Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for MX Series 5G Universal Routing Platforms


These release notes accompany Junos OS Release 17.1R3 for the MX Series routers. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at .

New and Changed Features

This section describes the new features and enhancements to existing features in the Junos OS main release and the maintenance releases for MX Series.

Release 17.1R3 New and Changed Features

Interfaces and Chassis

  • Enhancement to increase the threshold of corrected single-bit errors (MPC7E, MPC8E, MPC9E on MX Series)—In Junos OS Release 17.1R3, the threshold of corrected single-bit errors is increased from 32 to 1024, and the alarm severity is changed from Major to Minor for those error messages. There is no operational impact on corrected single-bit errors. Also, a log message is added to display how many single-bit errors have been corrected between the reported events as follows:

    EA[0:0]: HMCIF Rx: Link0: Corrected single bit errordetected in HMC 0 - Total count 25

    EA[0:0]: HMCIF Rx: Link0: Corrected single bit errordetected in HMC 0 - Total count 26

    [See Alarm Overview.]

Restoration Procedures and Failure Handling

  • Device recovery mode introduced in Junos OS with upgraded FreeBSD (MX Series)—In Junos OS Release 17.1R3, for devices running Junos OS with upgraded FreeBSD, provided you have saved a rescue configuration on the device, an automatic device recovery mode exists to help recover the system should it go into amnesiac mode. The system retries to boot with the saved rescue configuration. In this circumstance, the system that boots displays a banner Device is in recovery mode in the CLI (in both operational and configuration modes). In earlier releases, there is no automatic process to recover from amnesiac mode: Instead, a user with load and commit permission has to log in using the console and fix the issue in the configuration before the system can reboot.

    [See Saving a Rescue Configuration File.]

Subscriber Management and Services

  • RADIUS attributes added to LNS messages (MX Series)—Starting in Junos OS Release 17.1R3, the LNS includes the following RADIUS attributes when it sends an Access-Request message to the RADIUS server:

    • Tunnel-Type (64)

    • Tunnel-Medium-Type (65)

    • Tunnel-Client-Endpoint (66)

    • Tunnel-Server-Endpoint (67)

    • Acct-Tunnel-Connection (68)

    • Tunnel-Assignment-Id (82)

    • Tunnel-Client-Auth-Id (90)

    • Tunnel-Server-Auth-Id (91)

  • Controlling search behavior for address allocation from linked pools (MX Series)—Starting in Junos OS Release 17.1R3, you can use the linked-pool-aggregation statement at the [edit access] hierarchy level to change how addresses are allocated from linked IP address pools. When you configure the statement, addresses can be assigned from a later pool in the chain before an earlier pool is depleted. When the statement is not configured, IP addresses are assigned contiguously, so that all addresses are allocated from the matching pool and then the first pool in the chain before addresses are assigned from a linked pool.

    [See Configuring Address-Assignment Pool Linking.]

Release 17.1R2 New and Changed Features

Interfaces and Chassis

  • Enhancement to ambient-temperature statement (MX Series)—In Junos OS Release 17.1R2 and later, the default ambient temperature is set at 40° C on MX480, MX960, MX2010, and MX2020 Universal Routing Platforms. You can override ambient temperature by setting the temperature at 55° C or 25° C.

    When a router restarts, the system adjusts the power allocation or the provisioned power for the line cards on the basis of the configured ambient temperature. If enough power is not available, a minor chassis alarm is raised. However, the chassis continues to run with the configured ambient temperature. You can configure a new higher ambient temperature only after you make more power available by adding new power supply modules or by taking a few line cards offline. By using the provisioned power that is saved by configuring a lower ambient temperature, you can bring more hardware components online.

Routing Protocols

  • IGP cost calculation for next-hop-based dynamic tunnels(MX Series)—Starting in Junos OS Release 17.1R2, IGP cost calculation is supported for next-hop-based dynamic tunnels. In multihoming networks with next-hop-based GRE or UDP tunnel, rpd chooses the best path by calculating IGP metrics. However, in single-homed networks, rpd installs the tunnel composite next hop in the Packet Forwarding Engine without any IGP cost calculation.

    In earlier Junos OS releases, BGP preferred a path with the lowest router ID, which was not cost effective. When multiple PE devices advertise the same route, BGP did not take into account the IGP cost to those devices. This new feature allows BGP to choose an IGP path with the lowest metric and set up a tunnel to a PE device with the lowest cost. Note that in the absence of IGP connectivity, Junos OS does not install the advertised routes in the Packet Forwarding Engine or create a dynamic tunnel.

Subscriber Management and Services

  • Configurable grace period for unresponsive RADIUS servers (MX Series)—Starting in Junos OS Release 17.1R2, you can use the timeout-grace statement at the [edit access radius-options] hierarchy level to configure a grace period that determines when an unresponsive RADIUS authentication server is marked as down or unreachable. When the server fails to respond to any of the attempts made for an authentication request, it times out, the time is noted, and the grace period begins. If the server is unresponsive for subsequent authentication requests, the grace period is checked each time the server times out. When the check determines that the grace period has expired, the server is marked as down or unreachable.

    You can configure the grace period in the range 0 through 30 seconds; the default is 10 seconds. Use a short grace period to declare servers unavailable sooner and direct requests to available servers. Use a long grace period to give unresponsive servers more opportunities to respond.

    In earlier releases, the grace period is 10 seconds and is not configurable.

  • Support for excluding tunnel attributes from RADIUS Access-Request messages (MX Series)—Starting in Junos OS Release 17.1R2, you can use the exclude statement at the [edit access profile profile-name radius attribute] hierarchy level to exclude the following tunnel attributes from RADIUS Access-Request messages in addition to the previously supported Accounting-Start, and Accounting-Stop messages:

    • acct-tunnel-connection—RADIUS attribute 68, Acct-Tunnel-Connection

    • tunnel-assignment-id—RADIUS attribute 82, Tunnel-Assignment-Id

    • tunnel-client-auth-id—RADIUS attribute 90, Tunnel-Client-Auth-Id

    • tunnel-client-endpoint—RADIUS attribute 66, Tunnel-Client-Endpoint

    • tunnel-medium-type—RADIUS attribute 65, Tunnel-Medium-Type

    • tunnel-server-auth-id—RADIUS attribute 91, Tunnel-Server-Auth-Id

    • tunnel-server-endpoint—RADIUS attribute 67, Tunnel-Server-Endpoint

    • tunnel-type—RADIUS attribute 64, Tunnel-Type

Release 17.1R1 New and Changed Features


  • Support for ODU path delay measurement for 100-Gigabit DWDM OTN MIC and 100-Gigabit DWDM OTN PIC (MX Series)—Starting in Junos OS Release 17.1R1, Junos OS supports ODU path delay measurement for the 100-Gigabit DWDM OTN MIC (MIC3-100G-DWDM) on MPC3E (MX-MPC3E-3D) and MPC3E-NG (MPC3E-3D-NG) on MX Series routers and for the 100-Gigabit Ethernet DWDM OTN PIC (PTX-5-100G-WDM) on PTX3000 and PTX5000 routers. Delay is measured by transmitting a known pattern (delay measurement pattern) in a selected bit of the delay measurement (DM) field and measuring the number of frames that are missed when the delay measurement pattern is received at the transmitting end (local interface).

    To enable delay measurement, first enable looping of the delay measurement pattern at the remote interface by including the remote-loop-enable statement at the [edit interfaces interfacename otn-options odu-delay-management] hierarchy level. Then, measure the delay by including the start-measurement statement at the [edit interfaces interfacename otn-options odu-delay-management] hierarchy level. Use the stop-measurement statement to stop measuring the delay. To disable looping of the delay measurement pattern at the remote interface, use the no-remote-loop-enable statement.

  • 1-port 100-Gigabit DWDM OTN MIC with CFP2 (MX240, MX480, MX960, MX2010, and MX2020)—Starting in Junos OS release 17.1R1, support is provided for the 1-port 100-Gigabit Ethernet dense wavelength division multiplexing (DWDM) optical transport network (OTN) MIC (MIC3-100G-DWDM) with CFP2 analog coherent optical (CFP2-ACO) pluggable optics on MPC3E (MX-MPC3E-3D) and MPC3E NG (MPC3E-3D-NG). The 100-Gigabit Ethernet DWDM OTN MIC supports the following features:

    • Transparent transport of 100-Gigabit Ethernet signals with optical channel transport unit, OTU4 (V) framing

    • Dual-polarization quadrature phase shift keying (DP-QPSK) modulation with coherent receiver and soft-decision forward error correction (SD-FEC) for long-haul and metro applications

    • International Telecommunication Union (ITU)-standard OTN performance monitoring and alarm management

    • Extensive optical, digital signal processing (DSP), and bit error ratio (BER) performance monitoring statistics for the optical link

    [See 100-Gigabit DWDM OTN MIC with CFP2-ACOand Configuring OTN Interfaces on MIC3-100G-DWDM MIC.]

Class of Service (CoS)

  • Copy ToS bits from incoming IP header to outer GRE IP header (MX Series with MPCs)—Starting in Junos OS Release 17.1R1, you can set GRE tunnel interfaces to copy the ToS bits (DSCP value) from the incoming IPv4 header to the outer GRE IP header for transit traffic. You can set this at the individual GRE interface level by including the copy-tos-to-outer-ip-header-transit statement at the [edit interfaces gr-fpc/pic/port unit logical-unit-number] hierarchy level, or globally by including the copy-tos-to-outer service-type ([ gre ] | [ mt ]) statement at the [edit chassis] hierarchy level.

    You can also now rewrite the DSCP/IP precedence value in both the inner and outer headers with the rewrite rules ([ dscp ] | [ inet-precedence ]) default protocol ([ inet-both ] | [ inet-outer ]) statement at the [edit class-of-service interfaces interface-name] hierarchy level.

    [See Configuring a GRE Tunnel to Copy ToS Bits to the Outer IP Header.]


  • Support for multihoming in an MSAN scenario with EVPN (MX Series routers with MPCs)—Starting in Junos OS Release 17.1R1, the EVPN multihoming feature enables you to connect a customer site to two or more provider edge (PE) devices to provide redundant connectivity. A customer edge (CE) device can be multihomed to different PE devices or the same PE device. A redundant PE device can provide network service to the customer site as soon as a failure is detected. Thus, EVPN multihoming helps maintain EVPN service and traffic forwarding to and from the multihomed site in case of network failures such as:

    • Failure of the link between PE device to CE device

    • PE device failure

    • MPLS-reachability failure between the local PE device and a remote PE device

    [See EVPN Multihoming Overview.]

  • Support for VPWS with EVPN signaling mechanisms (MX Series)—The Ethernet VPN (EVPN)-virtual private wire service (VPWS) network provides a framework for delivering the VPWS with EVPN signaling mechanisms. The VPWS with EVPN signaling mechanisms supports single-active or all-active multihoming capabilities and inter-autonomous system (AS) options associated with BGP-signaled VPNs. Starting with Junos OS Release 17.1R1, the vpws-service-id statement identifies the endpoints of the EVPN-VPWS network based on the local and remote identifiers configured on the provider edge (PE) routers in the network. These endpoints are autodiscovered by BGP and are used to exchange the service labels (learned from the respective PE routers) that are used by autodiscovered routes per EVPN instance (EVI).

    Use the show evpn vpws-instance command to verify the routes and interfaces of the VPWS instance of the EVPN.

    [See Overview of VPWS Service with EVPN Signaling Mechanisms.]

  • Support for inter-data center connectivity over pure Layer 3 network with EVPN (MX Series routers with MPCs)—Starting in Junos OS Release 17.1R1, the control plane EVPN Type-5 supports IP prefix for inter-subnet connectivity across data centers. The data packet is sent as the L2 Ethernet frame encapsulated in the VXLAN header over the IP network across the data centers to reach the tenant through the connectivity provided by the EVPN Type-5 IP prefix route.

    [See EVPN Type-5 Route with VXLAN encapsulation for EVPN/VXLAN.]

  • Support for LACP in EVPN active-active multihoming (MX Series routers with MPCs)—Starting with Junos OS Release 17.1R1, an extra level of redundancy can be achieved in an Ethernet VPN (EVPN) active-active multihoming network by configuring the Link Aggregation Control Protocol (LACP) on both the endpoints of the link between the multihomed customer edge (CE) and provider edge (PE) devices. The link aggregation group (LAG) interface of the multihomed CE-PE link can either be in the active or in the standby state. The interface state is monitored and operated by LACP to ensure fast convergence on isolation of a multihomed PE device from the core.

    When there is a core failure, a traffic black hole can occur at the isolated PE device. With the support for LACP on the CE-PE link, at the time of core isolation, the CE-facing interface of the multihomed PE device is set to the standby state, thereby blocking data traffic transmission from and toward the multihomed CE device. After the core recovers from the failure, the interface state is switched back from standby to active.

    To configure LACP in an EVPN active-active multihoming network:

    • On the multihomed CE device

      • Include the lacp active statement at the [edit interfaces aex aggregated-ether-options] hierarchy.

    • On the multihomed PE device

      • Include the lacp active statement at the [edit interfaces aex aggregated-ether-options] hierarchy.

      • Include the service-id number statement at the [edit switch-options] hierarchy.

    [See Example: Configuring LACP for EVPN Active-Active Multihoming.]

  • Support for IPv6 over IRB interfaces with EVPN (MX Series routers with MPCs)—Starting in Junos OS Release 17.1R1, IPv6 addresses are supported on IRB interfaces with EVPN using the Neighbor Discovery Protocol (NDP). The following capabilities are introduced for IPv6 support with EVPN:

    • IPv6 addresses on IRB interfaces in master routing instances

    • Learning IPv6 neighborhood from solicited NA message

    • NS and NA packets on the IRB interfaces are disabled from network core

    • Virtual gateway addresses are used as Layer 3 addresses

    • Host MAC-IP synchronization for IPv6

    You can configure the IPv6 addresses in the IRB interface at the [edit interfaces irb] hierarchy level.

    [See EVPN with IRB Solution Overview.]

  • Support for VLAN bundle service for EVPN (MX Series)—Starting in Junos OS Release 17.1R1, Junos OS supports the VLAN bundle service for EVPN. The VLAN bundle service maps multiple VLAN IDs to one EVPN instance. Because a separate instance for each VLAN ID is not needed, this feature lowers the control plane overhead on the router by reducing the number of EVPN instances.

    [See VLAN Bundle Service for EVPN.]

General Routing

  • PHY timestamping support for MIC-3D-20GE-SFP-EH, MIC-3D-20GE-SFP-E, and built-in 10-Gigabit Ethernet ports (MX104)—Starting with Junos OS Release 17.1R1, timestamping at the physical layer, also known as PHY timestamping, is supported on MIC-3D-20GE-SFP-EH, MIC-3D-20GE-SFP-E, and the built-in 10-Gigabit Ethernet ports on MX104 routers. PHY timestamping is the timestamping of the IEEE 1588 event packets at the physical layer. Timestamping the packet at the physical layer eliminates the noise or the packet delay variation (PDV) that is introduced by the Packet Forwarding Engine.

    To enable PHY timestamping on MX104 routers, include the phy-timestamping statement at the edit [protocols ptp] hierarchy level.

    [See PHY Timestamping.]

  • Support for PTP over Ethernet, hybrid mode, and G.8275.1 profile (MPC5E and MX104)—Starting in Junos OS Release 17.1R1, MPC5E and MX104 support the following features:

    • PTP over Ethernet—PTP over Ethernet enables effective implementation of packet-based technology that enables the operator to deliver synchronization services on packet-based mobile backhaul networks. PTP over Ethernet uses multicast addresses for communication of PTP messages between the slave clock and the master clock.

    • Hybrid mode—In hybrid mode, the synchronous Ethernet equipment clock (EEC) derives the frequency from Synchronous Ethernet and the phase and time of day from PTP.

    • G.8275.1 profile—G.8275.1 is a PTP profile for applications that require accurate phase and time synchronization. It supports the architecture defined in ITU-T G.8275 to enable the distribution of phase and time with full timing support and is based on the second version of PTP defined in IEEE 1588. You can configure the G.8275.1 profile by including the profile-type g.8275.1 statement at the [edit protocols ptp] hierarchy level.

      [See Profile Type.]

High Availability (HA) and Resiliency

  • ISSU Feature Explorer—The unified ISSU Feature Explorer is an interactive tool that you can use to verify your device’s unified ISSU compatibility with different Junos OS releases.

    [See ISSU Feature Explorer.]

  • Support for unified ISSU on MX Series routers and MX Series Virtual Chassis with MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG, MPC2E-3D-NG-Q, and MPC5E (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Junos OS Release 17.1R1, unified in-service software upgrade (ISSU) is supported on MX Series routers and MX Series Virtual Chassis with MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG, MPC2E-3D-NG-Q, and MPC5E.

    Unified ISSU is supported on MPC5E with the following MICs in non-OTN mode:

    • 3X40GE QSFPP

    • 12X10GE-SFPP OTN

    • 1X100GE-CFP2

    • 2X10GE SFPP OTN


    Unified ISSU is not supported on MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG, and MPC2E-3D-NG-Q with the following MICs:

    • MS-MIC-16G

    • MIC-3D-8DS3-E3

    • MIC-3D-1OC192-XFP

    Unified ISSU enables you to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic.

    [See Protocols and Applications Supported by MX240, MX480, MX960, MX2010, and MX2020 MPC2E, Protocols and Applications Supported by the MX240, MX480, MX960, MX2010, and MX2020 MPC3E, and Protocols and Applications Supported by the MX240, MX480, MX960, MX2010, and MX2020 MPC5Es.]

  • Unified in-service software upgrade support for 100-Gigabit DWDM OTN MIC (MX960)—Starting with Junos OS Release 17.1R1, unified in-service software upgrade (unified ISSU) is supported for the 1-port 100-Gigabit Ethernet dense wavelength division multiplexing (DWDM) OTN MIC (MIC3-100G-DWDM) on MX960 routers with MPC3E (MX-MPC3E-3D) and MPC3E-NG (MX-MPC3E-NG).

    Unified ISSU is a process to upgrade the system software with minimal disruption of transit traffic and no disruption of the control plane. You can use unified ISSU only to upgrade to a later version of the system software. When unified ISSU completes, the new system software state is identical to that of the system software when the system upgrade is performed through a cold boot.

    [See Unified ISSU System Requirements.]

  • New options for the show vrrp track command (MX Series)—Starting with Junos OS Release 17.1R1, the show vrrp track routes command gives you the option to view all tracked routes. Another new option for the show vrrp track command, all, is equivalent to the already existing command show vrrp track.

    [See show vrrp track.]

Interfaces and Chassis

  • Getting load-balancing hash result information (MX Series)—Starting in Junos OS Release 17.1R1, you can get the details for load-balancing hash results. You can get information for up to three levels of load balancing.

    To get load-balancing results for routed IPv4, IPv6, and other L3 traffic, use the show forwarding-options load-balance ingress-interface <interface-name> family <family-type> source-address <src-IP> destination-address <dest-IP> transport-protocol <transport-protocol> source-port <src-port> destination-port <dest-port> tos <TOS> command. To get load-balancing results for raw packet dumps, use the show forwarding-options load-balance ingress-interface <interface-name> family <family-type> packet-dump <pkt-dump> command.

    [See show forwarding-options load-balance.]

  • Support for PPP-TCC encapsulation on MIC-3D-16CHE1-T1-CE (MX Series)—Starting in Junos OS Release 17.1R1, Junos OS supports PPP-TCC encapsulation on channelized E1/T1 Circuit Emulation MIC (MIC-3D-16CHE1-T1-CE). PPP-TCC encapsulation is used for circuits with different media on either sides of the connection.

  • Removing the native VLAN ID from untagged traffic (MX Series)—Starting in Junos OS Release 17.1R1, you can send untagged traffic without a native VLAN ID to the remote end of the network. To do this, remove the native VLAN ID from the untagged traffic configuration by setting the no-native-vlan-insert statement. If you do not configure this statement, the native VLAN ID is added to the untagged traffic.

    [See Sending Untagged Traffic Without VLAN ID to Remote End.]

  • Inline MultilinkPPP, Multilink FrameRelay, and Multilink FrameRelay End-to-End for time-division multiplexing WAN interfaces (MX Series)—The ability to provide bundling services through the Packet Forwarding Engine without requiring a PIC or DPC by using inline Multilink PPP (MLPPP), Multilink Frame Relay (MLFR) FRF.16, and MLFR end-to-end FRF.15 for time-division multiplexing (TDM) WAN interfaces was first rolled out in Junos OS Release 14.1. Starting in Junos OS Release 17.1R1, this feature is also supported on the following MPCs: MPC5E (MX240, MX480, MX960, MX2010, and MX2020 routers) and MPC6E (MX2010 and MX2020 routers). Support includes multiple links on the same bundle as well as multiclass extensions for MLPPP. You can enable bundling services without additional DPC slots, freeing the slots for other MICs.

    [See Inline MLPPP for WAN Interfaces Overview, Example: Configuring Inline MLPPP and Multilink Frame Relay End-to-End (FRF.15) for WAN Interfaces,] and [Example: Configuring Inline Multilink Frame Relay (FRF.16) for WAN Interfaces.]

  • Enhancement to policer configuration (MX Series)—Starting in Junos OS Release 17.1R1, you can configure the MPC to take a value in the range 0 through 5 for the policer tick byte by using the policer-limit statement at the [edit chassis] hierarchy level. If this statement is not configured, the policer tick byte can take values up to 7, which is the default behavior. You can use the set chassis policer-limit command to enable this feature.

    You must restart the MPC or the router for the changes to take effect.

  • Support for inline Two-Way Active Measurement Protocol (TWAMP) server and client on MPC7E (MX240, MX480, MX960)—Starting in Junos OS Release 17.1R1, MX Series routers with MPC7E cards support the inline Two-Way Active Measurement Protocol (TWAMP) control-client and server for transmission of TWAMP IPv4 UDP probes between the session-sender (control-client) and the session-reflector (server). The TWAMP control-client and server can also work with a third-party server and control-client implementation.

    TWAMP is an open protocol for measuring network performance between any two devices that support TWAMP. To configure the TWAMP server, specify the logical interface on the service PIC that provides the TWAMP service by including the twamp-server statement at the:[edit interfaces si-fpc/pic/ port unit logical-unit-number rpm] hierarchy level. To configure the TWAMP client, include the twamp-client statement at the:[edit interfaces si-fpc/pic/ port unit logical-unit-number rpm] hierarchy level.

    [See Two-Way Active Measurement Protocol Overview.]

  • Support for frame relay inverse ARP on MIC-3D-16CHE1-T1-CE (MX Series)—Starting in Junos OS Release 17.1R1, Junos OS supports frame relay inverse ARP requests on channelized E1/T1 Circuit Emulation MIC (MIC-3D-16CHE1-T1-CE). You can configure MIC-3D-16CHE1-T1-CE to operate in either T1 or E1 mode. By default, all the ports operate in T1 mode.

    [See Configuring Inverse Frame Relay ARP.]

Layer 2 Features

  • Enhancement to MAC limit function (MX Series with MPCs)—Starting in Junos OS Release 17.1R1, the handling of a burst of packets with new source MAC addresses is improved to reduce resource use and processing time. In earlier releases, new source MAC addresses are learned and placed in the MAC table even after the limit is exceeded. The Routing Engine later deletes the MAC address entries that are over the limit.

    Now, the learning limit configured with the interface-mac-limit statement for new source MAC addresses is enforced at all levels: global, bridge domain, and VPLS. The MAC table is not updated with any new addresses after the limit has been reached. When any static MAC addresses are configured, the learning limit is the configured limit minus the number of static addresses.

    [See Limiting MAC Addresses Learned from an Interface in a Bridge Domain and Limiting the Number of MAC Addresses Learned from Each Logical Interface.]

Layer 2 VPN

  • Support for ETH-SLM and ETH-DM on aggregated Ethernet interfaces and LAG members on MPCs (MX Series)—Starting in Junos OS Release 17.1R1, you can configure ITU-T Y.1731 standard-compliant Ethernet synthetic loss measurement (ETH-SLM) and Ethernet delay measurement (ETH-DM) capabilities on aggregated Ethernet interfaces and LAG members on all MX Series MPCs. These ITU-T Y.1731 OAM services or performance-monitoring techniques can be measured in on-demand mode (triggered through the CLI) or proactive mode (triggered by the iterator application).

    ETH-SLM is an application that enables the calculation of frame loss by using synthetic frames instead of data traffic. ETH-DM provides fine control to operators for triggering delay measurement on a given service and can be used to monitor service-level agreements (SLAs).


  • Support for Junos Telemetry Interface sensor for queue depth statistics (MX Series)—Starting with Junos OS Release 17.1R1 , you can configure a Junos Telemetry Interface sensor that exports queue depth statistics for ingress and egress queue traffic. Telemetry data is exported directly from the line card. You can also apply one or more regular expressions to filter data. Include the resource /junos/system/linecard/qmon/ statement at the [edit system services analytics sensor sensor-name] hierarchy level. Only UDP streaming of data is supported. gRPC streaming of queue depth statistics is not currently supported. Only MPC7E, MPC8E, and MPC9E are supported.

    [See sensor (Junos Telemetry Interface).]

  • gRPC support for the Junos Telemetry Interface (MX Series)—Starting with Junos OS Release 17.1R1, the Junos Telemetry Interface supports using a set of gRPC remote procedure call interfaces to provision sensors, subscribe to, and receive telemetry data. gRPC is based on an open source framework and provides secure and reliable transport of data. Use the telemetrySubscribe RPC to specify telemetry parameters and stream data for a specified list of OpenConfig commands paths. Telemetry data is generated as Google protocol buffers (gpb) messages in a universal key/value format. If your Juniper Networks device is running a version of Junos OS with an upgraded FreeBSD kernel, you must download the Network Agent package, which provides the interfaces to manage gRPC subscriptions. The package is available on the All Junos Platforms software download URL on the Juniper Networks webpage.

    [See Understanding OpenConfig and gRPC on Junos Telemetry Interface.]

  • Support for Junos Telemetry Interface (MX Series)—Starting with Junos OS Release 17.1R1, the Junos Telemetry Interface enables you to export telemetry data from supported interface hardware. Sensor data, such as interface events, are sent directly to configured collection points without involving polling. On MX Series routers, only MPC1 through MPC9E are supported. For sensors that stream data through the User Datagram Protocol, all parameters are configured at the [edit services analytics] hierarchy level. For sensors that stream data through gRPC, use the telemetrySubscribe RPC to specify telemetry parameters. Not all hardware and sensors are supported in those previous releases.

    [See Overview of the Junos Telemetry Interface.]


  • Support for subscriber management over MPLS pseudowire logical interface on virtual chassis (MX Series)—Starting with Junos OS Release 17.1R1, MPLS pseudowire logical interface for subscriber management is supported on virtual chassis. The functionality of Ethernet interface types such as ae/ge/xe, works on virtual chassis.

  • Support for Layer 2 services provisioning on the services side of the pseudowire service logical interface (MX Series)—Starting with Junos OS Release 17.1R1, Layer 2 services provisioning such as bridge domain or VPLS instance is possible on the services side of the pseudowire service logical interface anchored to logical tunnel interface.

    Prior to Junos OS Release 17.1R1, Layer 2 encapsulations and features such as Spanning Tree Protocol (STP), VLAN and many more could not be configured on pseudowire service on the service logical interface.

    [See Layer 2 Services Provisioning on Services Side of Pseudowire Service Interface Overview.]

  • Support for port mirroring on pseudowire subscriber logical interface (MX Series)—Starting with Junos OS Release 17.1R1, port mirroring is supported on the services side of an MPLS pseudowire subscriber logical interface.

    You can configure pseudowire service interface in the same way as the logical interface or physical interface. The main purpose of port mirroring on pseudowire service interface is to allow configurations of pseudowire service interface as a mirrored interface at Layer 2 and Layer 3 levels as supported by firewall filters.

  • Support for LDP pseudowire auto-sensing (MX Series)—Starting with Junos OS Release 17.1R1, Label Distribution Protocol (LDP) pseudowire auto-sensing addresses zero-touch provisioning. LDP pseudowire auto-sensing enables pseudowire headend termination to be dynamically provisioned rather than statically configured. Hence, it is referred to as zero-touch provisioning.

    In Junos OS, pseudowire headend termination on service nodes is supported through the use of pseudowire service logical interfaces and physical interfaces. This approach is considered as superior in scalability to the old logical tunnel interface based approach, due to its capability of multiplexing and demultiplexing subscribers or customers over a single pseudowire. Currently, the creation and deletion of the pseudowire service logical interfaces, pseudowire service physical interfaces, Layer 2 circuits, and Layer 2 VPNs for pseudowire headend termination rely on static configuration. This is not considered as ideal from the perspective of scalability, efficiency, and flexibility, especially in a network where each service node might potentially host a large number of pseudowires.

    [See LDP Pseudowire Auto-Sensing Overview.]

  • Order-aware abstract hops for MPLS LSPs (MX Series)—Junos OS Release 17.1R1 introduces abstract hops, which are user-defined router clusters or groups that can be sequenced and used for setting up a label-switched path (LSP), similar to real-hop constraints.

    The router groups are created using constituent lists that include constituent attributes, which is a logical combination of the existing traffic engineering constraints, such as administrative groups, extended administrative groups, and Shared Risk Link Groups (SRLGs). Ordering among the router groups that satisfy the specified constituent attributes is achieved by using operational qualifiers in the abstract-hop definition.

    A path can use a combination of real and abstract hops as constraints. To configure abstract hops, you need to create constituent lists with traffic engineering attributes, include the lists in the abstract-hop definition, and define path constraints that use the abstract hops.

    [See Abstract Hops For MPLS LSPs Overview and Example: Configuring Abstract Hops for MPLS LSPs.]

  • Support for extension of pseudowire redundancy condition to logical Interfaces (MX Series)—Starting with Junos OS Release 17.1R1, pseudowire redundancy condition is supported on MPLS pseudowire subscriber logical interface. This is similar to the pseudowire redundancy feature for mobile backhaul by using the logical tunnel paired (lt-) interfaces.

    The primary or backup pseudowire is terminated at the provider edge routers (ps0.0) and the corresponding pseudowire (ps0.1 to ps0.n) service logical interfaces connected to Layer 3 domain by configuring those service logical interfaces in the Layer 3VPN routing instances. There is a Layer 2 circuit across MLPS access node and provider edge with the pseudowire service on transport logical interface (ps0.0) as the local interface of Layer 2 circuit terminating at the provider edge device.

    [See Extension of Pseudowire Redundancy Condition Logic to Pseudowire Subscriber Logical Interface Overview.]

  • Increased scaling values for MPLS-over-UDP tunnels (MX Series routers with MPCs/MICs)—The next-hop-based dynamic UDP tunnels are referred to as MPLS-over-UDP tunnels, and support the creation of a tunnel composite next hop for every dynamic tunnel created. Starting in Junos OS Release 17.1, the limit for the maximum number of next-hop-based dynamic MPLS-over-UDP tunnels that can be created on an MX series router with MPCs or MICs is increased. This provides additional scaling advantage for the total number of IP tunnels that can be created on the router.

    [See Example: Configuring Next-Hop-Based MPLS-Over-UDP Dynamic Tunnels.]


  • Rate sensitive upstream multicast hop (UMH) selection for multicast VPN source-active routes (MX Series)—Starting in Junos OS Release 17.1R1, you can use the traffic rate on the ingress PE to trigger the egress PE to use an alternative UHM. Two new commands are introduced to support this feature, min-rate and dampen.

    Use this feature, for example, to ensure that egress PEs only receive Source-Active A-D route advertisements from ingress PEs that are receiving traffic at or above a specified rate. Rather than advertising the Source-Active A-D route immediately upon learning of the S,G, the ingress PE waits the time specified in the dampen command for the traffic rate to remain above the min-rate before it sends Source-Active A-D route advertisements. If the rate drops below the threshold, the Source-Active A-D route is withdrawn. These new commands can be found at the [edit routing-instancesinstance-name protocols mvpn mvpn-mode spt-only source-active-advertisement] hierarchy level.

    [See min-rate and dampen.]

Network Management and Monitoring

  • Support for hrProcessorTable object (MX Series)—Starting in Junos OS Release 17.1R1, support is provided for the hrProcessorTable object (object id: described in the RFC2790, Host Resources MIB. The hrProcessorTable object provides the load statistics information per CPU for multi-core devices.

    [See SNMP MIB Explorer.]

  • Get and walk support for SNMP Timing MIB objects (MX104)—Starting in Junos OS Release 17.1R1, the get and walk functionality is supported for the following SNMP timing MIB objects:

    • jnxPtpClass

    • jnxPtpGmId

    • jnxPtpAdvClockClass

    • jnxPtpUtcOffset

    • jnxPtpUtcValid

    • jnxPtpOperationalSlaves

    • jnxPtpOperationalMaster

    • jnxPtpServoState

    • jnxPtpSlaveOffset

    • jnxTimingFrequencyTraceability

    • jnxTimingTimeTraceability

    • jnxClksyncQualityCode

    • jnxClksyncQualityCodeStr

    • jnxClksyncIfIndex

    • jnxClksyncIntfName

    • jnxClksyncSynceQualityTable

    • jnxClksyncSynceQualityIntfIndex

    • jnxClksyncSynceQualityValue

    • jnxClksyncSynceQualityIntfName

    [See SNMP MIB Explorer.]

  • Support for mplsL3VpnIfConfTable object (MX Series)— Starting in Junos OS Release 17.1R1, support is provided for the mplsL3VpnIfConfTable object (object id: described in RFC 4382, MPLS/BGP Layer 3 Virtual Private Network (VPN) MIB. The mplsL3VpnIfConfTable object represents the Layer 3 VPN enabled interfaces that are associated with a specific Virtual Routing and Forwarding (VRF) instance and shows the bitmask values of the supported protocols. The mplsL3VpnIfConfTable object creates entries for the interfaces that are associated with the VRF instances. If an interface is later removed from a VRF instance, the corresponding entry in the mplsL3VpnIfConfTable object gets deleted. To view details of the mplsL3VpnIfConfTable object, use the show snmp mib walk mplsL3VpnIfConfTable command.

    [See SNMP MIB Explorer.]

  • Port mirroring enhancements (MX Series)—Starting in Junos OS Release 17.1R1, the port mirroring feature supports several new enhancements:

    • Packet mirroring for both ingress and egress directions on subscriber IFLs

    • Support for the encapsulation of mirrored packets onto per-subscriber L2TP tunnels

    • Support for the removal of S-VLAN tags from mirrored packets

    [See Configuring Protocol-Independent Firewall Filter for Port Mirroring.]


  • Destination MAC address rewrites for OpenFlow (MX80, MX240, MX480, and MX960)—Some types of network equipment that function as routers accept and handle packets only if the destination MAC address in the packet is the same as the MAC address of the Layer 3 interface on which the packet is received. To interoperate with these routers, connected devices must also be able to rewrite the destination MAC address of an incoming packet. Starting with Junos OS Release 17.1R1, an OpenFlow controller can configure an MX Series router that supports OpenFlow to rewrite the destination MAC address of an incoming packet.

    [See Understanding How the OpenFlow Destination MAC Address Rewrite Action Works.]

Operation, Administration, and Maintenance (OAM)

  • Enhanced scale support for MIPs per chassis (MXSeries with MPCs)—Starting in Junos OS Release 17.1R1, Junos OS supports 8000 maintenance association intermediate points (MIPs) per chassis for bridge domain and VPLS domain interfaces. Increasing the number of MIPs per chassis for specific domains enables effective Ethernet OAM deployment in scaling networks. To support the increased number of MIPs, configure the network services mode on the router as enhanced-ip. If you do not configure the network services mode, then Junos OS supports only 4000 MIPs.

    [See Configuring Maintenance Intermediate Points (MIPs).]

  • Support for sender ID TLV—Starting with Junos OS Release 17.1R1, you can configure Junos OS to send the sender ID TLV along with the packets. The sender ID TLV is an optional TLV that is sent in continuity check messages (CCMs), loopback messages, and Link Trace Messages (LTMs), as specified in the IEEE 802.1ag standard. The sender ID TLV contains the chassis ID, which is the unique, CFM-based MAC address of the device, and the management IP address, which is an IPv4 or an IPv6 address.

    You can enable Junos OS to send the sender ID TLV at the global level by using the set protocols oam ethernet connectivity-fault-management sendid-tlv and the set protocols oam ethernet connectivity-fault-management sendid-tlv send-chassis-tlv commands. If the sender ID TLV is configured at the global level, then the default maintenance domain, maintenance association, and the maintenance association intermediate point (MIP) half function inherit this configuration.

    The sender ID TLV, if configured at the hierarchy levels mentioned above, takes precedence over the global-level configuration.


    The sender ID TLV is supported only for 802.1ag PDUs and is not supported for performance monitoring protocol data units (PDUs).

    [See Junos OS Support for Chassis ID TLV.]

  • CFM enhancement for interoperability during unified ISSU (MX Series on MPC1, MPC2, MPC2-NG, MPC3-NG, MPC5, and MPC6 cards)—Starting in Junos OS Release 17.1R1, Junos OS CFM works during a unified ISSU when the peer device is not a Juniper Networks router. Interoperating with the router of another vendor, the Juniper Networks router retains session information and continues to transmit CCM PDU (continuity check messages) during the unified ISSU upgrade.

    To provide this interoperability, enable inline (Packet Forwarding Engine) keepalives with the hardware-assisted-keepalives statement at the [edit protocols oam ethernet connectivity-fault-management performance-monitoring] hierarchy level. You must also configure the continuity-check interval to 1 second with the interval statement at the [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name continuity-check] hierarchy level. Interoperability during unified ISSU is not supported for any other interval value.

    [See Configuring Connectivity Fault Management for interoperability during Unified In-Service Software Upgrades.]

