Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Known Issues


This section lists the known issues in hardware and software in Junos OS Release 17.1R2 for MX Series routers.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Forwarding and Sampling

  • Firewall module (daemon dfwd) on Routing Engine always leaks some memory upon configuration commit with following statements: set routing-options forwarding-table export qos3 , set policy-options policy-statement <policy-name> term 1 from source-address-filter <ip-address>, and set policy-options policy-statement <policy-name> term 1 then forwarding-class <forwarding-class>. PR1157714

  • When a policing filter is applied to an active LSP carrying traffic, the LSP resignals and drops traffic for approximately 2 seconds. It can take up to 30 seconds for the LSP to come up under the following conditions: (1) Creation of the policing filter and application of the same to the LSP through configuration occurs in the same commit sequence and (2) Load override of a configuration file that has a policing filter and policing filter application to the LSP is followed by a commit.PR1160669

  • Inline JFlow (MXVC): NextHop Address/OIF being reported by IPv6 template on MXVC setup is correct—Root Cause of the Problem: +++++++++++++++++++++++++ As per the investigation from RPD : we have is an interface for a direct route starting in ifdown condition. The remote side is then brought up, so I/F goes to ifup. Since it is a direct route, rpd does not install the route or nexthop. It receives that info from the kernel, and just updates a nexthop in rpd local storage. route and nexthop for the interface are taken care of in the kernel. There is no route change in rpd. route_record depends on route flash to find out about updates. Since there is no route change, there is no route flash, so route_record is unaware. PR1224105

  • Firewall filter family "any" with shared-bandwidth-policer on MC-AE interface does not reconfigure bandwidth or carve up the policer when standby becomes active after A/S switchover; it drops all packets. PR1232607

  • After executing show firewall command, "dfwinfo: tvptest:dfwlib_owner_create tvp driven policer_byte_count support 0" message is seen in messages logs. This message is a cosmetic issue and it can be ignored safely. This message can be seen with the following sample config. << sample config >> set interfaces ge-0/0/0 unit 0 family inet filter input test_filter set interfaces ge-0/0/0 unit 0 family inet address set firewall family inet filter test_filter term policer then policer policer_test set firewall policer policer_test if-exceeding bandwidth-limit 100m set firewall policer policer_test if-exceeding burst-size-limit 125k set firewall policer policer_test then loss-priority lowPR1248134

  • FreeBSD 10.x based Junos OS is not supported on 32-bit Routing Engines in Junos OS Release 17.1R1. PR1252662

General Routing

  • ICMP echo_reply traffic with applications like IPSec will not work with the MS-MIC and MS-MPC cards in an asymmetric traffic environment since these cards employ a stateful firewall by default. The packet will be dropped at the stateful firewall because it acknowledges an ICMP Reply that has no matching session. PR1072180

  • Show evpn vpws-instance SID NNN is not supported. PR1122695

  • In a situation where both mirrored interface and mirrored destination are on MPC card and mirror destination interface is a unilist next-hop(for example,an ae interface), mirrored packets may get dropped. PR1134523

  • Queue bps rates is more than expected when AE child reconfigured with per-unit-scheduler. This is an intermittent issue. Assuming that Aggregated Ethernet is configured with the bypass-queuing-chip configuration statement. Now , followup configuration changes are such that removing child link(s) from AE bundle, and configuring per-unit-scheduler on the removed child link(s) in a single commit causes intermittent issues with per-unit-scheduler configuration updates to cosd and the Packet Forwarding Engine. Hence, dedicated scheduler nodes might not be created for all units or IFLs. PR1162006

  • Chef for Junos supports additional resources to enable easier configuration of networking devices. These are available in the form of netdev-resources. The netdev-resource developed for interface configuration has a limitation to configure XE interface. Netdev-interface resource assumes that 'speed' is a configurable parameter which is supported on a GE interface but not on an XE interface. Hence netdev-interface resource cannot be used to configure an XE interface due to this limitation. This limitation is applicable to packages chef-11.10.4_1.1.*.tgz chef-11.10.4_2.0_*.tgz in all platforms {i386/x86-32/powerpc}. PR1181475

