Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for EX Series Switches


These release notes accompany Junos OS Release 17.4R3 for the EX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 17.4R3 for the EX Series.


Starting in Junos OS Release 17.4R1, MC-LAG is not supported on EX switches except for EX9200. Use the Virtual Chassis feature instead to provide equivalent functionality.


The following EX Series switches are supported in Junos OS Release 17.4R3: EX4300, EX4600, and EX9200.


In Junos OS Release 17.4R3, J-Web is supported on the EX4300 and EX4600 switches in both standalone and Virtual Chassis setup.

The J-Web distribution model being used provides two packages:

  • Platform package—Installed as part of Junos OS; provides basic functionalities of J-Web.

  • Application package—Optionally installable package; provides complete functionalities of J-Web.

For details about the J-Web distribution model, see Release Notes: J-Web Application Package Release 17.4A1 for EX4300 and EX4600 Switches.

Release 17.4R3 New and Changed Features

  • There are no new features or enhancements to existing features for EX Series Switches in Junos OS Release 17.4R3.

Release 17.4R2 New and Changed Features


  • EVPN proxy ARP and ARP suppression without IRB interfaces (MX Series routers with MPCs, EX9200 switches)—MX Series routers and EX9200 switches that function as provider edge (PE) devices in an Ethernet VPN-MPLS (EVPN-MPLS) or EVPN-Virtual Extensible LAN (EVPN-VXLAN) environment support the proxy Address Resolution Protocol (ARP) and ARP suppression. Both ARP capabilities are enabled by default.

    Starting with Junos OS Release 17.4R2, these features no longer require the configuration of an IRB interface on the PE device. Any interface configured on a PE device can now deliver ARP requests from both local customer edge (CE) devices only. Proxy ARP and ARP suppression are not supported on remote CE devices.

    Also, you can now control the following aspects of the MAC-IP address bindings database on a PE device:

    • The maximum number of MAC-IP address entries in the database.

    • The amount of time a locally learned MAC-IP address binding remains in the database.

    [See EVPN Proxy ARP and ARP Suppression.]

Restoration Procedures and Failure Handling

  • Device recovery mode support introduced in Junos OS with upgraded FreeBSD (EX Series)—Starting in Junos OS Release 17.4R2, devices running Junos OS with an upgraded FreeBSD and a saved rescue configuration have an automatic device recovery mode should the system go into amnesiac mode. The new process has the system automatically reboot with the saved rescue configuration. Then the system displays "Device is in recovery mode” in the CLI (in both operational and configuration modes). Previously, there was no automatic process to recover from amnesiac mode. A user with load and commit permission had to log in using the console and fix the issue in the configuration before the system would reboot.

    [See Saving a Rescue Configuration File.]

Release 17.4R1 New and Changed Features


  • Aggregation device support on EX9200 with EX9200-RE2 routing engine (Junos Fusion Enterprise)—Starting with Junos OS Release 17.4, EX9200 switches with the EX9200-RE2 Routing Engine module are supported as aggregation devices in a Junos Fusion Enterprise. The EX9200-RE2 module supports virtual machine (VM) architecture in an EX9200 switch.

    [See Understanding Junos Fusion Enterprise Software and Hardware Requirements.]

Authentication, Authorization and Accounting (AAA)

  • Periodic refresh of authorization profile on TACACS server (EX Series)—Starting with Junos OS Release 17.4R1, periodic refresh of the authorization profile that is received from the TACACS server is supported. The authorization profile that is configured for the user on the TACACS server is sent to the Junos OS device after the user is successfully authenticated. The authorization profile is stored locally on the Junos OS device. With the periodic refresh feature, the authorization profile is periodically fetched from the TACACS server to refresh the authorization profile that is stored locally. User authorization is reevaluated using the refreshed authorization profile.

    [See Configuring Periodic Refresh of the TACACS+ Authorization Profile.]


  • EVPN-MPLS interworking with Junos Fusion Enterprise and MC-LAG (EX9200 switches)—Starting with Junos OS Release 17.4R1, you can use Ethernet VPN (EVPN) to extend your Junos Fusion Enterprise or MC-LAG network over an MPLS network. Typically, Junos Fusion Enterprise is extended to a geographically distributed campus or enterprise network, while an MC-LAG network is extended to a data center network or geographically distributed campus or enterprise network.

    The EVPN-MPLS interworking feature offers the following benefits:

    • Ability to use separate virtual routing and forwarding (VRF) instances to control inter-VLAN routing.

    • VLAN translation.

    • Default Layer 3 virtual gateway support, which eliminates the need to run such protocols as Virtual Router Redundancy Protocol (VRRP).

    • Load balancing to better utilize both links when using EVPN multihoming.

    • The use of EVPN type 2 advertisement routes (MAC+IP) reduces the need for flooding domains with ARP packets.

    [See Understanding EVPN-MPLS Interworking with Junos Fusion Enterprise and MC-LAG.]

  • Support for duplicate MAC address detection and suppression (EX9200 switches)— When a MAC address relocates, PE devices can converge on the latest location by using sequence numbers in the extended community field. Misconfigurations in the network can lead to duplicate MAC addresses. Starting in Junos OS Release 17.4R1, Juniper supports duplicate MAC address detection and suppression.

    You can modify the duplicate MAC address detection settings on the switch by configuring the detection window for identifying duplicate MAC address and the number of MAC address moves detected within the detection window before duplicate MAC detection is triggered and the MAC address is suppressed. In addition, you can also configure an optional recovery time that the switch waits before the duplicate MAC address is automatically unsuppressed.

    To configure duplicate MAC detection parameters, use the detection-window, detection-threshold, and auto-recovery-time statements at the [edit routing instance routing-instance-name protocols evpn duplicate-mac-detection] hierarchy level.

    To clear duplicate MAC suppression manually, use the clear evpn duplicate-mac-suppression command.

    [See Overview of MAC Mobility. ]

Junos OS XML API and Scripting

  • Automation script library additions and upgrades (EX Series)—Starting in Junos OS Release 17.4R1, devices running Junos OS include new and upgraded Python modules as well as upgraded versions of Junos PyEZ and libslax. On-box Python automation scripts can use features supported in Junos PyEZ Release 2.1.4 and earlier releases to perform operational and configuration tasks on devices running Junos OS. Python automation scripts can also leverage new on-box Python modules including ipaddress, jxmlease, pyang, serial, and six, as well as upgraded versions of existing modules. In addition, SLAX automation scripts can include features supported in libslax release 0.22.0 and earlier releases.

    [See Overview of Python Modules Available on Devices Running Junos OS and libslax Distribution Overview.]

Layer 2 Features

  • Layer 2 protocol tunneling support (EX4600 switches and Virtual Chassis)—Starting with Junos OS Release 17.4R1, Layer 2 protocol tunneling (L2PT) is supported on EX4600 switches and EX4600 Virtual Chassis. You can configure the switch to tunnel any of the following Layer 2 protocols: CDP, E-LMI, GVRP, IEEE 802.1X, IEEE 802.3AH, LACP, LLDP, MMRP, MVRP, STP (including RSTP and MSTP), UDLD, VSTP, and VTP.

    [See Layer 2 Protocol Tunneling.]

  • Q-in-Q support on redundant trunk links using LAGs with link protection (EX4300 switches and Virtual Chassis)—Starting in Junos OS Release 17.4R1, Q-in-Q is supported on redundant trunk links (also called “RTGs”) using LAGs with link protection. Redundant trunk links provide a simple solution for network recovery when a trunk port on a switch goes down. In that case, traffic is routed to another trunk port, keeping network convergence time to a minimum.

    Q-in-Q support on redundant trunk links on a LAG with link protection also includes support for the following items:

    • Configuration of flexible VLAN tagging on the same LAG that supports the redundant links configurations

    • Multiple redundant-link configurations on one physical interface

    • Multicast convergence

    [See Q-in-Q Support on Redundant Trunk Links Using LAGs with Link Protection.]