Platform and Infrastructure

  • Virtual broadband network gateway support on virtual MX Series router (vMX)—Starting in Junos OS Release 17.1R1, vMX supports most of the subscriber management features available with Junos OS Release 17.1 on MX Series routers to provide a virtual broadband network gateway on x86 servers.

    vBNG runs on vMX, so it has similar exceptions; the following subscriber management features available on MX Series routers are not supported for vBNG:

    • High availability features such as hot-standby backup for enhanced subscriber management and MX Series Virtual Chassis.

    To deploy a vBNG instance, you must purchase these licenses:

    • vMX PREMIUM application package license with 1 Gbps, 5 Gbps, 10 Gbps, or 40 Gbps bandwidth

    • vBNG subscriber scale license with 1000, 10 thousand, 100 thousand, or 1 million subscriber sessions for one of these tiers: Introductory, Preferred, or Elite

  • Virtual MX Series router (vMX)—Starting in Junos OS Release 17.1R1, you can deploy vMX routers on x86 servers. FreeBSD 10 is the underlying OS for Junos OS for vMX. vMX uses DPDK 2.2 to support improved performance.

    vMX supports most of the features available on MX Series routers and allows you to leverage Junos OS to provide a quick and flexible deployment. vMX provides the following benefits:

    • Optimizes carrier-grade routing for the x86 environment

    • Simplifies operations by consistency with MX Series routers

    • Introduces new services without reconfiguration of current infrastructure

Routing Protocols

  • IS-IS import policy and route prioritization ( MX Series)—Beginning with Junos OS Release 17.1R1, you can prioritize IS-IS routes that are installed in the routing table for better convergence. In a network with a large number of interior gateway protocol prefixes with BGP Layer 3 VPN or label-based pseudowire service established on top of some interior gateway protocol prefixes, it is important to control the order in which routes get updated in the forwarding table.

    In previous releases, Junos OS installed IS-IS routes lexicographically in the routing table. Starting with Junos OS Release 17.1R1, you can configure an import policy to prioritize IS-IS routes as per your network requirements. Use a route tag, or filter the routes based on their prefix before setting a priority of high, medium, or low. Use the reject policy option to reject routes from a specific prefix or routes marked with a particular tag. The IS-IS protocol downloads routes to the rpd routing table based on the configured priority. If you do not configure an import policy, all routes are set to a medium priority by default.

    [See Example: Configuring a Routing Policy to Prioritize IS-IS Routes.]

  • Adjustable TCP MSS values (MX Series)—Starting in Junos OS Release 17.1R1, you can use the tcp-mss statement to configure the maximum segment size (MSS) for transient TCP packets that traverse a router. Adjusting the TCP MSS value helps reduce the likelihood of fragmentation and packet loss. The tcp-mss statement can be enabled on dynamic interfaces and supports protocols families inet and inet6.

    [See tcp-mss.]

  • BGP advertises multiple add-paths based on community value (MX Series)—Beginning with Junos OS 17.1R1, you can define a policy to identify eligible multiple path prefixes based on community values. BGP advertises these community-tagged routes in addition to the active path to a given destination. If the community value of a route does not match the community value defined in the policy, then BGP does not advertise that route. This feature allows BGP to advertise not more than 20 paths to a given destination. You can limit and configure the number of prefixes that BGP considers for multiple paths without actually knowing the prefixes in advance. Instead, a known BGP community value determines whether or not a prefix is advertised.

    [See Example: Configuring a Routing Policy to Select and Advertise Multipaths Based on BGP Community Value.]

  • Selective advertising of BGP multiple paths (MX Series)—Beginning with Junos OS Release 17.1R1, you can restrict BGP add-path to advertise contributor multiple paths only. Advertising all available multiple paths might result in a large overhead of processing on device memory and is a scaling consideration, too. You can limit and configure up to six prefixes that the BGP multipath algorithm selects. Selective advertising of multiple paths facilitates internet service providers and data centers that use route reflector to build in-path diversity in IBGP.

    [See Example: Configuring Selective Advertising of BGP Multiple Paths for Load Balancing.]

  • System performance enhancements for rpd, Packet Forwarding Engine, and kernel (MX Series)—Beginning with Junos OS Release 17.1R1, performance of the routing protocol process (rpd), the Packet Forwarding Engine, and the kernel is enhanced to speed up the process with which the rpd learns the route states and changes, and reflects these changes in the ASIC-based Packet Forwarding Engine residing in the line cards. The key enhancements are faster route download rates when a router comes up after a reboot, or when you add a new line card, and faster update of the data plane in convergence scenarios. We recommend disabling daemons, such as Layer 2 address learning process (l2ald) and connectivity-fault management process (cfmd) —if they are not required— to improve system performance. Though these enhancements are mainly for the MX Series, other platforms might see some performance improvements as well.

Services Applications

  • Support for inline 6rd and 6to4 (MX Series routers with MPC5Es and MPC6Es)—Starting in Junos OS Release 17.1R1, you can configure inline 6rd or 6to4 on MPC5Es and MPC6Es. You can use the inline capability to avoid the cost of using MS-DPCs for required tunneling, encapsulation, and decapsulation processes. Anycast is supported for 6 to 4 using next-hop service interfaces. Hairpinning is also supported for traffic between 6rd domains.

    [See Tunneling Services for IPv4-to-IPv6 Transition Overview, show services inline softwire statistics, and clear services inline softwire statistics.]

  • Support for IP reassembly on GRE tunnel interfaces (MX Series routers with MPCs)—Starting in Junos OS Release 17.1R1, you can configure fragmentation and reasssembly of generic routing encapsulation (GRE) packets on GRE tunnel interfaces on MX Series routers with the following Modular Port Concentrators: MPC2E-NGs, MPC3E-NGs, MPC5Es, and MPC6Es.

    [See Configuring Unicast Tunnels.]

  • Support for 464XLAT PLAT on MS-MPCs and MS-MICs (MX Series)—Starting in Junos OS Release 17.1R1, the XLAT464 provider-side translater (PLAT) is supported on MS-MICs and MS-MPCs. The 464XLAT architecture provides a simple and scalable technique to provide IPv4 client-server connectivity across an IPv6-only network without having to maintain an IPv4 network and assign additional public IPv4 addresses on the customer side.

    [See 464XLAT Overview.]

  • Logging and reporting framework (MX Series with MS-MPC and MS-MIC)—Starting in Junos OS Release 17.1R1, the logging and reporting framework (LRF) enables you to log data for subscriber application-aware data sessions and send that data in an IP flow information export (IPFIX) format to an external log collector, using UDP-based transport. These data session logs can include subscriber information, application information, HTTP metadata, data volume, time-of-day information, and source and destination details. An external collector, which is not a Juniper Networks product, can then use this data to perform analytics that provide you with insights about subscriber and application usage.

    [See Logging and Reporting Function for Subscribers.]

  • Network attack protection for MS-MPCs and MS-MICs (MX Series)—Starting in Junos OS Release 17.1R1, the MS-MPC and MS-MIC can detect and prevent network probing attacks, network flooding attacks, header anomaly attacks, and suspicious packet pattern attacks.

    [See Configuring Protection Against Network Attacks (MS-MPCs and MS-MICs).]

  • Support for inline video monitoring on MPC7E, MPC8E, and MCP9E (MX Series)—Starting in Junos OS Release 17.1R1, support for video monitoring using media delivery indexing (MDI) criteria is expanded to include the following Modular Port Concentrators: MPC7E, MPC8E, and MCP9E.

    [See Inline Video Monitoring Overview.]

  • CLI command parity for carrier-grade NAT and stateful firewall (MX Series with MS-MPC)—Starting in Junos OS Release 17.1R1, new operational commands and configuration options provide information previously available only when using the MS-DPC as the services PIC.

    • To display information equivalent to that provided by show services stateful-firewall flow-analysis for the MS-DPC, use show services sessions analysis for the MS-MPC.

    • To display information equivalent to that provided by show services stateful-firewall subscriber-analysis for the MS-DPC, use show services subscriber analysis for the MS-MPC.

    • To drop sessions after a certain session setup rate is reached, include the new CLI option max-session-creation-rate at the [edit services service-set service-set-name] hierarchy level.

    [See max-session-creation-rate (Service Set), show services subscriber analysis, and show services sessions analysis.]

  • Enhancements to stateful synchronization (MS-MIC, MS-MPC)—Starting in Junos OS Release 17.1R1, stateful synchronization for long-running flows is enhanced for MS-MPC services PICs. These enhancements include:

    • Automatic replication of NAT flows for all service sets: NAT44 flows are automatically synchronized for all eligible service sets. You can selectively disable replication for individual service sets.

    • Checkpointing of IPv4 and IPv6 stateful firewall flows and NAPT-44 with address pooling paired (APP), with configurable timeout for checkpointing.

    [See Configuring Inter-Chassis Stateful Synchronization for Long Lived Flows (MS-MPC, MS-MIC).]

  • Subscriber-aware and application-aware traffic treatment (MX Series with MS-MPC)—Starting in Junos OS Release 17.1R1, Junos OS can perform subscriber-aware and application-aware policy enforcement for mobile or fixed-line subscribers. Junos OS determines the subscriber identity of traffic flow and applies the subscriber’s policy rules to the flow. Application identification is performed through deep packet inspection (DPI) at Layer 7 and Layer 4. Subscriber policy actions can include:

    • Redirecting HTTP traffic to another URL or IP address

    • Forwarding packets to a routing instance to direct packets to external service chains

    • Setting the forwarding class

    • Setting the maximum bit rate

    • Performing HTTP header enrichment

    • Setting the gating status to blocked or allowed

    [See Subscriber-Aware and Application-Aware Traffic Treatment User Guide.]

  • Usage monitoring for subscribers (MX Series with MS-MPC)—Starting in Junos OS Release 17.1R1, Junos OS can monitor the volume of traffic and the amount of time that a subscriber uses during a session if that subscriber’s policy control rules are controlled by a policy and charging rules function (PCRF) server. The PCRF initiates this monitoring, and the MX Series sends the reports to the PCRF. Monitoring can take place for the entire subscriber session or for only specific data flows and applications. The PCRF provides threshold values to indicate when the Service Control Gateway sends a report to the PCRF, or the PCRF can request a report at any time.

    [See Understanding Usage Monitoring for TDF Subscribers.]

  • Traffic Load Balancer (MX Series with MS-MPCs)—Starting in Junos OS Release 17.1R1, traffic load balancing is supported on MS-MPCs. The Traffic Load Balancer (TLB) application distributes traffic among multiple servers in a server group, and performs health checks to determine whether any servers should not receive traffic. TLB supports multiple VRFs.

    [See Traffic Load Balancer Overview.]

  • Support for H.323 gatekeeper mode for NAT on MS-MPC and MS-MIC (MX Series routers)—Starting in Junos OS Release 17.1R1, H.323 gatekeeper mode is supported in NAPT44 and NAT64 rules and IPv4 stateful-firewall rules on the MX Series. H.323 is a legacy VoIP protocol.

    [See ALG Descriptions.]

  • Support for IKE and IPsec pass-through on NAPT44 and NAT64 (MX Series routers with MS-MPCs and MS-MICs)—Starting in Junos OS Release 17.1R1, you can enable the passing of IKE and IPsec packets through NAPT44 and NAT64 rules between IPsec peers that are not NAT-T compliant by using the IKE-ESP-TUNNEL-MODE-NAT-ALG Application Layer Gateway (ALG) on MS-MPCs and MS-MICs. This ALG supports only ESP tunnel mode.

    [See ALG Descriptions.]

  • Class-of-service (Cos) marking and reclassification for the MS-MICs and MS-MPCs—Starting with Junos Release 17.1R1, the MS-MIC and MS-MPC support CoS configuration, which enables you to configure differentiated services code point (DSCP) marking and forwarding-class assignment for packets transiting the MS-MIC or MS-MPC. You can configure the CoS service alongside the stateful firewall and NAT services, using a similar rule structure.

    [See Configuring CoS Rules.]

  • Services support for MPC7E (MX Series)—Starting in Junos OS Release 17.1R1, the MPC7E (Multi-Rate) MPC supports the redirection of packets to the MS-MPC for the following services: carrier-grade NAT and stateful firewalls.

  • Support for distributing dynamic endpoint IPsec tunnels among AMS interfaces (MX Series routers with MS-MPCs)—Starting in Junos OS Release 17.1R1, you can distribute IPsec tunnels with dynamic endpoints among aggregated multiservices (AMS) interfaces.

    [See Configuring Dynamic Endpoints for IPsec Tunnels.]

  • Enhancements to the RFC2544-based benchmarking tests (MX Series)—Junos OS Release 17.1R1 extends support for the RFC2544 on MX Series routers with MPC3E (MX-MPC3E-3D), MPC3E-NG (MX-MPC3E-3D-NG), MPC4E (MPC4E-3D-32XGE-SFPP and MPC4E-3D-2CGE-8XGE), MPC5E (MPC5E-40G10G, MPC5EQ-40G10G, MPC5E-100G10G, and MPC5EQ-100G10G) and the MPC6E (MX2K-MPC6E).

    The RFC2544 tests are performed to measure and demonstrate the service-level agreement (SLA) parameters before activation of the service. The tests measure throughput, latency, frame loss rate, and back-to-back frames. Starting from Junos OS Release 17.1R1, RFC2544-based benchmarking tests on MX Series routers supports the following reflection function:

    • Layer 2 reflection (ingress direction) for family bridge, vpls

    To run the benchmarking tests on the MX Series routers, you must enable reflection feature on the corresponding MPC slot. To configure the reflector function on the MPC, use the chassis fpc fpc-slot-no slamon-services rfc2544 statement at the [edit] hierarchy level.

    [See RFC2544-Based Benchmarking Tests Overview.]

  • Service redundancy daemon support for redundancy across multiple gateways (MX Series routers with MS-MPCs)—Starting in Junos OS Release 17.1R1, you can configure redundancy across multiple service gateways. The redundancy actions are based on the results of monitoring system events, including:

    • Interface and link down events

    • FPC and PIC reboots

    • Routing protocol daemon (rpd) aborts and restarts

    • Peer gateway events, including requests to acquire or release mastership, or to broadcast warnings

    [See Service Redundancy Daemon Overview.]

Subscriber Management and Services

  • Support for access-line-identifier interface sets based on the Agent Circuit ID (ACI), the Agent Remote ID (ARI), or both (MX Series)—Starting in Junos OS Release 17.1R1, you can configure interface sets for dynamic subscriber VLANs based on the access-line identifiers (ALI) that are received in a DHCPv4, DHCPv6, or PPPoE discovery packet. The set can be created when the identifier received is the ACI, the ARI, both the ACI and the ARI, or when neither the ACI nor the ARI is received. These interface sets model subscriber identities in a 1:N S-VLAN access model, where a single VLAN exists per service, but more than one subscriber might be using the service. In earlier releases, only the ACI could create the interface sets (ACI sets); when it was not present, the discovery packet was dropped.

    You can configure the creation of either ALI sets using this method or ACI interface sets using the legacy method, but not both. A CLI check prevents you from configuring both of these methods. The legacy ACI method might be deprecated in a future release.

    [See Access-Line-Identifier-Based Dynamic VLANs Overview.]

  • Static provisioning of unique subscriber ID including interface description (MX Series)—Starting in Junos OS Release 17.1R1, you can configure DHCP local server and DHCP relay agent to concatenate the interface description with the username during the subscriber or client authentication process. Use the interface-description statement to include either the logical interface description or the device interface description. The interface description is separated from the other username fields by the specified delimiter, or by the default delimiter “.” when you do not specify a delimiter. The specified delimiter must not be part of the interface description.

    [See Creating Unique Usernames for DHCP Clients.]

  • Flat file output for service filter-based accounting (MX Series)—Starting in Junos OS Release 17.1R1, you can configure service accounting statistics to be collected and reported in a local flat file as an alternative to being collected and automatically reported to a RADIUS server. Statistics collection is initiated when the service profile is attached to the subscriber interface.

    To configure local flat-file reporting:

    1. Create a flat-file profile and specify the service-accounting option at the [edit accounting-options flat-file-profile flat-file-profile-name fields] hierarchy level.
    2. Specify this profile with the local statement in the subscriber access profile.
    3. Configure the access profile for local reporting by setting the accounting-order either to local or—if you plan to activate the service with a CLI configuration or command—to activation-protocol at the [edit access profile profile-name service accounting-order] hierarchy level.

    [See Configuring Service Accounting in Local Flat Files.]

  • Support for asymmetric DHCP leasing (MX Series)—Starting in Junos OS Release 17.1R1, you can configure an override to the DHCP configuration—typically on the relay agent—to send a shorter (asymmetric) lease to a DHCP client than the lease granted by the DHCP local server. When the local server sends a client an acknowledgment packet in response to the client’s offer, the relay agent generates a new acknowledgment packet with the shorter time that you configured. When the client requests a lease renewal, the relay agent re-creates the short lease based on the original lease, rather than passing the request back to the local server. The relay agent continues to renew the shorter lease until the long lease renew time expires, at which time the asymmetric lease is no longer valid. Subsequent renewal requests from the client are forwarded to the server for consideration. If the client does not renew the lease before the short lease renew time expires, then the lease is considered to be abandoned by the client. The address is freed earlier than it would be if the granted lease was used. This feature is available for both DHCPv4 and DHCPv6 configurations.

    [See Configuring DHCP Asymmetric Leasing.]

  • shmlog support for CoS and firewall filter plug-ins (MX Series)—Starting in Junos OS Release 17.1R1, you can use the svc-sdb-id filter option with the show shmlog command to display only the shmlog filter table entries associated with a service session identifier. For example, the following command displays only shmlog entries that include service session 3:

    user@host> show shmlog entries logname all svc-sdb-id 3

    Any client session can have multiple associated service sessions. When you specify only the client session ID, the output includes the entries for the client session in addition to entries for all the service sessions related to that client session:

    user@host> show shmlog entries logname all sdb-id 2

    Although you can specify multiple shmlog filters at the same time, inaccurate results are returned when you combine svc-sdb-id with any filter other than sdb-id. For example, if you combine svc-sdb-id with vlan, the output does not display entries for the VLAN and service session. Instead, it displays no entries or only service session entries.


    The svc-sdb-id filter applies only to subscriber-based entries, because non-subscriber-based entries cannot be filtered. You can display those entries with the existing global commands. For example, for non-subscriber-based CoS and firewall entries, you can use the following commands:

    user@host> show shmlog entries logname all
    user@host> show shmlog entries logname *cos*
    user@host> show shmlog entries logname *dfw*
  • LAC support for IPv6 address family and firewalls (MX Series)—Starting in Junos OS Release 17.1R1, you can configure the LAC to create the IPv6 address family (inet6) when tunneling the subscriber to the LNS. By default, the LAC requires only family inet to enable forwarding into an IP tunnel. It can apply IPv4 firewall filters to the session. Even when family inet6 is included in the dynamic profile, by default it is not created and IPv6 firewall filters cannot be applied.

    Include the enable-ipv6-services-for-lac statement at the [edit services l2tp] hierarchy level to allow the IPv6 family to be created and IPv6 filters to be applied.

    Use the show services l2tp summary command to display the current state, Disabled or Enabled, in the IPv6 Ssrvices for LAC sessions field.

    [See enable-ipv6-services-for-lac.]

  • Dynamic subscriber and service management on statically configured interfaces (MX Series)—Starting in Junos OS Release 17.1R1, enhanced subscriber management supports dynamic service activation and deactivation for static subscribers. These static subscribers work with the native Juniper Networks Session and Resource Control (SRC), or you can configure RADIUS to activate and deactivate the services with change of authorization (CoA) messages.


    However, with RADIUS, authentication failure does not prevent the underlying interface from coming up and forwarding traffic. Instead, it prevents the subscriber from coming up, and thus service activation or deactivation. Authorization parameters such as IP addresses, net masks, policy lists, and QoS are also not imposed when using RADIUS.

    Use the following commands to provide administrative control of static subscribers:

    • request services static-subscribers login interface interface-name

    • request services static-subscribers logout interface interface-name

    • request services static-subscribers login group group-name

    • request services static-subscribers logout group group-name

    Use the following commands to monitor static subscribers:

    • show static-subscribers

    • show static-subscribers interface interface-name

    • show static-subscribers group group-name

  • Subscriber management and services feature parity (MX240, MX480, MX960)—Starting in Junos OS Release 17.1R1, the MX240, MX480, and MX960 routers with the Routing Engine RE-S-X6-64G support all subscriber management and services features. These services include DHCP, PPP, L2TP, VLAN, and pseudowire.

  • Packet injection enhancements (MX Series)—Starting in Junos OS Release 17.1R1, you can configure packet injection by using the packet-inject-enable option and a reserved policy map named packed-inject-flow. When a packet marked with the packet-inject-flow policy map egresses out of a logical interface that has the packet-inject-enable option enabled, it is sent for packet injection.

    The show interfaces statistics command output includes additional information about packet injection.

    [See packet-inject-enable.]


  • Anti-spoofing protection for next-hop-based dynamic tunnels (MX Series Routers with MPCs)—Starting in Junos OS Release 17.1R1, anti-spoofing capabilities are added to next-hop-based dynamic IP tunnels, where checks are implemented for the traffic coming through the tunnel to the routing instance using reverse path forwarding in the Packet Forwarding Engine.

    Currently, when traffic is received from a tunnel, the gateway router does a destination address lookup before forwarding. With anti-spoofing protection, the gateway router does a source address lookup of the encapsulation packet IP header in the VPN to ensure that only legitimate sources are injecting traffic through their designated IP tunnels (strict mode). When a packet comes from a nondesignated tunnel, the reverse path forwarding check passes only in the loose mode. Traffic coming from nonexistent sources fails the reverse path forwarding check.

    This feature is supported on virtual routing and forwarding (VRF) routing instances with strict mode as the default.

    To enable anti-spoofing for dynamic tunnels, include the ip-tunnel-rpf-check statement at the [edit routing-instances routing-instance-name routing-options forwarding-table] hierarchy level.

    [See Anti-Spoofing Protection for Next-Hop-Based Dynamic Tunnels and Example: Configuring Anti-Spoofing Protection for Next-Hop-Based Dynamic Tunnels.]

  • Increased scaling values for next-hop-based dynamic GRE tunnels (MX Series routers with MPCs/MICs)—Starting in Junos OS Release 17.1R1, the limit for the maximum number of next-hop-based dynamic generic routing encapsulation (GRE) tunnels that can be created on an MX Series router with MPCs or MICs is increased. This provides additional scaling advantage for the total number of IP tunnels that can be created on the router.

    The increased scaling values of next-hop-based dynamic GRE tunnels benefits data center networks, where a gateway router is required to communicate with a number of servers over an IP infrastructure; for example, in Contrail networking.

    [See Example: Configuring a Next-Hop-Based Dynamic GRE Tunnels.]

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 17.1R3 for MX Series routers.

Class of Service (CoS)

  • Support for 48 classifiers per family (MX Series)—Starting with Junos OS Release 17.1R3, you can configure up to 48 classifiers per family at the [edit class-of-service classifiers] hierarchy level. In earlier releases, you could only configure up to 32 classifiers per family.

    [See CoS Features and Limitations on MX Series Routers.]

General Routing

  • Support for deletion of static routes when the BFD session goes down (MX Series)—Starting with Junos OS 17.1R3, the default behavior of the static route at the [edit routing-options static static-route bfd-admin-down] hierarchy level is active. So, the static routes are deleted when the BFD receives a session down message.

Interfaces and Chassis

  • Support for maximum queues configuration on MPC7E, MPC8E, and MPC9E (MX Series)—Starting in Junos OS 17.1R1, you can configure the maximum number of queues per MPC on MPC7E, MPC8E, and MPC9E. By default, these MPCs operate in per port queuing mode.

    You can use the set chassis fpc slot-number max-queues queues-per-line-card command to configure number of queues per MPC. The possible values for queues-per-line-card are 8k, 16k, 32k, 64k, 128k, 256k, 512k, or 1M.

    Per-unit scheduling and hierarchical queuing on MPC7E, MPC8E, and MPC9E are licensed features.

    You cannot configure the max-queues and the flexible-queuing-mode statements at the same time. You use the flexi-queuing-mode statement to configure a maximum of 32,000 queues per MPC.

    If the max-queues statement is not configured, which is the default mode, the MPC starts with a message similar to the following:

    FPC 0 supports only port based queuing. A license is required for per-VLAN and hierarchical features.

    If the max-queues statement is configured and the value is less than or equal to 32,000, the MPC starts with a message similar to the following:

    FPC 0 supports port based queuing and is configured in 16384 queue mode. A limited per-VLAN queuing license is required for per VLAN and hierarchical queuing features.

    If the max-queues statement is configured and the value is greater than 32,000, the MPC starts with a message similar to the following:

    FPC 0 supports port based queuing and is configured in 524288 queue mode. A full scale per-VLAN queuing license is required for per VLAN and hierarchical queuing features.

    [See Understanding Hierarchical Scheduling for MIC and MPC Interfaces

    and Flexible Queuing Mode Overview.]

  • Changes to show interfaces interface-name extensive output (MX Series)—Starting in Junos OS Release 15.1R7, 16.1R5, 16.2R2, and 17.1R2, the MAC Control Frames field of the show interface interface-name extensive command for a specified 10-Gigabit Ethernet interface displays a value of zero. In previous releases, the value for this field was calculated. Because of continuous traffic and as a result of the calculations, the value displayed for this field changed continuously.

  • Recovery of PICs that are stuck because of prolonged flow controls (MS-MIC, MS-MPC, MS-DPC, MS-PIC 100, MS-PIC 400, and MS-PIC 500)—Starting in Junos OS Release 16.1R7, if interfaces on an MS-PIC, MS-MIC, MS-MPC, or MS-DPC are in stuck state because of prolonged flow control, Junos OS restarts the service PICs to recover them from this state. However, if you want the PICs to remain in stuck state until you manually restart the PICs, configure the new option up-on-flow-control for the flow-control-options statement at the [edit interfaces mo-fpc/pic/port multiservice-options] hierarchy level. In releases before Release 16.1R7, there is no action taken to recover service PICs from this state unless one of the options for the flow-control-options statement is configured, or service PIC is manually restarted.

  • Deprecated maximum transmission unit configuration option for virtual tunnel interfaces—Starting In Junos OS Release 17.1R3, you cannot configure the maximum transmission unit (MTU) size for virtual tunnel (vt) interfaces because the mtu bytes option is deprecated for vt interfaces. Junos OS sets the MTU size for vt interfaces by default to unlimited.

Intrusion Detection and Prevention

  • Importing IS-IS tag value into LDP (MX Series)—Starting in Junos OS Release 17.1R1, when a tag value is assigned to an IS-IS route, the IS-IS tag value is imported and used by LDP while installing the route in the inet.3 and mpls.0 routing tables if the track-igp-metric command is configured. This enables policy configuration to be applied on the inet.3 and mpls.0 routing tables based on the imported tag value.

Junos OS XML API and Scripting

  • XML output change for show subscribers summary port command (MX Series)—Starting in Junos OS Release 17.1R1, the display format changed for the show subscribers summary port command to make parsing the output easier. The output is displayed as in the following example:

    user@host> show subscribers summary port | display xml

    In earlier releases, that output is displayed as in the following example:

    user@host> show subscribers summary port | display xml

Layer 2 VPN

  • Support for LSP on EVPN-MPLS—Starting in Junos OS Release 17.1R3, Junos supports the mapping of EVPN traffic to specific label-switched paths (LSPs). Prior to this release, the traffic policies mapping extended community to specific LSPs did not work properly.


  • Enhancement to Junos Telemetry Interface (MX Series)—Starting with Junos OS Release 17.1R1, Junos Telemetry Interface data streamed through gRPC no longer includes the phrase oc-path in the prefix field. For example, a physical interface sensor streaming data for interface et-0/0/0:0 now displays the following output: str_value:/interfaces/interface[name='et-0/0/0:0']/.

  • Enhancement to NPU memory sensors for Junos Telemetry Interface (MX Series)—Starting with Junos OS Release 17.1R2, the path used to subscribe to telemetry data for network processing unit (NPU) memory and NPU memory utilization through gRPC has changed. The new path is /components/component[name="FPC<fpc-id>:NPU<npu-id>"]/

    [See Guidelines for gRPC Sensors.]

  • Enhancement to NPU memory sensors for Junos Telemetry Interface (MX Series)—Starting with Junos OS Release 17.1R3, the format of telemetry data exported through gRPC for NPU memory and memory utilization implements prefix compression. This change reduces the payload size of data exported. The following example shows the new format:

    key: __prefix__

    str_value: /components/component[name='FPC0:NPU0']/properties/property

    key: [name='mem-util-edmem-size']/value

    uint_value: 12345

    Telemetry data is exported in key-value pairs. Previously, the data exported included the component and property names in a single key string.

    [See Guidelines for gRPC Sensors.]


  • Representation for OSPF DR node—Up until version -10 of the BGP-LS draft, the OSPF DR node representation was ambiguous. One could represent DR node as 'AdvertisingRouterId-InterfaceIpAddress' or 'InterfaceIpAddress-1'. Junos OS used to follow 'InterfaceIpAddress-1' format. Starting with version '-11' of the BGP-LS draft, the representation for OSPF DR node must be 'AdvertisingRouterId-InterfaceIpaddress'. Junos OS now follows the latest format.

  • PPPoE subscribers do not bind over ps interfaces (MX Series)—Starting with Junos OS Release 17.1R1, the termination of single, multiple, and dual-tagged service delimited VLANs are transported over a single Ethernet CCC pseudowire using ps virtual port devices. This feature provides scaled Layer 3 service application at the pseudowire head-end termination appliance. This behavior is as an extension and evolution for Ethernet pseudowire that is described in RFC 4448.

  • New field for LSP ping egress interface failure (MX Series)—Starting in Junos OS 17.1R1, if an LSP ping is started and the chosen egress interface fails, pings are still sent to the failed interface and then dropped. The ping must be manually stopped and restarted to select a working interface to the destination (if one exists). To help detect this ping situation, a new field, Packets dropped due to ifl down, has been added to the output of the show system statistics mpls command.

    [See show system statistics mpls.]

  • Support for inet.0 and inet.3 labeled unicast BGP route for protocol LDP (MX Series)--- Starting in Junos OS Release 17.1R3, LDP egress policy is supported on both inet.0 and inet.3 routing Information bases (RIBs) also known as routing table for labeled unicast BGP routes. If a routing policy is configured with a specific (inet.0 and inet.3) RIB, the egress policy is applied on the specified RIB. If no RIB is specified and a prefix is present on both inet.0 and inet.3 RIBs for labeled unicast BGP routes, then inet.3 RIB is preferred. However, prior to Junos OS Release 12.3R1 and starting with Junos OS Release 16.1R1, LDP egress policy is always preferred on inet.0 RIB and support for inet.3 RIB egress policy for labeled unicast BGP routes was disabled. In Junos OS Release 12.3R1 and later releases up to Junos Release 16.1R1, LDP egress policy was supported in inet.3 RIBs, in addition to inet.0 RIBs, for labeled-unicast BGP routes.

  • Starting in Junos OS Release 16.1R7, 16.2R3, and 17.1R3, the previously hidden configuration statement, session, can be configured at the [edit protocols ldp] hierarchy level. This statement enables you to configure the LDP session parameters by specifying the session destination address.

    [See session.]

  • New option in show mpls lsp autobandwidth command (MX Series)—Starting in Junos OS Release 17.1R3, a new option —name lsp-name— is introduced in the show mpls lsp autobandwidth command to specify the name of the LSP for which the autobandwidth information is displayed. With the name option, the autobandwidth information specific to the LSP name that has been provided can be obtained in the command output.

    [See show mpls lsp autobandwidth.]

  • Disable M-LDP from using RSVP-TE LSPs for tunneling (MX Series)—Starting in Junos OS Release 12.3R1, Junos OS provides support for multipoint LDP for targeted LDP sessions with unicast replication, in addition to link sessions. As a result, the current default behavior of multipoint LDP over RSVP tunneling is similar to unicast LDP.

    However, because targeted LDP is chosen over LDP and link sessions to signal point-to-multipoint LSPs, you can enable LDP natively throughout the network, so the point-to-multipoint LSPs take the LDP paths.

    [See p2mp (Protocols LDP).]

  • Loss of traffic over bypass MPLS LSPs—If RSVP link or node protection is enabled along with global RSVP authentication, there is loss of traffic over bypass MPLS LSPs at the time of local repair, when the point of local repair (PLR) and the merge point devices have different versions of the Junos OS software installed on them. That is, one device is running a release prior to Junos OS Release 16.1, and the other device is running a release starting with Junos OS Release 16.1R4-S12.

Network Management and Monitoring

  • SNMP syslog messages changed (MX Series)—Starting in Junos OS Release 17.1R1, two misleading SNMP syslog messages have been rewritten to accurately describe the event:

    • OLD —AgentX master agent failed to respond to ping. Attempting to re-register

      NEW —AgentX master agent failed to respond to ping, triggering cleanup!

    • OLD —NET-SNMP version %s AgentX subagent connected

      NEW —NET-SNMP version %s AgentX subagent Open-Sent!

    [See the MIB Explorer.]

  • MIB buffer overruns only be counted under ifOutDiscard (MX Series)—The change done via PR 1140400 introduced a CVBC where qdrops (buffer overruns) were counted under ifOutErrors along with ifOutDiscards. This is against RFC 2863 where buffer overruns should only be counted under ifOutDiscards and not under ifOutErrors. In Junos OS Release 17.1R1, this is now fixed.

  • Hard-coded RFC 3635 MIB OIDs updated (MX Series)—In Junos OS Release 17.1R2, the following RFC 3635 MIB OIDs have been updated as default values:

    • dot3StatsFCSErrors and dot3HCStatsFCSErrors, framing errors

    • dot3StatsInternalMacReceiveErrors and dot3HCStatsInternalMacReceiveErrors, MAC statistics: Total errors (Receive)

    • dot3StatsSymbolErrors and dot3HCStatsSymbolErrors, code violations

    • dot3ControlFunctionsSupported, flow control

    • dot3PauseAdminMode, flow control

    • dot3PauseOperMode, auto-negotiation

    [See the SNMP Explorer.]

  • Enhancement to SMNPv3 traps for contextName field (MX Series)—Starting in Junos OS Release 17.1R2, the contextName field in SNMPv3 traps generated from a non-default routing instance, is populated with the same routing-instance information as is given in SNMPv2 traps. SNMPv2 traps provide the routing-instance information as context in the form of context@community. This information gives the network monitoring system (NMS) the origin of the trap, which is information it might need. But in SNMPv3, until now, the contextName field was empty. For traps originating from a default routing instance, this field is still empty, which now indicates that the origin of the trap is the default routing instance.

    [See SNMP MIB Explorer.]

  • Update to SNMP support of apply-path statement (MX Series)—In Junos OS Release 17.1R2, SNMP implementation for the apply-path configuration statement supports only two lists:

    • apply-path "policy-options prefix-list <list-name> <*>"

      This configuration has been supported from day 1.

    • apply-path "access radius-server <*>"

      This configuration is supported as of this release.

  • Juniper MIBs Loading Errors Fixed (MX Series)—In junos OS Release 17.1R1, duplicated entries and errors while loading MIBs on ManageEngine MIB browser are fixed for the following MIB files:

    • jnx-gen-set.mib

    • jnx-ifotn.mib

    • jnx-optics.mib

    [See MIB Explorer.]

  • New context-oid option for trap-options configuration statement to distinguish the traps which come from a non-default routing instance and non-default logical system (MX Series)—In Junos OS Release 17.1, a new option, context-oid, for the trap-options statement allows you to handle prefixes such as <routing-instance name>@<trap-group> or <logical-system name>/<routing-instance name>@<trap-group> as an additional varbind.

    [See trap-options.]

  • Change in default log level setting (MX Series)—In Junos OS Release, 17.1R3, the following changes were made in default logging levels:

    Before this change:

    • SNMP_TRAP_LINK_UP was LOG_INFO for both the physical (IFD) and logical (IFL) interfaces.

    • SNMP_TRAP_LINK_DOWN was LOG_WARNING for both the physical (IFD) and logical (IFL) interfaces.

    After this change:

    • IFD LinkUp -> LOG_NOTICE (since this is an important message but less frequent)

    • IFL LinkUp -> LOG_INFO (no change)

    • IFD and IFL LinkDown -> LOG_WARNING (no change)

    [See the MIB Explorer.]

  • A decrease in the MPLS label-switched path (LSP) statistics pauses the SNMP MIB mplsLspInfoAggrOctets count for one MPLS statistics gathering interval. In such cases, the mplsLspInfoAggrOctets value is updated only after completing one more interval of the MPLS statistics gathering.

Operation, Administration, and Maintenance (OAM)

  • Change in behavior of the Ethernet OAM CFM process (MX Series)—When you deactivate the connectivity fault management (CFM) protocol, the CFM process (cfmd) stops. When you activate CFM protocol, cfmd starts.

    In releases before Junos OS Release 16.1R1, when you deactivate the CFM protocol, the CFM process continues to run.

Routing Protocols

  • Optimization of link-state packets (LSPs) flooding in IS-IS (MX Series)—Starting in Junos OS Release 17.1R1, flooding of LSPs in IS-IS no longer occurs as a result of the commitment of configuration changes unrelated to IS-IS. Now, when the router is not in the restart state, every time a new LSP is generated after a CLI commit, the contents of the new LSP are compared to the contents of the existing LSP already installed in the link-state database (LSDB) between Intermediate Systems. When the contents of the two LSPs do not match, the system does not process the new LSP or install it in the LSDB, and consequently does not flood it through the IS-IS network. The new behavior does not affect the rebuilding of LSPs after they refresh in the LSDB. No configuration is required to invoke the new behavior.

