificate and bypass certificate validation. Refer to JSA10755 for more information. PR1096758
  • If NSR (nonstop routing) is enabled and a TCP session is terminated while there is still data in the socket pending transmission, the MBUF (kernel memory buffer) used to store this data might not get deallocated properly. In order to hit this issue the TCP session must use NSR active socket replication. If the system runs low on MBUF memory, the kernel will automatically throttle down memory allocation on low priority applications and ultimately, if there is no MBUF left, the system could become unresponsive due to its inability to serve I/O requests. PR1098001
  • On MX Series routers where MS-MIC or MS-MPC is inserted, certain combinations of fragmented packets might lead to an MS-MIC or MS-MPC coredump. PR1102367
  • In rare conditions, after a Routing Engine switchover, the MPC PIC might go offline and some error messages might be seen. At times, chassisd on the Routing Engine generates core files continuously, which makes the unit unusable because none of the interfaces come up. Root cause: after the Routing Engine switchover, chassisd fails to get the proper status of the FPCs and generates core files due to insufficient IDEEPROM read times. PR1110590
  • If a static or protocol learned route points to a set of interfaces effectively resulting in static route pointing to a unilist nexthop, it is possible that the selector weights may not be initialized correctly resulting in traffic drop. You can mitigate this issue by deactivating and then activating the static route configuration. PR1120370
  • For scaled configuration, it may take too much time for commit and session gets hung because there is an unnecessary check to see if family Ethernet-switching co-exists with family bridge for all interfaces having bridge configuration. PR1122863
  • RPD crash might be seen during deletion of address family on an interface while rpf check is configured. PR1127856
  • The speed knob auto-10m-100m allows the speed to be autonegotiated up to a maximum of 100 Mbps. PR1155196
  • A CE in an EVPN setup that has no-mac-learning or is otherwise forwarding traffic upstream to MX Series routers in an Active/Active EVPN configuration will see split horizon broken by the MX PE that has the MAC as DRC status. PR1156187
  • After a reboot of the MIC "MIC-3D-4OC3OC12-1OC48", the following messages might fill the syslog:
      router-re0 fpc2 cc_mic_sfp_is_present:????????????????????????????????????????????????????? ?????????????????????????^^??^P-sM-^T^S?? - Device is not SFP type
      router-re0 fpc2 cc_mic_sfp_periodic: Link 0 SFP - plugged in.
      router-re0 fpc2 cc_mic_sfp_is_present:????????????????????????????????????????????????????? ?????????????????????????^^??^P-sM-^T^S?? - Device is not SFP type
      [LOG: Err] cc_mic_sfp_is_present:????????????????????????????????????????????????????? ?????????????????????????5?x??l?8 - Device is not SFP type
      [LOG: Err] cc_mic_sfp_is_present:????????????????????????????????????????????????????? ?????????????????????????5?x??l?8 - Device is not SFP
    PR1156353
  • Given an active BGP multipath route with 2+ Indirect-Next-Hops and another BGP route which can participate in protocol independent multipath with router-next-hop, rpd might crash if the interface on which first member of Indirect-Next-Hop resolves goes down. PR1156811
  • A previous enhancement to strengthen the VC-Heartbeat message exchange resulted in messages being rejected at the crucial time of determining the health of the other VC member when all adjacency links fail. Validation of messages has been adjusted to remain strong when the VC is connected, but relaxed during split conditions to prevent rejecting valid messages. PR1157383
  • On MX Series platforms supporting MPC3E or MPC4E type MPCs, a single-hop BFD session configured under a routing instance (RI) can flap intermittently. The problem is seen when the main-instance loopback firewall filter discards or rejects the BFD packets, or has a term to accept only BFD packets from neighbors configured under the main instance. In both scenarios, the BFD session packets coming in on the routing instance are wrongly matched against the main-instance loopback filter and get discarded. With the fix for this issue, this situation is avoided and BFD session packets from the routing instance are matched against the correct RI loopback filter (if configured). Note: If no RI loopback interface is configured, BFD packets are matched against the main-instance loopback filter. PR1157437
  • From Junos OS Release 13.2R1 and later, Packet Forwarding Engine interfaces on MX Series routers with certain MPCs might remain down after performing "request system reboot both-routing-engines" or "restart chassisd" several times. Rebooting the FPC might restore them. PR1157987
  • RPD may crash after EVPN is configured when extra bits in the ESI label extended community are set besides the single-active bit. PR1158195
  • On MX Series platform, when MPC experiences a FATAL error, it gets reported to the chassisd daemon. Based on the action that is defined for a FATAL error, the chassisd will take subsequent action for the FATAL error. By default, the action for FATAL error is to reset the MPC. When the MPC reports FATAL error, chassisd will send offline message and will power off the MPC upon the ACK reception. However, if MPC is in busy state for any reason, the ACK doesn't come in time and hence there would be a delay in bringing down the MPC. The fix ensures to bring down the MPC in time upon FATAL error. PR1159742
  • A software OS thread on the line card runs a busy loop by reading the clock directly from hardware. Sometimes the thread appears to get wrong values from the hardware register and waits forever in the busy loop. After the busy loop crosses a certain time period, the line card crashes and reboots. This is a rare condition. PR1160452
  • The Router Lifetime field is set to 0 in the first Router Advertisement sent from the LNS back to the PPPoE subscriber. PR1160821
  • Upon receiving some specific packets, a compute CPU of the MS-MIC/MS-MPC will stop refreshing the inactivity-timeout of sessions despite receiving traffic matching them. As a result, an affected session will be removed when the inactivity-timeout time has expired. PR1161040
  • The VCCPD_PROTOCOL_ADJDOWN system log message does not include a 'reason' string to explain why the virtual chassis adjacency was terminated. This information will now be present in the message. PR1161089
  • Default EVPN policy in junos-defaults for mx-series is removed. This was used to enable per packet load-balance for EVPN routes. Now per-packet load balance needs to be configured explicitly. PR1162433
  • The interface routing status message xxx.xxx.xxx.xxx <Up Broadcast Multicast Localup> may be reported on an interface that is not associated with the configuration change, such as a bridge-domain addition. It should be reported only if there is a change in the IFL parameters. This is an info(6) level message for debugging purposes, so the cosmetic problem can be safely ignored.
      rpd[xxx]: %DAEMON-6: EVENT Flags ge-1/0/4.0 index 371 10.180.230.8/24 -> 10.180.230.255 <Up Broadcast Multicast Localup>
      rpd[xxx]: %DAEMON-6: EVENT Flags irb.110 index 326 10.9.17.254/22 -> 10.9.17.255 <Up Broadcast Multicast Localup>
      rpd[xxx]: %DAEMON-6: EVENT Flags irb.190 index 373 10.9.53.254/22 -> 10.9.53.255 <Up Broadcast Multicast Localup>
    PR1162699
  • From Junos OS Release 14.1X51-D75, 15.1F4, and 15.2IB, when an interface is deactivated, in a rare condition a software defect causes the next hop (NH) to be deleted while there are still routes pointing to it, which leads to inconsistent states in the Packet Forwarding Engine. The MPC might crash or traffic might be blackholed. PR1164101
  • On MX Series router with MPC3/4/5/6/7E/8E/9E linecard, neither low-light warning nor alarm work on these linecards with 10G or 100G interfaces. When using JAM image, NG-MPC are affected as well. This is optics or fiber issue, no critical service impact. PR1168589
  • When MS-MPC is used, if any bridging domain related configuration exists (e.g. "family bridge", "vlan-bridge", "family evpn", etc.), in some cases the MS-MPC might crash continuously, resulting in traffic loss. PR1169508
  • Adding the keyword 'fast-filter-lookup' to existing filters of an input or output filter list may result in failure to pass traffic. To avoid this issue, first deactivate the filter list, then update the filters with the keyword 'fast-filter-lookup', then activate the filter list. PR1170286
  • If the "no-cell-share" configuration statement under the chassis stanza is activated on MPC3, MPC4, MPC5, or MPC6 cards, the Packet Forwarding Engine will only be able to forward about 62Gbps versus ~130Gbps and causing fabric queue drops. PR1170805
  • The fan speed logic does not operate correctly once a PEM on MX104 platforms automatically shuts down due to over-temperature protection. The fan speed moves back to normal speed. With the fan at normal speed, it takes more time for the PEM to cool down and come back online automatically. PR1174528
  • Storm control feature is not working on MX104 platform. In Packet Forwarding Engine, associated filters and vty commands are not visible as well. It works on other MX Series platforms. PR1176575
  • On dual Routing Engine system, if master Routing Engine is running Junos OS 13.3R9/14.1R7/14.2R5/15.1R3/15.2IB or later, backup Routing Engine is running Junos OS prior to 13.3R9/14.1R7/14.2R5/15.1R3/15.2IB, a major alarm is raised. This is cosmetic and can be safely ignored. Please upgrade backup Routing Engine to the same release with master RE to avoid the issue.
      user@router> show system alarms
      2 alarms currently active
      Alarm time               Class  Description
      2016-xx-xx xx:xx:xx UTC  Major  PEM 1 Not OK
      2016-yy-yy yy:yy:yy UTC  Major  Host 1 failed to mount /var off HDD, emergency /var created <<<<<<<<<<<<<<<
    PR1177571
  • In a rare error scenario krt_q_entry of flow route is freed without dequeuing it from the queue. This has been fixed via software change. PR1178633
  • In EVPN A/S mode, IFL mark down programming at the Packet Forwarding Engine on the BDF gets removed causing traffic loops. PR1179026
  • [EVPN] Active-Active IP4 L3 session with CE over IRB Flaps. PR1179105
  • On 10x10GE(LAN/WAN) SFPP PIC, when the port is configured with WAN PHY mode, the CoS configuration on the port will be incorrectly programmed and it might result in unexpected packet drop. PR1179556
  • In the CGNAT CLI show service alg conversations fails to display parent session status for ALG conversations. PR1181140
  • When "dynamic-tunnels" is configured with configuration statement "gre", performing Routing Engine switchover might result in rpd crash. PR1181986
  • If a bridge domain (BD) is created within an Ethernet VPN (EVPN) instance with type of virtual-switch but its VLAN ID is not added to the extended vlan list, the BD works in local switching mode only. When the BD's VLAN ID is then later added to the extended vlan list, there might be a chance that the update is not properly replicated to the routing protocol daemon (RPD) and therefore the EVPN database doesn't properly learn local or remote MAC addresses. PR1182215
  • Fragmented ALG control traffic is not supported on the MS-MPC. PR1182910
  • With NAT translation-type as napt-44, a few sessions are getting stuck upon deactivating/activating service-set or corresponding applications at a few times with traffic running. The same symptom is seen upon deactivating/activating service-set with traffic running and with 'deterministic-napt44' translation type as well. PR1183193
  • In EVPN environment, the rpd might crash when a bridge-domain within an EVPN virtual-switch instance for VLAN X is deleted from the configuration when a trunk interface which is part of the same instance still has VLAN X present in the vlan-id-list. The core files can be seen via command "show system core-dumps":
      root@PE1> show system core-dumps
      -rw-rw---- 1 root field 4974891 May 18 03:24 /var/tmp/rpd.core-tarball.0.tgz
    PR1183570
  • With BGP add-path and consistent-hash enabled, when a BGP learnt route prefix with multiple paths(next-hop) is installed in the forwarding-table, all the next-hops should be reachable/resolvable at the time of installing the route in the forwarding-table. However, there might be a chance that any of the next-hops are not resolvable at that time, which will lead Packet Forwarding Engine's incorrect route programming. In this case, traffic forwarded to this prefix will be affected. PR1184504
  • When ams-interface is configured in warm-standby mode without adding any members, configuration commit will lead to rdd core. PR1185702
  • AMS redundant interfaces not listed under possible-completions of operational commands. PR1185710
  • ksyncd crash might be seen with GRES due to kernel replication error. PR1186317
  • The command "request system reboot both-routing-engines local" on VC-Mm reboots only one Routing Engine on an MX-VC. With this fix, it reboots both Routing Engines of the local chassis. In addition, this fix also removes the "set virtual-chassis member <n> role line-card" configuration option on an MX-VC because this option is not supported on MX-VC as designed. PR1188383
  • In rare cases, a logical IRB interface (irb.x) might refer to a wrong MAC address when sending a unicast IPv6 neighbor solicitation (NS) (a packet type of the IPv6 Neighbor Discovery Protocol) to verify the reachability of a neighbor. The NS messages are sent with a wrong source MAC address, which results in the neighbor discarding the packet and the IPv6 neighborship going to an unreachable state. Note: Neighbor Solicitations are multicast when the node (host or router) needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor. PR1191086
  • Memory leak in variable-sized malloc block leading to RPD crash due to "out of memory". PR1198165

High Availability (HA) and Resiliency

  • The rtsock message length that was sent by ksyncd to kernel via rtsock was incorrectly set to ipc length. PR1052425
  • Right after all FPC complete their upgrade, the kernel (on the VC-Mm) closes its connection to ksyncd (on the VC-Bm) since it has received a message "invalid IPC type 20". This disconnect causes ksyncd to restart, it then cleans all kernel state in the VC-Bm and starts the replication process. This causes the timer for waiting for the VC to become GRES ready (after FPC upgrade) to expire and abort the ISSU. PR1163807
  • When "nonstop-routing" is configured under one group and this group is applied to the routing-options configuration hierarchy, sometimes NSR does not work. As a workaround, configure "nonstop-routing" directly under the routing instance hierarchy. PR1168818

Infrastructure

  • RPD stuck on high CPU utilization when executing 'show route multicast' CLI with Invalid Option and RPD stops responding to any management requests. PR1027891
  • In scaling setup (in this case, there are 1000 VLANs, 1000 Bridge Domains, 120 IRB interfaces, 120 VRRP instances, BGP and IGP), if the routing protocols are deactivated and activated, there might be a chance that the pending route stats are not cleaned up, which will cause the stats infra to have stale pointers and lead to memory corruption in socket layers. The system might go to db prompt because of this. All the traffic going through the router will be dropped. PR1146720

Interfaces and Chassis

  • In affected releases, the following cosmetic alarms are seen after reseating the clocking cables:
      2015-11-13 05:22:56 UTC Major CB 0 External-A LOS
      2015-11-13 05:22:56 UTC Major CB 0 External-B LOS
    PR1152035
  • The SONET interface on MIC-3D-1OC192-XFP does not count input errors correctly. The hardware counts framing errors, runts and giants, but the input error counter in the 'show interface extensive' command reports runts and giants only. PR1154268
  • When a Routing Engine (RE) experiences a media block error, the RE will try to switch mastership immediately due to this software defect. The switch-over attempt happens even on a single RE system which in this case will cause all FPCs to reset. PR1168494
  • If an interface configured with VRRP is moved from a routing-instance to global, or from global to a routing-instance, the IFLs of that interface will be deleted and recreated. In ideal cases, as the interface gets deleted, VRRP should move to bringup state; when the interface is created again, VRRP goes to its previous state. After this, VRRP should get a VIP addition notification from the kernel and update the VRRP state and group id for the VIP. However, in race conditions, VRRP might get the VIP addition notification from the kernel even before the interface creation event happens. If so, VRRP will never be able to update the proper VRRP state and group id. So the VIP will reply to ARP with an incorrect MAC ending with "00", while the correct MAC should end with the group id configured. PR1169808
  • In previous releases, only IEEE classification is supported for CFM OAM packets. With the fix, an 802.1AD based filter is supported for CFM OAM packets. When linktrace and loopback requests are received on MX, the 802.1p bits are used to determine the forwarding class and queue for the response or for the linktrace request forwarded to the next router. This causes these PDUs to be put in the wrong queue when input-vlan-map pop is present, because the received PDU doesn't carry 802.1p bits. With the fix, the incoming forwarding class is used to determine the 802.1p priority and the outgoing forwarding class and queue for newly generated responses or linktrace requests. PR1175951
  • Commit check may exit without providing a correct error message, causing dcd to exit. The only known scenario to trigger this issue is to configure an IPv6 host address with any other address on the same family. PR1180426
  • When there is a configuration change, a cfmd memory leak is observed, which sometimes may also trigger a cfmd core dump. The following message is observed:
      /kernel: Process (44128,cfmd) has exceeded 85% of RLIMIT_DATA: used 378212 KB Max 393216 KB
    PR1186694

Junos Fusion Provider Edge

  • Do not issue commands that might generate more than 24k of output using the 'request chassis satellite shell-command' command. Use 'request chassis satellite login' and then run the commands in the resulting session. PR1188712

Layer 2 Features

  • In BGP-based VPLS scenarios, changing the configuration of a VPLS mesh group might cause rpd core. FPC reboot might also be seen during the rpd core. PR1123155
  • From Junos OS Release 13.2R1 and later, the rpd process might crash when adding/deleting Virtual private LAN service (VPLS) neighbors in a single commit. For example, a primary neighbor is changed to become the backup neighbor. PR1151497

Multiprotocol Label Switching (MPLS)

  • In an MPLS environment, the master Routing Engine might crash due to an Mbuffer allocation failure, and this crash triggers a Routing Engine switchover, as a result of which the backup Routing Engine becomes active. The issue is unreproducible, and the trigger condition is not clear. PR979448
  • Due to some data structure changes of IPC messages in 64-bit RPD, some 32-bit applications (e.g. lsping, lspmon) would not work normally when RPD is running in 64-bit mode. Depending on the Junos version, some CLI commands might not work as expected. PR1125266
  • User is allowed to configure both "load-balance-label-capability" and "no-load-balance-label-capability" together. This is incorrect and confusing. PR1126439
  • A static MPLS LSP using a VT interface as an outgoing interface would not come up. PR1151737
  • With NSR enabled and LDP configured, the rpd process might crash and restart on the new master Routing Engine after a Routing Engine switchover. PR1155002
  • LSPing returns 'routing instance does not exist' when used in vpls routing-instance under logical system. PR1159588
  • If the container LSP name and the suffix together are more than 60 characters in length, the rpd process might crash during extensive split merge conditions. It is always advisable to keep them less than 60 characters. The member LSP name is coined in the following manner: <container-name>-<suffix-name>-<member-count>. The LSP name can have up to 64 characters. So after putting together the container name, suffix, member-count (could go up to 2 digits), and the 2 hyphens, it should not exceed 64. So container-name and suffix together should not exceed 60 characters. A commit check will be added to throw a warning if the name is longer than the supported number of characters. PR1160093
  • When L2VPN composite next hop configuration statement is enabled along with L2VPN control-word, end-to-end communication fails. Because in this scenario, control-word is not inserted by the ingress PE, but other end expects the control-word. PR1164584
  • Changing maximum-labels configuration under the hierarchy [edit interfaces interface-name unit logical-unit-number family mpls] might cause existing MPLS LSPs to become unusable. The root cause of this issue is that the family MPLS gets deleted and re-added. PR1166470
  • In an LDP-signaled VPLS environment, another vendor sends an Address Withdraw Message with a FEC TLV but without a MAC list TLV. LDP expected that an Address Withdraw Message with a FEC TLV should always have a MAC list TLV. As such, it rejected the message and closed the LDP session. The following message can be seen when this issue occurs:
      A@lab> show log messages |match TLV
      RPD_LDP_SESSIONDOWN: LDP session xxx.xxx.xxx.xxx is down, reason: received bad TLV
    PR1168849
  • In MVPN scenario, if active primary path goes down, then PLR(Point of Local Repair) needs to send Label Withdraw for old path and new Label Mapping for new path to the new upstream neighbor. In this case, LDP P2MP path may stay in "Inactive" state for indefinite time if an LSR receives a Label Release, immediately followed by a Label Mapping for the same P2MP LSP from the downstream neighbor. PR1170847

Network Management and Monitoring

  • In customer setup Packet Forwarding Engine was not able to keep-up with full stats requests from PFED. Because of this delay, PFED runs out of transfer credits to send stats request to Packet Forwarding Engine and starts returning full stats requests with error response to mib2d with ifl-info flag set to LS STATS and a payload filled with value zero. mib2d was treating the returned 0 filled stats value as correct stats and was returning these 0 values. This results in spike in delta value calculated by the customer side script. PR1010534
  • When syslog is forwarded to an external host, the millisecond and year format should not be forwarded as it is a JUNOS specific implementation. When such details are included in syslog messages sent to a remote host, it can result in a duplicate timestamp on the log message, as shown in the following example.
      user@router> show log messages
      Oct 30 18:16:58.496 2014 MX96-1-re0 : %DAEMON-3: Oct 30 18:16:58.498 2014 MX96-1-re1 ffp[6375]: "dynamic-profiles": No change to profiles >>>>>>>>>>> Duplicate timestamp
    PR1038616

Platform and Infrastructure

  • The mgd daemon (which manages the CLI) may crash when "system commit persist-groups-inheritance" configuration statement is deleted and later added again. PR1079991
  • Under large-scale setup, VPLS MAC might not be aged-out from remote-Packet Forwarding Engine when local-Packet Forwarding Engine is MPC3/MPC4/MPC3E/MPC4E, then unknown-unicast frames flood will be seen on local Packet Forwarding Engine. PR1099253
  • When "system/commit/delta-export" is enabled, a system configuration commit may result in crash and the following error. A core file might be generated. PR1102046
  • In certain cases, with some events such as disabling/enabling of links followed by a Routing Engine reboot or a GRES enabled switchover, the following error message might be seen due to a software bug in which an internal flag is not handled properly:
      KERNEL/Packet Forwarding Engine APP=NH OUT OF SYNC: error code 1 REASON: invalid NH add received for an already existing nh ERROR-SPECIFIC INFO:
    PR1107170
  • Configuring one group with configuration of routing-instances and applying this group under routing-instances, then the rpd process will crash after executing "deactivating/activating routing-instances" commands. As a workaround, you can avoid using "apply-groups" under routing-instances hierarchy. PR1109924
  • FPC can crash and core due to a missing NULL check. PR1144381
  • On MX2000 Series, MPC4 going offline is seen when SFB (Switch Fabric Board) is offlined or removed. This could be caused by the build-up of CDR in ADC which leads to transient packet loss or even getting stuck. The fix prevents line-cards going offline due to transient buildup in ADC. PR1149677
  • With Enhanced LAG mode enabled and sampling configured on AE interfaces, MS-DPC might drop all traffic as "regular discard". Disabling Enhanced LAG mode would avoid this issue. PR1154394
  • On MX2000 series platform, when MPC goes down ungracefully, other MPCs in the chassis will experience "destination timeout". In this situation, auto fabric-healing will get triggered due to "destination timeout" condition, which may cause Fabric-Plane reset, even all other MPCs to be restarted in some cases. PR1156069
  • The following log messages may be seen after some commits. These messages do not pose an operational impact.
      cosd[20362]: cosd_config_database: Configuration database(/var/run/db/juniper-prop.data) does not exist.
      cosd[20460]: cosd_config_database: Configuration database(/var/run/db/juniper-prop.data) does not exist.
    PR1158127
  • If a user logging in is a remote TACACS/RADIUS user, this remote user is mapped to a local user on the device. When permissions for flow-tap operations are set on the local device without setting the permissions on the remote server, they do not work correctly. The flow-tap operations are as follows:
      flow-tap -- Can view flow-tap configuration
      flow-tap-control -- Can modify flow-tap configuration
      flow-tap-operation -- Can tap flows
    PR1159832
  • LU(or XL) and XM chip based linecard might go to wedge condition after receiving corrupted packets, and this might cause linecard rebooting. PR1160079
  • The MPC with LU chipset might crash after ISSU. PR1160748
  • Due to software bug on chassisd, backup CB temperature information is missing on cli command 'show chassis environment cb' if it's replaced once. PR1163537
  • For MX Series Virtual Chassis with "default-address-selection" configured, when we have a discard route to a specific subnet ( e.g., 10.0.0.0/8 ) with discard next-hop, and at the same time we have more specific routes through other interfaces ( e.g., 10.1.1.1 through xe-0/0/0 ), if a UDP packet is being sent to 10.1.1.1 through xe-0/0/0 while interface xe-0/0/0 flaps or FPC reboots, it might cause kernel crash on both Master Routing Engine in the Virtual Chassis master router (VC-Mm) and Master Routing Engine in Virtual Chassis backup router (VC-Bm). As a workaround, we can disable "default-address-selection" configuration. PR1163706
  • The following log can be seen on MX2020 after one FPC was pulled out and committing the configuration related interface: CHASSISD_UNSUPPORTED_FPC: FPC with I2C ID of 0x0 is not supported. PR1164512
  • A sonet interface configured as unnumbered BFD session fails to come up. PR1165720
  • Modifying the configuration of a hierarchical policer when in use by more than 4000 subscribers on an FPC can cause the FPC to core and restart. PR1166123
  • Because the sequence number in RPM ICMP-PING probes is introduced as 32-bit variable instead of 16-bit, if it increases and reaches the max value 65535, it does not rollover, which might cause all RPM ICMP-PING probes to fail and not succeed any more. PR1168874
  • In the affected release, running a Packet Forwarding Engine debug command such as "show sample-rr eg-table ipv4 entry ifl-index 1224 gateway 113.197.15.66" causes the MPC to crash. PR1169370
  • Layer 2 protocols might flap when router was flooded with low priority traffic reaching towards FPC CPU/Routing Engine CPU when DDoS protection is disabled. PR1172409
  • On MPC5E/6E/7E/8E/9E/NG linecards, firewall filter of family inet/inet6/vpls configured with non-contiguous prefixes for address matching might fail and cause traffic drop. Using only contiguous prefixes can avoid this issue. PR1172725
  • Because an internal timer that refers to time in the UNIX epoch (January 1, 1970 00:00:00 UTC) wraps around every 49 days, flows might get stuck for longer than the active/inactive timeout period. The number of flows that get stuck and how long they get stuck cannot be determined exactly; it depends on the number of flows at the time the timer wraps around. PR1173710
  • "show arp" command can't get complete results and reports "error: could not find interface entry for given index". PR1174150
  • A flow is determined by doing hashing on the packet header. Usually 5-tuple (src/dest IP addresses, IP protocol number, src/dest ports) are used for hashing because a flow is defined by 5-tuple. This is all fine for TCP/UDP packets. But Layer-3 packets generated by JDSU tester only have Layer-3 header and don't have Layer-4 header. JDSU tester uses the same location as Layer-4 header as packets' sequence number. So MX Series card treats sequence number of JDSU tester packets as Layer-4 header of a packet, hence Junos OS thinks every packet is a single flow and order of different flows is not guaranteed. PR1177418
  • On MX2020/2010, chassisd file rotation on commit check will cause the trace file to be stuck and no other operational chassisd events will be logged until chassisd restart. PR1177625

Routing Protocols

  • Traffic drop from less than 400 ms to 8 seconds might be seen in RLFA scenario when the primary link comes up. The reason for seeing the traffic drop is due to the delay in ARP resolution on the new link that just came up and IGP has programmed that link as the primary next hop. So though the FIB has been updated, Packet Forwarding Engine cannot still use it as it waits for ARP resolution on the new link. PR1106310
  • BFD session configured with authentication of algorithm keyed-sha1 and keyed-md5 might be flapping occasionally due to FPC internal clock skew. PR1113744
  • In a multicast environment, when the RP is the first-hop router (FHR) and has MSDP peers, if the RPF interface on the RP changes to an MSDP-facing interface while the multicast traffic is still on the old RPF interface, a multicast discard route is installed and traffic loss is seen. PR1130238
  • On Junos-based products, changes in routing-instance, like changing route-distinguisher or routing-option changes in some corner cases might lead to rpd crash. As a workaround always deactivate routing-instance part that is to be changed before committing the changes. PR1134511
  • When Protocol Independent Multicast (PIM) is used, in a very rare condition, if the last hop router (LHR) migrates from Designated Router (DR) to non-DR, repeated routing protocol process (rpd) crashes may occur due to a patricia tree walk issue. PR1140230
  • In BGP scenario with large scale routing-instances and BGP peers configured, due to a software defect (a long thread issue), BGP slow convergence might be seen. For example, BGP might go down 8-9 seconds after BFD brings down the EBGP session. The rpd slip usually does not hurt anything functionally, but if the slip gets big enough, it could eventually cause tasks to not be done in time. For example, BGP keepalives with lower than 90 seconds hold-time might be impacted. There is no known workaround for this issue, but configuring the configuration statement "protocol bgp precision-timers" can take care of the weak spot like sending BGP keepalives. PR1157655
  • In BGP scenario with independent domain enabled in a VRF, when configuring a BGP session in a VRF routing instance with a wrong local-as number, some routes might be declared as hidden because of AS path loop. If later configuring the correct AS number as local-as and committing the configuration, those routes might still remain in hidden state. The hidden routes can be released after performing the commands "commit full" or "clear bgp table <ANY_VRF>.net.0". PR1165301
  • In L3VPN scenario, feature multipath is configured under [set protocols bgp group] with L3VPN chained CNH under routing-options, the feature multipath does not work for L3VPN routes. PR1169289
  • When clearing IS-IS database, process rpd might crash due to a rare memory de-allocation failure that a task pointer is attempted to be freed twice. In the fix of this issue, the order of referencing the task pointer is being revised to avoid the occurrence of rpd crash. PR1169903
  • The PIM bootstrap export policy does not work as expected when there are no PIM neighbors up on the router. PR1173607
  • In L3VPN scenario, VPN routes with different next-hops were advertised with same label, leading to PE-CE link protection failure and longer than expected traffic loss (as reported 2.6 sec). PR1182777
  • Any configuration change can cause deletion of a firewall filter created for a routing instance if the flowspec routes in that instance are imported using rib-group, and there is no "inet-vpn flow" address family configured and the routing instance does not have any BGP group configured with "inet flow" address family. PR1185954
  • In an RSVP LSP scenario with IS-IS configured, a memory leak might happen in rpd and the Packet Forwarding Engine after LSP re-optimization, and this might cause an FPC crash. PR1187395

Services Applications

  • When making a configuration change to a EXP type rewrite-rule applied to a SONET interface in an MX FPC Type 2 or MX FPC Type 3, if MS-DPC is also installed on the device, a MS-PIC core dump may be generated. PR1137941
  • When NAT for SIP is enabled, in a rare situation where the child SIP flow entries are still present in the parent conversation while they have already been deleted, the service PIC might crash if the SIP parent flow tries to access them. PR1140496
  • On MX Series platform, when using MS-MPC, the "idpd_err.date" error message is filling var/log. Please refer to KB30743 for details. PR1151945
  • When deleting NAT flow under a race condition the Service PIC can core. PR1159028
  • When traffic is flowing through MS-DPC card Service PIC and there is an active port block and some ports are assigned from that active port block, if changing the max-blocks-per-address setting to a lower value (lower than the current value), the service line card may crash. PR1169314
  • MS-PIC core-dump when MPLS or IPV6 routing updates are received in the PIC. PR1170869
  • When using MS-DPC under heavy load condition (e.g. with about 7m flows) with deterministic NAT and port block allocation (PBA) scenario, in rare condition, MS-DPC crash may occur due to memory issue. PR1186391

User Interface and Configuration

  • When entering the "restart r" incomplete command in the CLI, the command "restart routing" is executed. It should throw an error like "error: invalid daemon: r". PR1075746
  • MGD spawns dexp with one of the three options below:
      - delta-export is enabled in just this commit (so dexp.db should not exist)
      - Someone deactivated delta-export in some previous commits and activated it now, so dexp.db, if it exists, should be discarded
      - For some reason the change bit is set on the delta-export configuration statement
    It is possible that an incorrect update into dexp.db goes through instead of just copying the file, causing a mismatch in the configuration (i.e. we display configuration that was previously deleted or miss some statements that have been applied). PR1168906
  • Issue: A "pinned-page found for bucket" warning is seen after the application (in this case dfwc) is done with the page pool and is trying to come out after ppool_close.
    Root cause: This warning is given when the application is done with the page pool and tries to find out whether there were any pinned pages in memory. However, this warning is internal to the Junos development team and has been masked in later releases starting from 15.1 onwards with PR https://gnats.juniper.net/web/default/1030715.
    Fix: The relevant changes from PR 1030715 have been taken to prevent this flurry of warnings and to enable these warnings only for the Junos development team upon enabling leak check internally. PR1179264

VPNs

  • In a large-scale NG-MVPN multicast network (140k Rosen and 140k NGen MVPN routes total in 500+ VRFs), an RE switchover with GRES/NSR enabled might cause multicast traffic loss. PR1086129
  • Upon clearing a P2MP LSP in a dual-home topology, the system adds the same outgoing interface to the (S,G) OIL multiple times and thus duplicates/multiplies the amount of outgoing traffic. PR1147947

Resolved Issues: 14.2R6

Class of Service (CoS)

  • This PR does optimization in AE SNMP handling. If all the links in an AE bundle go down, then any COS SNMP query for this AE IFD/IFL will return cached values. PR1140440
  • On MX104 platforms, applying the "rate-limit" and the "buffer-size" on the logical tunnel (lt-) interface of a missing MIC (not inserted on the MPC) causes a commit failure with an error message. As a workaround, this issue can be avoided by applying the "rate-limit" and "buffer-size" on an inserted MIC and then committing. PR1142182

Forwarding and Sampling

  • On MX80 and MX104 platforms, applying a firewall filter with an MX Series specific match condition will raise the following warning message: "Filter <filter_name> is specific to MX Series routers with certain MPCs; will not get installed on DPCs for interface <interface_name>". This warning message is needed for the other modular-type MX Series platforms since they can have DPC and MPC mixed. But the message is not needed for MX80 and MX104 platforms since they only have the MX Series-based Packet Forwarding Engine. Although the warning message indicates that the relevant firewall filter is not installed, the firewall filter is correctly installed into the Packet Forwarding Engine. Thus, the user can ignore the message in case it is logged on MX80 and MX104 platforms. PR1138220
  • For Junos OS Release 14.1R1 and above, when a broadcast packet is sent in a scenario of Integrated routing and bridging (IRB) over Virtual Tunnel End Point (VTEP) over IRB, the packet is getting dropped in kernel as it was looping due to a software issue. The error log message "if_pfe_vtep_ttp_output: if_pfe_ttp_output failed with error 50" is observed when issue occurs. PR1145358