  • Enhancements to LSP events sensor for Junos Telemetry Interface (EX4600 and EX9200 switches) —Starting with Junos OS Release 17.4R1, telemetry data streamed through gRPC for LSP events and properties is reported separately for each routing instance. To export data for LSP events and properties, you must now include /network-instances/network-instance/[name_'instance-name']/ in front of all supported paths. For example, to export LSP events for RSVP Signaling protocol attributes, use the following path: /network-instances/network-instance[name_'instance-name']/mpls/signaling-protocols/rsvp-te/. Use the telemetrySubscribe RPC to specify telemetry parameters and provision the sensor. If your device is running a version of Junos OS with an upgraded FreeBSD kernel, you must download the Junos Network Agent software package, which provides the interfaces to manage gRPC subscriptions.

    [See Guidelines for gRPC Sensors.]

  • Support for multiple, smaller configuration YANG modules (EX Series)—Starting in Junos OS Release 17.4R1, the YANG module for the Junos OS configuration schema is split into a root configuration module that is augmented by multiple, smaller modules. The root configuration module comprises the top-level configuration node and any nodes that are not emitted as separate modules. Separate, smaller modules augment the root configuration module for the different configuration statement hierarchies. Smaller configuration modules enable YANG tools and utilities to more quickly and efficiently compile and work with the modules, because they only need to import the modules required for the current operation.

    [See Understanding the YANG Modules That Define the Junos OS Configuration.]

  • Enhancement to BGP sensor for Junos Telemetry Interface (EX4600 and E9200 switches)—Starting with Junos OS Release 17.4R1, you can specify to export the number of BGP peers in a BGP group for telemetry data exported through gRPC. To export the number of BGP peers for a group, use the following OpenConfig path: /network-instances/network-instance[name_'instance-name']/protocols/protocol/

    . The BGP peer count value exported reflects the number of peering sessions in a group. For example, for a BGP group with two devices, the peer count reported is 1 (one) because each group member has one peer. To provision the sensor to export data through gRPC, use the telemetrySubcribe RPC to specify telemetry parameters.

    [See Guidelines for gRPC Sensors.]


  • MLD snooping versions 1 and 2 (EX4600 switches and Virtual Chassis)—Starting with Junos OS Release 17.4R1, EX4600 switches and EX4600 Virtual Chassis support Multicast Listener Discovery (MLD) snooping version 1 (MLDv1) and version 2 (MLDv2). MLD snooping constrains the flooding of IPv6 multicast traffic on VLANs. When MLD snooping is enabled on a VLAN, the switch examines MLD messages encapsulated within ICMPv6 packets transferred between hosts and multicast routers. The switch learns which hosts are interested in receiving traffic for a multicast group and forwards multicast traffic only to those interfaces in the VLAN that are connected to interested receivers instead of flooding the traffic to all interfaces. You configure MLD snooping parameters and enable MLD snooping using configuration statements at the [edit protocols] mld-snooping vlan vlan-name hierarchy.

    [See Understanding MLD Snooping on Switches.]

Routing Protocols

  • Support for EBGP route server (EX Series)—Starting in Junos OS Release 17.4R1, BGP feature is enhanced to support EBGP route server functionality. A BGP route server is the external BGP (EBGP) equivalent of an internal IBGP (IBGP) route reflector that simplifies the number of direct point-to-point EBGP sessions required in a network. EBGP route server propagates unmodified BGP routing information between external BGP peers to facilitate high scale exchange of routes in peering points such as Internet Exchange Points (IXPs). When BGP is configured as a route server, EBGP routes are propagated between peers unmodified, with full attribute transparency (NEXT_HOP, AS_PATH, MULTI_EXIT_DISC, AIGP, and Communities).

    The BGP JET bgp_route_service.proto API has been enhanced to support route server functionality as follows:

    • Program the EBGP route server.

    • Inject routes to the specific route server RIB for selectively advertising it to the client groups in client-specific RIBs.

    The BGP JET bgp_route_service.proto API includes a peer-type object that identifies individual routes as either EBGP or IBGP (default).

    [See BGP Route Server Overview.]

  • Support for importing IGP topologies into BGP-LS (EX Series)—Starting in Junos OS Release 17.4R1, you can import IGP, that is IS-IS and OSPF topologies into BGP-LS. Prior to Junos OS Release 17.4R1, Junos OS BGP-LS implementation exports only Traffic Engineering enabled (RSVP-enabled) links. This feature allows you to export IGP links (that do not have RSVP enabled) and Traffic Engineering enabled links into BGP-LS.

Software Installation and Upgrade

  • Configuration validation for image upgrade or downgrade (EX4300)—Starting in Junos OS Release 17.4R1, when you install a new version of Junos OS on the switch, the system validates that the existing configuration is compatible with the new image. Without the validation feature, configuration incompatibilities or insufficient memory to load the new image might cause the system to lose its current configuration or go offline. With the validation feature, if validation fails, the new image is not loaded, and an error message provides information about the failure.

    Image validation is supported only on the jinstall package.

    If you invoke validation from an image that does not support validation, the new image is loaded but validation does not occur.

    Invoke validation by issuing either request system software add or request system software nonstop-upgrade. You can also issue request system software validate to run just configuration validation.

    Image validation does not work in a downgrade from Release 17.4 to 17.2 or earlier if graceful switchover is enabled and image loading is done without NSSU. Use one of the following options:

    • To downgrade with graceful switchover but without image validation—Issue the request system software add image-name reboot no-validate command.

    • To downgrade with image validation but without graceful switchover—Remove the graceful-switchover configuration and then issue the request system software add image-name reboot command.

    • To downgrade with image validation and graceful switchover—Use NSSU by issuing the request system software nonstop-upgrade image-name command.

    [See Understanding Software Installation on EX Series Switches.]

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 17.4R3 for the EX Series.


  • Change to show vlans evpn command (EX9200 switches)—Starting with Junos OS Release 17.4R2, the show vlans evpn command is replaced by the show ethernet-switching evpn command.

  • On EX9200 switches, you can configure EVPN to extend a Junos Fusion Enterprise or multichassis link aggregation group (MC-LAG) network over an MPLS network to a data center or campus network. For both Junos Fusion Enterprise and MC-LAG use cases, you must include the bgp-peer configuration statement in the [edit routing-instances name protocols evpn mclag] hierarchy level. This configuration enables the interworking of EVPN-MPLS with Junos Fusion Enterprise or MC-LAG. If you do not include the bgp-peer configuration statement in your configuration, unexpected behavior and a core dump could result. To enforce this configuration, we now check for this configuration during the commit. If the configuration is not present, an error occurs.

    See [Understanding EVPN-MPLS Interworking with Junos Fusion Enterprise and MC-LAG .]

Interfaces and Chassis

  • No support for performance monitoring on AE Interfaces (EX4300)—Y.1731 performance monitoring (PM) over aggregated Ethernet interfaces is not supported on EX4300 switches. [See sla-iterator-profile.]


  • Changes to Junos OS YANG module naming conventions (EX Series)—Starting in Junos OS Release 17.4R1, the native Junos OS YANG modules use a new naming convention for the module's name, filename, and namespace. The module name and filename include the device family and the area of the configuration or command hierarchy to which the schema in the module belongs. In addition, the module filename includes a revision date. The module namespace is simplified to include the device family, the module type, and an identifier that is unique to each module and that differentiates the namespace of the module from that of other modules.

    [See Understanding Junos OS YANG Modules.]


  • Support for per-source multicast traffic forwarding with IGMPv3 (EX4300)—Starting in Junos OS Release 17.4R2, EX4300 switches forward multicast traffic on a per-source basis according to received IGMPv3 INCLUDE and EXCLUDE reports. In releases prior to this release, EX4300 switches process IGMPv3 reports, but instead of source-specific multicast (SSM) forwarding, they consolidate IGMPv3 INCLUDE and EXCLUDE mode reports for a group into one route for all sources sending to the group. As a result, with the prior behavior, receivers might get traffic from sources they didn’t specify.