    In earlier releases, IS-IS generates new LSPs even when the configuration changes are not related to IS-IS. Because the new LSPs are flooded across the network and synchronized in the LSDB, this flooding process is time-consuming and CPU intensive in a scaled network environment.

  • Range of flow route rate-limit modified (MX Series)—Starting with Junos OS Release 17.1R1, the range of flow route rate-limit has changed from [9600..1000000000000] to [0..1000000000000]. Earlier Junos OS releases had range restrictions for flow route rate-limit at the [edit routing-options flow route flow then] hierarchy level. Junos OS can now accept any configured rate-limit value. If the rate limit is set in the range of 0 through 999, the Packet Forwarding Engine discards the packets. For configured rate limit value between 1000 and 1000000000000, Junos OS sets the corresponding value in kbps as the rate limit.

  • Change in default behavior of router capability (MX Series)—In Junos OS Release 17.1R1 and later releases, the router capability TLV distribution flag (S-bit), which controls IS-IS advertisements, will be reset, so that the segment-routing-capable sub-TLV is propagated throughout the IS-IS level and not advertised across IS-IS level boundaries.

  • Support for configuring higher PDU size for IS-IS hello packets (MX Series)—Starting with Junos OS Release 17.1R1, you can configure the maximum protocol data unit (PDU) size of an IS-IS hello packet to up to 16000 bytes. You can achieve the maximum PDU size by configuring the max-hello-size configuration statement at [edit protocol isis interface interface-name] hierarchy and [edit protocol isis] hierarchy and by configuring the hello-padding strict configuration at the[edit protocol isis] hierarchy. The max-hello-size statement configured at the interface level has a higher precedence than the configuration at the [protocol isis] instance level.


    The maximum hello-size configuration at the [protocol isis] instance level must be less than or equal to the max-hello-size at the interface International Organization for Standardization (ISO) maximum transmission unit (MTU) level and not the interface MTU.

    Previously, you could configure the max-hello-size configuration statement only at [edit protocol isis] hierarchy and the maximum size of IS-IS hello packets that were supported was 1492 bytes.

  • Weighted ECMP supports IS-IS SPRING next hops (MX Series)—Starting in Junos OS Release 17.1R1, one hop weighted ECMP feature supports iS-IS SPRING based next hops. Currently weighted ECMP for SPRING routes does not support multiple next hop addresses.

  • MPLS configuration mandatory for indirect next-hop interfaces (MX Series)—Starting in Junos OS Release 17.1R3, it is mandatory for an indirect next-hop’s forwarding interface to have family MPLS configured. In a BGP network if the MPLS configuration for an indirect next-hop’s forwarding interface is deleted or when the BGP labeled unicast interface is deactivated, all routes with indirect next hop undergo a route resolution again, which might impact traffic routing until the route resolution is completed. In earlier Junos OS releases, when family MPLS was deleted, the indirect next-hop route was removed from the forwarding table and could not be recovered even when MPLS was reactivated.

  • Modified output of show route forwarding-table (MX Series)—Starting in Junos OS Release 17.1R3, the output of the show route forwarding-table command does not display the next-hop address for static routes that use point-to-point (P2P) interfaces.

    [See show route forwarding-table.]

  • For link-state distribution using an interior gateway protocol (IGP), ensure that OSPF is enabled on the donor interface for an unnumbered interface configuration, so the donor IP address is reachable to establish OSPF sessions.

    [See Configuring an Unnumbered Interface.]


  • Packet types added for DDoS protection L2TP policers (MX Series routers with MPCs, T4000 routers with FPC5)—Starting in Junos OS Release 17.1R1, the following eight packet types have been added to the DDoS protection L2TP protocol group to provide flexibility in controlling L2TP packets:









    Previously, no individual packet types were available for this protocol group and all L2TP packets were policed the same based on the aggregate policer value. The default values for the bandwidth and burst policers for all packet types is 20,000 pps. The default recover-time is 300 seconds for each of the L2TP packet types.

    [See protocols (DDoS).]

  • Global configuration for DDoS protection flow detection mode and flow level control (MX Series)—Starting in Junos OS Release 17.1R1, you can configure the mode of operation (on, off, or automatic) for flow detection and tracking globally. You can also configure globally how traffic in culprit flows is handled (drop, keep, or police). Both configurations apply to all protocol groups and packet types in the traffic flow unless overridden by the configuration for a protocol group or packet type for all or some flow aggregation levels.

    In earlier releases, you cannot configure the behavior globally; you can configure the behavior only for individual protocol groups or packet types, or at the individual flow aggregation levels: physical interface, logical interface, or subscriber.

    See Configuring How Flow Detection Operates Globally and Configuring How Traffic in a Culprit Flow Is Controlled Globally.

Services Applications

  • Deprecated security IDP statements (MX Series)—In Junos Release 17.1R1 and later releases, [edit security idp] configuration statements are deprecated for the MX Series routers.

  • Device discovery with device-initiated connection (MX Series)—In Junos OS Release 17.1R1 and later releases, when you configure statements and options under the [system services ssh] hierarchy and commit the configuration, make sure that the system reaches a stable state before you commit any outbound-ssh configurations.

    You use the device discovery feature in the Devices workspace to add devices to Junos Space Network Management Platform. By default, Junos Space manages devices by initiating and maintaining a connection to the device.

    [See Device Discovery Overview.]

  • Change in enforcement of maintenance mode for changes to PCC action profiles (MX Series)—Starting with Junos OS Release 17.1R1, a commit error occurs when you change the logging-rule or steering statements at the [edit unified-edge pcef pcc-action-profiles profile-name] hierarchy level if the TDF gateway is not in maintenance mode. Prior to Junos OS Release 17.1R1, a commit error was not displayed.

  • Change in error message displayed while fragmenting or de-fragmenting IPv6 GRE tunnel interface (MX Series routers)—In Junos OS Release17.1R3, on a IPv6 GRE tunnel interface, when you enable fragmentation using the allow-fragmentation command or disable fragmentation using the do-not-fragment command, the following error message is displayed:

    Fragmentation for V6 tunnels is not supported

    In earlier Junos OS releases, the following message was displayed:

    dcd_config_ifl_tunnel:Fragmentation for V6 tunnels is notsupported

Software Defined Networking

  • The output of the show mpls lsp ingress locally-provisioned command is expected to display only label-switched paths (LSPs) that have been provisioned locally by the Path Computation Client (PCC). However, the locally-provisioned option was displaying all the LSPs, instead.

    Starting in Junos OS Release 17.1R3, the locally-provisioned option in the show mpls lsp ingress command is behaving as expected.

Subscriber Management and Services

  • Changes to the test aaa authd-lite user, test aaa dhcp user, and test aaa ppp user commands (MX Series)—Starting in Junos OS Release 17.1R1, the following changes have been made to the test aaa user commands:

    • The Virtual Router Name and Routing Instance fields became the Virtual Router Name (LS:RI) field.

    • The Redirect VR Name field was renamed to Redirect VR Name (LS:RI).

    • The Attributes area in the CLI output header section was renamed to User Attributes.

    • The IGMP field was renamed to IGMP Enable.

    • The IGMP Immediate Leave and the MLD Immediate Leave default values changed from disabled to <not set>.

    • The Chargeable user identity value changed from an integer to a string.

    • The Virtual Router Name field was added to the display for the DHCP client.

    • The commands display only attributes that are supported by Junos OS; these attributes appear even when their values are not set. The Virtual Router Name (LS:RI) field matches the Juniper Networks Virtual-Router VSA (26-1), if present; otherwise, the field displays default:default. The displayed value for all other attributes that are not received is <not set>.

      [See test aaa authd-lite user, test aaa dhcp user, and test aaa ppp user.]

  • interfaces statement restored for ESSM subscriber secure policy (MX Series)—Starting in Junos OS Release 17.1R1, the interfaces statement was undeprecated at the [edit services radius-flow-tap] hierarchy level. When you use subscriber secure policies to mirror ESSM interfaces, you must configure the virtual tunnel (vt) interfaces that are used to send the mirrored packets to a mediation device. In some earlier releases, this statement was erroneously deprecated and hidden.

    [See interfaces (Subscriber Secure Policy).]

  • New option to display all pending accounting stops (MX Series)—Starting in Junos OS Release 17.1R1, the brief option is added to the show accounting pending-accounting-stops command. This option displays the current count of pending RADIUS accounting stop messages for subscribers, services, and total combined stops. The output is displayed as follows:

    user@host> show accounting pending-accounting-stops brief

    [See show accounting pending-accounting-stops brief.]

  • Change to DHCP option 82 suboptions support to differentiate duplicate clients (MX Series)—Starting in Junos OS Release 17.1R2, only the ACI (suboption 1) and ARI (suboption 2) values from the option 82 information are considered when this information is used to identify unique clients in a subnet. Other suboptions, such as Vendor-Specific (suboption 9), are ignored.

  • Change in display of IPv6 Interface Address field by the show subscribers extensive command (MX Series)—Starting in Junos OS 17.1R2, the show subscribers extensive command displays the IPv6 Interface Address field only when the dynamic profile includes the $junos-ipv6-address predefined variable.

    In earlier releases, the command always displays this field, even when the variable is not in the profile. In this case, the field shows the value of the first address from the Framed-IPv6-Prefix attribute (97).

  • Traffic shaping and L2TP tunnel switches (MX Series)—Starting in Junos OS Release 17.1R1, when a dynamic profile attaches a statically configured firewall filter to an L2TP tunnel switch (LTS) session, the filter polices traffic from the LTS (acting as a LAC) to the ultimate endpoint LNS, in addition to the previously supported traffic from the LAC to the LTS (acting as an LNS). In previous releases, the firewall filter applied to only the traffic from the LAC to the LTS.

  • Default L2TP resynchronization method changed and statement deprecated (MX Series)—Starting in Junos OS Release 17.1R2, the default resynchronization method for L2TP peers in the event of a control connection failure is changed to silent failover. In earlier releases, the default method is failover-protocol-fall-back-to-silent-failover. The silent failover method is preferred because it does not keep tunnels open without traffic flow, waiting for the failed peer to recover and resynchronize. You can use the new failover-resync statement at the edit services l2tp tunnel hierarchy level to specify either failover protocol or silent failover as the resynchronization method.

    Because silent failover is now the default, the disable-failover-protocol statement is no longer needed and has been deprecated. If you upgrade to this release with a configuration that includes this statement, it is supported, but the CLI notifies you it is deprecated.

  • IPv6 Link Local Addresses Assigned to Underlying Static Demux Interfaces (MX Series)—Starting in Junos OS Release 17.1R2, when you are using Router Advertisement for IPv6 subscribers on dynamic demux interfaces that run over underlying static demux interfaces, configure the software to use the same link-local address for both interfaces. In this case, the link-local address for the underlying interface should be based the MAC address of the underlying interface. The following statement causes the system to assign an address using the 64-bit Extended Unique Identifier (EUI-64) as described in RFC 2373:

  • Wildcard supported for show subscribers agent-circuit-identifier command (MX Series)—Starting in Junos OS Release 17.1R3, you can specify either the complete ACI string or a substring when you issue the show subscribers agent-circuit-identifier command. To specify a substring, you must enter characters that form the beginning of the string, followed by an asterisk (*) as a wildcard to substitute for the remainder of the string. The wildcard can be used only at the end of the specified substring; for example:

    In earlier releases, starting with Junos OS Release 14.1, the command requires you to specify the complete ACI string to display the correct results. In Junos OS Release 13.3, you can successfully specify a substring of the ACI without a wildcard.

  • Support for IPv6 all-routers address in nondefault routing instance (MX Series)—Starting in Junos OS Release 17.1R3, the well-known IPv6 all-routers multicast address, FF02::2, is supported in nondefault routing instances. In earlier releases it is supported only for the default routing instance; consequently IPv6 router solicitation packets are dropped in nondefault routing instances.

  • Correction to CLI for L2TP tunnel keepalives (MX Series)—Starting in Junos OS Release 17.1R3, the CLI correctly limits to 3600 seconds the maximum duration that you can enter for the hello interval of an L2TP tunnel group. In earlier releases, the CLI allows you to enter a value up to 65,535, even though only 3600 is supported.

    See hello-interval (L2TP).

  • Memory mapping statement removed for Enhanced Subscriber Management (MX Series)— In Junos OS Release 17.1R3, use the following command when configuring database memory for Enhanced Subscriber Management:

    set system configuration-database max-db-size

    CLI support for the set configuration-database virtual-memory-mapping process-set subscriber-management command has been removed to avoid confusion. Using the command for subscriber management now results in the following error message:

    WARNING: system configuration-database virtual-memory-mapping not supported. error: configuration check-out failed.

    [See Interface Configuring Junos OS Enhanced Subscriber Management for an example of how to use the max-db-size command.]

  • Source-specific multicast (SSM) CLI changes for dynamic IGMP and dynamic MLD (MX Series)—Starting in Junos OS Release 17.1R3, the ssm-map ssm-map-name statement at the [edit dynamic-profiles profile-name protocols (igmp | mld) interface interface-name] hierarchy level is deprecated and is no longer supported. Instead, you define an SSM map policy with the policy-statement statement at the [edit policy-options] hierarchy level. Apply the policy for dynamic IGMP or dynamic MLD with the ssm-map-policy ssm-map-policy-name statement at the [edit dynamic-profiles profile-name protocols (igmp | mld) interface interface-name] hierarchy level.

    If you upgrade from a release that does not support enhanced subscriber management (any release earlier than Junos OS Release 15.1R4) with a configuration that includes ssm-map, the configuration is allowed. However, the configuration has no effect and subscribers cannot log in.

  • Disabling a pseudowire underlying interface (MX Series)—Starting in Junos OS Release 17.1R3, you cannot disable the underlying logical tunnel (lt) interface when a pseudowire is anchored on that interface. If you want to disable the underlying interface, you must first deactivate the pseudowire.

    [See Configuring a Pseudowire Subscriber Logical Interface Device.]

  • Bandwidth options match for inline services and tunnel services (MX Series)—Starting in Junos OS Release 17.1R3, you can configure the same bandwidth options for inline services with the bandwidth statement at the [edit chassis fpc slot-number pic number inline-services hierarchy level as you can configure for tunnel services with the bandwidth statement at the [edit chassis fpc slot-number pic number tunnel-services] hierarchy level.

    [See bandwidth (Inline Services) and bandwidth (Tunnel Services).]

System Management

  • Peers option not supported in batch configuration mode— Starting in Junos OS Release 17.1R1, the peers option at the [edit system commit] hierarchy level is not supported in batch configuration mode.

User Interface and Configuration

  • Integers in configuration data in JSON format are displayed without quotation marks (MX Series)—Starting in Junos OS Release 17.1R1, integers in Junos OS configuration data emitted in JavaScript Object Notation (JSON) format are not enclosed in quotation marks. Prior to Junos OS Release 17.1R1, integers in JSON configuration data were treated as strings and enclosed in quotation marks.

  • Changes to the show system schema module juniper-command output directory (MX Series)—Starting in Junos OS Release 17.1R1, when you issue the show system schema module juniper-command operational command in the Junos OS CLI, the device places the generated output files in the current working directory, which defaults to the user’s home directory. Prior to Junos OS Release 17.1R1, the generated output files are placed in the /var/tmp directory.

  • SLAX scripts included as part of the Junos OS image (MX Series)—In Junos OS Release 17.1R1 and later releases, the Stylesheet Language Alternative Syntax (SLAX) scripts services-oids-ev-policy.slax, services-oids.slax, and utils.slax are included as part of the Junos OS image and automatically copied to the required location on the router when you install Junos OS.

  • Junos OS prohibits configuring ephemeral configuration database instances that use the name default (MX Series)—Starting in Junos OS Release 17.1R3, user-defined instances of the ephemeral configuration database, which are configured using the instance instance-name statement at the [edit system configuration-database ephemeral] hierarchy level, do not support configuring the name default.


  • EVPN E-tree extended community (MX Series)—In Junos OS Releases 17.1R2, and later releases, the E-tree leaf indication bit and leaf label in EVPN E-tree extended community follows the E-tree Extended Community as defined in the E-TREE Support in EVPN & PBB-EVPN IET IETF draft. A mixed network environment with routers running versions of Junos OS without this fix and routers with this fix would encounter unexpected forwarding behavior. Junos OS Release 16.1R4 has the incorrect label indication bit and leaf label encoding.

  • EVPN extended community and ISID using standard IANA value (MX Series)—Starting in Junos OS Release 17.1R2, the router MAC extended community and service identifier (ISID) sub-type values have been corrected to use the Internet Assigned Numbers Authority (IANA) standardized value. In Junos OS Release 17.1R1, when you configure EVPN extended community using a pure type 5 routing mode with VXLAN encapsulation, you might encounter routing issues with the router from another vendor.

  • Support for ping on a virtual gateway address (MX Series)—In Junos OS Release 17.1R2, Junos supports pinging an IPv4 or IPv6 address on the preferred virtual gateway interface. To set up support for ping, you must include both the virtual-gateway-accept-data and the preferred statements at the [edit interfaces irb unit] hierarchy of the preferred virtual gateway. This enables the interface on the preferred virtual gateway to accept all packets for the virtual IP address, including ping packets.

Known Behavior

This section contains the known behavior, system maximums, and limitations in hardware and software in Junos OS Release 17.1R3 for MX Series routers.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Class of Service (CoS)

  • Filtering for Routing Engine sourced packets (MX Series)—Starting in Junos OS Release 17.1R1, support is added for filtering on Differentiated Services Code Point (DSCP) and forwarding class for Routing Engine sourced packets. This includes IS-IS packets encapsulated in generic routing encapsulation (GRE). With this change comes a new order of precedence. When upgrading from a previous version of Junos OS where you have both a class of service (CoS) and firewall filter, and both include DSCP or forwarding class filter actions, the criteria in the firewall filter automatically takes precedence over the CoS settings. The same is true when creating new configurations; that is, where the same settings exist, the firewall filter takes precedence over the CoS, regardless of which was created first.


  • Routing instances of type EVPN configured with a VLAN ID will advertise MAC (type 2) routes with the VLAN value in the Ethernet tag field of the MAC route. Advertising MAC routes with a nonzero VLAN is incompatible with the EVPN VLAN-based service type. To enable interoperability between a Junos OS routing instance of type EVPN and a remote EVPN device operating in VLAN-based mode, the Junos OS routing instance should be configured with vlan-id none so that the Ethernet tag in advertised MAC routes is set to zero. PR945247

  • A PE device running EVPN IRB with an IGP configured in a VRF associated with the EVPN instance will be unable to establish an IGP adjacency with a CE device attached to a remote PE device. The IGP instance running in the VRF on the PE device might be able to discover the IGP instance running on the remote CE device through broadcast or multicast traffic, but will be unable to send unicast traffic directly to the remote CE device. PR977945

  • EVPN VPWS convergence and association with traffic loss is tied to the type of redundancy and the route exchange through BGP. In A/A this traffic loss is low because of the distribution of the traffic as well as protocols that can be used on the CE-PE link to steer the traffic away from the failed link as soon as the failure occurs. Here is the data for AA and AS. The number for AS are higher and are due to inherent limitations of this redundancy scheme. AA: a) ESI Goes DOWN : <10 msec. b) ESI comes UP: <50msec (for Traffic Items corresponding to 80RIs ? 1VPWS CKT per RI) = 350 msec approx. (For Traffic item corresponding to 2000CKTs in one RI) AS: a) ESI goes Down: 4950msec (Approx.) b) ESI Comes UP: 2100 msec (Approx.) PR1181523

  • In scaled up EVPN VPWS configuration (approximately 8000 EVPN VPWS), during a Routing Engine switchover, rpd scheduler slip messages might be seen. PR1225153

  • An incorrect PE router is attached to an ESI when the router receives two copies of the same AD/ESI route (for example, one through eBGP and another one received from an iBGP neighbor). This causes a partial traffic that is discarded without notification and with stale MAC entries. You can confirm the issue by checking the members of the ESI: user@router> show evpn instance extensive ... Number of ethernet segments: 5 ESI: 00:13:78:00:00:00:00:00:00:01 Status: Resolved Number of remote PEs connected: 3 Remote PE MAC label Aliasing label Mode 0 0 all-active 200 0 all-active <<<< this PE is not part of the ESI 200 0 all-active PR1231402

  • When you activate and deactivate the Route Target per bridge domain in EVPN, the rpd process might crash resulting in traffic loss. We recommend that you do not toggle to this configuration in Junos OS Release 17.1R1. PR1244956

Forwarding and Sampling

  • We have an interface for a direct route starting in ifdown condition. The remote side is then brought up, so I/F goes to ifup. Since it is a direct route, rpd does not install the route or nexthop. It receives that info from the kernel, and just updates a next hop in rpd local storage. The route and next hop for the interface are taken care of in the kernel. There is no route change in rpd. The route_record depends on route flash to find out about updates. Because there is no route change, there is no route flash, so route_record is unaware. In order to change this, we would need to decide that we want a route flash for this case. Currently, for direct and local routes/next hops, these are "don't care" in rpd, as far as route updates go. We just update our next hop information, without marking for any other notifications. A complication for the solution is a change that was done for PR 1002287, where if the NOTINSTALL flag is set, do not send the update to srrd. That flag is set for direct and local routes. Incidentally, this is day 1 operation. If the interface is up at startup, it should all work correctly. FIB table can provide OIF/GW only. SRC_MASK, DST_MASK, SRC_AS and DST_AS are not available in PFE FIB Table. So SRRD connection is required. Listening to both SRRD and FIB table, and consolidating information will complicate implementation. Scanning the entire FIB Table just for the few such routes will have performance impact and will complicate present implementation. This is day 1 implementation for SRRD/Sampled. Workarounds: There are two possible workarounds. 1) Have the far end interface up when the DUT interface is brought up. In cases where that is not happening, a recovery would be to disable the DUT interface, then enable it again. At that point, everything should be initially brought up in the state we are looking for. 2) Enable the nexthop-learning command. PR1224105

  • FreeBSD 10.x based Junos OS is not supported on 32-bit Routing Engines in Junos OS Release 17.1R1. PR1252662

General Routing

  • The rpd process might crash if ECMP routes have more than 38 IS-IS IPv6 next hops—If the maximum-ecmp 64 statement is enabled and ECMP routes have more than 38 IS-IS IPv6 next hops, then the rpd process might crash because the next hop gateway addresses get overwritten and stored in a circular buffer.


    If all the next-hop IP addresses are IPv6 addresses, you can configure only 38 ECMP next-hop addresses for IS-IS.

  • Support for simultaneous PTP over Ethernet and PTP over IPv4 master streams is not available for G.8275.1 profile (MPC5E and MX104)—In Junos OS Release 17.1R2, support for simultaneous PTP over Ethernet encapsulation and PTP over IPv4 master clock interface is not available on MPC5E and MX104, for a G.8275.1 PTP profile.

  • On MX Series routers with MS-MPC or MS-MIC, memory leaks can be seen with jnx_msp_jbuf_small_oc object, upon sending millions of Point-to-Point Tunneling Protocol control connections (3 through 5 million) alone at higher cells per second (cps) (greater than 150,000 cps). This issue is not seen with up to 50,000 control connections at 10,000 through 30,000 cps. PR1087561

  • NAT64: Source-prefix filtering and protocol filtering of the CGNAT sessions are incorrect. For example, the show services sessions extensive protocol udp source-prefix <0:7000::2> command displays incorrect filtering of the sessions. PR1179922

  • Chef for Junos OS supports additional resources to enable easier configuration of networking devices. These are available in the form of netdev resources. The netdev resource developed for interface configuration has a limitation to configuring the XE interface. The netdev interface resource determines that speed is a configurable parameter that is supported on a GE interface but not on an XE interface. Hence, the netdev interface resource cannot be used to configure an XE interface due to this limitation. This limitation is applicable to packages chef-11.10.4_1.1.*.tgz chef-11.10.4_2.0_*.tgz in all platforms {i386/x86-32/powerpc}. PR1181475

  • When LACP is used and considers the member link to be ready to forward traffic, the member link must not be used by the load balancer until all the micro-BFD sessions of the particular member link are in the up state. PR1192161

  • In certain interface scaling scenarios, during configuration commit or rollback, you might see an fpcx error message. You can safely ignore this message because of the FPGA monitor mechanism on DPC cards for logical interface mapping (ifl_map). Between the deletion of a physical interface and the monitoring event, this mechanism checks through the stored logical interfaces. While the mechanism tries to find the family of a recently deleted logical interface that was not cleaned from the ifl_map, harmless messages might populate the log file. PR1210877

  • PIC gets rebooted without generating a core file, in spite of having dump on flow control configured. PR1217167

  • The ptp master streams on IP and Ethernet are not supported simultaneously. PR1217427

  • There is no unified ISSU from a Junos OS Release with NPU image size less than 60 MB to a Junos OS Release with NPU image size greater than 60 MB. PR1222540

  • In this feature(next-hop-based tunnel), GRE/UDP tunnel does not have any tunnel liveness protocol, which can state tunnel up/down event. With the current implementation, tunnel will be up if the next hop is installed in the kernel or the Packet Forwarding Engine. This next hop will be withdrawn only if the BGP router is removed from the bgp.l3vpn.o table. PR1223727

  • OSPF is used as routing protocol between the clients and the DEP router with TD configured. The OSPF protocol traffic brings the IPsec up on spokes and DEP router. The IPsec SAs are distributed on the DEP router. The neighbor state between the OSPF peers move to full but it does not stay in that state. States change to init, 2-way, ex-start, and to full again. As a result, the data traffic between the routers is getting dropped. Thus tunnel distribution with protocol traffic is not supported. PR1232277

  • vMX does not detect interface link state correctly in SR-IOV mode with i40e driver. PR1271902

  • CFM is not supported for L2-over-GRE tunnel. CCM can pass through as transit traffic through GRE interfaces transparently using datapath. Link trace functionality uses MAC-learning and re-injecting LTM on GRE interface in case the bridge is configured with CFM. This is not supported feature. PR1275833

  • With Junos OS Release 16.2R1 or later, the error message about jlaunchd, jlaunchd: %AUTH-1: commit-batch is thrashing, not restarted, might be seen after a system reboot or a Routing Engine switchover. PR1284271

High Availability (HA) and Resiliency

  • Unified ISSU incompatibility with VPLS dynamic profiles (MX Series)—Using unified ISSU to upgrade from an earlier Junos OS release to Junos OS Release 17.1R1 does not work if VPLS dynamic profiles are configured and enhanced subscriber management is not configured.

    [See ISSU System Requirements]

Interfaces and Chassis

  • Reordering of MAC addresses after a Routing Engine switchover—In Junos OS Release 14.2 and later, if you configure multiple aggregated Ethernet interfaces, the MAC address of the aggregated Ethernet interfaces displayed in the show interfaces ae number command output might get reordered after a Routing Engine switchover or restart.

    As a workaround, you can configure static MAC addresses for aggregated Ethernet interfaces. Any external dependency, such as filtering of the MAC addresses that are assigned before the reboot, becomes invalid if the MAC address changes.

  • The same IP address could be configured on different logical interfaces from different physical interfaces in the same routing instance (including master routing instance), but only one logical interface was assigned with the identical address after commit. There was no warning during the commit, only syslog messages indicating incorrect configuration. PR1221993


  • When Flow-Label (FL) is enabled for pseudowire, the OAM packets are not sent with Flow-Label because rpd is not aware of the Flow-Label values assigned by the Packet Forwarding Engine software. Hence, the packets were getting dropped by the Packet Forwarding Engine at the egress. The remote PE was expecting the packet with Flow-Label and pseudowire label. PR1217566

Platform and Infrastructure

  • The FPC reports the following errors and it is not able to connect any subscriber: Pkt Xfer:** WEDGE DETECTED IN PFE 0 TOE host packet transfer: %PFE-0: reason code 0x1" Also, the MQ FI may be wedged and the following log can be seen: Apr 11 12:09:11.945 2013 NSK-BBAR3 fpc7 MQCHIP(0) FI Reorder cell timeout Apr 11 12:09:11.945 2013 NSK-BBAR3 fpc7 MQCHIP(0) FI Enqueuing error, type 1 seq 404 stream 0 Apr 11 12:09:11.945 2013 NSK-BBAR3 fpc7 MQCHIP(0) MALLOC Pre-Q Reference Count underflow - decrement below zero PR873217

Routing Protocols

  • When a Junos OS aggregation gateway uses an IPv6 address as next hop for IPv4 aggregates announced to downstream, it might attract traffic prematurely before Packet Forwarding Engines are programmed with more specific IPv4 routes. This happens when the IPv6 address is advertised in BGP inet6-labeled-unicast family. PR1220235

  • With GRES+ NSR enabled, the master Routing Engine replicates kernel states and protocol states on the backup Routing Engine. Both kernel state (ifstates) and protocol state replication are independent processes. The ksyncd takes care of ifstates replication. The rpdinfra takes care of replication (mirror) connection between two Routing Engines. And NSR-supported protocols have their own mechanism to replicate their database using mirror connection. According to PIM/MVPN NSR design, on the backup Routing Engine, it walks through the replication database (RDB). Once a PIM/MVPN state is processed on the backup Routing Engine, the associated RDB is deleted. If kernel replication is restarted. it can lead to interface deletions and additions only on the backup Routing Engine. PIM states on the backup Routing Engine go out of synchronization. PR1224155

Services Applications

  • Account Session ID, Interface Identifier, and Subscriber User Name trigger attributes are optimized for a scaled subscriber management environment. If you include any of the other, non-optimized, trigger attributes in a scaled subscriber management environment, a significant delay might be observed between the time when the DTCP ADD message is sent and the time when forwarding starts for the mirrored traffic. For example, if there are 10,000 subscriber sessions on the router, forwarding of the mirrored traffic might be delayed for 20 minutes. This delay occurs when you specify any non-optimized attribute, with or without any optimized attribute. The delay occurs regardless of the order of attributes in the DTCP packet. PR1269770

  • Broadband-edge platforms do not support service-set integration with dynamic profiles when the service set is representing a carrier-grade NAT configuration. As a workaround, you can use next-hop service set configurations and routing options to steer traffic to a multiservices (ms) interface where NAT functionality can be exercised. The following configuration snippet shows the basics of statically configuring the multiservices interface next hop and a next-hop service set. Traffic on which the service is applied is forced to the interface inside the network by configuring that interface as the next hop. This configuration does not show other routing-options or NAT configurations relevant to your network.

    [See Configuring Service Sets to be Applied to Services Interfaces.]

Software Installation and Upgrade

  • On a broadband network gateway (BNG) that is running enhanced subscriber management, you must take the service cards offline before you can perform an in-service software upgrade (ISSU) to Junos OS Release 17.1 from a Junos OS release that includes the application-aware policy control feature (16.1R4 and later).

  • Unified ISSU not supported with an active RPM configuration—If you have an active real-time performance monitoring (RPM) configuration, you cannot perform a successful unified in-service software upgrade (ISSU) to a Junos OS 17.1 release. The warning ISSU is not supported for RPM configuration appears.

Subscriber Management and Services

  • If a graceful Routing Engine switchover (GRES) is triggered by an operational mode command, the state of aggregated services interfaces (ASIs) are not preserved. For example:

    However, if GRES is triggered by a CLI commit or FPC restart or crash, the backup Routing Engine updates the ASI state. For example:


  • The all option is not intended to be used as a means to perform a bulk logout of L2TP subscribers. We recommend that you do not use the all option with the clear services l2tp destination, clear services l2tp session, or clear services l2tp tunnel statements in a production environment. Instead of clearing all subscribers at once, consider clearing subscribers in smaller group, based on interface, tunnel, or destination end point.

  • Before you make any changes to the underlying interface for a demux0 interface, you must ensure that no subscribers are currently present on that underlying interface. If any subscribers are present, you must remove them before you make changes.

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 17.1R3 for MX Series routers.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • Platform-specific callbacks are not getting initialized. PR1354855

Class of Service (CoS)

  • If the interface-set statement is configured for CoS, then the FPC might crash when the CoS configuration tries to access an interface-set-related pointer that was freed after the FPC or device was reloaded. PR1224046

  • The cosd might crash during commit through NETCONF if xcess-priority is configured. It is a timing issue. PR1403147


  • When unknown unicast traffic is received on the egress EVPN PE divice, the input packet and rate will be counted as twice as large as the actual input packet and rate. PR830535

  • Show evpn vpws-instance SID NNN is not supported. PR1122695

  • The l2ald process might generate a core file a scaled Layer 2 setup with bridge domain, VPLS, and EVPN. The core file generation usually follows a kernel page fault. In most cases the issues resolves on its own after the generation of the l2ald core file. In some cases, you need to manually restart the process. Logs: /kernel: %KERN-3-BAD_PAGE_FAULT: pid 69719 (l2ald), uid 0: pc 0x88beb5ce got a read fault at 0x6ca, x86 fault flags = 0x4 /kernel: %KERN-6: pid 69719 (l2ald), uid 0: exited on signal 11 (core dumped) init: %AUTH-3: l2-learning (PID 69719) terminated by signal number 11. Core dumped! PR1142719

  • EVPN VPWS convergence and association with traffic loss is tied to the type of redundancy and the route exchange through BGP. In A/A this traffic loss is low because of the distribution of the traffic as well as protocols that can be used on the CE-PE link to steer the traffic away from the failed link as soon as the failure occurs. Here is the data for 1and 2. The numbers for 2 are higher and are due to inherent limitations of this redundancy scheme.

    1: a) ESI goes down: <10 ms.

    b) ESI comes up: <50 ms (for traffic items corresponding to 80RIs ? 1VPWS CKT per RI) = 350 ms approx. (For traffic item corresponding to 2000CKTs in one RI)

    2: a) ESI goes down: 4950 ms (approx.)

    b) ESI comes up: 2100 ms (approx.)