General Routing

  • On an MX Virtual Chassis platform, when we restart one or both of the standby Routing Engines, the log message "ksyncd_select_control_plane_proto: rhost_sysctlbyname_get: No such file or directory" might be observed as the ksyncd daemon attempts to select a communication protocol (UDP/TCP). After several tries, it will fall back to TCP and proceed as normal. PR945925
  • The L2ald may crash after interface flap. PR1015297
  • On MX Series platforms, MPC may crash when bringing up the 100-Gigabit Ethernet MIC with CFP2 (model number: MIC6-100G-CFP2) if initialization failure occurs (e.g., when bringing up the MIC6 which has hardware issues). PR1037661
  • The 802.3ah standard has a remote loopback feature, where one end can put the remote end into remote-loopback mode by sending an enable loopback control LFM PDU. In remote loopback, all incoming packets (except LFM packets) are sent back on the wire as they are. Transmitting or receiving LFM packets should not be affected when an interface is in remote loopback mode. On VMX platforms, configuring LFM remote-loopback leads to a problem state in which LFM packets sent from the node that is in loopback state do not reach the peer end; hence the remote entity information is not shown for the "run show oam ethernet link-fault-management" command on the peer router. PR1046423
  • On all routing platforms M/MX/T/PTX with BGP configured to carry flow-specification route, in case of deleting a filter term and policer, then adding the same term and policer back (it usually happens in race condition when adding/deleting/adding the flow routes), since confirmation from dfwd for the deleting policer might not be received before attempting to add the same policer, the rpd would skip sending an add operation for it to dfwd. As a result, when the filter term is sent to dfwd and tells it to attach to the policer, dfwd has already deleted the policer, and since rpd skipped re-adding it, dfwd will reject the attach filter with a policer not found error and rpd will crash correspondingly. PR1052887
  • When a labeled BGP route resolves over a route with MPLS label (e.g., LDP/RSVP routes), after clearing the LDP/RSVP routes, in the short window before the LDP/RSVP routes restore, if the BGP route resolves over a direct route (e.g., a one-hop LSP), the rpd process might crash. PR1063796
  • Link Up/Down SNMP traps for AE member links might not be generated, but the SNMP traps for the AE bundle work well. PR1067011
  • PCE-initiated LSPs are less preferred than locally configured LSPs. After this issue is fixed, PCE-initiated LSPs will have same preference as locally configured LSPs. PR1075559
  • MPC connection to Routing Engine closed with below error logs: [May 19 19:41:23.724 LOG: Err] PQ3_IIC(WR): I/O error (i2c_stat=0xa3, i2c_ctl[1]=0xb0, bus_addr=0x77) [May 19 19:41:23.724 LOG: Err] Failed to enable PCA9548(0x77):grp(0x1)->channel(1) These logs are generated because the FPC ideeprom should not be accessed when the card is online and cty to any FPC results in accessing the ideeprom of all the FPCs in the Routing Engine, before establishing the actual cty. Routing Engine (cty) accessing the ideeprom and the FPC accessing the I2c devices at the same point can result in conflict and end up in port hang state and other issues. PR1089266
  • When DHCP subscribers are terminated at specific routing-instances and the interface stack is IP demux over vlan-subinterface over AE interface, there might be a memory leak in the kernel AE iffamily when subscribers log in/log out. PR1097824
  • If NSR (nonstop routing) is enabled and a TCP session is terminated while there is still data in the socket pending transmission, the MBUF (kernel memory buffer) used to store this data might not get deallocated properly. In order to hit this issue, the TCP session must use NSR active socket replication. If the system runs low on MBUF memory, the kernel will automatically throttle down memory allocation on low priority applications and ultimately, if there is no MBUF left, the system could become unresponsive due to its inability to serve I/O requests. PR1098001
  • With ECMP-FRR enabled, after rebooting the FPC which is hosting some ECMP links, the ECMP-FRR might not work. Clearing any of BGP sessions (that are the part of ECMP) could help to clear this issue. PR1101051
  • On MX Series platforms, in rare conditions, if the Packet Forwarding Engine sends the wrong Packet Forwarding Engine ID to chassisd as part of a capability message, the kernel might crash and some FPCs might be stuck in the present state, affecting traffic forwarding. This is a corner case and is not reproduced consistently. PR1108532
  • On MX240/480/960 Series routers with MS-DPC, when BGP runs over IPsec and the BGP session has a BFD session tied to it, the BGP session is up but the BFD session remains in INIT state. The issue might be seen with any service configured with multi-hop BFD enabled. Traffic forwarding will not be affected. PR1109660
  • In rare conditions, after Routing Engine switchover, the MPC PIC might go offline, and some error messages might be seen. At times, chassisd on the Routing Engine cores continuously, which makes the unit unusable because none of the interfaces come up. Root cause: after Routing Engine switchover, chassisd fails to get the proper status of the FPCs and cores due to insufficient IDEEPROM read times. PR1110590
  • Right now this fix is available from 14.2R6 and later. On 14.2R5 or earlier images, MSRPC gates once opened would never get deleted. From 14.2R6 and later, MSRPC gates are opened for 60 minutes no matter whether the expected packet hits the gate or not. After 60 minutes, gates are deleted by the timer. PR1112520
  • On a busy MX Series Virtual Chassis platform, for example, with 100k subscribers and 16k subscribers concurrent login/logout, the ksyncd process might crash on Virtual Chassis backup Routing Engines (REs) after a local or global graceful Routing Engine switchover (GRES). This issue has no service impact. PR1115922
  • On TX/TXP platforms, when an LCC hits an overtemp situation, it might go offline abruptly without notifying the SFC and other LCCs, which might cause traffic loss or performance degradation. With the fix, the overtemp situation on the LCC is handled gracefully. PR1116942
  • On M/MX Series platform, the 10G Tunable SFP/SFP+ cannot be tuned in Junos OS Release 15.1R2. PR1117242
  • On MX Series routers containing multiple Packet Forwarding Engines such as MX240/MX480/MX960/MX2010/MX2020, with MPC3E/MPC4E/MPC5E/MPC6E cards, if the routers have GRE decap, then certain packet sizes coming via these line cards at very high rate can cause these line cards to exhibit a lockup, and one or more of their Packet Forwarding Engines corrupt traffic toward the router fabric. PR1117665
  • On MX Series platforms, in rare conditions, if removing or deactivating "member-interfaces" configured for an aggregated Multiservices (AMS) bundle (only officially supported on MS-MPC/MS-MIC), for example, using the CLI command "deactivate interfaces ams0 load-balancing-options member-interface mams-7/1/0", all the MX Series routers with FPCs and the MS-MPC/MS-MIC may crash. As a workaround, to avoid the issue, following is the recommended procedures to change AMS bundle size: 1. Offline member PICs. 2. Change AMS configuration. 3. Online member PICs. PR1119092
  • On MS-MPC-equipped MX Series platforms, during the "three-way handshake" process, when receiving ACKs (e.g., after sending SYN and receiving SYN/ACK) with window size 0 (as reported, it is set to 0 by TCP client when using some proprietary protocol), the ACKs would be incorrectly dropped by the line card due to failure in TCP check. This issue could be avoided by preventing software from dropping packets that fail in the check, for example, by the following CLI command, re# set interfaces ms-3/0/0 services-options ignore-errors tcp. PR1120079
  • Router is using BFD with its ECMP neighbours, when FPCs are rebooted, normally FPC would resolve ARP one by one and update unilist and corresponding selector. But in this case, due to a software defect, unilists remained stale and disabled. So the traffic might be dropped or not be load balanced. PR1120809
  • On MX Series platforms, the MS-MPC crash might occur. The exact trigger of the issue is unknown; normally, this issue might happen over long hours (e.g., within a week) of traffic run (e.g., running HTTP/HTTPS/DNS/RTSP/TFP/FTP traffic profile). PR1124466
  • Right now this fix is available from Junos OS Release 14.2R6 and later. On Junos OS Release 14.2R5 or earlier images, SUN RPC gates once opened would never get deleted. From Junos OS Release 14.2R6 and later, SUN RPC gates are opened for 60 minutes no matter whether the expected packet hits the gate or not. After 60 minutes, gates are deleted by the timer. PR1125690
  • In an EVPN scenario, the EVPN route table between the master Routing Engine and backup Routing Engine would be different (unused garbage routes will appear) once Routing Engine switchover (e.g., by rebooting the "old" master Routing Engine or performing a graceful Routing Engine switchover) is performed, which might cause a kernel crash on the new master Routing Engine in some cases. PR1126195
  • When Junos OS devices use the Link Layer Discovery Protocol (LLDP), the command "show lldp neighbor" displays the contents of the PortID type, length, and value (TLV) received from the peer in the field 'Port Info', and it could be the neighbor's port identifier or port description. A Junos OS CLI configuration statement can select which "interface-name" or "SNMP ifIndex" to generate for the PortID TLV, so there is no problem as long as two Junos OS devices are connected for LLDP, but there might be an interoperability issue if another vendor’s device that can map the configured 'port description' in the PortID TLV is used. In this case, Junos OS displays the neighbor's PortDescription TLV in the Port info field, and if the peer sets the port description whose TLV length is longer than 33 bytes (included), Junos OS is not able to accept the LLDP packets and discards the packets as errors. The PortID TLV length is given as: "the port id tlv length = port description field length + port id subtype(1B)". PR1126680
  • EVPN route attributes like the label and Ethernet segment identifier (ESI) may be missing from EVPN family routes installed by BGP. PR1126770
  • On M320/T320/T640 with FPC 1/2/3 and their enhanced version (-E2/-E), in multicast scenario and AE interface is within multicast NH (such as, AE interface is the downstream interface for a multicast flow), egress multicast statistics displays incorrectly after flapping of AE member links. PR1126956
  • If two redundant logical tunnel (rlt) sub-interfaces are configured in the same subnet and in the same routing-instance, a sub-interface will be down (this is expected), but if the sub-interface is removed from the routing-instance later, after disabling and enabling the rlt interface, a sub-interface might remain in the down state unless you remove the configuration of the rlt interface and then do a rollback. PR1127200
  • In current Juniper Networks implementation, the IPv6 multicast Router Advertisement timer is not a uniformly distributed value between MinRtrAdvInterval and MaxRtrAdvInterval as described in RFC 4861. PR1130329
  • When software encounters an error configuring the optics type into the VSC8248 PHY retimer component of an MX MIC/PIC (typically done on SFP+ module plugin), this could lead to 100% FPC CPU utilization indefinitely. MPCs and MICs that are potentially affected are: MPC3 + 10x10GE SFPP, MIC MPC4 32XGE, MPC4 2CGE+8XGE (10G interfaces only), MPC6 + 24x10GE (non-OTN) SFPP MIC. PR1130659
  • On MX Series routers with MS-MIC (or possibly, MS-MPC is affected as well), changing the configuration of sampling input parameters, such as "rate" under forwarding-options, is not reflected without restarting the line card. PR1131227
  • When using Point-to-Point Tunneling Protocol (PPTP) Application Layer Gateways (ALGs) on MS-MPC/MS-MIC, if running a scaled number of PPTP sessions control and data sessions (e.g., 1M sessions) for long hours (e.g., more than 8 hours), when the traffic is stopped, the "Bytes used" field of the output of CLI command "show services service-sets summary" will show a randomly large value due to memory issue. PR1131605
  • On MX Series-based line card, multiple modifications of the firewall filter might cause lookup chip error and traffic blackhole. The following jnh_free error messages could help to identify this issue: “messages: fpc1 jnh_free(10212): ERROR [FW/3]:1 Paddr 0x006566a9, addr 0x2566a9, part_type 0call_stack 0x40497574 0x418ffa84 0x41900028 0x418ecf94 0x41861690.” PR1131828
  • The CLI output of "clear services sessions" gives the user the impression that the session is marked for deletion in case of delayed delete, but the XML output of the same command, "clear services sessions|display xml", says "session removed." Ideally both should convey the same message to the user. Changes have been made to ensure that the CLI and XML information given to the user is in sync. PR1132006
  • When customers make changes under "protocol router-advertisement interface X" (such as changing timers, etc.), they expect that a commit would trigger a new router-advertisement being sent out to notify hosts about configuration changes. However, this is not the case. This causes the router information to expire on hosts and causes obvious loss of connectivity for the hosts. PR1132345
  • In a situation where both mirrored interface and mirrored destination are on MPC card and mirror destination interface is a unilist next-hop (e.g., an ae interface), mirrored packets may get dropped. PR1134523
  • On MX Series platforms with non-Q-MPC (for example, MPC2-3D) or Q-MPC with enhanced-queueing off, when traffic has to egress on any one of the dynamic PPPoE (pp0), IP-DEMUX (demux0), and VLAN-DEMUX (demux0) IFLs, the queue mapping might get wrong. The traffic forwarding might be affected. PR1135862
  • MXVC-Same subnet VC-heartbeat polling failed to recover. PR1136119
  • On MS-MIC, TCP session Up/Down causes JSERVICES_NAT_* and JSERVICES_SESSION_* messages even though severity level "none" is configured for services. PR1137596
  • On MX Series platforms, the "Max Power Consumption" of MPC Type 1 3D (model number: MX-MPC1-3D) would exceed the default value due to software issues. For example, the value might be shown as 368 Watts instead of 239 Watts when "max ambient temperature" is 55 degrees Celsius. PR1137925
  • MIC-3D-16CHE1-T1-CE only supports 4 queues by default due to the incorrect setting in code; this is a very minor change to make MIC-3D-16CHE1-T1-CE support 8 queues by default. PR1138270
  • JNH periodically attempts to recover memory no longer in use. Recently, when firewall address space was expanded to 16M, a side effect was triggered: memory recovery was extended to 16M as well. On the Hercules line card, Firewall does not use a small block of IDMEM, causing JNH to attempt the return of the unused memory. There is no mechanism for recovery of IDMEM, therefore, this message is displayed. Excepting the syslog impact, there is no further effect on the line card. PR1140021
  • On a Junos Fusion Provider Edge topology, if there are power failures or the power is not connected to a power supply on a satellite device, the "jnxPowerSupplyFailure" traps are not generated by the aggregation device. For example, if there are two Power Entry Modules (PEMs) inserted on the satellite device and one PEM is not powered on, the aggregation device does not generate a trap for the PEM without power. PR1140097
  • With a 100G CFP2 MIC installed in a MPC6E FPC, if the FPC fails to initialize the MIC, it is very likely that the FPC will get into boot loop. PR1148325
  • In EVPN environments, when CE MAC address alone gets changed for a MAC+IP entry, the new MAC+IP entry is not getting reflected in the EVPN database and the old entry still exists on the PE router. PR1149340
  • A commit error occurs after attempting to delete all guaranteed rates on all traffic-control-profiles associated with demux0: "[edit] lab@mx480-J12_09# commit re0: [edit class-of-service interfaces] 'demux0' IFL excess rate not allowed on interface (demux0), please specify guaranteed rate on at least one IFL error: configuration check-out failed." PR1150156
  • When using type 5 FPC on T4000 platforms, traffic going out of the interface where "source-class-usage output" is configured will be dropped if the Source Class Usage (SCU) or Destination Class Usage (DCU) policy configuration is missing. This issue is caused by incomplete configuration, so to avoid the issue, please make the configuration complete (e.g., with "source-class-usage output" and SCU policy). PR1151503
  • From Junos OS Release 14.2 with "exclude-hostname" configuration, hostname is not excluded from the messages before forwarding. This is a minor case, there is no other service impact. PR1152254
  • Routers using inline Layer 2 services may experience Packet Forwarding Engine wedge leading to fabric degradation and FPC restart. During issue state, the affected FPC will not be able to transmit and traffic will be fully blackholed. This problem is amplified by fragmented and out of order packets. This log entry may be seen during the error state: Host Loopback:HOST LOOPBACK WEDGE DETECTED IN PATH ID 0. PR1153750
  • In the TXP environment, the Line-Card Chassis (LCC) Switch Interface Board (SIB) status is not correct when the command "user@router> show chassis environment" is executed: the status is Absent, but there are no alarms. This is a minor issue; it does not affect business. PR1156841
  • On Junos devices with a GRE or IPIP tunnel configured (i.e., devices with a gr- or ip- interface), a specifically crafted ICMP packet can cause a kernel panic resulting in a denial of service condition. Knowledge of network specific information is required to craft such an ICMP packet. Receipt of such a packet on any interface on the device can cause a crash. Refer to JSA10752 for more information. PR1159454
  • On MX Series routers with enhanced queuing DPCs, there is a memory leak whenever doing SNMP walk to any of COS related OIDs or issue the command "show interfaces interface-set queue <interface-set-name>". PR1160642

High Availability (HA) and Resiliency

  • With NSR enabled on multiple Routing Engine systems, when a dynamic GRE tunnel is configured, performing Routing Engine switchover might cause rpd to crash repeatedly on the backup Routing Engine. PR1130203

Infrastructure

  • The Remote NFS Server process (nfsd) is not terminated on the new backup Routing Engine (RE) after RE switchover. As a result, it spawns a new one upon RE switchover until running out of memory. PR1129631
  • On M/T/PTX platforms, the SNMP requests may return timeout if SNMP pollings on IF-MIB and COS-MIB for the same ifl/ifd are requested at the same time. This is a generic async stats infra issue in kernel. On MX Series platforms, the same issue may not be seen since SNMP pollings for ifl stats go through pfed instead of kernel on MX Series platforms. PR1149389

Interfaces and Chassis

  • jnxBoxDescr is reworded for MXVC to replace the platform type with a more general representation that replaces the specific member platform type with "Virtual Chassis." Old virtual chassis text example: jnxBoxDescr.0 = member0 Juniper MX240 Internet Backbone Router. New virtual chassis text example: jnxBoxDescr.0 = member0 Juniper MX Series Virtual Chassis Internet Backbone Router. NOTE: The MIB design for jnxBoxAnatomy "top-level" chassis information works properly for a standalone chassis, but doesn't fully represent virtual chassis multi-member configurations because it is capable of providing information for only one physical chassis. (The remainder of the jnxBoxAnatomy MIB "containers" properly support the inventory of a multi-member configuration.) MX Series virtual chassis provides another MIB, jnxVirtualChassisMemberTable, to supply the equivalent "top-level" information. PR1024660
  • MS-DPC might crash when allocating chain-composite next hop in an enhanced LAG scenario. PR1058699
  • The following CLI configuration statement needs to be used for the CFM session to work: "set chassis aggregated-devices disable-lag-enhanced." Enhanced-lag is enabled by default in the system when the system is configured with enhanced-ip. CFM is not supported with enhanced-lag at present. PR1116826
  • MXVC-specific behavior for SNMP walk of jnxOperating* containers was divergent from the physical MX Series. Returned to vergence. PR1136414
  • Due to movement of SNMP stats model from synchronous requests to asynchronous requests in Junos OS Release 13.3R1, the IQ2/IQ2E PIC, which has limited memory and CPU power, cannot handle scaling SNMP polling at high rate (e.g., a burst of 4800 SNMP requests). This issue comes with high rate SNMP stats polling for IQ2/IQ2E interfaces or Aggregated Ethernet (AE) interface with IQ2/IQ2E as member links. These memory failures can cause IQ2/IQ2E PIC reboot because keepalive messages will also not get memory. PR1136702
  • When Micro Bidirectional Forwarding Detection (BFD) sessions are configured for link aggregation group (LAG), the device control process (DCD) acts as the client to the micro BFD session. In order to monitor the connection between client (DCD) and server (BFD), the client needs to exchange keepalive hello packets with the server. To send hello packets, DCD needs to move out of IDLE phase to CONFIG_BFD phase, which is the reason for the following log messages: dcd.c:585 dcd_new_phase_if_idle() INFO : Current phase is IDLE, going to phase CONFIG_BFD usage.c:75 dcd_trace_times() INFO : Phase Usage for IDLE : user 0.001 s, sys 0.000 s, wall 60.019 s dcd.c:717 dcd_new_phase() INFO : New phase is CONFIG_BFD usage.c:75 dcd_trace_times() INFO : Phase Usage for CONFIG_BFD : user 0.000 s, sys 0.000 s, wall 0.000 s dcd.c:717 dcd_new_phase() INFO : New phase is IDLE. There is no functionality impact; however, these messages might flood the logs. As a workaround, we can filter out these messages from being written to the log file according to this KB article: http://kb.juniper.net/InfoCenter/KB9382. PR1144093
  • On OAM maintenance domain intermediate point (MIP), the connectivity fault management (CFM) will not be enabled on the L2VPN interface if it is configured after L2VPN is up. PR1145001
  • Starting from 12.3R4, on dual-RE equipped M series routers, due to the mismatch of online status of the missing FRU (e.g., FPC or FEB which is not inserted, but is reported as online on backup Control Board), error messages about the missing FRU might be seen intermittently on the device. PR1148869
  • With Junos OS Release 14.2R1 to 14.2R5, for a multichassis link aggregation group (MC-LAG) running in active-standby mode, when two MC-LAG peers are connected to a specific vendor's device (e.g., NEC QX switch), after the configured MC-AE active node is rebooted, both MC-AE member links will become "Collecting distributing" (Active) status for LACP. Depending on topology, there might be a loop, causing a broadcast storm. PR1158444
  • When a Routing Engine (RE) experiences a media block error, the RE will try to switch mastership immediately due to this software defect. The switch-over attempt happens even on a single RE system which in this case will cause all FPCs to reset. PR1168494

J-Web

  • An information leak vulnerability in J-Web may allow unauthenticated remote users with network access to the J-Web service to gain administrative privileges or perform certain administrative actions on the device. Refer to JSA10754 for more information. PR1114274

Junos Fusion Provider Edge

  • On a Junos Fusion Provider Edge topology, broadcast Ethernet traffic with an unknown Ethertype might generate the following log entries: fpc0 XL[0:0]_PPE 1.xss[0] ADDR Error and fpc0 XL[0:0]_PPE 1 Errors async xtxn error. PR1123040
  • On a Junos Fusion Provider Edge topology, if you configure Junos Fusion on an MX Series aggregation device, corresponding system log messages might not be received by a remote syslog server. PR1134269

Layer 2 Features

  • In a VRRP scenario with one host connected to the active and backup VRRP switches, if the host sends a huge amount of traffic continuously to the backup VRRP switch, it might cause high ppmd (Periodic Packet Management Daemon) CPU utilization and slow response on the backup VRRP switch. PR1124038
  • In a VPLS scenario with AE interfaces as core-facing interfaces, when an LDP mesh-group is enabled with local-switching enabled in it, the neighbors configured under the local-switching hierarchy will cause an LSI (Label-Switched Interface) to be created automatically. If port flapping occurs, causing a change of the MPLS interface associated with the LSI interface, VPLS split-horizon might not function, which causes traffic to be looped back. As a workaround, configuring the "enhanced-ip" configuration statement can avoid this issue. PR1138842
  • In a VPLS scenario, when "$junos-underlying-interface-unit" is configured in the "dynamic-profiles" hierarchy, which is then implemented in a routing-instance, upgrade/commit will fail with the following error message: Parse of the dynamic profile (<dynamic_profile_name>) for the interface: $junos-interface-ifd-name and unit: $junos-underlying-interface-unit failed. PR1147990
  • For routers equipped with the following line cards: T4000-FPC5-3D, MX-MPC3E-3D, MPC5E-40G10G, MPC5EQ-40G10G, MPC6E MX2K-MPC6E, if the router is working as a VPLS PE, due to MAC aging every 5 minutes, the VPLS unicast traffic is flooded as unknown unicast every 5 minutes. PR1148971

Layer 2 Ethernet Services

  • There is a bug in the code that handles the redistribution of PPM (periodic packet management) Transmit and Adjacency entries for LACP when the Interface entry is in pending distribution state. This issue might cause a ppmd crash after graceful Routing Engine switchover. PR1116741
  • For Routing Engine generated packet with VLAN tag, if the outgoing interface is an LT interface, the VLAN tag will not be removed even if the LT interface is configured with untagged encapsulation. PR1118540
  • In a large-scale DHCPv4 or DHCPv6 relay environment (in this case, 50-60K subscribers), when the system is under stress (many simultaneous operations), the subscribers might get stuck in RELEASE state with a large negative lease time. PR1125189
  • Input/Output pps/bps statistics might not be zero after a member link of an AE interface with distributed ppmd goes down in M320/T-Series (GIMLET/STOLI-based FPC). PR1132562
  • When the LACP hold timer config is added and LACP is getting activated for the first time on the parent interface, the lacpd process might crash. PR1135187
  • When a power supply has failed, the Power Supply failed alarm is generated every 30 minutes. The expected interval is every 60 minutes. This is a minor issue, there is no other service impact. PR1144795
  • The "Node ID" information is not shown on MX Series platform when traceoption flag "pdu" is configured to trace Ethernet ring protection switching (ERPS) PDU reception and transmission. PR1157219

Multiprotocol Label Switching (MPLS)

  • With egress protection configured for Layer 3 VPN services to protect the services from egress PE node failure in a scenario where the CE site is multihomed with more than one PE router, when the egress-protection is un-configured, the egress-protection route cleanup is not handled properly and still points to the indirect composite next hop in kernel, but the composite next hop can be deleted in rpd even when the egress protection route is pointing to the composite next hop. This results in composite next hop "File exists" error when the egress protection is re-enabled and reuses the composite next hop (new CNH addition fails as old CNH is still referenced in kernel). PR954154
  • Please see CVBC section PR1054491
  • In MPLS scenarios, removing the "family mpls" configuration from an outgoing interface may cause inet and/or inet6 next hops associated with that interface to unexpectedly transit to dead state. Even adding back "family mpls" cannot restore it. PR1067915
  • For advertising IPV6 packets over an MPLS GRE tunnel, the IPv6 address gets stuck in the KRT queue. PR1113967
  • If a RSVP LSP has both primary and secondary standby path and link-protection enabled, a /32 bypass route is unhidden when the primary link goes down. This /32 route is supposed to be made hidden again when primary link comes back up. But in some cases, due to software defect, this /32 bypass route remains unhidden forever, which causes some issues, for example, BFD session down due to better prefix received from Bypass LSP. PR1115895
  • During interoperation with Cisco device (e.g., CRS) belonging to different IGP area, if the P2MP LSP ping echo reply message from the Cisco device is using interface address other than loopback/router-id as the source address, the reply message will be dropped on the Junos OS device. With the fix, the Junos OS device will accept the packets and print them as 'uncorrelated responses'. PR1117166
  • When a PLR is a non-Juniper router, the Juniper ingress node might stay on the bypass tunnel and ignore the CSPF result. PR1138252
  • When a link fails on an RSVP LSP which has link-protection or node-link-protection configured, the PLR (point of local repair) will initiate a bypass LSP and the RSVP LSP will be tunneled on this bypass LSP. However, if the bypass LSP is then brought down because there is a link failure on it, the PLR might only send out a session_preemted PathErr message to the upstream node without sending a ResvTear message. Hence the ingress node does not receive the ResvTear message and the RSVP LSP is not immediately torn down. The RSVP LSP will remain UP for more than 2 minutes until the RSB (Resv state block) on the ingress's downstream node times out and it sends a ResvTear message to the ingress. PR1140177
  • There is no entropy label for an LDP route in the scenario of LDP tunneling across a single-hop RSVP LSP with label 0 (explicit-null) used. As a workaround, removing either LDP tunneling or RSVP explicit-null will resolve the issue. PR1142357
  • This issue is related to inter-op between a multivendor scenario. This fix will add sub-object RRO, which will help change of label during an FRR active scenario. PR1145627
  • MPLS TED might not select random links to calculate the ERO when OSPF is overloaded. Instead, only one or two interfaces will be used for all the configured LSPs originating from the router. PR1147832
  • In LDP P2MP scenario with NSR, after performing multiple iterations of FPC reloads, protocol bounce, interface bounce, GRES, rpd restarts in random, in rare condition, the rpd process might crash, the routing protocols are impacted and traffic disruption will be seen due to loss of routing information. PR1148404
  • With NSR enabled and LDP configured, the rpd process might crash and restart on the new master Routing Engine after a Routing Engine switchover. PR1155002
  • If the container LSP name and the suffix together are more than 60 characters in length, the rpd process might crash during extensive split merge conditions. It is always advisable to keep them less than 60 characters. The member LSP name is coined in the following manner: <container-name>-<suffix-name>-<member-count>. The LSP name can have up to 64 characters. So after putting together the container name, suffix, member-count (could go up to 2 digits), and the 2 hyphens, it should not exceed 64. So container-name and suffix together should not exceed 60 characters. A commit check will be added to throw a warning if the name is longer than the supported number of characters. PR1160093

Network Management and Monitoring

  • The mib2d process generates a core file while trying to re-add a LAG child link to the internal DB. Because the entry is already present in the internal DB, mib2d performs a lookup on the tree before adding the child link to check whether the entry is already there. However, this lookup returns no results, because the child link is part of the snmp filter-interface configuration. PR1039508
  • Polling the LAG MIB tables dot3adAggPortTable and dot3adAggPortDebugTable, or making LAG configuration changes, may result in a mib2d process core file or unexpected values for LAG MIB OIDs. The PR fix will resolve these MIB table issues. PR1060202
  • With Junos OS Release 13.3R8, 14.1R6, 14.1X53-D30, 14.2R5, 15.1R2, 15.1X49-D30, and above, when we configure the fxp0 "master-only" address as the source address of an SNMP trap, the SNMP trap packets are not sent out after a Routing Engine (RE) switchover. To recover from this issue, we can use "restart snmp" or "delete/set snmp trap-options". As a workaround, we can use other addresses for the SNMP trap source. PR1153722

Platform and Infrastructure

  • When one of the "deny-commands" is incorrectly defined in the profile of a TACACS+ server, all "deny-commands" regexes will be ignored, which leads to an over-permissive profile without any warning. PR1078238
  • Fragmenting a special host outbound IP packet with an invalid IP header length (IP header length is greater than actual memory buffer packet header length) can trigger NULL mbuf accessing and dereferencing, which might lead to a kernel panic. PR1102044
  • Junos OS defines the SNMP ifXTable (ifJnxInErrors/ifJnxInL3Incompletes) counter as 64 bits wide, but it worked as a 32-bit counter. It works as a 64-bit counter after the fix. PR1105266
  • On MX-VC, when traffic with TPID 0x88a8 or 0x9100 is sent over an AE interface, the packets that cross VCP links might be dropped on the egress VCP Packet Forwarding Engine due to an invalid fabric token. PR1112752
  • On a Junos Fusion Provider Edge topology, when unicast next hops for the satellite device extended ports are deleted and added, if the routing chip memory is not freed, a small memory leak occurs during the next-hop deletion. If the churn happens for an extended period, the Flexible PIC Concentrator (FPC) might run out of memory and stop operating. PR1114369
  • Inline 6rd and 6to4 support for XL and XL-XM-based platforms. PR1116924
  • In certain specific network/operating system configurations when a telnet or SSH session client is initiated from a Junos OS device to another device, both the telnet/SSH server, and the telnet/SSH client incorrectly handle the TCP connection on each end. In this event, both the client and the server are stuck in various TCP states and never establish the connection, or release the connection. PR1123496
  • On MX Series-based line cards, a GRE over IPv6 packet with a Layer 4 length of less than 8 bytes is discarded with the reason "L4 len too short". PR1126752
  • On MX Series platforms, when a line card is taken offline (possibly any of the line cards listed below), a "Major alarm" might be seen due to HSL (link between line card and Packet Forwarding Engine) faults. This fault is non-fatal and does not cause service impact. The following line cards might hit the issue: MS-MPC/MS-MIC, MIC-3D-8DS3-E3, MIC-3D-8CHDS3-E3-B, MIC-3D-4OC3OC12-1OC48, MIC-3D-8OC3OC12-4OC48, MIC-3D-4CHOC3-2CHOC12, MIC-3D-8CHOC3-4CHOC12, MIC-3D-1OC192-XFP, MIC-3D-1CHOC48. PR1128592
  • On platforms with MX Series-based line cards, if an FPC is taken offline while it is still coming online (the online process is at the fabric link training stage), in a rare corner case stale Routing Engine state is sent to the other existing FPCs, so traffic forwarding might be affected. PR1130440
  • For an IPv6 packet with "no next header" in the Hop-By-Hop header, if the Hop-By-Hop header length field value is larger than 112, the router drops the packet and logs the following error: PPE PPE HW Fault Trap: Count 105, PC 60ce, 0x60ce: ipv6_input_finished_parsing LUCHIP(3) PPE_10 Errors lmem addr error. PR1130735
  • NTP.org published a security advisory for 13 vulnerabilities in NTP software on Oct 21st, 2015. These vulnerabilities may allow remote unauthenticated attackers to cause Denial(s) of Service(s), disruption of service(s) by modification of time stamps being issued by the NTP server from malicious NTP crafted packets, including maliciously crafted NTP authentication packets and disclosure of information. This can impact DNS services, as well as certificate chains, such as those used in SSL/https communications, and allow attackers to maliciously inject invalid certificates as valid which clients would accept as valid. Refer to JSA10711 for more information. PR1132181
  • Doing a file copy from a Routing Engine running Junos OS image to a Routing Engine running Junos OS with Upgraded FreeBSD image fails. PR1132682
  • Too many duplicate ACK messages are generated from the Packet Forwarding Engine for the TCP control connection with the Routing Engine. This could cause: 1. An MX-VC DDoS protection violation for the VC-control low queue, which makes the MX-VC split. 2. High Routing Engine and FPC CPU utilization. PR1133293
  • With scaled firewall filters attached to interfaces (e.g., 10k+ filters), running the "show configuration" command can cause high CPU of the mgd process. As a workaround, use the "show configuration | display set" command to view the config. PR1134117
  • On XM chip-based line cards (e.g., MPC3/4/5/6, and FPC type 5), in rare situations, when LU or XL chip congestion occurs (e.g., may occur when configuring with more than 4000 entries in the multicast list and large traffic performing replication, please note this is not a realistic configuration), XM chip wedge may occur. PR1136973
  • On MX2020, when we remove all power from a power zone and then restore power to the zone, the FANTray LED stays amber and the FANTray LED on the craft card stays OFF. They do not revert to green (FANTray LED) or ON (craft LED) until we reboot the entire chassis system or hot swap that FAN tray. For Zone 0 (PSM 0 to 8), FAN 1 shows the above behavior. For Zone 1 (PSM 9 to 17), FAN 3 shows the above behavior. PR1138209
  • When the CLI command "show pfe statistics exceptions | match reject" is executed, the CPROD thread in the Packet Forwarding Engine may hog the CPU and result in an FPC crash. PR1142823
  • Receipt of a specifically crafted UDP packet destined to an interface IP address of a Junos OS device with a 64-bit architecture may result in a kernel crash. This issue only affects systems with a 64-bit architecture. 32-bit systems are unaffected by this vulnerability. Refer to JSA10758 for more information. PR1142939
  • When ARP is trying to receive a next hop message whose size (for example, 73900 bytes) is bigger than its entire socket receive buffer (65536 bytes), the kernel might crash, and the traffic forwarding might be affected. PR1145920
  • In certain affected Junos OS Releases, executing the "nhinfo -d" shell command might trigger a kernel panic. This is caused by insufficient buffer space in the routing socket requested by the "nhinfo" utility. PR1148220
  • On MX Series platforms with MX Series-based line cards, when inline 6rd with an si interface is deployed and downlink traffic is over ECMP or AE, some traffic might be dropped. PR1149280
  • When a routing instance is configured with "routing-instances <instance-name> routing-options localized-fib", then VPN localization may fail, causing all routes for the affected routing instance to be installed on all Packet Forwarding Engines. PR1149840
  • When the NTP server address is configured in a routing instance table and reachable from inet.0 by static configuration (for example, by configuring static/route/next-table/VRF.inet.0), and NTP source-address is configured, the ntpd (the Network Time Protocol daemon running on NTP client) might pick the wrong source-address instead of the configured source-address. As a result, the NTP server cannot send the NTP packet back. PR1150005
  • An FPC may black-hole traffic after an lmem data error in the private zone. PR1152026
  • During an ISSU upgrade in MXVC environment, linecards may crash, causing service impact. When the linecards come up, there may be a nexthop programming issue as a secondary impact and some IFLs may not pass traffic. Affected linecards need to be rebooted to recover from this condition. PR1152048
  • On MX Series routers with Junos OS Release 14.2R5-S1, when we specify a multiservice (ms-) interface to add a timestamp to Real-time Performance Monitor (RPM) probe messages, it will cause the mspmand process to crash and the MS-MPC/MS-MIC to keep crashing. As a workaround, configure RPM to perform timestamping either on the Routing Engine (Routing Engine-based RPM) or on an installed MPC Packet Forwarding Engine (Inline-RPM). PR1152785
  • Fixed an issue with Inline J-Flow where the Observation Domain field in exported IPFIX datagrams was always using the value attributed for LU0 in MPCs with multiple LUs per Forwarding-Engine. PR1152854
  • CHASSISD_READBACK_ERROR logs are reported on the backup Routing Engine for the non-empty FPCs. PR1155823
  • Configuring a firewall filter with multiple terms matching either on flexible-match-mask or flexible-match-range might lead to FPC crashing while trying to program the firewall filter and add it to the local table. PR1157759
  • On a Junos Fusion Provider Edge topology, you could only assign "satellite all" privileges to a single user class. In Junos OS Release 14.2R6, you can now include the "satellite all" statement at the [edit system login class class-name] hierarchy level for multiple classes. PR1161531