    [See IGMP Snooping Overview.]

Network Management and Monitoring

  • Change in default log level setting (EX Series)—In Junos OS Release, 17.4R1, the following changes were made in default logging levels:

    Before this change:

    • SNMP_TRAP_LINK_UP was LOG_INFO for both the physical (IFD) and logical (IFL) interfaces.

    • SNMP_TRAP_LINK_DOWN was LOG_WARNING for both the physical (IFD) and logical (IFL) interfaces.

    After this change:

    • IFD LinkUp -> LOG_NOTICE (because this is an important message but less frequent)

    • IFL LinkUp -> LOG_INFO (no change)

    • IFD and IFL LinkDown -> LOG_WARNING (no change)

    [See the MIB Explorer.]

  • SNMP syslog messages changed (EX Series)—Starting in Junos OS Release 17.4R1, two misleading SNMP syslog messages have been rewritten to accurately describe the event:

    • OLD —AgentX master agent failed to respond to ping. Attempting to re-register

      NEW — AgentX master agent failed to respond to ping, triggering cleanup!

    • OLD — NET-SNMP version %s AgentX subagent connected

      NEW — NET-SNMP version %s AgentX subagent Open-Sent!

    [See the SNMP MIB Explorer.]

  • New context-oid option for trap-options configuration statement to distinguish the traps that come from a non-default routing instance with a non-default logical system (EX Series)—Starting in Junos OS Release 17.4R2, a new option, context-oid, for the trap-options statement allows you to handle prefixes such as <routing-instance name>@<trap-group> or <logical-system name>/<routing-instance name>@<trap-group> as an additional varbind.

    [See trap-options.]

  • The NETCONF server omits warnings in RPC replies when the rfc-compliant statement is configured and the operation returns <ok/> (EX Series)—Starting in Junos OS Release 17.4R3, when you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level to enforce certain behaviors by the NETCONF server, if the server reply after a successful operation includes both an <ok/> element and one or more <rpc-error> elements with a severity level of warning, the warnings are omitted. In earlier releases, or when the rfc-compliant statement is not configured, the NETCONF server might issue an RPC reply that includes both an <rpc-error> element with a severity level of warning and an <ok/> element.

Platform and Infrastructure

  • Enhancement to the show interfaces mc-ae extensive command—You can now view additional LACP information about the LACP partner system ID when you run the show interfaces mc-ae extensive command. The output now displays the following two additional fields:

    • Local Partner System ID?LACP partner system ID as seen by the local node.

    • Peer Partner System ID?LACP partner system ID as seen by the MC-AE peer node.

      Previously, the show interfaces mc-ae extensive command did not display these additional fields.

      [See show interfaces mc-ae]

Routing Protocols

  • Change in the default behavior of advertise-from-main-vpn-tables configuration statement—BGP now advertises EVPN routes from the main bgp.evpn .0 table. You can no longer configure BGP to advertise the EVPN routes from the routing instance table. In earlier Junos OS Releases, BGP advertised EVPN routes from the routing instance table by default.

    [See advertise-from-main-vpn-tables.]


  • Support for logging SSH key changes—Starting with Junos OS Release 17.4R1, the configuration statement log-key-changes is introduced at the [edit system services ssh ] hierarchy level. When log-key-changes configuration statement is enabled and committed (with the commit command in configuration mode), Junos OS logs the changes to the set of authorized SSH keys for each user (including the keys that were added or removed). Junos OS logs the differences since the last time log-key-changes was enabled. If log-key-changes was never enabled, then Junos OS logs all the authorized SSH keys.

  • Syslog or log action on firewall drops packets (EX4600 switches)—Starting in Junos OS 17.4R3, if you configure a syslog or log action on an ingress firewall filter, control packets, and ICMP packets sent to the Routing Engine might be dropped.

Software Licensing

  • Key generator adds one day to make the duration of license show as 365 days (EX Series)—Starting in Junos OS Release 17.4R1, the duration of subscription licenses as generated by the show system license command and shown in the output is correct to the numbers of days. Before this fix, for example, for a 1-year subscription license, the duration was generated as 364 days. After the fix, the duration of the 1-year subscription now shows as 365 days.

    [See show system license.]

Subscriber Management and Services

  • DHCPv6 lease renewal for separate IA renew requests (EX Series)—Starting in Junos OS Release 17.4R2, the jdhcpd process handles the second renew request differently if the DHCPv6 client CPE device does both of the following:

    • Initiates negotiation for both the IA_NA and IA_PD address types in a single solicit message.

    • Sends separate lease renew requests for the IA_NA and the IA_PD and the renew requests are received back-to-back.

    The new behavior is as follows:

    1. When the reply is received for the first renew request, if a renew request is pending for the second address type, the client stays in the renewing state, the lease is extended for the first IA, and the client entry is updated.

    2. When the reply is received for the second renew request, the lease is extended for the second IA and the client entry is updated again.

    In earlier releases:

    1. The client transitions to the bound state instead of staying in the renewing state. The lease is extended for the first IA and the client entry is updated.

    2. When the reply is received for the second renew request, the lease is not renewed for the second address type and the reply is forwarded to the client. Consequently, when that lease ages out, the binding for that address type is cleared, the access route is removed, and subsequent traffic is dropped for that address or address prefix.

    [See Using DHCPv6 IA_NA with DHCPv6 Prefix Delegation Overview.]

Virtual Chassis

  • New configuration option to disable automatic Virtual Chassis port conversion (EX4300 and EX4600 Virtual Chassis)—Starting in Junos OS Release 17.4R2, you can use the no-auto-conversion statement at the [edit virtual-chassis] hierarchy level to disable automatic Virtual Chassis port (VCP) conversion in an EX4300 or EX4600 Virtual Chassis. Automatic VCP conversion is enabled by default on these switches. When automatic VCP conversion is enabled, if you connect a new member to a Virtual Chassis or add a new link between two existing members in a Virtual Chassis, the ports on both sides of the link are automatically converted into VCPs when all of the following conditions are true:

    • LLDP is enabled on the interfaces for the members on both sides of the link. The two sides exchange LLDP packets to accomplish the port conversion.

    • The Virtual Chassis must be preprovisioned with the switches on both sides of the link already configured in the members list of the Virtual Chassis using the set virtual-chassis member command.

    • The ports on both ends of the link are supported as VCPs and are not already configured as VCPs.

    Automatic VCP conversion is not needed when using default-configured VCPs on both sides of the link to interconnect two members. On both ends of the link, you can also manually configure network or uplink ports that are supported as VCPs, whether or not the automatic VCP conversion feature is enabled.

    Deleting the no-auto-conversion statement from the configuration returns the Virtual Chassis to the default behavior, which reenables automatic VCP conversion.

    [See no-auto-conversion].

Known Behavior

This section lists known behavior, system maximums, and limitations in hardware and software in Junos OS Release 17.4R3 for the EX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.