  • In an EVPN scenario with static MAC configured on the EVPN instance, the remote EVPN instance can see the MAC route information. However, after the static MAC in the EVPN instance is deactivated and then activated, and the MAC route information in the remote EVPN instance is checked, no such MAC route is found in the EVPN route table. PR1193754

  • This issue is applicable to MAC-in-MAC PNN-EVPN and does not affect any other scenario. When a PBB-EVPN configuration is reloaded on MX Series routers, error logs are seen while deleting interfaces related to backbone bridge component. These errors do not result in any functional issues. PR1323275

  • PBB-EVPN cannot flood traffic toward a core layer. Recover traffic by running restart l2-learning. In addition to this, there is a limitation in PBB-EVPN active/active (A/A) unicast traffic forwarding. If entropy in the traffic is not sufficient, then uneven load balancing causes a problem on MH peer A/A routers. This causes a drop for return traffic. These issues are applicable to MAC-in-MAC private network-to-network PNN-EVPN and do not affect any other scenario. PR1323503

  • When EVPN PE (RR) is configured as single home without ESI, evpn bgp routes from table " bgp.evpn.0 " might leak into default evpn table (__default_evpn__.evpn.0) causing label leak. Leak might lead to all label exhaustion and result in to rpd core. PR1333944

  • In a device running Junos OS platform, the l2ald process might crash during MAC address processing. As a result, the MAC learning process is impacted; however, the l2ald process recovers on its own. PR1347606

  • When EVPN is configured with class-of-service-based forwarding (CBF), traffic might be lost for the CBF services. PR1374211

  • In an EVPN (Ethernet VPN) scenario, if the router receives a Type 2 MAC+IP route advertisement having 2 MPLS labels, and then withdrawal of the same route with only 1 label occurs, the withdrawal will not be processed and that route will be stuck. PR1399726

Forwarding and Sampling

  • When a policing filter is applied to an active LSP carrying traffic, the LSP resignals and drops traffic for approximately 2 seconds. It can take up to 30 seconds for the LSP to come up under the following conditions: (1) Creation of the policing filter and its application to the LSP through configuration occurs in the same commit sequence and (2) Load override of a configuration file that has a policing filter and policing filter application to the LSP are followed by a commit. PR1160669

  • The firewall filter family any configured with the shared-bandwidth-policer statement on an MC-aggregated Ethernet interface does not reconfigure bandwidth or carve up the policer when the standby device becomes the active device after A/S switchover; it drops all packets. PR1232607

  • After the show firewall command is executed, the dfwinfo: tvptest:dfwlib_owner_create tvp driven policer_byte_count support 0 message is seen in messages logs. This message is a cosmetic issue and it can be ignored safely. This message can be seen with the following sample configuration: << sample config >> set interfaces ge-0/0/0 unit 0 family inet filter input test_filter set interfaces ge-0/0/0 unit 0 family inet address set firewall family inet filter test_filter term policer then policer policer_test set firewall policer policer_test if-exceeding bandwidth-limit 100m set firewall policer policer_test if-exceeding burst-size-limit 125k set firewall policer policer_test then loss-priority low PR1248134

  • In some stress test conditions, the sampled process crashes and generates a core file when connecting to Layer 2 Bitstream Access (L2BSA) and EVPN subscribers aggressively. PR1293237

  • Remote CE1 MAC address might take a long time to clear after running clear mac. PR1304866

  • In an EVPN A/A scenario with an MX Series router or EX Series switch acting as a PE device, flood next hops to handle BUM traffic might not get created or miss certain branches when the configuration is performed in a particular sequence. PR1377749

  • LTS subscriber statistics are reported to RADIUS. PR1383354

General Routing

  • This issue occurs when the configured global-MAC limit is less than the interface MAC limit and the same interface is configured with packet action. When the traffic is sent with a higher packet rate, all the MAC entries are learned by the Packet Forwarding Engine. The Routing Engine later trims this to the configured global-MAC limit. When the traffic is sent with a lower packet rate, the Routing Engine learns somewhat more than the configured global-MAC limit and subjects the remaining packets (with newer MACs) to the configured drop action. PR1002774

  • ICMP echo_reply traffic with applications such as IPsec does not work with the MS-MIC and MS-MPC cards in an asymmetric traffic environment, because these cards employ a stateful firewall by default. The packet is dropped at the stateful firewall because it acknowledges an ICMP reply that has no matching session. PR1072180

  • An intermittent issue occurs when the bypass-queuing-chip statement is configured on an aggregated Ethernet interface. The follow-up configuration changes are such that, removing a child link from an aggregated Ethernet bundle and configuring the per-unit-scheduler statement on the removed child link in a single commit causes intermittent issues with the per-unit-scheduler configuration updates to cosd and the Packet Forwarding Engine. Hence, dedicated scheduler nodes might not be created for all units or logical interfaces. PR1162006

  • For the translation types napt-44 and deterministic-napt44, a few NAT sessions are seen to be stuck when service sets or corresponding applications are deactivated or activated with traffic running. PR1183193

  • Reporting fabric self ping blackhole got decoupled from Fabric Hardening events and will execute disable-pfe action per default and will raise a Major Alarm. PR1184761

  • AMS redundant interfaces are not listed under possible completions for operational mode commands. PR1185710

  • IR-mode configuration statement commit failure is seen with MPC7, MPC8, and MPC9. PR1192228

  • GUMEM errors for the same address might continually be logged if a parity error occurs in a locked location in GUMEM. Because GUMEM utilizes ECC memory, any error is self-correcting and has no impact on the operation of the router. In a rare case, such a parity error might appear repeatedly at a specific location. As a workaround, the error can be cleared by rebooting the FPC. PR1200503

  • When ppm deviation exceeds 10 ppm, do not display off-frequency if the clock source is still being locked. Display in-use# instead. This displayed value indicates that it is still locked to the source, although the clock has a considerably large ppm deviation. PR1202327

  • Various common situations lead to different views of forwarding information between kernel and Packet Forwarding Engines. For example, consider the following displayed message: fpc7 KERNEL/PFE APP=NH OUT OF SYNC: error code 3 REASON: NH add received for an ifl that does not exist ERROR-SPECIFIC INFO: nh_id=562 , type = Hold, ifl index 334 does not exist TYPE-SPECIFIC INFO: none. This issue does not seem to have any service impact on MPC2 and MPC3 line cards. PR1205593

  • In an OAM environment with a GRE interface, if the physical interface is brought down, then an OAM keepalive brings down the GRE interface. But within a few second, GRE interface comes up and the OAM keepalive is down. The traffic forwarding might be affected. PR1207017

  • When APS is configured on already present interfaces, without a maintenance window, the rpd might lose the protect interface state due to some sequence of events. This will cause the local route of the protect interface to go into an inconsistent state and any protocol using this local route might also see issues. PR1210951

  • Several files are copied between Routing Engines during the FFP synchronize phase of the commit (such as /var/etc/ and /var/etc/ These files are copied even if there was no corresponding change in the configuration, thus unnecessarily increasing commit time. PR1210986

  • When you issue an operational mode clear command, the queuing monitor sensor counters on the Junos Telemetry Interface (JTI) server are not reset. As a result, after such clear CLI commands are issued, the QMON sensor statistics on the JTI server do not match those in the output of CLI and vty commands. PR1226948

  • The normal discard count in the output of the show pfe statistics traffic command continuously increases, even without any user traffic. This issue occurs because internal control traffic that is expected to be dropped silently is unexpectedly being counted as normal discard traffic. There is no impact on user traffic. PR1227162

  • When a configuration that moves the Packet Forwarding Engine offline and another configuration that brings the Packet Forwarding Engine back online are committed in quick succession, out-of-synchronization syslog errors might occur. Most of the time these are benign errors, but sometimes these errors might result in Packet Forwarding Engine crash. PR1232178

  • The following error messages occur during GRES and unified ISSU: syslog errors @ agentd_rts_async_rtbm_msg : FLM : Failed to create private.PR1232636

  • When the virtual switch type is changed from IRB type to regular bridge, interfaces under the OpenFlow protocol are removed. The openflow process (daemon) fails to program any flows. PR1234141

  • To distinguish between flow and kernel logical interfaces for VLAN-OOB, subscribers use the option idl-arch-type: router> show interfaces ge-1/0/3.3221225476 ifl-arch-type ? Possible completions: flow Display flow ifls rtsock Display rtsock ifls PR1236713

  • When the IPv4 or IPv6 address configured as the local-gateway for the IPSec VPN service is not actually assigned to any interface in the up state (not present a local/direct route in the routing-table), the system still sends ISAKMP packets for IKE exchange. An address of the outgoing interface is selected as the source address for these packets.PR1238112

  • On MX Series routers with the rpd process in ASYNC mode and distributed IGMP configured, rpd might generate a core file and then crash. PR1238333

  • In a BGP or an MPLS scenario, if the next-hop type of label route is indirect, then the following changing events about the next-hop interface family mpls might cause the route to be in the dead state, and the route remains dead even when the family mpls is again activated: Deactivating and activating the interface family mpls. Deleting and adding back the interface family mpls. Changing maximum labels for the interface. PR1242589

  • For ANCP subscribers in Idle state the previously reported speed in the ANCP Port UP message is not applied. PR1242992

  • ANCP neighbors are reinitialized (and could go down) after an ephemeral commit of any ANCP-related configuration. PR1243164

  • Sensors are not reused when the subscriptions have no common paths. When subscribed from multiple servers for the same subscription, sensors are not reused. PR1245902

  • After you connect 1000 L2BSA subscribers and run the CLI command show ancp subscriber detail | match Aggregate Circuit Identifier Binary, the output stops at a certain point and gets stuck for minutes. Even pressing Ctrl-C does not help terminate the CLI output. In some cases, pressing Ctrl-C causes the ancpd process to crash. PR1250996

  • The MX104 Routing Engine might be stuck in boot loop after disabling interface fxp0 in the configuration. PR1253155

  • In a Junos Telemetry Interface (JTI) scenario using Junos OS Release 16.1R3 and later releases with non-upgraded freeBSD, if openconfig is used, then the na-grpcd process experiences memory leak or memory increase continuously (that is, continuous subscribing and unsubscribing or aggressive timers for interfaces for about 2 seconds or other conditions), eventually causing the na-grpcd process to crash due to memory exhaustion. As a result, the collector does not get the streaming data during the na-grpcd crash. PR1254794

  • VPLS MAC table is not being populated properly as verified by using the show vpls mac-table command, although all subscribers have traffic. This is considered a cosmetic issue. PR1257605

  • In earlier releases, the code does not contain strict enforcement of checking the targeting configuration syntax. Thus having targeting-distribution only in the dynamic VLAN profile but not in the client profile is allowed. This leads to confusion and potentially unexpected behavior. With this fix, strict checking is introduced. Targeting-distribution is required at all levels to bring up the client. PR1258955

  • Errors like mspmand[190]: msvcs_session_send: Plugin id 3 not present in the svc chain for session are usually cosmetic. PR1258970

  • On MX Series routers, in a rare case the backup Routing Engine is slow to process replication. Replication on the master Routing Engine continues too long under a purge condition and results in logic problems and smgd process crash on the backup Routing Engine. PR1261268

  • On an MX Series Virtual Chassis system in a scaled subscriber management scenario, if a unified ISSU is performed while the BGP protocol sessions are active and such BGP sessions are clients of BFD, then these BGP sessions might go down and come back up again, causing traffic loss. PR1265407

  • If the dynamic VLAN profile does not have IFF configuration (for example, family PPPoE or family inet), but has a firewall filter configuration, firewall filter indixes are not released after the dynamic VLAN is removed. This eventually leads to depletion of available firewall filter indixes. PR1265973

  • If the rpd process crashes on a device that has the switchover-on-routing-crash statement enabled, on the device, live VM core files might be seen on both Routing Engines without an impact on the system. PR1267796

  • Sometimes l2cpd core files are generated when LLDP neighbors are cleared. PR1270180

  • On all MX Series devices with the Point-to-Point Protocol over Ethernet (PPPoE) subscriber scenario, the unexpected log message VTAG not found in uflow might be seen when a PPPoE subscriber logs on a static virtual local area network (VLAN) logical interface (IFL, i.e., unit ge-0/0/0.40) PR1284966

  • After a Layer 2 routing instance is renamed, A10-NSP interfaces attached to the old routing interface do not get moved to the new routing instance. PR1287070

  • PPPoE cannot dial in because of all padi dropped as "unknown iif" when deactivated or activated aggregated Ethernet configuration which a aggregated Ethernet child leaves and joins bundle in quick succession. And lead to out of order for substructs msg. And the Fix is to process all substructs hanging off the parent logical interface ifstate in the order in which they were enqueued. Restore-only is to reboot FPC. PR1291515

  • iLatency (calculated by differing producer timestamp and gRPC server timestamp) can sometimes be negative for Packet Forwarding Engine related telemetry packets because drift in Routing Engine and Packet Forwarding Engine NTP servers. PR1303376

  • Customer reported that after running a RADIUS disaster backup procedure (disable access interface, change the RADIUS server and enable interfaces), VLAN-OOB sessions came up, but no new ANCP session was established. user@router> show ancp neighbor Version IP Address PartID State Time Subscriber Capabilities Count * 0x32 0 Not Estblshd 21:17 0 Topo, OAM * 0x32 0 Not Estblshd 21:18 0 Topo, OAM user@router> show subscribers summary Subscribers by State Active: 2988 Total: 2988 Subscribers by Client Type VLAN-OOB: 2988 Total: 2988 The customer was running the following steps to reproduce this issue: 1. Bring up 21,000 subscribers with a session mix over all products (DCIP, EVPL, PPP, L2TP, and L2BSA). 2. Run RADIUS backup procedure using the script. Then the procedure waits until all subscribers are logged out of the BNG (duration of about 10 minutes). 3. After the access interface are enabled within the procedure, many VLAN-OOB sessions come up again, even though no new ANCP session gets established. PR1306872

  • The XML request and reply do not have the same prefix. This is an oversight and might cause confusion as the prefixes normally match. However, fixing the reply now would break current installations. This PR serves as a reminder about the mismatch. PR1312364

  • The following harmless logs will be noticed on router's with next generation Routing Engine's Oct 1 22:17:25 abc vhclient.9947.daemon: vhclient instantiated by /bin/sh Oct 1 22:17:25 abc vhclient.9947.daemon: rsh -JU __juniper_private5__ export PATH=$PATH:/usr/sbin:/sbin/ ; date -s '2017-10-01 22:17:25' Oct 2 01:30:08 abc vhclient.23832.daemon: vhclient instantiated by /bin/sh Oct 2 01:30:08 abc vhclient.23832.daemon: rsh -JU __juniper_private5__ export PATH=$PATH:/usr/sbin:/sbin/ ; date -s '2017-10-02 01:30:08' Oct 2 01:30:08 abc vhclient.23845.daemon: vhclient instantiated by /bin/sh Oct 2 01:30:08 abc vhclient.23845.daemon: rsh -JU __juniper_private5__ export PATH=$PATH:/usr/sbin:/sbin/ ; hwclock -w. These logs are harmless however might fill up messages file. PR1315128

  • Making changes in services traffic-load-balance instance for one instance, can lead to refresh of existing instances. PR1318184

  • When certain MPC (Modular Port Concentrator) model like MPC4E has very specific hardware failure and it fails to boot up because of FPC (Flexible PIC Concentrator) internal I2C error, other FPCs might go offline. PR1319560

  • With regards to FPC restarts/Virtual Chassis splits, the design of MX Series Virtual Chassis infrastructure relies on the integrity of the TCP connections and the reactions to failure situation might not get handled gracefully. The TCP connection timeout occurs because of jlock hog crossing boundary value (5 seconds) causing bad consequences in MX Series Virtual Chassis. Currently, the only solution would be to enable marker infrastructure during MX Series Virtual Chassis setup. SPR1332765

  • Some vmhost commands are missing on Zero Touch Provisioning (ZTP) for MX Series platforms with VM host support (that is, next-generation Routing Engines, such as RE-S-X6-64G). This might cause the ZTP for vmhost images to fail on this kind of platform. PR1343338

  • Changed the implementation of AES-GCM-256 to improve compatibility with other vendors' MACSec 256-bit implementation. PR1336834

  • On MX Series platform with 100M SFP used on MIC-3D-20GE-SFP-E/MIC-3D-20GE-SFP-EH, SFP might not work if it's not from Fiberxon or Avago. PR1344208

  • ancpd might generate a core file when ANCP subscribers are cleared in a scaled scenario with enhanced-ip configured. PR1344805

  • During stress conditions, error log messages regarding route add, change, or delete might be incorrect. PR1350713

  • When an ephemeral database instance is configured, if committing changes that are unrelated to IGMP/MLD (such as set interfaces ge-0/0/1.0 description), and the number of ephemeral commits reaches the maximum number, the ephemeral database might purge all commits and roll over. Then it would purge all the commits and rollover. On this purge, the mgd gives all the applications a FULL COMMIT view. And on this FULL COMMIT view, IGMP/MLD deletes all configurations and adds them back again. This might cause PIM to prune the groups on those interfaces and send join messages again. Finally, multicast traffic flapping and drop might be seen. PR1352499

  • In a L2BSA subscriber scenario, if there is a misconfiguration on the RADIUS profile for the L2BSA subscriber (for example, the routing instance returned from RADIUS is not configured as VPLS) or the authentication part is missing from the physical interface configuration, the bbe-smgd process might crash during L2BSA subscriber log in. PR1367472

  • An FPC restart or FPC core file under heavy traffic load might lead to generation of a bbe-smgd core file. The core file is created due to cleanup issues with the VLAN creations in flight. PR1371926

  • On MX Series routers enabled with enhanced subscriber management, if the subscriber profile initiates a filter service for each subscriber, and there area very large number of broadband edge subscribers (for example, 10,000) logging in and out repeatedly, the filter service might fail to get installed for the subscriber. In some rare conditions, it might also lead to an FPC crash. PR1374248

  • On MX Series router routers in a subscriber scenario, if a large number of subscribers (for example, more than 1000) set up connections simultaneously, the setup rate might be 30 percent lower than expected. PR1384722

  • If commit fast-synchronize is enabled, the device with more than five IP addresses configured in the DHCP server group might go into amnesiac mode after reboot. But in practice it should not allow more than five IP addresses based on the implementation, and this validation for "commit check" is skipped when fast-synchronize is configured. PR1385902

  • In low-end 32-bit systems, rpd has a lower level of available memory. It is desired to have a log message to alert customers when the average memory usage or transient memory usage exceeds thresholds. PR1387465

  • After upgrading to Junos OS Release 17.2 or later releases, the chained-composite-next-hop ingress l3vpn extended-space configuration statement cannot be configured any longer on a logical system. PR1402390

  • On MX Series and ACX Series platforms, when you offline and then online the MIC-3D-16CHE1-T1-CE-H card, the related FPC might crash. PR1402563

  • When auto-bandwidth is configured for RSVP LSP, when timeout occurs during LSP statistics query, large bandwidth might be incorrectly reserved for the LSP. If there are no sufficient resources (for example, bandwidth or alternative path) in the network, other LSPs might be torn down, or might not go up. PR1406822

  • The process rpd might crash after a non forwarding route (that is , a route to an indirect next hop association is a non forwarding indirect next hop) that is received from multiple protocols is resolved again by using the non forwarding path. PR1407408

High Availability (HA) and Resiliency

  • Ksyncd might return wrong address if vccpd is slow in setting protocol mode which lead to VC-BM can't sync with VC-MM when VC-B split and reforming Virtual Chassis. Restart ksyncd daemon in VC-BM to restore. PR1361617


  • Starting from Junos OS Release 14.2R3 the show class-of-service fabric statistics command might fail, displaying the Error = Operation timed out message in some cases (especially if there are many FPCs in the chassis). This is because data structures used to query fabric statistics became significantly larger in later releases. Thus when multiple FPCs start transmitting data to the Routing Engine at the same time, some packets might get dropped in the internal Ethernet switch on the Control Board. If re-transmission does not happen within the timeout, the Operation timed out error is seen. PR1228293

  • The set system ports console log-out-on-disconnect command logs the user out from the console and closes the console connection. If the set system syslog console any warning command is used with the earlier configuration and when there is no active Telnet connection to the console, the process tries to open the console and hangs as it waits for a "serial connect" that is received only by using a Telnet connection to the console. As a workaround, remove the later configuration by using the set system syslog console any warning command, which solves the issue. PR1230657

  • System log (syslog) messages are observed when one of the following CLI commands is executed: system syslog file messages kernel any or system syslogfile messages any any. These syslog messages do not indicate any functionality, breakage, or impact. If you need to enable any-any, then you must skip these logs with an appropriate match condition. PR1239651

Interfaces and Chassis

  • During the configuration change and reuse of the VIP address on an interface, you need to stop the configuration, do a commit and then add the interface address configuration in the next commit. PR1191371

  • In a VPLS multihoming scenario, the CFM packets are forwarded over the standby PE device link, resulting in duplicate packets or a loop between the active and standby links. PR1253542

  • Out-of-sequence packets are seen with the LSQ interface. PR1258258

  • In Junos OS BNG solutions, after commit event, when configuration contains duplicate vlan-id configured on aggregate and demux interfaces, the MX Series router might go into database prompt mode and a kernel core file is generated. PR1274038

  • Junos OS upgrade involving Junos OS Release 14.2R5 and later 14.2 maintenance releases, and Junos OS Release 16.1 maintenance releases with CFM configuration can cause cfmd process crash after upgrade. This issue is due the old version of /var/db/cfm.db. PR1281073

  • Y.1731 delay measurement is not supported on MPC6. PR1303672

  • This PR is to suppress the unnecessary cfmd logs such as the following: Mar 9 11:30:51.614 2018 MX cfmd[28796]: %DAEMON-3: jnxSoamLmDmCfgTable_next_lookup: md 0 ma 0 md_cfg 0x0 Mar 9 11:30:51.614 2018 MX cfmd[28796]: %DAEMON-3: jnxSoamLmDmCfgTable_next_lookup: md 0 ma 0 md_cfg 0x8d69160 Mar 9 11:30:51.614 2018 MX cfmd[28796]: %DAEMON-3: jnxSoamLmDmCfgTable_next_lookup: md 0 ma 0 md_cfg 0x0 Mar 9 11:30:51.614 2018 MX cfmd[28796]: %DAEMON-3: jnxSoamLmDmCfgTable_next_lookup: md 0 ma 0 md_cfg 0x8d69160 Mar 9 11:30:51.614 2018 MX cfmd[28796]: %DAEMON-3: jnxSoamLmDmCfgTable_next_lookup: md 0 ma 0 md_cfg 0x0 Mar 9 11:30:51.614 2018 MX cfmd[28796]: %DAEMON-3: jnxSoamLmDmCfgTable_next_lookup: md 0 ma 0 md_cfg 0x8d69160 Mar 9 11:30:51.614 2018 MX cfmd[28796]: %DAEMON-3: jnxSoamLmDmCfgTable_next_lookup: md 0 ma 0 md_cfg 0x0. PR1347650

  • With the following configuration present, the interface flaps after a commit in which an aggregated Ethernet interface is being added: set interfaces <interface-name> otn-options trigger oc-tsf hold-time up <> down <> set interfaces <interface-name> otn-options trigger odu-bei hold-time up <> down <>

  • In a subscriber management environment, the subscriber (for example, subscriber A) might not access the device (A can get IP address x.x.x.x but then the connection will be terminated), because the address x.x.x.x was previously assigned to another subscriber B and then reassigned to A before confirming whether the respective access route for address x.x.x.x was removed. PR1405055

Layer 2 Ethernet Services

  • When MSTP is configured under a routing instance, both the primary and standby VPLS pseudowires get stuck in ST state because of a bug in the software. This issue has been fixed and now the pseudowire status is set correctly. PR1206106

  • After the underlying physical interface for a static VLAN demux interface, the NAS-Port-ID formed is based on the previous physical interface. PR1255377

  • DHCP core file might be generated after deleting and adding the VPLS/BD related configuration in one commit. PR1267810

  • When a configuration change adds an existing interface to a new routing instance or logical system and the same configuration change is used to enable BBE DHCP subscriber functionality on that routing instance, the client creation might fail. PR1294274

  • MX Series routers might display the false positive CB alarm PMBus Device Fail. PR1298612

  • Port-extender (RJ-45 ports only) LAG interfaces are not up after SNOS 3.1R1.4 upgrade. PR1354718

Layer 2 Features

  • Because of MAC aging every 5 minutes, the VPLS unicast traffic is flooded as unknown unicast every 5 minutes on a router functioning as a VPLS PE device and equipped with one of the following line card: T4000-FPC5-3D, MX-MPC3E-3D, MPC5E-40G10G, MPC5EQ-40G10G, MPC6E, MX2K-MPC6E.PR1148971

  • On routers running Junos OS with Routing Engine GRES enabled, if VPLS is configured with a dynamic profile association, some traffic loss is observed when the Routing Engine switches from master to standby. This issue is due to a change in the underlying database that handles the dynamic profile sessions. As a result, the VPLS connection is destroyed and re-created after a Routing Engine switchover. PR1220171

  • If an LDP-VPLS routing instance is configured with active and backup neighbors, and flow label capability is enabled on the active neighbor but not on the backup neighbor, upon switching to the pesudowire to the backup neighbor, Junos OS on the VPLS PE device will continue to send traffic with flow label based on the capability learned from the previously active neighbor. PR1393447


  • When using mpls traffic-engineering bgp-igp-both-ribs with LDP and RSVP both enabled, CSPF for interdomain RSVP LSPs cannot find the exit ABR when there are two or more such ABRs. This causes interdomain RSVP LSPs to break. RSVP LSPs within the same area are not affected. As a workaround, you can either run only RSVP on OSPF ABRs or IS-IS L1/L2 routers and switch RSVP off on other OSPF area 0/IS-IS L2 routers, or avoid LDP completely and use only RSVP. PR1048560

  • The issue occurs when graceful Routing Engine switchover (GRES) is performed between the master and backup Routing Engines of different memory capabilities. For example, one Routing Engine has only enough memory to run routing protocol process (rpd) in 32-bit mode while the other is capable of doing so in 64-bit mode. The issue is seen when you use Junos OS Release 13.3 or later with the configuration statement auto-64-bit configured, or Junos OS Release 15.1 or later even without the configuration statement. Under these conditions, the rpd might crash on the new master Routing Engine. As a workaround, use the CLI command set system processes routing force-32-bit. PR1141728

  • If the minimum-bandwidth and bandwidth options are both present in the configuration, the bandwidth selection of the LSP is inconsistent. PR1142443

  • When flow-label (FL) is enabled for pseudowire, the OAM packets are not sent with flow-label because rpd is not aware of the flow-label values assigned by the Packet Forwarding Engine. Hence, the packets are getting dropped by the Packet Forwarding Engine at the egress PE device. The remote PE device was expecting the packet with FL and pseudowire label. PR1217566

  • In a CE-CE setup, traffic loss might be observed over the secondary LSP when the primary LSP fails over. PR1240892

  • On MX Series and PTX Series platforms, the rpd might crash when the RSVP bypass undergoes reoptimization and the reoptimized instance encounters failure before it becomes the main instance. PR1250253

  • A new configuration, protocols mpls traffic-engineering bgp-igp-both-ribs, in the routing instance is required to make a channelized optical carrier (cOC) work. PR1252043

  • Because of the current way of calculating bandwidth, you see a minimal discrepancy between MPLS statistics and the adjusted bandwidth reported. The algorithm is enhanced so that both values match 100 percent. PR1259500

  • The throughput measurement might be inaccurate when the performance of an MPLS LSP is measured. PR1274822

  • In case of CSPF-disabled LSPs, if the primary path ERO is changed to an unreachable strict hop, sometimes the primary path stays up with the old ERO. The LSP does not switch to standby secondary. PR1284138

  • After the RSVP MPLS LSP link flaps (link goes down and comes back up), RSVP tries to create a second MPLS LSP instance, if Resv/PathErr message drops for the second MPLS LSP instance, then the second MPLS LSP instance is stuck, and no further optimizations are possible. PR1338559

  • If an inet address is not configured for the gr- interface, the gr- interface will borrow an address from the loopback interface. From Junos OS Release 16.1R1 onwards, the RSVP creates a node-neighbor by default. There are duplicate neighbors with the same IP address because the gr- interface is an borrowing address from the loopback interface. The RSVP path lookup will fail because it gets confused with the node neighbor presence. So the RSVP LSP will not come up when it goes through the gr- interface, which is borrowing an address from the loopback interface. PR1340950

  • Executing a restart chassisd in an MX Series Virtual Chassis router with the following elements configured might result in a core file being generated. (1) IGP: OSPF/OSPF3 (area 0, LFA), IS-IS (Level 2, LFA) LDP synchronization, IPv4 and IPv6 (2) IBGP: dual, redundant route reflection, IPv4 and IPv6 (3) MPLS: LDP (IGP synchronization, track IGP metric), RSVP (node link protection, adaptive, auto bandwidth, refresh reduction) (4) L3VPN: OSPF, OSPF3, BGPv4, BGPv6, RIPv2, static, MBGP, next-generation MVPN, L3VPN CNH with ext space, any-to-any, hub and spoke, MPLS access, Ethernet access, multicast extranet. per-VPN and per-prefix labels, SRX Series based network address translation, SRX based firewall (5) Direct Internet Access: EBGP (6) CoS: BA/MF classification, policing/shaping, queuing/scheduling, hierarchical queuing/shaping/scheduling, eight traffic classes (7) BFD/OAM/CFM: liveness detection (8) Load balancing: L2 aggregated Ethernet, IP ECMP , and MPLS ECMP (9) High Availability GRES/NSR, ISSU, fabric redundancy, tail end protection, and BGP prefix independent convergence edge (10) Security: loopback filter, ARP policers, control plane traffic policers, unicast RPF check with all feasible paths, TTL filtering, J-Flow/IPFIX export only, and SRX Series based DDoS. PR1352227

  • Traceroute MPLS from Juniper to Huawei routers does not work as expected due to unsupported TLV. PR1363641

  • If RSVP is disabled and reenabled globally, and in a rare situation, the new RSVP task tries to access memory allocated by the old RSVP task during a particular RSVP Path State Control Block changed path, then the rpd might crash. PR1366243

  • When prototcols ldp dual-transport inet-lsr-id is not the same as router-id, LDP fails to advertise Layer 2 circuit label mapping to its neighbor. Thus, the Layer 2 circuit will not come up properly. PR1405359

Network Management and Monitoring

  • While polling the Ethernet connectivity fault management protocols statistics, the SNMP process might crash. PR1364001

Platform and Infrastructure

  • When there is huge logical interface scaling on aggregated Ethernet interfaces (500 or more) with more than 32 member links and when all FPCs are restarted one by one, followed by member link addition to the link aggregation group (LAG), the state dependency evaluation in the kernel takes a long time given the scale involved. As a result, the FPCs do not get all the states from the Routing Engine. This is an uncommon sequence of events or conditions. PR938592

  • When TCP authentication is enabled on a TCP session, the TCP session might not use the selective acknowledgment (SACK) TCP extensions. PR1024798

  • When using show | compare method to commit, part of the configuration might be treated as noise and return syntax error. PR1042512

  • In configurations with IRB interfaces, during times of interface deletion (for example, FPC reboot), the Packet Forwarding Engine might log errors stating nh_ucast_change:291Referenced l2ifl not found. This condition should be transient, with the system reconverging on the expected state. PR1054798

  • On MX Series routers, parity memory errors might occur in pre-classifier engines within an MPC. Packets are silently discarded because such errors are not reported and hence harder to diagnose. CM errors such as syslog messages and alarms should be raised when parity memory errors occur. PR1059137

  • CoS error messages might appear when a nonexistent path for a database file is configured for CoS. These messages do not affect any service or traffic. PR1158127

  • Access to a stale or invalid pointer causes a particular check based on the pointer structure field to unpredictably fail, resulting in the assert later in the code. The issue occurs when a sequence of events related to firewall filters results in the filter structure getting deleted and re-created. PR1205325

  • Several files such as /var/etc/, /var/etc/ are copied between Routing Engines during the ffp synchronize phase of the commit. These files are copied even if there is no corresponding change in the configuration, thus unnecessarily increasing commit time. PR1210986

  • In Junos OS Release 17.1R1 and earlier, MGD with extend-db feature supports a database of 2.5 GB size (maximum) on 64-bit platforms, which is a problem solved through this PR. After this PR, the maximum configurable database size supported with the extend-db feature is 1.5 GB on i386 platforms (both 32 bit and 64 bit). PR1228629

  • Starting In Junos OS Release 13.3, SRX Series clusters need to run auditd on both nodes. However, on MX-VC Bm and TXP all LCC also add auditd. Because LCC and VC-BM do not have a route for the accounting server, the following message is generated: 813 unreachable infor. user@router> show system processes extensive | match "-re|audit" sfc0-re0: -------------------------------------------------------------------------- 2565 root 1 96 0 3304K 2620K RUN 0:01 0.00% auditd lcc0-re0: -------------------------------------------------------------------------- 2398 root 1 96 0 3240K 2536K select 0:01 0.00% auditd lcc1-re0: -------------------------------------------------------------------------- 2791 root 1 96 0 3244K 2544K select 0:01 0.00% auditd %DAEMON-3: auditd[2398]: sendmsg to failed: Network is down %DAEMON-3: auditd[2398]: AUDITD_RADIUS_REQ_SEND_ERROR: auditd_rad_send: sendto/sendmsg: Network is down PR1238002

  • When certain hardware transient failures occur on an MQ-chip-based MPC, traffic might be dropped on the MPC, and syslog errors Link sanity checks and Cell underflow are reported. There is no major alarm or self-healing mechanism for this condition. PR1265548

  • This issue occurs when 120 bridge domains (among a total of 1000 bridge domains) have XE/GE links toward the downstream switch and LAG bundles as uplinks towards upstream routers. The XE/GE link is part of the physical loop in the topology. Spanning tree protocols such as VSTP/RSTP/MSTP are used for loop avoidance. Some MAC addresses are not learned on DUT when LAG bundles that are part of such bridge domains are flapped and other events such as spanning tree root bridge change occur. PR1275544

  • Even though multicast appears to be active with show multicast route extensive command, it is not forwarded to the subscriber interface. PR1277744

  • When chassis control restartis done with the CoS rewrite rule configured on the aggregated Ethernet interface, the Platform failed to bind rewrite message could be seen in syslog. This issue is specific to aggregated Ethernet interfaces. It is a timing issue that can occur when the logical interface deletion is delayed due to high scale and when the logical interfaces come up again after restart they have different indixes. PR1315437

  • Output policing action for EVPN-VXLAN might not be applied to an interface despite configuration on the IRB interface. PR1348089

  • On MX Series routers enabled with next-generation subscriber management, if subscribers are enabled with distributed IGMP, and there are some stressful operations (for example, subscribers log in or log out as well as join or leave IGMP groups repeatedly) some line cards might crash due to the timing issue. PR1355334

  • In a layer 3 VPN topology, traceroute to a remote PE for a CE-facing network see the ICMP TTL expired reply with a source address of only one of the many CE-facing networks. In 15.1R5, 16.1R3, and 16.2R1+ there is a kernel sysctl value, icmp.traceroute_l3vpn. Setting this to 1 will change the behavior to selected an address based on destination specified in the traceroute command. This PR adds the option to the configuration. PR1358376

  • Sometimes the OSPF flaps while performing unified ISSU from Junos OS Release 16.2R2 to Release 17.2R3. PR1371879

Routing Protocols

  • When you configure damping globally and use the import policy to prevent damping for specific routes, and a peer sends a new route that has the local interface address as the next hop, the route is added to the routing table with default damping parameters, even though the import policy has a nondefault setting. As a result, damping settings do not change appropriately when the route attributes change. PR51975

  • When only the default routing instance is present, the show bgp summary command does not show the BGP establish state. If the BGP state is not an established state, then it shows the states as design (that is , active, idle, connect). If there is a routing instance configured (apart from the master routing instance, inet.0), the BGP establish state is showed properly. This issue occurs for IPv4 BGP sessions only. On IPv6, we always see all the BGP states as default. PR600308

  • Soft core files might be continuously generated because of the bgp-path-selection code. The routing protocol process (rpd) forks a child and the child asserts to produce a core file. The problem is with route ordering, which is automatically created after the soft-assert-core file is collected, without any impact to the traffic or service. PR815146

  • In rare cases, rpd might generate a core file with the rt_notbest_sanity: Path selection failure on ... error. The core is soft, which means there should be no impact to traffic or routing protocols. PR946415

  • During interoperation with other vendors in a draft-rosen multicast VPN, by default the Junos OS attaches a route target to multicast distribution tree (MDT) subsequent address family identifier (SAFI) network layer reachability information (NLRI) route advertisements. But some vendors do not support attaching route targets to the MDT-SAFI route advertisements. In this case, the MDT-SAFI route advertisement without route-target extended communities will be excluded from propagating if the BGP route target filtering is enabled on the device running Junos OS. PR993870

  • On MX Series routers, when an instance type is changed from VPLS to EVPN, and in the same commit operation an interface is added to the EVPN instance, the newly added EVPN interface might not be able to come up. PR1016797

  • When LDP is deactivated, in a rare case, the result of remote loop-free alternate (remote LFA) might be computed to go through the deactivated LDP node. The situation is self-recovered in the next SPF calculation. PR1202392

  • JTASK_SCHED_SLIP for rpd might be seen on doing restart routing or ospf protocol disable with scaled bgp routes in MX104 router PR1203979

  • In the context of a large number of configured VPNs, routes changing during a BGP path-selection configuration change can sometimes lead to the generation of an rpd core file. The core file has been seen to be generated after the always-compare-med option is removed. PR1213131

  • The rpd process leaks memory as a result of topology and configuration. However, adding or deleting static flowspec routes in isolation does not cause any memory leak. The exact configuration that causes the leak is currently unknown. PR1213959

  • Certain BGP traceoption flags (for example, "open", "update", and "keepalive") might result in (trace) logging of debugging messages that do not fall within the specified traceoption category, which results in some unwanted BGP debug messages being logged to the BGP traceoption file. PR1252294

  • A few Bidirectional Forwarding Detection (BFD) protocol sessions flap while coming up after an FPC reboot. The flapping does not impact the system, because it occurs during the bring-up phase. The issue occurs because of a race condition in PPMAN code. PR1274941

  • When route-distinguisher-id is configured and VRF with a route distinguisher is automatically assigned with the auto-rd feature configured, the MX Series BNG allows the configuration to be committed but this is followed by rpd process crash. PR1278582

  • In an MVPN (multicast VPN) scenario, if routing-instances <instance name> protocols pim static is configured, the rpd might crash when the deactivate routing-instances instance name protocols pim static to deactivate the routing instance of PIM static. PR1284760

  • Backup Routing Engine scheduler slips when Cisco Rosen7 PE with MDT-SAFI is enabled. However, the MDT-SAFI update does not include the route-target extended community attribute, NSR is enabled, policies are set to import or export the inet-mdt table, but Rosen is not configured. PR1295712

  • An MX104 is connected to an SRX1500. IS-IS is running between these device and BFD has been configured between the IS-IS peers. Unfortunately, BFD does not come up between these devices successfully. PR1312298

  • The rpd process might crash and generate core files in a distributed IGMP environment. PR1314679

  • In RPKI (Resource Public Key Infrastructure) scenario, the validation replication database might have much more entries than the validation database after restarting RPKI cache server and the validation session is reestablished. PR1325037

  • When route target filtering (RTF) is configured for VPN routes and multiple BGP sessions flap, there is a slight chance that some of the peers might not receive the VPN routes after the flapped sessions come up. PR1325481

  • In BGP, LDP, and IS-IS configurations, deleted IS-IS routes might still be present in the routing table. The PR does not affect or have any impact on route selection or other functionality of rpd. Just that deleted IS-IS routes do not get removed with specific configurations. PR1329013

  • In a large-scale OSPF network (for example. there are more than 500 devices in an area), OSPF remote loop-free alternate default PQ node selection algorithm does not provide the proper protection paths. PR1335570

  • On all platforms running Junos OS and enabled with GRES and NSR, if Routing Engine switchover is executed, the BGP peers in the new master Routing Engine might flap due to hold-timer expiry after GRES. PR1390113

  • With GRES and NSR enabled, if executing switchover, all the BGP sessions might flap. PR1391084

Services Applications

  • On MX Series routers with L2TP configured, the L2TP packet in the ICRQ re-transmission message is set to an incorrect value, and this causes frequent L2TP session flapping. PR1206542

  • It is not recommended to configure an ms- interface when the ams bundle in one-to-one mode has the same member interface. PR1209660

  • The NAT auto-injected routes might fail to install when back-to-back commits with changes made to service sets or NAT rules are performed. This issue occurs with a unique configuration where thousands of routes are added by the service PIC process (spd), which manages installation of NAT return routes and destination routes. PR1223729

  • On a Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) router where Access Node Control Protocol (ANCP) is used for bandwidth adjustment, the L2TP Connect Speed Update Notification (CSUN) message might be sent to the L2TP network server (LNS) after a short delay after the ANCP Port Up message with updated access line parameters was received. This delay is caused by the current interaction scheme between ANCP and L2TP daemons and can last up to 5 seconds. In a production network scenario, this delay should not be visible as the L2TP daemon checks for state updates each time there is an L2TP packet to be sent or received. PR1234674

  • If an L2TP subscriber has a static pp0 interface on the LAC side, LCP renegotiation is configured on the LNS side, and CPE has been changed, an issue with successful negotiation of the PPP session between LNS and the CPE device can occur. PR1235554

Subscriber Access Management

  • On MX Series routers with the subscriber management feature enabled, after GRES switchover the show network-access aaa statistics radius command command displays only zeros and the clear network-access aaa statistics radius command does clear statistics as it should. This is a cosmetic issue and communication with the RADIUS server is working fine. However, the affected CLI commands do not work as expected. PR1208735