Routing Policy and Firewall Filters

  • When a malformed prefix is used to test policy (command "test policy <policy name> <prefix>"), and the malformed prefix has a dot symbol in the mask field (e.g., x.x.x.x/.24), the rpd process might crash. PR1144161
  • From Junos OS Release 13.2R1, an attempt to commit a configuration with a dangling conditional policy referring to a non-existent/inactive routing-instance will be permitted. If we have a conditional policy referring to an active routing-instance, deleting/deactivating this routing-instance and then committing will cause the rpd process to crash. As a workaround, we should always make sure that conditional policies are referring to active routing-instances. PR1144766

Routing Protocols

  • If the command to trace ppm is issued from the FPC shell and a malformed incoming packet (required to be handled by PPM) is in the buffer, the FPC may crash. An example of such a malformed packet would be a multihop BFD packet with an incorrect length (larger than normal). PR1082878
  • When a BGP session supports multiple address families, the inactive route of some of the address families might not be flushed correctly, leading to wrong behaviors for some of the features that need to advertise inactive routes (e.g., advertise-inactive, advertise-external, optimal-route-reflection, etc.). PR1097297
  • After executing the CLI commands "show route detail" or "show route extensive," the routing protocol process (RPD) might get stuck in an infinite loop and might stop responding to any events such as CLI commands, protocol keepalives, etc. This would result in a timeout of all protocol adjacencies and a high CPU utilization by RPD might be seen on the device (over 90% used by RPD). In some cases, the memory that is used to store the command output might not be freed during executions, which might lead to an RPD restart because of memory exhaustion (RLIMIT exceeded). PR1104090
  • A triggered S,G,RPT join is not sent immediately upon receiving the *,G join or S,G join on the RPT tree. The join to S,G,RPT goes out with the periodic join instead, which delays pulling traffic until the periodic join is sent. PR1107896
  • This issue is a regression defect introduced in Junos OS Release 11.4R11, 12.1R10, 12.2R8, 12.3R6, 13.2R4, 13.3R2, and 14.1R1. After upgrading to those releases containing the original fix, when there is no export policy configured for the forwarding table to select a specific LSP, whenever routes are resolved over RSVP (for example, due to aggressive auto-bandwidth), the resolver will spend a considerable amount of time on the resolver tree, which contributes to a baseline increase in rpd/Routing Engine CPU. PR1110854
  • IGMPv2 working in v2/v1 compatibility mode does not ignore v2 Leave messages received on a bridge-domain's L2 member interface. Moreover, an IGMP snooping membership entry for the respective group at this L2 member interface will be timed out immediately upon IGMPv2 Leave reception, even when there are some other active IGMP hosts attached to this L2 member interface. This might break multicast forwarding for this L2 member interface. PR1112354
  • When two (or more) route target communities of MP-BGP route match to two (or more) route target communities in VRF import policy of a RI, duplicate routing entries might be installed in the RI. In the output of “show route table <RI-name>.inet.0 detail”, two identical routing entries appear with one being marked as 'Inactive reason: Not Best in its group - No difference'. When such duplicate routing information is to be deleted, rpd process will crash. PR1113319
  • On a dual Routing Engine router with BFD configured for BGP with holddown-interval, after a BFD flap (disabling/enabling the interface), BGP/BFD is up on the master Routing Engine, but the backup Routing Engine still shows BGP/BFD as down and it never comes up. PR1115429
  • There may be a stale BFD session after changing the physical interface MTU. This may also cause the BFD session to flap continuously or stay in the down state. PR1116666
  • During many types of configuration changes, especially including import policy, BGP has the need to re-evaluate the routes it has learned from peers impacted by the configuration change. This re-evaluation involves re-running import policy to see if there are any changes to the learned routes after applying the new policy. This work is done in the background as part of an "Import Evaluation" job. When BGP is reconfigured a second time, and the "Import Evaluation job" has not completed, it is necessary to re-run the job from the beginning if there's another change to policy or something with similar impact. This state is noted as "Import Evaluation Pending". However, in this case, there was a bug that caused BGP to always enter the pending state upon reconfiguration, regardless of whether relevant changes were made to import or other similarly impactful configuration. The result is that once it is necessary to start re-evaluation of the routes for a peer, even trivial configuration changes that happen too quickly will cause the "Import Evaluation job" to need to run again as a result of the "Pending" flag being set. To avoid the issue, please ensure that "ImportEval" is not present in a BGP peer's Flags output from the CLI (show bgp neighbor) prior to doing even trivial commits. PR1120190
  • With BGP configured on CE-faced interfaces (in VRFs), doing “show route” frequently may cause rpd to slowly leak memory. The leak rate will be one memory block of the size necessary to hold the instance name of the routing instance for a BGP neighbor. If the rpd process memory is exhausted, the rpd process might crash, and the routing protocols are impacted and traffic disruption will be seen due to loss of routing information. You can check rpd memory usage with the "show task memory brief" command. PR1124923
  • In a multicast environment, when the RP is the FHR (first-hop router) and it has MSDP peers, if the RPF interface on the RP changes to an MSDP-facing interface, a multicast discard route is installed and traffic loss is seen, because the multicast traffic is still on the old RPF interface. PR1130238
  • In multicast environment with Protocol Independent Multicast sparse mode (PIM SM) used, if an upstream router of last-hop router receives the (S,G) SPT join while the shortest-path tree (SPT) is not yet established (only because multicast source is not reachable, a reachable route for SPT which is just not established yet will not cause this issue), when the multicast route gets deleted on the router (e.g., receives the (S,G) prune from the downstream PIM router), the router will incorrectly stop forwarding the multicast traffic even if a rendezvous-point tree (RPT) path exists. PR1130279
  • On dual Routing Engine platforms, due to a software issue, the OSPF (both OSPFv2 and OSPFv3) "DoNotAge" bit (e.g., when the source of the LSA has the flood-reduction feature enabled) is not mirrored to the backup routing protocol process (rpd). In this situation, after performing nonstop active routing (NSR) switchover, the LSA on the new master rpd remains without the "DoNotAge" bit set. Once the LSA reaches OSPF max age, the router will flood LSA purge, hence route flapping might be seen on all routers under the OSPF topology. PR1131075
  • In rare conditions, an mt tunnel interface flap causes a core file on the backup Routing Engine. The exact root cause is not known. While processing updates on the backup Routing Engine (received from the master Routing Engine), accessing a free pointer causes the core. PR1135701
  • On dual Routing Engine platform with Bidirectional Forwarding Detection (BFD) protocol enabled, after graceful Routing Engine switchover (GRES), the periodic packet management process (ppmd) might crash on the backup Routing Engine due to a software defect. PR1138582
  • Deleting the mvpn configuration from a routing instance with "delete routing-instances <instance-name> protocols mvpn" might cause the routing daemon on the master RE to crash. PR1141265
  • When multicast-only fast reroute (MoFRR) is enabled in PIM or multipoint LDP domain, memory leak will be observed on generation of the multicast FRR next hops. The leak rate is 8 bytes for IPv4 and 12 bytes for IPv6 addresses, per FRR next hop created. Eventually, the rpd process will run out of memory and crash when it cannot honor some request for a memory allocation. PR1144385
  • With NSR configured, when the BFD sessions are replicated on the backup Routing Engine, the master will not send the source address, instead the backup Routing Engine will query the kernel to get the source address. In rare cases, the query might fail, resulting in the source address as all zeros. Later, if a GRES switchover happens, the new master will have this all-zeros source address. When a BFD packet with this source address is sent out, the other end will drop the BFD session due to no matching session (source address). PR1145612
  • In the BGP labeled unicast environment, the secondary route is configured with both add-path and advertise-external. If the best route and secondary route are changed in a routing table at the same time, add-path might fail to readvertise the changed route. The old route with the old label is still the last route advertised to one router, instead of updating the advertisement with the new route and new label. So the traffic forwarding might be affected. PR1147126
  • This core is seen because of incorrect accounting of refcount associated with the memory block which composes the nhid (IRB nh). When the refcount prematurely reaches 0, we released the memory block while it was still referenced from a route. We may see this issue when mcsnoopd becomes a slow consumer of rtsock events generated by rpd (next-hop events in the current case) and messages get delivered in an out-of-order sequence, causing the refcount to be incorrectly decremented. In the testbed where the issue was reported, tracing was enabled for mcsnoopd (for logging all events), causing it to become a slow consumer. However, it may become slow also for other reasons, such as processing very high rate of IGMP snooping reports/leaves which could potentially trigger this issue. PR1153932
  • OpenSSH client software supports an undocumented feature called roaming: if the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session. This functionality contains two vulnerabilities that can be exploited by a malicious SSH server (or a trusted but compromised server): an information leak (memory disclosure), and a buffer overflow (heap-based). Refer to http://kb.juniper.net/JSA10734 for more information. PR1154016
  • BGP Monitoring Protocol (BMP) feature is introduced in 13.3R1. When BMP is configured in passive mode and BMP session is closed ungracefully (e.g. No TCP FIN sent), in rare cases, the TCP session might not be cleaned up properly and rpd process crash might be observed during the re-establishment of the previous session. PR1154017
  • When rib-group copy is done for a route change, the rib-group copy of the secondary route into the destination tables of the copy may not honor maximum-prefixes in some scenarios, such as upon damping changes. The traffic forwarding might be affected. PR1157842

Services Applications

  • The Point-to-Point Tunneling Protocol (PPTP) ALG is used for tunneling Point-to-Point Protocol (PPP) packets over an IP network. However, if session-limit-per-prefix is configured on the router, the PPTP ALG does not work. PR1128484

User Interface and Configuration

  • When committing a configuration with a very long as-path (in this case, the as-path is almost 12000 characters long), the commitd process might crash. The commitd process restart has minimal impact on the system. As a workaround, configure the as-path to be less than 4096 characters long. PR1119529
  • When two or more sessions are accessing the router and one of them (for example, session 1) is executing commit check in configuration private mode while another (for example, session 2) keeps executing commit-and-quit in configuration private mode, there is a chance that session 2 will hit a database opening error, because commit check does not keep the lock on the local Routing Engine for the entire session. The detailed sequence of events is as follows:
      (1) Session 1: commit check does not keep the lock on the local Routing Engine for the entire session; once commit check succeeds locally, it asks for the lock on the other Routing Engine.
      (2) Session 2: mgd acquires the db lock on the local Routing Engine.
      (3) Session 1: once commit check is completed on the remote Routing Engine, it does cleanup and deletes the juniper.data+ file (created by Session 2).
      (4) Session 2: juniper.data+ is still in use on the local Routing Engine by daemons, which start complaining about it and emit messages such as "Database open failed for file '/var/run/db/juniper.data+' ".
    PR1141576

VPNs

  • On dual Routing Engine platforms with BGP L2VPN and NSR configured, there is a chance that the block label allocation and deletion for L2VPN happen out of order on the backup Routing Engine, as follows. The master rpd follows this sequence (which is the correct order):
      Add Prefix P1 of Label L1
      Delete Prefix1 of Label L1
      Add Prefix P2 of Label L1
    However, on the backup rpd, it goes like this:
      Add Prefix P1 of Label L1
      Add Prefix P2 of Label L1 <======
      Delete Prefix1 of Label L1
    In this situation, the backup rpd cannot allocate the label L1 for P2 since L1 is already in use for P1, so it crashes. This occurs in scaling environments (10k L2VPN) where the router has multiple BGP peers, and different L2VPN routing-instances are deleted and added back. PR1104723
  • In L2circuit environments, if one PE has pseudowire-status-tlv configured but the remote PE does not, and at the same time this PE does not support control-word but the remote PE does, this PE does not send the changed local status code to the remote PE. In rare conditions, after status-tlv support is enabled at the remote end, the l2circuit might get stuck in the "RD" state on the remote PE. PR1125438

Resolved Issues: 14.2R5

Class of Service (CoS)

  • On MX104 platforms, when we configure rate-limit for the logical tunnel (lt-) interface, the commit will fail. As a workaround, we can use firewall filter with policer to achieve the same function. PR1097078
  • On MX Series platforms, when class-of-service (CoS) adjustment control profiles and "overhead-accounting" are configured, if the ANCP adjust comes before the logical interface (IFL) adding message and the IFL is in "UP" state when added (for example, it may occur when carrying scaling subscribers, for instance, 8K subscribers), for some of the subscribers, the local shaping rate from dynamic profile for the subscriber IFL may not be overridden by shaping-rate of ANCP. PR1098006

Forwarding and Sampling

  • This defect is seen only when an existing child link from an AE is moved to a newly created AE, simultaneously from both ends. The new AE is listed as a child link in the existing AE in the “show interface ae<>.0 extensive” CLI. PR965872
  • The command "clear firewall all" will now clear the policer stats displayed by "show policer __auto_policer_template_1__", ... "show policer __auto_policer_template_8__". PR1072305
  • This issue is seen in Junos OS Release 14.2 and later. When Routing Engine based sampling is enabled and the BGP session is using a 4-byte AS, an improper AS number can be found in the sampling information.
      [router1]--------[DUT]--------[router2]
      AS 1,000           A          AS 10,0000
                         | sampling
      1.1.1.1 ---------------------->2.2.2.2 traffic
      --- traceoptions log ---
      Aug 10 12:21:21 v5 flow entry
      Aug 10 12:21:21 Src addr: 1.1.1.1
      Aug 10 12:21:21 Dst addr: 2.2.2.2
      Aug 10 12:21:21 Nhop addr: 20.20.20.1
      Aug 10 12:21:21 Input interface: 747
      Aug 10 12:21:21 Output interface: 749
      Aug 10 12:21:21 Pkts in flow: 594
      Aug 10 12:21:21 Bytes in flow: 49896
      Aug 10 12:21:21 Start time of flow: 4648545
      Aug 10 12:21:21 End time of flow: 4707547
      Aug 10 12:21:21 Src port: 0
      Aug 10 12:21:21 Dst port: 2048
      Aug 10 12:21:21 TCP flags: 0x0
      Aug 10 12:21:21 IP proto num: 1
      Aug 10 12:21:21 TOS: 0x0
      Aug 10 12:21:21 Src AS: 1000
      Aug 10 12:21:21 Dst AS: 34464 <<<<<
      Aug 10 12:21:21 Src netmask len: 32
      Aug 10 12:21:21 Dst netmask len: 32
    PR1111731
  • This issue might be seen if the following conditions are met:
      * AE sub-interface with firewall filters
      * FPC reboot or new FPC is coming up
      * shared-bandwidth-policer or regular policers (not a must, but easier to hit)
    If, while the FPC is restarting, a timing condition occurs whereby the filter for that sub-interface is not received, the FPC can panic and crash. PR1113915
  • On MX Series platform with MX-FPC/DPC, M7/10i with Enhance-FEB, M120, M320 with E3-FPC, when large-sized IPv6 firewall filters (for example, filters that use prefix lists with 64k prefixes each) are enabled, commit/commit check would fail and the dfwd process would crash after configuration commit/commit check. There is no operational impact. PR1120633
  • On all Junos OS platforms, when both the filter and the policer are configured for an interface, in rare cases, the policer template may not be received by the Packet Forwarding Engine (from the Routing Engine) when it is referenced by the filter term (normally the policer template gets received before the filter term referencing it, which is ensured by a mechanism in the Routing Engine kernel). In this situation, the FPC would crash due to this rare timing issue. This issue might be avoided by the following recommended steps: 1. Deactivate the physical interface (IFD) and commit. 2. Enable any filter and policer that is attached to the interface (e.g., IFL) and commit. 3. Reactivate the interface. PR1128518

General Routing

  • In a Layer 3 wholesale configuration, DHCPv6 advertise messages might be sent out with source MAC all zeroes if the subscriber is terminated on the demux interface in a non-default routing instance. For subscribers on the default instance no such issue is observed. PR972603
  • On MX Series platforms, when an aggregated Ethernet bundle participating as an interface within bridge-domain goes down, the following syslog messages could be observed. The messages would be associated with FPC0 even if there are no link(s) from this FPC0 participating in the affected aggregate-ethernet bundle.
      mib2d[2782]: SNMP_TRAP_LINK_DOWN: ifIndex 636, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-3/3/2
      mib2d[2782]: SNMP_TRAP_LINK_DOWN: ifIndex 637, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-3/3/3
      mib2d[2782]: SNMP_TRAP_LINK_DOWN: ifIndex 740, ifAdminStatus up(1), ifOperStatus down(2), ifName ae102
      fpc0 LUCHIP(0) Congestion Detected, Active Zones f:f:f:f:f:f:f:f:f:f:f:f:f:f:f:f
      fpc0 LUCHIP(0) Congestion Detected, Active Zones 2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a
      alarmd[1600]: Alarm set: FPC color=RED, class=CHASSIS, reason=FPC 0 Major Errors
      craftd[1601]: Major alarm set, FPC 0 Major Errors
      fpc0 LUCHIP(0) Congestion Detected, Active Zones 2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a
      alarmd[1600]: Alarm cleared: FPC color=RED, class=CHASSIS, reason=FPC 0 Major Errors
      craftd[1601]: Major alarm cleared, FPC 0 Major Errors
      fpc0 LUCHIP(0): Secondary PPE 0 zone 1 timeout.
      fpc0 PPE Sync XTXN Err Trap: Count 7095, PC 10, 0x0010: trap_nexthop_return
      fpc0 PPE Thread Timeout Trap: Count 226, PC 34a, 0x034a: nh_ret_last
      fpc0 PPE PPE Stack Err Trap: Count 15, PC 366, 0x0366: add_default_layer1_overhead
      fpc0 PPE PPE HW Fault Trap: Count 10, PC 3c9, 0x03c9: bm_label_save_label
      fpc0 LUCHIP(0) RMC 0 Uninitialized EDMEM[0x3f38b5] Read (0x6db6db6d6db6db6d)
      fpc0 LUCHIP(0) RMC 1 Uninitialized EDMEM[0x394cdf] Read (0x6db6db6d6db6db6d)
      fpc0 LUCHIP(0) RMC 2 Uninitialized EDMEM[0x3d9565] Read (0x6db6db6d6db6db6d)
      fpc0 LUCHIP(0) RMC 3 Uninitialized EDMEM[0x3d81b6] Read (0x6db6db6d6db6db6d)
    These messages would be transient in nature. The discrepancy of next-hop handling that is addressed in this PR can also manifest itself in form of other issues in the system. Basically when the next hops go out of sync we are bound to see either Packet Forwarding Engine crashes/traps or Routing Engine crashes. The fix in this PR should take care of this behavior and ensure we handle the nexthops correctly to maintain the synchronization between master Routing Engine, backup Routing Engine, and all Packet Forwarding Engine peers. PR990023
  • MPC with Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC (MIC-3D-4COC3-1COC12-CE) might crash. This problem is very difficult to replicate and a preventive fix will be implemented to avoid the crash. PR1050007
  • It is observed that syslog messages related to the kernel and Packet Forwarding Engine may be generated at an excessive rate, especially in a subscriber management environment. Most of these messages may appear repeatedly; for example, more than 1.5 million messages may be recorded in 2 hours, of which only 140 are unique. These messages are worthless during normal operation, and because of the excessive rate of log generation, high Routing Engine CPU consumption by the event process (eventd) might be observed on the device. For example, Routing Engine CPU utilization can be stuck at 100% for a long time (minutes or hours), depending on the activity of subscribers (frequency of logins and logouts) and on the AI scripts used by the customer. PR1056680
  • PR1060070
  • When a labeled BGP route resolves over a route with an MPLS label (e.g., LDP/RSVP routes), after clearing the LDP/RSVP routes, in the short window before the LDP/RSVP routes are restored, if the BGP route resolves over a direct route (e.g., a one-hop LSP), the rpd process might crash. PR1063796
  • When "satop-options" is configured on an E1 with Structure-Agnostic TDM over Packet (SAToP) encapsulation, after Automatic Protection Switching (APS) switchover, some SAToP E1s on the previously protect interface (now working) start showing drops. PR1066100
  • Upon BFD flapping on aggregate interfaces, the Lookup chip (XL) might send illegal packets to the center chip (XMCHIP) and compromise packet forwarding and an FPC restart is needed to recover from this condition. If the Fabric path side is affected, the fabric healing process will initiate this process automatically to recover from such conditions. Corrupted parcels from Lookup chip LU/XL to Center Chip (XM) can also compromise packet forwarding and report DRD parcel timeout errors. An additional parcel verification check is added to prevent sending corrupted parcels to the center chip (XM) PR1067234
  • CFP2-100GBASE-ER4 is supported on MIC6-100G-CFP2/MPC6E/MPC5E from 13.3R8/14.1R6/14.2R3-S4/14.2R4-S1/14.2R5/15.1R2/15.2R1 PR1069112
  • On MX Series platforms with MS-MPC/MS-MIC, when Network Address Translation (NAT), Stateful Firewall (SFW), Traffic Detection Function (TDF), or IPsec service is configured and traffic flows, an ordered packet might miss the descriptor due to a software defect. This results in prolonged flow control: all data and control paths are blocked, and the service PIC goes down and does not come up. PR1079745
  • FPC/MIC usually performs i2c bus transactions to detect the presence/absence of SFPs. When it fails to read the SFP EEPROM due to i2c bus timing-related and/or i2c bus hang issues, the FPC crashes and the interfaces flap. The i2c bus should be held up in bad state because faulty EEPROM SFP or non-Juniper-qualified SFP might be used. PR1080566
  • The "Scheduler: Protect: Parity error for tick table single" messages might appear in MPC3E/MPC4E/MPC5E/MPC6E/T4000-FPC5. PR1083959
  • The MIB counter or "show pfe statistics traffic" shows junk PPS and an invalid total traffic output counter. PR1084515
  • TCP messages do not have their MSS adjusted by the Multiservices MIC and MPC if they do not belong to an established session. PR1084653
  • mspmand core is observed while taking ms-mic offline with IPsec and J-Flow configured on same ms-mic with dynamic IPsec tunnels. PR1086819
  • On MX Series routers with MPCs/MICs, if a rlsq interface is receiving continuous fragmented traffic, doing rlsq switchovers a couple of times might cause the FPC to crash and reboot. PR1088300
  • In a two-member MX Series Virtual Chassis (MXVC) environment, when "set virtual-chassis no-split-detection" is configured, if a split master condition occurs, caused by split events (i.e., loss of all adjacencies by link failure, FPC restarts, chassis power-down, Routing Engine reboots, etc.), then once the VCP adjacency is formed again, the current design cannot properly determine the best chassis to win the protocol mastership election. Instead, only the final election step (that is, choosing the member device with the lowest MAC address) is used to elect the master device (protocol master of the VC, or VC-M). PR1090388
  • Scuba MPC6E Temperature Intake shows as "Testing" in "show chassis environment", but "show chassis environment fpc" and "show chassis fpc detail" are OK and provide the correct Temp information.
        > show chassis hardware | match fpc
        FPC 0 REV 66 750-044130 ABDA3551 MPC6E 3D
        FPC 9 REV 31 750-031087 CADR7177 MPC Type 1 3D
        FPC 10 REV 66 750-044130 ABCZ2741 MPC6E 3D
        {master}
        > show chassis environment | match "intake |state" | match fpc
        FPC 0 Intake Testing <<<<<<<< Wrong info
        FPC 9 Intake OK 37 degrees C / 98 degrees F
        FPC 10 Intake Testing <<<<<<<< Wrong info
        {master}
        > show chassis environment fpc | match "fpc|intake|state"
        FPC 0 status:
          State Online <<<<<<<<<<<<<<<<<< Correct info
          Temperature Intake 36 degrees C / 96 degrees F
        FPC 9 status:
          State Online
          Temperature Intake 37 degrees C / 98 degrees F
        FPC 10 status:
          State Online <<<<<<<<<<<<<<<<<< Correct info
          Temperature Intake 42 degrees C / 107 degrees F
        {master}
        > show chassis fpc detail
        Slot 0 information:
          State Online
          Temperature 36 <<<<<<<<<<<<<< Correct info
          Total CPU DRAM 3584 MB
          Total XR2 518 MB
          Total DDR DRAM 49920 MB
          Start time: 2015-05-12 12:36:14 AST
          Uptime: 9 days, 1 hour, 31 minutes, 38 seconds
          Max Power Consumption 1088 Watts
        Slot 9 information:
          State Online
          Temperature 37
          Total CPU DRAM 2048 MB
          Total RLDRAM 331 MB
          Total DDR DRAM 1280 MB
          Start time: 2015-05-12 12:38:00 AST
          Uptime: 9 days, 1 hour, 29 minutes, 52 seconds
          Max Power Consumption 239 Watts
        Slot 10 information:
          State Online
          Temperature 42 <<<<<<<<<<<<<< Correct info
          Total CPU DRAM 3584 MB
          Total XR2 518 MB
          Total DDR DRAM 49920 MB
          Start time: 2015-05-12 12:36:18 AST
          Uptime: 9 days, 1 hour, 31 minutes, 34 seconds
          Max Power Consumption 1088 Watts
    PR1090671
  • Wrong diagnostic optics info might be seen for GE-LX10 SFP and SFP+ for SumitomoElectric. The issue occurs only for a specific SFP type, "Xcvr vendor part number : SCP6F44-J3-ANE", and can be seen with "show chassis pic fpc-slot X pic-slot Y".
        user@device> show chassis pic fpc-slot 0 pic-slot 0
        ..
        PIC port information:
                             Fiber                    Xcvr vendor       Wave-    Xcvr
        Port  Cable type     type  Xcvr vendor        part number       length   Firmware
        0     GIGE 1000LX10  SM    OPNEXT INC         TRF5736AALB227    1310 nm  0.0
        1     GIGE 1000LX10  SM    FINISAR CORP.      FTLF1318P2BTL-J1  1310 nm  0.0
        2     GIGE 1000LX10  SM    SumitomoElectric   SCP6F44-J3-ANE    1310 nm  0.0  <Error SFP>
    PR1091063
  • In a scaled Broadband Subscriber Management environment (in this case, 16K subscribers), when Access Node Control Protocol (ANCP) CoS adjustment is configured, the minimum rate instead of the shaping-rate might be wrongly applied to some subscribers and cause traffic loss. PR1094494
  • Because of a software problem, just after the system reboots, the rpd process determines the Routing Engine mastership mode too early, before chassisd determines the mastership, which would cause the overload feature not to work properly. PR1096073
  • Continuous error messages are seen after adding/deleting an ae child link:
        MIC: unknown option 132, ifd 305/xe-4/0/11, cmic_eth_boolean_set
        IFFPC: 'IFD Ether boolean set' (opcode 55) failed
        ifd 305; Ether boolean set error (7)
    There is no known service impact due to these messages. PR1097262
  • Occasionally, AFEB PCI reads from Cortona MIC with ATM OAM traffic might return garbage values even though the actual content in the MIC has the correct value. These corrupted values would lead to an AFEB crash, and also PCI error logs such as:
        afeb0 PCI ERROR: 0:0:0:0 Timestamp 91614 msec.
        afeb0 PCI ERROR: 0:0:0:0 (0x0006) Status : 0x00004010
        afeb0 PCI ERROR: 0:0:0:0 (0x001e) Secondary bus status : 0x00004000
        afeb0 PCI ERROR: 0:0:0:0 (0x005e) Link status : 0x00000011
        afeb0 PCI ERROR: 0:0:0:0 (0x0130) Root error status : 0x00000054
        afeb0 PCI ERROR: 0:0:0:0 (0x0134) Error source ID : 0x02580258
        afeb0 PCI ERROR: 0:2:11:0 Timestamp 91614 msec.
        afeb0 PCI ERROR: 0:2:11:0 (0x0006) Status : 0x00004010
        afeb0 PCI ERROR: 0:2:11:0 (0x004a) Device status : 0x00000004
        afeb0 PCI ERROR: 0:2:11:0 (0x0052) Link status : 0x00004001
        afeb0 PCI ERROR: 0:2:11:0 (0x0104) Uncorrectable error status : 0x00000020
        afeb0 PCI ERROR: 0:2:11:0 (0x0118) Advanced error cap & ctl : 0x000001e5
        afeb0 PCI ERROR: 0:2:11:0 (0x011c) Header log 0 : 0x00000000
        afeb0 PCI ERROR: 0:2:11:0 (0x0120) Header log 1 : 0x00000000
        afeb0 PCI ERROR: 0:2:11:0 (0x0124) Header log 2 : 0x00000000
        afeb0 PCI ERROR: 0:2:11:0 (0x0128) Header log 3 : 0x00000000
    PR1097424
  • After upgrading to Junos OS Release 14.1R1 and higher, loopback ISO family address may be stuck in KRT queue. PR1097778
  • For Junos OS Release 13.3R1 and later, the DPC card might experience a performance degradation when it's transferring bidirectional short packets (64B) in inline rate. PR1098357
  • On a Trio-based platform, when the type of the IPv6 traffic is non-TCP or non-UDP (for example, the next header field is GRE or No Next Header for IPv6), if the traffic rate is high (for instance, higher than 3.5Mpps), packet reordering may occur. PR1098776
  • When the clock sync process (clksyncd) is stopped and resumed during link flaps, the clksyncd process might get into an inconsistent state with various symptoms, and the clock source might be ineligible due to "Interface unit missing" or "Unsupported interface" with no Ethernet Synchronization Message Channel (ESMC) transmit interfaces. PR1098902
  • In an MPLS L3VPN network with a dual-homed CE router connected to different PE routers, a protection path should be configured between the CE router and an alternate PE router to protect the best path. When BFD is enabled on the BGP session between the CE and the primary PE router, with local traffic flowing from another CE connected with the primary PE to this CE, after bringing down the interface on the best path, the local repair will be triggered by the BFD session down but it might fail due to a timing issue. This will cause slow convergence and unexpected traffic drop. PR1098961
  • When BGP multipath is enabled in a Virtual Routing and Forwarding (VRF), if "auto-export" and "rib-group" are configured to leak BGP routes from this VRF table to another, for example, the default routing table, then traffic coming from the default routing instance might not be properly load balanced because the multipath-route leaked into the default routing table is not the active route. This is a random issue. As a workaround, only use "auto-export" to exchange the routes among the routing tables. PR1099496
  • On MX Series platforms, before creating a new unilist next hop, there is a check to see if at least 512k DoubleWords (DW) are free. So even if the next hop (NH) being added requires only a small amount of memory (for example, < 100 DWs), if that many DWs (that is, 512k) are not free, the check fails, and the end result is that the control plane quits adding this NH prematurely, stopping at ~80% of capacity. With the fix, it checks for 64k free DWs, which is a lower reference watermark for available resource, thereby ensuring that it can allocate the resource. PR1099753
  • On XL-based cards such as MPC5/MPC6, PPE thread timeout errors (resulting in PPE trap files) can be triggered when the FPC allocates illegal memory space for the forwarding state of router operations. In certain cases, this can result in packet loss, depending on how many packets use this forwarding state. PR1100357
  • In an abnormal session close scenario, such as pulling out a running MS-MPC, or in scaled flow environments, some garbage objects can remain due to a bug in the internal flow state machine, which would then trigger an mspmand core dump. The fix for this PR clears such problematic status objects. PR1100363
  • After Junos OS Release 13.3R1, IPCMON infra is added to debug IPCs between PFEMAN and the Routing Engine. When convergence occurs, the string processing of IPCMON takes added time, and slow convergence is seen. This is a performance issue that is visible in scaled scenarios (for example, more than 100K routes). As a workaround, execute the command "set pfe ipclog filter clear" to disable IPC logging on all FPCs. PR1100851
  • A remote attacker can cause a denial of service to the MX Series router with MPC due to maliciously crafted uBFD packets that are received directly via VPN, MPLS, multicast, broadcast, on vt-interfaces, or otherwise. This issue affects both IPv4 and IPv6 traffic in both Ethernet and non-Ethernet physical environments, such as ATM or SONET, where the crafted packet is received over physical interfaces. If processed from a DPC through to the MPC, then in-transit traffic will not be susceptible. In a 6PE scenario, if the system is not using LSI/vt, then it is not susceptible. If processed via the MPC line card, the MPC line card will be affected and will crash. If processed via endpoint receiving, the MPC line card terminating tunneling protocols such as MPLS/IPSec VPNs, etc., will be affected; this is considered an in-transit traffic scenario. This crash can happen when the crafted packet is sent directly to the lo0 interface, IP/physical interface, or IP/broadcast IPv4/IPv6 address of the physical interface. As a workaround, apply a control plane (lo0) filter to drop uBFD packets. This issue is assigned CVE-2015-7748. For more detailed information, see JSA10701. PR1102581
  • On a QFX3500 switch with nonstop active routing (NSR) enabled, deleting a routing-instance or logical-system configuration might cause a soft assert of the rpd process. If NSR is not enabled, after you delete a routing-instance or logical-system configuration, executing "restart routing" might trigger this issue, too. This issue has no functional impact. PR1102767
  • With "enhanced-ip" mode and AE interface configured, if SCU/DCU accounting is enabled, the MS-DPC might drop all traffic as regular discard. PR1103669
  • Non-queuing MPC5E and MPC6E might crash continuously if rate-limit under transmit-rate for scheduler is applied. As a workaround, do not configure rate-limit and use firewall policer for forwarding-class instead. MPC5EQ is not exposed. PR1104495
  • When using "write coredump" to invoke a live coredump on an FPC in T-series, the contents of R/SR ASIC memory (Jtree SRAM) will get dumped. If there is a parity error present in the SRAM, then the coredump will abort and the FPC will crash. As a workaround, configuring "set chassis pfe-debug flag disable-asic-sram-dump" before "write coredump" will help to avoid the issue. PR1105721
  • When an mspmand (which manages the Multiservice PIC) core dump (when mspmand crashes, it dumps a core file for analysis) is in progress in MS-MPC/MS-MIC and a GRES command is issued at the same time, the MS PIC gets stuck and has to be recovered by offlining/onlining the PIC. PR1105773
  • On MPC-3D-16XGE-SFPP line cards, when an optic (for example, 10G-LR-SFP) is disabled and then enabled administratively, if the SFP is not temperature tolerant (non-NEBS compliant), the TX laser may not be turned on because the chassis process (chassisd) may keep sending the "disable-non-nebs-optics" command to the optic if the current temperature of the FPC reaches the threshold temperature. PR1107242
  • When bridge domain in PBB-EVPN routing instance is modified to add/remove ISIDs, bridge domain can get stuck in destroyed state. This happens when ISIDs in the bridge domain are changed from 1 to many or many to 1. This is only noticed during configuration changes or initial deployment. PR1107625
  • Under an IPv6 VRRP scenario, when a host sends router solicitation messages to a VRRP virtual IPv6 address, the VRRP master replies with router advertisement messages using the physical MAC address instead of the virtual MAC, and the VRRP slave replies with router advertisement messages using the physical MAC address as well. As a result, the host has two default gateways installed and sends traffic directly to two devices but not to the VRRP virtual IP. This issue affects VRRP function and traffic. PR1108366
  • On MX Series platforms, continuous error messages might be seen on the MICs (for 10G/40G/100G MICs) from MIC3 onwards when physical interface (IFD) settings are pushed (e.g., booting the MPC). Based on the current observation, the issue may not have any operational impact. The MICs that may encounter this issue are listed as follows:
      - 10G MICs: MIC3-3D-10XGE-SFPP, MIC6-10G, MIC6-10G-OTN
      - 40G MICs: MIC3-3D-2X40GE-QSFPP
      - 100G MICs: MIC3-3D-1X100GE-CFP, MIC3-3D-1X100GE-CXP, MIC6-100G-CXP, MIC6-100G-CFP2
    PR1108769
  • Due to a software defect found in 13.3R7.3 and 14.1R5.4 inclusively, Juniper Networks strongly discourages the use of Junos software version 13.3R7.3 on routers with MQ-based MPC. This includes MX Series with MPC1, MPC2; all mid-range MX Series; and some EX9200 line cards. PR1108826
  • On MX Series routers, when using the FTP Application-level gateway (ALG), if the FTP server (in either active mode or passive mode) requests the client to use a different IP address for the control session and the data session (i.e., after the control session is established, the destination IP address of the FTP server to which the client should transfer the data is changed), the control session can be built, but the data session cannot be established due to wrong pinhole creation. The issue does not occur when the port is changed while the destination IP address stays the same. PR1111542
  • When power is removed from the MS-MPC but the Routing Engine is still online (for example, on MX960 platforms with high capacity power supplies that are split into two separate power zones, when the power zone for the MS-MPC line card loses power because the PEM that supports the MS-MPC slot is switched off), if the power comes back on (for example, the PEM is switched on), the MS-MPC might be seen as "Unresponsive" (checked via the CLI command "show chassis fpc") and might not come back online due to a failure to read memory. PR1112716
  • Under certain conditions, when the Junos OS Routing Engine tries to send an IP packet over an IPIP tunnel, the lookup might end up in an infinite loop between two IPIP tunnels. This is caused by a routing loop causing the tunnel destination for Tunnel#A to be learned through Tunnel#B and the other way round. PR1112724
  • On all Junos OS platforms, when the Junos OS Routing Engine tries to send IP traffic over a GRE tunnel, the route lookup might end up in an infinite loop between two GRE tunnels (the infinite loop is caused by a routing loop causing the tunnel destination for Tunnel A to be learned through Tunnel B and the other way round), and the kernel would crash as a result. As a workaround, the issue can be avoided by preventing the tunnel destination of a tunnel from being learned through a second tunnel (and the other way round). PR1113754
  • On ACX Series routers with Junos OS Release 12.3X54-D20 or 12.3X54-D25, Inverse multiplexing for ATM (IMA) interfaces on MIC-3D-4COC3-1COC12-CE may not come up due to "Insufficient Links FE" alarm. This is due to data corruption on the physical layer. PR1114095
  • On MX-VC with a heartbeat connection, if it is in a scaled subscribers environment, when powering down both VCM Routing Engines, there might be a delay (minutes) for the backup chassis to be master and during which time, traffic blackhole might be seen. PR1115026
  • After VC Protocol Master Switch, new VCMm could allocate STP index of 1 (which is global discarding state) to new IFDs resulting in STP status incorrectly marked to discarding on the FPCs of the current VCBm. Please note for the fix to be effective, it is required that MXVC setup is rebooted once after upgrade of all the Routing Engines of the MXVC chassis with new fixed image following normal upgrade procedure, and hence unified ISSU based upgrades are not supported. PR1115677
  • For MPC6E with CFP2, there was a race condition between the interrupt service routine and the periodic; as a result, interface up/down will not happen for laser off/on. PR1115989
  • On MX240/MX480/MX960 platforms with MS-DPC card, in some race conditions, after deactivating member interface of the aggregated multiservices (AMS) interface, the service PIC daemon (spd) might crash due to memory corruption. As a workaround, offline the member PICs before changing the AMS configuration and then online the PICs. PR1117218
  • alg-logs and pcp-logs are not supported under [edit services service-set <ss-name> syslog host local class] on the ms interface as of now. A warning message for this has been added during configuration commit. PR1118900
  • The rpd process might crash when executing the CLI command "show evpn database" with the combination of "vlan-id" and "mac-address". PR1119301
  • In a multicast environment with a pd interface (an interface on the rendezvous point (RP) that de-encapsulates packets), if GRES is executed multiple times and the GRES interval is less than 30 minutes, the routes on the master kernel are added and deleted for a short while. In rare conditions, the backup kernel will not be able to see them. So after Routing Engine switchover, the new master kernel will delete the next-hop ID for such routes, but the Packet Forwarding Engines will not see this delete message. As a result, the kernel and Packet Forwarding Engine are out of sync for that particular next-hop ID, which might trigger a reset of all the Packet Forwarding Engines. As a workaround, do the Routing Engine switchover at intervals of more than 30 minutes. PR1119836
  • On MS-MPC equipped MX Series platforms, during the "three-way handshake" process, when receiving ACKs (e.g., after sending SYN and receiving SYN/ACK) with window size 0 (as reported, it is set to 0 by the TCP client when using some proprietary protocol), the ACKs would be incorrectly dropped by the line card due to failure in the TCP check. This issue could be avoided by preventing software from dropping packets that fail the check, for example, with the CLI command below:
        re# set interfaces ms-3/0/0 services-options ignore-errors tcp
    PR1120079
  • When a router uses BFD with its ECMP neighbors and FPCs are rebooted, the FPC normally resolves ARP one by one and updates the unilist and corresponding selector. But in this case, due to a software defect, unilists remained stale and disabled, so traffic might be dropped or not be load balanced. PR1120809
  • The commit latency increases along with the number of lines under [edit system services static-subscribers group <group-name> interface]. Using ranges to create static demux interfaces is a recommended option:
        [edit system services static-subscribers group PROFILE-STATIC_INTERFACE]
        + interface demux0.10001001 upto demux0.10003000;
    PR1121876
  • ovs-vxlan: The IRB MAC address is missing in the OVS database. PR1122826
  • In multihoming EVPN scenarios where the customer-facing interface is an AE interface, after moving an interface from the EVPN instance into a VPLS instance, traffic loss might be seen on the CE-facing FPC. PR1126155
  • In an EVPN scenario, the EVPN route table between the master Routing Engine and backup Routing Engine would be different (unused garbage routes will appear) once a Routing Engine switchover (e.g., by rebooting the "old" master Routing Engine or performing a graceful Routing Engine switchover) is performed, which might cause a kernel crash on the new master Routing Engine in some cases. PR1126195
  • On MX Series platforms, the agentd daemon causes high disk (e.g., SSD) input/output activity (e.g., about 25MB/s I/O activity) because of the new SDN-telemetry feature (also known as agentd) added in Junos OS Release 14.2 onward; the fabric statistics sensor is enabled by default and updates the database every 2 seconds. The more FPCs are installed in the system, the higher the database record update rate. The CLI command "set system processes SDN-Telemetry disable" is not working and could not be used to disable the process. PR1130475
  • In the PPP environment, when a subscriber is logged out, its IFL index is freed, but in rare conditions the session database (sdb) entry is not freed. When the IFL index is assigned to a new IFL, it is still mapped to an old sdb entry, so the jpppd process might crash because of the mismatch. The issue is not really fixed; the developer just adds some debug information. PR1057610
  • In a dynamic subscriber management scenario, when executing the CLI command "show subscribers physical-interface <interface_name> count" from the master Routing Engine, the active and total subscriber counts might always be shown as zero. As a workaround, execute this command from the backup Routing Engine. PR1096348
  • FFP is a generic process that is called during the commit process, and FFP calls the PDB initialization as part of its process. On the PDB-unsupported platforms (MX Series, M10i, M120, and M320 are PDB-supported), when committing configuration, some error messages will be seen. PR1103035
  • The log "sdb_free_snapshot_handle: trying to free an already freed snapshot" appears in the messages log after upgrade to 13.3R7. This message was intended to be a trace message but was mistakenly written to the messages log. There is no impact associated with this log message. PR1116795