  • EVPN VPWS convergence and association with traffic loss is tied to the type of redundancy and the route exchange via BGP. In A/A this traffic loss is low due to distribution of the traffic as well as protocols that can be used on the CE-PE link to steer the traffic away from the failed link as soon as the failure occurs. Here is the data for AA and AS: The number for AS are higher and are due to inherent limitations of this redundancy scheme. AA: a) ESI Goes DOWN : <10 msec. b) ESI comes UP: <50msec (for Traffic Items corresponding to 80RIs ? 1VPWS CKT per RI) = 350 msec approx. (For Traffic item corresponding to 2000CKTs in one RI) AS: a) ESI goes Down: 4950msec (Approx.) b) ESI Comes UP: 2100 msec (Approx.) PR1181523

  • With NAT translation-type as napt-44, a few sessions are getting stuck upon deactivating/activating service-set or corresponding applications with traffic running. The same symptom is seen upon deactivating/activating service-set with traffic running and with 'deterministic-napt44' translation type as well. PR1183193

  • AMS redundant interfaces are not listed under possible-completions of operational commands. PR1185710

  • On MX Series platforms with Junos OS Release 15.1R1 or later, LLDP PDU gets dropped on the FXP interface. PR1188342

  • As described in RFC7130, when LACP is used and considers the member link to be ready to forward traffic, the member link MUST NOT be used by the load balancer until all the micro-BFD sessions of the particular member link are in Up state. PR1192161

  • GUMEM errors for the same address may continually be logged if a parity errors occurs in a locked location in GUMEM. Since GUMEM utilizes ECC memory, any error is self-correcting and has no impact to router's operation. In a rare case, such parity error may appear repeatedly at a specific location. As a workaround, such errors can be cleared by rebooting the FPC. PR1200503

  • When ppm deviation exceeds 10 ppm, do not display off-frequency if the clock source is still being locked. Display as 'in-use#' instead. This indicates that it is still locked to the source, although the clock has a considerably large ppm deviation. PR1202327

  • A dynamic tunnel gets timed out every 15 mins by default, and then re-tries to create another tunnel. This happens if the route obtained from IGP is non-forwarding. PR1202926

  • MPC might crash after firewall filter configuration is changed and all interfaces/protocols are flapped. The issue is due to access to a stale or invalid pointer which caused a particular check based on the pointer structure field to unpredictably fail, resulting in the assert later in the code. The issue happened when a sequence of events related to firewall filters resulted in filter structure getting deleted and re-created again. PR1205325

  • The ptp master streams on IP and Ethernet not supported simultaneously. PR1217427

  • The /etc/passwd file is created in the process of the first commit when a pristine jinstall image is used to boot for the first time. If event-options is configured, the system will try to read the configuration from the available event scripts, which requires privileges obtained from the /etc/passwd file. This causes a circular dependency because the commit will not pass if the configuration includes event-options the first time a pristine image boots up (which is the case of an upgrade performed with virsh create). PR1220671

  • The problem of tunnel stream getting misconfigured for LT interfaces is due to internal programming and to evaluate multiple lt interfaces for FPC and PIC slot combination. PR1223087

  • Wth qmon sensor, when you issue an operational clear command, such as clear interfaces statistics all, the counters at the telemetry jvision server are not reset. Hence qmon sensor stats at jvision server will not match the CLI/VTY commands output, after the clear interfaces statistics commands. PR1226948

  • Continuously increasing normal discard count in 'show pfe statistics traffic' occurs without any user traffic. This occurs because internal control traffic that is expected to be dropped silently is unexpectedly being counted as 'normal discard'. There is no impact on user traffic with this issue. PR1227162

  • An incorrect PE is being attached to an ESI when the router receives two copies of the same AD/ESI route (for example, one through eBGP and another one received from an iBGP neighbor). This causes partial traffic blackhaule and stale MAC entries. You can confirm the issue by checking the members of the ESI: user@router> show evpn instance extensive ... Number of ethernet segments: 5 ESI: 00:13:78:00:00:00:00:00:00:01 Status: Resolved Number of remote PEs connected: 3 Remote PE MAC label Aliasing label Mode 0 0 all-active 200 0 all-active <<<< this PE is not part of the ESI 200 0 all-active PR1231402