  • In Point-to-Point Protocol over Ethernet (PPPoE) subscribers scenario with a large number of subscribers (for example, 3000), during login and logout operations, some subscribers might be stuck in an error state of "Terminated". This issue impacts the traffic for these subscribers. PR1262219

  • Authd generates a core file when gx-plus is enabled in getDynamicRequestSource. PR1277137

  • Usage-monitoring-information AVP as part of PCRF gx-plus provisioning is causing service accounting activation. PR1391411

  • In a subscriber scenario, the authd might crash multiple times due to a memory corruption issue. PR1402012

User Interface and Configuration

  • When frequent load replace operations are being performed on the router, commit might take longer. PR1029477

  • When persist-groups-inheritance is configured, doing configuration changes and issuing rollback might cause persist-groups tree corruption and eventually cause improper configuration propagation after commit. This situation might lead to mgd process (daemon) crash as well. PR1214743

  • The log messages ffp[52861]: %DAEMON-3: "dynamic-profiles": Profiles are being modified can appear after a configuration is change but the dynamic profiles are not modified. The issue was reproduced by changing the configuration by using NETCONF but without commit so the configuration changes were cleared after ending the NETCONF session. The next configuration change with commit generates the log messages Profiles are being modified. PR1234446


  • In a next-generation MVPN scenario, when forwarding-cache timeout never non-discard-entry-only is configured for an MVPN instance, even though the cache lifetime is shown as forever in the output of the CLI command show multicast route instance X extensive, the route disappears after 7—8 minutes. PR1212061

  • In an MVPN setup with the SPT-only option, if the source or receiver is connected directly to the candidate RP PE router and the MVPN data packet arrives at the candidate RP PE router before its transition to SPT, the MVPN data packet will be dropped. PR1223434

  • Starting in Junos OS Release 15.1F5, under the next-generation MVPN environment, when multicast production data is stopped, VRF S,G entry and MVPN/BGP routes might persist, whereas they should be deleted. PR1236733

  • In a multicast VPN with Border Gateway Protocol (next-generation MVPN) scenario with only SPT mode configuration, under certain conditions the PIM register-stop packet might be sent before the Source Tree Join (Type-7) packet, which might cause some multicast packets to drop. PR1238916

  • In an MVPN scenario with I-PMSI tunnels and multihomed source, if the link between Source and PIM-DR PE1 goes down, then the second PE2 takes the PIM-DR role and starts to advertise Type-5 prefixes. Then as the link between the Source and PE1 comes back up and PE1 takes the PIM-DR role back, PE1 might not generate Type-5 BGP prefixes for active sources in some multicast groups. Without Type-5 prefixes from the ingress PE device, the receivers’ PE device do not generate Type-6 or Type-7 and the ingress PE device does not send multicast traffic. Workaround: Clear PIM joins in the affected instance. PE1> clear pim join instance _MVPN_instance_name_. PR1242493

  • When a C-multicast route (Type 7 or Type 6) for inter-as non-segmented option C topology is sent with the originator's IP address, Junos source PE does not accept this route and hence the PIM join fails. PR1327439

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 17.1R3

Application Layer Gateways (ALGs)

  • IPsec IKEv2 negotiation fails when IKE ALG is enabled. PR1300448

  • IKEv2 negotiation might fail when IKE ESP ALG is enabled in an IKEv2 redirection scenario. PR1329611

Authentication and Access Control

  • MAC move might occur in a DHCP security scenario. PR1369785

Class of Service (CoS)

  • The Routing Engine level scheduler-hierarchy command misses a forwarding class when the per-unit-scheduler mode is configured. PR1281523

  • CoS wildcard configuration is applied incorrectly after router restart. PR1325708

  • The Routing Engine might get into amnesiac mode after restarting if excess-bandwidth-share is configured. PR1348698

  • The 802.1P rewrite might not work on inner VLAN. PR1375189

  • The FPC might reboot when changing CoS mode from hierarchical-scheduler to per-unit-scheduler. PR1387987


  • In an EVPN scenario, the rpd might crash during MAC moving in Active-Active and Active-Standby multihomed PE devices. PR1216144

  • MAC entry is incorrectly programmed in the Packet Forwarding Engine, leading to some traffic to be discarded with notification. PR1231402

  • In VXLAN-EVPN, the VLAN tag of egress ARP reply is removed if egress interface is lt-. PR1252522

  • Rpd might crash with signature similar at evpn_mirror_mac_process_update_instance. PR1258835

  • An FPC or MPC might crash in an EVPN/MPLS or EVPN/VXLAN environment. PR1274976

  • Ethernet A-D route per Ethernet segment (Type-1 Per es) is not generated with a new route target after the vrf-target is changed. PR1279529

  • EVPN traffic mapping to specific LSPs is not working. PR1281415

  • Local preference for EVPN type-5 route might cause unexpected results if BGP multipaths are configured. PR1292234

  • Traffic might be dropped after updated ARP route update packets are received from the peer Layer3 gateway in an EVPN/VXLAN scenario. PR1306024

  • In an EVPN enviroment the rpd might crash on QFX10002 after the rpd process is restarted. PR1320408

  • Discard EVPN route is installed on the local PE device after connection flaps on a remote PE device in a multihomed EVPN topology. PR1321125

  • The rpd might crash during EVPN-VXLAN configuration changes. PR1321839

  • In an EVPN/NSR scenario, the rpd process crashes and generates a core file on the backup Routing Engine when any configuration is changed on the master Routing Engine. PR1336881

  • The rpd might crash if the IRB interface and routing instance are deleted together in the same commit operation. PR1345519

  • The rpd might crash if the EVPN instance refers to a vrf-export policy that does not have “then community”. PR1360437

Forwarding and Sampling

  • Firewall daemon might leak some memory when a filter-based forwarding (FBF) configuration is committed. PR1157714

  • Accounting Interim Interval is reset after GRES. PR1261472

  • Unexpected messages might be seen in logs. PR1270686

  • Sampled stops collecting data on Routing Engine based sampling supported platforms. PR1270723

  • Firewall filter might not be matched when a wildcard (*.*) is specified as a matching condition. PR1274507

  • Unicast traffic is forwarded out of the logical interface even after the interface is disabled. PR1277697

  • The sampled route reflector process (srrd) might crash in the large routes churn situation. PR1284918

  • The mib2d process might crash if an SNMP walk is active when a configuration is committed or rolled back. PR1286448

  • sampled core at, strlen.c:100 when sampling is enabled or modified on an interface. PR1289530

  • Observing pfed core files in pfed_process_session_state_notification_msg, pfed_timer_manager_c::remove_serv_id,pfed_delete_timer_id_by_serv_sid (serv_sid=0, serv_info=0x0) at ../../../../../../src/junos/usr.sbin/pfed/ PR1296969

  • Some accounting files might be missed in case the remote archive sites are unreachable. PR1300764

  • There is memory leak on mib2d when firewall MIBs are polled. PR1302553

  • The dfwd process might crash during the execution of the show firewall templates-in-use command. PR1305284

  • The second archive site in the accounting-file configuration is not used when the first one uses SFTP and is not reachable. PR1311749

  • Accounting files with no records might be unexpectedly uploaded to the archive site. PR1313895

  • The commit might fail when the nexthop-learning configuration statement is enabled for J-Flow v9. PR1316349

  • The FPC CPU usage might continue to be at 100% if shared-bandwidth-policer is configured. PR1320349

  • DHCP service crashes after switch/router is set to factory default by zeroize. PR1329682

  • Some firewall filter counters might not be created in SNMP. PR1335828

  • The error logical interface under VPLS might be blocked after MAC moving if the logical interfaces are on the same physical interface. PR1335880

  • The L2ALD daemon might crash if a duplicate MAC is learned by two different interfaces. PR1338688

  • In EVPN-VXLAN, the clear ethernet-switching table command might not work correctly. PR1341328

  • Junos OS allows firewall filters with the same name under edit firewall and edit firewall family inet hierarchy levels. PR1344506

  • Commit fails when you attempt to delete any demux0 unit numbers that are greater than or equal to 1000,000,000. PR1348587

  • Backup Routing Engine writing dummy interface accounting records. PR1361403

  • The filter counter is not written to the accounting file when accounting is enabled on the bridge firewall filter. PR1392550

General Routing

  • Enhanced IP/enhanced-Ethernet and MS-DPC compatibility. PR1035484

  • ICMP reply traffic might get dropped on MS-MPC line cards. PR1059940

  • In timing hybrid mode MX MPC2 cards are not working with ACX with VLAN (native-vlan-id.). PR1076666

  • Memory leak on when an Layer 3 VPN configuration is committed for a Layer 3 VPN scaling test. PR1115686

  • The show storm_cntl halp database command on the FPC might cause a crash. PR1127870

  • No warning is raised when the bridge family is configured with interface-mode trunk but without VLAN-tagging or flexible-VLAN-tagging . PR1154024

  • The ksyncd process might crash because of transient replication errors between Routing Engines. PR1161487

  • Unexpected MobileNext Gateway Activation license alarm is raised when TDF gateway is configured. PR1162518

  • Kernel displays I2C bus timeout errors when there are multiple commit processes. PR1174001

  • The KRT queue might be stuck if the rpd sends two deleted requests to the kernel for the same next hop. PR1186334

  • SNMP trap sent for PEM Input failure alarm is not generated when a single input feed fails on MX960. PR1189641

  • The replacement PIC might bounce when the PIC PB-4OC3-4OC12-SON-SFP (4x OC-12-3 SFP) is replaced with PB-4OC3-1OC12-SON2-SFP (4x OC-3 1x OC-12 SFP) and the configuration is committed. PR1190569

  • The CLI commands request vmhost zeroize and request vmhost zeroize both might work only on the local Routing Engine. PR1197152

  • The chassisd[1825]: pvidb_get_root_node: Error(2) retrieving rootnode value error messages might be seen. PR1198817

  • The rpd might crash after the configuration is committed. PR1200174

  • The RSVP auto-mesh is flapping every 15 minutes for BGP peers that have only EVPN address family enabled and data is going across the PE device. PR1202926

  • Stale VBF states occur without sdb sessions. PR1204369

  • SMID daemon stopped responding to the management requests. PR1205546

  • IPsec phase2 soft lifetime calculation is different between Junos OS Release 11.4R12 and Junos OS Release 14.2R6. PR1209883

  • TACACS access does not work after upgrade. PR1220671

  • CMIC:CMIC(0/1): Unable to deregister sub error (131072) for error(0x1b0001) for module MIC. Error messages are seen on MPC5E. PR1221337

  • mqtt Routing Engine scope : continuous pdb_open error messages for Routing Engine scope MQTT broker. PR1224705

  • CoS service with Reflexive CoS-rule should modify CoS values for reverse flow. PR1227021

  • Error log cc_mic_irq_status: CC_MIC(5/2) irq_status(0x1d) does not match irq_mask(0x20), enable(0x20), latch(0x1d) is seen continuously for MIC-3D-4OC3OC12-1OC48. PR1231084

  • MPC2E-NG and MPC3E-NG generate core files with a specific MIC because of a tight loop of PCI express critical exceptions. PR1231167

  • False AC PEM failure(status bits: 0xff) alarm/SNMP trap is seen with MX5, MX10, MX40, and MX80 routers. PR1231893

  • FPC might crash and PTP might remain in INITIALIZING state after configuration commit. PR1232740

  • Power OK SNMP trap (jnxPowerSupplyOk) is not raised when PEM and SCB are inserted in the chassis. PR1232885

  • Major errors related to XQ-chip L4NP parity errors might be reported on the MPC. PR1232952

  • The MS-MPC might crash when OSPFv3 IPv6 traffic goes through it. PR1233459

  • FPCs go offline with FPC Incompatible with SCB during system restart. PR1235132

  • No DNS information in the output of the show subscribers extensive command for DHCP subscribers. PR1237525

  • The multicast-replication setting cannot be reflected in the redundancy environment after rebooting both Routing Engines. PR1240524

  • Tracking PR for enabling mobiled for an MX-VC environment. PR1241857

  • JDI-RCT:vRCT: chassisd[9132]: LIBJSNMP_NS_LOG_NOTICE: NOTICE: netsnmp_ipc_client_connection: unix connection error: socket(-1) main_session(0x9812f80) error messages are seen after chassis-control restart. PR1243364

  • XM chip-based line card might drop traffic under high temperature. PR1244375

  • MX104 router does not report the HSL2 CMERROR alarm upon HSL2 CRC errors. PR1247707

  • The error messages about "jlock hog" might be seen after restarting routing in large scale of routes. PR1248246

  • The RPT-PHY-RIAD:shm-rtsdbd.core@0x080529e3 in rtsdb_async_msg (state=0x88715844, rtsb_addr=...) core is seen at ../../../../../../src/junos/lib/libshm-rtsdb/rtsdb_server.c:1729. PR1249116

  • MACsec session fails with the generation of dot1x core files. PR1251508

  • The EOAM LFM adjacency on an MX Series MPC or EX9200 might flap when an unrelated MIC, which is in the same MPC slot, is brought online. PR1253102

  • KRT queue remain stuck with "'EINVAL -- Bad parameter in request'" in the new master Routing Engine after unified ISSU. PR1254519

  • The validation-state:unverified routing entry might not be shown with proper location in show route. PR1254675

  • Prolonged flow-control core observed for the TFTP ALG traffic (10,000 simulated users). PR1255973

  • Dynamically injected routes for the concentrator and the IPv6 prefix can be programmed with the wrong precedence. PR1256672

  • MIB walk ascii jnxFabricMib provides wrong DropBytes statistics. PR1257569

  • The rpd might crash during a next-hop change, if unicast reverse path forwarding (uRPF) is used. PR1258472

  • The rpd might crash during the next-hop change, if unicast RPF is used. PR1258472

  • The device control process (dcd) crashes during an ATM-related configuration commit. PR1258744

  • MX/QFX/VMX Licensing: license keys entered through the configuration system license keys can be lost (not effective anymore) after certain events or changes. PR1259460

  • HEAP: Free at interrupt level /Free interrupt violation! syslog messages might be seen when an interface is down. PR1259757

  • Many LCP Term Req and PADT messages are not processed during PPPoE subscriber logout. PR1260626

  • The wrong XML RPC command output is shown for show route bgp advertise-protocol/receive-protocol. PR1261421

  • Traffic drops when an MPC has a high rate of cell underflow drops after link sanity check. PR1262868

  • vMX FPC core - panic (format_string=format_string@entry=0x9e509c4 "Thread %s attempted to %s with irq priority at %d\n"). PR1263117

  • Duplicate sensor resources are created when the difference is trailing "/" . PR1263446

  • Extra link transitions might be seen after an MPC is restarted. PR1264039

  • BGP hold time might expire after a GRES or NSR switchover. PR1264436

  • The rpd might crash after some VRF instances are deleted, if vrf-table-label is configured. PR1264464

  • PTP is lost when the master line card is restarted. PR1264530

  • All traffic received from specific fabric streams is dropped with only XMCHIP FI: cell underflow error syslog event. PR1264656

  • PCC-controlled LSP metric does not get updated on the controller-PCE-delegated LSPs do not come up. PR1265864

  • The first and last addresses are not translated. PR1266774

  • MPC might report a parity error with the when the fast-lookup-filter statement is configured. PR1266879

  • ISSU-related limitation under highly scaled scenarios. PR1267680

  • Junos OS: bbe-smgd process denial of service while processing VLAN authentication requests/rejects (CVE-2018-0006). PR1268129

  • RSI output is augmented by detailed "nhinfo" dumps. PR1268460

  • The openflowd process might get stuck at 100% CPU usage when an OpenFlow filter is deleted and queried at the same time. PR1268527

  • On MX Series, the show chassis led command should not be displayed in possible completions of the show chassis command. PR1268848

  • A low-memory condition putting the Service PIC into the red zone on the MS-MIC or MS-MPC might cause the SIP ALG to generate a core file. PR1268891

  • Wrong "Voltage Threshold Crossed" alarms are seen if keep suspends/re-starts Junos. PR1269157

  • MIC error interrupts excessively loads the CPU when MIC/fpc restart is initiated. PR1270420

  • Multicast traffic silently dropped without notification when uplink is flapping with MoFRR enabled. PR1270939

  • The management daemon (MGD) might crash after you invoke a specific RPC. PR1271024

  • Messages related to Logical Addr xxxxxxx is invalid seems when FPC restart also passing traffic. PR1271810

  • Virtual forwarding plane failed to load files from the virtual control plane if the interconnection has an MTU less than 1500. PR1273365

  • The mspm and log messages about memory zone level are generated incorrectly.PR1273901

  • Some received packets might be incorrectly dropped by DA rejects after a 40-Gigabit Ethernet or 100-Gigabit Ethernet port is configured under a LAG. PR1274073

  • L2-over-GRE tunnel uses the underlying physical interface MTU directly without deducting the IP/GRE header length. PR1274203

  • The IPv6 ping might fail after route leaking policy deployment is done between two Layer 3 VPN routing instances. PR1274339

  • The show subscribers detail,show subscribers extensive, show subscribers count client-type <>, and other commands fail to execute because the subscriber management database is unavailable. PR1274464

  • The FPC might crash when a route is received through BGP and sampled through J-Flow. PR1275021

  • Link stays down after a flap on next-generation MPCs with QSFP+40G direct attach copper (DAC) cable. PR1275446

  • Fixing the default behavior of the configuration statement added for static route's dependency on BFD_ADMIN_DOWN, through PR 1070477. PR1275973

  • When the static link protection mode is configured and the backup state is down, the primary port goes to down state instead of the secondary port, and the secondary port remains in up state. PR1276156

  • Fabric input stream might drop all packets upon sustained oversubscription or when CRC errors are injected on single plane. PR1276301

  • Junos OS does not use the complete TCP window size and slows the connection when JET application over grpc is installed on Junos. PR1276443

  • FPC connections might drop with syslog messages: CHASSISD_MAIN_THREAD_STALLED: main chassis-control thread stalled for XXX sec -- exiting. PR1276605

  • Spd memory leak might be observed after the service-set statement is added or removed. PR1276809

  • The KRT asynchronous queue might be stuck, which might impact the synchronization for RIB and FIB. PR1277079

  • The l2ald memory might leak for every IPv6 ND message it receives from peer MC-LAG and it is not freeing the memory allocated. PR1277203

  • L2C BUS stuck causes SFP+ thread hogging and MPC restart. PR1277467

  • IS-IS adjacencies over MLPPP links do not connect to the LSQ bundle interface. PR1278377

  • bbe-smgd might generate core files in certain cases when using logical interface sets in Universal Call Admission Control policy mode. PR1278543

  • jnh_vbf_flow_get_oif_index: Rollback cmd not found for flow syslog messages generated by MPC during subscriber login. PR1278580

  • The routing protocol process (rpd) might be stuck at 100% when the same BGP prefix routes are learned in different routing instances with multipath and auto-export configured. PR1279260

  • On MX104 with GRES enabled, the chassis network-services might not get set as "Enhanced-IP". PR1279339

  • BBE-smgd core files are generated when the packet is received with unexpected TPID. PR1279402

  • VLAN out-of-band subscriber session fails in auto configured mode. The physical interface goes down even if it is physically up. PR1279612

  • CoS attachment might be attached to the wrong link if issuing some changes to the aggregated Ethernet bundle. PR1279788

  • The temperature value is being displayed as "Testing" in the output of show chassis fpc detail after GRES. PR1280030

  • After a MS-MPC or MS-PIC is offline or brought online or bounced (because of an AMS configuration change), sometimes the PIC can take approximately 400 seconds to come up. PR1280336

  • MIC Error code: 0x1b0001 alarm might not be cleared for MIC on MPC7/8/9 when the voltage has returned to normal. PR1280558

  • Authenticated subscriber dynamic VLAN interface might get disconnected immediately after a successful connection. PR1280990

  • MTU for a Layer 2 over GRE gr- interface should be unlimited. PR1281173

  • The ingress service-accounting-deferred statement is not providing the correct IP traffic statistics for for L2BSA subscribers. PR1281201

  • Subscribers might get stuck in Init state if there is an SDB access error during their login. PR1281896

  • The subscribers might fail to bind after FPC restart followed by bbe-smgd restart. PR1281930

  • Optics levels are not sent in Junos Telemetry Interface for down interfaces. PR1281943

  • Buffer overflow in sockets library (CVE-2017-2344). PR1282562

  • The kernel might crash in a rare corner case. PR1282573

  • Inline J-Flow unrelated configuration changes related to a routing instance result in invalid or incomplete J-Flow data packets. The Commit full command resumes proper functionality. PR1282580

  • The rpd process might crash if dynamic interfaces are used by multiple applications. PR1282854

  • VBF flows are not programmed correctly on aggregated Ethernet interfaces. PR1282999

  • GRE OAM fails to come up when the GRE tunnel source and family inet address are the same. PR1283646

  • Junos: bbe-smgd process denial of service while processing VLAN authentication requests/rejects (CVE-2018-0006). PR1284213

  • Bad MPLS encoding in Junos Telemetry Interface. PR1284317

  • PPTP session could not be established on MS-MPC when both stateful firewall and NAT were enabled. Also, the address could not be translated. PR1285207

  • The enhancement of reporting total SBE errors when the corrected single-bit errors threshold of 32 is exceeded for MPC7E, MPC8E, MPC9E. PR1285315

  • LC, PFH, and Packet Forwarding Engine interface are not coming up on RE1. PR1285606

  • The J-Flow data template sequence number is zero for MPLS flows. PR1285975

  • With CoS-based forwarding, when the primary path of one of the next-hop LSPs flaps, traffic carried by the other next-hop LSP could get load-balanced across the primary and secondary paths. PR1285979

  • Internal latency increases overtime for Packet Forwarding Engine sensors with streaming telemetry. PR1286286

  • The missing statement Shared bandwidth policer not supported for interface ge-x/x/x is seen, during a failed commit in Junos OS Release 16.1R3. PR1286330

  • Unified ISSU is not supported from Junos OS Release 15.1 onward, because the source release includes one or more BBE features such as logical interface (IFL) options, CoS fragmentation map, MLPPP, advisory options, advanced services, and multicast distribution. PR1286507

  • DDoS culprit flows are not reported by CLI or during login to an MX Series router with a single Packet Forwarding Engine. PR1286521

  • Framed routes might get struck in the KRT queue. PR1286849

  • The one-set/leaf-list configuration might not get deleted with the delete operation through JSON. PR1287342

  • The LTS to LNS connection is not working if the rewrite-rule statement is applied to the dynamic profile. PR1287788

  • SNMP query for IF-MIB::ifOutQLen reports 'Wrong Type should be Gauge32 or Unsigned32' for a dynamic VLAN DEMUX0 interface. PR1287852

  • The services-oids-ev-policy.slax and services-oids.slax files built in the Junos OS image are not the latest versions. PR1287894

  • The bbe-smgd process might crash and generate a core file on the standby Routing Engine during a reboot upgrade with active locally terminated PPPoE subscribers. PR1288121

  • During unified ISSU (FRU upgarde) micro BFD flap is observed. PR1288433

  • Performance issues can be seen when nontranslated traffic is introduced to a service set using a large number of NAT terms. PR1288510

  • After GRES smid was declared thrashing and was not restarted after fatal SDB error. PR1288871

  • Kernel 'rtdata' memory leak is found on an MX Series Virtual Chassis with the heartbeat command enabled. PR1289363

  • FPC memory leak might happen in a BBE subscriber environment. PR1289365

  • The interfaces might be in down state after GRES. PR1289493

  • NAT-T and DPD functionality do not work for aggressive mode. PR1290689

  • Incorrect temperature is displayed for MPCP5 and MPC7 in the show chassis fpc command output. PR1290771

  • Memory leak in bbe-smgd process on subscriber logout for subscribers who have joined any multicast group. PR1290918

  • LSP traffic might silently drop and get discarded after a link goes down in the bypass path. PR1291036

  • The routing protocol process (rpd) might generate a core file when the process is restarted. PR1291110

  • The switch might wrongly learn its own IRB MAC address. PR1291184

  • JDI-RCT-RPD: Device going to the DB prompt db@jsr_jsm_send_ka_after_merge,send_proto_keepalive was observed on the master Routing Engine. PR1291247

  • L2TP ICCN fast retransmission occurs after tunnels go down. PR1291557

  • Kernel is not installing the route and throwing an error. PR1291917

  • The bbe-smgd process might crash and subscribers might get stuck when a large group of different types of subscribers log in or log out. PR1291969

  • Recursive lookup in Packet Forwarding Engine might happen over a dynamic tunnel. PR1292425

  • An error in vbf_filter_add_orphan_check might be seen when the subscribers using filters log out or log in. PR1292582

  • An error message might be seen while bringing up the subscriber in a subscriber management environment. PR1293057

  • DDR3 TEMP ALARM messages are logged in chassisd log. PR1293543

  • CPCDD core files are generated when Routing Engine based HTTP-redirect is used. PR1293553

  • Performing load replace terminal and attempting to replace the interface stanza might terminate the current CLI session and leave the user session hanging. PR1293587

  • The show extensible-subscriber-services sessions command displays an incorrect timestamp after a unified ISSU. PR1293800

  • MX Series router might not honor the do-not-fragment bit in subscriber environment. PR1294282

  • The flow export rate remains lower than the configured export rate in an inline sampling scenario. PR1294296

  • Loss of DHCP/PPPoE subscribers is observed during unified ISSU from 16.1-20170718_161_r4_s5.0 to 16.1-20170718_161_r4_s5.0. PR1294709

  • During PPPoE subscriber login, errors such as [ vbf_flow_src_lookup_enabled ] and [ failed to find iff structure, ifl ] were seen on the FPC. PR1294710

  • The rpd might crash if the interface or BGP flaps. PR1294957

  • The KRT queue might be stuck with the error RPD_KRT_Q_RETRIES: chain nexthop add: Unknown error: 0. PR1295756

  • xmlproxyd generatre core files during telemetry streaming. PR1295831

  • The service profile's CoS might be overridden by the client profile's CoS when second family DHCP sessions are added in a dual-stack subscriber scenario. PR1296002

  • The mspmand process might crash if you use SCG services on MS-MPC or MS-MIC. PR1296422

  • The jdhcpd might crash when using dhcp-security related command in enhanced subscriber management mode. PR1296461

  • The kernel might crash continuously when a lot of terms are configured for firewall filters. PR1296884

  • In ECMP fast reroute scenario, traffic might get silently dropped or discarded because of a next hop in "hold" state. PR1297251

  • The mgd process might consume high Routing Engine CPU when certain show commands are executed. PR1297728

  • Some random number of ports on MPC7E-10G card might not come up after the remote system or line card restarts or interface flaps. PR1298115

  • The log message about shutdown time is wrong when the system exceeds chassis over temperature limit. PR1298414

  • The bbe-smgd process might crash when traceoption is enabled due to an invalid username character. PR1298667

  • MX Series BNG does not respond to PADI after GRES on some ports/VLANs. PR1298890

  • The error messages about PEM might be seen in an MX Series router with AC PEM. PR1299284

  • The asynchronous-notification feature cannot be implemented properly in a circuit that has MIC-3D-20GE-SFP-E/Tri Rate Copper SFP(740-013111). PR1299574

  • Flat accounting files are not generated according to the configured timers. PR1299597

  • bbe-smgd can generate core files after a Routing Engine mastership switch. PR1299812

  • Subscriber database is stuck in "not-ready" state after GRES. PR1299940

  • Chassisd core is seen after insertion of REMX2K-X8-64 in MX2000 platform along with older RE-S-1800x4. PR1300083

  • After IS-IS TE routes and BGP routes attribute change, traffic loss might be seen because BGP routes point to some stale labels. PR1300425

  • Junos Telemetry Interface: The error error: the SDN-Telemetry subsystem is not responding to management requests is seen on issuing the CLI command show agent sensors if traceoptions is enabled for services analytics. PR1300829

  • ICMP/ICMPv6 error messages might be discarded while forwarding through an AMS interface. PR1301188

  • The rpd might crash when executing the show route extensive command during deletion of the IS-IS configuration. PR1301849

  • The rpd might crash when NSR is enabled and routing-instance specific configurations are committed. PR1301986

  • Continuous interface flapping might lead to unwanted MIC reset. PR1302246

  • Service cookie data that is sent from Packet Forwarding Engine to service PIC can be corrupted and might lead to unexpected behavior. PR1302493

  • The rpd might crash when toggling the vrf-propagate-ttl and no-vrf-propagate-ttl configuration statements. PR1302504

  • The chassisd crashes if ISSU is aborted in FRU upgrade phase. PR1303086

  • The multicast resolve-rate value might go back to the default after system upgrade or reboot. PR1303134

  • Incorrect MTU might be seen on PPP interfaces when PPP MTU is not defined in the dynamic profile. PR1303175

  • The list of available routing instances is no longer provided in the output of the show subscribers routing-instance command. PR1303199

  • The inline-ka PPP echo requests are not generated for aggregated Ethernet interfaces. PR1303249

  • Fan speed changes frequently on MX Series router after an upgrade to Junos OS with the change introduced by PR:1244375. PR1303459

  • The kernel log GENCFG messages with Severity 1 (Alert) might be seen. PR1303637

  • If MPLS LSP self-ping is enabled (self-ping is enabled by default), the kernel might panic with an error message Fatal trap 12: page fault while in kernel mode. PR1303798

  • MX Series MIB polling returns a value that has "sdg". Polling result should include the "svc" generic value. PR1303848

  • Truncated output appears for the show pppoe lockout CLI command. PR1304016

  • The fabric planes might go into "check" state after restarting the line cards with SFB2 used on MX2010 or MX2020 platform. . PR1304095

  • Effective rate of E3 in framed mode is limited to 30 Mbps on certain channelized MICs. PR1304344

  • DSCP value changes are not reflected in LLDP PDU. PR1304627

  • RPF-check strict mode causes traffic drop in next-generation subscriber management release. PR1304696

  • On MX2000 platform with MPC9E and SFB2 installed, certain high amount traffic volume might cause traffic drops with cell underflow messages. PR1304801

  • Commit fails with error: ffp_intf_ifd_hier_tagging_config_verify: Modified IFD "si-1/1/0" is in use by BBE subscriber, active L2TP LNS client. PR1304951

  • Inline J-Flow vMX: OIF field of VPLS data records sometimes report SNMP index value of LSI interface instead of egress physical interface. PR1305411

  • MX Series router is sending immediate-interim for the services pushed by SRC. PR1305425

  • Customers running 32-bit Junos OS might experience the generation of rpd core file when traceoptions are enabled. PR1305440

  • Repeated log messages are seen on the backup Routing Engine when set system internet-options no-tcp-reset drop-all-tcp and NSR option are enabled. PR1305729

  • start shell pfe network fpc command is not working on MX960. PR1306236

  • Bbe-smgd might fail to properly add access-internal routes when the router is extremely busy. PR1306650

  • Smihelperd generates core files when SNMP is polling for JUNIPER-SUBSCRIBER-MIB::jnxSubscriberGeneral.7.0. PR1306966

  • The kmd process error UI_DBASE_OPEN_FAILED is seen because of too many open files. PR1308380

  • License is lost during Routing Engine switchover in scale-subscriber scenario. PR1308620

  • CoS applied to a subscriber demux logical interface is not working. PR1308671

  • FPC syslog errors with pfeman_inline_ka_steering_gencfg_handler: nh not found could mean that steering rules are not installed correctly. PR1308884

  • All the MICs on one FPC, with PWHT subscribers configured, might go offline during the restart of an FPC in another slot. PR1308995

  • Error messages might be often seen after an MPC restarts. PR1309013

  • Incorrect values are found in the Event-timestamp of RADIUS Accounting-Stop packets for L2BSA subscribers. PR1309212

  • MX2020/MX2010: After smooth upgrade from SFB to SFB2, if one plane/SFB is restarted, link training fails between those planes and MPC6 cards. PR1309309

  • bbe-mibd might generate core files after a Routing Enginer mastership switch. PR1309341

  • First access-request fails for L2BSA subscribers when changing the MTU of LACP aggregated Ethernet A10-NSP interface. PR1309599

  • Subscribers might not be able to access the device if dynamic VLAN is used. PR1309770

  • 90% percent subscribers might go down after ISSU from 16.1 to 17.3. PR1309983

  • In next-generation subscriber management release, bbe-smgd process memory leak is seen after deleting or adding the address pool. PR1310038

  • The MS-MIC or MS-MPC memory utilization might stay at a high level in the subscriber management scenario. PR1310064

  • SPD_CONN_OPEN_FAILURE and SPC_CONN_FAILURE log messages are seen in the log for SI interfaces when running SNMP walk on Service PIC NAT OIDs. PR1310081

  • Some harmless syslog messages might be seen. PR1310678

  • Local IPv6 interface from NDRA prefix not removed from service interface when subscriber dual-stack session is removed. PR1310752

  • Performing a commit check just after setting the master password can trigger improper decoding of configuration secrets. PR1310764

  • After BSYS reboot, rpd is sometimes unresponsive on one GNFs. PR1310765

  • An incorrect error number might be reported for syslog messages with the prefix of %DAEMON-3-RPD_KRT_Q_RETRIES . PR1310812

  • The FPC memory might be exhausted with SHEAF leak messages seen in the syslog. PR1311949

  • Rpd core files observed after multiple session flaps on a scaled setup. PR1312169

  • PEM alarms and I2C failures are observed on MX240/MX480/MX960/EX92/SRX5K series. PR1312336

  • MIC-MRATE might restart after port speed change. PR1312504

  • Counter at PPPoE session logical interface is incremented wrongly because the accounting packet contains the wrong Acct-input-packets value and the wrong Acct-input-octets value. PR1312998

  • False overtemperature SNMP trap could be seen when using MPC5, MPC6, MPC7, MPC8, MPC9 on MX2020. PR1391

  • MX-VC: BNG: IPv6 RS (router-solicit) packets are dropped in nondefault RI, for default RI it is working. PR1313722

  • show version detail gives severity error log traffic-dird[20126]: main: swversion pkg: 'traffic-dird' name: 'traffic-dird' ret: 0. PR1313866

  • mspmand core file due to flow-control seen while clearing CGNAT+SFW sessions. PR1314070

  • The [ show version detail | no-more] command hangs for more than 120 seconds in the master Routing Engine and more than 60 seconds in the backup Routing Engine. PR1314242

  • The rpd might crash in an MoFRR scenario. PR1314711

  • MPC7E- IR-mode knob commit failure. PR1314755

  • RPC error while committing system services subscriber-management enable through NETCONF. PR1314968

  • The L2TP LAC might drop packets that have an incorrect payload length while sending packets to the LNS. PR1315009

  • Too many logs are generated after executing many VHclient related commands. PR1315128

  • The RIB and FIB might get out of synchronization if the KRT asynchronous queue is stuck. PR1315212

  • FPC crash is observed when a route has unilist next hops in an RSVP scenario. PR1315228

  • The show version detail generates the severity error log mobiled: main Neither BNG LIC nor JMOBILE package is present,exit mobiled. PR1315430

  • The command of show version detail might generate the severity error log main: name: SRD ret: 0. PR1315436

  • The fan speed might frequently keep changing between normal and full for MX Series Router.PR1316192

  • Demux interface sends neighbor solicitation with source link MAC address with all zeros. PR1316767

  • The output of the show configuration <> | display json command might not be properly enclosed in double quotation marks. PR1317223

  • Linux-based microkernel might panic because of concurrent update on mutable objects. PR1317961

  • The rpd might crash when the link flaps on an adjacent router. PR1318476

  • The daemon bbe-smgd might crash after GRES is performed. PR1318528

  • The FPC crashes on configuration change for Packet Forwarding Engine sensors. PR1318677

  • The bbe-smgd process might crash multiple times and does not recover in a rare scenario. PR1318887

  • MS-MPC and MS-MIC might crash after a new IPsec tunnel is added. PR1318932

  • The task replication might not be complete to certain network protocols after multiple GRES. PR1319784

  • The MIB2D_COUNTER_DECREASING: pfes_stats_delta: counter error message might be seen on VMX. PR1319996

  • Chassis MIB SNMP OIDs for VC-B member chassis are not available after MX-VC ISSU. PR1320370

  • Various types of boards might crash while performing unified ISSU. PR1320683

  • The show subscriber summary command output displays incorrect terminated subscriber count. PR1320717

  • PPP inline keepalive does not work fine as expected when the CPE device aborts the subscriber session. PR1320880

  • MX Series routers send the IPv6 router advertisements and DHCPv6 advertisements before sending IPCPv6 ACK from the CPE device. PR1321064

  • The logical interface bind changes are taking more time, and many log messages like IFL TCP (38) Bind change notify ran for are generated by the FPC. PR1321086

  • MX-VC CoS is not applied to Packet Forwarding Engine when VCP link is added. PR1321184

  • The bbe-smgd process generates core files after a large number of clients log out and log in a PPPoE dual stack subscriber scenario. PR1321468

  • There is CoA-NAK with Error-Cause = Invalid-Request sent back to Radius server if a drop policy is applied under the radius-flow-tap configuration in an L2TP subscriber scenario. PR1321492

  • The rpd might crash when two next hops are installed with the same next hop index. PR1322535

  • MS-MIC logical interfaces remain down after many iterations of taking them offline and bringing them back online. PR1322854

  • Line card might crash upon receipt of specific MPLS packet. PR1323069

  • Memory leaks in MGD-API daemon during Get API Requests and Error Handling during Set API Request . PR1324321

  • Subscribers might fail to log in after the interface is deactivated or activated. PR1324446

  • Memory leak is seen in mosquitto-nossl daemon. PR1324531

  • SNMP interface filter does not work when interface-mib is part of the dynamic-profile configuration. PR1324573

  • The VLAN rewrite function might use the wrong VLAN ID when Ethernet OAM is configured on DPCE cards. PR1325070

  • SNMP values might not be increased monolithically. PR1325128

  • MPC cards might drop traffic under high temperature. PR1325271

  • IS-IS adjacency fails to establish because of packets drop on Packet Forwarding Engine. PR1325311