High Availability (HA) and Resiliency

  • On dual Routing Engine platforms with NSR enabled, when committing scaling configuration (for example, deactivating 500 IFLs and performing commit, then activating 500 IFLs and commit, the process may need to be performed 3-6 times) to the device, the master Routing Engine would be busy processing the commit, due to which the backup does not get data or keepalive from master. In this situation, the protocols (for example, OSPF, or LDP) may get down on the backup Routing Engine due to keepalives timeout. PR1078255
  • On MX Series Virtual Chassis (MX-VC) with scaled configuration, for example, 110000 DHCP and 11600 PPP subscribers, the unified in-service software upgrade (ISSU) might fail due to the management daemon (MGD) timer expiring before the field-replaceable unit (FRU) updates finish. PR1121826

Infrastructure

  • When the "show version detail" CLI command is executed, it calls a separate gstatd process with the parameter "-vvX". Because gstatd does not recognize these parameters, it runs once without any parameter and then exits. In the results of "show version detail", the following information could be seen:
        user@hostA> show version detail
        Hostname: hostA
        Model: mx960
        Junos: 13.3R6-S3
        JUNOS Base OS boot [13.3R6-S3]
        JUNOS Base OS Software Suite [13.3R6-S3]
        ..
        <snipped>
        file: illegal option -- v
        usage: gstatd [-N]
        gstatd: illegal option -- v
        usage: gstatd [-N]
        <snipped>
    At the same time, log lines like the following might be recorded in syslog:
        file: gstatd is starting.
        file: re-initializing gstatd
        mgd[14304]: UI_CHILD_START: Starting child '/usr/sbin/gstatd'
        gstatd: gstatd is starting.
        gstatd: re-initializing gstatd
        gstatd: Monitoring ad2
        gstatd: switchover enabled
        gstatd: read threshold = 1000.00
        gstatd: write threshold = 1000.00
        gstatd: sampling interval = 1
        gstatd: averaged over = 30
        mx960 mgd[14304]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/gstatd', PID 14363, status 0x4000
        mgd[14304]: UI_CHILD_EXITED: Child exited: PID 14363, status 64, command '/usr/sbin/gstatd'
    PR1078702
  • On dual Routing Engine platforms, if GRES is configured (triggered by "on-disk-failure"), when a disk I/O failure occurs on the master Routing Engine due to hardware issue (for example, SSD failure), the graceful Routing Engine switchover might not be triggered immediately after initial IO failure has been detected. As a result, Routing Engine might enter a state in which it responds to local pings and interfaces remain up, but no other processes are responding. PR1102978

Interfaces and Chassis

  • dcd will crash if targeted-distribution is applied to ge ifd via dynamic-profile. PR1054145
  • For Junos OS Release 13.3R1 or later, after multiple (e.g., 26) iterations of graceful Routing Engine switchover (GRES), the TNP address of management interface might be deleted incorrectly during switchover, which leads to all FPCs being offline. PR1060764
  • Currently the redundant logical tunnel (rlt) interface supports only a limited VLAN range (0..1023); it should support the extended VLAN range (0..4094) as the logical tunnel does. PR1085565
  • On T4000/TXP-3D platforms with HCFPCs (FPC Type-5) as source FPCs, if multiple online/offline/restart events of FRUs (FPC/SIB) happen together, for example, at system boot time/GRES time/SPMB reboot time, the FM (Fabric Manager) will process these events sequentially and be busy. If one destination FPC flaps at this time, all HCFPCs might drop traffic to this FPC. PR1087798
  • Trap messages are not logged on logical interface (ifl) after deleting the "no-traps" configuration statement, in spite of setting explicit "traps". PR1087913
  • In an MX Series Virtual Chassis (MXVC) environment, when rebooting the system or the line cards that contain all the Virtual Chassis port (VCP) links, because line cards may fail to complete the rebooting process within 5 minutes, the timer (that is, the amount of time allowed for the LCC to connect to the SCC) started by the master router may expire, which may cause VCP link establishment to fail. In addition, this issue is not specific to the line card type; based on the observation, the timer (5 min) may expire on an MX2020 with all 20 FPCs equipped as well. PR1095563
  • During failure notification state machine, CFM does not correctly transit from DEFECT CLEARING state to RESET once the error indication has been cleared. As a consequence, all the forthcoming errors will be considered post errors and will be reported right away without incurring the fngAlarmTime. This is a cosmetic problem. PR1096346
  • On the PB-2OC12-ATM2-SMIR PIC, when port 0 and port 1 are configured with the clock source as external, if loss of signal (LOS) is inserted on port 0, port 0 will go down; the expected behavior is the clock being used from port 1. But in this case, port 0 going down results in port 1 flapping and reporting SONET phase lock loop (PLL) errors. PR1098540
  • In VRRP environments, with VRRP configured over a double-tagged interface and VRRP delegate-processing enabled, the PDUs are generated with only one tag and the outer tag is not added, because of which the PDUs will get dropped at the receiving end. A configuration that may cause the issue might look as follows:
        ..
        protocols {
            vrrp {
                delegate-processing; <<<<< "delegate-processing" is enabled for VRRP
            }
        ..
        ..
        interfaces {
            xe-0/0/3 {
                flexible-vlan-tagging;
                unit 0 {
                    vlan-tags outer 2000 inner 200; <<<<< VRRP is configured over double tagged interface
                    family inet {
                        address 10.10.10.147/29 {
                            vrrp-group 17 {
                                virtual-address 10.10.10.145;
                                priority 100;
                                accept-data;
                            }
                        }
                    }
                }
            }
        }
        ..
    PR1100383
  • After configuring the related ae interface configuration, some ae interfaces might disappear in MX-VC. It seems that the ae interfaces are not properly allocated a MAC address from chassisd. This issue happens only on the first configuration after rebooting/restarting chassisd, so configuring the related ae interface configuration repeatedly does not reproduce it. When this issue happens, these messages will be found in the messages log:
        lab@router_re0> show log messages| match CHASSISD_MAC_ADDRESS_AE_ERROR
        Jun 26 16:04:34.064 router_re0 scchassisd[2008]: CHASSISD_MAC_ADDRESS_AE_ERROR: chassisd MAC address allocation error for ae4
        Jun 26 16:04:34.105 router_re0 /kernel: Jun 26 16:04:34.064 router_re0 scchassisd[2008]: CHASSISD_MAC_ADDRESS_AE_ERROR: chassisd MAC address allocation error for ae4
    To restore the ae interfaces (this is not a workaround), deactivate/activate the ae interfaces. This must be done for all ae interfaces that disappeared. PR1100731
  • The VRRP inet6 group interface does not send Router Advertisement (RA) when the interface address and virtual address are the same.
        run show ipv6 router-advertisement interface ge-0/2/0.430
        Interface: ge-0/2/0.430
          Advertisements sent: 0
          Solicits received: 0
          Advertisements received: 0
    PR1101685
  • Because the error injection rate configured by the user on a Routing Engine via the CLI command "bert-error-rate" may not be programmed in the hardware register, the PE-4CHOC3-CE-SFP, PB-4CHOC3-CE-SFP, MIC-3D-4COC3-1COC12-CE, and MIC-4COC3-1COC12-CE-H may fail to inject bit errors during a Bit Error Ratio Test (BERT). PR1102630
  • The 'optics' option will now display data for VCP ports: show interfaces diagnostics optics vcp-0/0/0. PR1106105
  • On MX240 or MX480 platforms with at least two DC modules (PN: 740-027736) equipped, when shutting down one of the PEMs and then turning it on again, even though the PEM is functioning, the "PEM Fan Fail" alarm might be observed on the device due to a software logic bug. There is no way to clear the ALARM_REASON_PS_FAN_FAIL for I2C_ID_ENH_CALYPSO_DC_PEM once it has been raised. PR1106998
  • On all Junos OS Series platforms, if the "HDD /var" slice (for example, "/dev/ad1s1f" depending on the type of Routing Engine) is not mounted (for example, label missing, file system corrupted beyond repair, HDD/SSD is removed from the boot list, etc.), the system may build an emergency "/var/"; however, no alarm or trap is generated due to the incorrect operation of the ata-controller. Although the boot messages may present the logs, they may not be sufficient to identify the issue before encountering other problems (for example, Junos OS upgrade failure and the Routing Engine may hang in a recovery shell). In addition, as a method to check where the Routing Engine is running from, a manual check could be done as follows:
        user@re0> show system storage | match " /var$"
        /dev/ad2s1f 34G 18G 13G 57% /var    <Indicates that "/var" is mounted from the HDD/SSD>
        user@re0> show system storage | match " /var$"
        <<<No output here, it means that the Routing Engine is running from "emergency /var">
    PR1112580
  • Junos OS Series now checks ifl information under the ae interface and prints only if it is part of it. PR1114110
  • Sometimes IQ2 PIC connection with kernel may drop after FEB redundancy switchover under N:1 scenario, which will cause packets to drop on this PIC. PR1120097
  • When using Ethernet OAM Connectivity Fault Management (CFM), the CFM process (CFMD) may crash in either of the following scenarios, - Scenario 1 When CFMD is restarted or GRES. There is no specific defined configuration which could cause this crash, but normally this would be seen with VPLS or Bridge domain with multiple Mesh-groups. The crash happens rarely in this scenario. - Scenario 2 When configuring 2 interfaces in the same bridge-domain (BD) or routing-instance, and both interfaces have maintenance association end point (MEP) configuration along with action-profile enabled. Also there is no maintenance association intermediate point (MIP) configuration on that BD or routing-instance. The crash might be seen with the above configurations and when one of the interfaces is flapped or deleted and then re-created. In addition, in this scenario, this issue may not happen always as this depends on the ordering of kernel event. PR1120387
  • On Junos OS platforms, an aggregateEthernet bundle having more than one member link can show incorrect speed which wouldn't match to the total aggregate bandwidth of all member links. The issue is seen when LFM is enabled on the aggregateEthernet bundle. The issue is triggered when one of the member link flaps. Although after the flap, the current master Routing Engine will show correct aggregate speed, the backup Routing Engine will report an incorrect value. In this state, when Routing Engine mastership is switched, the new master Routing Engine (which was backup) will show a value. One of the side effects of this issue is that RSVP also reflects incorrect bandwidth availability for the affected aggregateEthernet bundle, this can cause under-utilization of the link with LSP having bandwidth constraints. PR1121631
  • Since a bug which was introduced in Junos OS Release 15.1R1, loopback sub-interfaces always have a Flag down in the output of the CLI command "show interfaces". PR1123618
  • The connectivity fault management (CFM) log message "Adjacency up" should only be logged when the router first detects a remote MEP or the peer interface goes down and up causing adjacency failure for this remote MEP. Now it is wrongly logged when any peer sets/clears the Remote defect indication (RDI) bit in continuity check messages (CCMs). PR1125164
  • With incomplete cfmd configuration, for example, only MD (maintenance-domain) configured and no MA (maintenance-association) configured, or MD and MA configured but no MEP configured, an SNMP walk in the CFM MD table results in an infinite loop and the cfmd process spins at around 90% CPU. PR1129652

J-Web

  • Junos: Multiple vulnerabilities in J-Web (CVE-2016-1261); Refer to https://kb.juniper.net/JSA10723 for more information. PR1082543
  • Junos: Multiple vulnerabilities in J-Web (CVE-2016-1261); Refer to https://kb.juniper.net/JSA10723 for more information. PR1085428

Junos Fusion Provider Edge

  • On a Junos Fusion Provider Edge topology, broadcast Ethernet traffic with an unknown Ethertype might generate the following log entries: fpc0 XL[0:0]_PPE 1.xss[0] ADDR Error and fpc0 XL[0:0]_PPE 1 Errors async xtxn error. PR1123040
  • When configuring "chassis satellite-management" for the first time on the aggregation device (AD) in a Junos Fusion environment, one of the initialization steps by the satellite discovery and provisioning daemon (sdpd) may not complete due to a timing issue. This will affect software upgrade and conversion of satellite devices. To recover from this state, restart the sdpd daemon using the CLI command “restart satellite-discovery-provision-process”. PR1131762
  • On a Junos Fusion Provider Edge topology, if you configure Junos Fusion on an MX Series aggregation device, corresponding system log messages might not be received by a remote syslog server. PR1134269

Layer 2 Features

  • If equipped with both MPC/MSDPC and other types of DPCs, for local switching at mesh group level, split horizon on PW interfaces won't work and could cause packets to loop back to the same PW interface. PR1084130
  • In MX Series Virtual Chassis (MXVC) environments, when packets come from an interface (for example, xe-16/0/1.542) situated on one member of VC (for example, VC member 1), if the ingress Packet Forwarding Engine (for example, FPC16 PFE0, which runs hash to determine which interface it should send the packet to) decides that it should send the packet via another interface (for example, xe-4/0/1.670) situated on a different member (for example, VC member 0), it will send the frame to member 0 via the vcp- intf. If xe-4/0/1.670 belongs to an AE bundle which has multiple child links, a hash needs to be run on the Packet Forwarding Engine carrying the VCP port (receiving side on member 0) to determine which one is the egress Packet Forwarding Engine within member 0 to send the packet out after vcp- intf gets the packet. This hash should get the same result as the ingress Packet Forwarding Engine. If it does not, the packet is dropped on the Packet Forwarding Engine on member 0. PR1097973
  • In a scenario where BGP-based VPLS is stitched with L2circuit, with "pseudowire-status-tlv" configured under the L2circuit's mesh-group, if the L2circuit neighbor doesn't configure "pseudowire-status-tlv", then the status of "Negotiated PW status TLV" of the VPLS connection is "NO", and the BGP-based VPLS connection cannot come up even though the L2circuit is up, because the check of neighbor state may be incorrectly based on the presence of the configuration statement. PR1108208

Layer 2 Ethernet Services

  • With scaled subscribers connected, restarting one of MPCs might cause subscribers to be unable to log in for about 2 mins. PR1099237
  • V44 defines the next generation of Juniper Fabric using MX Series as the aggregation device (AD) and EX4300/QFX5100s as the Satellite Devices (SD). When V44 port extension is in use, after switching from Master to Backup Routing Engine, the ppman daemon on the SDs may crash and not be restarted. The aggregated Ethernet (ae) bundle over v44 extended ports does not come up. PR1101266
  • On MX Series platforms with Dynamic Host Configuration Protocol (DHCP) maintain subscriber feature enabled, after rebooting the FPC that hosts the Demux underlying interfaces, the next-hop for some DHCP subscribers might be marked as dead in the forwarding table. When this issue occurs, execute the CLI command "clear dhcp server binding <address>" to restore. PR1118421
  • For PVSTP/VSTP protocols, when an MX Series router inter-operates with a Cisco device, due to the incompatible BPDU format (there are additional 8 bytes after the required PVID TLV in the BPDU for the Cisco device), the MX Series might drop these BPDUs. PR1120688
  • In a scenario where DHCP relay is used along with Virtual Extensible Local Area Network (VXLAN), if a DHCP discover packet is received with the broadcast bit set via a VXLAN interface on the MX Series platform (which is acting as DHCP relay), the OFFER back from the DHCP server will not be forwarded back to the client over the VXLAN interface. Unicast offers (that is, DHCP offer packet with unicast bit set) over VXLAN and both broadcast and unicast offers over native VLAN interfaces work fine. PR1126909
  • In some rare scenarios, the MVRP PDU might be unable to be transmitted, which could cause a memory leak in the Layer 2 control plane daemon (l2cpd) and finally result in an l2cpd process crash. PR1127146

Multiprotocol Label Switching (MPLS)

  • In Resource Reservation Protocol (RSVP) environments, if CoS-Based Forwarding (CBF) per LSP (which filters out traffic not related to that LSP) is configured, and either fast-reroute or link-protection is used on the device, when the primary link is down (for example, turning off the laser of the link), some next hops of the traffic may be deleted or reassigned to a different class of traffic, the RSVP local repair may fail to process more than 200 LSPs at one time, and the traffic may get dropped by the filter on the device before the new next hop is installed. In this situation, the feature (fast reroute or link protection) may take longer (for example, 1.5 seconds) to function and traffic loss might be seen in the meantime. In addition, the issue may not be seen if CBF per LSP is not configured on the device. PR1048109
  • Junk characters are being displayed in output of “show connections extensive” command. PR1081678
  • When an LSP is link-protected and has no-local-reversion configured, if the primary link (link1) is down and the LSP is on bypass (link2), and then another link (link3) is brought up, if link1 is enabled and link3 is disabled before the LSP switches to link3, the LSP will get stuck in bypass LSP forever. This is a timing issue. PR1091774
  • If LDP is enabled via the 'protocols ldp' configuration option on a device running Junos OS, receipt of a spoofed, crafted LDP packet may cause the RPD routing process to crash and restart. Refer to JSA10715 for more information. PR1096835
  • On dual Routing Engine platforms with GRES, the kernel synchronization process (ksyncd) may crash on the backup Routing Engine when adding a route pointing to indirect next hop on the system. PR1102724
  • In Junos OS Release 13.2R1 and later, in an MPLS L3VPN scenario, when the "l3vpn-composite-nexthop" configuration statement is enabled on a PE router and an interface style service set is attached to the ingress interface, the L3VPN packets with the MPLS labels will be sent to the service card and dropped. As a workaround, disable "l3vpn-composite-nexthop". PR1109948
  • If "optimize-timer" is configured under P2MP branch LSP, this branch LSP will not be re-established if the link flaps on egress node. If "optimize-timer" is configured at the protocols/mpls level, this issue could be avoided. PR1113634
  • For an MPLS L3VPN using LDP-signaled LSPs, in a rare race condition (e.g., large-scale environment or Routing Engine CPU utilization is high), the rpd process might crash after an LDP neighbor goes down. PR1115004
  • On MX Series routers with FPC, when MPLS-labeled fragmented IPv6 packets arrive at the PE router (usually seen in 6PE and 6VPE scenarios), the Packet Forwarding Engine might mistakenly detect such IPv6 headers and then drop these packets as "L3 incompletes" in the output of "show interface extensive". PR1117064
  • When multipoint LDP (M-LDP) in-band signaling is enabled to carry multicast traffic across an existing IP/MPLS backbone and routing process is enabled to use 64-bit mode, the rpd might crash due to accessing uninitialized local variables. PR1118459

Network Management and Monitoring

  • The SNMPv3 message header has a 4-byte msgID field, which should be in the range (0..2147483647). When the snmpd process has been running for a long time, the msgID might cross the RFC-defined range and cause Net-SNMP errors, "Received bad msgID". PR1123832
  • In Junos OS Release 14.1R1, SNMP informs are not sent out to the network management system (NMS) when significant events occur on a device running Junos OS. As a workaround, we can configure a dummy trap-group. PR1127734

Platform and Infrastructure

  • On MX Series-based line cards, when GRE keepalive packets are received on a Packet Forwarding Engine that is different from the one hosting the tunnel interface, the firewall filter configured on the default instance loopback interface is applied to the keepalive message. PR934654
  • A bad UDP checksum is shown for incoming DHCPv6 packets in the monitor traffic interface output. The UDP packet processing is normal; this is a monitor traffic issue, as the system decodes checksum=0000. PR948058
  • In the dual Routing Engines scenario with NSR configuration, the configuration statement "groups re0 interfaces fxp0 unit 0" is configured. If you disable interface fxp0, the backup Routing Engine is unable to proceed with commit processing because SIGHUP is not received, and the rpd process on the backup Routing Engine might crash. PR974430
  • Junos: Multiple vulnerabilities in cURL and libcurl; Refer to https://kb.juniper.net/JSA10743 for more information. PR1068204
  • On Trio-based platforms, when the configuration of AE interfaces is deleted or deactivated, the FPC might crash due to dereferencing a NULL logical interface pointer. PR1069411
  • Junos: Manipulating TCP timestamps can lead to resource exhaustion denial of service (CVE-2016-1269); Refer to https://kb.juniper.net/JSA10736 for more information. PR1073571
  • On MX Series-based platforms, when learning the MAC address from the pseudo-IFL (for example, label-switched interface), if the MAC address is aged out in the source FPC where the MAC got learned, due to the delay (around 2 to 3 milliseconds) of MAC address deleting message processed in the source FPC and the egress FPC (destination FPC of the traffic), the MAC address might be deleted first from the egress Packet Forwarding Engine but get added again during these 2-3 millisecond time intervals. (As there is continuous traffic coming on the egress FPC destined to this MAC, the MAC query is generated and sent to the Routing Engine and source FPC. Since the source FPC has not yet processed the MAC-deleted message, it sends the response, so stale MAC will get added on the egress Packet Forwarding Engine.) In this situation, no L2 flooding would occur for the "unknown" unicast (since the MAC address is present on the egress Packet Forwarding Engine). PR1081881
  • If there are scaling unicast routes (e.g., 500k) in NG-MVPN VRF, and the provider-tunnel is PIM, when PIM on PE has multiple upstream neighbors and any of them could be its rpf neighbor, performing GRES/NSR Routing Engine switchover might cause multicast traffic loss due to the different view of the rpf neighbor between the master Routing Engine and the slave Routing Engine. PR1087795
  • This issue is specific to 64-bit rpd and to config-groups wildcard configuration, as in the following case:
      set groups TEST routing-instances <*> routing-options multicast forwarding-cache family inet threshold suppress 200
      set routing-instances vrf1 apply-groups TEST
      set routing-instances vrf1 routing-options multicast forwarding-cache family inet threshold suppress 600
    With this configuration, the daemon (rpd) reads the suppress value "200" (that is, the one coming from groups) instead of the value "600" from the foreground, and the customer sees unexpected behavior with respect to threshold-suppress. Workaround: Replace the wildcard with the actual routing-instance name, as in this example:
      set groups TEST routing-instances vrf1 routing-options multicast forwarding-cache family inet threshold suppress 200
      set routing-instances vrf1 apply-groups TEST
      set routing-instances vrf1 routing-options multicast forwarding-cache family inet threshold suppress 600
    PR1089994
  • On MX Series routers, if ifl (logical interface) is configured with VID of 0 and parent ifd (physical interface) with native-vlan-id of 0, when sending L2 traffic received on the ifl to the Routing Engine, the VID 0 will not be imposed, causing the frames to get dropped at the Routing Engine. PR1090718
  • When a P2MP LSP is added or deleted at ingress LSR, traffic loss is seen to the existing sub-LSP(s) at the transit LSR which replicates and forwards packet to egress PEs. This issue only affects Junos OS-based line cards with MPCs/MICs. PR1097806
  • The "shared-bandwidth-policer" configuration statement is used to enable configuration of interface-specific policers applied on an aggregated Ethernet bundle to match the effective bandwidth and burst-size to user-configured values. This feature is broken from Junos Release 14.1R1 when "enhanced-ip" is configured on MX Series platforms with pure MPCs/MICs-based line cards. The bandwidth/burst-size of policers attached to aggregated Ethernet interfaces are not dynamically updated upon member link flaps. PR1098486
  • When BFD or VRRP is running on a multi LU (lookup chip) Packet Forwarding Engine (such as MPC3 or MPC4), some incoming BFD or VRRP packets might be incorrectly evaluated by a firewall filter configured on a loopback interface of a different logical system or routing instance. Therefore, packets might be unexpectedly discarded, leading to session/mastership flaps. PR1099608
  • From Junos Release 14.1 and above, IPv6 mobility packets with the Heartbeat option in which the length of the mobility header (including the Ethernet encapsulation and main IPv6 header) extends beyond 128 bytes will be discarded as bad IPv6 option packets due to a logic error in packet handling. PR1100442
  • When large-scale inline BFD sessions (in this case, 6000 inline BFD sessions) are loaded with the minimum-interval value 50 ms, if the FPC restarts, some BFD sessions might flap. PR1102116
  • On an MPC3E or MPC4E or on an EX9200-2C-8XS line card, when the flow-detection feature is enabled under the [edit system ddos-protection] hierarchy, if suspicious control flows are received, two issues might occur on the device. Issue 1: Sometimes, the suspicious control flow might not be detected on the MPC or line cards. Issue 2: Once the suspicious control flows are detected, they might never time out even if traffic flows no longer violate control parameters. PR1102997
  • The following fields have been added to v10 Sampling (IPFIX) template and data packets:
      - SAMPLING RATE
      - SAMPLING INACTIVE TIMEOUT
      - SAMPLING ACTIVE TIMEOUT
      - TOTAL PACKETS EXPORTED
      - TOTAL FLOWS EXPORTED
    PR1103251
  • On T4000 platform equipped with FPC Type-5, after performing unified ISSU, due to the fact that only 6 out of 16 temperature sensors may get initialized, the temperature reading for the line card may be shown as "Absent". PR1104240
  • Any configuration or logical interface (IFL) change will introduce a 160-bytes (20 bytes) memory leak on MPC heap memory when any type of inline sampling is configured (ipfix or version 9). The only trigger of the issue is the configuration of inline sampling, even without traffic being sampled. The leak is more evident in a subscriber management scenario when there are many IFL additions/deletions. Rebooting the MPC in a controlled maintenance window is the only way to restore memory. PR1105644
  • When "shared-bandwidth-policer" is configured with aggregate Ethernet (AE) and has more than one member link on the same Packet Forwarding Engine and the policer is configured with the "physical-interface-policer" configuration statement, if reconfiguration occurs (for example, adding/deleting new logical units, logical interface flap...), the Packet Forwarding Engine may program the wrong policer during this reconfiguration process, which could ultimately lead to unexpected packet drop/loss within the referenced wrong shared policer. PR1106654
  • When a filter with a policer is referenced by multiple IFLs of the same interface (A), with traffic coming into that interface A and going out from another interface B, whenever the policer is updated (for example, by deactivating and activating interface A, or by adding/deleting AE legs when A is an AE interface and shared-bandwidth-policer is configured), counter statistics might be seen for the counter that is placed in the ingress direction of interface C, even though interface C is an unrelated interface that is not in the traffic path. An FPC core dump and the FPC going offline might also be seen. PR1106887
  • When a common scheduler is shared by multiple scheduler maps which apply to different VLANs of an aggregated Ethernet (AE) interface, if the configuration statement "member-link-scheduler" is configured at "scale", for some VLANs, the scheduler parameters are wrongly scaled among AE member links. As a workaround, we should explicitly configure different schedulers under the scheduler maps. PR1107013
  • CVE-2015-5477 A vulnerability in ISC BIND's handling of queries for TKEY records may allow remote attackers to terminate the daemon process on an assertion failure. See http://kb.juniper.net/JSA10718. PR1108761
  • The DHCP End option (option 255) is omitted by the DHCP-relay agent (where 20 bytes of DHCP option 82 are inserted) for a client DHCP discover message with 19 bytes of padding. PR1110939
  • An IPv4 filter configured to use the filter block with a term that has both "from precedence" and another non-5-tuple condition (i.e., not port, protocol, address) will cause an XL/EA-based board to reboot. Example:
      set firewall family inet filter FILTER fast-filter-lookup
      set firewall family inet filter FILTER term TERM from precedence PRECEDENCE
      set firewall family inet filter FILTER term TERM from tcp-established
    PR1112047
  • When inline BFD sessions and inline J-Flow are configured on the same Packet Forwarding Engine, as the number of active flows increases (to about 65k), the BFD session might flap constantly and randomly due to the outgoing BFD packets being dropped. PR1116886
  • When inline static NAT translation is used, if two rules defined in two service sets point to the same source-prefix or destination-prefix, changing the prefix of one of the rules and then rolling back the change does not change all the pools back correctly. PR1117197
  • On Junos OS-based line cards with MPCs/MICs, the firewall filter may have some issues when matching on Authentication Header (AH) protocol. This can affect VRRP (among others) when authentication is used, and a Routing Engine (RE) firewall filter is matching on protocol AH. As a workaround, we can change the filter to match on other criteria (e.g., source or destination address). PR1118824
  • Tnetd is a daemon used for internal communication between different components such as the Routing Engine (RE) and Packet Forwarding Engines. It is used mainly to initialize the right server for rsh, rcp, rlogin, tftp, or bootp clients. It might crash occasionally due to the tnetd process not handling signals properly. PR1119168
  • When the AC Single Phase Power Distribution Module (PDM) is installed on an MX2010 or MX2020 router running Junos OS Release 14.1 or 14.2, the system does not recognize the FRU and alarms are triggered as a result. PR1121068
  • After an outer vlan-tags value is changed, the ifl is programmed with an incorrect STP state (discarding), so the traffic is dropped. PR1121564
  • With "fast-synchronize" configured, after you add a new configuration-group that has configuration relevant to the rpd process, apply it, and commit, any subsequent configuration commit might cause the rpd process on the backup Routing Engine (RE) to crash. Reboot the backup Routing Engine to restore. PR1122057
  • On Junos OS-based line cards with MPCs/MICs, a GRE over IPv6 packet with Layer 4 length less than 8 bytes is discarded with the reason "L4 len too short". PR1126752
  • On MX Series platforms, when fragmented packets go through inline NAT (including source NAT, destination NAT, and twice NAT), the TCP/UDP checksum is not correctly updated. In this situation, a checksum error occurs on the remote end (inside and outside device). Non-fragmented packets are not affected by the issue. If possible, this issue can be avoided by either of the following workarounds:
      * Enable "ignore-TCP/UDP-Checksum errors" at the inside or outside device which processes TCP/UDP data, or
      * Make sure that no fragments are subjected to inline NAT functionality by appropriate MTU adjustment or setting.
    PR1128671
  • Parity error at ucode location which has instruction init_xtxn_fields_drop_or_clip will lead to a LU Wedge. LU is lookup ASIC inside the Trio. The LU wedge will cause the fabric self ping to fail which will lead to a FPC reset. This is a transient HW fault, which will be repaired after the FPC reset. There is no RMA needed unless the same location continues to fail multiple times. PR1129500
  • On Junos OS devices running with DHCP Relay configuration but without accounting config, and the accounting license does not exist, when the first DHCP control traffic is received, the following subscriber-accounting license grace period alarms might be triggered:
      alarmd[1650]: Alarm set: License color=YELLOW, class=CHASSIS, reason=License grace period for feature subscriber-accounting(30) is about to expire
      craftd[1592]: Minor alarm set, License grace period for feature subscriber-accounting(30) is about to expire.
    PR1129552