  • When a VLAN uses an IRB interface as the routing interface, the vlan-id parameter must be set to "none" to ensure proper traffic routing. This issue is platform-independent. PR1287557

High Availability (HA) and Resiliency

  • During a nonstop software upgrade (NSSU) on an EX4300 Virtual Chassis, a traffic loop or loss might occur if the Junos OS software version that you are upgrading and the Junos OS software version that you are upgrading to use different internal message formats. PR1123764


  • The issue is specific to a downgrade(17.4T) and a core is seen only once during the downgrade because of a timing issue in the sdk toolkit upgradation, after which dcpfe recovers on its own and no issues are seen after that. PR1337008

Interfaces and Chassis

  • Configuring link aggregation group (LAG) hashing with the [edit forwarding-options enhanced-hash-key] inet vlan-id statement uses the VLAN ID in the hashing algorithm calculation. On some switching platforms, when this option is configured for a LAG that spans FPCs, such as in a Virtual Chassis or Virtual Chassis Fabric (VCF), packets are dropped due to an issue with using an incorrect VLAN ID in the hashing algorithm. As a result, the vlan-id hashing option is not supported in a Virtual Chassis or VCF containing any of the following members: EX4300, EX4600, QFX5100, or QFX5110 switches. Under these conditions, use any of the other supported enhanced-hash-key hashing configuration options instead. PR1293920

Junos Fusion Enterprise

  • On a Junos Fusion Enterprise, show ethernet-switching table takes a few minutes to show entries when an extended port receives with MAC count set to 150000. PR1117567

  • On a Junos Fusion Enterprise, in order to use a non-default port as a clustering port in a clustering port policy, the policy must include at least one port that is a default uplink/clustering port for that platform. PR1241808

Platform and Infrastructure

  • On EX4300 and EX4600 switches, if a remote analyzer has an output IP address that is reachable through a route learned by BGP, the analyzer might be in a down state. PR1007963

  • On an EX4300 Virtual Chassis, when you perform an NSSU, there might be more than five seconds of traffic loss for multicast traffic. PR1125155

  • On EX4300 switches, when 802.1X single-supplicant authentication is initiated, multiple "EAP Request Id Frame Sent" packets might be sent. PR1163966

  • On EX4300 10G links, preexisting MACsec sessions might not come up after the following events: Process (pfex, dot1x) restart or system restart link flaps PR1294526

  • Repeated mode switching by enable/disable interface or setting and removing otn-options rate can cause dfe tuning to get stuck for a long time on the CFP2-DCO tunable DWDM optics resulting interfaces being down for around 30 minutes. PR1452597

Routing Protocols

  • mcsnoopd might crash when all the core facing interfaces that are part of the L2 domain have flapped and it is attempting to flood a packet received over a CE interface, over the core-facing interfaces. PR1329694

Virtual Chassis

  • Virtual Chassis internal loop might happen at a node coming up from a reboot. During nonstop software upgrade (NSSU) on an QFX5100 Virtual Chassis, a minimal traffic disruption or traffic loop(>2s) might occur and its considered to be known behavior. PR1347902

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 17.4R3 for the EX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • The output of the command show lldp detail is not consistently displayed in any organized order. PR1390760


  • When a VLAN uses an IRB interface as the routing interface, the vlan-id parameter must be set to "none" to ensure proper traffic routing. This issue is platform-independent. PR1287557

  • In an EVPN environment, proxy ARP and ARP suppression is enabled on the PE device by default for reducing the flooding of ARP packets. However, in the case of ARP probe packets used in the process of Duplicate Address Detection (DAD), the client might treat the IP address that it is in use as duplicated address after receiving the proxied packets from PE device. PR1427109

General Routing

  • From the code analysis, the CPU rate limiting and corresponding queue points to 100 pps in Junos OS Release 12.3 for ARP traffic. But in case of Junos OS Release 11.4, the rate limiter value was 3 Kpps. PR1165757

  • On an EX9200-12QS line card, interfaces with the default speed of 10 Gigabit Ethernet are not brought down even when the remote end of a connection is misconfigured as 40 Gigabit Ethernet. PR1175918

  • On EX4300 10-Gigabit links, preexisting MACsec sessions might not come up after the following events: process (pfex, dot1x) restart, system restart, or link flaps. PR1294526

  • l2ald process may crash and generate a core file on EX Series VC when converted a trunk port to dot1x access port while tagged traffic is flowing. There might be a race-condition, where interface mode is being changed while traffic is running and l2ald has processed interface delete but dot1x has not. PR1362587

  • Currently, other than QFX5100-24q and EX4600, PIC 1 is not supported on any other platforms inline with QFX5100. The set chassis fpc 0 pic 1 port <x> channel-speed disable-auto-speed-detection command cannot be used on PIC 1. This will result in a commit error [edit chassis fpc 0 pic 1 port 2 channel-speed] channel-speed disable-auto-speed-detection PIC:1 not valid for Auto-speed-disable mode. error: configuration check-out failed. So, if you want to disable auto-channelisation on PIC1, you have to disable auto-speed-detection for whole FPC. set chassis fpc 0 auto-speed-detection disable. PR1362647

  • EX4300 Virtual Chassis systems might fail to register some jnxOperating SNMP OIDs related to the Routing Engines. This behavior is more likely if Virtual Chassis members 0 and 1 (FPC0 and FPC1) are not selected as Routing Engine. PR1368845

  • Scale of 150 VRRP is not tested before, there are no issues observed for 100 VRRP groups. At the higher scale, there are no drops but traffic gets flooded for group beyond 100. PR1371520

  • When show command is taking a long time to display results, the STP might change states as BPDUs are no longer processed and cause lots of outages. PR1390330

  • On QFX5110 line of Series switches, uRPF check in strict mode will not work properly. PR1417546

  • The issue is limited to the database related to MAC-MOVE scenario. When dhcp-security is configured, if multiple IPv4 and IPv6 client's MAC-MOVE occur, the jdhcpd might consume 100 percent CPU and jdhcpd crashes. PR1425206

  • Multiple EX Series switches might be unable to commit baseline configuration after zeroize {master:0}[edit] root# commit check Mar 26 05:50:48 mustd: UI_FILE_OPERATION_FAILED: File /var/run/db/ doesn't exist Mar 26 05:50:48 mgd[1938]: UI_FILE_OPERATION_FAILED: Failed to open /var/run/db/ file error: Failed to open /var/run/db/ file error: configuration check-out failed: daemon file propagation failed. PR1426341

  • On EX9200 line of switches, when configuring too many VLANs and interfaces under VSTP a commit error might occur xSTP:Trying to configure too many interfaces for given protocol. PR1438195

  • When mac-table-aging-time is configured, the bridge domain sequence get incremented unnecessarily. As a result, the MACs get flushed when the change message is received by l2-learning daemon with new sequence number. PR1403358

  • Micro BFD session with timer configured with less than 3x500ms (such as 3x100ms) might flap upon inserting a QSFP to other port. PR1435221

  • On EX Series platforms, if particular 100G port is used, CPU might hang or interface might be stuck down on the 100G port. This issue might cause traffic disruption in the network. PR1440526

  • A sequence issue is observed when Virtual Chassis member is rebooted in aggregated interface. After rebooting VC member, the Routing Engine kernel injects MAC entry to FPC that rebooted. Because of the sequence issue, the Routing Engine added MAC entry, originally source MAC entry, to FPC as remote MAC entry. And MAC entry is never be aged out because it is a remote entry. PR1440574

  • On the EX9214 device, if the MACsec-enabled link flaps after reboot, the error errorlib_set_error_log(): err_id(-1718026239) is observed. PR1448368

  • The sFlow sample packets might stop on one aggregated Ethernet member link if ingress sFlow is configured on the member link. This might cause inaccurate monitoring on the network traffic. PR1449568

  • The l2ald and eventd processes are hogging 100 percent after clear ethernet-switching table command is issued. As a result, continuous syslog errors l2ald[18605]: L2ALD_IPC_MESSAGE_INVALID: Invalid message received (message type 0, subtype 0): null message are observed. PR1452738

  • On EX4300 and EX4600 Virtual Chassis or VCF scenario with VXLAN used, when configuring a firewall filter and commit, the firewall filter might not be able to be applied in a particular VC/VCF member for TCAM space running out. PR1455177

  • Syslog timeout connecting to peer database-replication is generated when command show version detail is issued. PR1457284

  • On QFX5100 and EX4600 platforms, the fxpc (Packet Forwarding Engine manager) process might crash when multiple BGP IPv6 sessions (for instance around 500) are flapped and then restored at the same time. PR1459759

  • When tunnel-services are configured on a PIC, the optics measurements that subscribed through gRPC might not be streamed. PR1468435


  • The set system ports console log-out-on-disconnect command does not work. PR1146891