  • Denial-of-Service vulnerability in MS-PIC, MS-MIC, MS-MPC, MS-DPC and SRX Series flow daemon (flowd) is related to the SIP ALG. PR1326394

  • The VLAN demux interface does not respond to the ARP request in a subscriber scenario with subscriber-management enabled on MX Series routers running Junos OS releases after Junos OS Release 15.1. PR1326450

  • In an MX Series BNG, a CoS service object is not deleted properly for TCP and scheduler. PR1326853

  • GRE interface might not come up after deactivating/activating the routing instances. PR1327099

  • Some of the show commands were issued twice when request support information is executed. PR1327165

  • With auto-installation usb configured, interface related commits might not take effect due to dcd error. PR1327384

  • Add error message for AMS load-balancing support. PR1329049

  • MS-MIC or MS-MPC might restart when sampling the MPLS traffic. PR1329189

  • When an AMS bundle has a single aggregated multiservices member interface (mams-) added to it, the subinterfaces do not recover after they are disabled. PR1329498

  • On MX platform in dynamic subscriber over PS interface scenario, if CoS host-outbound-traffic is configured for ieee-802.1p rewrite, it might not work correctly for the packet bit. PR1329555

  • SNMP walks of interfaces-related MIB objects are slower than expected in a scaled configuration. PR1329931

  • The show services nat mappings address-pooling-paired command times out and fails. PR1330207

  • 'Too many supplies missing in Lower/Upper zone' alarm flaps (set/clear) every 20 seconds if a zone does not have the minimum required PSMs. PR1330720

  • Rpd core files are generated on the new backup Routing Engine at task_quit,task_terminate_timer_callback,task_timer_dispatch,task_scheduler after NSR and GRES are disabled. PR1330750

  • FPC wedge with fragmented packets on LSQ interface - PT1: Head and tail out of sync. PR1330998

  • Non-NEBS compliant optics might be disabled when chassis temperature exceeds non-nebs-optics-overheat-trigger. PR1331186

  • The FPC might crash due to logical interface index corruption when IPv6 traffic goes through the IRB interface. PR1331911

  • On all Junos OS products, the local DHCPv6 server might incorrectly respond to “Confirm” messages from clients. PR1331995

  • The rpd generates core files in a Layer 2 circuit or a Layer 2 VPN environment. PR1332260

  • Inaccurate J-Flow records might be seen for output interface and next hop. PR1332666

  • The dot1xd might crash if ports in multi-supplicant mode flaps. PR1332957

  • The subinfo process might crash and cause the PPPOE subscribers to get disconnected. PR1333265

  • The MX Series router might not be able to learn the global IPv6 neighbor address of its DHCPv6 subscriber client. PR1333392

  • In AA Multihoming EVPN VXLAN, some race conditions can trigger constant high CPU on the backup Routing Engine. PR1334235

  • The UID limit is reached in a large-scale subscriber scenario. PR1334886

  • When using show subscribers and if the FPC number has two digits, the interface and IPv6 address get connected together for DHCPv6 PD. PR1334904

  • The IPsec rule might not work if both IPv4 ANY-ANY term and IPv6 ANY-ANY term are configured for it PR1334966

  • The RIP route updates might be partially dropped when NSR is enabled. PR1335646

  • The MAC_STUCK message might be seen on MS-MPC or MS-MIC. PR1335956

  • Subscriber might experience SDB DOWN event and drop the clients' connections when issuing show subscribers commands. PR1336388

  • On MX2000 with SFB card installed, high traffic volume on or heavy traffic on MPC7E, MPC8E or MPC9E might cause traffic drops with cell underflow messages. PR1336446

  • With certificate hierarchy, where intermediate CA profiles are not present on the device, in some corner cases, the PKI deamon can become busy and stop responding. PR1336733

  • The hash value generated for 256-bit key length of AES-GCM-256 algorithm is incorrect. PR1336834

  • BBE-SMGD might core when you configure CoS on logical interface sets. PR1336852

  • The link flaps or stays down due to an interoperability issue between MX Series routers or EX9200 switches and a and transport device. PR1337327

  • DDoS counters for OSPF might not increase. PR1339364

  • Error log message sdb_db_interface_remove: del ifl:si- <index> with licnese cnt non zero on can be seen on LTS during subscriber logout. PR1337000

  • Very few of subscribers show wrong accounting values in large-scale subscribers scenario. PR1340512

  • There might be traffic loss on some subscriber sessions when more than 32000 L2TP subscriber sessions are anchored in an ASI interface. PR1341659

  • With discard interfaces (configured with IGMPv3), the KRT queue gets stuck while deleting multicast next hop with error EPERM -- Jtree walk in progress. PR1342032

  • SNMP walk might failed for LLDP related OIDs. PR1342741

  • MX Series routers send the IPv6 router advertisements and DHCPv6 advertisements before sending IPCPv6 ACK from the CPE device. PR1344472

  • The Framed-route "" won't be installed in MX Series platform with Junos enhanced subscriber management releases. PR1344988

  • Dot1x reauthentication issue. PR1345365

  • An rpd crash might be seen if no-propagate-ttl is set in a routing instance that has a specific route. PR1345477

  • New PPPoE users might fail to log in. PR1346226

  • AC system error counter in show pppoe statistics is not working. PR1346231

  • VCCP-ADJDOWN detection is delayed on VC-Bm when deleting one VCP link on VC-Mm. PR1346328

  • NAT might not work and the spd might crash. PR1346546

  • Statistics daemon PFED might generate a core file on an upgrade between certain releases. PR1346925

  • Twice-napt-44 sessions does not sync to the backup SDG when stateful sync is configured. PR1347086

  • IPv6 MAC resolve might fail if the DHCPv6 client uses a non-EUI64 link-local address. PR1347173

  • The rpd might crash when the dynamic-tunnels next hop that is resolving migrates to a more specific IGP route. PR1348027

  • Issue with handling the community_action ("add") in RPC call. PR1348082

  • MIC-3D-20GE-SFP-E might geneate core files due to ISR 2 MIC error interrupt hogging. PR1348107

  • The authd and smgd might crash and create a core file. PR1348727

  • The per-service accounting statistic value is not accurate. PR1348796

  • The chassisd might crash after MPC6E or MPC7E is replaced with MPC9E. PR1348834

  • DHCPv6 Solicit dropped on L2TP LNS in MX-VC when incoming interface is on VC-master and both anchor si- interface and VCP port on VC-backup on MPC2 NG or MPC2 NG. PR1348846

  • Routing Engine mastership keepalive timer is not updated after the GRES configuration is removed. PR1349049

  • Major alarm:"Major PEM 0 Input Failure" might be observed for DC PEM. PR1349179

  • The MPC might crash when the MIC is removed. PR1350098

  • Pseudowire subscriber over redundant logical tunnels function does not work on MPC7 and MPC9. PR1350115

  • The pccd might crash after a delegated LSP is removed in a PCEP scenario. PR1350240

  • Multicast traffic gets dropped as Invalid policy ID exception. PR1350380

  • The VCP port might not come back up after removing and adding it again. PR1350845

  • PPE Errors async xtxn error when FPC is restart or removal. PR1350909

  • The pfed process is consuming 80-90% CPU running subscriber management on PPC-based routers. PR1351203

  • After GRES, the BGP neighbors at Master RE might reset and the BGP neighbors at Backup RE take long time to establish PR1351705

  • Offlining MIC6-100G-CFP2 MIC through CLI command might trigger FPC card to crash. PR1352921

  • Rpd might permanently hog the CPU due to Logical System configuration commit. PR1353548

  • Syslog error: dfw_bbe_filter_bind:1125 BBE Filter bind type 0x84 index 167806251 returned 1. PR1354435

  • The rpd generates core files when adding an inter-region template in a routing-instances. PR1354629

  • Newly provisioned IPsec tunnel could not forward traffic. PR1354757

  • The static-subscribers do not properly update firewall information on the Packet Forwarding Engine when dynamic configuration changes are made to active subscribers. PR1354774

  • Memory leak is found in agentd when running valgrind. PR1354922

  • Changing the ipv4-flow-table-size does not change the amount of available IPv4 flow table memory in an inline J-Flow scenario. PR1355095

  • Some of the inline service interfaces cannot send out packets with the default bandwidth value (100 Gbps). PR1355168

  • Packets destined to Routing Engine might be dropped in the kernel when LACP is configured. PR1355299

  • The fabric chip failure alarms are observed in GRES scenario. PR1355463

  • Rpd crash might be seen when issuing CLI show dynamic-tunnels database terse and when the system have RSVP tunnels configured. PR1356254

  • I2c messages from PEM/PSM are reported if SNMP is enabled. PR1356259

  • The show pppoe underlying-interfaces command in a scaled environment might cause bbe-smgd memory leak. PR1356428

  • The bbe-smgd generates core files in recursive loop between functions bbe_autoconf_if_l2_input and bbe_if_l3_input. PR1356474

  • DHCP subscribers fail after reconfiguration of port from tagged to untagged mode. PR1356980

  • Routing Engine switchover that occurs before the backup Routing Engine is not GRES ready might cause a linecard restart. As a result, the Routing Engine kernel crashes and multiple chassisd crashes occur. PR1357427

  • MPC/FPC might be unable to reply request messages to the Routing Engine in a high subscriber scale scenario. PR1358405

  • Multiple bbe-smgd crashes might be seen when multiple subscribers log in simultaneously. PR1358868

  • The show chassis fpc command might show Bad Voltage meesage for FPC powered off by configuration or CLI command after the show chassis environment fpc command is executed. PR1358874

  • The IPv6 subscriber might fail to access the network. PR1359520

  • The bbe-smgd might fail to add members to some of the aggregated Ethernet interfaces randomly when there are many aggregated Ethernet interfaces in the access configuration. PR1359986

  • The rpd generates core files at Assertion failed rpd[10169]: file "../../../../../../../../src/junos/usr.sbin/rpd/lib/rt/rt_attrib.c", line 3329: "rt_template_get_rtn_ngw(nhp) <= 1" on performing a Routing Engine switchover with SRTE routes. PR1360354

  • Mirrored traffic is not going out through the LT interface. PR1360489

  • FPC core might be observed after GRES switchover. PR1361015

  • An rpd scheduler slip might be seen when you frequently delete, modify, or add groups that are applied on the top level. PR1361304

  • IP over VPLS traffic is affected by EXP rewrite rule on the core-facing MPLS interface. PR1361429

  • MX Series BNG does not generate ESMC/SSM quality level failed SNMP trap. PR1361430

  • The rpd is struck at 100 percent after the clear bgp neighbor operation. PR1361550

  • Spontaneous bbe-smgd core files might be seen on the backup Routing Engine. PR1362188

  • The MS-MPC might reset continuously on MX Series routers. PR1362271

  • Route installation failure might be seen after the BGP neighbor and route flaps. PR1362560

  • Executing the show route prefix proto ip detail command during route churm in a route scale scenario might lead the FPC to crash. PR1362578

  • The non-default routing instance is not supported correctly for NTP packets in a subscriber scenario. PR1363034

  • Select CLI functions are not triggering properly (set security ssh-known-hosts load-key-file, set system master-password). PR1363475

  • MX Series Virtual Chassis: Request to record VCCP heartbeat state change in the syslog by default. PR1363565

  • Some error logs might be seen on MX2010 and MX2020 routers equipped with SFB2. PR1363587

  • The multicast route update might be stuck in KRT queue and the rpd might crash if rpd and kernel go out of synchronization. PR1363803

  • FPM board status is missing in SNMP MIB walk result. PR1364246

  • A traffic loop might occur even though that port is blocked by RSTP in a ring topology. PR1364406

  • Configuration commit might be delayed by 30 seconds. PR1364621

  • Default adapter type is changed from E1000 to VMXNET3. PR1365337

  • MPC7E: A ukern crash and FPC reboot are seen with the vty show agent sensors verbose command. PR1366249

  • MS-MPC/MS-PIC might crash in a NAT scenario. PR1366259

  • The next hop of MPLS path might be stuck in hold state, which could cause traffic loss. PR1366562

  • The show system resource-monitor fpc command might display a nonexisting Packet Forwarding Engine. PR1367534

  • RTG interface status will be shown as incorrect status with show interface. PR1368006

  • In BBE configurations, receipt of a crafted IPv6 exception packet causes denial of service (CVE-2018-0058). PR1368599

  • SNMP MIB walk causes KMD errors. PR1369938

  • Kernel crash might be seen after committing a demux related configuration. PR1370015

  • The rpd might crash after a Routing Engine switchover is performed or the rpd is restarted if interface-based dynamic GRE tunnel is configured. PR1370174

  • Packets exceeding 8000 bytes might be dropped by MS-MPC in an ALG scenario. PR1370582

  • FPC causes high CPU utilization or crash during a hot-banking condition. PR1372193

  • Image installation on SD fails with error Unable to read reply from software add command to re1; error 1. PR1372877

  • The Routing Engine might crash after a non-GRES switchover. PR1373079

  • LDP convergence delay might be seen after IGP metric change with bgp-igp-both-ribs configured. PR1373855

  • Cosmetic log warning: [---] is protected, 'protocols ---' cannot be deleted is seen after commit using "configure private" in a configuration with "protect" flag present. PR1374244

  • FPC might be unable to work properly if one child interface is removed from an aggregated Ethernet bundle in a dynamic VLAN subscriber scenario. PR1374478

  • The bbe-smgd generates core files continiously while deleting a multicast group node from the tree. PR1374530

  • A bbe-smgd core file might be seen after performing GRES. PR1376045

  • MS-MPC might have performance degradation under scaled fragmented packets. PR1376060

  • Interface optic output power is not zero when the port has been disabled. PR1376574

  • Packets might be dropped on the data plane in the inline J-Flow scenario. PR1377500

  • The ICMPv6 packets larger than 1024 might be dropped if icmp-large-packet-check is configured on the IDS. PR1378852

  • PCS statistics (bit errors and errored blocks) could not increment in the Routing Engine CLI output. PR1379147

  • The Routing Engine might crash with various core files due to the deadlock issue on the SDB STS. PR1380231

  • Memory leak observed in MS-MPC card. PR1381469

  • Subscribers not able to log in after double GRES, after reboot, or after configuration. PR1382050

  • The MPC6E might crash while fetching PMC device states. PR1382182

  • Flows are getting exported before the expiration of the configured active timeout value. PR1382531

  • The kmd crashes with a core file after bringing up the IPsec connection. PR1384205

  • Missing interface-description configuration statement for static subscribers. PR1384421

  • IPSec VPN traffic might fail when passing through MS-MPC of MX Series router with CGNAT enabled. PR1386011

  • Output of the show class-of-service interface command incorrectly shows adjusting application as PPPoE IA tags for DHCP subscribers. PR1387712

  • The bbe-smgd might not respond to the NS message for the SLAAC client on dynamic VLAN. PR1388595

  • Fabric drops might be seen if using a newer generation of MPC with SFB2. PR1388780

  • IGMP group threshold exceed log message appears and prints an incorrect demux logical interface. PR1389457

  • The jnxFruState might show incorrect PIC state after replacing an MPC with another MPC having less PICs. PR1390016

  • The CoS adjustment-control-profile configuration for application DHCP tags does not get applied. PR1390101

  • The bbe-smgd process might crash after committing configuration changes. PR1391562

  • The spd might crash when any-ip is configured in the from clause of the NAT rule with the static translation type. PR1391928

  • If FPGA on the new master CB has a specific hardware failure, the chassid might keep crashing after a GRES switchover. PR1393884

  • The MS-MPC might generate a core file when mspmand receives a non-synchronized TCP packet. PR1396785

  • IPsec tunnel cannot be established because the tunnel SA and rule are not installed in the PIC. PR1398849

  • The bbe-smgd process might crash when executing the show pppoe lockout command. PR1398873

  • Smg-service can become unresponsive. PR1403480

  • The FPC might crash in a CoS scenario. PR1404325

  • Fabric performance drop occurs on MPC7, MPC8, MPC9E and SFB2 based MX2000 routers. PR1406030

High Availability (HA) and Resiliency

  • GRES might fail to start because of missing state ack message from the Package Forwarding Engine. PR1236882

  • The backup Routing Engine might go to the database prompt after removing or restoring the configuration. PR1269383

  • The ksyncd might crash. PR1275022

  • Line card reboots after GRES. PR1286393

  • After interface flapping occurs, the GNFs on the server CB ports show the message Switchover Status: Not Ready. PR1306395

  • The ksyncd process might crash continuously on the new backup Routing Engine after GRES is performed. PR1329276

  • Insufficient available space on hard disk is caused by the crashinfo files that is generated by ksyncd when GRES is configured in large-scale configuration scenario. PR1332791

  • VC-Bm cannot synchronize with VC-Mm when the Virtual Chassis splits and then reforms. PR1361617


  • The show system users command output displays users that are not using the router. PR1247546

  • The show interface command does not return any values and sometimes the commad is completely stuck. PR1250328

  • When system ports console log-out-on-disconnect is enabled, system reboot or switchover can result in processes remaining in the wait state and failure of the syslog feature. PR1253544

  • SNMP MIB walk IfHighSpeed returns instable values for em logical interface when no bandwidth is configured for it. PR1257566

  • Vmcore is created because of mbuf leak. PR1261996

  • Some of the syslog records of CGNAT session might have incorrect time. PR1295442

  • The device might fail to upgrade. PR1298749

  • The might create a huge output file, which could cause the router to run out of storage space. PR1306986

  • Kernel crash (vmcore) occurs during broadcast storm after enabling monitor traffic interface fxp0. (CVE-2018-0029) PR1322294

  • Cleanup at thread exit in FreeBSD kernel is causing memory leaks. PR1328273

  • On all platforms running Junos OS, on a port configured with both dot1x static mac by-pass and normal authentication, the hosts configured for static MAC bypass might not be able to send traffic. PR1335125

  • The kernel might crash and the system might reboot in SNMP query reply scenario. PR1351568

  • The show system virtual-memory | display xml validate command displays errors. PR1356423

Interfaces and Chassis

  • The output value is incorrect when querying the optical power of OTN interfaces in the router. PR1216153

  • On an Enhanced DPC, the dcd process might increase the CPU usage to a very high level after commit check is executed. PR1236088

  • VRRP mastership does not change after priority is changed. PR1242243

  • Iterator adjaceny is removed, leading to inability to display sla-iterator-statistics within CFM performance monitoring. PR1244525

  • RL-dropped packets are not displayed in the output of show interfaces <ifl or interface-set ifl> detail/extensive commands. PR1249164

  • At a high logical interface scale, an ifinfo process (daemon) generates a core file when the command show interfaces extensive | no-more is executed. PR1254189

  • The SNMP-set on the supported configuration in the jnxOpticsConfigTable fails if the FPC slot is 10 and above or the port number is 10 and above. PR1259155

  • The MRU of an aggregated Ethernet interface might be reset to the default value. PR1261423

  • The error messages about RLIMIT_STACK and RLIMIT_SBSIZE might be seen in a PPP scenario after issuing show version detail. PR1262629

  • Some error messages might be seen when setting or deleting VCP port for MPC7, MPC8, and MPC9E cards. PR1271089

  • BERT test shows the elapsed time "in progress" but gets stuck after a few seconds and never gets completed. PR1274896

  • MTU configuration for vt- interface causes the vt- interfaces to be removed because the MTU on this interface is already set to unlimited. PR1277600

  • The PPP Chap Challenge-Length option is not initialized with the default value. PR1280263

  • The line card hosting an Ethernet OAM LFM session might reboot during a unified ISSU. PR1283280

  • The monitor interface on aggregated Ethernet logical interfaces displays an incorrect bps value compared to that shown in the show interface output. PR1283831

  • Interface flapping is observed when Routing Engine switchover is performed if the member links of an aggregated Ethernet interface are configured with framing settings. PR1287547

  • No L2TP sessions come up on some si- interfaces after an MPC restart followed by a Routing Engine switchover. PR1290562

  • Family inet is displayed as not-configured after the loopback address is added or deleted. PR1294267

  • In VRRP scenario, when tracked interface or route goes down, the mastership switchover is delayed for a longtime. PR1294417

  • L2TP subscribers might not be cleared if the access-internal routes fail to install. PR1298160

  • An absolute value can be configured for the delay-buffer-rate option on an inline LSQ interface. PR1300281

  • IRB interface shows incorrect bandwidth value. PR1302202

  • VRRP could not support logical interfaces using the same group ID in VRRP delegated-process mode. PR1305327

  • AFEB might not come up when LFM is deactivated. PR1306707

  • After the request system reboot both CLI command is executed, the PPP daemon might become unresponsive. PR1310909

  • The PPPoE subscriber might not log in correctly after authentication failure in a subscriber scenario. PR1311113

  • MPC CPU might reach 100% when otn ufec statement is configured. PR1311154

  • The ifinfo process might crash and generate a core file when the show interfaces name command is executed with the name greater than 128 characters. PR1313827

  • Invalid interface-set configuration might get committed and result in continuous dcd and chassisd crash. PR1316976

  • There is no route to an IP address from a directly connected route. PR1318282

  • The show interfaces interface-set command is displaying an incorrect logical interface. PR1319682

  • IPv6 Framed Interface Id field (from show subscribers extensive output) is not properly matching the negotiated one. PR1321392

  • IPCP negotiation might fail for dual stack PPPoE subscribers. PR1321513

  • Subscribers might fail to access the device after deleting the needless aggregated Ethernet configuration. PR1322678

  • Unexpected log messages might be seen if a BGP session flaps in a dynamic-tunnels GRE scenario. PR1326983

  • Unexpected log messages might be seen on a router that supports subscriber management. PR1328251

  • Traffic loss might be seen after the aggregated Ethernet bundle unit 1 is deleted. PR1329294

  • The interface might not work properly after FPC restarts. PR1329896

  • The dcd process might crash due to memory leak and causing commit failure. PR1331185

  • The last logical interface digit is sometimes truncated in jpppd trace logs. PR1332483

  • The transportd might crash when SNMP query on jnxoptIfOChSinkCurrentExtTable with unsupported interface index. PR1335438

  • A momentary dip in traffic occurs when a GRES is performed. PR1336455

  • Restarting chassisd with GRES is disabled might cause FPC to restart and some demux sessions to be deleted. PR1337069

  • VRRP virtual MAC addresses disappear, which causes VRRP virtual IP to be not reachable. PR1338277

  • The 100-Gigabit DWDM interface might go down for 15 seconds after a loss-of-signal event. PR1343535

  • The PPPoE subscribers might fail to log in for authd running on 100 percent utilized CPU with a high frequency of on-demand IP address allocation requests. PR1348578

  • The link-degrade-monitor configuration might cause commit synchronization failure on the backup Routing Engine. PR1350192

  • The jpppd core file is generated on thebackup Routing Engine in longevity test at ../../../../../../src/junos/usr.sbin/jpppd/ . PR1350563

  • Native VLAN ID support is needed on ps-interface. PR1352933

  • The FPC might be stuck at 100 percentfor a long time when MC-AE with enhanced-convergence is configured with large-scale logical interfavces. PR1353397

  • The aggregated Ethernet interface might flap when the link speed of the aggregated Ethernet bundle is configured to oc192. PR1355270

  • Clients might not get IPv4 address in PPPoE dual-stack scenario. PR1360846

  • Many PPPoE subscribers might be lost after unified ISSU/GRES. PR1360870

  • Error messages like ifname [ds-5/0/2:4:1] is chan ci candidate are seen during a commit operation. PR1363536

  • In case of MPLS, DMR packets are sent with different MPLA expiration bits if the MX Series router receives CFM DMM packets with varying expiration values on the MPLS header. PR1365709

  • In rare cases, there might be L2TP subscribers stuck in the terminated state. PR1368650

  • ISSU could be aborted at Timed out Waiting for protocol backup chassis master switch to complete with MX Virtual Chassis configuration. PR1371297

  • The dcd process might go down when vlan-id none is configured for the interface. PR1374933

  • Duplicate IP cannot be configured on both SONET (so-) interface and other interfaces. PR1377690

  • Some error logs (Tx unknown LCP packet) might be reported by the bbe-smgd daemon on MX Series routers. PR1378912

  • The dcd is restarted unexpectedly after committing a configuration with static demux interface stacking over ps interface. PR1382857

  • The jpppd process might crash if the EPD value contains a format specifier. PR1384137

  • A dcd core file might be seen after a FPC restart if channelized interfaces are configured. PR1387962

  • All DPCs might crash while adding or deleting a logical interface from the aggregated Ethernet bundle. PR1389206

  • The interface-control process thrashes and dcd does not restart after adding an invalid demux interface to the configuration PR1389461

  • The backup Routing Engine might get stuck in amnesiac mode after reboot. PR1398445

  • All dcd operations might be blocked if profile-db is corrupt. PR1399184


  • Denial of service occurs in J-Web (CVE-2018-0062). PR1264695

  • Unauthenticated remote code execution through J-Web interface. PR1269932

Layer 2 Ethernet Services

  • The IPv4/IPv6 packets originating from the Routing Engine might be corrupted when the bridge domain has VLAN ID set to none, but the outgoing Layer 2 interface for the packet is tagged and CoS is enabled. PR1263590

  • DHCP is not using the configured IRB MAC address as the source MAC addressin DHCP offer unicast replies. PR1272618

  • DHCPv6 client bound to IA_PD prefix on reception of DHCv6 Request for IA_NA, MX deletes the existing binding. PR1286359

  • The jdhcpd process crashes, generating a core file, and restart. PR1288475

  • ARP requests are not generated for IRB configured in VPLS over GRE tunnel. PR1295519

  • PPPoE/DHCP clients cannot log in to PPPoE/DHCP dual-stack subscriber scenario. PR1298976

  • A parameter-handling problem might cause the kernel to panic when a neighbor discovery message arrives on an IRB interface. PR1303415

  • Multiple jdhcpd core files are observed in jdhcpd_update_groups at ../../../../../../src/junos/usr.sbin/jdhcpd/jdhcpd_config.c:2290. PR1311569

  • DHCPv6 traffic might be dropped in a subscriber scenario. PR1316274

  • jdhcpd generates core files after DHCP configuration is changed/modified. PR1324800

  • The snmpget for OID: dot3adInterfaceName might not work. PR1329725

  • The l2cpd process leaks memory if the Layer 2 learning process is disabled. PR1336720

  • When DHCP subscribers are in BOUND (LOCAL_SERVER_STATE_WAIT_GRACE_PERIOD) state, if dhcp-service is restarted then the subscribers in this state are logged out. PR1350710

  • DHCP relay agent discard the DHCP request message silently if the requested IP address has been allocated to the other client. PR1353471

  • On MX Series routers, restart of the FPC that hosts micro-bfd link might cause a LACP core file. PR1353597

  • A jdhcpd crash is observed while processing the DHCPv6 Information-Request. PR1368377

  • BOOTP packets might be dropped if BOOTP-support is not enabled at the global level. PR1373807

  • RADIUS accounting statistics are not cleared after subscriber logout. PR1383265

Layer 2 Features

  • The mbuf leaks because of processing of MPLS packets in the VPLS network. PR1272898

  • In scaling VPLS scenario, convergence time is taking more than 10 minutes. PR1279192

  • A misconfiguration that adds an aggregated Ethernet bundle and its member link to a VPLS instance might cause 100% routing protocol process (rpd) utilization. PR1280979

  • On MX Series routers with MPCs or MICs, packets received on the IRB interface in VPLS gets double-tagged. PR1295991

  • The rpd process memory leak is observed when VPLS configuration changes such as deleting or re-configuring VPLS interfaces occur. PR1335914

  • VPLS instance stays in NP state after LDP session flaps. PR1354784

  • The unicast traffic from an IRB interface toward LSI might be dropped due to Packet Forwarding Engine mismatch at egress processing. PR1381580


  • The rpd generates core files in rio_hello_timeout_cb under high CPU load. PR1138190

  • RSVP P2MP sub-LSPs with more than one sub-LSP in down state might not get re-optimized after the transit path goes down. PR1174679

  • Automatic bandwidth underflow is not being registered following the first bandwidth adjustment when there is no traffic flowing over an LSP. PR1233293

  • The rpd might crash when moving a static LSP from one routing instance to another. PR1238698

  • The rpd might crash after performing restart routing or Routing Engine switchover in MPLS environment. PR1239102

  • Potential issues with policy-based selection of RSVP LSPs PR1261739

  • A rpd crash might be seen if egress-policy is configured in LDP. PR1266358

  • The created time value in show mpls lsp extensive drifts by a second when the show command is issued multiple times. PR1274612

  • The ingress RSVP LSP fails to come up after the clear rsvp lsp all command is run on the egress router. PR1275563

  • The rpd might crash in LDP L2circuit scenario. PR1275766

  • The rpd might crash on the egress LER of a fast-reroute protected LSP. PR1276748

  • A crafted MPLS packet might lead to a kernel crash. PR1276786

  • The Routing Engine might crash during next-hop addition in a race condition. PR1284850

  • MPLS l2ckt ping packet incorrectly parsed by the output loopback filter. PR1288829

  • LDP egress policy is not advertising the label for the inet.3 BGP labeled-unicast route. PR1289860

  • The routing protocol process (rpd) crashes because of LDP defect during NSR-enabled Routing Engine switchover. PR1290789

  • Received MTU might not get updated in RSVP MTU signaling. PR1291533

  • In an RSVP environment, a stale LSP might get created after a Routing Engine switchover with nonstop routing (NSR) enabled. PR1292526

  • The rpd might crash when the MPLS LSP path changes. PR1295817

  • The process rpd might crash when MPLS traceroute is performed. PR1299026

  • The traffic in a P2MP tunnel might be lost when NG-MVPN uses RSVP-TE. PR1299580

  • The rpd process might crash in rare conditions where traffic-engineering is configured. PR1303239

  • The kysncd process might crash after removing and inserting the backup Routing Engine in an analytics and MPLS sensor scenario. PR1303491

  • The explicit-null feature might block incoming host-bound traffic from LSPs. PR1305523

  • The RSVP node-hello packet might not work correctly after the next-hop for remote destination is changed. PR1306930

  • The rpd process might crash if the interface is down when UHP-based LSPs are configured. PR1309397

  • The rpd process might crash if LDP updates the label for the BGP route. PR1312117

  • The install-nexthop lsp/lsp-regex statement in the policy does not work with dynamic LSPs (RSVP automesh). PR1313185

  • Delayed show mpls container-lsp output. PR1314960

  • RSVP node-neighbor found even when node-hello has been disabled. PR1317241

  • The rpd might crash after the primary link failure of link protection. PR1317536

  • With dynamic tunnels configured, the rpd might crash when it is restarted or Routing Engine switchover is executed. PR1319386

  • The IPv4/IPv6 multicast traffic might get dropped in MX Series Virtual Chassis when the traffic comes in through the Layer 2 circuit and goes out through an aggregated Ethernet member interface across Virtual Chassis members. PR1320742

  • With dynamic-tunnels configured, the rpd might crash when the rpd is restarted or Routing Engine switchover is executed. PR1319386

  • The rpd might crash because of a memory leak in an RSVP scenario. PR1321952

  • Receipt of specially crafted UDP packets over MPLS might bypass stateless IP firewall rules (CVE-2018-0031). PR1326402

  • SNMP OID counters for mplsLspInfoAggrOctets show a constant value in show mpls lsp statistics for some LSPs even though traffic constantly increases. PR1327350

  • Rpd daemon crashes upon receipt of specific MPLS packet (CVE-2018-0043). PR1328058

  • Packets loss might be observed when auto-bandwidth is enabled for CCC connections. PR1328129

  • The rpd might crash on the backup Routing Engine because of memory exhaustion. PR1328974

  • The rpd might crash with MPLS traceoption configured. PR1329459

  • Whenever there is a decrease in the statistics value across an LSP, the mplsLspInfoAggrOctets value takes two intervals to get updated. PR1342486

  • LDP label is generated for serial interface subnet route unexpectedly. PR1346541

  • The MPLS LSP does not come up after changing admin-group mapping. PR1348208

  • The rpd might crash in an RSVP setup-protection scenario. PR1349036

  • In a very rare scenario, rpd might crash when LDP fails to allocate self-id for the P2MP FEC. PR1349224

  • Nondeterministic load balancing of Routing Engine generated traffic is observed. PR1354738

  • Packets destined to the master Routing Engine might be dropped in the kernel when LDP traffic statistics are polled through SNMP. PR1359956

  • The Layer 2 circuit might flap after an interface goes down even if the LDP session stays up when l2-smart-policy is configured. PR1360255

  • The process rpd might crash during P2MP LSPs churn. PR1363408

  • The LSP might remain UP even if no path is acceptable due to CSPF failure. PR1365653

  • The route prefixes with an assigned label might be missed in the LDP database. PR1366619

  • The rpd might crash in a BGP LU and LDP scenario. PR1366920

  • RSVP authentication might fail between some Junos OS releases and cause traffic loss during local repair. PR1370182

  • The next hop of static LSP for MPLS might get stuck in dead state after changing the network mask of the outgoing interface. PR1372630

  • The traceroute MPLS might fail when traceroute is executed from a Juniper Networks device to another device that does not support RFC6424. PR1372924

  • The traffic might not be load-balanced equally across LSPs with ldp-tunneling configured. PR1373575

  • The rpd process might crash continuously if the nsr-synchronization statement or all flag is used in RSVP traceoptions. PR1376354

  • Receipt of a specifically crafted malicious MPLS packet leads to a Junos OS kernel crash (CVE-2018-0049). PR1380862

  • The rpd might crash on the backup Routing Engine after switchover. PR1382249


  • DHCPv6 r.elay is not working unless DHCP is restarted PR1316210

  • Multicast traffic is not forwarded on the newly added P2MP branch/receiver. PR1317542

  • Some IGMP groups might have wrong upstream interface because an incorrect discard route is installed in the PIM. PR1337591

  • With discard interfaces (configured with IGMPv3), the KRT queue gets stuck while deleting the multicast next hop with the error EPERM -- Jtree walk in progress. PR1342032

Network Management and Monitoring

  • Denial-of-service vulnerability in SNMP MIB-II subagent daemon (mib2d) (CVE-2018-0019). PR1241134

  • jnxDomCurrentLaneTxLaser* SNMP MIBs used for tracking the Tx and Rx power values are not working for P3-15-U-QSFP28 PIC. PR1265412

  • Command Esc-q does not work when the system log is disabled, and syslog messages continue to be displayed. PR1269274

  • SNMP MIB hierarchy is missing. PR1278197

  • mib2d-related syslog messages MIB2D_RTSLIB_READ_FAILURE: rtslib_iflm_snmp_pointchange are seen during the removal and restoration of configurations. PR1279488

  • snmpd denial of service upon receipt of crafted SNMP packet (CVE-2017-2345). PR1282772

  • The mib2d process might crash in the SNMPv3 environment. PR1286005

  • The mib2d process logs "RLIMIT curr 1048576000 max 1048576000" every time a commit is done. PR1286025

  • The mib2d process might crash when polling the OID ifStackStatus.0 after an logical interface of lo0 is deleted. PR1286351

  • The show arp no-resolve interface X command for the nonexistent interface X shows unrelated static ARP entries. PR1299619

  • After SNMP configuration, activation of the snmpd process starts to consume a lot of CPU time. PR1300016

  • The syslog might generate duplicate entries of hostname and timestamp. PR1304160

  • The mib2d might crash during SNMP polling on interface MIBs and meanwhile the FPC restarts or the interface flaps. PR1318302

  • The jnxDomLaneAlarmSet trap is sent with an empty interface description. PR1318913

  • SNMP stops or becomes very slow after a very long period of time. PR1328455

  • With interafce-mib; the MX Series router is responding with type : NoSuchInstance for OIDs when multiple OIDs are polled in one SNMPGET request. PR1329749

  • jnxDcuStatsEntry and jnxScuStatsEntry OIDs are missing post interface config change. PR1354060

Platform and Infrastructure

  • Traffic drop might occur under a large-scale firewall filter configuration. PR1093275

  • Kernel might crash on issuing show arp or clear arp if there is an IPv4 address. PR1120114

  • The LIBJSNMP_NS_LOG_WARNING messages are observed continuously in /var/log. PR1159551

  • FPC crashes with the MAC accounting feature enabled. PR1173530

  • The forwarding-class-accounting enhanced feature is not supported in combination with forwarding-options hyper-mode. Using both features together results in traffic being silently discarded or dropped. PR1198021

  • Unable to roll back to a certain configuration version when using admin users with restricted permissions. PR1206074

  • Packet Process Engine UCODE rebalancing is getting enabled by default. PR1207532

  • Unexpected scheduler queue ID mapping might be seen if an aggregated Ethernet interface is configured with scheduler-map in enhanced-ip mode. PR1236541

  • ISSU might fail, displaying the message Backup Routing Engine not ready. PR1240788

  • With a commit script configured, the mgd process might crash when any feature (statement/option) is configured in private configuration mode. PR1244015

  • The commit complete message is displayed three times on every commit. PR1244031

  • XM chip-based line card might drop traffic under high temperature. PR1244375

  • The MX104 router does not report HSL2 CMERROR alarm upon HSL2 CRC errors. PR1247707

  • The error messages about "jlock hog" might be seen after restarting routing in large scale of routes. PR1248246

  • In some scenarios, certain interface configuration change (otn-options, wan-phy, etc) might trigger shm-rtsdb to generate core files because of unexpected internal messages size exchanged between Kernel and shm-rtsdb daemon. PR1249116

  • One of the processes (dcd, rpd, dfwd, pfed, cosd, sampled) might generate a core file in a large-scale 8000 ESSM login or logout with an ephemeral database. PR1249979

  • Kernel crash might be observed with the panic string "rn_clone_unwire no ifclone parent". PR1253362