Routing Policy and Firewall Filters

  • On M7i/M10i with enhanced CFEB, M320 with E3-FPC, M120, and MX Series with DPC, when the flood filter is configured in a VPLS instance on the Packet Forwarding Engine, if the Packet Forwarding Engine receives a filter change (for example, an FPC reboots and comes up), the line card may fail to program the filter. PR1099257

Routing Protocols

  • Support for the Pragmatic General Multicast protocol (daemon pgmd) is being phased out from Junos. In Junos OS Release 14.2, the CLI is now hidden (although the component is still there and configurable). In Junos OS Release 15.1, the code and its corresponding CLI are removed. PR936723
  • For FEC 129 VPLS (also known as LDP VPLS with BGP-based autodiscovery), if abandoned VRF and VPLS instances are left after all of the other pieces of configuration are removed, and the BGP protocol is deactivated in the master instance, the rpd process might crash continuously when committing a new configuration. As a workaround, remove all the unused VRF and VPLS instances. PR1006689
  • In Junos OS Release 14.1R1 or later, the rpd process might crash while executing CLI command "show isis backup spf results". PR1037114
  • During NSR switchover, inline BFD transmit entries might take a long time to replicate to the backup RE, and BFD may flap. PR1063303
  • When a multicast group in protocol independent multicast (PIM) dense mode has a large number of multicast sources, the RPD process can crash after a Routing Engine switchover. PR1069805
  • There are two issues in the PR: (1) In multicast environments, the incoming interface (IIF) list has only the RPF interface; designated forwarder (DF) winners are not added to the list on the backup Routing Engine. (2) "Number of downstream interfaces" in “show pim join extensive” does not account for the pseudo-VXLAN interface. PR1082362
  • If the command to trace ppm is issued from the FPC shell and a malformed incoming packet (required to be handled by PPM) is in the buffer, the FPC may crash. An example of such a malformed packet would be a multihop BFD packet with an incorrect length (larger than normal). PR1082878
  • On large-scale BGP RIB, the advertised-prefixes counter might show the wrong value due to a timing issue. PR1084125
  • In BGP environments, when configuring a RIB copy of routes from the primary routing table to a secondary routing table (for example, by using the CLI command "import-rib [ inet.0 XX.inet.0]"), if the secondary routing table's instance is of type "forwarding", the BGP routes in the secondary routing table may get deleted and not correctly re-created, so the routes may be gone on every commit (even a commit of unrelated changes). As a workaround, to re-create the BGP routes in the secondary routing table, use the CLI command "commit full" to make configuration changes. PR1093317
  • When route convergence occurs, the new gateway address is not updated correctly in the inline-jflow route-record table (the route-record table is used by sampling), and the sampling traffic forwarding might be affected, but normal routing is not affected. PR1097408
  • Due to a software bug, Junos OS cannot purge a so-called doppelganger LSP if such an LSP is received over a newly formed adjacency shortly after receiving CSNP from the same neighbor. PR1100756
  • When polling SNMP OID isisPacketCounterTable 1.3.6.1.2.1.138.1.5.3, the rpd process might crash. PR1101080
  • When the ISIS configuration is removed, the ISIS LSDB contents get flushed. If an SPF execution runs during this deletion process and tries to access the data structures a fraction of a second after their content is freed, a routing protocol process (rpd) crash occurs. PR1103631
  • A vulnerability in OpenSSH may allow a remote network-based attacker to effectively bypass restrictions on the number of authentication attempts, as defined by MaxAuthTries settings on Junos OS. This may enable brute force password attacks to gain access to the device. Background: The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. It is used not only in the base system, but also by a large number of third-party applications. Various authentication methods (UNIX, LDAP, Kerberos, etc.) are implemented in modules which are loaded and executed according to predefined, named policies. These policies are defined in /etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf, or /usr/local/etc/pam.d/<policy name>. The PAM API is a de facto industry standard which has been implemented by several parties. FreeBSD uses the OpenPAM implementation. This issue is assigned CVE-2015-5600. Refer to JSA10697 (http://kb.juniper.net/JSA10697) for more information. PR1106752
  • When the Multicast Source Discovery Protocol (MSDP) is used, if the RP itself is the First-Hop Router (FHR) (i.e., source is local), the MSDP source active (SA) messages are not getting advertised by the RP to MSDP peers after reverse-path forwarding (RPF) change (e.g., the RPF interface is changed). PR1115494
  • When a logical unit of an interface is associated with a Bidirectional Forwarding Detection (BFD) session, if you change the unit number of the interface (for example, change the unit number for a running BFD session from ge-1/0/0.2071 to ge-1/0/0.285), the device may fail to change the name because of a missing check for a logical interface (IFL) index change. PR1118002
  • On dual Routing Engine platform, with nonstop active routing (NSR) and authentication of the Bidirectional Forwarding Detection (BFD) session enabled, BFD process (bfdd) memory leak may occur on the master Routing Engine and the process may crash periodically once it hits the memory limit (RLIMIT_DATA). The problem does not depend on the scale, but the leak will speed up with more BFD sessions (for instance 50 sessions). As a workaround, if possible, disabling BFD authentication will stop the leak. PR1127367
  • When protocol MSDP is configured and then deleted, the NSR sync status for MSDP might be stuck in "NotStarted", and ISSU might fail on the master Routing Engine with reason "CHASSISD_ISSU_ERROR: Daemon ISSU Abort -1(NSR sync not complete: MSDP)". PR1129003
  • Deleting mvpn configuration from routing instance "delete routing-instances <instance-name> protocols mvpn" might cause routing daemon on master Routing Engine to crash. PR1141265

Services Applications

  • When an MX Series router configured as an LNS sends an Access-Request message to RADIUS for an LNS subscriber, the LNS now includes the Called-Station-ID-Attribute when it receives AVP 21 in the ICRQ message from the LAC. PR790035
  • In the L2TP scenario with dual Routing Engines, after the subscriber management infrastructure daemon (smid) is restarted, because the delete notification to the backup Routing Engine might be lost, the subscriber database (SDB) information does not synchronize between the master Routing Engine and the standby Routing Engine. After a Routing Engine switchover is executed, the Layer 2 Tunneling Protocol daemon (jl2tpd) might crash, and new L2TP subscribers are unable to dial. PR968947
  • On an L2TP access concentrator (LAC) device with more than 8K L2TP sessions up, if you execute the command "clear services l2tp session all" and then stop the command by using ctrl-C, the Layer 2 Tunneling Protocol process (jl2tpd) might crash. PR1009679
  • When jnxNatSrcNumPortInuse is polled via SNMP MIB get, it might not be displayed correctly. PR1100696
  • In Junos OS Release 13.3 and later, when configuring a /31 subnet address under a NAT pool, the adaptive services daemon (SPD) will continuously crash. PR1103237
  • SIP calls have one-way audio when using the X-Lite SIP Softphone, if the SIP media is switched to another media gateway through a SIP re-INVITE message. PR1112307
  • In a CGNAT environment, when a service PIC is in heavy load continuously, there might be a thread yielding loop in CPUs, which will cause the CPU utilization to be high, and might cause one of the CPUs to be reset. PR1115277
  • In a CGNAT scenario, when simultaneous TCP connections are established, a timer needs to be installed for each TCP connection/flow. Due to this bug, two timers were created, one for the forward flow and one for the reverse flow. Ideally there needs to be only one timer for both the forward and reverse flow. Whenever the session was deleted due to timer expiry, the PIC crashed when the code tried to delete the same flow again. PR1116800

Software Installation and Upgrade

  • Add the "on <host>" argument to "request system software validate" to allow validation on a remote host/Routing Engine running Junos OS. PR1066150
  • In certain conditions, when /var is not mounted from a persistent filesystem, executing a Junos OS upgrade will have unexpected results. This is caused by an inexact check of whether it is running from an Emergency VAR. PR1112334

Subscriber Access Management

  • In a scaled DHCP subscriber environment, the authd process might crash and generate a core file after clearing DHCP binding or logging out subscribers. PR1094674
  • In a subscriber management environment, the authentication process (authd) may crash. This issue has not been reproduced yet. It might be seen when a CLI Change of Authorization (CoA) request is generated (for example, via the CLI command "request network-access aaa subscriber add service-profile filter-service session-id 10") and the subscriber (the one with the service just activated) is then logged out; if the management CLI session is closed before the subscriber entry is reused, the crash may occur. PR1127362

VPNs

  • In NG-MVPN spt-only mode with a PE router acting as the rendezvous point (RP), if there are only local receivers, the unnecessary multicast traffic continuously goes to this RP and is dropped though it is not in the shortest-path tree (SPT) path from source to receiver. PR1087948
  • In a scenario involving pseudowire redundancy with the CE-facing interface in the backup neighbor (can be non-standby, standby, or hot-standby type), if the virtual circuit (VC) is not present for the CE-facing interface, the CE-facing interface may go up after committing an unrelated VC interface configuration (e.g., changing description of another VC interface) even though the local pseudowire status is in a down state. PR1101886
  • In an L2VPN or VPLS scenario with Junos OS Release 14.2R4, after executing some negative operations, e.g., deactivate/activate BGP and IGP, or restart FPCs, the rpd process might crash due to a NULL pointer access in code. PR1104472
  • In Internet multicast over an MPLS network by using next-generation Layer 3 VPN multicast (NG-MVPN) environment, when rib-groups are configured to use inet.2 as RPF rib for a Global Table Multicast (GTM, internet multicast) instance, the ingress PE may fail to add P-tunnel as downstream even after receiving BGP type-7 routes. In addition, this issue only affects GTM. PR1104676
  • In Global Table Multicast (GTM) scenario (instance-type mpls-internet-multicast), when the GTM instance and master instance are used, if the name of the GTM instance is changed, the routing protocol process (rpd) may crash due to the usage of the incorrect routing table handle. PR1113461

Resolved Issues: 14.2R4

Class of Service (CoS)

  • In SNMP environments, when performing multiple walks or parallel snmpget for the same interface at the same time (for example, SNMP bulk get/walk, or SNMP polling from multiple devices) on CoS-related MIBs (jnxCos table), if the interface state changes or the request gets timed out when the FPC is responding to the request, a memory leak of Class-of-Service process (cosd) about 160 bytes (up to 1500 bytes) may occur, which may cause cosd to crash eventually when the limit is exceeded. PR1058915
  • Starting in Junos OS Release 12.3R1, on MX Series platform configured for IP network-services (default) and with MS-DPC/Tunnel-Interface, virtual-tunnel (vt) interfaces are created automatically to support ultimate-hop-popping upon enabling "protocol rsvp". These interfaces are associated with default IP and MPLS classifiers along with MPLS re-write rule. When "protocol rsvp" is disabled/enabled or MS-DPC/FPC (with tunnel-service) restarts, the vt interfaces are deleted and re-added to the system. However, during the deletion, these interfaces are not getting released from the cosd process and this leads to a memory hold in cosd. PR1071349
  • On MX Series platforms, when an aggregated Ethernet (AE) interface is in link aggregation group (LAG) Enhanced mode, after deactivating and then activating one child link of the LAG, the feature that runs on the AE interface rather than on the child link (for example, IEEE-802.1ad rewrite rule) may fail to be executed. PR1080448
  • Restarting chassisd or performing a unified in-service software upgrade from Release 13.2R8.2 to 13.3R7.3 results in the following messages in the syslog: cosd_remove_ae_ifl_from_snmp_db ae40.0 error 2. These messages appear to be harmless with no functionality impact. PR1093090
  • When performing the RE switchover without GRES enabled, due to the fact that the Class-of-Service process (cosd) may fail to delete the traffic control profile state attached to logical interface (IFL) index, the traffic-control-profile may not get programmed after the ifl index is reused by another interface. PR1099618

Forwarding and Sampling

  • On MX Series router with MPCs/MICs, when deleting a firewall filter and the routing instance it is attached to, in some race conditions, the filter might not be deleted and remains in resolved state indefinitely. PR937258
  • The issue is seen while moving an interface from one mesh group to another. PR1077432
  • In some rare cases, SNMP might get Output bytes of Local statistics instead of the Traffic statistics when retrieving Output bytes of Traffic statistics on a logical interface. PR1083246
  • In rare cases, SSH or telnet traffic might hit incorrect filter related to SCU (Source Class Usage) due to the defect in kernel filter match; this issue comes when the filter has match condition on source class ID. PR1089382
  • In rare cases, MX Series routers might crash while committing inline sampling-related configuration for INET6 family only. PR1091435
  • In a PTX Series Carrier-Grade Service Engine (CSE) jflow solution environment, the sampling process (sampled) may get into a continuous loop when handling an asynchronous event (for example, aggregated tethered services interface flapping, or route update, or IFL/IFD update). The sampled process may never come out of that loop, which may result in high CPU usage (up to 90% sometimes). Because sampled is then not able to consume any states (such as route updates, interface updates) generated by the kernel, memory is exhausted, finally resulting in the router not making any updates and forcing a router reboot. PR1092684

General Routing

  • Changing the static route configuration from next-hop to qualified-next-hop might result in the static route missing from the routing table. Restarting the routing process can bring back the routes, but the rpd will crash. PR827727
  • On dual Routing Engine platforms, after performing unified graceful Routing Engine switchover (GRES) with 8K subscribers, the ksyncd process may crash due to the replication error on a next-hop change operation. The issue is hit when there's a memory pressure condition on the Routing Engine and in that case, it may lead to null pointer de-reference and ksyncd crash. Or in some cases, the kernel on the new master Routing Engine might crash after Routing Engine switchover if the Engine is under memory pressure due to missing null check when trying to add a next hop and the next hop is not found at the time. PR942524
  • Optics lane#3 and lane#4 TX, RX power alarm data was ignored but the lane#1 and lane#2 data was used for lane#3 and lane#4, respectively. This causes incorrect/false alarm on lane#3 and lane#4. PR1001670
  • When there are no services configured, datapath-traced daemon is not running. In the PIC, the plugin continues to try for the connection and continuous connection failure logs are seen. PR1003714
  • On MPC5, MPC6, MIC6-10G, and MIC6-100G line cards, in order to increase the resiliency of the system, changes have been made to monitor board voltage levels and ASIC currents periodically against the expected values, and update current threshold values as per updated values provided by HW group. PR1004431
  • Link flapping might cause data traffic corruption. On T-series platforms running Junos OS 12.3R7, 13.1R4, 13.2R4-S1, 13.2R5, 13.3R2, 14.1R1, and later releases and with an FPC1/2/3/4-ES line card installed, in rare cases, link flapping might lead to "IP - Pkt Len Mismatch error" followed by FPC reboot. PR1013522
  • SNMP MIB walk of object "jnxSpSvcSet" gives hardcoded value as "EXT-PKG" for SvcType. PR1017017
  • With Multiservices MPCs (MS-MPCs) or Multiservices MICs (MS-MICs) installed on MX Series platforms, when trying to view the Network Address Translation (NAT) mappings for address pooling paired (APP) and/or Endpoint Independent Mapping (EIM) from a particular private or a public IP address, all the mappings will be displayed. PR1019739
  • On the Type 5 PIC, when the "hold-time down" of the interface is configured less than 2 seconds and the loss of signal (LOS) is set and cleared repeatedly in a short period (for example, performing ring path switchover within 50 ms), the "hold-time down" may fail to keep the interface in "up" state within the configured time period. PR1032272
  • On a Virtual Chassis topology with SNMP enabled, the system might not send SNMP traps (jnxVccpPortUp/jnxVccpPortDown) when VCP up/down events occur. PR1033723
  • In an MX Series Virtual Chassis (MXVC) environment, if the VC-ports are configured on MPC2E-3D-NG, MPC2E-3D-NG-Q, MPC3E-3D-NG, and MPC3E-3D-NG-Q line cards for which the corresponding Junos OS continuity package is installed (Junos OS Continuity package is a feature that allows new hardware to be deployed on already shipping releases), the Virtual Chassis Port (VCP) ports oscillate and the MPC crashes. MPC2E-3D-NG, MPC2E-3D-NG-Q, MPC3E-3D-NG, and MPC3E-3D-NG-Q line cards are not supported on MX-VC in Junos OS Release 14.2R3. PR1034420
  • FX SFP is supported on 20x1Ge -E/-EH MICs in this release. PR1038923
  • Queue stats on LSQ interfaces are not properly cleaned up when queuing is enabled on the IFD and the queues hosted at IFD level. This happens with a subsequent delete and create of LSQ interface (not always though) - 14.1R4.10. PR1044340
  • The following message is generated every 5 seconds in MX104 on 14.2R1~R3 and 15.1R1: xxx chassisd[1362]: Cannot read hw.chassis.startup_time: No such file or directory .. PR1049015
  • On all Junos based platforms, there are two different types of memory blocks that might be leaked. The first issue is rpd-trace memory block leak. There is one block each for any trace files opened for rpd. They could be leaked for each time a configuration commit is done. Around 40 bytes are leaked per operation. The issue does not occur in Junos OS Release prior to 14.1. The second issue is rt_parse_memory block leak which could happen during the configuration of aggregate routes, configuration information might not be freed. Around 16384 bytes are leaked per operation. This issue is a day-1 issue. PR1052614
  • As a precautionary measure, a periodic sanity check is added to the FPC situated on M7i/M10i with enhanced CFEB, M320 with E3-FPC, M120 and MX Series with DPC. It checks FPC error conditions and performs the appropriate actions in case of an error. PR1056161
  • On MX Series routers, the interrupt-driven basis link down detection (an interrupt-driven link-down notification is generated to trigger locally attached systems to declare the interface down within a few milliseconds of failure) may fail after performing unified in-service software upgrade (ISSU). The interrupt might have been prevented after performing unified ISSU due to disabling the interrupt registers before unified ISSU, but never restored after. PR1059098
  • When a route points to an aggregated multiservices (AMS) logical interface, then after manually bouncing this logical interface by disabling it and then enabling it again, the aggregate next-hop referred by that route will have the child unicast next hop pointing to the .discard.0 interface instead of member interface (mams) interfaces. As a result, traffic ingress on MPC card and routed to that route will be discarded. PR1065944
  • When setting the syslog to debug level (any any), you may note reoccurring messages of the form "ifa for this rt ia is not present, consider ifa as ready". These messages are logged for IPv6 enabled interfaces when receiving forwarded packets and cause no harm. Set a higher debug level to avoid seeing them. PR1067484
  • The static route prefers the directly connected subnet route for resolving the next hop rather than performing a longest prefix match with any other available routes. In case of longest prefix route being desired in customer deployment, it will result in traffic loss issues. Now a new configuration statement "longest-match" is introduced to enable longest prefix matching behavior when desired: set routing-options static route <destination-prefix> next-hop <address> resolve longest-match. PR1068112
  • With basic NAT44, when the router is receiving packets on a GRE tunnel, NAT was dropping all protocols other than PPTP on the GRE tunnel. PR1069872
  • On MX Series routers with MPC based line cards in a setup involving Packet Forwarding Engine fast reroute (FRR) applications, when a BFD session flaps, the next-hop program in the Packet Forwarding Engine may get corrupted. It may lead to incorrect selection of next-hop or traffic blackhole. PR1071028
  • Higher baseline CPU utilization and periodic CPU spikes might be seen on XM-based MPC as compared to MPC-3D-16XGE-SFPP cards due to the following reasons: On XM-based MPC, low priority threads which monitor various things in the background on a periodic basis such as voltage, temperature, stats counters, hardware status, and so on exist. When the system is idle, these threads are allowed to take more of the load and that is why higher baseline CPU/CPU spikes are seen. This does not prevent other higher priority threads from running when they have to, as these are non-critical activities being done in the background and hence this is a non-impacting issue. PR1071408
  • The dfwd process might crash when kernel messages for objects such as IFL or IFF are sent to the dfwd process soon after its dynamic profile delete request. This is a race condition. PR1074068
  • For Network Address Translation (NAT), Traffic Detection Function (TDF), or IPsec service configured on MX Series platforms with MS-MPC/MS-MIC, the received fragmented IPv4/IPv6 packets will be re-assembled and sent out. Under a scaled environment, the mspmand process might crash while MS-MPC/MS-MIC is under process of assembling the fragmented packets. PR1075454
  • In a traffic throughput test between the MPC1/1E/2/2E card and the MPC2E/3E NG card, the throughput from the MPC1/1E/2/2E card to the MPC2E/3E NG card is lower than from the MPC2E/3E NG card to the MPC1/1E/2/2E card. PR1076009
  • When a router with AMS infrastructure has MAC flow control enabled, the continuous fragmented packets might crash the NPU and mspmand process (which manages the Multi-Services PIC). PR1076033
  • The vendor provided the fix, which includes a conditional check. PR1076369
  • On MX Series router, the CLI command “set interfaces interface-name speed auto-10m-100m” is not supported. PR1077020
  • The license-check process may consume more CPU utilization. This is due to a few features trying to register with the license-check daemon which license-check would not be able to handle properly and result in high CPU on Routing Engine (RE). Optimization is done through this fix to handle the situation gracefully so that high CPU will not occur. PR1077976
  • Starting from Junos OS Release 14.1R1, if the hidden configuration statement "layer-4 validity-check" is configured, the Layer4 hashing will be disabled for fragmented IP traffic. Due to a defect, the multicast MAC rewrite is skipped in this case, and the fragmented multicast packets are sent with an incorrect destination MAC. PR1079219
  • In a subscriber management environment, the PPP daemon (jpppd) might crash repeatedly due to a memory double-free issue. PR1079511
  • On MX Series platforms with MS-MPC/MS-MIC, in some mspmand process crash scenarios, after the mspmand coredump is finished or almost finished, the PIC kernel also crashes and dumps vmcore. The mspmand cores in these scenarios are readable but the vmcores are not. PR1081265
  • This may be a false log message - the risk of false log is minor, however, the underlying error, e.g., continuous fi recorder timeout, may impact traffic and can be major. When the specific log message is observed in the message file, please advise customer to investigate if there are continuous fabric errors, such as late cell, cell timeout, etc, on the reporting line card and recover those errors first. PR1081771
  • The MPC shows the following log message and generates a core file because the logic for clearing references to JNH memory pools that have been discarded did not handle those in Bulk DMEM: "jnh_private_mem_pool_free(898): No private mem_pool for 0x00300000/00100000". PR1081855
  • When an MX Series chassis network-services is "enhanced-ip" and an AE is part of a Layer 2 bridge (bridge-domain or VPLS), there is a possibility that an incorrect forwarding path may be installed causing traffic loss. This could happen when first applying the configuration, restarting the system or restarting the line card. PR1081999
  • In multi-homing and signal active EVPN scenario, if IRB interface is included in the instance, when the DF-CE link flaps, due to a timing issue, the DF might send L3 EVPN routes with label 0 to remote PEs, causing traffic to be dropped at remote PE. PR1082287
  • “show interfaces queue <ifl>” stats are not correct with RLSQ warm-standby mode. Issue seen on MPCs and MICs as well in 14.1R4.10. PR1082417
  • On PTX platform, the FPC may crash when the interface goes down (e.g. disabling the interface or interface flap occurs) due to failure during CNH NH change (composite next hop, e.g. created in P2MP LSP scenario). Based on the current observation, the probability of the issue might be low. PR1082429
  • OTN based SNMP traps such as jnxFruNotifOperStatus and jnxIfOtnNotificationOperStatus are raised by offline/online MIC although no OTN interface is provisioned. PR1084602
  • Invalid Ethernet Synchronization (ESMC) frames may be transmitted by the MX Series router when activating LAG and tag-protocol-id under interfaces. PR1084606
  • On a device with lt and ams interfaces configured, walking ifOutOctets or other similar OIDs may cause an "if_pfe_ams_ifdstat" message to print. This is a cosmetic debug-level entry, which was incorrectly set to critical-level. PR1085926
  • In some rare conditions, depending on the order in which configuration steps were performed or the order in which hardware modules were inserted or activated, if PTP master and PTP slave are configured on different MPCs on the MX Series router acting as BC, it might happen that the clock is not properly propagated between MPCs. This PR fixes this issue. PR1085994
  • MACsec using static secure association key (SAK) security mode does not work properly on MX80 routers and FPC slots other than slot 0 of MX104 routers. PR1086117
  • mspmand core is observed while taking ms-mic offline with IPsec and J-Flow configured on same ms-mic with dynamic IPsec tunnels. PR1086819
  • If the ALG is receiving UDP fragmented control traffic (e.g., SIP control packets) continuously, the mspmand process (which manages the service PIC) might crash due to buffer error. PR1087012
  • In the specific configuration of an LT interface in a VPLS instance and the peer-unit of this LT interface configured with family inet6 using vrrp, the kernel may crash when the FPC is online. PR1087379
  • In the dual Routing Engines scenario with GRES and ae0 interfaces configured, if GRES is disabled on the system, the backup Routing Engine should remove the ae0 bundle. However, it does not and ae0 remains in the backup Routing Engine. After switching Routing Engine mastership to make the other Routing Engine as master, the new master Routing Engine (which was backup earlier) continues to use the invalid MAC address "00:00:00:00:00:00". PR1089946
  • On PTX platforms, some non-fatal interrupts (for example, CM cache or AQD interrupts) are logged as fatal interrupts. The following log messages will be shown on CM parity interrupt:
    fpc0 TQCHIP 0: CM parity Fatal interrupt,Interrupt status:0x10
    fpc0 CMSNG: Fatal ASIC error, chip TQ
    fpc0 TQCHIP 0: CM cache parity Fatal interrupt has occurred 181 time(s) in 180010 msecs
    TQCHIP 0: CM cache parity Fatal interrupt has occurred 181 time(s) in 180005 msecs
    PR1089955
  • Incorrect ESH checksum computation with non-Zero Ethernet padding in the Junos MX Series router. PR1091396
  • The mspmand process might crash due to prolonged flow-control with TCP ALGs, mostly when the following conditions happen together:
    1. The system is overloaded with TCP ALG traffic.
    2. There are lots of retransmissions and reordered packets.
    PR1092655
  • When the control path is busy/stuck for a service PIC, the AMS member interface hosted by it might be down, but when the busy/stuck condition is cleared, the member interface might not recover, and the AMS bundle still shows the PIC as inactive. PR1093460
  • On TCP ALG, if there are a lot of retransmissions and reordered TCP packets, and the system is overloaded due to the TCP traffic, the mspmand (which manages the service PIC) process might crash. PR1093788
  • There are entries for PEM in jnxFruEntry in VMX. It is not necessary and is cosmetic. PR1094888
  • Extensive header integrity checks will be done for packets that match a service set that has NAT/SFW configured.
    1. Enable header integrity checks by default when SFW or NAT is configured in same service set. This is inline with ukernel behavior.
    2. Retain the configuration statement for use by other plugins such as IPsec which may want to enforce header integrity if needed.
    3. Ensure that the command "show services service-sets statistics integrity-drops" works if SFW/NAT is configured.
    PR1095290
  • If a service-PIC is configured to simultaneously function as both an MS interface and as a member of an AMS interface, then some settings under services-options may not apply correctly. These settings are A) syslog_rate_limit, B) fragment-limit, C) reassembly-timeout, and D) jflow_log_rate_limit. PR1096368
  • On Junos OS-based platform, when the type of the IPv6 traffic is non-TCP or non-UDP (for example, next header field is GRE or No Next Header for IPv6), if the traffic rate is high (for instance, higher than 3.5 Mpps), the packet re-ordering may occur. PR1098776
  • On MX Series-based line cards, when the prefix-length is modified from higher value to lower value for an existing prefix-action, heap gets corrupted. Due to this corruption, the FPC might crash anytime when further configurations are added/deleted. The following operations might be considered as a workaround:
    Step 1. Delete the existing prefix-action and commit.
    Step 2. Then re-create the prefix-action with newer prefix-length.
    PR1098870
  • Non-queuing MPC5E and MPC6E might crash continuously if rate-limit under transmit-rate for scheduler is applied. As a workaround, do not configure rate-limit and use firewall policer for forwarding-class instead. MPC5EQ is not exposed. PR1104495
  • Due to a software defect found in 13.3R7.3 and 14.1R5.4 inclusively, Juniper Networks strongly discourages the use of Junos OS Release 13.3R7.3 on routers with MQ-based MPCs. This includes MX-Series with MPC1, MPC2 and all mid-range MX-Series routers. PR1108826

Infrastructure

  • When the "show version detail" CLI command is executed, it calls a separate gstatd process with the parameter "-vvX". Because gstatd does not recognize these parameters, it runs once without any parameter and then exits. As a result, the following information might be seen in the output of "show version detail":
    user@hostA> show version detail
    Hostname: hostA
    Model: mx960
    Junos: 13.3R6-S3
    JUNOS Base OS boot [13.3R6-S3]
    JUNOS Base OS Software Suite [13.3R6-S3]
    ..
    <snipped>
    file: illegal option -- v
    usage: gstatd [-N]
    gstatd: illegal option -- v
    usage: gstatd [-N]
    <snipped>
    At the same time, log lines like the following might be recorded in syslog:
    file: gstatd is starting.
    file: re-initializing gstatd
    mgd[14304]: UI_CHILD_START: Starting child '/usr/sbin/gstatd'
    gstatd: gstatd is starting.
    gstatd: re-initializing gstatd
    gstatd: Monitoring ad2
    gstatd: switchover enabled
    gstatd: read threshold = 1000.00
    gstatd: write threshold = 1000.00
    gstatd: sampling interval = 1
    gstatd: averaged over = 30
    mx960 mgd[14304]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/gstatd', PID 14363, status 0x4000
    mgd[14304]: UI_CHILD_EXITED: Child exited: PID 14363, status 64, command '/usr/sbin/gstatd'
    PR1078702