  • When an SNMP poll is performed for the following OID's, the backup Routing Engine returns the value 6 (6=down) for the FAN and 1 (1=unknown) for the PSU's, even though the FAN and PSU's are UP. Fan: PSU: PR1360962

  • On EX Series platforms, when you configure a large number of firewall filters on some interfaces, the FPC crashes generating core files. PR1434927

  • Packet Forwarding Engine sometimes does not come up after system reboot. Timeout is required to handle the fifo tx/rx error. Debug sysctls are been removed. Mutex been added to handle to race condition. PR1454950

Interfaces and Chassis

  • On GRES switchover, VSTP port cost on aggregated Ethernet interfaces might get changed, leading to topology change. PR1174213

  • When dynamic DHCP sessions are existing in the device, if multiple commits in parallel are performed, the commit might hang up. PR1470622

Junos Fusion Enterprise

  • On a Junos Fusion, when using LLDP, the "Power via MDI" and "Extended Power via MDI" TLVs are not transmitted. PR1105217

  • On a Junos Fusion Enterprise, when the satellite devices of a cluster are rebooted, the output of the CLI command show chassis satellite shows the port state of the cascade ports as "Present". PR1175834

  • In Junos Fusion Enterprise environment, when EX3400 is being used as Satellite Device (SD), the cascade port on aggregation device (AD) might go down after it’s connected SD reboot. PR1382091

  • In Junos Fusion Enterprise environment with EX2300-48P or EX2300-48T acting as satellite devices, loop-detect feature does not work for ports 0-23, since the loop detect filter is not properly applied. PR1426757

  • In a Junos Fusion Enterprise environment, when traffic originates from a peer device connected to the aggregation device and the ICL is a LAG, there might be a reachability issue if the cascade port is disabled and traffic has to flow through the ICL LAG to reach the satellite device. As a workaround, use single interface as the ICL instead of a LAG. PR1447873

Layer 2 Ethernet Services

  • On EX4300, EX4600, switches with spine-leaf scenario, when two or more than two underlay interfaces with ECMP are brought down on leaf devices, the multihop BFD overlay sessions between spines and leafs might flap. And if BFD flaps, the protocols depending on the BFD (typically, IBGP protocols) might also flap, that leads to traffic impact. PR1416941

  • On EX Series platforms with service dhcp enabled, the jdhcpd_era log files constantly consume 121M of space out of 170M, resulting into file system full and traffic impact. Memory usage of /var/log/ will reach 100 percent. PR1431201

  • In DHCP relay scenario, if the device (DHCP relay) receives a request packet with option 50 where the requested IP address matches the IP address of an existing subscriber session, such request packet might be dropped. In such a case, the subscriber might need more time to get IP address assigned. The subscriber might remain in this state until it's lease expires if it has previously bound with the address in the option 50. PR1435039

Layer 2 Features

  • eswd[1200]: ESWD_MAC_SMAC_BRIDGE_MAC_IDENTICAL: Bridge Address Add: XX:XX:db:2b:26:81 SMAC is equal to bridge mac hence don't learn is seen in syslog every few minutes on ERPS owner. The logs occur during ERPS PDU in ERPS setup. PR1372422

  • On EX4600 platforms, if copper base SFP-T is used, it might not get up on physical layer and the MAC/ARP learning might not work if it gets up. The PR fixes both layer-1 and layer-2 issues in this scenario. PR1437577

  • On EX Series platforms with STP disabled, the LLDP function might fail when a Juniper Networks device connects to a non-Juniper one. In this scenario, the LLDP PDU with destination MAC 01:80:c2:00:00:00, which is one of the three reserved MAC addresses for LLDP in IEEE 802.1AB, will be ignored by Juniper LLDP process, and this causes the LLDP function failure. This issue has a service impact. PR1462171


  • IGMP query packets might be duplicated between L2 interfaces with IGMP Snooping is enabled. PR1391753

Platform and Infrastructure

  • On EX4300 switches, when a policer with the action of loss of priority is applied to the lo0 interface, all ICMP packets might be dropped. PR1243666

  • On EX4300 switches, the software upgrade in FIPS mode fails with the following error: ERROR: py-base-powerpc-18.1R1.9.tgz: not a signed package. PR1371427

  • The first IRB stops working on adding the second IRB to an aggregated Ethernet and then removing it. PR1423106

  • On all Junos OS platforms, when a device is upgraded to a newer version and retry-options statement exists in the configuration file, after the upgrade, the older version of the login-attempts and login-locks exist on an upgraded device. Under these circumstances, the device might not be accessible through ssh/telnet/console and the sshd process might crash. PR1435173

  • On EX4300, and EX4600 line of Series switches, DMA buffer leaking might hit once the next-hop of received traffics is not resolved and eventually cause an FPC/pfex to crash if the DMA buffer runs exhaustion. PR1436642

  • In EX4300 switches when 1G SFP is connected to 10G port, autonegotiation (AN) is enabled, many issues like ARP, link down might be caused. Therefore, when AN is disabled somehow corrupting the TX_DISABLE field resulting in Laser Tx remain enabled when disabling and plug-out - plug-in. PR1445626

Routing Protocols

  • On EX4300 and EX4600 Series switches, if host destined packets (that is, the destination address belongs to the device) come from the interface with ingress filter of log/syslog action (for example, 'filter <> term <> then log/syslog'), such packets should not be dropped and reach the Routing Engine. PR1379718

  • If IGMP v2 is used and proxy mode is used for igmp-snooping, multicast traffic might be dropped because by default proxy sends queries/reports in IGMP v3 version, until the device receives new IGMP v2 query or report. PR1425621

  • On EX4600 with service provider (SP) style VLAN configuration (in this method, each VLAN-ID is locally significant to a physical interface), if interface-mac-limit or mac-table-size is configured (that is, software MAC learning is enabled) and the scale of MAC addresses on the box is more than 2000, traffic might be dropped after Q-in-Q enabled interface is flapped or a change is made to the vlan-id-list. PR1441402

Subscriber Access Management

  • The authd reuse address too quickly before jdhcpd completely cleanup the old subscriber with flooding error log. The log such as jdhcpd: %USER-3-DH_SVC_DUPLICATE_IPADDR_ERR: Failed to add as it is already used by 1815. PR1402653

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases for the EX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues:17.4R3

Authentication and Access Control

  • Dot1xd core file might be observed dot1x interface is configured with EAP-PEAP as an authentication protocol. PR1322891

  • Without dot1x configuration, the syslog dot1xd[2192]: task_connect: task PNACAUTH./var/run/authd_control addr /var/run/authd_control: Connection refused is generated repeatedly. PR1406965

Class of Service (CoS)

  • CoS is incorrectly applied on Packet Forwarding Engine, leading to egress traffic drop. PR1329141


  • A few minutes of traffic loss might be observed during recovery from link failure. PR1396597

  • The device might proxy the ARP probe packets in an EVPN environment. PR1427109

  • ARP request/NS might be sent back to the local segment by DF router. PR1459830

Forwarding and Sampling

  • The l2ald process might observe memory leak on Junos OS platforms. PR1455034

General Routing

  • The RE-PFE out-of-sync errors might be seen in syslog. PR1232178

  • Syslogs contain messages with %PFE-3: fpc0 ifd null, port 28 dc-pfe: %USER-3: ifd null, port 28 : %PFE-3: fpc0 ifd null, port 29 dc-pfe: %USER-3: ifd null, port 29. PR1295711

  • EX4300-32F MACsec session stays down on 1G or 10G links after events when events are performed with running traffic. PR1299484

  • MACsec causes dot1xd JTASK_SCHED_SLIP or FPC disconnect. PR1322302

  • QFX5000 platforms might display fpc0 error requesting CMTFPC SET INTEGER, illegal setting 37 observed after upgrade. PR1340897

  • The 40-Gigabit interfaces might not forward traffic. PR1349675

  • When VOIP VLAN is set as NATIVE VLAN on the port, the interface still shows up as a tagged interface and drops all untagged traffic. PR1349712

