Junos OS Release Notes for EX Series Switches

 

These release notes accompany Junos OS Release 15.1R7 for the EX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 15.1R7 for the EX Series.

Note

The following EX Series platforms are supported in Junos OS Release 15.1R7: EX3300, EX4200, EX4300, EX4500, EX4550, EX4600, EX6200, EX8200, and EX9200.

Note

A new J-Web distribution model was introduced in Junos OS Release 14.1X53-D10, and the same model is supported in Junos OS Release 15.1R1 and later. The model provides two packages:

  • The J-Web Platform package—Installed as part of Junos OS; provides basic functionalities of J-Web.

  • The J-Web Application package—Optionally installable package; provides complete functionalities of J-Web.

The J-Web Platform package is included in the EX2200, EX3300, EX4200, EX4300, EX4500, EX4550, and EX6200 Junos OS Release 15.1R1 install images.

For details about the J-Web distribution model, see Release Notes: J-Web Application Package Release 15.1A3 for Juniper Networks EX Series Ethernet Switches.

Hardware

  • EX9200-MPC line card for EX9200 switches—Starting with Junos OS Release 15.1R3, EX9200 switches support the new EX9200-MPC line card. It is a modular line card that has two slots on the faceplate in which you can install any of the following modular interface cards (MICs):

    • EX9200-10XS-MIC: It has 10 10-Gigabit Ethernet small form-factor pluggable plus (SFP+) ports, which can house SFP+ transceivers. These ports support 10GBASE-SR, 10GBASE-LR, 10GBASE-ER, and 10GBASE-ZR transceivers.

    • EX9200-20F-MIC: It has 20 1-Gigabit Ethernet small form-factor pluggable (SFP) ports with Media Access Control Security (MACsec) capability, each of which can house 1-gigabit SFP transceivers. These ports support 1000BASE-T, 1000BASE-SX, 100BASE-FX, 1000BASE-LX, 1000BASE-BX-U, 1000BASE-BX-D, 100BASE-BX-U, 100BASE-BX-D, and 1000BASE-LH transceivers.

    • EX9200-40T-MIC: It has 40 RJ-45 ports.

    You can install the MICs in the following configurations:

    • One EX9200-10XS-MIC

    • One EX9200-20F-MIC

    • One EX9200-10XS-MIC and one EX9200-20F-MIC

    • Two EX9200-10XS-MICs

    • Two EX9200-20F-MICs

    • One EX9200-40T-MIC

    You can transmit up to 130 gigabits of traffic through the line card without a packet drop.

  • New optical transceiver support—Starting with Junos OS Release 15.1R3, the 40-Gigabit Ethernet quad small form-factor pluggable plus (QSFP+) ports on EX9200-4QS and EX9200-6QS line cards for EX9200 switches support the transceiver JNP-QSFP-40G-LX4.

Authentication and Access Control

  • Central Web authentication (EX2200, EX3300, and EX4300)—Starting with Junos OS Release 15.1R3, you can configure central Web authentication to redirect Web browser requests to a login page that requires the user to input a username and password. Upon successful authentication, the user is allowed to access the network. The login process is handled by a central Web authentication server, which provides scaling benefits over local Web authentication, also known as captive portal.

    Central Web authentication is useful for providing network access to temporary users, such as visitors to a corporate site, who are trying to access the network using devices that are not 802.1X-enabled. Web authentication can also be used as a fallback authentication method for regular network users who have 802.1X-enabled devices, but fail authentication because of other issues, such as expired network credentials.

    [See Understanding Central Web Authentication.]

  • RADIUS-initiated changes to an authorized user session (EX2200, EX3300, and EX4300)—Starting with Junos OS Release 15.1R3, EX2200, EX3300, and EX4300 switches support changes to an authorized user session that are initiated by the authentication server. The server can send the switch a Disconnect message to terminate the session, or a Change of Authorization (CoA) message to modify the session authorization attributes. CoA messages are typically used to change data filters or VLANs for an authenticated host.

    [See Understanding RADIUS-Initiated Changes to an Authorized User Session.]

  • Flexible authentication order (EX2200, EX3300, and EX4300)—Starting with Junos OS Release 15.1R3, you can configure the order of authentication methods that the switch will use to authenticate an end device. By default, the switch will first attempt to authenticate using 802.1X authentication, then MAC RADIUS authentication, and then captive portal. You can override the default order of authentication methods by configuring the authentication-order statement to specify that the switch use either 802.1X authentication or MAC RADIUS authentication first. Captive portal must always be last in the order of authentication methods.

    [See Understanding Authentication on EX Series Switches.]

  • RADIUS accounting interim updates (EX4300)—Starting with Junos OS Release 15.1R3, you can configure an EX4300 switch to send periodic updates for a user accounting session at a specified interval to the accounting server. Interim accounting updates are included in the exchange of messages between the client and the accounting server. In RADIUS accounting, the client sends Accounting-Request messages to the server, which acknowledges receipt of the requests with Accounting-Response messages. Interim accounting updates are sent in Accounting-Request messages with the Acct-Status-Type set to Interim-Update.

    [See Understanding 802.1X and RADIUS Accounting on EX Series Switches.]

  • Support for multiple terms in a filter sent from the RADIUS server (EX4300)—Starting with Junos OS Release 15.1R3, you can use RADIUS server attributes to implement dynamic firewall filters with multiple terms on a RADIUS authentication server. These filters can be dynamically applied on all switches that authenticate supplicants through that server, eliminating the need to configure the same filter on multiple switches. You can define the filters directly on the server by using the Juniper-Switching-Filter attribute, which is a RADIUS attribute specific to Juniper Networks, also known as a vendor-specific attribute (VSA). Filter terms are configured using one or more match conditions and a resulting action.

    [See Understanding Dynamic Filters Based on RADIUS Attributes.]

  • EAP-PAP protocol support for MAC RADIUS authentication (EX2200, EX3300, and EX4300)—Starting with Junos OS Release 15.1R3, you can configure the switch to use the Password Authentication Protocol (PAP) when authenticating clients with the MAC RADIUS authentication method. PAP transmits plaintext passwords over the network without encryption. It is required for use with LDAP (Lightweight Directory Access Protocol), which supports plaintext passwords for client authentication. This feature is configured by using the authentication-protocol CLI statement at the [edit protocols dot1x authenticator interface interface-name mac-radius] hierarchy level.

    [See Understanding Authentication on EX Series Switches.]
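
The RADIUS-initiated session changes and the interim accounting updates described above both arrive as RADIUS requests that carry a Request Authenticator. The following is an added example, not Juniper code: it verifies that authenticator as defined in RFC 2866 (RFC 5176 reuses the same calculation for Disconnect and CoA requests) and reports the Acct-Status-Type. The shared secret, user name, session ID, and packets are constructed sample values.

```python
import hashlib
import hmac
import struct

# Packet codes: Accounting-Request (RFC 2866); Disconnect and CoA (RFC 5176).
REQUEST_CODES = {4: "Accounting-Request", 40: "Disconnect-Request", 43: "CoA-Request"}
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44   # attribute types
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def attr(atype, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([atype, len(value) + 2]) + value


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    """Build a constructed test packet; real packets come from the RADIUS peer."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs with bounds checks."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length out of bounds")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def inspect_request(packet, secret):
    """Validate a request and summarize it; drop it if 'authentic' is False."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in REQUEST_CODES:
        raise ValueError("code %d is not handled here" % code)
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the datagram")
    packet = packet[:length]              # octets past Length are padding
    attrs = packet[20:]
    expected = request_authenticator(code, ident, attrs, secret)
    info = {"code": REQUEST_CODES[code], "id": ident,
            "authentic": hmac.compare_digest(expected, packet[4:20]),
            "user": None, "acct_status": None}
    for atype, value in parse_attributes(attrs):
        if atype == USER_NAME:
            info["user"] = value.decode("utf-8", "replace")
        elif atype == ACCT_STATUS_TYPE and code == 4 and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            info["acct_status"] = ACCT_STATUS.get(number, "type-%d" % number)
    return info


def sample_packets(secret):
    """Constructed packets: an interim accounting update and a Disconnect."""
    interim = build_request(4, 7, attr(USER_NAME, b"visitor")
                            + attr(ACCT_STATUS_TYPE, struct.pack("!I", 3))
                            + attr(ACCT_SESSION_ID, b"sess-0001"), secret)
    disconnect = build_request(40, 8, attr(USER_NAME, b"visitor"), secret)
    return interim, disconnect


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"     # sample value, not a real secret
    for pkt in sample_packets(SECRET):
        print(inspect_request(pkt, SECRET))
    forged = bytearray(sample_packets(SECRET)[1])
    forged[-1] ^= 0x01                        # alter one octet after signing
    print(inspect_request(bytes(forged), SECRET))
```

A Disconnect or CoA request that fails this check was not produced by a holder of the shared secret, so the session it names must be left unchanged.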

Interfaces and Chassis

  • Half-duplex link support (EX4300 switches)—Starting with Junos OS 15.1R4, half-duplex communication is supported on all built-in network copper ports on EX4300 switches. Full-duplex communication means that both ends of the communication can send and receive signals at the same time. Half-duplex is also bidirectional communication, but signals can flow in only one direction at a time. Half-duplex is configured by default on EX4300 switches. If the link partner is set to autonegotiate the link, then the link is autonegotiated to full duplex or half duplex. If the link is not set to autonegotiation, then the EX4300 link defaults to half-duplex unless the interface is explicitly configured for full duplex.

    To explicitly configure full duplex:

    [edit]
    user@switch# set interfaces interface-name speed 10m-or-100m
    [edit]
    user@switch# set interfaces interface-name ether-options no-auto-negotiate

    To verify a half-duplex setting, issue one of:

    user@switch> show interfaces interface-name media
    user@switch> show interfaces interface-name extensive

    To query the OID:

    user@switch> show snmp mib get dot3StatsDuplexStatus.SNMP-ifIndex

    [See Documentation Updates.]

  • LACP minimum link support on LAGs (EX9200 switches)—Starting with Junos OS Release 15.1R3, LACP minimum link support is added to the existing minimum link feature. The minimum-link configuration specifies that a required minimum bandwidth is provided for LAG interfaces. When there are not enough active links to provide this minimum bandwidth for a LAG interface, the LAG interface is brought down. The LACP minimum-link feature enhances the existing minimum-link feature by bringing down the LAG interface on the peer device as well as on the device on which you have configured minimum links. Before the LACP minimum link enhancement was made, if you configured the minimum link feature on one device but could not or had not configured it on the peer device, traffic would exit the LAG interface on the peer device although it would be dropped at the destination, because the LAG interface on the peer was not brought down. LACP minimum link is enabled by default when you configure minimum links.

  • Support for MC-LAG on logical systems (EX9200 switches)—Starting with Junos OS Release 15.1, you can configure multichassis link aggregation (MC-LAG) interfaces on logical systems within an EX9200 switch. When you configure multichassis aggregated Ethernet interfaces on a logical system, ensure that these interfaces are added with the same multichassis aggregated Ethernet identification number and redundancy group identifier for the MC-LAG on both peers or devices that are connected by the MC-AE interfaces. Ensure that the Inter-Chassis Control Protocol (ICCP) to associate the routing or switching devices contained in a redundancy group is defined on both peers within the logical systems of the devices. Such a configuration ensures that all packets are transmitted using ICCP within the logical system network. The logical system information is added, and then removed, by the ICCP process to prevent each packet from containing the logical system details. This behavior enables multiple disjoint users to employ MC-LAG capabilities within their networks transparently and seamlessly. A unique ICCP definition for a logical system is created, thereby enabling you to wholly manage ICCP parameters on one logical system without the need for access permissions to view other logical system networks on the same device.

    Configuration of MC-LAG interfaces on logical systems enables MC-LAG to be used across multiple routing tables and switch forwarding tables in active-active and active-standby modes of MC-LAG interfaces.

    [See Multichassis Link Aggregation on Logical Systems Overview.]

  • IPv6 support on multichassis aggregated Ethernet interfaces (EX9200 switches)—Starting with Junos OS Release 15.1, multichassis aggregated Ethernet interfaces on EX9200 switches support IPv6 and Neighbor Discovery Protocol (NDP). IPv6 neighbor discovery is a set of ICMPv6 messages that combine IPv4 messages such as ICMP redirect, ICMP router discovery, and ARP messages.

    [See Understanding IPv6 Neighbor Discovery Protocol and MC-LAGs on EX9200 Switches.]

Junos OS XML API and Scripting

  • Support for replacing patterns in configuration data within NETCONF and Junos XML protocol sessions (EX Series)—Starting with Junos OS Release 15.1, you can replace variables and identifiers in the candidate configuration when you perform a <load-configuration> operation in a Junos XML protocol or NETCONF session. The replace-pattern attribute specifies the pattern to replace, the with attribute specifies the replacement pattern, and the optional upto attribute indicates the number of occurrences to replace. The scope of the replacement is determined by the placement of the attributes in the configuration data. The functionality of the attribute is identical to that of the replace pattern configuration mode command in the Junos OS CLI.

    [See Replacing Patterns in Configuration Data Using the NETCONF or Junos XML Protocol.]

Management

  • Support for YANG features, including configuration hierarchy must constraints published in YANG, and a module that defines Junos OS YANG extensions (EX Series)—Starting with Junos OS Release 15.1, the Juniper Networks configuration YANG module includes configuration constraints published using either the YANG must statement or the Junos OS YANG extension junos:must. Constraints that cannot be mapped directly to the YANG must statement, which include expressions containing special keywords or symbols such as all, any, unique, $, __, and wildcard characters, are published using junos:must.

    The junos-extension module contains definitions for Junos OS YANG extensions, including the must and must-message keywords. The junos-extension module is bound to the namespace URI http://yang.juniper.net/yang/1.1/je and uses the prefix junos. You can download Juniper Networks YANG modules from the website, or you can generate the modules by using the show system schema operational mode command on your local device.

    [See Using Juniper Networks YANG Modules.]

  • Support for enforcing RFC-compliant behavior in NETCONF sessions (EX Series)—Starting with Junos OS Release 15.1, you can require that the NETCONF server enforce certain behaviors during the NETCONF session by configuring the rfc-compliant statement at the [edit system services netconf] hierarchy level. If you configure the rfc-compliant statement, the NETCONF server explicitly declares the NETCONF namespace in its replies and qualifies all NETCONF tags with the nc prefix. Also, <get> and <get-config> operations that return no configuration data do not include an empty <configuration> element in RPC replies.

    [See Configuring RFC-Compliant NETCONF Sessions.]

MPLS

  • New command to display the MPLS label availability in RPD (EX Series)—Starting with Junos OS Release 15.1, a new show command, show mpls label usage, is introduced to display the available label space resource in RPD and also the applications that use the label space in RPD. Using this command, the administrator can monitor the available labels in each label space and the applications that are using the labels.

    [See show mpls label usage.]

Network Management and Monitoring

  • MIB support for media attachment unit (MAU) information (EX2200, EX3300)—Starting with Junos OS Release 15.1R4, EX2200 and EX3300 switches support standard and enterprise-specific MIBs that allow users to gather information about MAUs connected to those switches. The switches populate the entityMIB (RFC 4133) and entityStateMIB (RFC 4268) standard SNMP MIBs, and a new MIB table, ifJnxMediaTable, which is part of the Juniper enterprise-specific Interface MIB extensions. The objects in ifJnxMediaTable represent MAU information such as media type, connector type, link mode, and link speed. Users can gather this information using the Junos OS CLI command show snmp mib or other remote SNMP MIB object access methods.

    [See SNMP MIB Explorer.]

Port Security

  • Media Access Control Security (MACsec) support (EX9200 switches)—Starting with Junos OS Release 15.1R1, MACsec is supported on all SFP interfaces on the EX9200-40F-M line card when it is installed in an EX9200 switch. MACsec is an industry-standard security technology that provides secure communication for all traffic on point-to-point Ethernet links. MACsec is capable of identifying and preventing most security threats, and can be used in combination with other security protocols to provide end-to-end network security. MACsec can only be enabled on domestic versions of Junos OS software. MACsec is standardized in IEEE 802.1AE.

    [See Understanding Media Access Control Security (MACsec).]

  • MAC move limiting support (EX9200 switches)—Starting with Junos OS Release 15.1R1, MAC move limiting is supported on EX9200 switches. MAC move limiting provides port security by controlling the number of MAC address moves that are allowed in a VLAN in one second. When MAC move limiting is configured, the switch tracks MAC address movements on access and trunk interfaces. A MAC address move occurs when an interface on the switch receives a packet with a source MAC address that has already been learned by the switch, but on a different interface. If a MAC address moves more than the configured number of times within one second, you can configure an action to be taken on incoming packets with new source MAC addresses. The incoming packets can be dropped, logged, or ignored. You can also specify an action to shut down or temporarily disable the interfaces associated with that MAC address.

    [See Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches.]
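
The MAC move limiting behavior described above, modeled as an added example (not Juniper code) that replays MAC learning events and reports each move that exceeds the limit within one second. It assumes moves are counted per MAC address within a VLAN; the function names, the event tuple layout, and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque


def find_move_violations(events, limit, window_ms=1000):
    """Return the moves that exceed `limit` moves per window.

    events: (time_ms, vlan, mac, interface) tuples in time order.
    Each result is (time_ms, vlan, mac, old_interface, new_interface, moves).
    """
    learned = {}                     # (vlan, mac) -> interface last seen on
    recent = defaultdict(deque)      # (vlan, mac) -> times of recent moves
    violations = []
    for time_ms, vlan, mac, interface in events:
        key = (vlan, mac.lower())
        previous = learned.get(key)
        learned[key] = interface
        if previous is None or previous == interface:
            continue                 # first learn or same port: not a move
        moves = recent[key]
        moves.append(time_ms)
        while moves[0] <= time_ms - window_ms:
            moves.popleft()          # forget moves older than the window
        if len(moves) > limit:
            # This is the point at which the configured action would apply.
            violations.append(
                (time_ms, vlan, key[1], previous, interface, len(moves)))
    return violations


def sample_events():
    """Constructed events: one MAC flapping between two ports, one roaming."""
    flap = "00:11:22:33:44:55"
    roam = "66:77:88:99:aa:bb"
    return [
        (0,    10, flap, "ge-0/0/1"),   # first learn
        (100,  10, flap, "ge-0/0/2"),   # move 1
        (200,  10, flap, "ge-0/0/1"),   # move 2
        (300,  10, flap, "ge-0/0/2"),   # move 3: over a limit of 2
        (400,  20, roam, "ge-0/0/5"),   # first learn in another VLAN
        (500,  10, flap, "ge-0/0/1"),   # move 4: still over the limit
        (2000, 20, roam, "ge-0/0/6"),   # a single move stays under the limit
        (2500, 10, flap, "ge-0/0/2"),   # earlier moves have aged out
    ]


if __name__ == "__main__":
    for violation in find_move_violations(sample_events(), limit=2):
        print(violation)
```

A MAC address that alternates rapidly between two ports usually indicates a Layer 2 loop or a host sending frames with another host's source address, which is why the switch offers drop, log, and shutdown actions at this point.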

Software Installation and Upgrade

  • Support for FreeBSD 10 kernel for Junos OS (EX9200 switches)—Starting with Junos OS Release 15.1, on EX9200 switches, FreeBSD 10 is the underlying OS for Junos OS instead of FreeBSD 6.1. This feature includes a simplified package naming system that drops the domestic and world-wide naming convention. Because installation restructures the file system, logs and configurations are lost unless precautions are taken. There are now Junos OS and OAM volumes, which provide the ability to boot from the OAM volume upon failures. Some system commands display a different output than on earlier releases and a few others are deprecated.

    [See Understanding Junos OS with Upgraded FreeBSD.]

  • Configuration validation for image upgrade or downgrade (EX3300 switches and EX3300 Virtual Chassis)—Starting in Junos OS Release 15.1R7, EX3300 switches and EX3300 Virtual chassis support configuration validation when upgrading or downgrading a Junos OS jinstall package. When you install a new version of Junos OS on the switch, the system validates that the existing configuration is compatible with the new image. Without the validation feature, configuration incompatibilities or insufficient memory to load the new image might cause the system to lose its current configuration or go offline. With the validation feature, if validation fails, the new image is not loaded, and an error message provides information about the failure. If you invoke validation from an image that does not support validation, the new image is loaded but validation does not occur. Validation is invoked when installing a new Junos OS version with the request system software add or request system software nonstop-upgrade command. Running the request system software validate command performs configuration validation without installing the new version.

    [See Validating the Configuration Image Before Upgrading or Downgrading the Software.]

Spanning-Tree Protocols

  • Global configuration of spanning-tree protocols (EX Series)—Starting with Junos OS Release 15.1R1, global configuration of the spanning-tree protocols RSTP, MSTP, and VSTP is supported on EX Series switches with Enhanced Layer 2 Software (ELS) configuration style.

    In earlier releases, ELS supported configuration of spanning-tree protocols on individual interfaces or on a range of interfaces. It did not support configuration of spanning-tree protocols on all interfaces or disabling spanning-tree protocols on specific interfaces.

    Starting with Junos OS Release 15.1R1, CLI changes in ELS provide the options of configuring spanning-tree protocols on all interfaces, disabling the configuration for individual interfaces, and configuring VSTP on all VLANs or on a VLAN group.

    [See Configuring RSTP (CLI Procedure), Configuring MSTP, and Configuring VLAN Spanning-Tree Protocol.]

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 15.1R7 for the EX Series.

Dynamic Host Configuration Protocol

  • Format change for DHCP Option 18—On EX9200 switches with DHCP snooping configured, when the VLAN ID is appended to the prefix of DHCP option 18, it appears in decimal format instead of hexadecimal format.

High Availability (HA) and Resiliency

  • VRRP session flap configuring fast-interval (EX9200 switch)—Starting in Junos OS Release 15.1R7, we recommend that you set the fast-interval value to a minimum of 500 milliseconds. A VRRP session can flap if a value less than 500 is configured and committed.

    [See fast-interval.]

Layer 2 Features

  • Configuration option for LLDP and PTOPO trap notifications (EX3300, EX4200, EX4500, EX4550, EX6200, EX8200)—Starting in Junos OS Release 15.1R7, you can enable or disable the Link Layer Discovery Protocol (LLDP) and Physical Topology (PTOPO) MIB traps for a specific interface or for all interfaces on EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 switches by configuring the trap-notification statement at the [edit protocols lldp interface interface-name] hierarchy level.

Management

  • Support for status deprecated statement in YANG modules (EX Series)—Starting with Junos OS Release 15.1R5, Juniper Networks YANG modules include the status deprecated statement to indicate configuration statements, commands, and options that are deprecated.

Virtual Chassis

  • Increased time to rejoin Virtual Chassis after a member is rebooted (EX2200, EX3300, EX4200, and EX8200 Virtual Chassis)—Starting in Junos OS Release 15.1R3, when one or more member switches in an EX2200, EX3300, EX4200, or EX8200 Virtual Chassis are rebooted, the Virtual Chassis master’s delay time before reinstating the rebooted switch as a member in the Virtual Chassis is increased from two minutes to ten minutes. As a result, after rebooting a Virtual Chassis member, up to 15 or 20 minutes total elapsed time might be required for the member to completely rejoin the Virtual Chassis. The increased delay time allows the Virtual Chassis to correctly rebuild its Virtual Chassis port (VCP) adjacency information, and avoids unexpected mastership election contention or failure of the Virtual Chassis to re-form.

  • Automatic software update (EX2200 Virtual Chassis)—Starting in Junos OS Release 15.1R7, the automatic software update feature can be used to automatically update Junos software on members of an EX2200 Virtual Chassis running Junos OS Release 12.3R12 and later. Automatic software update is not supported on an EX2200 Virtual Chassis in releases prior to 15.1R7.

    [See Understanding Automatic Software Update on Virtual Chassis Member Switches.]

  • Automatic Virtual Chassis port conversion disabled by default (EX2200, EX3300, EX4200, EX4500, and EX4550 Virtual Chassis)—Starting in Junos OS Release 15.1R7, automatic Virtual Chassis port (VCP) conversion is disabled by default in an EX2200, EX3300, EX4200, EX4500, and EX4550 Virtual Chassis. Previously, automatic VCP conversion was always enabled by default on these switches in a Virtual Chassis.

    When automatic VCP conversion is enabled, if you add a new member to a Virtual Chassis or add a new link between two existing members in a Virtual Chassis, the ports on both sides of the link are automatically converted into VCPs when all of the following conditions are true:

    • LLDP is enabled on the interfaces for the members on both sides of the link. The two sides exchange LLDP packets to accomplish the port conversion.

    • The Virtual Chassis must be preprovisioned with the switches on both sides of the link already configured in the members list of the Virtual Chassis using the set virtual-chassis member command.

    • The ports on both ends of the link are supported as VCPs and are not already configured as VCPs.

    Automatic VCP conversion is not needed when using dedicated VCPs or default-configured VCPs on both sides of the link to interconnect two members. You can also manually configure network or uplink ports that are supported as VCPs on both ends of the link, instead of using the automatic VCP conversion feature.

    Note

    When automatic VCP conversion is enabled in a Virtual Chassis with switches that have dedicated VCPs (EX4200, EX4500, or EX4550 Virtual Chassis), if network or uplink ports are automatically converted into VCPs to create a redundant link with a dedicated VCP connection, you must reboot the Virtual Chassis to avoid creating a traffic loop within the Virtual Chassis. This step is also required if the ports for the redundant link are manually configured into VCPs.

    To enable automatic VCP conversion in an EX2200, EX3300, EX4200, EX4500, and EX4550 Virtual Chassis, configure the auto-conversion statement at the [edit virtual-chassis] hierarchy level on the Virtual Chassis. Subsequently deleting the auto-conversion statement returns the Virtual Chassis to the default behavior, in which automatic VCP conversion is disabled.

Known Behavior

This section lists known behavior, system maximums, and limitations in hardware and software in Junos OS Release 15.1R7 for the EX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • On EX4300 switches, a maximum of 5K supplicants is supported for dot1xd. PR962292

  • On EX9200 switches, if you configure a firewall filter such that the number of characters in the filter name, term name, and counter name added together exceeds 128 characters, 802.1X (dot1x) authentication might fail and cause the Network Processing Card (NPC) to crash. As a workaround, configure the filter name, term name, and counter name such that when the sum of the number of characters in those three names is added to the sum of the number of characters in the interface name and the MAC address, the total does not exceed 128. PR1083132

  • On EX9200 switches, 802.1X (dot1x) authentication might not be performed if a voice VLAN is changed or modified to a data VLAN after a client is authenticated in that voice VLAN. This problem occurs when a VoIP VLAN is configured, a client is authenticated in a configured data VLAN, and then the VoIP VLAN is configured as a new data VLAN (that is, you delete the VoIP configuration and delete the current data VLAN membership, and configure the original VoIP VLAN as the new data VLAN). PR1074668

  • On an EX4300 or a QFX5100 switch, a MAC address that is specified as part of a MAC-based VLAN is authenticated on an interface, for example, xe-1/1/1, on which 802.1X authentication in multiple supplicant mode is configured. However, the same MAC address might not be authenticated on another interface, for example, xe-2/1/1, if the MAC address moves to interface xe-2/1/1 from interface xe-1/1/1. PR1007589

High Availability (HA) and Resiliency

  • Keepalives might not exit an EX8200 Virtual Chassis; this is a race condition during an NSSU or a switchover. As a workaround, clear all ARP entries and OSPF/BGP neighbors. PR1302562

Infrastructure

  • On EX Series switches, ARP reply packets might get dropped when the switch receives reverse-path forwarding (RPF) multicast failure packets at a high rate (for example, 300 pps). As a workaround, create a static ARP entry for the next-hop device. PR1007438

  • System logging (syslog) messages for EX9200-MPC line cards include error messages on FPC initialization. Initialization can be triggered by FPC restart, insertion and removal, or power off and on. The message is Error "kernel: GENCFG: op 32 (Resync blob) failed; err 7 (Doesn't Exist)". This has no functional impact. PR1171487

  • On EX3300 and EX4200 switches, DHCPv6 packets are duplicated with option18 configured (one packet with option 18 and one without option 18) when switches are configured with dhcpv6-option18 use-option82. This is an expected behavior. PR1184593

  • A MAC hash collision happens when 16K static sequential MAC addresses are configured. If there is an FDB hash collision, an EX Series switch cannot learn the specific MAC address. Also, packet flooding occurs in the same VLAN when the EX Series switch receives a packet with that MAC address as the destination. The MAC hashing algorithm uses vlan-hw and MAC to compute the hash value, and the computation works better for random MACs. Increasing the mac-lookup-length value might improve the situation. Related KB: https://kb.juniper.net/InfoCenter/index?page=content&id=KB32325. PR1303375

  • A MAC hash collision happens when a huge number of static sequential MACs are configured. If there is an FDB hash collision, an EX Series switch cannot learn the specific MAC address. Subsequently, an IGMP snooping entry is not added, leading to traffic loss. The MAC hashing algorithm uses vlan-hw and MAC to compute the hash value, and the computation works better for random MACs. Increasing the mac-lookup-length value might improve the situation. Related KB: https://kb.juniper.net/InfoCenter/index?page=content&id=KB32325. PR1304652, PR1312322

  • Issuing snmpwalk on the entire MIB tree on a 7-plus member EX3300, EX4200, EX4500, or EX4550 Virtual Chassis can result in the command timing out, and some SNMP subagent daemons such as rpd and rmopd might take more CPU. PR1304114

  • Performing configuration validation on an EX Series switch that does not run under Junos OS with Enhanced Layer 2 Software (ELS) can generate a low memory signal when sufficient free memory in RAM is not available in the switch. PR1307788

  • Fatal errors in the flash storage can trigger a kernel panic in soft-update processing. PR1311909

  • On EX4200 and EX4500 Virtual Chassis, a configuration change with 8K+ static routes might cause a commit failure as /var/rundb runs out of storage space. PR1312341

Interfaces and Chassis

  • Internal management Ethernet interfaces (em-) might fail autonegotiation after a reboot if one of the em- interfaces is in a link-down condition. PR829521

  • On an EX2200 Virtual Chassis with three members, if you configure nine link aggregation groups (LAGs) and eight interfaces per LAG bundle, the LACP links might move down and up continuously. As a workaround, configure eight link aggregation groups and eight interfaces per LAG bundle. PR1030809

  • On EX9200 switches configured with an MC-LAG, the Inter-Chassis Control Protocol (ICCP) might flap if you configure another interchassis link (ICL) that is on new multichassis aggregated Ethernet (MC-AE) interfaces. PR1046022

  • On EX9200 switches on which a MAC limit is configured with packet-action log, a packet drop might occur when interface-mac-limit is configured with mac-table-size on a specific VLAN or on a global VLAN hierarchy. PR1076546

  • On EX9200 switches, if you configure mac-move-limit with packet-action shutdown on a VLAN that includes an MC-AE interface and an access interface, the packet action is not performed if traffic hits the limit between the MC-AE interface and the access interface. PR1079383

  • On EX9200 switches, if you configure mac-move-limit with packet-action shutdown on a VLAN that includes two members of a multichassis link aggregation group (MC-LAG) AE interface, if traffic hits the limit between the two MC-AE interfaces, a peer link belonging to one of the MC-AE interfaces might go down and only 50 percent of the traffic might reach its destination. PR1079436

  • On EX9200 switches, unified in-service software upgrade (ISSU) might not work properly for an upgrade to Junos OS Release 15.1. As a workaround, manually upgrade the Routing Engine. PR1091610

  • On EX9200 switches, traffic loss of more than one second (two through six seconds) might occur on the active node of an MC-LAG when the Inter-Chassis Control Protocol (ICCP) goes down and comes back up. PR1107001

  • If an Inter-Chassis Control Protocol (ICCP) interface on an EX9200 switch in an MC-LAG Active-Active topology is disabled and then reenabled, traffic could be dropped for more than 2 seconds. PR1173923

  • In a scaled environment, configuring more than 96 LAG members in a single commit results in an sfid process hog and interface flaps. We recommend that you configure and commit LAG members gradually. PR1300533

  • As an MTU change is considered a catastrophic event in the dcd process, a DELETE followed by an ADD is sent for all vlan logical interfaces, interface families, and interface addresses whenever there is a change in the MTU on the vlan physical interface. The message error: interface vlan.2001 not found is observed on issuing the show interfaces vlan.2001 command because of a small window in which the logical-interface subtree is not present when the DELETE and ADD operations are performed for all of the logical-interface subtree under the vlan physical interface. In a scaled configuration, we recommend that you give some time for the system to stabilize in a case of a set or delete of MTU on the vlan physical interface before you check the status of any of the logical interfaces by using the show interfaces vlan.logical-interface-number command. PR1313883

J-Web

  • In the J-Web interface, you cannot commit some of the configuration changes in the Port Configuration page or the VLAN Configuration page because of the following limitations for port-mirroring ports and port-mirroring VLANs:

    • A port configured as the output port for an analyzer cannot be a member of any VLAN other than the default VLAN.

    • A VLAN configured to receive analyzer output can be associated with only one interface.

    PR400814

  • In the J-Web interface, in the Port Security Configuration page, configuring the action option when you configure the MAC limit option is mandatory, even though configuring an action value is not mandatory in the CLI. PR434836

  • On EX4200 switches, in the J-Web interface, if you try to change the position of columns using the drag-and-drop method, only the column headers move to the new position instead of the entire column in the OSPF Global Settings table in the OSPF Configuration page, the Global Information table in the BGP Configuration page, and the Add Interface window in the LACP (Link Aggregation Control Protocol) Configuration page. PR465030

  • When a large number of static routes are configured and you have navigated to pages other than page 1 in the Route Information table in the Static Routing monitoring page in the J-Web interface (Monitor > Routing > Route Information), changing the Route Table to query other routes refreshes the page, but does not return to page 1. For example, if you run a query from page 3 and the new query returns very few results, the Results table continues to display page 3 and shows no results. To view the results, navigate to page 1 manually. PR476338

  • In the J-Web interface for EX4500 switches, the Port Configuration page (Configure > Interfaces > Ports), the Port Security Configuration page (Configure > Security > Port Security), and the Filters Configuration page (Configure > Security > Filters) display features that are not supported on EX4500 switches. PR525671

  • When you open a J-Web interface session using HTTPS, enter a username and a password, and then click the Login button, the J-Web interface takes 20 seconds longer to launch and load the Dashboard page than it does if you use HTTP. PR549934

  • If you access the J-Web interface by using an HTTPS connection through the Microsoft Internet Explorer Web browser, you might not be able to download and save reports from some pages on the Monitor, Maintain, and Troubleshoot tabs. Some affected pages are at these locations:

    • Maintain > Files > Log Files > Download

    • Maintain > Config Management > History

    • Maintain > Customer Support > Support Information > Generate Report

    • Troubleshoot > Troubleshoot Port > Generate Report

    • Monitor > Events and Alarms > View Events > Generate Report

    • Monitor > Routing > Route Information > Generate Report

    As a workaround, use the Mozilla Firefox Web browser to download and save reports while using an HTTPS connection. PR566581

  • If you access the J-Web interface using Microsoft Internet Explorer version 7, on the BGP Configuration page (Configure > Routing > BGP), all flags might be shown in the Configured Flags list (in the Edit Global Settings window, in the Trace Options tab), even though the flags are not configured. As a workaround, use the Mozilla Firefox browser. PR603669

  • On the J-Web interface, on the Route Information page (Monitor > Routing > Route Information), the Next Hop column displays only the interface address, and the corresponding IP address is missing. The title of the first column displays Static Route Address instead of Destination Address. As a workaround, use the show route detail CLI command to fetch the IP address of the next-hop interface. PR684552

  • On the J-Web interface, HTTPS access might work even with an invalid certificate. As a workaround, change the certificate and then issue the restart web-management command to restart the J-Web interface. PR700135

  • On EX2200-C switches, if you change the media type of an uplink port and commit the change, the Ports Configuration page (Configure > Interfaces > Ports) might not list that uplink port. PR742847

  • If either a copper uplink port or a fiber uplink port is connected on an EX2200-C switch, both might be displayed as up in the J-Web dashboard. PR862411

  • On an EX4300 Virtual Chassis, if you renumber the Virtual Chassis members while there is an active J-Web session, a socket error might be created. As a workaround, refresh the J-Web session. PR857269

  • On EX Series switches, the subscriber management infrastructure daemon (smid) might randomly crash when the smid daemon is interleaved with another daemon that is attempting to access the same shared memory. PR1082211

  • On an EX4600 Virtual Chassis, if lossless traffic is passing through a switch in the linecard role over a 10-gigabit SFP+ link configured as a Virtual Chassis port (VCP), traffic on the link might be dropped when the link is congested. PR1006974

  • On EX Series switches except EX4600, if you configure an IPv4 GRE interface on an IPv6 interface, the GRE tunnel might not work properly. Traffic is not forwarded through the tunnel. PR1008157

  • The J-Web dashboard might take longer than usual to load depending on the number of EX8200 Virtual Chassis members, due to time taken for collecting CLI responses. PR806803

Layer 2 Features

  • On EX Series switches, after a switch reboot, a Q-in-Q tunneling interface might not function as expected. The problem occurs when the interface is a member of a PVLAN with mapping set to swap and is also a member of a non-private VLAN. The PVID of the access interface does not get set when the PVLAN is configured before the non-private VLAN. The problem does not occur when the non-private VLAN is configured before the PVLAN. PR937927

  • On ELS (Enhanced Layer 2 Software) platforms (including EX4300, EX4600, EX9200, QFX3500, QFX3600, and QFX5100), if Q-in-Q tunneling is enabled and you configure an RTG (redundant trunk group) on a Q-in-Q interface, the RTG configuration cannot be applied; there is a commit check error. PR1134126

  • On EX4500 Virtual Chassis, when one member of the Virtual Chassis is switched off, ERPS should be reinitialized on the other members. However, because the interfaces are on the member ERPS ring that is not active anymore, ERPS cannot complete initialization properly and it stays in the init state. Thus, the rest of the interfaces do not converge to a proper state. This is expected behavior. If there is a requirement to have complete ERPS support in a ring topology and to perform a mastership failover test on a Virtual Chassis with ERPS, then interfaces of the Virtual Chassis that are part of the ERPS link should be configured as aggregated Ethernet (AE) interfaces. Ideally, physical interfaces that are part of this AE interface should be spread across all members of the Virtual Chassis. However, this is not necessary—the AE interface can contain only one physical interface and the mastership failover will still work properly. PR1235062

  • If the fast-interval configured value is less than 500ms, the VRRP session can flap. This is due to PPMD not being able to process all the packets. PR1258597

  • A vmember limit warning message might be displayed if the total number of VLAN members exceeds approximately 4093 * 8, assuming 8 members per VLAN. This is a warning message and still allows the configuration. However, in field configurations, this limit is not breached. PR1300513

  • If you configure an uplink or network port as an extended VCP to create a redundant link with a dedicated VCP connection on EX4200, EX4500, or EX4550 switches, to avoid traffic looping within the Virtual Chassis, we recommend rebooting the Virtual Chassis after configuring the port conversion. PR1313088

  • On an EX4200 and EX4500 mixed Virtual Chassis, in a scaled setup, changing the MTU value for interfaces might trigger resetting of adjacencies associated with the interfaces and result in high CPU utilization for the respective daemons, pfem and sfid. During this process, rolling back the configuration and committing it might result in the generation of core files. We recommend ensuring that enough time is provided for the system to stabilize before rolling back the configuration and triggering a successive commit. PR1319164

  • On EX4200 and EX4500 Virtual Chassis, a pfem core file might be generated in a scaled environment when STP flaps, due to which all other configured protocols—VSTP, VRRP, OSPF and LACP—flap. In this case, upon trying to reinstall the multicast route, the TCAM entry for the related route entry is found to be invalid and the pfem core file is generated. PR1355286

MPLS

  • On EX4600 switches, user-to-network (UNI) interfaces that have over 100 pseudowires might not function correctly. Up to 100 pseudowires are supported in active/backup configurations (cold standby). If more than 100 active and backup pseudowires are configured, traffic might not be forwarded correctly after a provider edge (PE) switch is either rebooted or disabled then reenabled. PR1048500

Multicast Protocols

  • On EX4550 switches, if you configure IGMP on all interfaces and create a large number of multicast groups, the maximum scale for IGMP can be achieved on some interfaces but not all interfaces. PR1025169

  • On EX9200 switches, multicast traffic might fail when the source is on an ordinary VLAN and the receiver is on a PVLAN with a primary VLAN ID, with both source and receiver on the same switch. PR1028869

  • On Virtual Chassis models EX2200, EX3300, EX4200, EX4500, EX4550, and EX8200, Layer 3 multicast traffic does not flow if VLAN pruning is enabled for the upstream interface and the VLAN does not have a member on the device on which the downstream interface resides. As a workaround, disable VLAN pruning for the upstream interface if the device where the downstream interface resides does not have a member for that VLAN. PR1156014

Network Management and Monitoring

  • On EX4550-32F switches, a limitation of the physical layer when reading the SFP-T optics registers (16-bit registers) causes a delay while doing an SNMP walk or an SNMP GET request for interface-specific MIBs. PR832071

  • On EX4300 switches, if you configure a remote analyzer with an output IP address that is reachable through routes learned by BGP, the analyzer state is DOWN. PR1007963

  • On EX8200 switches, some sFlow data might have incorrect input and output interface index values. PR1051435

Platform and Infrastructure

  • You cannot connect EX2200-C-12P-2G switches to the prestandard Cisco IP Phone 7960 using a straight cable. As a workaround, use a crossover cable. PR726929

  • On EX4300 switches, Ethernet ring protection (ERP) fails if the control VLAN is replaced with a different VLAN at runtime. PR817456

  • On EX4300 switches, despite an administrative link being down, child members of an aggregated Ethernet group that is part of a multicast downstream IRB VLAN might be programmed into a multicast route index in the Packet Forwarding Engine, resulting in the failure of multicast replication of packets for some VLANs. PR880769

  • On EX4300 switches, if multicast data packets that fail an RPF check are received on a nonshared tree, the packets might be trapped on the Routing Engine at a high rate, resulting in poor PIM convergence. PR911649

  • On EX4300 switches, in an egress router-based firewall filter, IPv6 Layer 4 headers (of ICMP type) might not work. PR912483

  • On EX9200 Virtual Chassis, commit errors might occur if commits are done frequently. PR1188816

Port Security

  • On EX4300 switches, when storm-control or storm-control-profiles with action-shutdown is configured, if the storm-triggered traffic is control traffic such as LACP, the physical interface will be put into an STP blocking state rather than turned down, so valid control traffic might be trapped to the control plane and unrelated interfaces might be set down because of an LACP timeout. PR1130099

Routing Protocols

  • On EX4300, EX4600, and QFX Series switches, a Bidirectional Forwarding Detection (BFD) session might not come up when BFD version 0 is configured. As a workaround, deactivate or delete the version configuration. PR1076052

  • In a highly scaled scenario, deleting an EX4200 or EX4500 Virtual Chassis member and adding it back might lead to session flaps and unintended consequences. We recommend that you plan to delete the Virtual Chassis member after the protocols sessions and interfaces are administratively brought down and then enable it later. PR1309806

Software Installation and Upgrade

  • On EX Series or QFX Series Virtual Chassis or Virtual Chassis Fabric (VCF), nonstop software upgrade (NSSU) cannot be used to upgrade from a Junos OS Release 14.1X53 image to a Junos OS Release 15.1 or later image. PR1087893

  • On EX4600, QFX3500, and QFX5100 switches, the amount of time that it takes for Zero Touch Provisioning to complete might be lengthy because TFTP might take a long time to fetch required data. PR980530

  • In a mixed EX4200 and EX4500 Virtual Chassis or in an EX3300 Virtual Chassis, or on an EX6200 or EX8200 switch, during a nonstop software upgrade (NSSU), packets might be duplicated. PR1062944

  • Substantial traffic losses might occur when executing a nonstop software upgrade (NSSU) on a mixed EX4200 and EX4500 Virtual Chassis or on an EX3300 Virtual Chassis, an EX6200 switch, an EX8200 switch, or an EX8200 Virtual Chassis. PR1062960

  • On an EX8200 Virtual Chassis, an NSSU to Junos OS Release 15.1R1 might fail after the image is pushed to the backup Routing Engine, and a vmcore might be created. PR1075232

  • On EX4300 switches, traffic might be lost for Layer 3 protocols (such as RIP, OSPF, BGP, and VRRP) during a nonstop system upgrade (NSSU). PR1065405

  • In Junos Space, the Junos OS Release 15.1R1 image for EX9200 switches is not mapped to the correct platform. As a workaround, in Junos Space, right-click the device image, and select ex-92xx in Modify device image. PR1090863

  • On EX9200 switches, during an in-service software upgrade (ISSU) from Junos OS Release 15.1R1 to Release 15.1R2, BGP and Layer 3 multicast traffic might be dropped for approximately 30 seconds. PR1116299

  • On an EX4300 Virtual Chassis and on EX8200 switches, when you perform an NSSU, there might be up to five seconds of traffic loss for multicast traffic. PR1125155

  • On EX4300 Virtual Chassis, NSSU is not supported from Junos OS Release 14.1X53-D35 to Release 15.1. PR1148760

Spanning-Tree Protocols

  • On EX4200 and EX4500 Virtual Chassis, in a scaled setup with 2k VLANs, multiple protocol sessions, and LAG interfaces, MSTP instances might not converge. We recommend that you have as few MSTIs as possible. PR1308944

  • On EX4550 Virtual Chassis, in a scaled Virtual Chassis environment, configuring more VSTP instances might lead to convergence issues. We recommend that you configure VSTP only when absolutely needed and that you put VLANs under RSTP. You can use MSTP if the VLANs can be grouped together under a single spanning-tree instance. PR1352986

User Interface and Configuration

  • On EX8200 Virtual Chassis, if you are using the Virtual Chassis wizard in the J-Web interface in the Mozilla Firefox version 3.x browser and select more than six port pairs from the same member to convert from VCPs to network ports, the wizard might display incorrect port conversion status. Also, if you double-click Next after deleting an active member in the Members page, the J-Web interface might stop responding. PR796584

  • If you uninstall the J-Web Platform package by using the CLI, reinstalling the Application package does not restore J-Web. PR1026308

Virtual Chassis

  • On an EX9200 Virtual Chassis, if you restart an FPC with Virtual Chassis ports (VCPs) and there are no other FPCs with VCPs, a Virtual Chassis split might occur and the backup FPC might show a machine check exception and create a Network Processing Card (NPC) core file. PR1083965

  • When two uplink or network ports are connected back to back on an EX3300 Virtual Chassis, there is a chance of unexpected behavior such as traffic looping, a member in the routing-engine role changing to the linecard role, or traffic loss on the ports that are connected back to back. PR1275115

  • If both members of a two-member EX4300 Virtual Chassis are shut down and only one member is powered on again, it will take about 10 minutes until this member transitions from linecard mode to master. PR1278105

  • In a Virtual Chassis composed of EX4200, EX4500, or EX4550 switches, if two member switches are already connected with a dedicated VCP link and a redundant VCP link is added between the two members using uplink ports converted into VCPs, traffic might loop in the Virtual Chassis. The issue can occur whether the redundant link is added intentionally or inadvertently due to miscabling, and whether the link is converted into a VCP link manually or by the VCP automatic conversion feature. As a workaround to stop the looping behavior, reboot the Virtual Chassis after adding the additional VCP link, or reboot the Virtual Chassis after correcting the miscabling and removing unintentional VCP settings.

    Note

    When enabled, VCP automatic conversion is invoked if the Virtual Chassis is preprovisioned, LLDP is enabled on the ports on both sides of the link, and the ports on both sides of the link are network ports that are not already converted into VCPs.

    PR1346438

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 15.1R7 for the EX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • On an EX4300 Virtual Chassis that is configured for 802.1X authentication, an invalid supplicant might remain in a connecting state instead of moving to a held state. PR1149008

  • On a dot1x-enabled interface, sometimes when you log in, log off, and then log in within a short interval (within subseconds), the logical interface plus the bridge domain or VLAN remain in a pending state, and you will not be able to access the network. As a workaround, restart the l2-learning process to recover the port/interface from the problematic state. PR1230073

General Routing

  • On EX Series switches that run Enhanced Layer 2 Software (ELS), when an interface is removed from a private VLAN (PVLAN) and then added back, the corresponding MAC entry might not be deleted from the Ethernet table. PR1036265

Layer 2 Features

  • On an EX9200-6QS line card, storm control might not work for multicast traffic. PR1191611

  • The dest-MAC validation feature uses MLP handshakes to detect stale destination-MAC addresses. If a stale MAC address is detected, the system automatically deletes it. The deletion of destination MACs does not cause traffic drops, as the next packet is flooded and valid MACs are relearned. On an EX9200 Virtual Chassis, MLP handshakes are occasionally dropped across Virtual Chassis members. This drop is random and occurs only when a source-MAC and its related dest-MACs are on different member chassis. This causes intermittent dest-MAC deletion and flooding; however, no packet drop results because of this. PR1249788

Security

  • On EX4300, EX4600, and QFX5100 switches, when a VLAN is mirrored, the mirrored packets might contain 38 additional bytes. The IP address in this packet is randomly generated and might appear as one of many existing, valid IP addresses on the Internet. It might appear as ERSPAN as well, which is a proprietary non-Juniper protocol. These addresses and packet types can be ignored. They might also appear as alerts in certain IDPs or IDSs and in packet analyzer applications; you can ignore these alerts as well. PR1170589

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: Release 15.1R7

Authentication and Access Control

  • On EX Series switches, captive portal authentication is used to redirect Web browser requests to a login page. After the client is successfully authenticated, there might be a delay of 1-3 minutes before captive portal redirects the browser to the login page, and sometimes the redirection might fail. PR1026305

  • On a dot1x-enabled interface, sometimes when you log in, log off, and then log in within a short interval (within subseconds), the logical interface plus the bridge domain or VLAN remain in a pending state, and you will not be able to access the network. PR1230073

  • In 802.1X (dot1x) single-supplicant mode, after username and password were configured on interfaces and dot1x supplicants were started, the users were authenticated with the Radius_DataVlan VLAN, but the Ethernet-switching table was not updated for one of the interfaces. PR1283880

  • In a Power over Ethernet (PoE) scenario that uses Link Layer Discovery Protocol (LLDP), the LLDP Power-via-MDI TLV and LLDP Media Endpoint Discovery (LLDP-MED) TLV will transmit the wrong power class type. PR1296547

  • On EX Series platforms, dot1x might stop authentication if continuous dot1x client reauthentication requests cannot be processed. PR1300050

  • If dynamic assignment of VoIP VLAN is used, the switch might not send the correct VoIP VLAN information in LLDP-MED packets after a configuration change and commit. PR1311635

  • On EX Series standalone switches or their Virtual Chassis with dot1x configured, there will be memory leaks for port-based network access control authentication (PNAC AUTH) in dot1xd. Once the memory block of PNAC AUTH used by dot1xd grows to its limit size, the switch might not process client authentications further, resulting in dot1x clients reauthenticating constantly. The dot1xd process always runs irrespective of configuration and as part of its initialization it tries to connect with authd; if authd is not running, then there is a memory leak in dot1xd. PR1313578

DHCP

  • On EX Series switches (except EX4300, EX4600, and EX9200), the switch cannot send DHCP option 2 when the extended DHCP local server is configured. The switch sends DHCP option 2 incorrectly when a traditional DHCP server is configured. PR1252437

  • On EX4200 Virtual Chassis, if dhcp-relay under forwarding-options helpers is configured along with bpdu-block and an interface configured with bpdu-block receives a BPDU and the interface is disabled and reenabled, a memory allocation issue might be seen that can lead to a memory exhaustion issue for DHCP relay. PR1259918

  • DHCP requests or discovers are duplicated between L2 interfaces on Junos OS Release 15.1R5. PR1268550

  • On all EX Series switches (except for EX4300, EX4600, and EX9200), in a DHCP relay with an option 82 scenario, the jdhcpd memory might leak if dhcp-relay with option 82 is configured. The messages are logged as follows and the process stops working: /kernel: Process (3126,jdhcpd) attempted to exceed RLIMIT_DATA: attempted 131076 KB Max 131072 KB. PR1277433

Hardware

  • On EX4200 platforms using PSU module EX-PWR3-930-AC, the PSU is not detected by the show chassis hardware command and is listed as “absent” in the show chassis environment command output. PR1256980

Firewall Filters

  • On EX4300 switches with the firewall loopback rule ip-options, only any is available for an ip-options match. PR1173347

Infrastructure

  • On EX4600 and EX4300 switches, when the system receives traffic in which the TTL is 1 and the DF bit is set (for example, a reply to a traceroute), the system replies with ICMP Destination Unreachable (Fragment needed) and MTU 0. PR1251523

  • When an EX4550-32T boots up, a 1G interface is up for 60 seconds, then turns down, and then turns up again a few seconds later. While the unexpected link up is seen, a peer device sends traffic to that port, causing a traffic black hole. PR1257932

  • On EX2200, EX3300, EX4200, EX4500, EX6200, and EX8200 switches and on jdhcpd relay for the IRB case, permanent ARP entries might be seen in the ARP table, even if for those entries there is no static MAC set and during the time of issue the connectivity to those hosts might be lost. PR1258489

  • On EX8200 switches, if a Layer 3 interface is configured with vlan-tagging, then the switch might use the wrong source MAC address when it routes traffic to this Layer 3 interface. PR1262928

  • Starting in Junos OS Release 13.2X50-D15, for EX Series Virtual Chassis (except EX4300, EX4600, and EX9200), when small UDP (<80 bytes) packets are forwarded between endpoints across a Virtual Chassis port (VCP) link, a certain UDP destination port gets black-hole traffic. PR1262969

  • No space in an EX8200 line card to save Packet Forwarding Engine manager (pfem) core files. PR1263024

  • In a mixed Virtual Chassis scenario (EX4500-40F with EX4200; EX4500-40F is a master), if a speed of 100 Mbps is configured on an EX4200 PIC interface of a Virtual Chassis member, then the configuration will not get applied on the interface as it is unsupported by the PIC. The speed remains 1000 Mbps on the interface. This issue is only seen on an EX4500-40F platform. PR1291992

  • On EX2200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 switches with DHCP snooping enabled, an sfid memory leak and core file might occur if a socket connection between the sfid and eswd fails. PR1303241

  • On EX2200, EX3300, EX4200, EX4500, EX4550, EX6200, or EX8200 switches or Virtual Chassis, when the ternary content-addressable memory (TCAM) is in an "out of memory space" condition, a pfem core file might be seen when you add a new route entry in the TCAM. PR1304299

  • On EX2200, EX3300, EX4200, EX4500, EX4550, EX6200, or EX8200 platforms, file system corruption might happen if bad blocks are in the flash or filesystem. The upgrade might fail. PR1317628

  • On an EX4600 switch, priority-based flow control (PFC) frames might not work. PR1322439

  • ifinfo core files might be created on EX4600 Virtual Chassis. PR1324326

  • On EX2200, EX3300, EX4200, EX4500, or EX4550 platforms, a high CPU load for the sfid process might be seen if a high rate of ARP packets is received (for example, 500pps) and IGMP snooping is enabled for that VLAN. PR1325026

  • Support for archiving a dmesg file; currently, only the Last reboot logs are recorded. PR1327021

  • On EX4200, EX4500, EX4550, and EX8200 Virtual Chassis, VLAN pruning might not work as expected and a VCP might have traffic flooding if the VCP flaps when VLAN pruning is enabled. PR1328294

  • VLAN translation (swap) is not working if the packet destination is the IRB interface of the translation switch. PR1342432

Interfaces and Chassis

  • If an interface on an EX4550-32T switch is configured with a fixed speed of 100 Mbps without autonegotiation, sometimes the interface does not come up, because the peer device that supports auto-MDI detects incorrectly, causing the link to go down. PR1235868

  • On EX4500 or EX4550 switches that have two routing instances configured with the same IP address, after you commit the configuration, you will get an IP address conflict in the configuration and the commit will fail. PR1256904

  • For EX Series switches, in a rare condition (for example: rebooting the switch or reloading configuration), the MAC address of an AE interface and its member links might be inconsistent, which causes unexpected behavior for some routing protocols. PR1272973

  • On EX Series platforms where MC-LAG with IPv6 is supported, the l2ald memory might leak for every IPv6 Neighbor Discovery Protocol (NDP) message that it receives from a peer MC-LAG. The leak does not free the memory allocated, causing l2ald memory exhaustion and an l2ald process crash. PR1277203

  • On a Virtual Chassis, when the master member FPC reboots and the interface on which the ARP is learned goes down along with the master FPC, traffic loss might be observed for about 10 seconds. At that time, the ARP entry cannot be learned from the remaining FPC. PR1283702

  • On EX4300 Virtual Chassis, when persistent learning with a mac-limit value of 1 is enabled on the interface, the switch might not forward the Internet Group Management Protocol (IGMP) report upstream to the router or any Layer 2 device connected through the interface. PR1285807

  • On EX4300 switches, filter-based forwarding (FBF) might not work properly after deactivating or activating. PR1293581

  • When a non-root user accesses the device via SSH, issues the load replace terminal CLI command, and attempts to replace the interface stanza in the same operation, the current CLI session might be terminated, leaving the user session hanging. PR1293587

  • On EX2200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 platforms, an eswd core file might be created if apply-groups is configured under interface-range. PR1300709

  • On EX4300 platforms, the FRU PSU removal and insertion traps might not get generated when the PSU is removed or inserted. PR1302729

  • On EX4300 platforms, OSPF packets with IEEE P-bit 6 might change to 0 while being received if OSPF is configured on VLAN-tagged Layer 3 interfaces or IRB interfaces. PR1306750

  • On an EX4300 platform with PIM and IGMP snooping enabled on an IRB interface, if an IGMPv2 report that creates a (*,G) entry is sent first, and then multicast data traffic for the same group is sent, the multicast receiver connected to the EX4300 might not be able to get the multicast streaming. PR1308269

  • On EX4300 Virtual Chassis, IGMP snooping might not learn a multicast router interface dynamically if PIM hello messages are received on the interface where IGMP snooping is configured. PR1312128

  • On EX4300 switch, if an interface with a 1G SFP port is configured with the no-auto-negotiation option, the interface might stay down after the switch reboots. PR1315668

  • On an Enhanced Layer 2 Software (ELS) platform, an l2cpd core file might be created if the interface is disabled under VSTP and then is enabled under RSTP, causing inconsistency in the spanning tree. PR1317908

  • On EX4300 Virtual Chassis, high latency might be observed between the master and another FPC if a traffic burst is received on the master every 3 to 4 seconds. PR1319795

  • On standalone EX4300 switches or EX4300 Virtual Chassis, if you configure an interface under the vlan stanza—for example, set vlans name interface ge-x/y/z.0—VLAN programming does not happen appropriately in hardware, possibly causing improper Spanning Tree Protocol (STP) convergence for certain VLANs. PR1320719

  • On EX4200 Virtual Chassis and EX4550 Virtual Chassis, if an aggregated Ethernet (AE) interface is configured with links on both master and backup members of the Virtual Chassis, Link Aggregation Control Protocol (LACP) failover might be delayed for too long when the member that has the active AE member link is rebooted. PR1322345

  • On an EX4300 platform, multicast traffic might not be forwarded to one of the receivers if IGMPv3 and IGMPv2 reports are received for the same group on the same VLAN. PR1323499

  • If an interface is configured as a member of an interface set, it may not work properly after an unrelated FPC (not the one where the interface resides) restarts. The affected FPC is the restarted one. PR1329896

  • On all Junos OS platforms with a LAG enabled, l2cpd might create a core file if set protocols layer2-control mac-rewrite or set protocols layer2-control bpdu-block is configured on any child members of the LAG. PR1325917

  • On EX4300 switches, if an interface is configured as a redundant trunk group (RTG) backup interface and multicast-router-interface is configured on the same interface under igmp-snooping, a loop might be generated between RTG interfaces and cause Internet Group Management Protocol (IGMP) packets to go out of the RTG backup interface. PR1335733

Layer 2 Features

  • The destination-MAC validation feature uses MLP handshakes to detect stale destination-MAC addresses. If a stale MAC address is detected, the system automatically deletes it. The deletion of destination MACs does not cause traffic drops, as the next packet is flooded and valid MACs are relearned. On EX9200 Virtual Chassis, MLP handshakes are occasionally dropped across Virtual Chassis members. This drop is random and occurs only when a source MAC and its related destination-MAC addresses are on different member chassis. This causes intermittent destination-MAC deletion and flooding; however, no packet drop results because of this. PR1249788

  • A memory leak might happen due to the eswd daemon on some EX Series platforms. A message like the following will be displayed in the system log: eswd[1330]: JTASK_OS_MEMHIGH: Using 212353 KB of memory, 158 percent of available /kernel: KERNEL_MEMORY_CRITICAL: System low on free memory, notifying init (#2). /kernel: Process (1254,eswd) has exceeded 85% of RLIMIT_DATA: used 114700 KB Max 131072 KB . PR1262563

  • On EX Series switches (except for EX4300, EX4600, or EX9200), in a Virtual Chassis scenario, a LAG interface with bpdu-block disabled might go into a down state after the master Flexible PIC Concentrator (FPC) switch is rebooted. PR1262703

  • On EX9200 switches, if a command such as set protocols rstp interface all edge is configured, all interfaces might go into bridge protocol data unit (BPDU) block, even if an interface is explicitly disabled under the [edit protocols rstp] hierarchy level. PR1266035

  • The eswd process might crash after doing an RE switchover in an EX Series Virtual Chassis scenario. The crash happens due to disordered processing of a VLAN or a vmember by eswd and L2PT modules. As the order of processing does not remain the same every time, the crash is random across the switchover. PR1275468

  • Configuration statements that were allowed in Junos OS Release 12.3 are invalid in Junos OS Release 14.1X53 and 15.1. As a result, when you upgrade an EX Series switch from Junos OS Release 12.3 to 14.1X53 or 15.1R1, the switch might lose its configuration and run in line-card mode or go to "amnesiac" mode. PR1281947

  • On EX Series platforms (except for EX4300, EX4600, or EX9200), the Multiple Spanning Tree Protocol (MSTP) might not be able to detect topology changes after a nonstop software upgrade (NSSU) process, which might lead to a packet loop. The topology change count is shown as 0 after that. PR1284415

  • When EX2200, EX3300, EX4200, EX4500, EX4550, EX6200, EX8200, or XRE200 platforms are configured with Spanning Tree Protocol and nonstop bridging (NSB), interface flapping (link up/down events) causes eswd memory leaks. PR1287184

  • In an x Spanning Tree Protocol (xSTP) scenario on EX4500 or EX4550 switches, some ports may not come up on PIC 1 or PIC 2 when the third PIC is inserted. PR1298155

  • An Ethernet ring protection switching (ERPS) route update fails during the addition of a new member to the ERPS-configured VLAN. PR1301595

  • In a Multiple VLAN Registration Protocol (MVRP) scenario with the no-dynamic-vlan related configuration statement configured, if one of the multiple access ports configured with the same VLAN on the access or edge node is deactivated or activated, then the corresponding VLAN on the aggregation or distribution node may be deleted improperly after the involved interface comes up. PR1311825

Network Management and Monitoring

  • After the reboot of the EX4600 Virtual Chassis, authentication of SNMPv3 users fails due to the change of the local engine ID. PR1256166

  • On EX2200, EX3300, EX4200, EX4500, EX4550, EX8200, or XRE200 platforms configured with sFlow and mac-radius authentication, MAC authentication requests might incorrectly be sent because transit DHCPv6 traffic is picked up by the sFlow agent. PR1298646

  • In EX2200, EX3300, EX4200, EX4500, and EX4550 platforms with a Virtual Chassis environment, the SNMP output for some SNMP values (for example, CPU, memory, temperature, and so on) might not be read anymore if the member ID is changed from (0,1) to different IDs. PR1299330

Platform and Infrastructure

  • An unauthenticated root login might be allowed upon reboot when a commit script is used. A commit script, which is configured under the [system scripts commit] stanza, allows a device administrator to execute certain instructions during commit. Refer to https://kb.juniper.net/JSA10835 for more information. PR1179601

  • On EX9200 platforms with MPC5E installed, in a high-temperature situation, the temperature thresholds for triggering the high temperature alarm and controlling fan speed are based on the FPC level. Any sensor values in the FPC that exceed the temperature threshold of the FPC trigger the actions associated with temperature thresholds. PR1199447

  • On EX4300 switches with redundant trunk groups (RTGs) configured, Layer 3 protocol packets, such as OSPF or RIP packets, might not be sent. PR1226976

  • On EX4300 switches, Dynamic Host Configuration Protocol (DHCP) with a PXE boot server is not working as expected due to a PXE unicast ACK packet drop. The communication between the DHCP client and PXE server might be affected. PR1230096

  • During bootup, EX4200, EX4550, and EX4300 switches might have no display or might display gibberish on the LCD. This is an LCD corruption issue. PR1233580

  • The egress PE device (EX4300) sends out LLDP frames toward the CE device with a destination MAC address that is a duplicated frame and is rewritten by the ingress (PE) device. PR1251391

  • On EX4300 switches, traffic is not forwarded through the GRE tunnel in some cases. PR1254638

  • On an EX4300 platform with power redundancy in the N+N mode, PoE interfaces flap when any power supply unit (PSU) is removed and only one PSU is left. PR1258107

  • On EX4300 Virtual Chassis, pfex might restart during a master reboot or during a nonstop software upgrade (NSSU) if the old master reboots at the end of NSSU phases. PR1258863

  • On EX4300 switches with flexible-vlan-tagging and extended-vlan-bridge configured, a traffic black hole might be observed if a VLAN ID for a logical interface does not match a VLAN ID for a VLAN configuration. PR1259310

  • On EX4300 Virtual Chassis, a 10-gigabit VCP might not get a neighbor after a system reboot. PR1261363

  • Users cannot use Secure Shell (SSH) or Telnet to access the switch, and sshd core files are generated. PR1266045

  • On Enhanced Layer 2 Software (ELS) platforms, due to a memory leak issue, the l2ald process might crash when many dot1x clients are being reauthenticated. PR1269945

  • On Virtual Chassis based on EX4300, EX4600, or EX9200 switches, the IRB interfaces that are only associated with physical interfaces on the master do not turn down when the master is rebooted or halted. PR1273176

  • The jdhcpd process might generate a core file due to a memory leak if Dynamic Host Configuration Protocol (DHCP) security is enabled, and then DHCP relay might stop working. As a result, a DHCP client might not get an IP address from the DHCP server. PR1273452

  • On EX4300 and EX4600 platforms, with DHCP relay traffic flowing, CPU usage of pfex_junos might go high. The issue might be seen if the DHCP relay function is on and DHCP relay packets are received continuously. PR1276995

  • Starting in Junos OS Release 15.1R3, the 40-gigabit link with SR4 transceivers on an EX4550 device will fail to come up after a PIC offline or online event or a link up and down event. PR1281983

  • On EX4600 switches, if an interface is configured with a speed of 100 Mbps explicitly and no-auto-negotiation, the interface might be down after a reboot. PR1283531

  • On EX4200 Virtual Chassis, there is a memory leak for the chassisd process. PR1285832

  • On EX2200 switches, when a redundant power system (RPS) is connected and not powered on, the small form-factor pluggable (SFP) interface might flap and this has an impact on traffic forwarding. PR1307748

  • On EX3300 platforms, when a network port is used for a Virtual Chassis port, it does not work properly. Once it goes down, it does not come up even though it is physically correct. This issue has been seen only on network ports and this issue has service impact. PR1310819

Routing Protocols

  • An rpd core file might be generated if there is a high load in the system when an OSPF area is removed internally. PR1199629

  • On EX4600 switches, when a new filter-based forwarding (FBF) firewall filter is applied on an integrated routing and bridging (IRB) interface that is not a Layer 3 interface, or while binding or unbinding the FBF filter on Layer 3 interfaces, the FXPC might hit 100 percent CPU usage. PR1263896

  • On Junos OS-based platforms with IS-IS enabled, a slow memory leak is caused when IS-IS processes update (the more updates or link flaps, the faster the leak). The available memory may run low due to this memory leak, eventually resulting in the system hanging or halting on both the master and backup. PR1283272

  • When an incorrect IP address is duplicated with an existing address on a common subnet and is configured, it is expected that Open Shortest Path First (OSPF) forms an adjacency. After removing the wrong configuration, OSPF neighbors can form an adjacency (full state) and the entire database can be received. However, the OSPF routes cannot be installed to the routing table, and the corresponding traffic cannot be forwarded until the link-state advertisement refresh timer expires. PR1316348

Security

  • On EX4600 switches, when LACP is configured together with MACsec, the links in the bundle might not all work. Rebooting the switch might solve the problematic links but might also create the same issue on other child interfaces. PR1093295

  • On EX4600 standalone switches and Virtual Chassis, MACsec connections are deleted randomly after a switch reboot, optics removal, deactivation or activation of a MACsec configuration, or fxpc process restart. PR1234447

  • After the MACsec session flaps, data traffic sent over the MACsec-enabled link might not be properly received, and the receiving device might report the received frames as framing errors in the output of the show interfaces command. PR1269229

  • On EX2200, EX3300, EX4200, EX4500, EX4550, EX6200, or EX8200 platforms with DHCP snooping enabled, when the switch gets rebooted and the DHCP daemon attempts to fetch the DHCP snooping binding database before the interfaces come up, the DHCP snooping binding database might fail to be fetched from the TFTP server. PR1318374

Software Installation and Upgrade

  • On EX9200 switches, if unified in-service software upgrade (ISSU) is used to upgrade Junos OS, it is possible that an unnecessary thread would run on a Flexible PIC Concentrator (FPC) after the upgrade procedure. This thread could potentially enter into a loop and trigger a stop of forwarding traffic on that particular FPC. PR1249375

  • Upgrading EX8200 Virtual Chassis through NSSU from any Junos OS Release 15.1Rx branch or to a Junos OS Release 15.1Rx branch might not be successful. PR1305813

  • Configuration validation support is added for EX4500 and EX4550 switches. PR1313501

Spanning Tree Protocols

  • On EX8200 platforms with dual Routing Engines, after both Routing Engines are rebooted at the same time with any STP protocol configured, the port might continue to stay in a blocking state if it continues to receive BPDUs from the peer end. PR1305954

  • On EX Series switches (except for EX4300, EX4600, or EX9200), the VoIP interfaces might be blocked by Rapid Spanning-Tree Protocol (RSTP) if the voice VLAN is running VLAN Spanning Tree Protocol (VSTP) and the data VLAN is running RSTP. PR1306699

System Management

  • If you issue the command request system snapshot on a Virtual Chassis, some Virtual Chassis members might go down if traceoption or syslog is enabled. This might occur because of a snapshot copy causing a CPU-busy condition with multiple kernel errors and also the Virtual Chassis Control Protocol (VCCP) adjacency going down. PR1180386

  • On EX2200, EX3300, EX4200, EX4500, and EX4550 platforms, typing boot -s after the loader prompt can start up the system in single-user mode. Users can set up password recovery in that mode. If boot -s is typed after the loader prompt in Junos OS Releases 15.1R1 through 15.1R6, the system does not go into the single-user mode but reboots from the alternate slice. PR1265386

Virtual Chassis and Virtual Chassis Fabric

  • When you add an EX4300 switch to a VCF, the following error message is seen: "ch_opus_map_alarm_id alarm ignored: object 0x7e reason". PR1234780

  • When the linecard role FPC is removed and rejoined to the Virtual Chassis immediately, the LAG interface on the master or backup would not be reprogrammed in the rejoined FPC. PR1255302

  • On an EX4550 switch in a Virtual Chassis configuration, the fast-failover function for a VCP will work properly when you initially add this configuration. However, if the device is rebooted, the function would not take effect next time. PR1267633

  • On EX Series switches (except for EX4300, EX4600, or EX9200), packet drops might be seen during the failover or switchover from the master switch to the backup switch in a Virtual Chassis, due to the delay in ARP updates during the failover or switchover of the master Routing Engine. PR1278214

  • On EX4300 FRUs, the removal or insertion trap is not generated for non-master (backup or line card) FPCs. PR1293820

  • On EX2200, EX3300, EX4200, EX4500, EX4550, or EX8200 Virtual Chassis platforms, the interface MAC address might not be restored after the configuration is deleted or rolled back, possibly causing the hardware address and the current address to not be the same. PR1319234

Resolved Issues: Release 15.1R6

Authentication and Access Control

  • On EX9200 Virtual Chassis, MAC address learning might fail on an authenticated interface assigned to the voice VLAN by dynamic VLAN assignment in single-secure mode. PR1212826

  • On EX4200 switches, in some scenarios, the thirty-sixth port in a captive portal configuration is not redirecting to the URL as configured. This problem is seen with set system services web-management https system-generated-certificate configured. PR1217743

  • On EX9200 switches, a MAC address corresponding to an authenticated session (dot1x) might age out as soon as traffic is not received from this MAC address for more than a few seconds (approximately 10 seconds). This leads to deletion of the authenticated session and a corresponding traffic loss. As a workaround, you can prevent the session deletion by configuring the no-mac-binding statement on the dot1x configuration:

    PR1233261

  • On an EX4300 switch or Virtual Chassis with 802.1X (dot1x) enabled, in a scenario with more than 254 clients (supplicants), many of the clients might be going to the server-reject VLAN and have limited access to the server-reject VLAN although the clients have correct credentials. For a few authenticated clients, the authentication method might be displayed as Server-Reject although the client was authenticated in the data VLAN. PR1251530

  • On EX3300 switches, an AUTHD core file is created every time with authentication. PR1241326

Dynamic Host Configuration Protocol (DHCP)

  • On EX4300 switches with DHCP relay configured, DHCP return packets—for example, DHCPREPLY and DHCPOFFER—that are received across a GRE tunnel might not be forwarded to clients, which can impact DHCP services. PR1226868

High Availability (HA) and Resiliency

  • On EX4300 and QFX Series Virtual Chassis, when a switchover with GRES enabled is performed, this warning might appear: All Packet Forwarding Engines are not ready for RE switchover and may be reset. PR1158881

  • On EX4600, QFX3500, and QFX5100 Virtual Chassis, VRRP might be preempted in case of a priority tie, but functionality is not impacted. PR1204969

Infrastructure

  • On EX4300 switches, starting in Junos OS Release 15.1R3, a pfex_junos core file might be created when you add or delete a native VLAN configuration with flexible-vlan-tagging. PR1089483

  • On EX4300 switches, if you configure a firewall filter on a loopback (lo0) interface to accept BGP flow, with an OTHER term that has the discard action, and the switch then receives host-inbound traffic to the Routing Engine with the designated TCP port 179, existing BGP sessions might go down. PR1090033

  • If you use the request system snapshot slice alternate command on EX2200 and EX3300 switches, a timeout error might occur and prevent completion of the file copy. The error message error: timeout waiting for response from fpc0 is displayed when the timeout value expires before the files are copied. PR1229520

  • When you load and commit a configuration on an EX2200 or EX3300 switch, the system might automatically go into db mode. As a result, you might not be able to access the switch through SSH, and a vmcore file is generated. PR1237559

  • On EX4500 Virtual Chassis, there is a busy condition where the device reports incorrectly that PIC 3 has been removed. As PIC 3 is not hot-swappable, this condition should not be allowed. If this situation arises, then the device attempts to clear this illegal state by crashing chassisd. PR1238981

  • EX Series switches running the ESWD process might not learn MAC addresses after a reboot if a duplicate Interface index is seen. The show ethernet-switching interfaces detail | match Index command can be used to confirm if each interface is showing a duplicate Interface index or if the same index is provided to two different ports. This issue is seen intermittently after a reboot when the count of Number of VLANs * Number of Ports carrying VLANs is in multiples of thousands. PR1248051

  • On EX2200-C switches, the switch might show the Failed state for an item when you issue the show chassis environment operational command. This issue does not have service or traffic impact. PR1255421

Interfaces and Chassis

  • On EX4300 switches, multicast traffic might be dropped after an IGMP join is received on an MC-LAG interface. PR1167651

  • On EX Series Virtual Chassis that support PoE, when the master Routing Engine member is rebooted, PoE devices connected to the master might not come back online after the reboot. As a workaround, when configuring PoE interfaces, use the set poe interface all configuration command instead of configuring specific interfaces individually. To recover connections after seeing this issue, disable and reenable the ports with the issue. PR1203880

MPLS

  • If an EX9200 switch is configured as a PE router connected to a multihomed site in an EVPN/MPLS network, RPD core files might be created on the EX9200 when more than 255 logical interfaces from the same physical interface/ESI are added to the virtual switch instance configuration. Then some logical interfaces are removed from the ESI (that is, rollback of the configuration). PR1251473

Multicast Protocols

  • IGMP snooping is for IPv4 and should not affect IPv6 multicast traffic. On EX4300, EX4600, and QFX5100 switches in a Virtual Chassis configuration, IPv6 multicast packets might be affected and not be flooded in a VLAN if IGMP snooping is enabled and the ingress interface is on a different FPC than the egress interface. PR1205416

  • On EX3300 and EX8200 switches, IGMP-snooping host routes might be retained after IGMP snooping has been deactivated. PR1231751

Network Management and Monitoring

  • On EX4300 switches with sFlow configured, some harmless log messages regarding sFlow might be seen continuously. PR1116568

  • Despite the EX4300 switch or the QFX5100 switch being configured with the network analytics feature, the analytics process might not run. As a result, the network analytics feature might be unable to collect traffic, queue statistics, and generate reports. PR1165768, PR1184720

  • On EX4600 switches, when temperatures for FPCs are polled, the temperatures might not be polled for all SNMP members. PR1232911

Platform and Infrastructure

  • On an EX4300 switch, aggregated Ethernet interfaces do not display statistics for logical interfaces. PR984998

  • On an EX4300 switch with Bidirectional Forwarding Detection (BFD) configured, the BFD packets might be forwarded to the best-effort queue (queue 0) instead of to the network-control queue (queue 3). When queue 0 is congested, the BFD session might flap continuously. PR1032137

  • On EX4300 switches and EX4300 Virtual Chassis, PIM register messages are not forwarded to a rendezvous point (RP) when the RP is not directly connected to the first-hop router of the multicast source. PR1134235

  • An EX4300 switch might drop packets received on a Layer 2 interface (for example, set interfaces ge-1/0/24 unit 0 family ethernet-switching) under the following conditions: (1) The interface is divided into one or more Layer 3 subinterfaces (for example, set interfaces ge-1/0/24 unit 30 family inet address 10.0.0.254/24). (2) The destination MAC address in the packet matches the MAC address of the Layer 3 subinterface in the routing table and in MY STATION TCAM. PR1157058

  • On an EX4300 Virtual Chassis with Q-in-Q enabled, when vlan-id-list is configured on a C-VLAN interface and, for example, if the VLAN range vlist element is in [1-3] or [5-50], C-VLAN traffic is not sent properly across the Q-in-Q network from the C-VLAN interface. PR1159854

  • On EX4300 switches with IGMP snooping enabled with flexible-vlan-tagging configured on ingress and egress interfaces for passthrough multicast traffic, IGMPv2 membership report messages might not be forwarded from the receiver to the sender. PR1175954

  • On EX4300 switches and EX4300 Virtual Chassis, Hot Standby Router Protocol (HSRP) packets might be dropped in a VLAN if IGMP snooping is configured. As a workaround, configure the switch to flood multicast 224.0.0.2. PR1211440

  • On an EX4300, if you install a firewall filter with filter-based forwarding rules to multiple bind points, it might exhaust the available TCAM. In this case, the filter is deleted from all the bind points. You can work around this issue by applying the filter to the bind points with a series of commits, applying the filter to some of the bind points with each commit. PR1214151

  • On EX4300 switches, EBGP packets with ttl=1 and non-EBGP packets with ttl=1, whether destined for the device or even transit traffic, go to the same queue. In the event of a heavy inflow of non-EBGP ttl=1 packets, occasionally valid EBGP packets might be dropped, causing EBGP to flap. PR1215863

  • When the set vlans vlan-name interface all configuration is used on EX4300, EX4600, or QFX Series switches, the Junos OS device control process (dcd) might crash as this is an unsupported configuration option on these platforms. PR1221803

  • On EX Series switches except EX4300, EX4600, and EX9200 switches, Over temperature SNMP traps are sent when the CPU temperature gets higher than the bad fan temperature threshold even when there are no bad fans in the chassis. PR1226388

  • On EX4300 switches, if a Layer 3 interface receives a frame with the CFI/DEI bit set to 1, this frame might be dropped and not be processed further. PR1237945

  • At startup, occasionally the SFP+ ID EEPROM read fails and as a result, the SFP+ module is not recognized. As a workaround, reseat the unrecognized SFP+; for an unattended device, issue another system reboot. PR1247172

  • On EX4300 switches, problems with connectivity might arise on 100M interfaces set to full duplex and half duplex or on 10M interfaces set to full duplex or half duplex. The links appear, but connectivity to end devices might not work. The port does not transmit packets even though port statistics show packets as transmitted. As a workaround: (1) Move the device to a different port. (2) Set the port to negotiate and connect a device that will autonegotiate to 1 G, full duplex; then reset the port to 10/100 full duplex or half duplex and reconnect the device. (3) Restart the pfex process. PR1249170

Port Security

  • On EX2200 and EX3300 switches, ARP requests might be dropped when IP source guard is enabled and 802.1X (dot1x) authentication assigns a new dynamic VLAN to the client MAC. PR1169150

  • High CPU caused by fxpc can lead to MACsec session drops. PR1247479

Routing Policy and Firewall Filters

  • On EX Series switches other than EX9200, EX4300, and EX4600 switches, if a static MAC entry and a static ARP entry are configured, an incorrect firewall filter counter value might be displayed in command output. PR1159940

  • On EX8200 Virtual Chassis, if you configure scaled firewall filters and if total terms with its own match conditions across all these filters exceed TCAM space, and you configure examine-dhcp, traffic will drop. PR1215704

  • On EX9200 switches, if a firewall filter that has action tcp-reset is applied to an IRB interface, action tcp-reset does not work properly. PR1219953

Software Installation and Upgrade

  • On EX9200 switches, after an ISSU is performed, storm control takes effect only after you delete the storm control configuration and then re-create it. PR1151346

User Interface and Configuration

  • On an EX Series switch that is supporting the zeroize feature, after the switch is booted up from request system zeroize and then a configuration is saved, the saved configuration won't be restored after the switch is rebooted. PR1228274

Virtual Chassis

  • On EX4300 Virtual Chassis, a message such as /kernel: %KERN-5: tcp_timer_keep: Dropping socket connection due to keepalive timer expiration might be seen repeatedly. There is no service impact from the condition that causes the message (a Packet Forwarding Engine timeout trying to connect to a process that is not active). As a workaround, you can use a system-logging (syslog) filter to mask the messages. PR1209847

  • On member switches in an EX Series Virtual Chassis, the request virtual-chassis vc-port set CLI command allows specifying an invalid or nonexistent Virtual Chassis port (VCP) interface name. An entry with the invalid VCP interface name is added to the database, and the CLI command show virtual-chassis vc-port displays these entries with the invalid VCP interface names, but these entries cannot subsequently be removed. PR1215004

  • OID jnxFruState disappears after one of the members of the Virtual Chassis is rebooted on EX2200, EX3300, EX4200, EX4500, or EX4550 Virtual Chassis. PR1221943

Resolved Issues: Release 15.1R5

Authentication and Access Control

  • On EX4200 and EX4300 switches, dot1x server fail might not work as expected. PR1147894

  • On EX9200 and EX4300 switches, 802.1X supplicants might not be reauthenticated by server fail fallback authentication after the server becomes reachable. PR1157032

  • On EX9200 switches, captive portal services might not work on a switch running under Junos OS Release 15.1R4. PR1191640

  • On EX4300 and EX9200 switches, in dot1x scenarios where the single-supplicant mode, mac-radius, and the server-fail deny or no server-fail action are configured, the supplicant authentication sessions might not recover after the Quiet While timer expires, once they enter the Held state. As a restoration workaround, disable and enable the interface to bring the authentication session back to the Connecting state. PR1193944

Infrastructure

  • On EX8200 switches, the pfem process might crash and generate a core file. This might impact traffic. PR1138059

  • On QFX5100 and EX4600 switches, in a rare timing condition, if there was already a request to gather some info from the QSFP and remove it at the same time, the packet forwarding engine manager (fxpc) might crash. PR1151295

  • On EX2200-C switches, during a software upgrade to Junos OS Release 14.1X53-D35 or 15.1R3, the error messages Triggering freezing circuitry or Triggering overheat circuitry might be generated after rebooting, and then the switch shuts down. PR1183631

  • On an EX8200 Virtual Chassis, doing Routing Engine failovers before booting up the line cards might cause the VLAN interface MAC address to be automatically and incorrectly set to 00:00:00:00:00:01. PR1185678

  • On EX4300, EX4600, QFX3500, QFX3600, or QFX5100 switches with vlan-rewrite configured on an AE interface, a VLAN rewrite might fail and result in traffic loss. PR1186821

  • On EX9200 switches, periodic packet management (PPM) core files might be generated following a commit. This happens only on a large-scale setup, when the logical interface number of PFE exceeds 64. PR1187104

  • On EX4200 Virtual Chassis, when an interface flaps and it has hold-time up configured over a long period of time (for example, 16 days), a chassis manager (chassism) process memory leak might occur due to the incorrectly accumulated task timer. About 128 bytes of the process leak every time the memory leak is triggered. PR1188403

  • On EX4300 switches, VLAN rewrite does not work on aggregated links. PR1194585

  • On an EX4600 switch, when you remove the 40GBASE-ER4 QSFP+ module, the show chassis hardware command still shows that the module is inserted. PR1208805

  • On EX4200 switches and Virtual Chassis, firewall filters with syslog might not work, because as part of packet processing, packets were incorrectly mapped to the ppmd queue instead of the DFW queue. PR1208491

  • On EX4200 Virtual Chassis or EX4500 or EX4550 Virtual Chassis, the Packet Forwarding Engine might not update learned MACs to an RTG active interface after RTG failover. This issue is seen with RTGs that are configured across FPCs in a Virtual Chassis setup. PR1208491

  • On EX2200-C switches, the alarm Major Management Ethernet Link Down is not properly generated in cases of management link failure. PR1209323

Interfaces and Chassis

  • If an EX4550-32F switch in a Virtual Chassis reboots and comes online, LACP interfaces on any member of the Virtual Chassis might go down and not come up. PR1035280

  • On EX Series switches except EX9200, EX4300, and EX4600, if PoE is configured, when one IP phone is connected with a PoE interface, the phone cannot receive PoE power from the switch. PR1174025

  • PoE might not work on all EX4300 ports on a mixed-mode Virtual Chassis (mixed-mode EX4600 and EX4300 or mixed-mode QFX5100 and EX4300). PR1195946

  • On EX4200 and EX4550 switches, on which you can configure mdi-mode manually, the mode does not work properly with 15.1 releases. PR1216549

Layer 2 Features

  • If an EX2200 switch is configured as a part of an ERPS ring, deactivating or deleting the ERPS configuration might cause traffic to stop forwarding through one or more VLANs. PR1189585

  • An EX Series switch might not process ERPS PDUs that are received from other nodes. This could lead to the ERPS ring not operating correctly. PR1190007

  • On EX4300 Virtual Chassis, a Layer 2 interface might not be associated with the default VLAN after you add the interface to the ethernet-switching family. PR1192679

  • On EX9200, EX4300, EX4600, QFX3500, QFX3600, and QFX5100 switches, if 'set protocols xstp interface all edge' is configured in combination with 'set protocols xstp bpdu-block-on-edge', interfaces do not go down (Disabled - Bpdu-Inconsistent) when they receive BPDUs; they transition to non-edge. If an interface is configured specifically with 'set protocols xstp interface interface-name edge', then when that interface receives a BPDU, it goes down or transitions into Disabled - Bpdu-Inconsistent correctly. As a workaround, configure 'set protocols layer2-control bpdu-block interface all'. PR1210678

Layer 3 Features

  • On a switch that has secure-access-port configured, when you change the MTU size of interfaces and commit, VRRP sessions might flap between the VRRP master and backup. PR1163652

  • On EX2200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 switches, when VRRP configuration changes from ethernet-switching to inet family and vice-versa, then the local IP of the master VRRP switch cannot be reached on the backup VRRP switch and vice-versa. Virtual IP is always reached on both switches. PR1171220

MPLS

  • On EX4600 switches, when traffic enters an MPLS interface and is destined to the loopback interface in the routing instance, the firewall filter might not work properly. PR1205626

Platform and Infrastructure

  • If you use the load replace command or the load merge command to configure a device and have included an annotation just before a delete action in the loaded configuration file, the management daemon (mgd) might create a core file. PR1064036

  • On EX4300 Virtual Chassis, if a Q-in-Q S-VLAN interface with MC-LAG is configured, when a backup EX4300 is acting as master, the connection to the management IP address through the interface might be lost, causing a management traffic loss. PR1131755

  • On EX4300 switches, when xSTP is configured, if you unplug and then plug in one loopback cable between ports of different FPCs, an interface might go down and a BPDU error might be detected on this port, causing traffic to drop on another egress port. PR1160114

  • On EX4300 switches, when DHCP security is enabled on a VLAN, unicast packets (for example, DHCP Offers and ACKs) might be forwarded to all ports in the VLAN. PR1172730

  • On EX4300 switches, if an Ethernet port receives a frame with a CFI/DEI bit set to 1, then this frame would not be bridged to an untagged (access) port; it could be bridged to a trunk port. PR1176770

  • When IGMP snooping and storm control are enabled, EX Series switches are supposed to forward traffic with destination IP address 224.0.0.0/24 to all ports on a VLAN. But for EX4300, except for the well-known addresses in this range—for example, 224.0.0.5/6 for OSPF, 224.0.0.20 for VRRP—all other multicast traffic with a destination in 224.0.0.0/24 is dropped. PR1176802

  • If you upgrade the Power over Ethernet (PoE) firmware on a member of an EX4300 Virtual Chassis, the PoE firmware upgrade process might fail or get interrupted on that member switch. You can recognize that this problem has occurred if the member switch is not listed in the command output when you issue the "show poe controller" command. The problem is also indicated if you issue the "show chassis firmware detail" command and the "PoE firmware" version field is not shown in the output or has a value of 0.0.0.0. PR1178780

  • On EX4300 switches, if there is a mismatch in the speed configuration between two interfaces, the link might be autonegotiated to half-duplex mode instead of full-duplex mode. PR1183043

  • On EX4300 switches configured with dscp and 802.1p rewrite rules on an interface, if you delete 802.1p rewrite-rules from the interface, the 802.1p rewrite might still happen along with the dscp rewrite. PR1187175

  • On EX4300, EX4600, and QFX Series switches with VSTP enabled for multiple VLANs and participating in a VSTP topology, when BPDU packets are received on the Packet Forwarding Engine from other switches, the switch sends BPDU packets to the Routing Engine for further VSTP computing. But, in rare cases, the switch might not send VSTP packets for all VLANs to the Routing Engine. For example, for a VLAN, BPDU packets are not reaching the Routing Engine, even though VSTP is enabled for that VLAN. This will result in this VLAN considering itself the root bridge and advertising itself as the root bridge and sending BPDUs to other VSTP switches. Other switches might block related ports. PR1187499

  • On EX Series Virtual Chassis, a next-hop change message might not be sent from the Routing Engine when a LAG member is added or deleted, and hence packets are dropped in the Packet Forwarding Engine, as the next hop is not updated properly. PR1201740

  • When seating an SFP in an operating EX4300 switch, sometimes the SFP would be recognized as unsupported or as an SFP+-10G. The cause is that the switch reads the EEPROM information of the SFP before waiting long enough for SFP initialization. PR1202730

  • On EX4300 switches, if you activate DHCP security features for IPv6, a JDHCPD core file might be generated. PR1212239

  • On an EX9200 switch, with a services REST configuration, after a reboot, the configuration is not applied and SSH stops working. PR1212425

  • 1G fiber link ports might be down with MACsec configured on EX4300 switches when the switch is rebooted. PR1172833

Routing Protocols

  • On EX4300 Virtual Chassis with IGMP snooping enabled, when IGMP hosts subscribe to the same group, IGMP queries might not go through between a member in the linecard role and the master. PR1200008

Spanning-Tree Protocols

  • On EX Series switches except for EX4300, EX4600, and EX9200, while the switch is processing an xSTP-disabled interface with a BPDU block configuration, current code flow might set the bpdu_control flag for RSTP-enabled interfaces as well. This might result in RSTP-enabled ports becoming blocked when they receive a BPDU. PR1185402

  • On EX9200, EX4300, EX4600, QFX3500, QFX3600, and QFX5100 platforms, when any type of spanning tree (STP, RSTP, MSTP, or VSTP) is configured, the MAC address part of the bridge ID might be set to all zeros (for example, 4096.00:00:00:00:00:00) after you power cycle the device without issuing the request system halt command. As a workaround, issue the restart l2-learning command. PR1201493

Resolved Issues: Release 15.1R4

High Availability (HA) and Resiliency

  • On EX4300 Virtual Chassis, after a nonstop software upgrade (NSSU), the master might detect the backup coming up after the upgrade and reprogram the trunk, even though the backup member links are down. Traffic might drop when the master tries to push the traffic through trunk members that have not yet come up. Traffic resumes after the links come up. PR1115398

  • On EX4300 Virtual Chassis, traffic loss might occur for about 10 seconds when the master leaves the Virtual Chassis for upgrade. PR1173754

Interfaces and Chassis

  • On EX2200 switches, in Ethernet ring protection switching (ERPS) configurations, no VLAN is included in data-channel if data-channel is not explicitly configured, and a MAC flush does not happen for any data VLAN while the switch receives an SF signal, which might cause a traffic issue before the MAC address ages out. PR1152188

  • On EX2200 switches, in an ERPS configuration, many SF (signal failure) packets might appear in a link-end ring node during a link failure that existed for a short time. PR1169372

  • On EX4300 Virtual Chassis, Layer 2 multicast might not work properly when both Layer 2 and Layer 3 entries are present for the same group on two different integrated routing and bridging (IRB) interfaces. PR1183531

Network Management and Monitoring

  • On EX9200 switches, ingress sFlow samples of packets routed on an integrated routing and bridging (IRB) interface might be dropped. PR1147719

  • On EX9200 switches, an sFlow flow sample with an incorrect frame length value in a raw packet header might be generated for frames larger than 128 bytes, and traffic volumes calculated based on frame length and sampling rate values in the sFlow collector might be inaccurate. PR1152275

  • On EX9200 switches, eventd might run out of memory and crash because of excessive kernel logging. PR1162722

Platform and Infrastructure

  • On EX4500, EX4550, EX6200, and EX8200 switches, if you replace a 1-gigabit SFP transceiver with a 10-gigabit SFP+ transceiver on one port, the adjacent port might go down. For example, if you install an SFP transceiver in each of port-0/0/36 and port-0/0/37, and replace each SFP transceiver with an SFP+ transceiver in port-0/0/36 and port-0/0/37, then port-0/0/36 might go down during the insertion of the SFP+ transceiver in port-0/0/37. PR1073184

  • In an EX8200 Virtual Chassis in which the external Routing Engine (XRE200) has two DC power supplies installed, when one power supply fails, no logs or SNMP traps are generated. PR1162165

  • If a configuration is pushed to an EX Series switch using Zero Touch Provisioning (ZTP), then after a subsequent reboot, the configuration might be deleted. PR1170165

  • On EX3300 and EX4200 switches, after the request system zeroize media command has been executed, J-Web might stop responding. PR1177214

  • On an EX4300 switch or Virtual Chassis, the chassisd daemon might get stuck and become unresponsive. If you issue a chassisd-related show command, the command returns the error message error: the chassis-control subsystem is not responding to management requests. PR1038830

  • On ARM platforms such as EX3300 switches, configuring internal IPsec security associations containing the authentication hmac-sha2-256 might throw a kernel alignment exception. PR1149565

  • On EX4300 switches, if IGMP snooping is enabled, packets with destination 224.0.0.0/24 might be dropped, except for well-known addresses (for example, 224.0.0.5/6 for OSPF). PR1167859

  • On EX4300 switches, ICMP-tagged packets might transit the egress interface of a PVLAN access port. PR1169116

Software Installation and Upgrade

  • On EX8200 Virtual Chassis, traffic might be lost for multicast and Layer 3 protocols (such as RIP, OSPF, BGP, and VRRP) during a nonstop software upgrade (NSSU). PR1185456

  • On EX6200 switches, multicast traffic and Layer 3 protocol traffic (such as RIP, OSPF, BGP, and VRRP) might be lost during a nonstop software upgrade (NSSU). PR1185816

  • On EX8200 switches, multicast traffic might be lost during a nonstop software upgrade (NSSU). PR1185888

Spanning Tree Protocols

  • On EX4300, EX4600, and EX9200 switches, when root guard is in effect or cleared, the appropriate system log messages might not be displayed. PR1176240

User Interface and Configuration

  • On a device configured with an SSH public key for which the string buffer size exceeds 1 Kb, if you load the configuration by using the load override command, the management daemon (mgd) might create a core file. PR1153392

Virtual Chassis and Virtual Chassis Fabric (VCF)

  • On EX3300 Virtual Chassis, the vcp-snmp-statistics configuration statement is not listed in the [edit virtual-chassis] hierarchy. PR1178467

Resolved Issues: Release 15.1R3

Note

Some resolved issues at Release 15.1R3 apply to both QFX Series and EX Series switches. Those shared issues are listed in the QFX Series Resolved Issues: Release 15.1R3 section.

Authentication and Access Control

  • On EX2200 switches, if you issue the CLI command request system services dhcp release interface-name, an IP address release message DHCP packet is sent from the client and processed at the server. At the same time, the client clears the IP address on the same interface, and the clearance of the IP address on the interface leads to the acquisition of a new IP address from the server. If you then issue the CLI command show system services dhcp client interface-name, the output of this operational command indicates that the command had no impact. PR1072319

  • On an EX2200 or EX3300 switch on which Dynamic Host Configuration Protocol (DHCP) relay is enabled, when a client requests an IP address, the system might generate a harmless warning message such as: /kernel: Unaligned memory access by pid 19514 [jdhcpd] at 46c906 PC[104de0]. PR1076494

  • On EX9200 switches, when 802.1X (dot1x) authentication is configured, the show dot1x authentication-failed-users command output might not show the Failure Count attribute correctly. PR1080451

  • On EX Series switches, if 802.1X authentication (dot1x) is configured on all interfaces, an 802.1X-enabled interface might get stuck in the Initialize state after the interface goes down and comes back up, and 802.1X authentication fails. Also, if 802.1X authentication (dot1x) is configured on all interfaces and the no-mac-table-binding configuration statement is configured under the [edit protocols dot1x authenticator] hierarchy level, the dot1x process (dot1xd) might generate core files after it is deactivated and then reactivated, and 802.1X authentication might be temporarily impacted until the process restarts automatically. PR1127566

  • On EX Series switches, the use-option-82 statement under the [edit ethernet-switching-options secure-access-port vlan vlan-name dhcpv6-option18] hierarchy might not work as expected after you commit the configuration. PR1146588

  • On EX4300 switches, if you change the server-fail VLAN, all authenticated supplicants are disconnected. They are then authenticated again, and during this disconnection and reconnection, there is a service impact for three to four seconds. PR1151234

Dynamic Host Configuration Protocol

  • On EX9200 switches, DHCP snooping and related access security features ARP inspection, IP source guard, Neighbor Discovery inspection, and IPv6 source guard, are not supported at the [edit logical-systems logical-system-name vlans vlan-name forwarding-options dhcp-security] hierarchy level. PR1087680

High Availability (HA) and Resiliency

  • On EX8200 switches, a nonstop software upgrade (NSSU) might fail during the master Routing Engine upgrade step, and an NSSU process might abort with this message: mgd: unable to execute /var/etc/reboot.ex: Authentication error. PR1122628

Infrastructure

  • On EX2200 switches, system log messages might display IP addresses in reverse order. For example, an ICMP packet from 10.0.1.114 to 10.0.0.7 might be displayed in the log as: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0 R icmp 114.1.0.10 7.0.0.10 0 0 (1 packet). The correct log message is: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0 R icmp 10.0.1.114 10.0.0.7 0 0 (1 packet). PR898175

  • On EX2200 and EX3300 Virtual Chassis, the Internal state in ERPS is not updated properly in certain conditions. As a workaround, check the interface state and update the ERPS engine accordingly so that they are always in sync. PR975104

  • On EX4300 switches, if a Gigabit Ethernet interface is directly connected to an MX104 management interface (fxp0), the physical link will be down. PR1069198

  • On EX4300 switches, traffic sampling is not supported. If you configure traffic sampling, the sampling process (sampled) might generate a core file. PR1091826

  • On an EX4300 Virtual Chassis or a mixed mode Virtual Chassis that has an EX4300 as a member, if you disable root login connections to the console port by issuing the set system ports console insecure command, users can still log in as root from the backup and linecard members of the Virtual Chassis. PR1096018

  • On EX4600 switches, the EX4600-EM-8F expansion module interfaces might not come up if the module is removed and re-inserted or if the PIC is taken offline and then brought online. PR1100470

  • On EX8200 switches with multicast protocols configured, when a multicast-related (non-aggregated Ethernet) interface goes down and comes back up, ARP installation for certain hosts might fail because stale entries have not been cleared, and traffic might be lost as well. PR1105025

  • On EX4200 switches with multiple member interfaces on an aggregated Ethernet (AE) interface and with a large-scale CoS configuration enabled on the AE interface, a Packet Forwarding Engine limit might be exceeded, the Packet Forwarding Engine might return an invalid ID, and the Packet Forwarding Engine manager (pfem) process might generate core files. PR1109022

  • On EX4500 or EX4550 Virtual Chassis, if an NFS/UDP fragmented packet enters the Virtual Chassis through a LAG and traverses a Virtual Chassis port (VCP) link, CPU utilization might become high, and the software forwarding infrastructure (sfid) process might generate a core file. PR1109312

  • On EX Series switches, an interface with an EX-SFP-1GE-LH transceiver might not come up and the transceiver might be detected as an SFP-EX transceiver. PR1109377

  • On EX9200 switches, starting with Junos OS Release 14.1R1, 32k is the minimum value that you must configure for policer bandwidth limits. If you configure a policer bandwidth limit that is less than 32k, an error message is displayed. PR1109780

  • On EX4500 switches, if MPLS and CoS behavior aggregate (BA) classifiers are configured on the same interface, the BA classifiers might not work. As a workaround, use multifield (MF) classifiers instead of BA classifiers. PR1116462

  • On EX4200 and EX4550 switches, the xe- interfaces in a 10-gigabit SFP+ expansion module (EX4550-EM-8XSFP) or an SFP+ MACsec uplink module (EX-UM-2X4SFP-M) might stop forwarding traffic if the module is removed and reinserted or if the PIC goes offline and comes back online. PR1113375

  • On EX Series switches, if you deactivate an output interface that is configured with family mpls, a nondefault CoS classifier configured on the interface might be deleted, placing traffic in the wrong queue. PR1123191

  • On EX4300 switches, when there is a redundant trunk group (RTG) link failover, media access control (MAC) refresh packets might be sent out from a non-RTG interface that is in the same VLAN as the RTG interface, and a traffic drop might occur because of MAC flapping. PR1133431

  • On EX9200 switches, the Layer 2 address learning daemon (l2ald) might crash continuously and create core files after you configure the fxp0 interface as ethernet-switching and commit the configuration. PR1127324

  • On EX4300 switches, if the switch works as part of a target subnet, while receiving the targeted broadcast traffic, packets might be forwarded to the destination with the switch's MAC address as the destination MAC address, rather than the Layer 2 broadcast frame with destination MAC address FFFF.FFFF.FFFF. PR1127852

  • On EX Series switches, an interface with a non-Juniper Networks 1000BASE-EX SFP Module-40km might not come up because register values are not set to correct values. This issue occurs only during initial deployment of the switch or when the switch is upgraded to Junos OS Release 12.3R8, 13.2X51-D30, 14.1X53-D10, or 15.1R2 onwards. PR1142175

  • On EX9200 switches, an IRB unicast next hop in a scenario with a Layer 2 LAG as the underlying interface might result in traffic blackholing. PR1114540

  • On EX9200 switches, a secondary VLAN might be mapped to the primary VLAN IRB interface to facilitate ARP synchronization across MC-LAG peers running a PVLAN configuration. PR1145623

Interfaces and Chassis

  • If an EX4550-32F switch in a Virtual Chassis reboots and comes online, LACP interfaces on any of the member switches of the Virtual Chassis might go down and not come up. PR1035280

  • On a two-member EX8200 Virtual Chassis, if the Link Aggregation Control Protocol (LACP) child interfaces span different Virtual Chassis members, the MUX state in the LAG member interfaces might remain in the Attached or Detached state after you disable and then reenable the AE interface. PR1102866

Layer 2 Features

  • On EX Series switches, if you configure Ethernet ring protection (ERP) with interfaces configured with vlan members all, commit the changes, then add a new VLAN and commit the configuration again, the Ethernet switching process (eswd) might crash when a non-ERP interface goes down and then comes back up. PR1129309

  • On EX Series switches except EX4300, EX4600, and EX9200, the Ethernet switching process (eswd) might crash if you delete a VLAN tag and then add the VLAN name by using a single commit, in the configuration under the [edit ethernet-switching-options unknown-unicast-forwarding] hierarchy. PR1152343

Multicast

  • On EX Series switches, unregistered multicast packets are not filtered and are instead forwarded to all unexpected ports, even though IGMP snooping is enabled. PR1115300

  • On an EX3300 switch, if you configure IGMP snooping with a VLAN that is not on the switch, the commit fails. PR1149509

Network Management and Monitoring

  • On EX Series switches (except EX4300, EX4600, and EX9200), when system log is enabled and an RPM probe is set to greater than 8000 bytes, the message "PING_RTT_THRESHOLD_EXCEEDED" is not displayed, although it should be. PR1072059

  • On EX Series switches, there are two issues regarding SNMP MIB walks:

    • A private interface—for example, pime.32769—must have an ifIndex value of less than 500. If you do not add the private interface to a static list of rendezvous point (RP) addresses, the mib2d process assigns an ifIndex value from the public pool (with ifIndex values greater than 500) to the interface, which then will have an incorrect ifIndex allocation.

    • A random Request failed: OID not increasing error might occur when you issue the show snmp mib walk command, because the kernel response for a 10-gigabit interface during an SNMP walk might take more than one second, and the mib2d process receives duplicate SNMP queries from the snmpd process.

    PR1121625

  • On EX9200 switches, the value for the udpOutDatagrams object displayed in the output of the show snmp mib walk decimal udpOutDatagrams command is different from that displayed for the same object in the output of the show system statistics udp member 0 command. The value for the datagrams dropped due to no socket field is incorrectly used as the udpOutDatagrams value in the output for show snmp mib walk decimal udpOutDatagrams. As a workaround, use the show system statistics udp member 0 command. PR1104831

Platform and Infrastructure

  • Setting link speed to 100 Mbps does not work in the following situations:

    • When network interfaces are used on an EX4600 switch

    • When an EX4600-EM-8F expansion module is installed in a QFX5100-24Q switch or an EX4600 switch

    PR1032257

  • On EX4300 switches with redundant trunk groups (RTGs) configured, after an RTG primary link comes online from the offline state, it becomes the active link and the other link becomes the backup link. After this, the Layer 2 address learning daemon (l2ald) sends a MAC refresh packet out of the new active RTG logical interface, which is not yet programmed in the Packet Forwarding Engine. This causes the primary link to incorrectly update the MAC entry and also causes traffic loss. PR1095133

  • On EX4300 switches with Virtual Router Redundancy Protocol (VRRP) configured on an integrated routing and bridging (IRB) logical interface, when the IRB logical interface is disabled or deleted, the kernel does not send VRRP dest-mac-filter delete messages to the Packet Forwarding Engine, which might cause loss of traffic that comes from another device's same VRRP group master VIP to the backup (or backup to master). PR1103265

  • On EX4300 switches, VSTP BPDUs are not flooded in the VLAN when VSTP is not configured on the switches. PR1104488

  • On EX4300 switches, if a policer ICMP filter is applied on the loopback interface, incoming ICMP packets might be dropped on the ingress Packet Forwarding Engine and ARP requests might not be generated. PR1121067

  • On EX4300 switches, configuring set groups group_name interfaces interface-name unit 0 family ethernet-switching and committing the configuration might cause the Layer 2 address learning process (l2ald) to generate a core file. PR1121406

  • On EX4300 switches, port vector corruption on a physical port might be caused by the interface flapping multiple times, which leads to a Packet Forwarding Engine manager (pfem) crash and a Routing Engine reboot. PR1121493

  • On EX4300 switches with a Q-in-Q configuration, when Layer 2 protocol tunneling (L2PT) for VLAN Spanning Tree Protocol (VSTP) is enabled, the C-VLAN (inner VLAN or customer VLAN) might not be encapsulated in the PDUs that exit the trunk port. PR1121737

  • On an EX4300 Virtual Chassis, if a redundant trunk group (RTG) interface flaps when control packets originating from the switch are going over that RTG interface, the core device becomes nonresponsive and you would have to reload the device to restore connectivity. PR1130419

  • On EX4300 Virtual Chassis, traffic from or to a Routing Engine through an aggregated Ethernet (AE) member interface that is not in the master might be dropped, but traffic transmitted through the switch (that is, hardware switched) is not affected. PR1130975

  • On an EX4300 switch, when an SNMP walk is performed to query the native VLAN, for most of the trunk interfaces, the query might return a value of 0 instead of the configured native VLAN ID. PR1132752

  • On EX4300 switches configured with Ethernet ring protection switching (ERPS), the ping might not go through after the Wait to Restore (WTR) timer expires. PR1132770

  • On EX4300 switches, a filter might not work as expected when you commit a filter-based forwarding (FBF) configuration for the first time after rebooting the switch. PR1135771

  • On EX Series switches, the following DEBUG messages might be incorrectly displayed as output with logging level INFO: %USER-6: [EX-BCM PIC] ex_bcm_pic_eth_an_config %USER-6: [EX-BCM PIC] ex_bcm_pic_check_an_config_change. PR1143904

  • On EX4300 switches, if an IPv6 firewall filter term exceeds the maximum, the Packet Forwarding Engine manager (pfex) might crash continuously. PR1145432

  • On EX4300 switches with redundant trunk groups (RTGs) configured, VSTP BPDUs coming into an RTG backup interface might be incorrectly forwarded out of interfaces other than the RTG primary interface. PR1151113

Software Installation and Upgrade

  • On EX8200 switches, an NSSU from Junos OS Release 15.1R1 to Release 15.1R2 fails with the message: mgd: unable to execute /var/etc/reboot.ex: Authentication error. PR1122628

Spanning-Tree Protocols

  • On EX Series switches with dual Routing Engines or on an EX Series Virtual Chassis, the switch or the Virtual Chassis might send multiple proposal BPDUs on an alternate port after a Routing Engine switchover or a nonstop software upgrade (NSSU), resulting in the peer device receiving multiple proposal BPDUs and triggering a dispute condition. The peer port states constantly alternate between FORWARDING and BLOCKING. PR1126677

  • On EX Series switches with bridge protocol data unit (BPDU) protection configured on all edge ports, edge ports might not work correctly and might revert to the unblocking state when the drop option is configured under the [edit ethernet-switching-options bpdu-block interface xstp-disabled] hierarchy. PR1128258

Virtual Chassis

  • On a two-member EX Series Virtual Chassis in which the same mastership priority is configured on both members, if there are more than 34 SFPs present in the current master and if a reboot is issued in the current master, then the backup becomes the master. When the original master rejoins the Virtual Chassis, it regains mastership. PR1111669

Resolved Issues: Release 15.1R2

Class of Service (CoS)

  • On EX4200 switches, if CoS scheduler maps are configured on all interfaces with the loss-priority value set to high, traffic between different Packet Forwarding Engines might be dropped. PR1071361

Dynamic Host Configuration Protocol

  • On EX9200 switches, when DHCP relay is configured using the forward-only and forward-only-replies statements at the [edit forwarding-options dhcp-relay] hierarchy level, if the DHCP local server is also configured with the forward-snooped-clients statement at the [edit system services dhcp-local-server] hierarchy level, the configuration for forward-snooped-clients takes precedence over the configuration for forward-only and forward-only-replies. As a result, DHCP message exchange between VRFs might not work as expected. PR1077016

  • On EX Series switches except EX9200, the configuration of options for the circuit-id CLI statement at the [edit forwarding-options dhcp-relay group group-name relay-option-82] hierarchy level does not work as expected. The format of the DHCP option 82 Circuit ID must be switch-name:physical-interface-name:vlan-name, but instead, the format is switch-name:vlan-name. PR1081246

  • On EX9200 switches, a DHCPv6 security dynamic entry binding might not work as expected, resulting in the DHCPv6 bindings being stuck in the wait state. PR1092885

  • On EX Series switches except EX9200 switches, with DHCP relay configured on the IRB interface for BOOTP relay, if the client is connected to the physical interface that belongs to the same VLAN as the IRB interface, and sends BOOTP request packets to the server, BOOTP reply packets from the server might be dropped on the IRB interface. PR1096560

Infrastructure

  • Unnecessary fpc0 dfw_counter_get_by_name failed inst 0 policer index 0 status 7 log messages are seen when either show firewall counter or snmp mib get jnxFirewallCounterTable is executed. PR1035113

Interfaces and Chassis

  • On EX9200 switches, if an interface range is configured that includes large-scale physical interfaces, and with the family option set to ethernet-switching, the configuration might take a long time to commit. PR1072147

  • On EX9200 switches, if an interface for which the MAC move limit action is set to shutdown goes down and comes up, and then a Layer 2 learning (l2ald) process restarts, the logical interface remains down even if you issue the command clear ethernet-switching recovery-timeout. PR1072358

  • On EX9200 switches, when family ethernet-switching is configured on an interface that is also configured with encapsulation extended-vlan-bridge, then transit packets (for example, IP, ping, or Q-in-Q packets) might be dropped on this interface. PR1078076

  • On EX9200 switches, when a MAC move limit is configured on two VLAN members and the limit is configured with the action vlan-member-shutdown on two VLAN members, if the limit is reached on one VLAN member, both members are disabled, blocking all traffic. PR1078676

  • On EX9200 platforms, if you configure an MC-LAG with two devices, and then delete and re-create an MC-AE interface, broadcast and multicast traffic that is flooded might loop for several milliseconds. PR1082775

  • An EX9200-40F-M line card drops all traffic on an IRB logical interface, including both data plane and control plane traffic. If an IRB logical interface is configured on an EX9200-40F-M line card as part of a VLAN, any device connected through that interface cannot use Layer 3 forwarding outside the subnet, because the EX9200-40F-M line card does not handle the ARP function correctly. Configuring static ARP on devices using the EX9200 as a gateway is not a workaround, because packets are still dropped if the Routing Engine of the EX9200 has the routes and ARP entry for the destination IP. PR1086790

Media Access Control Security (MACsec)

  • On EX4200 and EX4550 switches, if MACsec is configured to transit traffic between switches through Ethernet over SONET, packets might be dropped. PR1056790

Network Management and Monitoring

  • On EX Series switches, configuring an invalid SNMP source address might prevent SNMP traps from being generated, even after the configuration is corrected with a valid SNMP source address. PR1099802

Platform and Infrastructure

  • On EX4500 and EX4550 switches, if an interface on the EX-SFP-10GE-LR uplink module is disabled by using the CLI command set interface disable, and the interface through which a peer device is connected to the interface on the uplink module goes down, CPU utilization of the chassis manager process (chassism) might spike, causing the chassism process to generate a core file. PR1032818

  • On EX Series switches, BFD packets might be sent to a remote neighbor at a rate that exceeds the remote minimum receive interval value. PR1055830

  • On an EX8200 Virtual Chassis, if vlan-tagging is configured without specifying the interface family, the Packet Forwarding Engine might program the local chassis MAC address instead of the router MAC address, which is used for routing. As a workaround, configure family inet on the interface. PR1060148

  • On EX Series switches except EX9200 switches, when configuring large numbers of inet addresses on the switch, for example, more than 1000 IP addresses, gratuitous ARP packets might not be sent to peer devices. PR1062460

  • On EX8200 Virtual Chassis, local ECMP hashing changes when a remote (nonlocal) interface flaps if the number of local interfaces does not equal the number of remote interfaces. This might impact ECMP load balancing. PR1084982

  • On EX8200 switches, when the PIM mode is changed between sparse mode and dense mode, the pfem process might generate a core file. PR1087730

  • On EX9200 switches operating in a routing domain with a PIM-embedded IPv6 rendezvous point (RP), accessing the RP after the memory is freed might cause the routing protocol process to generate a core file. PR1101377

Spanning-Tree Protocols

  • On EX Series Virtual Chassis, if STP is configured, and each member's mastership priority values are different, rebooting some or all of the Virtual Chassis members might cause a traffic failure, even after the reboot has completed. PR1066897

  • On EX Series switches except EX9200, when MSTP is configured, the Ethernet switching process (eswd) might generate multiple types of core files in the large-scale VLANs that are associated with multiple spanning-tree instances (MSTIs). PR1083395

VPLS

  • On EX9200 switches, when you add a VLAN on an existing virtual-switch instance for virtual private LAN service (VPLS), the label-switched interface (LSI) might not be associated with the new VLAN. PR1088541

Resolved Issues: Release 15.1R1

Interfaces and Chassis

  • On EX Series switches on which Link Aggregation Control Protocol (LACP) is enabled on a link aggregation group (LAG) interface, after you reboot the master Routing Engine and if the first LACP packet is dropped during switchover, LACP might get stuck in the same state for a long time (about 10 seconds), causing the LAG interface to flap and traffic to be dropped on the LAG interface. PR976213

Documentation Updates

This section lists the errata and changes in Junos OS Release 15.1R7 for the EX Series switches documentation.

Changes to the Junos OS for EX Series Documentation

Network Interfaces Feature Guide for EX4300 Switches

  • Half-duplex link support has been added to the EX4300 switch starting with Junos OS Release 15.1R4. The Network Interfaces Feature Guide for EX4300 Switches has not yet been updated to show this support. See the description of this feature in New and Changed Features.

Errata in the Junos OS for EX Series Documentation

Junos OS Release 15.1 Release Notes

  • The EX3200 switch is not supported in Junos OS Release 15.1. We have removed references to EX3200 switches in Junos OS Release 15.1 release notes, but note that PDF versions of the release notes that you have downloaded or saved might not reflect those updates.

  • PR976213 was resolved in Junos OS Release 15.1R1 but was erroneously listed in the Known Behavior of the Junos OS Release 15.1 release notes. We have moved the PR to Resolved Issues in the release notes, but note that PDF versions of the release notes might not reflect that update.

Migration, Upgrade, and Downgrade Instructions

This section contains the upgrade and downgrade support policy for Junos OS for the EX Series. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

For information about software installation and upgrade, see the Installation and Upgrade Guide.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 14.1, 14.2, 15.1 and 16.1 are EEOL releases. You can upgrade from Junos OS Release 14.1 to Release 15.1 or from Junos OS Release 15.1 to Release 16.2. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and the special compatibility guidelines with the release, see the Hardware Guide for the product.

To determine the features supported on EX Series switches in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at https://pathfinder.juniper.net/feature-explorer/.