Interfaces and Chassis

  • Power-off by pushing the Offline button on the master Routing Engine causes lots of packets to be lost although GRES/NSR is configured. The FPC gets rebooted after Routing Engine switchover, which also causes traffic loss. PR1034164
  • Configuring ODU FRR on 2x100G DWDM under otn-options could result in an FPC core. PR1038551
  • The "show chassis network-services" command might not show the correct configured value when executed on the backup Routing Engine. This command should only be executed on the master Routing Engine. PR1054915
  • On a DPC-only chassis, after a software upgrade or a non-graceful Routing Engine switchover, Ethernet OAM related LAG bundles might not come up due to the Link Fault Management (LFM) packets arriving on the AE interface instead of the physical link interface. PR1054922
  • There is a mismatch in MAC statistics, where a few frames go unaccounted. This is a day-1 issue with the software fetching of MAC statistics: the snap and clear bits were set together in the pm3393 chip driver software, so the clear happened even before the stats were copied to the shadow registers, and those frames went unaccounted. PR1056232
  • On M120 router with scaled configuration, when restarting an FPC, the chassis management daemon (chassisd) might crash if it didn't get FPC offline ACK from one of the FEBs in time. PR1059475
  • When the Maximum Receive Unit (MRU) value is not set under group-profile ppp-options hierarchy, a default value (1492) will be used. If MRU value is set, the new value will take effect. But if the configured MRU value is deleted from the group profile, the MRU value remains the configured one and fails to fall back to the default one. PR1059720
  • For transit traffic on INLINE LSQ redundancy (rlsq) interface, the input firewall-filter counters are logging zero packet count regardless of traffic flow. Output filter counters are logging correctly. For host-bound traffic, the firewall output counter will get double accounted on Classical rlsq and triple accounted on INLINE rlsq. This issue is targeted to be fixed in Junos OS Release 14.1R5. PR1060659
  • In a scaling PPP subscriber environment, when the device is under a high load condition (for example, high CPU utilization with 90% and above), a long delay in session timeout may occur. In this situation, the device may fail to terminate the subscriber session (PPP or PPPoE) immediately after three Link Control Protocol (LCP) keepalive packets are missed. As a result, the subscriber fails to reconnect due to the old PPP session, and corresponding Access-Internal routes are still active for some time. In addition to this, it is observed that the server is still sending KA packets after the session timed out. PR1060704
  • On MX Series routers, INET MTU (PPP payload MTU, that is IP header plus data excluding any L2 overhead) is being set to lowest MRU of either MX (local device) or peer. This behavior is not in line with ERX behavior, which is set to min (local MTU, peer MRU). This might cause packet drops in the customer network in the downstream path. PR1061155
  • When a new VCP port is added to MX-VC, some traffic drops are seen. PR1067111
  • When the Ethernet Link Fault Management (LFM) action profile is configured, if there are some errors (refer to the configuration, for example, frame errors or symbol errors) happening in the past (even a long past), due to the improper handling of error stats fetching from kernel, the LFM process (lfmd) may generate false event PDUs and send the false alarm to the peer device. PR1077778
  • On MX Series Virtual Chassis (MX-VC) platforms, due to a timing issue, the physical interface (ifd) on the same Modular Interface Card (MIC) with Virtual Chassis port (VCP) might not be created or take a very long time to be created after rebooting the hosted Modular Port Concentrator (MPC). PR1080032
  • On MX-VC with SCB (no Enhanced SCB equipped), if the fabric redundant-mode is not explicitly configured, after rebooting whole VC, the VC-Mm will stay in Redundant mode but not Increased-bandwidth mode. PR1080301
  • The MAX-ACCESS value has been changed in jnx-otn.mib for the following OIDs: jnxOtnIntervalOdu15minIntervalNumber, jnxOtnIntervalOtu15minIntervalNumber, jnxOtnIntervalOtuFec15minIntervalNumber. The value has been changed from read-only to not-accessible to be in line with newer MIBs. PR1080802
  • In MX Series Virtual Chassis (MXVC) scenarios, during unified ISSU operation, the new master Routing Engine does not have the MXVC SCC's system MAC address. It just has its local system MAC address. The address is not replicated between local Routing Engines, and the new master Routing Engine has not yet connected to the MXVC SCC to receive it. Hence, the possibility exists to overwrite the FPC with an address that does not match the previous address. PR1084561
  • The VRRP preempt hold time is not being honored during NTP time sync and system time is changed. PR1086230
  • On MX Series Virtual Chassis (MX-VC) platforms with "subscriber-management" enabled, after power up/reboot, the VC backup router (VC-B) experiences a rapid sequence of role transitions from no-role to VC master router (VC-M) to VC-B and the expected local GRES and a reboot of the former master Routing Engine might not happen on the VC-B, and some of the FPCs on it might be stuck in "present" state and eventually rebooted. PR1086316
  • When an interface on SFPP module in MIC is set to disabled, after pulling out the SFPP and then inserting it, the remote direct connected interface might go up unexpectedly. PR1090285
  • After removing a child link from AE bundle, in the output of "show interface <AE> detail", the packets count on the remaining child link spikes, then if we add the previous child link back, the count recovers to normal. PR1091425
  • After the related ae interface configuration is committed, some of the ae interfaces might disappear in MX-VC. It seems that the ae interfaces are not allocated MAC addresses by chassisd properly. This issue happens only at the first configuration after rebooting or restarting chassisd, so configuring the related ae interface configuration repeatedly does not reproduce it. When this issue happens, the following messages are found in the messages log:
    lab@router_re0> show log messages| match CHASSISD_MAC_ADDRESS_AE_ERROR
    Jun 26 16:04:34.064 router_re0 scchassisd[2008]: CHASSISD_MAC_ADDRESS_AE_ERROR: chassisd MAC address allocation error for ae4
    Jun 26 16:04:34.105 router_re0 /kernel: Jun 26 16:04:34.064 router_re0 scchassisd[2008]: CHASSISD_MAC_ADDRESS_AE_ERROR: chassisd MAC address allocation error for ae4
    To restore the ae interfaces (this is not a workaround), deactivate and then activate the ae interfaces. This must be done for all ae interfaces that disappeared. PR1100731

J-Web

  • Junos: Multiple vulnerabilities in J-Web (CVE-2016-1261); Refer to https://kb.juniper.net/JSA10723 for more information. PR1085428
  • Junos: Multiple vulnerabilities in J-Web (CVE-2016-1261); Refer to https://kb.juniper.net/JSA10723 for more information. PR1085470

Layer 2 Features

  • In an MX Series Virtual Chassis (MXVC) environment, when packets come from an interface (for example, xe-16/0/1.542) situated on one member of the VC (for example, VC member 1), if the ingress Packet Forwarding Engine (for example, FPC16 PFE0, which runs the hash to determine which interface it should send the packet to) decides that it should send the packet via another interface (for example, xe-4/0/1.670) situated on a different member (for example, VC member 0), it will send the frame to member 0 via the vcp- intf. If xe-4/0/1.670 belongs to an AE bundle that has multiple child links, a hash needs to be run on the Packet Forwarding Engine carrying the VCP port (receiving side on member 0) to determine which one is the egress Packet Forwarding Engine within member 0 to send the packet out after the vcp- intf gets the packet. This hash should produce the same result as the ingress Packet Forwarding Engine. If it does not, the packet is dropped on the Packet Forwarding Engine on member 0. PR1097973

Layer 2 Features

  • When a BGP peer is configured between two routers over an lt (logical tunnel) interface, deactivating and activating it a few times at scaled configuration might, in rare conditions, cause the lt interface to reject all the ARP reply packets. Hence, ARP resolution does not happen over this interface, so the unicast routes are not in the correct states, and a ping to such an lt interface will fail. PR1059662
  • With Dynamic Host Configuration Protocol (DHCP) maintain subscriber feature enabled, when the subscriber's incoming interface index is changed, for example, the interfaces go away and come back after changing the MTU configuration of interface, the existing subscribers may get dropped and new subscribers fail in connection. PR1059999
  • The LACP partner system ID is shown incorrectly when the AE member link is connected to a different device, which might be misleading while troubleshooting LAG issues. PR1075436
  • On MX Series routers, when configuring the dynamic access routes for DHCP subscribers based on the Framed-Route RADIUS attribute, the access route may be created on the device; however, the framed routes may not be installed for subscriber interface (under the "Family Inet Source Prefixes"). PR1083871
  • MTU change is not advised on the Ethernet ring protection (ERP) ring interfaces unless the ring is in idle condition. Changing ring interface MTU while a ring is not in idle state may result in change in the forwarding state of the interface, which can lead to loop in the ring. PR1083889
  • When family bridge was configured and committed, l2ald restarted repeatedly with a core file. After restarting several times, l2ald stopped working due to a thrashing condition. The l2ald core will be seen with the following configuration:

    set interfaces fxp0 unit 0 family bridge interface-mode access

    set interfaces fxp0 unit 0 family bridge vlan-id 100

    When the configuration is committed, messages like the following are logged and a core file is generated:

    l2ald[1624]: ../../../../../src/junos/usr.sbin/l2ald/l2ald_vpls_flood.c:3117: insist '!err' failed

    l2ald[1734]: ../../../../../src/junos/usr.sbin/l2ald/l2ald_vpls_flood.c:3117: insist '!err' failed

    l2ald[1769]: ../../../../../src/junos/usr.sbin/l2ald/l2ald_vpls_flood.c:3117: insist '!err' failed

    l2ald[1993]: ../../../../../src/junos/usr.sbin/l2ald/l2ald_vpls_flood.c:3117: insist '!err' failed

    l2ald[2195]: ../../../../../src/junos/usr.sbin/l2ald/l2ald_vpls_flood.c:3117: insist '!err' failed

    ...

    init: l2-learning is thrashing, not restarted

    PR1089358

  • During interface flaps, a high amount of TCN (Topology Change Notification) might get propagated, causing other switches to get behind due to a high amount of TCN flooding. This problem is visible after the changes made in Release 11.4R8 and later, which propagate the TCN BPDU immediately rather than at the pace of the 2-second BPDU Hello interval, to speed up topology change propagation. The root cause is that the TCNWHILE timer of 4 seconds is always reset upon receiving TCN notifications, causing the high-churn TCN propagation. PR1089580
  • V44 defines the next generation of Juniper Network Fabric using an MX Series router as the aggregation device (AD) and EX4300/QFX5100s as the Satellite Devices (SD). When V44 port extension is in use, after switching from the master to the backup Routing Engine, the ppman daemon on the SDs may crash and not be restarted. As a result, the aggregated Ethernet (ae) bundle over v44 extended ports does not come up. PR1101266

MPLS

  • LDP does not distribute a label for a BGP FEC/prefix to downstream on demand (DoD) sessions when the Forwarding Equivalence Class (FEC)/prefix is learned from an IBGP peer to which ldp-tunneling is configured. PR1049329
  • With the BGP prefix-independent convergence (PIC) edge feature enabled, more than one BGP next-hop association will be installed in the Packet Forwarding Engine for MPLS VPN and Internet transit traffic. Deactivating/activating the IGP protocol (IS-IS or OSPF) might cause the backup session to stay down on the Packet Forwarding Engine. PR1058190
  • LDP peer will not advertise all labels to downstream LDP neighbor/s on rare occasions. PR1058694
  • With BGP labeled-unicast egress protection enabled in a Layer 3 VPN, the protected node advertises primary BGP labeled unicast routes that need protection. When there is a next-hop change for a labeled route, for example, when deactivating/activating the egress-protection configuration statement or during route churn, the memory might be exhausted, which leads to an rpd process crash. PR1061840
  • The point-to-multipoint (P2MP) label-switched path (LSP) cannot be re-established after certain links are down. This issue might be encountered when the links contain the primary and backup LSPs for the P2MP LSP. The P2MP LSP can be restored after the links are up. PR1064710
  • When CSPF computes the path for node-protected bypass, it considers only the SRLG group configured on the next-hop interface along the primary path. However it doesn't consider the SRLG group on the next-to-next-hop interface to adequately provide a diverse path between primary and node-protected bypass. PR1068197
  • In scaling l2circuits environments, the rpd process might crash due to a corruption in the LDP binding database. PR1074145
  • In an MPLS environment, if one of minimum-signaling-bandwidth, merging-bandwidth, splitting-bandwidth, maximum-signaling-bandwidth is configured, or derived as value 0, the routing protocol process (rpd) may crash when lsp-splitting or lsp-merging (for example, when the traffic comes up/down) occurs. As a workaround, due to the logic of the configuration statements, none of the following configuration statements could be configured or derived as zero: -merging-bandwidth, -minimum-signaling-bandwidth, -splitting-bandwidth, -maximum-signaling-bandwidth. PR1074472
  • In race conditions, the rpd process on the backup Routing Engine might crash when BGP routes are exported into LDP by egress-policy and configuration changes during the rpd process synchronizing the state to backup rpd process. PR1077804
  • On dual RE platforms with GRES, the kernel synchronization process (ksyncd) may crash on the backup RE when a route pointing to an indirect next hop is added on the system. PR1102724

Platform and Infrastructure

  • On April 22nd, 2009 FreeBSD announced that the db interface in libc in FreeBSD 6.3, 6.4, 7.0, 7.1, and 7.2-PRERELEASE does not properly initialize memory for Berkeley DB 1.85 database structures, which allows local users to obtain sensitive information by reading a database file. Refer to JSA10756 for more information. PR442580
  • When the Network Configuration Protocol (NETCONF) service is used on the device, after the NETCONF session is established, because all the output that contains <error> tag might be incorrectly converted into <rpc error>, the management daemon (mgd) may crash on the device. As in the following example, the output that contains the <error> tag may lead to the crash:

    user@re0> show subscribers address 1000 | display xml

    ..

    <error junos:style="input-error"> <<<<<< The output contains <error> tag and may trigger the crash.

    PR975284

  • On a router with a point-to-point (P2P) SONET/SDH interface, when a P2P interface is disabled, the corresponding host route might still be kept in the forwarding table. If a ping operation is performed, the message "Can't assign requested address" might be seen instead of the message "No route to host". PR984623
  • On MX Series Virtual Chassis (MX-VC) platforms, mirroring of OAM packets may not work as expected if the OAM packet traverses multiple Packet Forwarding Engines (for example, the mirrored port and VCP port are on separate Packet Forwarding Engines). PR1012542
  • In EVPN scenarios, the MPC may crash with a core dump when any interface is deleted and then added to an aggregated Ethernet bundle, or when the ESI mode is changed from all-active to single-active. PR1018957
  • Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2016-1271); Refer to https://kb.juniper.net/JSA10739 for more information. PR1019669
  • LSI logical interface input packet and byte stats are also added to core logical interface stats, but when the LSI logical interface goes down and the core logical interface stats are polled, there is a dip in stats. The fix is to restore LSI logical interface stats to core logical interface before deleting the LSI logical interface. PR1020175
  • Changes to the forwarding-table firewall filter list can cause an FPC/TFEB crash. The forwarding-table firewall filter list can be composed of user-configured filters under the "forwarding-options" stanza, but it can also contain auto-generated filters (also known as "internal" filters or "implicit" filters) that are needed by certain features. For example, the "services traffic-load-balance" feature and the "forwarding-options dhcp-relay" feature both make use of auto-generated forwarding-table filters. PR1039003
  • On MX Series routers with MPC3E/MPC4E/MPC5E/MPC6E, if the Packet Forwarding Engine has inline NAT configured or is processing inline GRE decapsulation with packet sizes between 100B-150B, in some very corner cases a traffic blackhole might be seen due to incorrect cell packing handling. Another application exposed is Layer 2 family any output port-mirror configuration. On T4000 with FPC type 5, processing any packet sizes between 133B-148B in certain sequences results in incorrect cell packing handling. PR1042742
  • Due to a defect in the Junos OS software, when a telnet user experiences some undefined network disconnect, .perm and .env files under /var/run are left behind. This scenario happens only under certain unknown ungraceful network disconnects. When a considerable number of .perm/.env files get accumulated under /var/run, the issue is seen with telnet users who are not able to perform permitted operations on the router, post-login. PR1047609
  • Under very rare situations, Packet Forwarding Engines on the following line cards, as well as the compact MX80/40/10/5 series, may stop forwarding transit traffic: 16x10GE MPC, MPC1, MPC2. This occurs due to a software defect that slowly leaks the resources necessary for packet forwarding. Interfaces handled by the Packet Forwarding Engine under duress may exhibit incrementing 'Resource errors' in consecutive output of “show interfaces extensive”. A Packet Forwarding Engine reboot via the associated line card or chassis reload is required to correct the condition. PR1058197
  • With the configuration "extend-size", if the user loads and commits the scaled configuration (in this case, 250K Unique Prefix list policy options), then deletes the configuration statement "extend-size", the dfwd process might crash. PR1058579
  • If a Radius server is configured as accounting server, when it is non-reachable, the auditd process might get stressed with a huge number of audit logs to be sent to the accounting server, which might cause auditd to crash. PR1062016
  • Chassisd had a software problem in the FPC OFFLINE event handling code. When multiple offline events for a single FPC arrive in a short period, chassisd might wrongly stop handling the FPC offline process in the middle. As a result, the FPC and fabric state for that FPC will remain abnormal. This PR has resolved the problem. Now chassisd will correctly continue the FPC offline process even under such a condition. Resolved-In: 12.3R10 13.3R7 14.1R5 14.1X50-D100 14.2R4 15.1R1 15.1X49-D10 PR1063786
  • Starting from Junos OS Release 14.2R1, the CLI command "set date ntp a.b.c.d" might not work. PR1067107
  • StartTime and EndTime of the flow in inline-jflow (version 9) has a future time stamp. PR1067307
  • In Junos release 13.3R6 or 14.2R3, for PPPoE subscribers over the aggregated Ethernet (ae) interface, the output of "show interface statistics <pp> detail" command shows the ingress/egress traffic statistics for the aggregate interface instead of the statistics for PP/DEMUX logical interface. PR1069242
  • With "shared-bandwidth-policer" on an aggregated Ethernet interface, if a member interface flaps, the NPC to which the interface belongs may restart. A similar issue may also happen when changing the firewall policer configuration. PR1069763
  • Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2016-1271); Refer to https://kb.juniper.net/JSA10739 for more information. PR1069867
  • Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2016-1271); Refer to https://kb.juniper.net/JSA10739 for more information. PR1069873
  • With about 1M routes on an MX Series router, there might be a packet dark window of more than 1 second (about 1.3s) during unified ISSU. PR1070217
  • If port-mirroring and VRRP over ae-irb are configured in a bridge-domain, enabling the Distributed Periodic Packet Management Process (ppmd) for VRRP in this BD might cause the VRRP to flap. PR1071341
  • When inline-sampling is enabled, in race conditions, if a packet gets corrupted and the corrupted packet length shows 0, it may cause a "PPE_x Errors thread timeout error" and eventually cause the MPC card to crash. PR1072136
  • VRRP advertisements might be dropped after enabling delegate-processing on the logical tunnel (lt) interface. It would result in a VRRP master state observed on both routers. PR1073090
  • When integrated routing and bridging (IRB) interface is configured with Virtual Router Redundancy Protocol (VRRP) in Layer 2 VPLS/bridge-domain, in corner cases after interface flapping, MAC filter ff:ff:ff:ff:ff:ff is cleared from the Packet Forwarding Engine hardware MAC table, so the IRB interface may drop all packets with the destination’s MAC address FFFF:FFFF:FFFF (e.g., ARP packet). PR1073536
  • In a VXLAN environment, BUM traffic will be duplicated; the duplicate amount depends on how many Packet Forwarding Engines are included in that bridge domain. For example, if there are 2 physical interfaces located in 2 different Packet Forwarding Engines in the bridge domain, traffic leaving vtep will triple due to this issue. That is one copy from the ingress Packet Forwarding Engine and two other copies from the egress Packet Forwarding Engines where the 2 physical interfaces are present. The issue is fixed on 14.1R5, 14.2R4, 15.1R2, 15.1R1 and above. PR1073778
  • Problem: It tries to check allotted power for all the FPCs; the CHASSISD_I2CS_READBACK_ERROR logs appear for FPCs that are not present in the chassis. It just calls i2cs_readback() to read the i2c device and fails there because these FPCs' slots are blank, and prints those readback errors. The errors are harmless: "CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC". Fix: The code that checks 'if power has been allotted to this FPC' needs to be executed only if the FPC is present. PR1075643
  • This PR removes the unwanted resolve filter log on the ichip/Packet Forwarding Engine side; it has been fixed since 12.3R10. PR1076563
  • When an SFB on MX2020/MX2010 is experiencing a hardware issue, the SPMB might crash and cause the FPC to reboot. With the fix, the bad hardware issue is handled gracefully and the SPMB does not crash. PR1077074
  • In hierarchical class of service (H-CoS) environments, when the subscriber logs out from the reserved logical interface (ifl) ".32767" unit (for example, xe-x/x/x.32767), the CoS installation of the interface may get wrongly deleted on Packet Forwarding Engine. PR1077098
  • From Junos 13.3, configuration changes like activating "fast-lookup-filter", adding or deleting "interface-specific" or any other filter property, adding or deleting any term, or changing any match condition in any term in the filter, which updates the firewall filter in a rare sequence might result in loss of DMEM and kernel memory resources or some free error messages. This issue only impacts Trio-based line card and occurs in rare cases. The following log messages might be observed from Junos 13.3: [LOG: Err] jnh_free(10040): ERROR [FW/0]:1 Paddr 0x00400000, addr 0x0, part_type 0call_stack 0x404906b4 0x418ecdbc 0x418ed2e0 0x418baca0 0x418becc8. And the following log messages might be observed from Junos 14.2: [LOG: Err] FREE ERR FW[0]: FW, 1 dw (1 blk) @ PA 0x7c63f00d addr 0x23f00d PR1077338
  • Junos: Lazy race condition in RPC allows an authenticated user to improperly elevate privileges (CVE-2016-1267); Refer to https://kb.juniper.net/JSA10730 for more information. PR1078027
  • On MX Series-based platforms, when learning the MAC address from the pseudo-IFL (for example, label-switched interface), if the MAC address is aged out in the source FPC where the MAC got learned, due to the delay (around 2 to 3 milliseconds) of MAC address deleting message processed in the source FPC and the egress FPC (destination FPC of the traffic), the MAC address might be deleted first from the egress Packet Forwarding Engine but get added again during these 2-3 millisecond time intervals. (As there is continuous traffic coming on the egress FPC destined to this MAC, the MAC query is generated and sent to the Routing Engine and source FPC. Since the source FPC has not yet processed the MAC-deleted message, it sends the response, so stale MAC will get added on the egress Packet Forwarding Engine.) In this situation, no L2 flooding would occur for the "unknown" unicast (since the MAC address is present on the egress Packet Forwarding Engine). PR1081881
  • On MX Series routers with certain MPCs, the log message "ddos_clear_one_work_queue: can't return an item to store 4" is printed if there are DDoS violations for all hostbound traffic that exceed bandwidths. PR1082298
  • MPC is showing the following log messages and will generate core: “jnh_private_mem_pool_free(898): No private mem_pool for 0x00300000/00100000” PR1081855
  • When an MX Series chassis network-services is "enhanced-ip" and an AE is part of a Layer 2 bridge (bridge-domain or VPLS), there is a possibility that an incorrect forwarding path may be installed, causing traffic loss. This could happen when first applying the configuration, restarting the system, or restarting the line card. PR1081999
  • LMEM is an internal memory in the LU/XL ASIC chip. It has private and shared regions for Packet Processing Engines. LMEM data errors are very rare events caused by environmental factors (this is not created by software). Due to a software defect, an error in the shared LMEM region will result in corruption of critical data structures of Packet Processing Engines that causes unpredictable communication of the LU/XL ASIC chip with the MQ/XM ASIC chip. These events will corrupt the state in MQ/XM and lead to an MQ/XM wedge. The MQ/XM wedge would cause fabric blackhole and finally reboot the line card. PR1082932
  • On MX Series routers with MPCs/MICs, the "RPF-loose-mode-discard" feature does not work when configured within a Virtual Router routing instance. The feature works only when configured in the main instance. PR1084715
  • In Junos OS Releases 13.3R3, 14.1R1, and 14.2R1, there is a new feature: an extra TLV term is added to accommodate the default action for the "next-interface" when the corresponding next-interface is down. While doing a unified ISSU from an image without the feature to an image with this feature, all MPCs might crash. PR1085357
  • With MX Series routers with FPC, load balance hash seed will be changed after the unified ISSU. Since the hash seed value will be reverted to the original value by rebooting FPC, there would be a hash value inconsistency in the system which might introduce blackholing on multicast flavor traffic (mcast or BUM on vpls/l2-bridge). Affected versions: 12.3R7, 13.2R4-13.2R5, 13.3R2-13.3R3, 14.1R1, 14.1R3-14.1R4, and 14.2R1-14.2R3. PR1086286
  • The prompt for the SSH password changed in Junos OS 13.3 Release, from "user@host's password:" to "Password:". This change breaks the logic in "JUNOS/Access/ssh.pm" which is located in /usr/local/share/perl/5.18.2/ on Ubuntu Linux, for example. PR1088033
  • Junos: A race condition in the Op script Op URL option allows an authenticated remote attacker to fully compromise the system (CVE-2016-1264); Refer to https://kb.juniper.net/JSA10725 for more information. PR1088339
  • On MX Series router with MPCs/MICs or T4000 FPC5, a TCP session with MS-Interface/AMS-Interface configuration is not established successfully with the "no-destination-port" or "no-source-port" configuration statements configured under the forwarding-options hierarchy level. PR1088501
  • In a fib-localization scenario, IPv4 addresses configured on service PICs (SP) will not appear on FIB-remote FPCs although all local (/32) addresses should, regardless of FIB localization role, install on all Packet Forwarding Engines. There is no workaround for this and it implies that traffic destined to this address will need to transit through FIB-local FPC. PR1092627
  • When an interface on an MQ-based FPC is going to link down state, in-flight packets on interface transmit path will be stuck on the interface and never drained until the interface comes up again. As a result, a small number of such stacked packets will be sent out when the interface is going to the UP state. In some cases it might also trigger Host Loopback:HOST LOOPBACK WEDGE DETECTED IN PATH ID [x] reported and traffic forwarding stopped for all interfaces belonging to this Packet Forwarding Engine. Once the interface comes back up, packet forwarding will continue for all interfaces and the Host Loopback wedge alarm gets cleared. The following FPCs are exposed to this symptom: MPC 3D 16x 10GE, MPC1 or MPC2. PR1093569
  • On MX2020 or 2010 routers, an SPMB core file will be seen if there are bad XF chips (Fabric chip) on the SFB, which might trigger Routing Engine/CB switchover. PR1096455
  • On MX Series routers with MPCs/MICs, when the type of the IPv6 traffic is non-TCP or non-UDP (for example, next header field is GRE or No Next Header for IPv6), if the traffic rate is high (for instance, higher than 3.5 Mbps), the packet re-ordering may occur. PR1098776
  • On MX Series routers with MPCs/MICs, when the prefix-length is modified from a higher value to a lower value for an existing prefix-action, the heap gets corrupted. Due to this corruption, the FPC might crash at any time when further configurations are added/deleted. The following operations might be considered as a workaround: Step 1. Delete the existing prefix-action and commit. Step 2. Re-create the prefix-action with the newer prefix-length. PR1098870
  • The "shared-bandwidth-policer" configuration statement is used to enable configuration of interface-specific policers applied on an aggregated Ethernet bundle to match the effective bandwidth and burst-size to user-configured values. But this feature is broken from Junos release 14.1R1 when "enhanced-ip" is configured on an MX Series platform with pure trio-based line cards. The bandwidth/burst-size of policers attached to aggregated Ethernet interfaces is not dynamically updated upon member link flaps. PR1098486
  • Starting in Junos OS Release 14.1 and later, IPv6 mobility packets with the Heartbeat option such that the length of the mobility header (including the Ethernet encapsulation and main IPv6 header) extends beyond 128 bytes will be discarded as bad IPv6 option packets due to a logic error in packet handling. PR1100442
  • When large-scale inline BFD sessions (in this case, 6000 inline BFD sessions) are loaded with the minimum-interval value of 50ms, some BFD sessions might flap if the FPC restarts. PR1102116
  • When "shared-bandwidth-policer" is configured, the aggregated Ethernet (AE) has more than one member link on the same Packet Forwarding Engine, and the policer is configured with the "physical-interface-policer" configuration statement, if reconfiguration occurs (for example, adding/deleting new logical units, logical interface flap...), the Packet Forwarding Engine may program the wrong policer during this reconfiguration process, which could ultimately lead to unexpected packet drop/loss within the referenced wrong shared policer. PR1106654
  • When a filter with a policer is referenced by multiple IFLs of the same interface (A), with traffic coming into that interface A and going out from another interface B, whenever the policer is updated (for example, deactivating and activating interface A. Or adding/deleting AE legs when A is an AE interface and shared-bandwidth-policer is configured), it might be seen that there is counter statistics for the counter which is placed in the ingress direction of interface C, even though interface C is an unrelated interface which is not in the traffic path. Also FPC core dump and FPC going offline might be seen. PR1106887

Routing Policy and Firewall Filters

  • In Class-of-Service (CoS) environments, there is a possibility (it has happened twice so far and is not reproducible in the lab) that the routing protocol process (rpd) may crash because the CoS memory is incorrectly freed and then allocated again. PR1062616

Routing Protocols

  • On M and MX Series platforms with dual RE environment, when nonstop active routing (NSR) and graceful-switchover (GRES) are enabled, during internal pressure test with GRES operations, in very rare condition, the Routing protocol daemon (rpd) might crash and a core-dump would be generated. PR1019052
  • Deletion of a routing-instance may lead to a routing daemon crash. This may happen if the routing-instance's Routing Information Base (RIB) is referenced in an active policy-option configuration. As a workaround, when deactivating the routing-instance, all associated configurations using the route-table names in the routing-instance should also be deactivated. PR1057431
  • In Protocol Independent Multicast (PIM) sparse mode environments, in the situation where the router is being used as the rendezvous point (RP) and also the last-hop router, when the (*,G) entry is present on the RP and a discard multicast route (for example, due to receiving multicast traffic from non-RPF interface) already exists, if the (S,G) entry is learned after receiving source-active (SA) of the Multicast Source Discovery Protocol (MSDP), the SPT cutover may fail to be triggered. There is no traffic impact as receivers still can get the traffic due to the (*,G) route. PR1073773
  • In multi-topologies IS-IS scenarios, there is a huge difference between estimated free bytes and actual free bytes when generating LSP with IPv6 prefix. It might cause LSP fragment exhaustion. PR1074891
  • Receipt of a crafted IGMPv3 protocol message can create a denial of service to a portion of a multicast network. This issue only affects IGMPv3. IGMPv2 is unaffected by this vulnerability. See https://kb.juniper.net/JSA10714 PR1079503
  • In an MPLS L3VPN core network with the BGP Prefix-Independent Convergence (PIC) Edge feature enabled on a PE router, if the same VPN route is received with different multiple exit discriminators (MEDs) via two route reflectors (RRs), then when BGP PIC evaluates those two routes, it disregards the one with the higher MED, and hence fails to build a multipath protection/backup path entry. PR1079949
  • When removing scaling BGP configuration, if the BGP sessions are holding stale routes for the benefit of a restarting peer, the routing protocol process (rpd) may crash. As a workaround, the administrator may use the CLI command "show route receive-protocol bgp <peer address> extensive | match STALE" to find the existing stale routes. If no STALE route is found, then removing the BGP configuration is safe. PR1081460
  • If a policy statement referred to a routing-table, but the corresponding routing instance is not fully configured (i.e., no instance-type), committing such configuration might cause the rpd process to crash. PR1083257
  • With Multicast Source Discovery Protocol (MSDP) and nonstop active routing (NSR) configured on the Protocol Independent Multicast (PIM) sparse-mode rendezvous point (RP), the rpd process might permanently get stuck when multicast traffic is received shortly after Routing Engine (RE) switchover. PR1083385
  • The rpd process might crash on both master and backup Routing Engines when a routing instance is deleted from the configuration, if the routing instance is cleaned up before the interface delete is received from the device control daemon (dcd). This is a rare timing issue. PR1083655
  • When there are a number of secondary BGP routes in inet.0, an SNMP walk of inet.0 by the bgp4 MIB can cause a core if the corresponding primary routes are being deleted. PR1083988
  • When a BGP route is leaked to a routing-instance and there is an import policy to overwrite the route preference, if damping is also configured in BGP, the BGP routes which were copied to a second table can't be deleted after routes were deleted in the master table. This is a day-1 issue. PR1090760
  • When removing BGP Prefix-Independent Convergence (PIC) from the configuration, the expected behavior is that any protected path would become unprotected. But in this case, the multipath entry that contains the protection path (which is supposed to be removed) remains active, until the BGP session flaps or the route itself flaps. As a workaround, we can use the "commit full" command to correct or to commit. PR1092049
  • In Junos OS Release 9.1 and later, RFC 4893 introduces two new optional transitive BGP attributes: AS4_PATH and AS4_AGGREGATOR. These new attributes are used to propagate 4-byte AS path information across BGP speakers that do not support 4-byte AS numbers. In this case, when AS4_AGGREGATOR attribute (18) is received from a 2-byte AS peer (note that AS4_AGGREGATOR attribute is only received when the aggregator has 4-byte AS, but this peer only supports 2-byte AS), NSR synchronization with the standby RE would fail, causing the session to be constantly bouncing on the standby RE (hogging CPU). PR1093615
  • The rpd process might crash when resolve-vpn and rib inet.3 are configured under separate levels (BGP global, group, and peer). The fix is if anybody configures a family at a lower level, reset the state created by either of the configuration statements from higher levels. This behavior conforms with our current behavior of family configuration, which is that any configuration at a lower level is honored and the higher level configuration is reset. PR1094499
  • The OpenSSL project has published a set of security advisories for vulnerabilities resolved in the OpenSSL library in June and July 2015. Junos OS is affected by one or more of these vulnerabilities. Refer to JSA10694 (http://kb.juniper.net/JSA10694) for more information. PR1095598
  • When BGP routes have multiple protocol next hops, including discard/reject and other IGP next hops, the discard/reject next hop will be selected as BGP next hop, which will cause traffic loss. PR1096363
  • When route convergence occurs, the new gateway address is not updated correctly in the inline-jflow route-record table (the route-record table is used by sampling). The sampling traffic forwarding might be affected, but normal routing would not be affected. PR1097408

Services Applications

  • In IPsec environments, after performing the RE switchover (for example, performing graceful Routing Engine switchover) or chassis reboot (that is, the whole device is powered down and powered up again), because the key management daemon (kmd) may be launched before the RE mastership is finalized, it may stop running on the new master RE. PR863413
  • The session-limit-per-prefix feature for the MX Series DS-Lite server does not take Softwire flow into account when calculating the flow limit. PR1023439
  • On M/MX/T Series routers with Multiservices 100, Multiservices 400, or Multiservices 500 PICs with "dump-on-flow-control" configured, if prolonged flow control failure occurs, the coredump file might generate failure. PR1039340
  • On MX Series routers which are acting as LNS to provide tunnel endpoints, it is observed that the service interfaces are not usable if an MIC corresponding to them is not physically installed on the FPC. If only those service interfaces that belong to the removed PIC are added to service-device-pool, this results in no LNS subscribers being able to log in. Please note that once the MIC is inserted into the FPC, the features could be used. PR1063024
  • Service PIC daemon (spd) might crash with core-dumps due to CGNAT pool's snmp-trap-thresholds configuration. PR1070370
  • Previously, the output from "show service l2tp tunnel" did not display tunnels with no sessions. This behavior has been changed; empty tunnels are now also displayed by this command. PR1071923
  • In CG-NAT or stateful firewall environments, due to a null pointer check bug, the MS-DPC might crash every few hours. Note that this is a regression issue. PR1079981
  • When using a Multiservices DPC (MS-DPC) for Carrier-Grade Network Address Translation (CGNAT), in rare conditions an IPv4 flow within an HTTP flow is treated as an IPv6 flow. Because IPv6 flow objects are treated differently in the Junos code, the MS-DPC might crash due to memory allocation failure. There is no workaround, but the chance of hitting this issue is very low. PR1080749
  • On Layer 2 Tunnel Protocol (L2TP) network server (LNS), during L2TP session establishment, when receiving Incoming-Call-Connected (ICCN) messages with Last Sent LCP CONFREQ Attribute Value Pair (AVP) but without Initial Received LCP CONFREQ and Last Received LCP CONFREQ AVPs, the jl2tpd process might crash. PR1082673
  • In an L2TP tunnel-switching scenario, if a tunnel-switched tunnel is cleared with "clear services l2tp tunnel peer-gateway" AND an incoming ICRQ is received simultaneously from the LAC side destined for this tunnel-switched tunnel, this leads to jl2tpd crash. This defect has now been rectified. PR1088355
  • On a Trivial File Transfer Protocol (TFTP) Application Layer Gateway (ALG) with NAT translation type "dynamic-nat44" configured, MS-DPC/MS-MPC/MS-MIC might crash when processing the TFTP packets. PR1091179
  • On M Series platforms, in a Layer 2 Tunneling Protocol (L2TP) network server (LNS) environment, not all attributes within the Accounting-Request packet are sent to the RADIUS server (the NAS-Identifier, NAS-Port-Type, Service-Type, and Framed-Protocol attributes are missing). PR1095315
  • If MS-DPC is used in a CG-NAT environment, in a very rare condition, when the MS-DPC tries to delete a NAT mapping entry (e.g., entry timeout), an error might occur and the MS-DPC might get rebooted and then dump a core file. PR1095396
  • Some values of the MIB object jnxSrcNatStatsEntry might be doubled when AMS (or rsp) interface and NAT are configured together. PR1095713

User Interface and Configuration

VPNs

  • For VPLS over VPLS topology, when the VPLS payload has two labels (Customer-VPLS-label and Customer-MPLS-label), the frame might be dropped by the core-facing interface hosted on the IQ2 PIC with "L2 mismatch timeout" error. This particular scenario is fixed. However, due to the system architecture limitation, some other, worse scenarios might hit this issue again; these are not fixed and need to be avoided:
      * Addition of VLAN tags on service provider's or CE's VPLS payload, e.g., configuring QinQ.
      * Addition of MPLS tags on service provider or CE's VPLS payload.
      * Enabling VPLS payload load balancing on service provider's PE router.
    PR1038103
  • With NSR, RPD on backup Routing Engine may crash and generate a memory dump when attempting to allocate an MPLS label for L2circuit. This can happen, for example, after configuring new l2circuit on a busy system. PR1068399
  • On a dual Routing Engine, if the MVPN protocol itself is not configured, and nonstop routing is enabled, the show command "show task replication" on the master Routing Engine will list the MVPN protocol even though it is not configured. Other than the misleading show output which may be slightly confusing to the user/customer, there is no functional impact due to this issue. There is no workaround available. PR1078305

Resolved Issues: 14.2R3

Class of Service (CoS)

  • For an ATM interface configured with hierarchical scheduling, when a traffic-control-profile is attached at the ifd (physical interface) level and another output traffic-control-profile is attached at the ifl (logical interface) level, flapping the interface might crash the FPC. PR1000952
  • This error message "only per-unit and 2-level hierarchical scheduler are supported on this interface" is a cosmetic regression issue without any functional impact. PR1050512
  • Forwarding class accounting stops working after a Routing Engine switchover. This behavior has been corrected in 13.3X2, 13.3R7, 14.1R5, 14.2R3, 13.3R6, and 15.1. The issue occurs when an MPC reboots for any reason with forwarding-class-accounting configured on an AE/AS interface. In the forwarding-class-accounting feature, counters are allocated based on the number of forwarding classes configured in the MPC. In the error case, on MPC reboot the AE interface is created before the message that configures the number of forwarding classes in the MPC arrives. As a result, when forwarding-class-accounting is enabled on the AE interface, the number of forwarding classes in the MPC is 0 and the counters are not allocated. Cause: A race condition in which, on MPC reboot, the AE interface is created before the number of forwarding classes is configured. Fix: When the number of forwarding classes is set after MPC reboot, check for any AE interface with forwarding-class-accounting configured and reprogram it. PR1060637
  • This issue occurs when the following two conditions are met: 1. "hierarchical-scheduler" is configured at the IFD level. 2. Under the class-of-service hierarchy, "output traffic control profile" is configured at the "interface-set" level as well as the IFD level, for the same IFD/IFL. With these two conditions met, when a Junos upgrade is performed on a dual RE system, the configuration validation check fails on the RE that is upgraded later with the following error message:
      "cannot configure a traffic control profile for this ifl when a parent has a traffic control profile that references a scheduler map: ifl xe-11/0/0.5000 refers to traffic-control-profile TCP_PE-CE_30M. It is also a member of interface set xe-11/0/0_OTag=80 which has traffic-control-profile TCP_PE-CE_80M which references scheduler-map SM_PE-CE"
    Condition-1:
      lab-re1> show configuration interfaces
      xe-11/0/0 {
          hierarchical-scheduler; <<<
    Condition-2:
      lab-re1> show configuration interfaces
      interface-set xe-11/0/0_OTag=80 {
          interface xe-11/0/0 {
              <...>;
          }
      }
      lab-re1> show configuration class-of-service interfaces
      interface-set xe-11/0/0_OTag=80 {
          output-traffic-control-profile TCP_PE-CE_80M; <<<
      }
      <..>
      xe-11/0/0 {
          output-traffic-control-profile TCP_Maxbuff;
          unit 5000 {
              output-traffic-control-profile TCP_PE-CE_30M <<<
          }
      }
    PR1069477

Forwarding and Sampling

  • When a firewall filter, which is used to de-encapsulate the IPv4 packets encapsulated in IPv6 GRE header, is attached to an interface hosted on MX Series MPC/MIC, the IPv6 GRE header is de-encapsulated but the inner IPv4 packet ends up getting dropped and not forwarded. This issue affects only packets with IPv4 over IPv6 GRE header; packets with IPv6 over IPv6 GRE header are not affected. PR1054039: This issue has been resolved.
  • If the template of the policer is changed (for example, change the bandwidth-limit value of policer), shared-bandwidth-policer configuration statement may not function properly anymore. PR1056098: This issue has been resolved.