  • OSPF is used as routing protocol between the clients and DEP router with TD configured. The OSPF protocol traffic brings the IPsec up on spokes and the DEP router. The IPsec SAs are distributed on the DEP router. The neighbor state between the OSPF peers moves to full but it does not stay in that state. States change init, 2-way, ex-start, and to full again. As a result, the data traffic between the routers is getting dropped. Thus tunnel distribution with protocol traffic is not supported. PR1232277

  • When changing virtual switch type is changed from IRB type to regular bridge, interfaces under openflow protocol are all removed. Openflow daemon fails to program any flows. PR1234141

  • To distinguish between flow and kernel IFL for VLAN-OOB subscribers, use the option "idl-arch-type": router> show interfaces ge-1/0/3.3221225476 ifl-arch-type ? Possible completions: flow Display flow ifls rtsock Display rtsock ifls PR1236713

  • When the IPv4 or IPv6 address configured as "local-gateway" for the IPSec VPN service is not actually assigned to any interface in UP state (not present a local/direct route in the routing-table), the system still sends ISAKMP packets for IKE exchange. As a source address for these packets, an address of the outgoing interface would be selected. PR1238112

  • On MX Series with rpd in "ASYNC" mode, if the distributed IGMP is configured, rpd core file might be seen, causing rpd crash. PR1238333

  • For ANCP subscribers in Idle state, the previously reported speed in ANCP Port UP message is not applied. PR1242992

  • ANCP neighbors go down after commit when any ANCP related configuration is changed. PR1243164

  • After connecting 1k L2BSA subscriber and running the cli command show ancp subscriber detail | match "Aggregate Circuit Identifier Binary" , the output stops at a certain point and gets stuck for minutes. Even Ctrl-C can not help to terminate the CLI. In some cases entering Ctrl+C causes ANCPD to crash. PR1250996

  • On MX2000 MPC6E, EOAM LFM adjacency flaps when an unrelated MIC accommodated in the same MPC6E slot is onlined with configuring OAM pdu-interval 100 ms and pdu-threshold 3. PR1253102

  • VPLS MAC table is not being populated properly when checked the CLI M command show vpls mac-table", though all subscribers have traffic. Thus this is considered a cosmetic issue. PR1257605

  • Due to transient hardware error conditions only syslog events XMCHIP(x) FI: Cell underflow at the state stage - Stream 0, Count 65535 are reported, which is a sign of fabric stream wedge. Additional traffic flow register pointers are validated and if stalled, a new CMERROR alarm is raised: "XMCHIP(x) FI: Cell underflow errors with reorder engine pointers stalled - Stream 0, late_cell_value 65535, max_rdr_ptr 0x6a9, reorder_ptr 0x2ae." PR1264656

  • Due to transient Hardware events, fabric stream may report 'CPQ1: Queue unrderrun indication - Queue <q#>' in continuous occurrence. For such events, all fabric traffic is queued for this Packet Forwarding Engine reporting the error and causes a very high amount of fabric drops. PR1265385

  • The MTU configuration option for vt/mt/pd/pe interfaces will be removed after the fix of this PR because the MTU on these interfaces is already set to unlimited, so there is no need for configuring MTU on these interfaces. PR1277600

High Availability (HA) and Resiliency

  • In a rare scenario, GRES might not reach the ready state and might fail to start, because the Routing Engine does not receive the state ack message from the Packet Forwarding Engine after performing GRES. This is a timing issue. It might also stop Routing Engine resource releasing and then cause resource exhausting. Reboot the system if this problem occurs. PR1236882


  • The configuration statement: "set system ports console log-out-on-disconnect" logs the user out from the console and closes the console connection . If "set system syslog console any warning" is used along with the previously mentioned statement and there is no active telnet connection to the console, the daemons try to open the console and hang as they wait for a "serial connect", which is received only by doing a telnet to the console. As a workaround, remove the second statement, "set system syslog console any warning", which solves the issue. PR1230657

Interfaces and Chassis

  • After changing the MTU on the IFD, on the static vlan demux interface above the IFD the IPv6 Link Local address is not assigned. PR1063404