  • The l2ald process might crash and generate a core file on EX Series Virtual Chassis when converting a trunk port to dot1x access port with tagged traffic flowing. PR1362587

  • FPM board status is missing in SNMP MIB walk result. PR1364246

  • OAM Ethernet connectivity-fault-management configured on an aggregated Ethernet interfaces is not supported and no commit error is observed. PR1367588

  • Unable to use Ansible to collect RSI from EX9200. PR1367913

  • IPv6 router advertisement (RA) messages can increase internal Kernel memory usage. PR1369638

  • The dot1xd might crash when dot1xd receives incorrect reply length from the authd. PR1372421

  • The interface might not flap when both flap-on-disconnect and port-bounce are sent. PR1372619

  • MAC refresh packet might not be sent out from the new primary link after RTG failover. PR1372999

  • The rpd process might crash when route flap and LSP flap occur with CBF enabled. PR1374558

  • FPC might crash when flapping the output interface of analyzer or sampling. PR1374861

  • RIPv2 update packets might not send with IGMP snooping enabled. PR1375332

  • Unable to commit with a configuration of packet-length in egress firewall filter on EX9200. PR1378901

  • ARP request packets might be sent out with 802.1Q VLAN tag. PR1379138

  • The dot1x does not work with Microsoft NPS server. PR1381017

  • IRB interface does not turn down when master of VC is rebooted or halted. PR1381272

  • Constant memory leak might lead to FPC memory exhaustion. PR1381527

  • ARP/Ethernet-table is pointing to down aggregated Ethernet interface if MTU is changed. PR1385199

  • On EX9200 platforms, the warning message prefer-status-control-active is used with status-control standby might be seen whenever you commit an operation. PR1386479

  • MAC learning might stop working on some LAG interfaces. PR1389411

  • The input rate statistics might not increase if there are non-standard packets flow. PR1389908

  • The dhcp-security binding table might not be updated due to the renew request with '' value in 'ciaddr'. PR1394341

  • The subscriber bindings might not be successful on EX Series platforms. PR1396470

  • The authd might stop when issuing show network-access requests pending command during the authd restarting. PR1401249

  • The TCP connection between ppmd and ppman might be dropped due to a kernel issue. PR1401507

  • The STP does not work when aggregated interfaces number is "ae1000" or above in QFX5000 and "ae480" or above in EX Series switches. PR1403338

  • The DHCP discover packets are forwarded out of an interface incorrectly if DHCP snooping is configured on that interface. PR1403528

  • In a very rare situation the router can crash with VMCore when there is a logical interface deletion. PR1404507

  • PEM alarm for backup FPC remains on master FPC though backup FPC is detached from Virtual Chassis. PR1412429

  • Virtual Chassis might become unstable and FXPC core files are generated when there are a lot of configured filter entries. PR1422132

  • MACsec connection on EX4600 platforms might not come back up after interface disconnect/reconnect. PR1423597

  • The jdhcpd might consume 100 percent CPU and crash if dhcp-security is configured. PR1425206

  • Rebooting or halting Virtual Chassis member might cause 30 seconds down on RTG link. PR1427500

  • The l2cpd process might crash and generate a core file when interfaces flap. PR1431355

  • The mc-ae interface might get stuck in waiting state in dual mc-ae scenario. PR1435874

  • Commit check error for VSTP on EX9200s: xSTP:Trying to configure too many interfaces for given protocol. PR1438195

  • The DHCP Snooping table might be cleared for VLAN ID 1 after adding a new VLAN ID to it. PR1438351

  • The EX4600 and QFX5100 Virtual Chassis might not come up after replacing Virtual Chassis port fiber connection with DAC cable. PR1440062

  • DHCP snooping static binding not take effect after deleting and re-adding the entries. PR1451688

  • Configuration change in VLAN all option might affect the per-VLAN configuration. PR1453505

  • The correct VoIP VLAN information in LLDP-MED packets might not be sent after commit if dynamic VoIP VLAN assignment is used PR1458559


  • Packets with the DEI/CFI bit set to 1 in the L2 header might not be forwarded. PR1326855

  • Traffic might silently get dropped or discarded with indirect next hop and load balancing. PR1376057

  • The kernel crash when GRES configuration is enabled and committed. PR1376362

  • The traffic to the NLB server might not be forwarded if the NLB cluster works on multicast mode. PR1411549

  • Some of EX Series platforms might generate vmcore by panic and reboot. PR1456668

Interfaces and Chassis

  • The logical interfaces in EVPN routing instances might flap after committing configurations. PR1425339

  • The traffic might be forwarded to incorrect interfaces in MC-LAG scenario. PR1465077

Junos Fusion Enterprise

  • PoE over LLDP negotiation is not supported on Junos Fusion Enterprise setup. PR1366106

  • New satellite device cannot be added to the Fusion scenario. PR1374982

  • The l2ald might crash while issuing clear ethernet-switching table persistent-learning command. PR1409403

  • Extended ports in JFE do not adjust MTU when VoIP is enabled. PR1411179

  • The traffic might get silently dropped or discarded in Junos Fusion Enterprise scenario with dual-AD. PR1417139

  • Loop-detect feature is not working in Junos Fusion Enterprise. PR1426757

Layer 2 Ethernet Services

  • Junos OS core file jdhcpd.core.0 is found in dhcpv6_packet_handle. PR1329390

  • BOOTP packets might be dropped if BOOTP-support is not enabled at the global level. PR1373807

  • The malfunction of core isolation feature in EVPN-VXLAN scenarios causes traffic drop. PR1417729

  • The DHCP DECLINE packets are not forwarded to DHCP server when forward-only is set within dhcp-reply. PR1429456

  • On EX9200, DHCP-relay is stripping the 'GIADDR' field in messages towards the DHCP clients. PR1443516

Layer 2 Features

  • RTG MAC refresh packets will be sent out from non-RTG ports if the RTG interface belonging to the Virtual Chassis master flap. PR1389695

  • The traffic with triple or more 802.1Q tags might fail to forward. PR1415769

Layer 3 Features

  • The l2ald might crash when issuing clear ethernet-switching table persistent-learning. PR1381739

Network Management and Monitoring

  • Over temperature trap does not send out even though there is temperature hot alarm. PR1412161

Platform and Infrastructure

  • Ping does not go through device after WTR timer expires in ERPS scenario. PR1132770

  • Packet drop might be seen on the logical tunnel interfaces lt-x/2/x or lt-x/3/x. PR1345727

  • Interface flapping is seen on EX4300 switch. PR1361483

  • The LLDP TLV with the incorrect switch port capabilities might be sent. PR1372966

  • On EX4300 switches, the software upgrade in FIPS mode fails and an error message py-base-powerpc-18.1R1.9.tgz: not a signed package is observed. PR1371427

  • ECMP route installation failure with log messages like unilist install failure might be observed on EX4300 device. PR1376804

  • Packet drops on interface if the statement gigether-options loopback is configured. PR1380746

  • Traffic loss seen in Layer 2 VPN with GRE tunnel. PR1381740

  • On EX4300 loss-priority high set to multicast packets is overridden. PR1382893

  • EX4300 device chooses incorrect bridge-id as RSTP bridge-id. PR1383356

  • After EX4300 Virtual Chassis is upgraded to Junos OS Release 18.2R1 jdhcpd: shmlog: shared log header is NULL log message can be seen. PR1387871

  • Unicast DHCP request might get misforwarded to backup RTG link. PR1388211

  • ICMPV6 packets are not classified with static or multifield forwarding-class mapping. PR1388324

  • Layer 3 IP route might be deleted after L2 next hop change is seen. PR1389688

  • Continuous log messages get printed on EX4300 after upgrading to Junos OS Release 17.4 or later. PR1391942

  • On EX4300 Series switches when a firewall filter is applied to a loopback interface, other firewall filters for multicast traffic might fail. PR1392082