General Routing

  • On MX Series platforms with Enhanced DPCs equipped, after the router is rebooted, the IRB broadcast channel is not enabled, and all the broadcast packets that are received on the IRB interface are dropped. Also, when a ping is issued, the following L2 channel error counter increases as ping packets are sent:
      user@router> show interfaces ge-*/*/* extensive | match channel
      L3 incompletes: 0, L2 channel errors: 10, L2 mismatch timeouts: 0
    PR876456: This issue has been resolved.
  • The configuration statement “gratuitous-arp-on-ifup” should send a gratuitous ARP on each unit of a physical interface, but in 12.3 and later versions, only the first unit is seeing the configured behavior. PR986262: This issue has been resolved.
  • In the dual Routing Engines scenario, in rare conditions, while executing GRES and deleting interfaces at the same time, it is possible that a next hop delete message is not sent to the rpd process, causing rpd to keep a next hop index (NHID) that the kernel has already deleted. Later when the kernel allocates this NHID for next new next hop and sends it to the rpd process, the rpd process might crash due to a duplicate NHID. PR987102
  • In Ethernet VPN (EVPN) routing and bridging (IRB) deployment, when all the access interfaces go down under an EVPN bridge domain, the IRB interface in the bridge domain remains up, causing the issue of the remaining IRB subnet being advertised in L3 routing which in turn attracts all L3 VPN traffic for the subnet. PR994909: This issue has been resolved.
  • In the dual Routing Engines scenario with NSR configuration, the backup peer proxy thread is hogging CPU for more than 1 second if there are multiple updates (>5000) going from master Routing Engine to backup Routing Engine. This leads to FPC socket disconnections. The traffic forwarding might be affected. PR996720
  • On MX Series Virtual Chassis with the no-split-detection configured, in some rare circumstances, the transit traffic might get dropped if all of the virtual chassis ports (VCP) go down and come up quickly (within a few seconds). PR1008508: This issue has been resolved.
  • If some groups have not been applied on a router, in some corner cases, the "load override" configuration action might cause the routing process (rpd) to crash. PR1037527: This issue has been resolved.
  • On MX Series platforms with nonstop active routing (NSR) enabled, if the switchover-on-routing-crash configuration statement is configured, issuing the CLI command "request system core-dump routing fatal" might not trigger an RE switchover and might cause rpd on the master RE to be stuck in the inactive state. PR1000220: This issue has been resolved.
  • The chassis daemon (chassisd) log file is filled by the following unimportant messages. These messages are repeated and fill up the chassisd log file. They are harmless and are generated as part of the fabric health check.
      fm_hsl2_is_pb_adpc: jam_fabric: Not present in DB, key: fabric.lc.0x997.enable_grant_bypass
      fm_hsl2_get_combination_blackhole_pbs: jam_fabric: Not present in DB, key: fabric.lc.0x997.fabric_conct.supports_off_loading_xf
    PR1014594: This issue has been resolved.
  • This issue occurs when destinations are pointing to protocol next-hops of unilist type or IP forwarding next-hops of unilist type, as in scenarios where Loop-Free Alternate Routes for OSPF (LFA-OSPF) with link protection or MPLS FRR is enabled. If the active interface flaps very fast, especially if the interface comes back up before the kernel gets a chance to delete all the unilist next-hops, those unilist next-hops which have not been deleted yet are reused. As a result, the corresponding destinations point to discard next-hop(s) or replaced next-hop(s) in the Packet Forwarding Engine Jtree. The "discard" next-hop(s) cause a traffic blackhole, while the "replaced" next-hop(s) divert traffic to other active next-hop(s) in the unilist. Those unilist next-hops which have already been deleted are safe and get updated accordingly. This is a day-one timing issue. PR1016649: This issue has been resolved.
  • During ISSU on MX-VC platforms, there is a chance that the management process (mgd) on both VC-M and VC-B considers itself as protocol backup, resulting in a reboot of the entire VC. PR1020606: This issue has been resolved.
  • On MPC5E line cards, if a firewall filter with large-scale terms (more than 1300 etc.) is attached to an interface, traffic drop might be seen. PR1027516: This issue has been resolved.
  • Using jnxoptIfOTNPMFECIntervalTable and jnxOpticsPMIntervalTable, it was not possible to walk these tables from the middle before this fix. PR1039030: This issue has been resolved.
  • Incorrect SNMP interface index (index 0) is given to the VCP interface. Due to the wrong index value, the VCP interface description does not appear in SNMP interface table. PR1044331: This issue has been resolved.
  • On MX Series routers with one of the following protocols configured, flapping the protocol triggers the composite next-hop change operation. In rare conditions, because the next hop is not properly programmed, the FPC might crash. This is a day-1 issue.
      - LDP
      - MPLS
      - Point-to-multipoint LSP
      - RSVP
      - Static LSPs
    PR1045794: This issue has been resolved.
  • Once default route 0.0.0.0/0 is added, deleted, or changed, the PFEMAN thread running on the MPC/FPC5 needs more than 600 msec to program such changes. This is long enough to trigger LFM or BFD flap. Junos OS Release 13.3R2 or later is exposed to this symptom. PR1045828: This issue has been resolved.
  • For PTX router, the unilist next-hop member will have a 'replaced' status on Packet Forwarding Engine (PFE) after interface flapping with ARP timeout. While the problem is happening, routing-table will display correct next-hop status but cannot forward traffic since the forwarding next-hop in the Packet Forwarding Engine is in 'replaced' status and no longer active. PR1046778: This issue has been resolved.
  • This problem is caused by a race condition in which other FPCs are not able to drain (which is 1 second) the fabric streams connecting to the FPC that is going offline. In this situation, even when the FPC comes back online, other FPCs that have logged the message "xmchip_dstat_stream_wait_to_drain" are not able to send traffic to that particular FPC over the fabric. There is no workaround. To recover, reboot the FPCs that logged the error message "xmchip_dstat_stream_wait_to_drain". PR1052472: This issue has been resolved.
  • VCP links do not stay up during the unified ISSU. This causes traffic loss and control plane packet loss, which can lead to control protocol flaps. PR1054344: This issue has been resolved.
  • OpenSSL project has published a security advisory for vulnerabilities resolved in the OpenSSL library on January 8th 2015: CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205. Refer to JSA10679 for more information. PR1055295: This issue has been resolved.
  • IFCM error messages may occur in logs when it is not used. We lowered the severity of the message to avoid confusion. PR1057712: This issue has been resolved.
  • When enabling pseudowire subscribers, the "show subscribers extensive" command does not display CoS policies applied to the subscriber interface. This issue was fixed in 13.3R6, 14.1R5 and 14.2R3. PR1060036: This issue has been resolved.
  • Due to an incomplete fix, in releases containing the PR869773 fix, rate limit drops are seen for ingress queuing even though rate-limit is not configured or supported for ingress. PR1061256: This issue has been resolved.
  • On MX Series platforms, after performing unified in-service software upgrade (ISSU) to 14.2R1/14.1X50-D40 and later releases, the clock synchronization might be stuck in "freerun" and the Enhanced SCB (SCBE) clocking interface might appear as down. PR1065308: This issue has been resolved.
  • On PTX series routers, interrupt-driven link down detection (an interrupt-driven link-down notification is generated to trigger locally attached systems to declare the interface down within a few milliseconds of failure) may fail after performing unified In-Service Software Upgrade (ISSU). The interrupt might be prevented after a unified ISSU because the interrupt registers are disabled before the ISSU but never restored afterward. PR1059098: This issue has been resolved.
  • On T Series FPC 1-3 and M320 except E3-FPC with fib-local configuration, if there are multiple FIB local FPCs or the FIB local is a multiple PFE FPC, the TCP packets might be out of order, and packet re-ordering would occur. This reduces the application level throughput for any protocols running over TCP. PR1049613: This issue has been resolved.
  • Problem scenario: This issue is seen only with VMX, when the PPPoE session's keepalive timer expires. This might be due to non-graceful termination of the remote side or due to communication path failure with the remote end. Problem statement: When the PPPoE session keepalive timer expires, the local PPPoE session is NOT closed or logged out. PR1034520: This issue has been resolved.
  • In the scenario where a router acts as both egress LSP for core network and BRAS for subscribers, RSVP-TE sends PathErr to the ingress router due to matching to subscriber interfaces wrongly when checking the explicit route object (ERO), if subscribers are associated with same lo0 address as used by RSVP LSP egress address. PR1031513: This issue has been resolved.
  • In IPv6 environments, after enabling the feature "solicit-router-advertisement-unicast", the IPv6 router may fail to reply with the Router Advertisement (RA) to the IPv6 host as unicast only. To be exact, the IPv6 router may not only reply to the IPv6 host with an RA as unicast to its link-local address, but also send the RA as multicast to the all-nodes group (Multicast Address: ff02::1). The sample configuration could be as follows:
      user@router> show configuration protocols router-advertisement
      interface ge-1/0/3.400 {
          ...
          solicit-router-advertisement-unicast; <<<<< "solicit-router-advertisement-unicast" feature is enabled
          ...
      }
    PR1056599: This issue has been resolved.
  • In LDP tunneling over single-hop RSVP-based LSP environment, after enabling "chained-composite-next-hop", the router may fail to create the chained composite next hops if the label value of VPN is equal to the label value of LDP. PR1058146: This issue has been resolved.
  • With accounting/sampling enabled, an unnecessary update from the routing protocol process (rpd) to the route record database might be triggered by certain configuration changes. This process causes a jump in CPU utilization of all Packet Forwarding Engines. PR1002107: This issue has been resolved.
  • On PTX or T Series platform running Junos OS Release 12.1 or later, for interfaces connected via optical systems like DWDM, when the interface is admin disabled, there might be a delay (300-400 msec) for the system to detect the event during which time, traffic blackhole might be seen. Please note if you disable the interface by breaking the Rx or Tx link, the issue will not happen. PR1043762: This issue has been resolved.
  • On PTX series routers, the interrupt-driven link down detection may stop working. When the line card receives multiple back-to-back faults in a very short duration (whether remote or local), it may fail to detect all the received interrupts, and this failure may delay the link-down detection (for example, it may take the PTX ~300ms to bring the interface down). PR1060279: This issue has been resolved.
  • If Bidirectional Forwarding Detection (BFD) protocol is enabled via site-to-site IPsec tunnel, the BFD session may fail to come up. It is because, when the BFD protocol is trying to exchange the packet via IPsec tunnel, the value of the TTL in the inner IP header for packet may be decremented, hence the BFD packet gets dropped on the peer side and no BFD session would come up. PR1061342: This issue has been resolved.
  • On MX Series platforms with MS-MPC/MS-MIC, if the "dump-on-flow-control" configuration statement is configured, traffic loss and the mspmand process crash might be observed when the MS-PIC comes up with traffic. PR1037086: This issue has been resolved.
  • When the CPU usage is very high (e.g., 100%) on a Routing Engine, the MS-MIC might get stuck due to kernel deadlock, which triggers the card to crash and generate a core file. PR1038026: This issue has been resolved.
  • If you issue the "show services nat mappings details" command with a large number of service sets configured (such as 1000 service sets) and one or two NAT mappings specified, the command takes a certain amount of time to display the output. During this period, if you deactivate or activate the services, a multiservices PIC management daemon core file is generated. PR1019996: This issue has been resolved.
  • Incorrect flow count is reported in the field 'count' of the V9 header in all the packets sent to the collector. PR1050543: This issue has been resolved.
  • On MX104 routers with a SONET/SDH OC3/STM1 (Multi-Rate) MIC, in rare conditions, if the MIC is unplugged from the MX104, the Packet Forwarding Engine might crash, and the traffic forwarding will be affected. The following MICs belong to the SONET/SDH OC3/STM1 (Multi-Rate) MIC family:
      * MIC-3D-8OC3OC12-4OC48
      * MIC-3D-4OC3OC12-1OC48
      * MIC-3D-8CHOC3-4CHOC12
      * MIC-3D-4CHOC3-2CHOC12
      * MIC-3D-8DS3-E3
      * MIC-3D-8CHDS3-E3-B
      * MIC-3D-1OC192-XFP
    PR997821: This issue has been resolved.
  • For MLPPP interfaces on MX Series routers with MPCs/MICs, in some very rare conditions, the received fragmented packets might be dropped. PR1041412: This issue has been resolved.
  • In the PPP dual-stack subscribers environment, in rare conditions, if bringing up 1000 dual-stack subscribers quickly, the PPP negotiation might fail. When PPP retries negotiation, all subscribers fully establish. PR1050415: This issue has been resolved.
  • In subscriber management environments, the Berkeley Database (DB) may get into a deadlock state. It is brought on by multiple daemons attempting to simultaneously access or update the same subscriber or service record. In this case, due to the access to the database being blocked by the device control daemon (dcd), the subscriber management infrastructure daemon (smid) fails to recover the DB. Consequently, the router may stop responding to all the login/logout requests, as well as statistics activity. This timing related issue is most likely to occur during login or logout and when the system is busy. PR1054292: This issue has been resolved.
  • In subscriber management scenarios, when a dynamic VLAN (DVLAN) demux interface is configured on MX Series routers, the interface may get stuck. It could be observed that the statistics of demux0 may stop incrementing. This is because the Session Database (SDB) may incorrectly calculate the number of subscribers over DVLANs. When the issue occurs, for example, the router may not be able to process any PPPoE Active Discovery Initiation (PADI) packets, and may fail to establish the PPPoE session. PR1054914: This issue has been resolved.

Interfaces and Chassis

  • REG_ERR errors might be observed on MX Series routers with Enhanced SCBs and a mix of MPC and DPC cards. PR821742: This issue has been resolved.
  • The Ether OAM or DPC 10ge interface module changed the link-fault status from down to up after the link status was changed to down by "asynchronous-notification". PR973840: This issue has been resolved.
  • The fix is available in 14.1R4 and 14.2R2. The workaround must be applied before ISSU in 14.1 prior to R4 and in 14.2 prior to R2. PR997255: This issue has been resolved.
  • On MX Series routers, CFM sessions over AE interfaces, whose child links are on DPC FPC, can be scaled to a maximum of 300. PR1020222: This issue has been resolved.
  • If DPCE 20x 1GE + 2x 10GE X card is present in the chassis, BFD sessions over AE interfaces may not be distributed. PR1032604: This issue has been resolved.
  • Some duplicate entries are reported in jnx-chas-defines.mib. This patch removes the duplicate entries to fix the issue. PR1036026: This issue has been resolved.
  • Configuring ODU FRR under otn-options for the 2x100G DWDM PIC is not supported on PTX routers. Wrongly adding such a configuration could result in an FPC crash and restart. PR1038551: This issue has been resolved.
  • PTX with 2x100Gig PIC might return incorrect values for jnxOtnIntervalOtuFec15minCorrectedErrors and jnxOtnCurrentOtuFec15minCorrectedErrors. This happens because the 2x100Gig PIC does not support jnx-otn.mib. Instead, use jnx-ifotn.mib or jnx-bl.mib. With this fix, jnx-otn.mib should not return anything on the 2x100Gig PIC:
      $ snmpwalk -v 2c -Obs -c public [IP address] jnxOtnIntervalOtuFec15minCorrectedErrors
      jnxOtnIntervalOtuFec15minCorrectedErrors = No Such Instance currently exists at this OID
      $ snmpwalk -v 2c -Obs -c public [IP address] jnxOtnCurrentOtuFec15minCorrectedErrors
      jnxOtnCurrentOtuFec15minCorrectedErrors = No Such Instance currently exists at this OID
    On the 4x100Gig PIC using jnx-otn.mib for jnxOtnIntervalOtuFec15minCorrectedErrors and jnxOtnCurrentOtuFec15minCorrectedErrors, the correct values are reported if the error rate is below 900. Otherwise the CLI values will give us the right data. PR1038577: This issue has been resolved.
  • On Ethernet PICs with longer hold-down timer configured, a flapping interface within the hold time might cause traffic loss longer than the hold period. PR1040229: This issue has been resolved.
  • When the IQ2 or IQ2E PIC is working in tunnel-only mode, rebooting the tunnel PIC while traffic is passing through the tunnel might cause the tunnel PIC to stop transferring traffic. PR1041811: This issue has been resolved.
  • “clear interfaces interface-set statistics all” fails due to memory limitation. PR1045683: This issue has been resolved.
  • On MX Series routers (platforms) with Enhanced Switch Control Board (SCBE), when the fan tray is inserted or pulled out, the chassisd process might crash. PR1048021: This issue has been resolved.
  • When configuring the Virtual Router Redundancy Protocol (VRRP) on an interface which is included in a routing-instance via applying groups settings, if changes are made to the interface, the VRRP process (vrrpd) memory leak might be observed on the device. PR1049007: This issue has been resolved.
  • The dcd process generates a core file when the IPv6 address is configured on fxp0.0 with the master-only option under the interfaces configuration. PR1049450: This issue has been resolved.
  • When Inherit is part of a lower IFL Unit, VRRPD parses it before Active. In this case, VRRPD attaches a dummy Active to the Inherit, with the assumption that the Active will be available soon and then replication of information from Active to Inherit will take place. However, the replication of the priority was not done correctly, due to which the Inherit group was stuck with priority of 0. PR1051135: This issue has been resolved.
  • In a Virtual Router Redundancy Protocol (VRRP) environment, after restarting the FPC, due to the Router Advertisement (RA) deletion being incorrectly sent to routing protocol process (rpd) by the VRRP process, the ICMPv6 may not be activated on the corresponding interfaces on the router that is acting as the master. In this case, no RA message can be sent out. PR1051227: This issue has been resolved.
  • Two redundant logical tunnels (rlt) interfaces are configured with the configuration statement "per-unit-mac-disable" enabled. After configuring the second one, the first rlt interface goes down:
      rlt0 {
          logical-tunnel-options {
              per-unit-mac-disable; <<<<<<
          }
      }
    PR1055005: This issue has been resolved.
  • The CLI description of the new 100-Gigabit Metro DWDM OTN PIC (PTX-2-100G-WDM-M) is different from the existing 100-Gigabit DWDM OTN PIC (P1-PTX-2-100G-WDM). The 100-Gigabit Metro DWDM OTN PIC's transceiver is identified as OTN-100G-M in the output from the “show chassis hardware” CLI command, and the cable type is identified as 100G METRO in the output from the “show chassis pic” CLI command. PR1055325: This issue has been resolved.
  • After performing a unified in-service software upgrade (ISSU) on the MX Series Virtual Chassis (MX-VC) platform, all physical interfaces may go down. The interfaces remain down until a graceful Routing Engine switchover (GRES) is performed. PR1055327: This issue has been resolved.
  • When a dynamic PPPoE subscriber with targeted-distribution is configured on a dynamic VLAN demux interface over aggregated Ethernet, the device control daemon (dcd) process might crash during a commit if the VLAN demux has mistakenly been removed. End users cannot access the Internet after the crash. This is a rare issue and is not easy to reproduce. PR1056675: This issue has been resolved.
  • In subscriber management environment, PPP client process (jpppd) might crash as a result of a memory allocation problem. PR1056893: This issue has been resolved.
  • In multichassis link aggregation groups (MC-LAGs) environments, the MC-LAG peers have the MAC and port information and can forward the traffic appropriately. If a single VLAN is modified to a different VLAN, and then the administrator rolls back the VLAN configuration to the original one, the remote MAC might be stuck in the "Pending" state and not be installed in the bridge MAC-table, which causes traffic forwarding to be affected. PR1059453: This issue has been resolved.
  • For multichassis link aggregation groups (MC-LAGs) running in active-active mode with back-to-back square topology, when the Interchassis Control Protocol (ICCP) is broken between any MC-LAG devices, the non-preferred device reverts to its own local system ID. But its Link Aggregation Control Protocol (LACP) partner on the remote side does not remove the flap link from AE bundle and it remains UP. This might cause a network-wide loop, resulting in traffic outage until manual intervention. PR1061460: This issue has been resolved.
  • After a chassis restart or a non-graceful RE switchover, a few VRRP sessions may start sending VRRP packets while still in VRRP backup state. PR1062929: This issue has been resolved.
  • An error message is continuously logged every second after a particular copper-SFP [P/N:740-013111] is plugged into a disabled port on MIC:
      ***** error message ****
      mic_sfp_phy_program_phy: ge-*/*/* - Fail to init PHY link
      mic_periodic_raw: MIC(*/*) - Error in PHY periodic function
      PQ3_IIC(WR): no target ack on byte 0 (wait spins 2)
      PQ3_IIC(WR): I/O error (i2c_stat=0xa3, i2c_ctl[1]=0xb0, bus_addr=0x56)
      mic_i2c_reg_set - write fails with bus 86 reg 29
      mic_sfp_phy_write:MIC(*/*) - Failed to write SFP PHY link 0, loc 29
      mic_sfp_phy_mdio_sgmii_lnk_op: Failed to write: ifd = 140 ge-*/*/*, phy_addr: 0, phy_reg: 29
      ala88e1111_reg_write: Failed (20) to write register: phy_addr 0x0, reg 0x1d
      Fails in function ala88e1111_link_init.
    PR1066951: This issue has been resolved.

Layer 2 Features

  • LDP-VPLS with BGP autodiscovery stays down after a GRES event when NSR is enabled. PR1046887: This issue has been resolved.
  • On multiple Routing Engines systems with NSR enabled, if the FEC129 VPLS instance has "no-tunnel-service" configured, the VPLS might show status as "OL" (no outgoing label) after performing Routing Engine switchover. PR1050744: This issue has been resolved.
  • After the method of obtaining the VPLS site ID is changed from a fixed site-id to automatic-site-id on one site while other sites in the network are still using the fixed site-id, the rpd process might crash because the site ID obtained by "automatic-site-id" may conflict with the site ID that was configured as the fixed site ID on other sites. PR1054985: This issue has been resolved.

Layer 2 Ethernet Services

  • If a customer is using SNMP and performs an snmpwalk on the DHCP binding table, not all of the entries may be displayed. This fix resolves that issue so that bindings for all IP addresses are displayed. PR1033158: This issue has been resolved.
  • In DHCP dynamic subscriber management scenarios, when maintain DHCP subscribers during interface delete is configured, some interface indices might be reused by a new interface if system is under stress (such as high connection speed, many clients and individual log files configured to be larger than 100M). In this case, it might result in subscriber being associated with an interface that no longer exists. PR1044002: This issue has been resolved.
  • If the ppmd does not send replies to lacpd's periodic request to gather port statistics, the lacpd process may crash and restart due to the process memory consumption being slowly increased and finally reaching RLIMIT_DATA value, which is 128 MB. PR1045004: This issue has been resolved.
  • The Layer 2 Control Protocol process (l2cpd) leaks memory when interface config is applied to LLDP-enabled interfaces using 'apply-groups'. Size of the leak is ~700 bytes per commit. PR1052846: This issue has been resolved.
  • When the MX Series router acts as the Virtual Extensible Local Area Network (VXLAN) Layer 3 gateway, the integrated routing and bridging (IRB) interfaces are configured to connect the VXLANs. The VXLAN packets are dropped when the route to reach a remote virtual tunnel endpoint (VTEP) interface is over an IRB interface. PR1057005: This issue has been resolved.
  • After FPC is rebooted, the filter under the Packet Forwarding Engine of ERPS bridge domain might program the incorrect ifl index, which will cause the router to be unable to receive any ERPS packets. PR1070791: This issue has been resolved.

MPLS

  • Error "tag_icmp_route:failed to find a chain composite ahead of fwd nh" might be observed when doing traceroute. PR999034: This issue has been resolved.
  • On the P2MP LSP transit router with link protection enabled, if the LSP is the last subLSP, tearing the last subLSP (for example, a RESV tear message is received from downstream router) might crash the routing process (rpd). PR1036452: This issue has been resolved.
  • After upgrading Junos OS release to Junos OS release 13.2 or later from previous releases, logical-system cannot start and run. The rpd continuously crashes every time when trying to deactivate/activate the logical-system. PR1044781: This issue has been resolved.
  • When node-protection is enabled for a specified LSP and optimize-timer for a node-protecting bypass LSP is configured on router, the bypass route might get optimized in such a way that it traverses through the very node that the bypass is trying to protect during re-optimization. As a consequence, the node-protecting bypass LSP only provides link protection instead of node protection. PR1045055: This issue has been resolved.
  • In NG-MVPN extranet scenarios, if there is a mix of VT interfaces and LSI (vrf-table-label is used) interfaces on the NG-MVPN egress node, after changing some VRF policies, the routing daemon (rpd) might crash and reset. PR1045523: This issue has been resolved.
  • In a scenario where LDP link protection is provided by a dynamic RSVP LSP, when flapping the interface that has LDP link-protection enabled, the rpd process might crash on the backup RE as soon as the bypass LSP is established. PR1053426: This issue has been resolved.
  • On M/MX/T/PTX Series routers, dynamic-rsvp-lsp is configured under interface link-protection hierarchy level. After interface flap, the bypass LSP does not come up. PR1054155: This issue has been resolved.
  • Please see CVBC section PR1054491: This issue has been resolved.
  • With graceful-restart configured, an inter-domain point-to-multipoint (P2MP) label-switched path (LSP) with ERO defined and CSPF enabled might fail to come up after rpd process restart. PR1058271: This issue has been resolved.
  • This is a regression issue on all Junos related to a timing factor. When an LDP session flaps, over which entropy label TLV or any unknown TLV is received, the LDP speaker might not send label withdraw for some prefixes to some neighbors. As a result, these neighbors will still use stale labels for the affected prefixes. PR1062727: This issue has been resolved.
  • From Junos 13.2 onwards, the "load-balance-label-capability" configuration statement is introduced to enable the router to push and pop the load balancing label, and it causes LDP and RSVP to advertise the entropy label TLV to neighboring routers. MX, T4000, and PTX platforms have the capability, and this is reflected in their default forwarding-options configuration. A software defect was found in the way the Entropy Label Capability (ELC) TLV is encoded in the LDP label mapping message. It might cause the LDP session between routers to go down. PR1065338: This issue has been resolved.
  • Bypass enabled with optimize-timer will flap during every re-optimization event. PR1066794: This issue has been resolved.
  • When a primary LSP gets re-routed due to a better metric, link/node protection for this LSP is expected to come up within 7 seconds, provided the bypass-lsp protecting the next-hop link/node is already available. However, in some corner cases, the link/node protection for the re-routed primary LSP will not come up within 7 seconds even with bypass-lsp availability. The PR fixes this issue and reduces the delay of associating the bypass-lsp with the primary-lsp from 7 seconds to 2 seconds. PR1072781: This issue has been resolved.