  • During configuration changes and reuse of Virtual IP on an interface as a interface address; you must delete the configuration do a commit and then add the interface address configuration in another commit. PR1191371

  • IPV6 neighborship is not created on the IRB interface. PR1198482

  • 1. Delay Measurement support for 5-port 100G DWDM PIC and 5-port 100G DWDM MIC is *ONE TIME Delay Measurement*.If you intend to measure Delay 2 points should ensure that Link is up on both sides and then conduct this test one time. The result value is valid one time once the test is finished. The test result on CLI is not valid after one time measurement because the old result might show up on Routing Engine CLI. 2. Remote-loop-enable should be configured first on remote end. Next, start-measurement should be configured. 3. Each time a customer wants to verify this, the test has to be *repeated*. 4. Processing delays in each mode are different HGFEC [For 5-port 100G DWDM MIC] being highest, SDFEC in the interim, and GFEC being least for the same cable length. 5. In summary, any breakage in Transmit/Receive path during the Delay Measurement test will hinder delay measurement. This is true for all FEC modes - GFEC, SDFEC, HGFEC. 6. Currently SNMP walk is not available for Delay Measurement. PR1233917

  • In some rare situations Ethernet Connectivity Fault Management Daemon (cfmd) might crash when committing a configuration where CFM filter refers to a firewall policy. When hitting this issue, all CFM enabled interfaces are down. PR1246822

  • In a VPLS multihoming scenario, the CFM packets are forwarded over the standby PE link, resulting in duplicate packets or loop between the active and standby link PR1253542

  • Junos OS upgrade involving releases 14.2R5 (and above in 14.2 maintenance releases) and 16.1 and above mainline releases with CFM configuration can cause CFMD core after the upgrade. This is due to the old version of /var/db/cfm.db. PR1281073

Layer 2 Ethernet Services

  • After changing the underlying IFD for a static vlan demux interface, the NAS-Port-ID is still formed based on the previous IFD. PR1255377

Layer 2 Features

  • On routers running Junos OS with RE GRES enabled, if vpls is configured with a dynamic-profile association, some traffic loss is observed when the Routing Engine switches from master to standby. This is due to a change in the underlying database that handles the dynamic-profile sessions . As a result, it causes the vpls connection is destroyed and re-created after a Routing Engine switchover. PR1220171


  • When graceful Routing Engine switchover (GRES) is done between master and backup Routing Engines of different memory capabilities. For example, this issue can occur when one Routing Engine has only enough memory to run rpd in 32-bit mode while the other is capable of 64-bit mode. This scenario can occur when using Junos OS Release 13.3 and later with the statement "auto-64-bit" configured or when using Junos OS Release 15.1 or later (even without the configuration statement). As a workaround, use the statement "set system processes routing force-32-bit" to avoid the issue. PR1141728

  • In MVPN scenario, if the active primary path goes down, then PLR (Point of Local Repair) needs to send Label Withdraw for the old path and new Label Mapping for the new path to the new upstream neighbor. In this case, LDP P2MP path may stay in "Inactive" state for an indefinite time if an LSR receives a Label Release, immediately followed by a Label Mapping for the same P2MP LSP from the downstream neighbor. PR1170847

  • A new configuration protocols mpls traffic-engineering bgp-igp-both-ribs in the routing-instance is required to make cOC work. PR1252043

  • The throughput measurement may be inaccurate when doing performance measurement on an MPLS label-switched path. PR1274822

Network Management and Monitoring

  • Symptom: "MIB2D_RTSLIB_READ_FAILURE: rtslib_iflm_snmp_pointchange" syslog message during config restore. Cause: mib-process daemon sends to the requests to kernel to update snmp ifIndex for the interfaces that it is learning. If this interface was already deleted from kernel, the syslog message is seen. This interface learning by the mib-process daemon will happen later, once the kernel sends the ADD notification for these interfaces. There is no system impact. PR1279488