  • EX4300 OAM LFM might not work on extended-vlan-bridge interface with native VLAN configured. PR1399864

  • Traffic drop is seen on EX4300 when 10G fiber port is using 1 Gigabit Ethernet SFP optics with autonegotiation enabled. PR1405168

  • Untagged traffic is single-tagged in Q-in-Q scenario on EX4300 platforms. PR1413700

  • In EX4300 few ports might remain in dot1x 'connecting' state and fail to transition to 'authenticated' state. PR1417270

  • On EX4300 runt counter is never incremented. PR1419724

  • EX4300 does not send fragmentation needed message when MTU is exceeded with DF bit set. PR1419893

  • The pfex process might crash and core files might be generated when SFP is reinserted. PR1421257

  • Traffic loss is seen when one of logical interfaces on LAG is deactivated or deleted. PR1422920

  • Auditd crashes when accounting RADIUS server not reachable. PR1424030

  • SNMP (ifHighSpeed) value does not appear properly for VCP interfaces only. It is appears as zero. PR1425167

  • Interface flapping scenario might lead to ECMP nexthop install failure on EX4300s. PR1426760

  • IPv6 traffic might be dropped when static /64 Ipv6 routes are configured. PR1427866

  • EX4300 does not drop FCS frames with CRC error on XE interfaces. PR1429865

  • Unicast ARP requests are not replied with no-arp-trap option. PR1429964

  • EX4300 enables the soft error recovery feature on the Packet Forwarding Engine, which can automatically detect the Packet Forwarding Engine parity error and recover by itself. PR1430079

  • The ERPS failover does not work as expected on EX4300 device. PR1432397

  • The device might not be accessible after the upgrade. PR1435173

  • The PoE might not work after upgrading the PoE firmware on EX4300 platforms. PR1446915

  • The firewall filters might not be created due to TCAM issues. PR1447012

  • NSSU cause a traffic loss again after the backup to master transitions. PR1448607

  • ERP might not revert back to IDLE state after reload/reboot of multiple switches. PR1461434

Routing Protocols

  • The PPM mode for BFD session in EX4300 is centralized and not distributed by default. PR1361800

  • EX4300 might drop incoming IS-IS hello packets when IGMP or MLD snooping is configured. PR1400838

  • On Junos OS EX4600 switches, console management port device authentication credentials are logged in clear text. PR1408195

  • ICMPv6 RA packets generated by Routing Engine might be dropped on the backup member of Virtual Chassis if igmp-snooping is configured. PR1413543

  • Error message RPD_DYN_CFG_GET_PROF_NAME_FAILED: Get profile name for session XXX failed: -7, might be seen in syslog after restarting routing daemon. PR1439514

  • The bandwidth value of the DDOS-protection might cause the packets loss after the device reboot. PR1440847

  • Junos OS BFD sessions with authentication flaps after a certain time. PR1448649

  • Loopback address exported into other VRF instance might not work on EX Series platforms. PR1449410

  • MPLS LDP might still use stale MAC of the neighbor even the LDP neighbor's MAC changes. PR1451217

Spanning Tree Protocols

  • The l2cpd might crash if the VSTP traceoptions and VSTP VLAN all commands are configured. PR1407469

User Interface and Configuration

  • Switch might unable to commit baseline configuration after zeroize. PR1426341

Virtual Chassis

  • Current MAC address might change when deleting one of the multiple L3 interfaces. PR1449206

Resolved Issues: 17.4R2

Authentication and Access Control

  • Macsec statistics display output is not proper. PR1355339


  • The traffic might get dropped as the core-facing interface is down. PR1343515

  • Proxy ARP might not work as expected in an EVPN environment. PR1368911

High Availability (HA) and Resiliency

  • When igmp-snooping and bpdu-block-on-edge are enabled, IP protocol multicast traffic sourced by the kernel (such as OSPF, VRRP, and so on) gets dropped in the Packet Forwarding Engine level. PR1301773


  • Unable to provide management when em0 interface of FPC is connected to another FPC L2 interface of the same Virtual Chassis. PR1299385

  • The file system might be corrupted multiple times during an image upgrade or a commit operation. PR1317250

  • The upgrade might fail if bad blocks are in the flash/filesystem and corruption occurs. PR1317628

  • PFC feature might not work on an EX4600. PR1322439

  • ifinfo core files can be created on an EX4600 Virtual Chassis. PR1324326

  • There is support for archiving dmesg file /var/run/dmesg.boot.PR1327021

  • Enabling mac-move-limit stops ping on flexible-vlan-tagging enabled interface. PR1357742

  • The dot1x filter might be removed from the Packet Forwarding Engine when static-mac-address ages out or is learned by eswd. PR1335125

Interfaces and Chassis

  • An identical IP address can be configured on different logical interfaces from different physical interfaces in the same routing instance (including the master routing instance). PR1221993

  • An EX4300 Virtual Chassis LACP flap is observed after rebooting a master FPC with PDT configurations PR1301338

  • The interface might not work properly after FPC restarts. PR1329896

  • The MAC address assigned to an aggregated Ethernet member interface is not the same as that of its parent aggregated Ethernet interface upon master node removal. PR1333734

  • An EX4600 MC-lAG is observed after the reboot of a VRRP master and backup There are also black holes in traffic to downstream switches. PR1345316

Platform and Infrastructure

  • After access is rejected, the dot1x process might crash due to a memory leak. PR1160059

  • The mismatch of VLAN-ID between an interface IFL and VLAN configuration might result in a traffic black hole. PR1259310

  • MACsec session cannot be recovered after physically flapping one link of an aggregated Ethernet. PR1283314

  • Performing load replace terminal and attempting to replace the interface stanza might terminate the current CLI session and leave the user session hanging. PR1293587

  • You might observe some eswd core files if apply-groups is configured under interface-range. PR1300709

  • Multicast receiver connected to EX4300 might not be able to get the multicast streaming. PR1308269

  • Traceroute is not working in an EX9200 device for routing instances running on Junos OS Release 17.1R3. PR1310615

  • Autonegotiation is not working as expected between an EX4300 and an SRX5800. PR1311458

  • Traffic loss is observed while performing NSSU. PR1311977

  • IGMP snooping might not learn a multicast router interface dynamically. PR1312128

  • PEM alarms and I2C failures are observed on EX9200 Series. PR1312336

  • The DHCP-security binding table might not get updated. PR1312670

  • Traffic going through an aggregated Ethernet interface might be dropped if there is a mastership change. PR1327578

  • A memory leak is seen for dot1xd. PR1313578

  • The Fan speed might frequently fluctuate between normal and full for MX Series platform. PR1316192

  • The interface with 1G SFP might go down if no-auto-negotiation is configured. PR1315668

  • Replace the show vlans evpn command to the show ethernet-switching evpn command for the EX9200 line of switches.. PR1316272

  • IGMPv3 on EX4300 does not have the correct outgoing interfaces in the Packet Forwarding Engine that are listed in the kernel. PR1317141

  • The L2cpd core files might be seen if the interface is disabled under VSTP and enabled under RSTP. PR1317908

  • The vmcore might be seen and the device might reboot after the ICL is changed from an aggregated Ethernet to a physical interface. PR1318929

  • High latency might be observed between a master Routing Engine and another FPC. PR1319795

  • VLAN might not be processed, which leads to improper STP convergence. PR1320719

  • Multicast traffic might not be forwarded to one of the receivers. PR1323499

  • MAC learning issue and new VLANs creation failure might happen for some VLANs on an EX4300 platform. PR1325816

  • The L2cpd might create a core file. PR1325917

  • Extra EAP request packets might be sent unnecessarily. PR1328390

  • EX4300 crashes when it receives more than 120kpps ARPs on me0 interface. PR1329430

  • EX Series switches do not send RADIUS request after modifying the interface-range configuration. PR1326442

  • The major alarm Fan & PSU Airflow direction mismatch might be seen by removing the management cable. PR1327561