Network Management and Monitoring

Platform and Infrastructure

  • With inline jflow enabled, if the low 12 bits of the packet counter are zero (0x000) while copying packets count from hash record into flow export packet, the packetDeltaCount counter might be incorrect in inline jflow records. There is no traffic impact but this may impact billing. PR886222: This issue has been resolved.
  • For inline BFD over an aggregated Ethernet (AE) interface whose member links are hosted on different FPCs, BFD packets coming in on the ingress line card are steered to the anchor Packet Forwarding Engine (PFE) through the fabric. If the FPC reconnects to the master RE (such as during an RE switchover operation), the inline BFD session punts the BFD packet to the host, and the BFD packet should go through the loopback interface filter of the VRF on which it is received. But in this case, the BFD packet might hit the wrong loopback interface filter from the wrong routing-instance because the VRF information is not carried across the fabric. PR993882: This issue has been resolved.
  • BFD sessions within the default routing-instance do not come up once an inline-services PIC is configured and a fixed class-of-service forwarding-class is assigned. BFD sessions operating in no-delegate-processing mode are not affected. PR999647: This issue has been resolved.
  • CPQ RLDRAM ECC single-bit and double-bit errors will generate a CM alarm. The "show chassis alarms" command can be used to view CM alarms. Details:
      1. A CPQ RLDRAM ECC single-bit error in the last 10 seconds will raise a minor CM alarm.
      2. No CPQ RLDRAM ECC single-bit error in the last 10 seconds will clear the minor CM alarm.
      3. A CPQ RLDRAM ECC double-bit error will raise a major CM alarm (this alarm will not be cleared until the FPC is restarted).
    PR1023146: This issue has been resolved.
  • On MX Series platforms with scaled setup, after deactivating/activating or renaming a bridge domain (BD) which has an IRB interface associated, the IGMP snooping configured under the BD might not work anymore. This happens only when the router is in "network-services enhanced-ip" mode. PR1024613: This issue has been resolved.
  • A Packet Forwarding Engine memory leak is seen when multicast receivers are connected in a bridge domain where IGMP snooping is enabled and IGMP messages exchanged between the multicast receivers and the Layer 3 IRB (Integrated Routing and Bridging) interface. PR1027473: This issue has been resolved.
  • Inline BFD sessions, through AE interface when only the member interface of the AE is hosted on the MX Series MPC4E line card, might flap continuously. PR1029341: This issue has been resolved.
  • On Trio 3D MPC, when there is a congested Packet Forwarding Engine destination, the non-congested Packet Forwarding Engine destinations might experience an unexpected packet drop. PR1033071: This issue has been resolved.
  • The micro BFD sessions won't come up if incoming untagged micro BFD packets contain a source MAC where the last 12 bits are zero. PR1035295: This issue has been resolved.
  • configuration.yang used POSIX regex patterns, whereas per the YANG RFC it should have used XML regex, which is why it had compilation issues. This is now fixed. PR1040151: This issue has been resolved.
  • When IRB interface is configured with VRRP in Layer 2 VPLS/bridge-domain, in corner cases IRB interface may not respond to ARP request targeting to IRB sub-interface IP address. PR1043571: This issue has been resolved.
  • In a scaled subscriber management environment, the output of the CLI command "show subscribers" and its sub-flavors might print more pages and has to be terminated by "Ctrl+c" or "q". But this was not closing the back-end Session Database (SDB) connection properly. Over a period of time, this caused inconsistency and the subscriber management infrastructure daemon (smid) failed to register and no new subscribers could connect. PR1045820: This issue has been resolved.
  • On T4000 and FPC Type 5-3D or TXP-3D platforms, BFD sessions operating in 100 msec intervals with default multiplier of 3 might randomly flap after the enhancements implemented via PR967013. BFD sessions with lower intervals of 100 msec or higher intervals are not exposed. The internal FPC thread, monitoring the High Speed Fabric links, had a run time of longer than 100 msec. PR1047229: This issue has been resolved.
  • On MX Series platforms with Extensible Subscriber Services Management (ESSM) subscribers configured using a Junos OS commit script, after performing a sequence of operations repeatedly with the same set of configurations (subscribers apply-macros'), like adding subscribers, then deleting same subscribers again, then adding, then deleting again and again, the memory would leak on mgd process. In a generic scenario where a script just commits transient change and then exits, the issue will not be experienced. PR1048770: This issue has been resolved.
  • By default, after 16x10GE MPCs come up, about 75% of queues were allocated to support rich queuing with the MQ chip. Such allocation causes the MQ driver software module to poll stats. Polling stats causes a rise in CPU usage. PR1048947: This issue has been resolved.
  • For a Routing Matrix, if different Routing Engine (RE) models are used on switch-card chassis (SCC)/switch-fabric chassis (SFC) and line-card chassis (LCC) (for example, RE-1600 on SCC/SFC and RE-DUO-C1800 on LCC), where the out-of-band (OoB) management interfaces are named differently (for example, fxp0 on SCC/SFC RE and em0 on LCC RE), then the OoB management interface configuration for LCC RE will not be propagated from SCC/SFC RE during commit. PR1050743: This issue has been resolved.
  • NTP.org has published a security advisory for multiple vulnerabilities resolved in ntpd (NTP daemon) that have been assigned four CVE IDs. Junos OS has been confirmed to be vulnerable to one of the buffer overflow vulnerabilities assigned CVE-2014-9295, which may allow remote unauthenticated attackers to execute code with the privileges of ntpd or cause a denial of service condition. Refer to JSA10663 for more information. PR1051815: This issue has been resolved.
  • After committing the Network Time Protocol (NTP) configuration, if the number of routing-instances per source-address exceeds 18, it may cause the NTP daemon (ntpd) to crash. In this scenario, the NTP feature may not be functional. For example, there are 19 routing-instance names per source address statement in the following sample configuration:
      ntp {
          server X.X.X.X;
          source-address X.X.X.X routing-instance [ X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 X11 X12 X13 X14 X15 X16 X17 X18 X19 ]; (19 routing-instance names)
      }
    PR1058614: This issue has been resolved.
  • On an MX Series router with MPCs/MICs with Junos 12.3R3 and later, the system does not push the configured Tag Protocol ID (TPID) value (for instance, 0x88a8) to the packets while sending out the packets; instead, it pushes the default TPID 0x8100. This might lead to traffic drop on the peer device if it is expecting a particular TPID (for instance, 0x88a8) but it receives a different one. PR1059225: This issue has been resolved.
  • Modifying the IEEE-802.1ad rewrite-rule on the fly might be unable to change IEEE-802.1p ToS values for the inner VLAN in QinQ. PR1062817: This issue has been resolved.
  • Observation domain ID in exported flow records is incorrect in 100G and 10G line cards and in 200G 40X10G MPCs and 200G 40X100G MPCs. PR1066319:
  • On MX Series routers with MPCs and T4000 routers with Type 5 FPCs, the feature "enhanced-hash-key" is configured to select data used in the hash key for enhanced IP forwarding engines. If "type-of-service" is configured at the [edit forwarding-options enhanced-hash-key family inet] hierarchy level, or "traffic-class" is configured at the [edit forwarding-options enhanced-hash-key family inet6] hierarchy level, the last significant two bits of the TOS/TC bytes under the IPv4/IPv6 header are extracted incorrectly as load-sharing input parameters, and this might cause unexpected load balancing results. PR1066751: This issue has been resolved.
  • Firewall filters that have a prefix-action can't be configured under [edit logical-system <name> firewall family inet] because the Packet Forwarding Engine won't be programmed for the filter. PR1067482: This issue has been resolved.
  • On MX Series routers, when using a Trio-based FPC with the inline sampling feature activated, memory partition error messages and a memory leak might be observed on the FPC. In some cases, this issue only affects sample route-records but not regular Packet Forwarding Engine routes or next-hops; however, in the extreme case, it is also possible for the Packet Forwarding Engine to fail to install routes into forwarding next-hops, causing traffic drop. On MX Series routers, when using Trio-based FPCs, Junos 13.3R5, 14.1R4, 14.2R1, or higher is exposed. On T4k or TXP-3D routers, when using FPC-3D FPCs, Junos 14.2R1 or higher is exposed. PR1071289: This issue has been resolved.
  • VPLS filter applied under forwarding-options might drop a VPLS frame unexpectedly when it is coming from an lt- interface. There is no workaround. PR1071340: This issue has been resolved.
  • When inline-sampling is enabled, in race conditions, if a packet gets corrupted and the corrupted packet length shows 0, this may cause "PPE_x Errors thread timeout error" and eventually cause the MPC card to crash. PR1072136: This issue has been resolved.
  • After IPv6 RPM (real-time performance monitor) support, the SNMP server cannot receive some of the IPv6 PING-MIB info. For example, the SNMP server receives "pingCtlRowStatus(23)" and "pingCtlAdminStatus(8)" errors and cannot get "pingResultsTable" and "pingProbeHistoryTable" info.
    Example: the following logs are SNMP server logs. "snmpset -v 2c -c xxxxxx" commands are used.
      pingCtlRowStatus(23) error info:
        Error in packet.
        Reason: inconsistentValue (The set value is illegal or unsupported in some way)
        Failed object: SNMPv2-SMI::mib-2.80.1.2.1.23.7.79.87.78.69.82.95.65.6.84.69.83.84.95.65
      pingCtlAdminStatus(8) error info:
        Error in packet.
        Reason: inconsistentValue (The set value is illegal or unsupported in some way)
        Failed object: SNMPv2-SMI::mib-2.80.1.2.1.8.7.79.87.78.69.82.95.65.6.84.69.83.84.95.65
    The following logs are SNMP server logs. "snmpwalk -v 2c -c xxxxxx" commands are used.
      pingResultsTable(3)
        SNMPv2-SMI::mib-2.80.1.3 = No Such Object available on this agent at this OID
      pingProbeHistoryTable(4)
        SNMPv2-SMI::mib-2.80.1.4 = No Such Object available on this agent at this OID.
    PR1072320: This issue has been resolved.

Routing Protocols

  • With the BGP PIC edge feature enabled and OSPF as the IGP, when the primary route is changed, there is a chance that the Packet Forwarding Engine forwarding entry will stay in reroute state, which causes the session to go down. PR1015598: This issue has been resolved.
  • When BGP add-path feature is enabled on the BGP route-reflector (RR) router, and if the RR router has mix of add-path receive-enabled clients and add-path receive-disabled (which is default) clients, due to a timing issue, the rpd process on RR might crash when routes update/withdraw. PR1024813: This issue has been resolved.
  • When a BGP peer goes down, the route for this peer should be withdrawn. If an enqueued BGP route update for this peer has not been sent out, issuing the CLI command "show route advertising-protocol bgp <peer-addr>" might crash the routing protocol process (rpd). This is a corner case and is rarely experienced. PR1028390: This issue has been resolved.
  • If labeled BGP routes are leaked from inet.3 table to inet.0, then activation of the BGP "add-path" feature might crash the routing process (rpd). PR1044221: This issue has been resolved.
  • A BFD session might reset on commit if version is configured. The adaptive RX interval gets set to 0, which results in the reset. A sample configuration of BFD version is as follows:
      protocols {
          bgp {
              bfd-liveness-detection {
                  version 1;
                  minimum-interval 1000;
                  transmit-interval {
                      minimum-interval 1000;
                  }
              }
          }
      }
    PR1045037: This issue has been resolved.
  • When BGP and ICCP are the client of the same multi-hop BFD session, BFD runs in centralized (non-distributed) mode. But if nonstop-routing configuration is added and enabled, the running mode of BFD is changed to distributed mode. This behavior is incorrect but it would not affect protocols that are clients of the BFD session. However, if Routing Engine switchover is performed after enabling NSR, the BFD session will become unstable and all the client protocols also become unstable. PR1046755: This issue has been resolved.
  • On MX Series routers with multiple Routing Engines, if an aggregate Ethernet (AE) interface spreads over multiple FPCs, the inline BFD session over the interface might flap during GRES. PR1048940: This issue has been resolved.
  • Junos Multicast Source Discovery Protocol (MSDP) implementation is closing an established MSDP session and underlying TCP session on reception of source-active TLV from the peer when this source-active TLV has an "Entry Count" field of zero. "Entry Count" is a field within the SA message which defines how many source/group tuples are present within the SA message. PR1052381: This issue has been resolved.
  • Either the "rib inet.3" or the "resolve-vpn" feature can be configured in the lower hierarchy for BGP labeled-unicast family routes. These two features are mutually exclusive and only one of them can be used in a single BGP group. If the administrator swaps the two features (for example, using "resolve-vpn" first, then deactivating it and using "rib inet.3" instead, then using "resolve-vpn" again), the secondary routes (routes in inet.3, including the ones from this BGP group and from other BGP groups) may be accidentally removed every time a "commit" operation takes place. PR1052884: This issue has been resolved.
  • After deactivating/deleting a BFD configuration, the Packet Forwarding Engine receives a BFD session down event and it marks corresponding next hops as down and traffic drops consequently. PR1053016: This issue has been resolved.
  • The BGP session sending add-path prefixes can cause an rpd crash when the add-path IDs that it allocates roll over from 65535 to 0. If the routes contributing add-path prefixes are changing, the allocated path-id can eventually reach this value. This fix changes the allocation scheme to always use the lowest available free path-id, so a rollover will never occur. PR1053339: This issue has been resolved.
  • After multicast traffic source incoming interface and source IP RPF (reverse path forwarding) route switching to a different interface, the multicast route cache upstream interface might not be refreshed to be in sync with the PIM join upstream interface. This is incorrect and will cause packet blackhole for the affected multicast stream. PR1057023: This issue has been resolved.
  • BGP LINK STATE (BGP-LS) was using unofficial code point of '99' for the LINK-STATE path attribute. Starting with Junos OS Release 14.2R3, BGP-LS uses the IANA-assigned value of '29'. Therefore, previous versions of BGP-LS are not compatible with the code point change. Also, if the user was already running BGP-LS, they cannot do unified ISSU to this version of the code. PR1060162: This issue has been resolved.
  • Running Simple Network Management Protocol (SNMP) polling against a specific IS-IS Management Information Base (MIB) with an invalid variable causes the routing protocol process (rpd) to crash. PR1060485: This issue has been resolved.
  • In PIM environments, Bootstrap Router (BSR) can be used only between PIMv2 enabled devices. When deactivating all the interfaces that are running PIM bootstrap, the system changes to operate in PIMv1. At this time, all the information learned about/from the current BSR should be cleaned, but actually, the BSR state is not cleaned. If the interface which was the previous “elected BSR” is activated, BSR state is PIM_BSR_ELECTED (should be cleaned previously) and the system assumes the BSR timer is still there. When the system tries to access the null BSR timer, the rpd process might crash. PR1062133: This issue has been resolved.
  • Allow the last 2-byte AS, 65535, to be used as local-as and peer-as, but it will be considered private in all other regards. PR1069307: This issue has been resolved.

Routing Policy and Firewall Filters

  • A RIP route in a VRF is removed once rib-groups are applied with an import policy. PR1024946: This issue has been resolved.
  • In the BGP environment, if operator "!" exists in the regex for as-path, the commit operation fails. PR1040719: This issue has been resolved.
  • When configuring the unsupported IPv6 flow specification feature, that is, when configuring an inet6 address as the source/destination of the inet-flow route, the configuration can pass the commit check and be committed. But it can cause the rpd process to crash eventually when trying to program this route to the firewall process (dfwd, which manages compilation and downloading of Junos OS firewall filters). If a flow route is received from a BGP neighbor and the prefix-length for source/destination is greater than 32, it can lead to an rpd process crash too. PR1059542: This issue has been resolved.
  • Policy display is changed and the bug is fixed. PR1060417: This issue has been resolved.

Services Applications

  • The show cli command "service nat pool detail" always displays the Port range starting from 1024, even when privileged ports are used. PR1019783: This issue has been resolved.
  • Added support to bring up tunnel-switched sessions when tunnel-group is not configured at LTS and tunnel attributes are returned from RADIUS. PR1030799: This issue has been resolved.
  • When NAT has multiple terms that refer to the same NAT pool, the command “show snmp mib walk jnxSvcsMibRoot ascii” always prints out jnxNatPoolTransHits for the count of jnxNatRuleTransHits in the first term. PR1035635: This issue has been resolved.
  • When using both Port Control Protocol (PCP) and traditional NAT (for example, DS-Lite), if you try to set up two pools with overlapping address ranges, this can cause the MS-DPC to crash and generate a core file. PR1036459: This issue has been resolved.
  • In the context of DS-Lite softwire scenario, the MS-PIC/MS-DPC might crash in rare occasions when the DS Lite softwire concentrator is receiving a high volume of outer IPv6 fragmented packets. PR1044143: This issue has been resolved.
  • Inline IPv6 L2TP on MPC subscriber terminated at an LNS breaks adaptive services SP unicast next hops on the MS-DPC. Even one subscriber causes the issue. PR1054589: This issue has been resolved.
  • When the tunnel between the L2TP access concentrator (LAC) and L2TP network server (LNS) is destroyed, the tunnel information will be maintained until destruct-timeout expires (if the destruct-timeout is not configured, the default value is 300 seconds). If the same tunnel is restarted within the destruct-timeout expiry, the LNS will use the previously negotiated non-default UDP port, which might lead to the tunnel negotiation failure. PR1060310: This issue has been resolved.
  • A Layer 2 Tunneling Protocol daemon (l2tpd) crash is seen sometimes when the L2TP service interface unit number is configured higher than 8192. A restriction has been added to force unit numbers below 8192. PR1062947: This issue has been resolved.
  • When configuring Remote Authentication Dial In User Service (RADIUS) authentication for Layer 2 Tunneling Protocol (L2TP), the RADIUS server cannot be recognized because the source address is not being read correctly. As a result, the L2TP session cannot be established. PR1064817: This issue has been resolved.
  • L2TP daemon will core in an LTS scenario while the subscriber logs out. This happens when the subscriber has the "Called Number AVP" attribute. The "Called Number AVP" was not getting relayed correctly across the LTS boundary, hence the daemon cores. PR1065002: This issue has been resolved.

Subscriber Access Management

User Interface and Configuration

VPNs

  • On MX-VC platforms with a scaled number of MVPN routes, after adding a new interface in the MVPN instance or changing the traceoptions with related configuration, the CPU on the Routing Engine might experience a high utilization for about 10 minutes. PR1027596: This issue has been resolved.
  • In NG-MVPN, after the route to C-RP flaps, traffic loss might be seen for a short period of time. PR1049294: This issue has been resolved.
  • In NG-MVPN scenarios with the non-zero selective provider tunnel threshold-rate configured and NSR enabled, the selective provider tunnel might flap a few seconds after Routing Engine switchover. The related Type 3 S-PMSI AD route and Type 4 leaf AD route also refreshed. The data traffic might fall to inclusive provider tunnel in a short time, depending on the configuration. This transition will cause packet loss due to unbinding from one tunnel to the other and back. PR1049352: This issue has been resolved.
  • In the VPLS environment with a multichassis link aggregation groups (MC-LAGs) configuration, the standby neighbor is configured with hot-standby mode. If the active link on MC-LAG members facing towards the CE is changed continually (that is, active to standby and standby to active), in rare conditions, the traffic might not shift correctly, and the rpd process might crash. PR1050737
  • In NG-MVPN scenarios, when a source that is directly connected to a PE router acting as an RP stops sending traffic, the PE router never withdraws the Type 5 route. This causes the Type 7 routes and forwarding routes to remain on the egress and ingress PEs. PR1051799
  • In L2VPN scenarios with local switching enabled, in corner cases, the rpd process might crash after flapping the PE-CE link. For example, if the L2VPN connection type changes from remote to local after link flaps, for a brief period of time, two route entries (for old remote VC connection and for the new local VC connection) might exist for the same egress route (with interface name as destination prefix). In that case, when deleting the remote VC connection and route entry associated with that remote connection, the rpd might crash due to trying to reset an internal variable which is already reset during route addition for the new local VC connection. PR1053887
  • In the l2circuit environment, when l2ckt configuration has backup-neighbor, the flow-label operation is blocked at the configuration level. PR1056777
  • With a static selective point-to-multipoint LSP configured for an MBGP MVPN, when sending a Type 3 S-PMSI A-D BGP route, the Juniper Networks implementation uses the values taken from the selective P-Tunnel configuration, which is not compliant with the RFC standard. Refer to RFC 6514, section 4.3, which specifies that the source and group length values in Type-3 must be same as the host prefix length. That is, if the Multicast Source field contains an IPv4 address, then the value of the Multicast Source Length field is 32; if the Multicast Source field contains an IPv6 address, then the value of the Multicast Source Length field is 128. The same is true for group length. PR1058193
  • In MVPN RPT-SPT mode, with a mix of local and remote receivers all using (*,g) joins (spt-threshold infinity), the downstream interfaces may not get updated properly and there may be a stuck (s,g) forwarding route. This issue can occur with the following sequence of events:
      1. Local receivers are joined.
      2. Traffic starts, then stops, and the route times out.
      3. Remote receiver joins. Both a (*,g) and an (s,g) forwarding route are created.
      4. Another local receiver is joined, or an existing one is pruned.
      5. In the (*,g) route, the downstream interface list reflects the update, but in the (s,g) route, the downstream interface list does not.
      6. When traffic starts again, the (s,g) route -- which has the wrong interface list -- is used. The traffic flows to the wrong set of receivers.
    PR1061501

Resolved Issues: 14.2R2

Class of Service (CoS)

  • For MX Series routers with DPCs, the IQ2 PIC expects the Forwarding Class (FC) index in the cookie from the DPC for packet queuing. For transit traffic, the FC index comes in the cookie, whereas for host outbound traffic, the queue number comes in the cookie to the IQ2 PIC. Because the IQ2 PIC is not aware of whether traffic is transit or host outbound, it treats the value received in the cookie as the FC value and looks into the fc_to_q table to fetch the queue number. This causes host outbound traffic to be queued in an incorrect queue in the IQ2 PIC. This is a day-one issue and occurs if, in the FC-to-queue mapping, the FC ID and queue number are not the same. PR1033572

General Routing

  • "show services accounting usage" does not populate CPU utilization for XLP-based cards. Use "show services service-sets cpu-usage" instead. PR864104
  • If the connection with an OpenFlow controller goes down then comes back up repeatedly, an OpenFlow interface on a QFX5100 switch might send an OFPT_ERROR packet with an XID ID 0 but no data to explain why the error packet was sent. PR1003538
  • On MPC5, MPC6, MIC6-10G, and MIC6-100G line cards, in order to increase the resiliency of the system, changes have been made to monitor board voltage levels and ASIC currents periodically against the expected values, and update current threshold values as per updated values provided by HW group. PR1004431
  • Under corner cases, if there are multiple back-to-back Virtual Chassis port (VCP) related CLI commands, a Network Processing Card (NPC) core may be observed and the FPC hosting the VC ports might reboot. PR1017901
  • Enabling sampling on an ms- interface is not supported. If 'forwarding-options sampling sample-once' is subsequently deactivated, the FPC may reboot. PR1021946
  • The log message "MQCHIP(0) mqchip_get_q_forwarded_stats() invalid q_sys 0 q_num " is continuously shown in logs. It will cause two GE or XGE interfaces to not forward traffic. PR1021951
  • On the TXP-3D platform, the chassisd process may hang in scenarios where an FPC restarts twice, once gracefully and once ungracefully (due to reasons like panic, bad voltage, and so on). This causes the interfaces on this FPC to go down. PR1025732
  • On systems with multiple Routing Engines and NSR enabled, performing GRES when an FPC is in the middle of restarting might cause the traffic to this FPC to be dropped permanently. PR1026214
  • In an ALG environment, the MS-MPC might crash with significant FTP/TFTP/HTTP/DNS/NAT traffic. PR1026562
  • On the MPC5E line card, if a firewall filter with large-scale terms (for example, more than 1300) is attached to an interface, traffic drop might be seen. PR1027516
  • In a Virtual Private LAN Service (VPLS) scenario with multicast traffic flowing, if the core-facing interface that is used to reach the remote PE is hosted on a Dense Port Concentrator (DPC) card and the forwarding topology uses a unilist nexthop, the composite-nexthop might not be installed on the DPC card because the Layer 2 forwarding information is populated only for the first unicast nexthop. (A unilist is a list of nexthops and is used when the router wants to forward to one of the component nexthops. It is mostly used for load balancing among multiple members, for example, in a topology where a VPLS PW is load-balanced using a unilist over an aggregated Ethernet interface.) This issue results in multicast traffic drop on the egress DPC. PR1027827
  • For Trio-based line cards, FPC memory exhaustion or memory churn might lead to FPC crash. PR1028066
  • Inline BFD sessions, through AE interface when only member interface of the AE is hosted on MX MPC4E line card, might flap continuously. PR1029341
  • In a rare case, an rdd core is reported under /usr/sbin/rdd as soon as the group is applied and the commit is performed. PR1029810
  • The PCS statistics counter is now displayed for PTX 100GE interfaces in the following command: cli > monitor interface <intf> PR1030819
  • With an unrecognized or unsupported Control Board (CB), a link speed mismatch might be seen between fabric and FPCs, which results in FPC CRC/destination errors and fabric planes going offline. The second issue is a race condition: the Fabric Manager (FM) might process a stale destination disable event even though the error has already been cleared, which results in the FPC being taken offline unnecessarily and prevents the Fabric Hardening action from triggering and recovering. PR1031561
  • This issue only affects OC-48 MICs. If an SFP is inserted into an OC-48 MIC port that has been disabled, the SFP will not show up in the output of the "show chassis hardware" command. The issue is fixed with a patch. Contact JTAC to find out which version is best for you. PR1031851
  • With VPLS BGP control word configured, intermittent packet loss might be seen in one direction on a VPLS circuit because the control word is not programmed in the Packet Forwarding Engine after a member DPC reboot. The problem can happen under the following conditions:
      1. The LSI interface exists across two or more physical interfaces.
      2. Those physical interfaces are located in different FPCs.
      3. Those physical interfaces consist of equal-cost paths, so the LSI will not flap when one member FPC goes down.
      4. The member DPC where one of the physical interfaces is situated is flapped.
    PR1031863
  • In a scaled environment, HTTP redirects might stop working while receiving continuous HTTP traffic. PR1032392
  • On MX Series platforms with MPC5/MPC6 installed, in rare cases, a software bug causes Uninitialized EDMEM Read Errors. There could be various triggers; the error may occur in a transient state (such as during a configuration change) or in a consistent state. The Uninitialized EDMEM Read Errors trigger a fatal CM error, which results in a line card reboot (the default action for a fatal CM error). PR1032958
  • During an in-service software upgrade (ISSU), if the ISSU aborts after upgrading the backup Routing Engine (RE) to the new release, it is possible that the backup RE fails to decode the message from the master RE, which is running the old release. This causes the ksyncd process to crash on the backup RE and vmcores (live cores) to be generated on both REs. The master RE will not be upgraded and the backup RE will remain on the new release. There is no rollback to the old release. The backup RE must be brought back to the old release manually. PR1035777
  • In previous versions, a detection mechanism was added for the FPC so that when a single RKME_INT error was encountered, the FPC was restarted. Now the behavior is changed so that the FPC is not restarted when the error occurs. PR1036506
  • Sometimes the output byte counters of an AE VLAN IFL are shown as a large value. This is a generic issue. PR1036813
  • In a subscriber scenario with auto-sensed VLAN configured, after scaled subscribers (in this case, 16K subscribers) log in and log out several times, the subscriber management process might get stuck and be unable to restart due to a Session Database (SDB) deadlock issue. PR1041094
  • On T Series FPC 1-3 and M320 except E3-FPC with the fib-local configuration, if there are multiple FIB local FPCs or the FIB local is a multiple-PFE FPC, TCP packets might arrive out of order and packet reordering would occur. This reduces the application-level throughput for any protocols running over TCP. PR1049613

Interfaces and Chassis

  • With vrf-table-label configured on the routing-instances, when an FPC with Enhanced IQ (IQE) PIC is sharing the same Forwarding Engine Board (FEB) with another FPC, and the FEB has two core-facing interfaces configured with the family mpls on the aforementioned FPCs separately, the label-switched interface (LSI) might be removed incorrectly on the working FPC when the other FPC with IQE PIC is set to offline. PR1027034
  • PTX with 2x100Gig PIC might return incorrect values for jnxOtnIntervalOtuFec15minCorrectedErrors and jnxOtnCurrentOtuFec15minCorrectedErrors. This happens because the 2x100Gig PIC does not support jnx-otn.mib. Instead, please use jnx-ifotn.mib or jnx-bl.mib. With this fix, jnx-otn.mib should not return anything on the 2x100Gig PIC:
        $ snmpwalk -v 2c -Obs -c public [IP address] jnxOtnIntervalOtuFec15minCorrectedErrors
        jnxOtnIntervalOtuFec15minCorrectedErrors = No Such Instance currently exists at this OID
        $ snmpwalk -v 2c -Obs -c public [IP address] jnxOtnCurrentOtuFec15minCorrectedErrors
        jnxOtnCurrentOtuFec15minCorrectedErrors = No Such Instance currently exists at this OID
    On the 4x100Gig PIC using jnx-otn.mib for jnxOtnIntervalOtuFec15minCorrectedErrors and jnxOtnCurrentOtuFec15minCorrectedErrors, the correct values are reported if the error rate is below 900. Otherwise, the CLI values give the right data. PR1038577
  • FRR switching time is much higher than 50 ms (for example, it might be 400-900 ms) when protected links are located on MX Series Gigabit Ethernet enhanced and hardened MICs (that is, the MIC model name ends with -E or -EH; currently, the supported MICs are MIC-3D-20GE-SFP-E and MIC-3D-20GE-SFP-EH). PR1038999
  • Using PPP authentication with a specifically crafted PAP Authenticate-Request may cause the Juniper Networks PPP daemon (jpppd) to crash and restart. After the PPPoE Discovery and LCP phases are successfully negotiated, when the crafted PAP Authenticate-Request is received, jpppd crashes and no response is sent by the broadband edge router to the subscriber. The jpppd process continues to crash every time the subscriber re-sends the PAP Authenticate-Request. Refer to JSA10665 for more information. PR1040665
  • For Ethernet OAM/CFM, if a maintenance-association (MA) ICC format name of length less than 13 characters (13 bytes) is used, deactivating and activating "protocol oam" might cause CFM operation failures. The "Cross-connect CCM received" alarm will be seen. There can be other triggers also. The ITU Carrier Code (ICC) format uses a fixed length for the MA name (13 octets). Junos OS creates and maintains the actual size configured by the user. However, the length it maintains is 13 octets. For an MA name shorter than that, the value accessed is not deterministic. It works fine if the subsequent memory is initialized to zero. Otherwise, a cross-connect error is declared because the accessed MA name differs from the one at the remote end. PR1041482

Layer 2 Features

  • LDP-VPLS with BGP autodiscovery stays down after GRES event when NSR is enabled. PR1046887

Layer 2 Ethernet Services

  • With Link Aggregation Control Protocol (LACP) enabled for aggregated Ethernet (AE) bundles, in rare cases, an interface add message for an old logical interface (IFL) still exists in the queue and has not been destroyed. When this message is processed, the old IFL no longer exists, which leads to an lacpd process crash, and all AE bundles flap. PR1015989

MPLS

  • In an egress-protection scenario using stub-alias advertise mode where the Point of Local Repair (PLR) uses 'dynamic-rsvp-lsp' in LDP link protection, if the protected PE gets isolated, unexpected packet drops will be observed. PR1030815
  • When configuring point-to-multipoint (P2MP) Label Distribution Protocol (LDP) label-switched paths (LSPs), the labels will never be freed even though they are no longer needed. This could lead to MPLS label exhaustion eventually. To clear the state, the rpd process will restart with core files. PR1032061
  • When an LDP-enabled router receives an LDP label mapping message that includes unknown TLVs with the unknown and forward bits set, the unknown TLVs will be re-advertised along with the LDP message to the upstream LSR. However, due to a merge issue, Junos OS appends these unknown TLVs multiple times during construction of the label mapping message and will have an unknown TLV (0x0000) with length 0 among the appended unknown TLVs. This causes the LDP session with the peer that receives this message to flap. PR1037917

Platform and Infrastructure

  • With inline jflow enabled, if the low 12 bits of the packet counter are zero (0x000) while the packet count is copied from the hash record into the flow export packet, the packetDeltaCount counter might be incorrect in inline jflow records. There is no traffic impact, but this may impact billing. PR886222
  • All inline services fail to work for high MPC slot numbers on MX2020. This is due to a generic issue in receiving packets. The egress Packet Forwarding Engine instance was chosen incorrectly. PR1012222
  • When traffic is received on an MPC and goes out on a DPC, an Ethernet frame with a known DMAC will be flooded to the whole bridge domain after the link on which the given MAC is learned flaps more than 32 times. PR1026879
  • The commit synchronize command fails because the kernel socket gets stuck. PR1027898
  • Junos OS reserves the prefix "junos-" for the identifiers of configurations defined within the junos-defaults configuration group. User-defined identifiers cannot start with the string "junos-". Due to a defect, prior to Junos OS Release 13.3R1, if you configured user-defined identifiers through the CLI using the reserved prefix, the commit would incorrectly succeed. This issue is fixed in 13.3R1 and later releases: configurations that currently contain the reserved prefix for user-defined identifiers other than junos-defaults configuration group identifiers now correctly result in a commit error in the CLI. However, these different behaviors block software upgrade from a Junos OS release before 13.3R1 to Junos OS Release 13.3R1 or later. With the new fix, the behavior is changed to display a warning when a reserved identifier is configured, but the commit goes through, as shown below:
        user@router# set applications application junos-tcp protocol tcp
        warning: Modifying reserved identifier junos-tcp is deprecated
        [edit]
        user@router# commit
        commit complete
    PR1032119
  • Port-Scheduler: Queues are starving with scheduler on egress port in WAN-PHY mode. PR1035988
  • On Trio-based platforms, when using the inline Two-Way Active Measurement Protocol (TWAMP) server (the server address is the inline service interface address), the TWAMP server may incorrectly calculate the packet checksum, so the packet may get dropped on the TWAMP client. PR1042132
  • For Junos OS version 13.3R5, if an IPv6 firewall (FW) filter has the matching condition 'from payload-protocol' or 'from payload-protocol-except', and the FW filter is applied on a DPC card interface or loopback interface, the 'from payload-protocol' statement might be ignored, resulting in the IPv6 FW filter not working well. PR1049590

Routing Protocols

  • In a Protocol Independent Multicast (PIM) environment, while an assert event is being processed, a routing protocol process (rpd) crash may occur in a situation where there is no SG node but assert state is present. PR907797
  • With accounting/sampling enabled, an unnecessary update from the routing protocol process (rpd) to the route record database might be triggered by certain configuration changes. This process causes a jump in CPU utilization of all Packet Forwarding Engines. PR1002107
  • When policy LFA is being used and backup path selection is first based on the root-metric criteria, the root-metric should be taken from the link metric connecting source to the backup neighbor (the one-hop neighbor or a remote router such as an RSVP backup LSP tail-end router), but it is now taken from the shortest-path-first (SPF) metric from source to backup neighbor if root-metric highest is configured. In some topologies, if the two metrics are different, IS-IS might select incorrect backup next-hop. PR1031408
  • When "clear bfd session" is issued immediately (before the Poll-Final sequence is completed) after a configuration check-in that changes the minimum-interval from a higher to a lower value, BFD sessions don't revert to the lower interval. PR1033231
  • OpenSSL released a Security Advisory on 15 Oct 2014 that included CVE-2014-3566 known as the "POODLE" vulnerability. The SSL protocol 3.0 (SSLv3) uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack. OpenSSL has been upgraded to 0.9.8zc (pre-Junos OS 13.3) and 1.0.1j (Junos OS 13.3+), adding support for SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV). Refer to JSA10656 for more information. PR1033938
  • The micro BFD sessions won't come up if incoming untagged micro BFD packets contain a source MAC where the last 12 bits are zero. PR1035295
  • If an IFL is used as the qualified-next-hop (which implies the IFL has unnumbered-address configured), and there are changes in the IFL filter configuration, then the static route might disappear from the routing table. To make it reappear, delete the static route from the configuration and add it back. PR1035598
  • There is an issue in populating isisRouterTable values: some entries are not filled correctly. This does not block or affect the functionality of IS-IS or other components. PR1040234
  • Junos: RPD cores on receiving a crafted L2VPN family BGP update (CVE-2016-1270). Refer to https://kb.juniper.net/JSA10737 for more information. PR1041189
  • A BFD session might reset on commit if version is configured. The adaptive RX interval gets set to 0, which results in the reset. A sample configuration of BFD version is as follows:
        protocols {
            bgp {
                bfd-liveness-detection {
                    version 1;
                    minimum-interval 1000;
                    transmit-interval {
                        minimum-interval 1000;
                    }
                }
            }
        }
    PR1045037

Services Applications

  • In an L2TP scenario, when the LNS is flooded by high-rate L2TP messages from the LAC, the CPU on the RE might be kept too busy to bring up new sessions. PR990081
  • The cause of the kmd crash is not known. This is not due to SA (Security Association) memory corruption. From the code, it appears that the SA is being freed without clearing the table entry. PR1036023
  • On MX Series platforms, when using the MS-DPC with MPSDK to support the Captive Portal Content Delivery (cpcd) service, the MAC may get stuck on the FPC due to processing a high rate of packets (for example, 5kpps HTTP traffic). In addition, reloading the affected FPC may only temporarily resolve the issue, and it will appear again once scaled up. PR1037143

VPNs

  • Problem description: MSDP periodically polls PIM for S,Gs to determine whether each S,G is still active. This check helps MSDP determine whether the source is active and therefore whether the SA should still be sent. There is a possibility that PIM will return that the S,G is no longer active, which causes MSDP to remove the MSDP state and notify MVPN to remove the Type 5. One of the checks PIM makes is to determine whether it is the local RP for the S,G. During a reconfiguration period where any commit is done, PIM re-evaluates whether it is a local RP. It waits until all the configuration is read and all the interfaces have come up before making this determination. The local RP state is cleared out early in this RP re-evaluation process, however, which allows for a window of time where the local RP state has been cleared out but has not yet been re-evaluated. During this window PIM may believe it is not the local RP and return FALSE to MSDP for the given source. If MSDP makes the call into PIM during this window after a configuration change (commit), then it is possible that the Source Active (Type 5) state will be removed.
    Fix: The fix is to clear out the local RP state right before it is re-evaluated (that is, after PIM reads the configuration for all interfaces), so that there is no time gap where it could be inconsistent. PR1015155
  • On the MX-VC platform, if there is a scaling number of MVPN routes, after adding a new interface in the MVPN instance or changing the traceoptions-related configuration, the CPU on the RE might experience high utilization for about 10 minutes. PR1027596
  • Upon receipt of a large set of label blocks containing an updated BGP local preference (due to configuration changes on IBGP peers), RPD may crash with a NULL pointer access exception. The crash was triggered by a large number of BGP-VPLS advertisements with updated BGP local preference values. Refer to JSA10687 for more information. PR1047437
  • In a VPLS environment with a Multichassis link aggregation group (MC-LAG) configuration, the standby neighbor is configured with hot-standby mode. If the active link on MC-LAG members facing the CE is changed continually (that is, active to standby and standby to active), in rare conditions, the traffic might not shift correctly, and the rpd process might crash. PR1050737

Modified: 2017-12-12