Platform and Infrastructure

  • FPC reports the following errors and the FPC is not able to connect any subscriber: "Pkt Xfer:** WEDGE DETECTED IN PFE 0 TOE host packet transfer: %PFE-0: reason code 0x1". Also, the MQ FI may be wedged and the following log can be seen: Apr 11 12:09:11.945 2013 NSK-BBAR3 fpc7 MQCHIP(0) FI Reorder cell timeout Apr 11 12:09:11.945 2013 NSK-BBAR3 fpc7 MQCHIP(0) FI Enqueuing error, type 1 seq 404 stream 0 Apr 11 12:09:11.945 2013 NSK-BBAR3 fpc7 MQCHIP(0) MALLOC Pre-Q Reference Count underflow - decrement below zero. PR873217

  • When TCP authentication is enabled on a TCP session, the TCP session might not use the selective acknowledgement (SACK) TCP extensions. PR1024798

  • In configurations with IRB interfaces, during times of interface deletion, (for example, an FPC reboot) the Packet Forwarding Engine may log errors stating "nh_ucast_change:291Referenced l2ifl not found". This condition should be transient, with the system reconverging on the expected state. PR1054798

  • On MX Series platform, parity memory errors might happen in pre-classifier engines within an MPC. Packets will be silently discarded because such errors are not reported and are therefore harder to diagnose. The correct behavior is for CM-ERRORs, such as syslogs messages and alarms, to be raised when parity memory errors occur. PR1059137

  • CoS error messages might appear when a nonexistent path for a database file is configured for CoS These messages do not affect any service and traffic. PR1158127

  • In a very rare scenario, during TAC accounting configuration change, auditd daemon crashes due to a race condition between auditd and its sigalarm handler. PR1191527

  • Several files are copied between Routing Engines during 'ffp synchronize' phase of the commit (e.g. /var/etc/, /var/etc/, etc). These files are copied even if there was no corresponding change in the configuration thus unnecessarily increasing commit time. PR1210986

  • Starting from Junos OS 13.3, the SRX Series cluster need to run auditd on both nodes. However, on MX-VC Bm and TXP all LCC also add auditd. Because LCC and VC-BM do not have route for the accounting server, the following message is generated: 1813 unreachable infor. user@router> show system processes extensive | match "-re|audit" sfc0-re0: -------------------------------------------------------------------------- 2565 root 1 96 0 3304K 2620K RUN 0:01 0.00% auditd lcc0-re0: -------------------------------------------------------------------------- 2398 root 1 96 0 3240K 2536K select 0:01 0.00% auditd lcc1-re0: -------------------------------------------------------------------------- 2791 root 1 96 0 3244K 2544K select 0:01 0.00% auditd %DAEMON-3: auditd[2398]: sendmsg to failed: Network is down %DAEMON-3: auditd[2398]: AUDITD_RADIUS_REQ_SEND_ERROR: auditd_rad_send: sendto/sendmsg: Network is down PR1238002

  • On rare occasions during the route add/delete/change operation, the kernel might encounter a crash with the panic string "rn_clone_unwire no ifclone parent". PR1253362

Routing Protocols

  • When you configure damping globally and use the import policy to prevent damping for specific routes, and a peer sends a new route that has the local interface address as the next hop, the route is added to the routing table with default damping parameters, even though the import policy has a nondefault setting. As a result, damping settings do not change appropriately when the route attributes change. PR51975

  • On MX Series router, when a instance type is changed from VPLS to EVPN, and in the same commit an interface is added to the EVPN instance, the newly added EVPN interface might not be able to come up. PR1016797

  • For devices populated with a master and backup Routing Engines (RE) and configured for nonstop active routing (NSR) and Protocol Independent Multicast (PIM) configuration, the routing protocol process (RPD) may crash on the backup Routing Engine due to a memory leak. This leak occurs when the backup Routing Engine handling mirror updates about PIM received from the master Routing Engine deletes information about a PIM session from its database. But due to a software defect, a leak of 2 memory blocks (8 or 16 bytes) may occur for every PIM leave. If the memory is exhausted, the rpd may crash on the backup Routing Engine. There is no impact seen on the master Routing Engine when the rpd crashes on the backup Routing Engine. Use the show system processes extensive command to check the memory. PR1155778

  • The VRF related routes which are leaked to the global inet.0 table and advertised by the access routers are not being advertised to global inet.0 table on the core. PR1200883