  • Error message rnh_iff_delete_nh: no pat-node might be seen when the subscriber logs out. PR1263983

  • Configuration changes under the logical-system statement for a logical system (LSYS) user does not take effect after a single commit with fast-synchronize enabled. PR1265139

  • Transient hardware problem causes high fabric traffic drops. PR1265385

  • An error message might be seen if a new line card or service card is brought comes online. PR1266336

  • Dropping the TCP RST packet incorrectly on the Packet Forwarding Engine might cause traffic drop. PR1269202

  • The queued statistics of interface are not correct for CoS on MX Series routers. PR1271055

  • The RPM Loss percentage values for "over all tests" through SNMP might be incorrect. PR1272566

  • Every few seconds syslog prints messages related to luss_cassxr_hotbank_check CASS XR Heavy Bank Mask: seen on MPCE FPCs. PR1273439

  • The show ddos-protection protocols arp culprit-flows command displayed the wrong source MAC address. PR1274457

  • EVPN-VXLAN traffic gets dropped as Incorrect vxlan fw path executed because of a sampling configuration on the core interface. PR1280539

  • The MPC might crash after an IRB interface is deleted or any other change is made on an IRB interface. PR1281107

  • Password might be required when you issue the request routing-engine login other-routing-engine command. PR1283430

  • Error messages might be observed with MPC5E card. PR1283850

  • The traffic might be classified into the wrong queue when aggregated Ethernet interfaces with child legs are anchored on an MQ-based MPC without a queuing chip. PR1284264

  • The dexp process might crash after set system commit delta-export command is run. PR1284788

  • Administratively disabling an interface might cause high FPC CPU usage. PR1285673

  • Generate-event time-interval usage now triggers the event only on the actual expiry of the time internal. PR1286803

  • Incorrect load-balancing on the aggregated Ethernet interface might occur if traffic goes from MS-DPC to MPC in enhanced-ip mode. PR1287086

  • The output values of the show system resource-monitor command are not accurate. PR1287592

  • There might be memory leak on MPC if the next-hop address that is defined in the next-hop-group is reachable through multiple interfaces. PR1287870

  • Unauthenticated remote root access is possible when RSH service is enabled (CVE-2018-0052). PR1288932

  • The source MAC address learned from Packet Forwarding Engines across aggregated Ethernet interfaces might bounce between aggregated Ethernet member and Packet Forwarding Engines for a long time and might cause an MLP-ADD storm. PR1290516

  • The rmopd might get stuck at sbwait upon receiving a specific response from the HTTP agent. PR1292151

  • Transient flow control is asserted by XLP MAC after MX Series router is upgarded to Junos OS Release 16.1. PR1293232

  • The scale-subscriber license might leak on the backup Routing Engine during bulk subscriber logout. PR1294104

  • The mgd process generates a core file after GRES in a subscriber environment. PR1298205

  • RMOPD_HW_TIMESTAMP_INVALID is reported 2 to 4 times a day, which raises an alarm when polled through jnxRpmResSumPercentLost MIB. PR1300049

  • Packet corruption with EVPN MPLS double label push with 3 or more ieee 802.1Q VLAN tags. PR1300211

  • Traffic might be dropped in the egress Packet Forwarding Engine because of a hashing mismatch. PR1300789

  • Packet Forwarding Engine might crash after an MPC reset in a firewall filter scenario. PR1300990

  • All traffic can be Tail-/RED-dropped on some interfaces when chassis fpc max-queues is configured. PR1301717

  • Classifier does not get applied on the aggregated Ethernet member links on MX Series routers with DPC, on which CoS is configured. PR1301723

  • MX Series FPC wedges when creating more than 4000 logical tunnel interfaces per Packet Forwarding Engine. PR1302075

  • The interface-MAC-limit might fail for aggregated Ethernet interface. PR1303293

  • MQSS parcel error might result in performance degradation or the forwarding through the Packet Forwarding Engine might stall PR1303529

  • The Two-Way Active Measurement Protocol (TWAMP) Request-TW-Session message's Type-P Descriptor format is not RFC-compliant. PR1305752

  • When an "auditd" child process is terminated, the System reaching processes ceiling <low or high or critical> watermark error message might be seen. PR1305964

  • On MX Series routers with MPCs or MICs, the resource monitor (RSMON) thread might be stuck in a loop consuming 100 percent of FPC CPU. PR1305994

  • Service cookie opaque data reset wrongly leading data sent to service pic getting corrupted. PR1310904

  • The built-in MPC in MX5/10/40/80 might crash due to CPU hogging after the chip fails to initialize. PR1312286

  • AMS ICMP error handling forwarding to the correct service PIC-Packet Forwarding Engine. PR1313668

  • Rate limit configured with a small temporal buffer size might cause packet loss. PR1317385

  • Multicast traffic might get duplicated when MoFRR is configured. PR1318129

  • The default severity of the correctable ECC errors on MX Series routers with MPC2E NG Q, MPC3E NG Q, or MPC5E has been changed from Fatal to Major. PR1320585

  • Errors might be observed when fabric-header-crc-enable feature is enabled. PR1320874

  • Traffic with more than two VLAN tags might be incorrectly rewritten and sent out. PR1321122

  • In MX104 router, the sdk-vmmd: %USER-3: is_platform_rainier: Platform could not be detected syslog is logged with the wrong severity level. PR1321622

  • The no-propagate-ttl might not take effect if chained-composite-next-hop ingress l3vpn extended-space is configured. PR1323160

  • MAC addresses might not be learnt on MX Trio-based card due to the negative value of the bridge MAC table limit counter. PR1327723

  • The packet might get dropped in LSR if MPLS pseudowire payload does not have control word and its destination MAC starts with '4' or '6'. PR1327724

  • Traffic loss might be observed on lt- interface. PR1328371

  • Directories and files under /var/db/scripts do not have execution permission or the jet directory is missing under /var/db/scripts causing the error: Invalid directory: No such file or directory error during commit. PR1328570

  • The tcpdump filter might not work in the egress direction on ps and lt- logical interfcaes. PR1329665

  • Denial of service occurs in telnetd (CVE-2018-0061). PR1331234

  • Router opens a database prompt at netisr_process_workstream_proto. PR1332153

  • RPM mib pingResultsMinRtt, pingResultsMaxRtt, pingResultsAverageRtt response as "1" while target address is unreachable,should be "0". PR1333320

  • Traffic loss might be seen for some flows due to network churn. PR1335302

  • Commit might fail with error reading from commit script handler, error: commit script failure. PR1335349

  • Backup Routing Engine kernel crash is observed on commiting set system management-instance. PR1335903

  • The MPC might crash after setting max-queues to a very large number. PR1338845

  • Route corruption in Packet Forwarding Engine with connectivity fault management enabled for Layer 2 circuit. PR1338854

  • While downgrading a Junos OS platform from a later release, the router goes into amnesiac state. PR1341650

  • Configuring the same DHCP server in different routing instances is not supported in a DHCP relay scenario. PR1342019

  • Transition of VRRP backup to master might result in dead next hops. PR1342707

  • Route corruption in Packet Forwarding Engine with connectivity fault management enabled for Layer 2 circuit. PR1342881

  • Junos OS: Multiple vulnerabilities NTP. PR1343195

  • The rpd might crash when performing a Routing Engine switchover with NSR and logical system configurations. PR1345720

  • Packet drop might be seen on the logical tunnel interfaces lt-x/2/x or lt-x/3/x. PR1345727

  • Junos OS: cURL: Multiple vulnerabilities in multiple cURL versions. PR1347361

  • The IPv4 GRPS traffic over aggregated Ethernet interface might be dropped if gtp-tunnel-endpoint-identifier is configured. PR1347435

  • FPC CPU utilization with lt- interfaces is pegged continuously at 100%. PR1348840

  • ICMP error messages are not generated if 'don't fragment' packets exceed the MTU of the multiservice interface. PR1349503

  • JNH memory leak is seen with VTEP traffic. PR1356279

  • Traffic is dropped without notification in a large-scale scenario. PR1357707

  • On Junos OS, the next-hop index allocation fails and private index space gets exhausted through incoming ARP requests to the management interface (CVE-2018-0063). PR1360039

  • Junos OS: Multiple vulnerabilities in libxml2. PR1364019

  • The Disconnected after ISSU and before switchover error message might be seen and FPC is restarted during unified ISSU. PR1364514

  • Subscribers over aggregated Ethernet interface might have tail drops that will affect the fragmented packets due to the QXCHIP buffer getting filled up. PR1368414

  • Forwarding is broken after adding protocol EVPN extended-vlan-id. PR1368802

  • The host outbound traffic might get dropped when class-of-service host-outbound-traffic ieee-802.1 rewrite-rules is configured. PR1371304

  • Traffic might drop on newly added interfaces on MX Series router after unified ISSU. PR1371373

  • JNH memory leaks occur in multicast scenario with MoFRR enabled. PR1373631

  • FPC crash might be seen after the FPC restarts. PR1380527

  • Packet drops on interface if gigether-options loopback is configured. PR1380746

  • MAC learning might get stuck on MX Series routers with DPC and MPC. PR1383233

  • The RVT interface might flap. PR1399102

Routing Policy and Firewall Filters

  • Condition-based policy fails to take action even though the condition is matched. PR1300989

  • The rpd might crash if vrf-target auto is configured for a routing instance. PR1301721

  • The policy configuration might not be evaluated if the policy expression is changed. PR1317132

  • Access-internal route might fail to be leaked between routing instances when from instance is configured in the policy. PR1339689

  • The set metric multiplier offset command might cause overflow or underflow. PR1349462

Routing Protocols

  • The show bgp summary command displays an incorrect result while assisting GR. PR1045151

  • Multipath does not recalculate after enabling the AS-PATH-IGNORE option, and clearing the session triggers rebuilding of the multipath. PR1163945

  • BGP extended communities with sub-type 4 erroneously displayed at LINK_BANDWIDTH. PR1216696

  • The routing protocol process (rpd) on the backup Routing Engine might restart unexpectedly upon the addition of a new L2VPN routing instance. PR1233514

  • The rpd process generates core files in the ASBR when BGP is deactivated in the ASBR before all stale labels have been cleaned up. PR1233893

  • The routes learned from a BGP peer might not be advertised to others if add-path is configured. PR1246349

  • The stale BFD session might remain up on the previous anchor FPC. PR1246363

  • When the advertise-from-main-vpn-tables configuration statement is used under BGP and the route reflector functionality is added, a refresh message is not sent, resulting in some missing routes. PR1254066

  • BGP-LU label might go into "dead" state in the forwarding table after the MPLS address family on the next-hop interface is removed and added again. PR1262180

  • IPv6 BFD session(s) configured under IS-IS might not come up after interfaces comes up. PR1266211

  • MPLS over UDP tunnel creation fails in the absence of a VRF table. PR1270955

  • The rpd might crash after BGP is deactivated or activated. PR1272202

  • PIM is stuck in the “InProgress” state when NSR is enabled. PR1273538

  • BGP-ORR not working correctly in an IS-IS overload scenario. PR1274802

  • The BFD down for BGP might cause customer traffic to be dropped without notification. PR1276497

  • Error messages might be seen when receiving BGP update messages with UNREACH NLRI. PR1276758

  • After bfdd restart, the issue is seen with next-generation MVPN and Layer 2 VPN route exchange causing MVPN and VPLS traffic drop. PR1278153

  • With NSR enabled, rpd might generate core files in the master Routing Engine when there is change in kernel id. PR1278741

  • The rpd core files are generated because of BGP update with malformed optional transitive attributes. PR1279204

  • OSPF neighbors might not come up during router reload under high load if PIM is also configured. PR1279682

  • IS-IS LSPs might be dropped during interoperability with a Cisco device in a segment routing scenario. PR1280522

  • Routing loops might be seen after configuring BGP Prefix-Independent Convergence (BGP PIC). PR1282520

  • BGP updates might not be advertised to peers completely in certain condition. PR1282531

  • The rpd process might crash due to a certain chain of events in a BGP-LU protection scenario. PR1282672

  • The second multicast packet might be discarded on the rendezvous point (RP) router. PR1282848

  • Some BGP-related traceoptions flag settings are not effective immediately after the configuration commit, until the BGP sessions are flapped. PR1285890

  • The rpd might crash if the dynamic rendezvous point goes down in ECMP topology and also if PIM join-load-balance automatic is configured. PR1288316

  • With BGP traceoption enabled, executing the rollback and load merge commands for the configuration might cause rpd to crash. PR1288558

  • BGP-RR sends full route updates to its RR-Clients when any family mpls interface gets bounced due to any fiber cut or manual events causing high CPU spike. PR1291079

  • Multihop BFD sessions flap continuously. PR1291340

  • BGP Monitoring Protocol (BMP) might send malformed route-monitoring messages. PR1292848

  • Graceful Restart helper might lose capabilities during peering establishment. PR1293174

  • Rpd crashes upon receipt of malformed PIM packet (CVE-2019-0013). PR1293306

  • Multicast flow reset might occur on OIF for RPT joined branch when PIM prune comes on another interface. PR1293900

  • lmpd (link mangement protocol daemon) crashes repeatedly when logical-system is configured on the same router. PR1294166

  • The rpd might crash if BGP flap happens. PR1295062

  • ISSU might take more time to complete and the FPC might go offline during ISSU reboot. PR1298259

  • The rpd process might crash because of the AS PATH check error that occurs when RIB groups are added first and later the routing instances are added. PR1298262

  • Inline-BFD on IRB will be broken after GRES/NSR switchover, and the anchor FPC subsequent goes offline. PR1298369

  • MSDP sessions might flap due to data replication stuck between backup and master Routing Engines with huge SA burst between peers. PR1298609

  • The rpd process might crash on the backup Routing Engine. PR1298711

  • Junos OS: The rpd might crash due to a malformed BGP update packet (CVE-2018-0020). PR1299199

  • BGP might send incorrect AS path when alias is enabled and multiple peers are under the BGP group. PR1300333

  • IBGP route damping does not take effect on IBGP inet-vpn address family. PR1301519

  • The rpd process might crash with a core file while deleting a multipath route. PR1302395

  • BGP sessions established without SYNC flag. PR1302426

  • Multicast traffic might be pruned for random groups following a designated router failover. PR1303050

  • Observed mcsnoopd core file at __raise,abort,__task_quit__,task_quit,task_terminate_timer_callback,task_timer_dispatch,task_scheduler_internal (enable_slip_detector=true, no_exit=true) at ../../../../../../src/junos/lib/libjtask/base/task_scheduler.c:275. PR1305239

  • The BFD session might flap when querying interface statistics through SNMP or executing a show command through CLI in vMX. PR1305308

  • BGP traceoption logs are still written when it is deactivated. PR1307690

  • Junos OS Release 16.2 and later releases might give the following error: Request failed: OID not increasing: ospfIfIpAddress. . PR1307753

  • Qualified next-hop resolution fails in some scenarios when there is a next-hop interface specified. PR1308800

  • With resource public key infrastructure (RPKI) enabled, rpd successive crashes are seen during route validation database processing. PR1309944

  • BGP labeled-unicast protection might break multicast reverse path forwarding (RPF). PR1310036

  • The BGP session might flap when the connection between the master Routing Engine and the backup Routing Engine keeps flapping, with NSR configured. PR1311224

  • The rpd might crash when the neighbor IS-ISv6 router is restarted, causing route churn. PR1312325

  • BGP route age gets refreshed when the secondary path goes down, with BGP PIC enabled. PR1312538

  • The IS-IS SPF might be triggered by LSP updates containing changes only in reservable bandwidth. PR1313147

  • The rpd might crash if RIP neighbor is configured with the local interface IP address. PR1313712

  • BGP prefixes with three levels of recursion for resolution get stuck with a stale next hop at the first level after a link down event. PR1314882

  • The rpd might constantly consume high CPU in a BGP setup. PR1315066

  • On a chassis with BMP configured, the rpd might crash when the rpd process is gracefully terminated. PR1315798

  • OSPF routes cannot be installed to the routing table until the lsa-refresh timer expires. PR1316348

  • The primary path of MPLS LSP might switch to another address. PR1316861

  • lsdb entry cleanup might cause rpd crash, if loop free alternative is configured. PR1317023

  • The inactive route cannot be installed in multipath next-hop after disabling and enabling the next hop interface in a Layer 3 VPN scenario. PR1317623

  • The MPLS labels next hop for IPv4 labeled unicast route are incorrect if some changes are made to the active LDP route. PR1317800

  • BGP-LU update oscillates with BGP-PIC. PR1318093

  • Remove syslog message that got added to code unintentionally. PR1318458

  • IS-IS might choose a sub-optimal path after the metric change in ECMP links. PR1319338

  • Traffic might get blackholed temporarily when BGP GR is triggered and the direct interface flaps. PR1319631

  • The rpd process might crash when deactivating the static route if the next-hop interface is of P2P type. PR1323601

  • When prefix limit is reached, increasing maximum-prefixes does not take effect. PR1323765

  • BGP peer is not established after routing engine switchover when graceful-restart and BFD enabled. PR1324475

  • Process mcsnoopd memory leak occurs. PR1326410

  • IGMP snooping might be enabled unexpectedly. PR1327048

  • Multiple next hops might not be installed for IBGP multipath route after an IGP route update. PR1327904

  • The rpd might crash on the backup Routing Engine after the BGP peer is deleted. PR1329932

  • Manual GRES with MX-Virtual Chassis results in some packet loss on core-facing interfaces. PR1329986

  • The conditional route policy cannot withdraw all routes in a BGP add-path scenario. PR1331615

  • LDP route in inet.3 is missing when both OSPF rLFA and LFA protections are available and rejected by backup selection policy. PR1333198

  • The discard next hop is being installed when the primary LSP interface drops. When the primary interface returns, discard next hop remains until BGP LU neighbor is cleared. This impacts only the cloned route (S=0. ) PR1333570

  • IGMP joins are not processed with passive allow-receive configured on IGMP interfaces. PR1334913

  • BGP sessions get stuck in active state after the device is restarted at the remote end (Cisco). PR1335319

  • The rpd might crash if SRLG information is in the protocol IS-IS. PR1337849

  • The rpd might crash after the remote BGP peer closes the TCP session. PR1340379

  • The rpd crashes due to receipt of crafted BGP NOTIFICATION messages (CVE-2018-0037). PR1340689

  • The rpd crash might occur when receiving BGP updates. PR1341336

  • The VRF static route might not be exported when route-distinguisher-id is used on route reflector in a BGP Layer 3 VPN scenario. PR1341720

  • Changes to the displayed value of AIGP in the show route ... extensive command. PR1342139

  • Traffic is discarded without notification if local DUT receives BFD-down. PR1342328

  • The rpd might crash when EBGP neighbor flaps. PR1342481

  • The rpd might crash when deleting or deactivating the VRF routing instance in a BGP Layer 3 VPN environment. PR1343578

  • The rpd process might crash after GRES when multipath is configured. PR1346954

  • The rdp might crash if a route for RPF uses a qualified next hop. PR1348550

  • A rpd crash might be seen after executing a Routing Engine switchover. PR1349167

  • IGMP snooping over LDP VPLS might lose an lsi-bound downstream snooping next hop after certain multicast topology changes. PR1349388

  • Traffic loss might be seen after the upstream interface shifts from one to another during receipt of the PIM prune packet. PR1350806

  • The soure-as community is not appended to RP (display issue in "show route" detail output). PR1353210

  • Ukern memory leak and core crash are seen in BGP environment. PR1366823

  • Static route gets unexpectedly refreshed on commit when configured with resolve. PR1366940

  • About 10 minutes of traffic loss is caused by BGP flap during MX Series ISSU. PR1368805

  • The static route might persist even after its BFD session goes down. PR1385380

  • The rpd might crash after issuing the show route detail command for RIP route. PR1386873

  • Penultimate-hop router does not install BGP LU label, causing traffic to be discarded without notification. PR1387746

  • IGMPv3/MLD membership requests could not work normally. PR1389119

  • An rpd core file might be dropped due to a soft assert if a non-BGP protocol route with an AS_PATH is used. PR1391767

  • The ppmd on the Routing Engine might run with high CPU utilization after Routing Engine switchover. PR1392704

  • The rpd generates core files on the backup Routing Engine during neighborship flap when using an authentication key with more than 20 characters. PR1394082

  • The best and the second-best routes might have the same weight value if BGP PIC is enabled. PR1395098

  • A rpd soft core file might be seen when Layer 2 VPN is used. PR1398685

Services Applications

  • DTCP non-optimized trigger attributes can delay mirrored traffic forwarding in scaled environments. PR1269770

  • Lawful intercept: ingress control packets from the subscriber are mirrored to the mediation device twice. PR1275592

  • Business service fails to get deactivated after Routing Engine switchover. PR1280074

  • Backup Routing Engine goes to the database prompt with a vmcore file if the configuration for the ASI interface that has gone down is deleted. PR1281882

  • PCP mappings cannot be manually cleared when a NAT pool is shared between PCP and standard NAT. PR1284261

  • TLVs in ICRQ for actual-rate-downstream/actual-data-rate-upstream do not reflect PPPoE-IA value. PR1286583

  • One of the internal HA queues get corrupted , which results in mspmand generating a core file on the backup SDG. PR1291664

  • L2TP subscribers are down after a GRES while verifying framed IPv6 route support for an L2TP network server (LNS) at a higher scale with a maximum number of framed IPv6 routes. PR1293783

  • Each subscriber session gets its own L2TP tunnel without "Tunnel-Client-Endpoint" from RADIUS. PR1293927

  • The jl2tpd process might crash shortly after GRES switchover. PR1295248

  • L2TP subscribers might get stuck in terminating state during login. PR1298175

  • [OC/ST] Continuous generation of *jl2tpd_era_lns* log files occurs even though l2tp is not configured. PR1302270

  • LTS clients experience packet drop for large packets due to fragmentation in LTS. PR1312691

  • L2TP Tunnel Tx and Rx Bytes counts sometimes decrease when subscriber sessions are reduced within the tunnel. PR1318133

  • SNMP MIBs do not yield data related to sp- interfaces. PR1318339

  • The MRU might be changed to 1492 instead of the default 1500 in an L2TP scenario. PR1319252

  • A long route remains in forwarding table after subscriber session goes down. PR1322197

  • L2TP LTS might drop the first "CHAP Success" packet from an LNS due to delayed programming of /136 route on Packet Forwarding Engine. PR1325528

  • The jl2tpd might crash if the RADIUS server returns 32 tunnel-server-endpoints. PR1328792

  • Not all CSURQ replied. PR1330150

  • Crash at ../src/junos/lib/libjuniper/mgmt-sock/mgmt_sock_select_info.c:35. PR1337406

  • Command show services stateful-firewall flows count shows incorrect flow count after services configuration change. PR1338704

  • Internal termination code and RADIUS Acct-Terminate-Cause in RADIUS Acct-Stop for a tunneled PPP session might be incorrect. PR1339911

  • The bbe-smgd process might crash if there are 65,535 L2TP sessions in a single L2TP tunnel. PR1346715

  • Session limit per tunnel on LAC does not work as excepted. PR1348589

  • UDP checksum inserted by MS-DPC after NAT64 is not valid when incoming IPv4 packet has UDP checksum set to 0. PR1350375

  • The show services stateful-firewall flows counter shows ridiculously high numbers. PR1351295

  • The Jl2tpd process might crash shortly after one of the L2TP destinations becomes unavailable. PR1352716

  • IPsec tunnels might flap when SNMP walk is executed if IPsec is configured with DPD enabled. PR1353240

  • L2TP access concentrator (LAC) tunnel connection request packets might be discarded on the LNS device. PR1362542

  • Some tunneled PPPoE subscriber stuck in terminating state in corner case. PR1363194

  • Accounting stop message is not sent to RADIUS server after bringing down the L2TP subscriber. PR1368840

  • IPsec-VPN IKE security-associations might get stuck in "Not Matured" state. PR1369340

  • NAT64 does not translate ICMPv6 Type 2 packet (packet is too big) correctly when MS-DPC is used for NAT64. PR1374255

  • Twice NAT is not supported on FTP ALG and causes MS-PIC crash. PR1383964

  • L2TP subscribers might be stuck in initialization state in a corner case. PR1391847

  • Invalid Layer 4 checksum might be observed on IPv4 packets generated by NAT64 with MS-DPC after translating fragmented IPv6 UDP/TCP packets. PR1398542

  • The ICMPv6 packet with embedded IPv6 fragment might not be translated correctly to the IPv4 ICMP packet in a NAT64 with MS-DPC deployment. PR1402450

Software Installation and Upgrade

  • New versions of Junos OS do not have the tool for accessing the aux port - /usr/libexec/interposer. PR1329843

  • Commit might fail in single-user mode. PR1368986

Subscriber Access Management

  • The DNS might not be assigned when authentication-order none is used for subscribers. PR1273034

  • The DHCP subscriber might not get an IP address if the address pool utilization is tight. PR1274870

  • The bbe-smgd might crash after it is restarted in a scaled subscriber management scenario. PR1277099

  • Some RADIUS attributes might not be filtered out of the accounting-on/accounting-off message on an MX Series router. PR1279533

  • The authd might crash when deleting RADIUS configurations in a subscriber environment. PR1283109

  • The IP addresses of subscribers assigned by RADIUS might be counted within the local pool incorrectly after Virtual Chassis switchover. PR1286609

  • The authd process generates a core file at DynamicRequestEntry::addHistory authd_aaa_dyn_req. PR1289215

  • A few IP addresses might be stuck on a policy and charging rules function (PCRF) router. PR1302509

  • Service interim for DHCP subscribers is not working in a JSRC scenario. PR1303553

  • The show network-access aaa accounting command might display additional entries. PR1304594

  • Incorrect Acct-Delay-Time in Radius Accounting-On message is seen after rebooting the MX Series router acting as a BNG. PR1308966

  • Subscriber might be stuck in "Init" state when test aaa xxx command is executed. PR1311263

  • Memory leak might happen after clearing subscriber with script or manually. PR1312517

  • Service interim missing for random users in a JSRC scenario. PR1315207

  • The delegated prefix from RADIUS is incorrectly parsed when the prefix length is fewer than 20 bytes long. PR1315557

  • The unified ISSU is allowed to proceed when the account is suspended. PR1320038

  • IP addresses are assigned discontinuously from the linked IP pools. PR1323829

  • multiple-radius-servers having different dynamic-request-port is not supported. PR1330802

  • In dual stack subscribers scenario with NDRA pool configured, the linked pools are not used when the first NDRA pool is exhausted. PR1351765

  • The subscriber might fail to bind, and some processes might restart in a large-scale subscriber environment due to a rare timing issue. PR1358339

  • The authd process might not be started after executing a Routing Engine switchover on the backup Routing Engine without GRES enabled. PR1368067

  • Address pool does not correctly cycle to the beginning of the pool when linked-pool-aggregation parameter is defined. PR1374295

  • The subscribers might be stuck in terminating state if RADIUS redirect is used. PR1376265

  • CoA updates subscriber with the original dynamic-profile if RADIUS has returned a different dynamic-profile name. PR1381230

  • Some subscribers fail to get SRL service as provided in the RADIUS accept message even though the RADIUS messages can be sent and received. PR1381383

  • The value of predefined-variable-defaults routing-instances overrides the RADIUS-supplied VSA (26-1 Virtual-Router). PR1382074

  • The RAA message might consist of additional AVP Destination-Host even it is not configured for Gx-Plus session. PR1384011

  • The authd: gx-plus: logout: wrong state for request session-id <xyz> log message is seen when a subscriber manually logs out. PR1384599

  • JSRC used RADIUS service accounting protocol instead of JSRC for the SRC installed service. PR1403835

User Interface and Configuration

  • The commitd process might generate a core file when removal of certain configuration is followed by a commit operation. PR1267433

  • CLI session might die while issuing command show configuration | compare rollback 1. PR1331716


  • An rpd memory leak in processing L2CKT/L2VPN configuration leads to its crash as it is out of memory. PR1220363

  • The rpd crashes and generates core files on the backup Routing Engine. PR1258595

  • Next-generation MVPN IPv6 RP bootstrap type 3 S-PMSI AD route prefix ff02::d persists after BSR data stop. PR1269234

  • The routing protocol process (rpd) crashes after a Layer 2 VPN configuration change followed by ping mpls l2vpn. PR1272612

  • Memory leak in rpd in Rosen7 MVPN scenario. PR1276041

  • In a specific CE device environment in which asynchronous-notification is used, after the link between the PE and CE devices goes up, the Layer 2 circuit flaps repeatedly. PR1282875

  • Layer 2circuits stitched through logical tunnel peer interfaces might be stuck in "LD" (local site signaled down) state. PR1305873

  • The rpd might crash on the standby Routing Engine during a Routing Engine switchover if l2circuit is configured. PR1310934

  • Non-optimal route to source might be selected for next-generation MVPN with unicast-umh-election enabled. PR1315011

  • Un-hide set protocols pim mvpn family inet6 disable configuration to allow users to disable inet6 on MVPN. PR1317767

  • The rpd might crash after ISSU in a large scale scenario with PIM configuration. PR1322530

  • Moving an MC-LAG from an LDP-based pseudowire to a BGP-based pseudowire might cause rpd crash. PR1325867

  • MVPN sender-site configuration not allowed with S-PMSI. PR1328052

  • A rpd core file is on the backup Raouting Engine with NG-MPVPN and NSR configuration. PR1328246

  • The rpd might crash on the backup Routing Engine when changing the l2circuit virtual-circuit-id in an NSR scenario. PR1345949

  • The rpd might crash on the backup Routing Engine when changing the virtual-circuit-id in an l2circuit scenario. PR1345949

  • The process rpd might crash after configuration change in a Layer 2 VPN scenario PR1351386

  • In dual-homed next-generation MVPN, the receipt of type 5 withdrawal removes downstream join states for some routes. PR1368788

  • High rpd CPU utilization on the backup Routing Engine might be observed in an MVPN+NSR scenario. PR1392792

  • Downstream interface is not removed from multicast route after receiving a PIM prune. PR1398458

Resolved Issues: 17.1R2

Class of Service (CoS)

  • The cosd process might crash when you execute the command show class-of-service queue-consumption. PR1066009

Forwarding and Sampling

  • In proto file AccessListObjBind message the structure needs to change. PR1230587

  • J-Flow v9 is sending the flows with the source-address inverted in show firewall log. PR1249553

  • In MX Series subscriber management environment, l2ald daemon might crash during EVPL subscriber login logout loop.PR1258853

  • Service stats reported in the wrong direction. PR1262876

  • Routing-instances information is not updated in the flat accounting file. PR1275225

General Routing

  • Temp Sensor Fail alarm might be raised incorrectly while an AS-MCC PIC is coming up. PR1036412

  • ICMP reply traffic might get dropped on MS-MPC line cards. PR1059940

  • MPLS traffic might not route through MX Series platform for ingress LSP with channelized E1/T1 circuit emulation MIC interface as the outgoing interface PR1064515

  • Log message jnh_if_get_input_feature_list(9723): Could not find ifl state. PR1140527

  • Port block efficiency and Unique pool users stats shows negative and INFINITY value respectivity in the NAT pool which is being used by the sessions, upon adding address into the NAT pool which is not being used by the sessions, both NAT pools are used under the same SS. PR1177244

  • The destination-prefix-list support list is added for NAT rule with twice-napt-44 translation. PR1177732

  • Interfaces on the MIC-3D-4XGE-XFP installed in MPC2E-3D-NG or MPC3E-3D-NG might flap when they are connected to a DWDM device. PR1180890

  • MS MIC crash might be seen in some instances when there is a service configuration. PR1183828

  • Syslog "JAM: Plugin installed for %s PIC" logged as ERROR level. PR1189100

  • NAT IP pools information split between AMS members is incorrect after rebooting the FPC/ PIC. PR1190461

  • The CPU of processes might get near 100% and messages are repeatedly logged into syslog when restarting the agentd process several times. PR1192366

  • On MX Series and EX9200 platforms, an enhancement is needed for implementing sensor specific temperature thresholds. PR1199447

  • The command show subscribers summary port extensive output might have the wrong tunneled/terminated sessions count. PR1206208

  • The ppman based sessions might be flapping when executing offline/online MIC-3D-20GE-SFP MIC inserted into MPC2E-NG/MPC3E-NG. PR1211702

  • Syslog message : fpc_pic_process_pic_power_off_config:xxxx :No FPC in slot y is displayed on empty FPC slots with no PIC power off configured. PR1216126

  • The routers equipped with NG-REs might raise memory size mismatch alarm after upgrade. PR1220061

  • CoS service with Reflexive cos-rule should modify CoS values for reverse flow. PR1227021

  • vbf_ifl_bind_change_var_walker:377: ifl .demux.22698 (1073764522): IFL TCP (38) Bind change notify ran for 1480 us log messages are often seen. PR1229967

  • Optional service with blanks in a service string causes session termination. PR1232287

  • High MPC5 CPU on a scaled setup with 64 - 128 K subscribers. PR1233452

  • Dynamic-profile service with service-volume (VSA 67) data collecting interval is not 5 minutes. PR1234887

  • PIC-based MPLS J-Flow not working with MPLS packet sampling at egress side. PR1236892

  • LI enabled subscribers might experience packet drops because of MAC validation failures. PR1237519

  • Junos Telemetry Interface: Frequent disconnects seen in MQTT when IFL sensor is provisioned for longer duration. PR1238803

  • MPC9E might generate FPC core file on Junos OS Release 16.1R2.11, when configured with "mixed-rate AE bundles" and "adaptive load balancing". PR1238964

  • MIB ifJnxTable is not supported. PR1240632

  • Session database synchronization might fail in certain scenarios. PR1241162

  • Untagged bridged traffic might not be mirrored on the second port of the mirrored group. PR1241403

  • ms90 kernel: kern.maxfiles limit exceeded by uid 0, please see tuning(7) message seen after injecting more than 2M routes. PR1243581

  • MXVC-Some VBF flows are missing after FPC restart. PR1244832

  • Route Target per bridge domain for EVPN is not supported. PR1244956

  • MX2010/MX2020 (AC & DC) PSMs goes to Present State whenever there is a feed failure even though the PSM properly gives output power. PR1245459

  • The jsd process might crash while subscribing for telemetry data with 2 seconds frequency. PR1247254

  • The rpd process might crash and restart when a MAC address is learned from a given PE on a different ESI. PR1247338

  • PADI dropped due to duplicate client. PR1248282

  • The bbe-smgd process might crash if duplicate variable names are used for different purposes in the dynamic-profile configuration. PR1248725

  • telemetry_start_polling_fd: evSelectFD failed, errno: 9 messages are continuously seen in the log. PR1248813

  • Only one IA-NA dhcpv6 (without PD request) can establish in case two or more subscribers are provided with the same PD from RADIUS. PR1249837

  • Syslog "JAM:PL: Registered attributes for c23" should be logged as INFO. PR1250091

  • MPC5E/MPC2E-NG/MPC3E-NG/MPC7/MPC8/MPC9 might crash due to a software defect. PR1250335

  • Ukern process crash on Linux based FPC due to a scheduler issue. PR1250691

  • smihelperd core file is generated during subscriber logout process. PR1250760

  • RADIUS Accounting Stats of subscribers get doubled after unified ISSU. PR1250919

  • The rpd might crash when some interfaces go down and some peers go down. PR1250978

  • Cosmetic issue occurs on MS-MIC-16G when you enable it online. PR1251400

  • KRT queue stuck on Routing Engine causes RIB and FIB to go out of sync. PR1251556

  • When a non-0 slot MIC is re-inserted or replaced, the MIC might fail to come online and MIC0 info might disappear. PR1252998

  • show pfe statistics traffic displays 2^64 counter for packets output. PR1253299

  • The Routing Protocol process (rpd) might restart unexpectedly when waiting for an acknowledgment from kernel (with "indirect-next-hop-change-ackhowledgements" configuration option). PR1254735

  • Interface is not coming up on MPC3E-NG/MPC2E-NG line cards between third party switches. PR1254795

  • After switchover, KRT queue might get stuck on the new master RE with the error "ENOENT -- Item not found". PR1254980

  • Incorrect data in the output of 'show subscribers extensive '. PR1255029

  • MX Series FPC crash due to out of memory condition when an IRB is part of a L3 multicast group. PR1255290

  • Multiple Riot core files might be seen in VMX platform. PR1255866

  • The messaged krt_decode_comp read a non specific nh from kernel nhid is constantly seen after upgrading to Junos OS Release to 16.2R1-S1. PR1256197

  • Core files are constantly were observed when NAT term calls application-set with no active applications. PR1258060

  • Unable to run "show subscribers extensive" and some other CLI commands after GRES because the subscriber-management database is unavailable. PR1258238

  • na-grpc log handling needs to be fixed. PR1258484

  • DCD daemon crashes during the ATM related configuration commit. PR1258744

  • When using an AMS interface and running the show interfaces extensive command the sub-interfaces will only show 0 for the packet counters. PR1258946

  • QSFPP-40GBASE-LR4 might remain down after fiber link flap. PR1259930

  • Incorrect egress classification of L3 multicast traffic from ingress VLAN bridge interface after configuration change. PR1260413

  • MPC going offline during unified ISSU. PR1260714

  • A Packet Forwarding Engine saves only the first multicast IPv4 packet when waiting for a resolve request. PR1260729

  • Deviation in dynamic profile service accounting. PR1260898

  • During multicast activation of dynamic subscribers via a service profile, the bbe-smgd daemon in backup Routing Engine could sometimes crash. PR1261285

  • GRPC physical interfaces *-pkts fields zero suppressed by its own counter. PR1261589

  • Dynamic VLAN is removed after 30 seconds if there are no subscribers on it and remove-when-no-subscribers is set regardless of its idle-timeout. PR1262157

  • ICMP network unreachable message is not sent back when the subscriber is terminated in vrf. PR1263094

  • Dynamic VLAN interface is logged out upon reaching idle-timeout even though there is a client session (PPPoE or DHCP) above it. PR1263131