  • The SNMP trap message is always sent out with log about Fan/Blower OK on an EX4300 Virtual Chassis switch. PR1329507

  • When exhausting a TCAM table, the filter might be incorrectly programmed. PR1330148

  • The Rpd process crashed and generated core files on the new backup Routing Engine at task_quit,task_terminate_timer_callback,task_timer_dispatch,task_scheduler after disabling NSR and GRES. PR1330750

  • The dot1xd might crash if ports in multi-supplicant mode flaps. PR1332957

  • The interface on which the VSTP is disabled by CLI might stay in the Discarding state after rebooting the device. PR1333684

  • STP BPDUs are not sent out on the other active child when the anchor FPC has no active child. PR1333872

  • MQSS errors and alarms might occur when the interface goes down. PR1334928

  • EX9208: vstp vlan all statement has created L2CPD core files are generated during Routing Engine switchover or commit. PR1341246

  • EX4300 storm control does not generate any action log after adding an RTG configuration. PR1335256

  • IGMP packets are forwarded out of an RTG backup interface. PR1335733

  • An L2cpd memory leak appears on EX Series platforms with VoIP configured. PR1337347

  • The show spanning-tree statistics bridge command output gives 0 for all VLAN instance IDs. PR1337891

  • MAC source address filter with the configuration statement accept-source-mac. does not work if MAC move limit is configured. PR1341520

  • MSTP might not work normally after permitting a commit. PR1342900

  • The filter might not be programmed in the Packet Forwarding Engine even though TCAM entries are available. PR1345296

  • Statistics daemon PFED might generate core files on an upgrade between certain releases. PR1346925

  • After the EX9200 FPC comes online, the other FPC CPU might use 100 percent and has traffic loss for about 30 seconds. PR1346949

  • On EX4300 or EX4600 switches the VLAN translation feature does not work for the control plane traffic. PR1348094

  • On EX4300 platforms, traffic drop might happen if LLC packets are received with DSAP and SSAP as 0x88 and 0x8e. PR1348618

  • Running RSI via console port might cause system crash and reboot. PR1349332

  • EX4600 detects a LATENCY OVER-THRESHOLD event with the incorrect value. PR1348749

  • Commit error observed if box is downgraded from Junos OS 18.2/18.3 release to Junos OS Release 17.3R3. PR1355542

  • On EX4300 platforms (Virtual Chassis and standalone) running Junos OS Release 16.1R5 or Junos OS Release 16.1R6, a firewall filter with a syslog option is unable to send syslog messages to the syslog server. PR1351548

  • A high usage chassis alarm in "/var" does not clear from the EX4300 Virtual Chassis when a file is copied from fpc1 (master) to fpc0 (backup). PR1354007

  • The ports using an SFP-T transceiver might still be up after system halt. PR1354857

  • The FPC might crash due to the memory leak caused by the VTEP traffic. PR1356279

  • Some interfaces cannot be added under STP configuration. PR1363625

  • On EX4300/EX4600 platforms, the l2ald process might crash in dot1x scenario. PR1363964

  • Packet Forwarding Engine might crash if encountering frequent MAC move. PR1367141

  • The request system zeroize non-interactively might not erase the configuration on EX4300. PR1368452

Routing Protocols

  • Observed mcsnoopd core file at __raise,abort,__task_quit__,task_quit,task_terminate_timer_callback,task_timer_dispatch,task_scheduler_internal (enable_slip_detector=true, no_exit=true) at ../../../../../../src/junos/lib/libjtask/base/task_scheduler.c:275.PR1305239

  • OSPF routes cannot be installed on the routing table until the lsa-refresh timer expires. PR1316348

  • BGP peer is not established after a Routing Engine switchover when graceful-restart and BFD are enabled. PR1324475

  • The igmp-snooping might be enabled unexpectedly. PR1327048

Resolved Issues: 17.4R1

Authentication, Authorization, and Accounting (AAA)

  • Dot1x crash on EX4300 can occur when traffic is flooded while a VLAN configuration commit is in progress PR1293011

Class of Service (CoS)

  • On EX4300 or EX4600, traffic might be dropped when there is more than one forwarding-class under forwarding-class-sets. PR1255077


  • An l2ald crash occurs with no apparent trigger. PR1302344


  • EX4300 aggregated Ethernet interface goes down when interface member VLAN is PVLAN and LACP is enabled. PR1264268

Junos Fusion Enterprise

  • CoS shaping is not happening properly according to the configured shaping rate. PR1268084

  • Request chassis satellite beacon functionality to specific SD is not working, causing all the SDs to enable the beacon LED. PR1272956

  • On Dual-AD JFE setup, while applying Routing Engine lo0 filters and setting the cascade port down on AD2, the SD goes to "ProvSessionDown" on that AD2 while it stays online on AD1. PR1275290

  • Issues are seen during conversion from Junos OS release to SNOS. PR1289809

  • VRRP has a split-brain in dual autodiscovery Junos Fusion. PR1293030

  • AD without cascade port cannot reach hosts over ICL link if they are authenticated by dot1x in a different VLAN than the default (manually assigned) VLAN. PR1298880

  • The dot1x authentication might fail in a Junos Fusion setup. PR1299532

  • IPv6 multicast is not forwarded over MC-LAG ICL interface until interface toggle. PR1301698

  • Dot1x might crash in a Junos Fusion setup with dual AD. PR1303909

  • All the dot1x sessions are removed when AUTO ICCP link is disabled. PR1307588

  • LACP aggregated Ethernet interfaces go to a down state when performing commit synchronize. PR1314561

Layer 2 Features

  • Feature swap-swap might not work as expected in Q-in-Q scenario. PR1297772

Network Management and Monitoring

  • The show snmp mib walk command used for jnxMIMstMstiPortState does not display anything in Junos OS Release 17.1R2 on the EX4600 platform. PR1305281

Platform and Infrastructure

  • Layer 3 protocol packets are not being sent out from the switch. PR1226976

  • PXE unicast ACK packets are dropped on EX4300. PR1230096

  • The EOAM LFM adjacency on EX9200 might flap when the unrelated MIC that is in the same MPC slot is brought online. PR1253102

  • The interface-range command cannot be used to set speed and autonegotiation properties for a group of interfaces. PR1258851

  • On EX4300 Virtual Chassis, a 10-Gigabit Ethernet VCP might not get a neighbor after a system reboot. PR1261363

  • CPU utilization for pfex_junos usage might go high if DHCP relay packets are coming continually. PR1276995

  • On EX4300 some functions of IPv6 Router Advertisement Guard do not work. PR1294260

  • ERROR: /dev/da0s1a is not a JUNOS snapshot is seen during system startup. PR1297888

  • On EX4300 switches, when unknown unicast ICMP packets are received by an interface, packets are routed, so TTL is decremented. PR1302070

  • On EX4300 Virtual Chassis, the FRU PSU removal and insertion traps are not generated for master or backup FPCs. PR1302729

Port Security

  • MACsec might not work on a 10-Gigabit Ethernet interface after the switch is rebooted. PR1276730

User Interface and Configuration

  • On EX4300, J-Web allows configuration of source-address-filter. PR1281290

Virtual Chassis

  • On EX4300 FRU removal/insertion trap not generated for non-master (backup/line card) FPCs. PR1293820

VLAN Infrastructure

  • VLAN association is not being updated in the Ethernet switching table when the device is configured in single supplicant mode. PR1283880

Documentation Updates

There are no errata or changes in Junos OS Release 17.4R3 for the EX Series switches documentation.

Migration, Upgrade, and Downgrade Instructions

This section contains the upgrade and downgrade support policy for Junos OS for the EX Series. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. For information about software installation and upgrade, see the Installation and Upgrade Guide.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 17.1, 17.2 and 17.3 are EEOL releases. You can upgrade from Junos OS Release 17.1 to Release 17.2 or from Junos OS Release 17.1 to Release 17.3. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see