  • In the context of a large number of configured VPNs, routes changing in the midst of a bgp path-selection configuration change can sometimes lead to an rpd core files. This core file has been seen with the removal of the "always-compare-med" option. PR1213131

  • RPD leaks memory with the topology and configuration. However, adding/deleting static flowspec routes in isolation does not cause any memory leak. The exact configuration that causes the leak is currently unknown. PR1213959

  • PIM NSR Design : With GRES+ NSR enabled, the master Routing Engine (RE) replicates kernel states and protocol states on backup RE. Both kernel state (ifstates) and protocol state replication are independent processes. The ksyncd takes care of ifstates replication. RPD infra takes care of replication (mirror) connection between the two Routing Enginess. NSR supported protocols have their own mechanism to replicate their database using mirror connection. As per PIM/MVPN NSR design, the backup RE, it walks through the replication database (RDB) with consume and delete action. That is once a PIM/MVPN states is processed on the backup RE, associated RDB is deleted. If kernel replication is restarted, it can lead to interface deletions and additions only on the backup RE. PIM states the backup goes out of sync. - ?kernel replication? restart lead to interface delete/add on Backup-RE only - PIM/MVPN does not have RDB on the backup RE, so on interface delete, it deletes the relevant PIM state..Once an interface is added by kernel, PIM has no state to consume. No change occurs on the master Routing Engine to reinitiate the protocol. replicationThis .PIM/MVPN out-of-sync issue can be seen with following events :- Manually "restart kernel-replication" - PIM out of sync - ksyncd cored & restarted - PIM out of sync - ksyncd restarted as workaround of kernel replication issues- PIM out of sync. PR1224155

  • On rpd crash with ?switchover-on-routing-crash? enabled on box, live vmcores may be seen on both Routing Engines without an impact on the system. PR1267796

Services Applications

  • On MX series with L2TP configured, the L2TP packet in ICRQ retransmission message is set to incorrect value, and this causes frequent L2TP session flaps. PR1206542

  • On Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) router where Access Node Control Protocol (ANCP) protocol is used for bandwidth adjustment, L2TP Connect Speed Update Notification (CSUN) message to L2TP network server (LNS) may be sent after a short delay after ANCP Port-Up with updated access line parameters was received. This delay is caused by the current interaction scheme between ANCP and L2TP daemons and can last up to 5 seconds. In a production network scenario this delay should not be visible, because the L2TP daemon checks for state updates each time there is an L2TP packet that has to be sent or received. PR1234674

  • If the l2tp subscriber has static pp0 interface on the LAC side, LCP renegitiation is configured on the LNS side, and CPE has been changed, an issue with negotiation of PPP session between LNS and CPE can occur. PR1235554

  • Account Session ID, Interface Identifier, and Subscriber User Name trigger attributes are optimized for a scaled subscriber management environment. If you include any of the other, non-optimized, trigger attributes in a scaled subscriber management environment, a significant delay might be observed between the time when the DTCP ADD message is sent and the time when forwarding starts for the mirrored traffic. For example, if there are 10,000 subscriber sessions on the router, forwarding of the mirrored traffic might be delayed for 20 minutes. This delay occurs when you specify any non-optimized attribute, with or without any optimized attribute. The delay occurs regardless of the order of attributes in the DTCP packet. PR1269770

Subscriber Access Management

  • On MX Series routers with subscriber management feature enabled, after GRES switchover results of the show network-access aaa statistics radius CLI command display only zeros and clear network-access aaa statistics radius" does not clear statistics as it should. However this is a cosmetic issue and communication with the RADIUS server is working fine; the only impact is that affected CLI commands do not work as expected. PR1208735

  • Subscribers get stuck in terminated state during PPPoE login/logout test. PR1262219

User Interface and Configuration

  • When persist-groups-inheritance is configured and you issue a rollback, it will be seen that the configuration is not propagated properly after a commit. PR1214743


  • In NG-MVPN scenario, when "forwarding-cache timeout never non-discard-entry-only" is configured for an MVPN instance, even though the cache lifetime is shown as forever in the output of the CLI command show multicast route instance X extensive", the route disappears after 7-8 minutes. PR1212061