  • CoS Service Profile without line rate adjust needs to use "adjust-always" for proper revert behavior. PR1263337

  • Socket for JSD is not listening randomly after router reboot or JSD process crash. PR1263748

  • smg-service subsystem is not responding to management requests. PR1264038

  • In the Ethernet frames with more than 2000 bytes of payload, the mspmand process might crash. PR1264712

  • MX LAC does not send packets in the l2tp tunnel for some static ppp subscribers. PR1265414

  • PRPD/JET API: BgpRouteMonitorRegister() might not send end-of-rib operation. PR1265427

  • After high subscriber churn BBE_DFW_FINDEX_EXHAUSTED: Filter index space exhausted error prevented subscribers from connecting. PR1265973

  • BNG accepts IGMPv3/MLDv2 membership reports sent to non-standard multicast addresses. PR1266309

  • Unified ISSU failure might be seen with Junos OS Release 16.1R4-S1. PR1266317

  • ARP requests are hitting AE_RESERVED_IFL_UNIT (AEx.32767) when VSTP is enabled on double tagged AE IFL. PR1267238

  • bbe-smgd core file is generated after following subscriber login/logout on backup Routing Engine under certain boundary conditions. PR1267646

  • The CLI configuration command set chassis effective-shaping-rate is enabled for the MX104. PR1267829

  • HALP-lbnh_xlate_cntr_db_get_stats:250counter id 1573873: Unable to find lbnh xlate counter is flooding the syslog. PR1268452

  • Rpd crash and BGP session flapping might be seen during flapping interfaces or when changing configurations. PR1269116

  • xnm:error in rpc-reply in show arp interface | display xml. PR1269170

  • Router MAC extended community is not using standardized value. PR1269236

  • Log message sdk-vmmd: %USER-3: is_platform_rainier: Platform found as rainier is logged with error severity. PR1271134

  • The Routing Engine might stop all services after GRES or unified ISSU. PR1271306

  • Some received packets might be incorrectly dropped after 40GE/100GE port is configured under a LAG. PR1274073

High Availability (HA) and Resiliency

  • Vmcore file were generated on both VCMm and VCBm at the same time. PR1274438


  • Smartd Offline uncorrectable sectors critical logs keep reporting every 30 minutes. PR1233992

  • A ksyncd crash might be seen on the backup Routing Engine due to stale next hops on the master Routing Engine. PR1250880

  • Kernel core file is generated with userland_sysctl / sysctl_root / sysctl_kern_proc_env / panic_on_watchdog_timeout. PR1254742

  • Device is rebooting due to watchdog timeout. PR1259616

Interfaces and Chassis

  • Configuring ODU FRR related otn-options might crash the FPC without producing a core file. PR1038551

  • MPC might crash during unified ISSU from Junos OS Release 15.1R1 to a later release when QSFP/CXP/CFP2 optics are present. PR1216924

  • LCP packets might still be sent after PADT is sent. PR1234027

  • t3 interface not coming up due to incorrect subrate. PR1238395

  • AE target distribution will need "manual" keyword in configuration. PR1239724

  • MX Series can calculate MTU value incorrectly on pp0 interface. PR1240257

  • DT_LNS: NCP is not responding and gets stuck in ncpResponseBufferDelayed. PR1241946

  • Static PPPoE session cannot be established after GRES. PR1245465

  • The cfmd might crash when CFM filter refers to a firewall policy. PR1246822

  • Need send-chassis-tlv configuration statement help text. PR1248583

  • IPv6 ND does not work for DHCPv6 sessions when using static Demux VLAN with RA. PR1250313

  • SNMP reporting ifHCInUcastPkts counter value is equivalent to (2^64)-1. PR1252716

  • Daemon cfmd memory leak upon commits if bridge-domain is configured. PR1255584

  • For CFM over AE, incorrect Anchor fpc is selected. PR1258490

  • I2C BUS timeout causes SFP thread hogging and MPC restart. PR1260517

  • IPCP/IPv6CP re-negotiation is terminated by MX Series BNG. PR1260829

  • Jpppd might crash when traceoptions is enabled over PPPoE. PR1264000

  • Message appears: MXVC CHASSISD_IPC_WRITE_ERR_NULL_ARGS: FRU has no connection arguments fru_send_msg Global FPC 0. PR1264647

  • Malformed PPP Echo Reply causing keepalive failure. PR1273083

  • dot1agCfmFaultAlarm with dot1agCfmMepHighestPrDefect="-1". PR1273278

Layer 2 Ethernet Services

  • STP status gets wrong after changing outer vlan-tags PR1121564

  • The MAC address might not be learnt due to spanning-tree state "discarding" in kernel table after RE switchover PR1205373

  • The IPv4/IPv6 packets originating from RE might be corrupted when the bridge domain has 'vlan-id' set to none, but the outgoing L2 interface for the packet is tagged and CoS is enabled PR1263590

  • DHCP is not using the configured IRB MAC as the source MAC in DHCP offer unicast replies. PR1272618

  • The IA_PD prefix might be deleted when MX receives a DHCPv6 IA_NA request PR1286359

  • jdhcpd process core and restart PR1288475

  • JDHCPD memory leak during dhcp/pppoe login / logout loop PR1289780

  • ARP requests not generated for IRB configured in VPLS over GRE tunnel. PR1295519

  • PPPoE/DHCP clients cannot login to PPPoE/DHCP dual-stack subscriber scenario PR1298976

  • Kernel panic using irb and neighbor-discovery secure security-level default PR1303415

  • On EX9200 , log messages related to DHCP snooping prints IP address in reverse order. PR1310003

  • Multiple jdhcpd core files are observed in jdhcpd_update_groups at ../../../../../../src/junos/usr.sbin/jdhcpd/jdhcpd_config.c:2290. PR1311569

  • DHCPv6 traffic might be dropped in subscriber scenario PR1316274

  • jdhcpd core dump after making DHCP config changes PR1324800

  • The snmpget for OID: dot3adInterfaceName might not work PR1329725

  • JSA10868 2018-07 Security Bulletin: Junos OS: A malicious crafted IPv6 DHCP packet might cause the JDHCPD daemon to core (CVE-2018-0034) PR1334230

  • The jdhcpd process might spike to 100% from less than 10% when DHCPv6 is used. PR1334432

  • The memory leak might happen in l2cpd if the l2-learning process is disabled PR1336720

  • The DHCPv6 second Solicit message might not be processed when IA_NA and IA_PD are sent in a separate Solicit message PR1340614

  • When DHCP subscribers are in BOUND (LOCAL_SERVER_STATE_WAIT_GRACE_PERIOD) state, if dhcp-service is restarted then the subscribers in this state are logged out PR1350710

  • DHCP relay agent will discard DHCP request message silently if the requested IP address has been allocated to the other client PR1353471

  • Restart FPC which homing micro-bfd link causes LACP core PR1353597

  • JSA10889 2018-10 Security Bulletin: Junos OS: The jdhcpd process crash during processing of specially crafted DHCPv6 message (CVE-2018-0055) PR1368377

  • BOOTP packets might be dropped if BOOTP-support is not enabled at the global level. PR1373807


  • The rpd might crash while making static LSPs go up. PR1084736

  • RSVP LSP might not honor TE metric change. PR1205996

  • Entropy label calculation might not provide good load sharing result. PR1235258

  • The LDP routes are not installing with matched L-IS-IS routes in inet.3 route table. PR1248336

  • RPD on backup Routing Engine might consume excessive CPU time if it cannot connect to the RPD on the master Routing Engine. PR1250941

  • When the configured metric for one of the LSPs used in ECMP is removed, other LSPs with configured metric might not honor the configured metric value. PR1261961

  • Traffic loss is seen during auto-BW MBB on ingress router as "invalid fabric token". PR1264089

  • When "explicit-null" is configured for LDP, label 0 is assigned as IPv6 explicit null label. PR1264753

  • Remote targeted LDP session might remain up, though it should not be up. PR1266802

  • TE++ Container LSP statistics are showing the same 10 LSPs and looping. PR1267774

  • FRR bypass tunnel does not appear to be working; the bypass label looks incorrect. PR1270877

  • The CLI command show route extensive might cause RPD to crash. PR1272993

Network Management and Monitoring

  • Empty responses for SNMPv3 bulk-get requests if SNMP max message size is lower than OID value. PR1207683

  • Eventd process stops sending syslog message to a configured syslog server. PR1246712

  • SNMPv3 trap does not contain routing-instance information in contextName field. PR1265288

Platform and Infrastructure

  • NPC generated core file with reference to [ 0x41490f64 in trinity_policer_free (result_ptr=0x5d671f64, nh_ptr=0x5d671f78).PR1071040

  • MPC cell packing wedge might occur with multicast or bridge flood traffic. PR1180397

  • The "rdd" process is restarted in get_mview_root( ) during GRPC JVISION activation while chassis Packet Forwarding Engines are coming up. PR1225086

  • MAC entry aging is not updated with Source MAC refresh on MPC3E/MPC4E line card at slow traffic rate. PR1230516

  • The apply-path functionality might get broken after you change it. PR1232299

  • The FPC crash or only traffic loss might be seen on MPC1E/2E/3E/4E or MPC-3D-16XGE-SFPP during ISSU. PR1241729

  • Minimum buffer value programmable in the Packet Forwarding Engine changed from 4096 bytes to 1568 bytes. PR1246197

  • MPC or FPC cards report LUCHIP EDMEM errors during ISSU. PR1249395

  • The configuration database is locked when a user that was configure exclusive is logged out unexpectedly. PR1250305

  • The auditd might crash when RADIUS accounting is configured and the RADIUS accounting server becomes unreachable. PR1250525

  • Unexpected flooding for a known unicast VPLS or BRIDGE traffic ingress MPC5 or MPC6 might be observed intermittently toward remote Packet Forwarding Engines. PR1255073

  • GRE tunnel traffic gets dropped after you disable and re-enable the gr- interface. PR1255706

  • FPC might crash and generate a core file during unified ISSU because memory is not properly recycled. PR1258795

  • mgd might crash after you execute the command show ephemeral-configuration | display inheritance. PR1258823

  • Mismatching in/out pps value is shown with show pfe statistics traffic detail. PR1259427

  • Routed traffic going out via irb/l2 interface with VXLAN EVPN is getting dropped after l2 interface switch. PR1259551

  • DHCP/BOOTP reply packet for an unnumbered interface might trigger FUD process failure. PR1260623

  • WRED drop occurs on one VLAN when the other VLAN is congested. PR1260951

  • DDRIF checksum error might lead to a traffic black hole. PR1260983

  • On a MX Series Virtual Chassis running as a MVPN bud node, traffic is not being forwarded to the local receiver. PR1261172

  • FPC might crash with interface-specific firewall filters with policers configured. PR1267908

Port Security

  • Traffic drops are seen on MPC7E cards after rekeying of MACsec. PR1257041

Routing Protocols

  • The RPD might crash in large-scale BGP routes environment with multipath configured. PR1209695

  • The bgpPeerState/bgpPeerTable returns an invalid value when there is an IPv6 peer. PR1233790

  • BGP-LU add-path in combination with per-prefix-label can result in incorrect MPLS.0 routing/forwarding swap state. PR1238119

  • Session uptime in show bfd session detail output omits seconds if uptime is longer than 24 hours. PR1245105

  • The RPD process might crash if static rt-constrain feature is configured but family route-target is not present on any BGP. PR1247625

  • OSPF nex thop might keep flapping, if multi-area rLFA along with policy is configured. PR1248746

  • LLGR feature does not work between Juniper PE to other vendor's RR. PR1248823

  • The configuration statement learn-pim-router not working properly. PR1251439

  • BGP peers remain stuck in idle state after unified ISSU. PR1261902

  • Routing protocol process (rpd) might restart unexpectedly with a reference to ioth_session_delete_internal ( ) routine. PR1261970

  • The rpd might crash if the IS-IS segment routing is configured but a certain interface is not configured with RSVP. PR1262612

  • MPLS label entry for direct route as BGP-LU route is permanently stuck in KRT queue when vrf-table-label is configured in CoS VRF. PR1263291

  • When applying import policy to a BGP neighbor, the rpd might crash continuously. PR1265224

  • "Nexthop AFI=3" is observed in BGP open message after you configure family inet unicast extended-nexthop. PR1272807

Services Applications

  • Backup SDG reported memory-usage zone in RED. PR1202872

  • L2TP tunnels might get stuck in "Terminating" state on MX Series LNS. PR1249768

  • Traffic is dropped when changing the source-address under a NAT rule term for BASIC-NAT translation. PR1257801

  • L2TP Congestion Window set to 128 instead of 1 when tunnel is created. PR1265001

  • KMD process might crash because of apply-group configuration. PR1265404

  • Kernel crash might be seen after performing the CLI command commit. PR1273357

Subscriber Access Management

  • The auth request does not cause the router to send the RADIUS REQUEST message, "Failed to queue the request, will be queued in authd internal queue". PR1178813

  • Configuration statement set access radius-options timeout-grace should be unhidden. PR1249847

  • Need option to exclude tunnel attributes in access-request on LNS. PR1264024

  • Possible CPS degradation for scaled dhcpv4/v6 and pppoev4 subscribers. PR1264052

  • Incorrect number of messages in the queue to RADIUS server in the output show network-access aaa statistics radius detail. PR1267307


  • IoT issue between Juniper and third party for SSM Rosen 07 based Inter-AS MVPN. PR1238807

  • The L2circuit does not switch based on the APS status. PR1239381

  • Rpd memory leak is observed in NG-MVPN environment. PR1259579

Resolved Issues: 17.1R1

Class of Service (CoS)

  • Incorrect CoS rewrite for L3VPN traffic when chained-composite-next-hop is enabled. PR1062648

  • QMON - Queue 3 in both ingress and egress do not have the correct maximum depth values, in the show interfaces queue ... CLI commands. PR1226558

  • The cosd might crash after you activate/deactivate the CoS configuration. PR1236866

  • The error message of cos_check_temporal_buffer_status might be observed when configuring Hierarchical CoS with strict-high scheduling. PR1238719

Forwarding and Sampling

  • Local backup for accounting flat files might not perform after transfer to archive site fails. PR1198095

  • The policer on Trio based card allows more traffic when packet size is less than 128 bytes. PR1207810

  • Commit fails after applying bandwidth-percent policer on ps interface. PR1225977

  • Configuration for ipv4-flow-table-size and ipv6-flow-table-size does not propagate to FPC after reboot if sampling instance is not associated. PR1234905

  • J-Flow version 9 cannot get TCP flag information from IPv6 fragment packets. PR1239817

General Routing

  • The MS-MPC/MS-MIC card might crash after the NAT session is removed. PR1117662

  • Trace-route does not work on Services PIC. PR1163472

  • MX240 DC power shows abnormal electrical current value even its external DC power sources circuit breaker is at off postion. PR1177536

  • DNS Query fails for fragmented DNS traffic. PR1182910

  • Error messages are reported during unified ISSU on MX Series router. PR1200045

  • Login/logout of PPPoE subscriber causing link up/down traps if no-traps command is configured. PR1204949

  • With local source, Continuous iif-mismatch is reported on MoFRR backup interface. PR1206121

  • FPC might crash with any inline feature enabled. PR1210060

  • AMS interface works incorrectly in warm-standby mode. PR1216030

  • Memory allocation might fail in Trio-based FPC due to memory fragmentation. PR1216300

  • RPD consumes high CPU when VPLS instances are configured for the first time or a system with VPLS instances is rebooted. PR1216332

  • Replacing an MQ FPC with an XM one might cause all other MQ-based cards to report "FI Cell underflow at the state stage" on MX Series platform. PR1219444

  • Packet loss might occur when multicast traffic enters and exits the Packet Forwarding Engine in a different FPC. PR1219962

  • On an MX Series Virtual Chasis environment traffic loss might be observed due to incorrectly programmed Aggregated Ethernet interfaces. PR1220934

  • RPD might crash after offilining or onlining FPC/MPC or doing GRES. PR1221183

  • Continuous login and logout PPPoE/DHCP subscribers might cause some subscribers to fail to bind. PR1221690

  • "Show chassis hardware detail" shows ada0 and ada1 entries in reverse order. PR1222330

  • The subscribers are unable to connect due to "uifl inactive issue" error. PR1222829

  • "unnumbered-address" under dynamic profile shows the incorrect value. PR1222975

  • The bbe-smgd process memory might leak in the backup Routing Engine. PR1223625

  • A pfed core file is observed after deleting apply-groups. PR1223847

  • early/opDel: bad stored heap messages seen on sending traffic using captive-portal-content-delivery service. PR1226782

  • The chassisd might crash with show chassis ucode-rebalance command on MX Series platform. PR1227445

  • Openflow: Flowstat reply has incorrect DL type. PR1228383

  • Different behavior might be observed for TCP and non-TCP RE-generated traffic when the route pointing to indirect next-hop is not subjected to 'load-balance per-packet'. PR1229409

  • Unequal load balance over LSP does not work if destination route is IPv6. PR1230186

  • Interface statistics are not restored on MX Series VC after unified ISSU, which causes the RADIUS volume accounting stats value to remain unchanged. PR1230524

  • The dynamic-profile service filter matches the traffic that is not defined in the prefix-list applied to the filter. PR1230997

  • ICMP identifier is not translated back to expected value during ICMP traceroute for TTL exceeded packets on NAT using Multiservice MPC. PR1231868

  • IPsec SAs are not cleared after disabling the ms interface inside a logical interface IFL. PR1232276

  • Optional service with blanks in a service string causes session termination. PR1232287

  • Some Packet Forwarding Engine statistics counters do not work in MPC7/8/9. PR1232540

  • Packet Forwarding Engine statistics input packets pps counter has a large error. PR1232547

  • Input Framing errors are incrementing on interfaces connected to MPC2E-NG with 4x10G MIC. PR1232618

  • Some error messages might be seen during offlining/onlining FPC or link flap. PR1232686

  • RPD core file is generated with mem_assert , rta_route_session_ref_free, rta_parse_session_delete, task_module_dyn_config_server. PR1232742

  • LSP-ping might fail and IP packets with options will not get mirrored in port-mirror environment. PR1234006

  • SNMP trap description does not match the trap signal. PR1234083

  • offlining/onlining SFB2 can trigger another fabric plane to go to check state. PR1234224

  • After the backup Routing Engine is replaced, the new Backup Routing Engine cannot synchronize with Master Routing Engine if 'dynamic-profile-options versioning' is configured. PR1234453

  • With show route forwarding table * enabled protocols field additional flags. PR1234501

  • False login attempts might be seen on MPC7E/8E/9E for receiving noise. PR1234712

  • VLNS(VBNG) - Commit generated a "warning: requires 'l2tp-inline-lns' license" but a valid license is installed. PR1235697

  • The Aggregated Ethernet interface with per-packet load sharing configured might drop packets unexpectedly. PR1235866

  • The outer source MAC in ARP reply packet for IRB interface is different than the inner virtual MAC. PR1236225

  • A stale route is present in inetflow.0 rib after deleting rib-group and deactivating static flow route. PR1236636

  • PIC-based MPLS J-Flow not working with MPLS packet sampling at the egress side. PR1236892

  • Offlining/onlining SFB2 can trigger another fabric plane to go to check state. PR1237134

  • The MS-MPC might crash when receiving internally corrupted frames from another FPC. PR1237667

  • High Routing Engine CPU usage might be seen with router-advertisement configured. PR1237894

  • "Empty license directory copied from the master" logs are seen on backup Routing Engine when the number of licenses for scale-subscriber is exceeded. PR1238615

  • MX Series is sending accounting interim without the update-interval configuration statement. PR1239273

  • Total traffic loss for BGP-PIC learned prefixes occurs on link failure. PR1239357

  • Traceroute will not resolve VRF loopback address where SI and pseudointerface exist. PR1240221

  • Incorrect CoS adjustment and missing adjustment application occur for PPPoE session with dynamic-profile services. PR1241201

  • Delay in PTP clock class changes. PR1241211

  • With IPsec dynamic endpoints (DEP) over IPv6, the ARI IPv6 routes might be missing after GRES with NSR. PR1242503

  • The FPC might crash when adding physical interface sensor. PR1243411

  • The rpd process might crash and restart when a MAC address is learned from a given PE on a different ESI. PR1247338

  • When an IPv6 node receives an ICMPv6 PTB (Packet Too Big) message with MTU < 1280, the node will emit atomic fragments. This behavior might result in denial of service attack. PR1250832

High Availability (HA) and Resiliency

  • Connection might be broken between master and backup Routing Engine after ISSU. PR1234196


  • The gdb can be exploited to allow execution of unsigned binary. PR968335

  • Continuous kernel logs and LDP stats timeout error occurs when you run show ldp traffic-statistics. PR1215452

  • SMART ATA Error Log Structure error: invalid SMART checksum logs are seen after upgrade. PR1222105

Interfaces and Chassis

  • ARP entry learned through Aggregated Ethernet interface does not expire when the ARP IP is no longer reachable. PR1211757

  • MPC might crash during unified ISSU from Junos OS Release 15.1R to later release when QSFP/CXP/CFP2 optics are present. PR1216924

  • Previously, the same IP address could be configured on different logical interfaces from different physical interfaces but in the same routing-instance. Only one logical interface was assigned with the identical address after commit. There was no warning during the commit but just syslog messages indicating incorrect configuration. This issue is fixed and it is now not allowed to configure the same IP address (the length of the mask does not matter) on different logical interfaces. PR1221993

  • RPT MMX Regression: During firewall script run, switchover is performed. The new master takes ownership and stays up but the old master goes to db>. PR1222582

  • Stuck L2TP session remains after session/tunnel termination. PR1228802

  • Interface is not coming up after de-activating and activating "protocols oam ethernet connectivity-fault-management maintenance-domain". PR1231315

  • Commit failure, error: Bandwidth on IFL <static vlan demux interface> cannot be greater than that of its IFD. PR1232598

  • The MX Series routers might fail to send the IPCP Configure-Ack packet to the subscriber. PR1235261

  • NCP is not responding and gets stuck in ncpResponseBufferDelayed. PR1241946

  • JPPPD core file is generated during scaled login/logout. PR1245848

  • VRRP might be stuck in (state: unknown, VR State: bringup) when VRRP is configured on one IFL without VLAN and the lower-unit-number logical interface in same physical interface has VLAN configured. PR1247050

Layer 2 Ethernet Services

  • The MPC might power back on from offline state after you commit the configuration if it is configured to be offline when detecting major errors. PR1218304

  • MX Series is not including Delegated-IPv6-Prefix in accounting interim. PR1231665

  • MX Series BNG waits 30 seconds before replying to any rapid commit option set DHCPv6 Solicit retransmissions messages. PR1234009

  • After upgrading to Junos OS Release 15.1F2-S13 "/var partition is full" alarm might be seen. PR1237218

  • LACP might time out during unified ISSU when LACP is configured in fast periodic along with the fast-hello-issu configuration statement. PR1240679


  • Both load-balance-label-capability and no-load-balance-label-capability could be configured under forwarding-options. PR1126439

  • The command no-install-to-address not always honored for PCC-delegated LSPs. PR1169889

  • The rpd process might crash when dynamic-tunnel is configured but RSVP signaling is disabled. PR1213431

  • FPC sockets disconnects and various scheduling slips occur when executing the show ldp traffic-statistics command with many ECMP links and L3VPN routes. PR1214961

  • Carrier-over-carrier VPN PE router "protocol mpls" under RI breaks existing "protocol connection". PR1222570

  • RPT RIAD VMX Regressions : rsvp-lsp-enh-lp-upstream-status is taking more time for synchronization on the backup Routing Engine on egress. PR1242324


  • Kernel: %KERN-3: fmbb_uc_pfes_pre: rnh_get_pfe_id failed with ENOTSUP 45. This error is not fatal; it just means that FMBB cannot be done. PR1230465

Network Management and Monitoring

  • The statistics of OID ifOutError incorrectly include ifOutDiscards. PR1243071

Platform and Infrastructure

  • The junos:key attribute is not emitted when the configuration is emitted in JSON format. PR1195928

  • Blank firewall log is generated for IPv6 packets with nextheader hop-by-hop. PR1201864

  • The firewall filters are incorrect after GRES. PR1230954

  • The scripts process might crash when some special combination of jcs:printf(...) and some special characters at the boundary of the buffer are used. PR1232418

  • With non-Ethernet frame payload, traffic might not be correctly load-balanced. PR1232943

  • The scale-subscriber license count might increase to an invalid license state with L2TP/LTS clients. PR1233298

  • and FreeBSD have published security advisories for vulnerabilities resolved in ntpd (NTP daemon). Server-side vulnerabilities are only exploitable on systems where NTP server is enabled within the [edit system ntp] hierarchy level. PR1234119

  • Flow-tap-dtcp service login via SSH with key-based authentication fails. PR1234464

  • ADC based line card might fail to boot up on the FPC slot that was previously used for MPC6E. PR1235861

  • J-Flow cannot sample multicast traffic in multi-copy scenario in MX2010/MX2020. PR1237164

  • FPC and Routing Engine might stuck in high CPU usage when DDoS SCFD is turned on. PR1237486

  • FPC might crash during unified ISSU. PR1239304

  • Low temporal buffer configuration is not honored. PR1240756

Provider Edge Satellite Software

  • Traffic forwarding is not working from AD to SD. PR1231227

Routing Protocols

  • The rpd process on the backup Routing Engine might crash because of a memory leak with the PIM configuration. PR1155778

  • The rpd process might crash during MSDP instance deletion. PR1216078

  • The rpd process might crash after performing BGP flapping. PR1222554

  • The rpd might crash when BGP add-path is configured and the same prefix is received from multiple peers with different source AS. PR1223651

  • Rpd core could be seen if MPLS goes down. PR1228388

  • Junos OS 15.1 and later releases might be impacted by the receipt of a crafted BGP UPDATE which can lead to an rpd (routing process daemon) crash and restart. Repeated crashes of the rpd daemon can result in an extended denial of service condition. PR1229868

  • Rpd crash might be seen if ISIS LSP is purged. PR1235504

  • RSVP bandwidth load-balancing is not working after LSPs are advertised in the IS-IS or IS-IS TE shortcuts are configured. PR1237531

  • Rpd generates a core file due to an assertion condition related to changing a policy for a BGP neighbor. PR1239990

  • After doing some configuration modification related to sham-link, the sham-link might not be able to be brought up anymore. PR1240391

  • Multicast route leaking does not work correctly. PR1240656

  • The rpd process might crash if static rt-constrain feature is configured but family route-target is not present on any BGP. PR1247625

Services Applications

  • LNS-Tunnel/session establishment get stalled when the LNS is flooded by high rate L2TP messages. PR990081

  • FTP ALG on MX fails to translate the PORT command when the FTP client uses Active Mode and requests AUTH(SSL-TLS) but the FTP server does not use AUTH. PR1194510

  • The kmd process might consume excessive CPU resources during continuous polling for IKE related data through SNMP. PR1209406

  • Traffic black holes occur due to service-set programming on MS-MPC. PR1223302

  • PPPoE - L2TP subscribers might get stuck in Terminating state in longevity login/logout test. PR1235996

  • MS-DPC - Performance degradation in CGNAT scaling occurs during memory stress. PR1242556

Subscriber Access Management

  • Syslog is not generated when RADIUS server is marked “dead”. PR1207904

  • Gy support is seen for the 3GPP-SGSN-MCC-MNC AVP in CCR messages. PR1233847

  • The DHCPv6 solicits are ignored instead of being responded to with an advertise packet with status code NoPrefixAvail(6) when no delegated prefix is available. PR1234042

  • The authd daemon might generate a core file when traceoption filters are configured during GRES not-ready state. PR1234395

User Interface and Configuration

  • The rpd memory leak might be triggered when configuring or reconfiguring IS-IS interface. PR1243702

  • Uncommitted lines are displayed right after commit with "delta-export". PR1245187


  • After issue "clear pim join" on source PE the multicast flow stops in an NG-MVPN scenario with the asm-override-ssm configuration statement for the SSM group. PR1232623

  • The rpd might crash on backup Routing Engine when changing the l2circuit neighbor in an NSR scenario. PR1241801

Documentation Updates

This section lists the errata and changes in Junos OS Release 17.1R3 documentation for MX Series.

Subscriber Management Access Network Guide

  • The “Configuring a Pseudowire Subscriber Logical Interface Device” and “anchor-point (Pseudowire Subscriber Interfaces)” topics have been updated to state that you cannot dynamically change an anchor point that has active pseudowire devices stacked above it. Both topics describe the steps to follow when you must change such an anchor point.

  • The guide failed to include a feature that enables you to override the information that the LAC sends to the LNS in L2TP Calling Number AVP 22 when the LAC is configured to use the Calling-Station-ID format. You can configure the access profile to override that value for AVP 22 with any combination of the agent circuit identifier and the agent remote identifier received by the LAC in the PADR packet.

    [See Override the Calling-Station-ID Format for the Calling Number AVP.]

  • The guide incorrectly stated that the linked-pool-aggregation statement is located at the [edit access address-assignment pool pool-name] hierarchy level. In fact, this statement is located at the [edit access] hierarchy level.

    [See Configuring Address-Assignment Pool Linking.]

Subscriber Management Provisioning Guide

  • Support for the packet-triggered subscribers and policy control rule base (PTSP) feature was discontinued starting in Junos OS Release 13.1R1, but this was not reflected in the documentation. Text exclusive to PTSP has been removed from the Broadband Subscriber Sessions User Guide. This includes all CLI topics and the following chapters:

    • “Configuring the PTSP Feature to Support Dynamic Subscribers”

    • “Configuring the PTSP Partition to Connect to the External Policy Manager”

    • “Configuring PTSP Services and Rules”

    • “Monitoring and Managing Packet-Triggered Subscribers”

    Topics for other features that refer to PTSP are updated to report the end of support.

  • The Broadband Subscriber Sessions User Guide did not report that you can suspend AAA accounting, establish a baseline of accounting statistics, and resume accounting. This feature was introduced in Junos OS Release 15.1R4.

    [See Suspending AAA Accounting and Baselining Accounting Statistics Overview.]

  • Starting in Junos OS Release 15.1, the Broadband Subscriber Sessions User Guide and the CLI Explorer incorrectly included information about the show extensible-subscriber-services accounting command. This command is not present in the CLI. Instead, you can use accounting profiles to collect statistics from the Packet Forwarding Engine for Extensible Subscriber Services Manager (ESSM) subscribers. See Flat-File Accounting Overview for information about accounting for ESSM subscribers.

Subscriber Management VLANs Interfaces Guide

  • The Broadband Subscriber VLANs and Interfaces User Guide did not clearly indicate that only demux0 is supported for demux interfaces. If you configure a different demux interface, such as demux1, the configuration commit fails.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS for the MX Series. Upgrading or downgrading Junos OS might take several minutes, depending on the size and configuration of the network.

Starting with Junos OS Release 15.1, in some of the devices, FreeBSD 10.x is the underlying OS for Junos OS instead of FreeBSD 6.x. This feature includes a simplified package naming system that drops the domestic and world-wide naming convention. However, in some of the routers, FreeBSD 6.x remains the underlying OS for Junos OS. For more details about FreeBSD 10.x, see Understanding Junos OS with Upgraded FreeBSD.

The following table shows detailed information about which Junos OS can be used on which products:


FreeBSD 6.x-based Junos OS

FreeBSD 10.x-based Junos OS

MX80, MX104



MX240, MX480, MX960,

MX2010, MX2020



Basic Procedure for Upgrading to Release 17.1


Before upgrading, back up the file system and the currently active Junos OS configuration so that you can recover to a known, stable environment in case the upgrade is unsuccessful. Issue the following command:

The installation process rebuilds the file system and completely reinstalls Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the routing platform, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files) might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform.

Installation and Upgrade Guide and Upgrading Junos OS with Upgraded FreeBSD.

Procedure to Upgrade to FreeBSD 10.x based Junos OS

Products impacted: MX240, MX480, MX960, MX2010, and MX2020.

To download and install FreeBSD 10.x based Junos OS:

  1. Using a Web browser, navigate to the All Junos Platforms software download URL on the Juniper Networks webpage:

  2. Select the name of the Junos OS platform for the software that you want to download.
  3. Select the release number (the number of the software version that you want to download) from the Release drop-down list to the right of the Download Software page.
  4. Select the Software tab.
  5. In the Install Package section of the Software tab, select the software package for the release.
  6. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by a Juniper Networks representative.
  7. Review and accept the End User License Agreement.
  8. Download the software to a local host.
  9. Copy the software to the routing platform or to your internal software distribution site.
  10. Install the new jinstall package on the routing platform.Note

    We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process.

    All customers except the customers in the Eurasian Customs Union (currently comprised of Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia) can use the following package:

    • For 32-bit Routing Engine version:

      user@host> request system software add no-validate reboot source/junos-install-mx-x86-32-17.1R3.9-signed.tgz
    • For 64-bit Routing Engine version:

      user@host> request system software add no-validate reboot source/junos-install-mx-x86-64-17.1R3.9-signed.tgz

    Customers in the Eurasian Customs Union (currently comprised of Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia) can use the following package (Limited encryption Junos package):

    • For 32-bit Routing Engine version:

      user@host> request system software add no-validate reboot source/junos-install-mx-x86-32-17.1R3.x-limited.tgz
    • For 64-bit Routing Engine version:

      user@host> request system software add no-validate reboot source/junos-install-mx-x86-64-17.1R3.9-limited.tgz

    Replace source with one of the following values:

    • /pathname—For a software package that is installed from a local directory on the router.

    • For software packages that are downloaded and installed from a remote location:

      • ftp://hostname/pathname

      • http://hostname/pathname

      • scp://hostname/pathname

    Do not use the validate option while upgrading from Junos OS (FreeBSD 6.x) to Junos OS (FreeBSD 10.x). This is because programs in the junos-upgrade-x package are built based on FreeBSD 10.x, and Junos OS (FreeBSD 6.x) would not be able to run these programs. You must run the no-validate option. The no-validate statement disables the validation procedure and allows you to use an import policy instead.

    Use the reboot command to reboot the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process might take 5 to 10 minutes.

    Rebooting occurs only if the upgrade is successful.


You need to install the Junos OS software package and host software package on the routers with the RE-MX-X6 and RE-MX-X8 Routing Engines. For upgrading the host OS on these routers with VM Host support, use the junos-vmhost-install-x.tgz image and specify the name of the regular package in the request vmhost software add command. For more information, see VM Host Installation topic in the Installation and Upgrade Guide.


After you install a Junos OS Release 17.1 jinstall package, you cannot return to the previously installed Junos OS (FreeBSD 6.x) software by issuing the request system software rollback command. Instead, you must issue the request system software add no-validate command and specify the jinstall package that corresponds to the previously installed software.


Most of the existing request system commands are not supported on routers with the RE-MX-X6 and RE-MX-X8 Routing Engines. See the VM Host Software Administrative Commands in the Installation and Upgrade Guide.

Procedure to Upgrade to FreeBSD 6.x based Junos OS

Products impacted: MX80, and MX104.

To download and install FreeBSD 6.x based Junos OS:

  1. Using a Web browser, navigate to the All Junos Platforms software download URL on the Juniper Networks webpage:

  2. Select the name of the Junos OS platform for the software that you want to download.
  3. Select the release number (the number of the software version that you want to download) from the Release drop-down list to the right of the Download Software page.
  4. Select the Software tab.
  5. In the Install Package section of the Software tab, select the software package for the release.
  6. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by a Juniper Networks representative.
  7. Review and accept the End User License Agreement.
  8. Download the software to a local host.
  9. Copy the software to the routing platform or to your internal software distribution site.
  10. Install the new jinstall package on the routing platform.Note

    We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process.

    • All customers except the customers in the Eurasian Customs Union (currently comprised of Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia) can use the following package:

      user@host> request system software add validate reboot source/jinstall-ppc-17.1R3.9-signed.tgz
    • Customers in the Eurasian Customs Union (currently comprised of Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia) can use the following package (Limited encryption Junos OS package):

      user@host> request system software add validate reboot source/jinstall-ppc-17.1R3.x-limited-signed.tgz

    Replace source with one of the following values:

    • /pathname—For a software package that is installed from a local directory on the router.

    • For software packages that are downloaded and installed from a remote location:

      • ftp://hostname/pathname

      • http://hostname/pathname

      • scp://hostname/pathname

    The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release.

    Use the reboot command to reboot the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process might take 5 to 10 minutes.

    Rebooting occurs only if the upgrade is successful.


After you install a Junos OS Release 17.1 jinstall package, you cannot return to the previously installed software by issuing the request system software rollback command. Instead, you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1, 16.1 and 16.2 are EEOL releases. You can upgrade from Junos OS Release 15.1 to Release 16.1 or even from Junos OS Release 15.1 to Release 16.2. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see

Upgrading a Router with Redundant Routing Engines

If the router has two Routing Engines, perform the following Junos OS installation on each Routing Engine separately to avoid disrupting network operation:

  1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine, and save the configuration change to both Routing Engines.

  2. Install the new Junos OS release on the backup Routing Engine while keeping the currently running software version on the master Routing Engine.

  3. After making sure that the new software version is running correctly on the backup Routing Engine, switch over to the backup Routing Engine to activate the new software.

  4. Install the new software on the original master Routing Engine that is now active as the backup Routing Engine.

For the detailed procedure, see the Installation and Upgrade Guide.

Downgrading from Release 17.1

To downgrade from Release 17.1 to another supported release, follow the procedure for upgrading, but replace the 17.1 package with one that corresponds to the appropriate release.


You cannot downgrade more than three releases.

For more information, see the Installation and Upgrade Guide.

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product.

To determine the features supported on MX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at:

Hardware Compatibility Tool

For a hardware compatibility matrix for optical interfaces and transceivers supported across all platforms, see the Hardware Compatibility tool.