Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Known Issues


This section lists the known issues in hardware and software in Junos OS Release 17.4R2 for MX Series routers.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

General Routing

  • An intermittent issue occurs when an aggregated Ethernet interface is configured with the bypass-queuing-chip configuration statement. The follow-up configuration changes are such that, removing a child link from an aggregated Ethernet bundle and configuring per-unit-scheduler on the removed child link in a single commit causes intermittent issues with the per-unit-scheduler configuration updates to cosd and the Packet Forwarding Engine. Hence, dedicated scheduler nodes might not be created for all units or logical interfaces. PR1162006

  • After loading a CoS-related configuration on MPC5E, MPC6E, MPC2E-NG, or MPC3E-NG line cards, the following error messages might be seen: jnh_ifl_topo_handler_pfe(11591): ifl=495 err=1 updating channel table nexthop and _insert_ifl_channel:6449 ifl 495 chan_index 495 NOENT. PR1186645

  • The source-address based filter forwarding is used under forwarding-options to steer the packets towards the AMS bundle in the Vodafone configuration. When you remove the source-address condition from the filter, the reverse traffic gets looped back into the AMS bundle. Under this condition, prolonged flow control core files are seen. The source-address configured in the SFW rule should have dropped the packets, which are getting looped back into the AMS bundle, but this is not happening, even though SFW functionality works as expected for other packets. PR1192184

  • With MPC8/9 MRATE MIC and plug-in optics module(QSFP28-100GBASE-LR4), bit errors might be seen. PR1200010

  • Upgrading using unified ISSU might trigger a flap in the interfaces on MX Series routers and the following message might be seen: SFP: pointer Null, sfp_set_present. PR1200045

  • After system boot up or after PSM reset, you might see the PSM INP1 or INP0 circuit Failure error message. PR1203005

  • Various common situations lead to different views of forwarding information between kernel and Packet Forwarding Engines. For example, fpc7 KERNEL/PFE APP=NH OUT OF SYNC: error code 3 REASON: NH add received for an ifl that does not exist ERROR-SPECIFIC INFO: nh_id=562 , type = Hold, ifl index 334 does not exist TYPE-SPECIFIC INFO: none. There is no service impact found in MPC2 and MPC3 type cards. PR1205593

  • The following error messages occur during GRES and unified ISSU: syslog errors @ agentd_rts_async_rtbm_msg : FLM : Failed to create private. PR1232636

  • When virtual switch type is changed from IRB type to regular bridge, interfaces under the OpenFlow protocol are removed. The openflow process fails to program any flows. PR1234141

  • After configuring PCEP following log seen - pccd: [89798] Could not decode message from rpd. This might impact in growth of memory of pccd process over time, which can be cleared by restarting the process. PR1235692

  • When gRPC subscription for telemetry data has a 2-second frequency, the jsd process might crash. PR1247254

  • On MX Series routers with an XM chipset (such as, MPC3E/MPC4E/MPC5E/MPC6E/MPC2E-NG/MPC3E-NG), the MPC might reboot after a unified ISSU completion. PR1256145

  • Error messages such as mspmand[190]: msvcs_session_send: Plugin id 3 not present in the svc chain for session ..are seen. They are usually cosmetic. PR1258970

  • When both the OAM protocol and the MACsec protocol are configured on an interface the interface does not come online.This issue occurs when an interface comes online and both OAM protocol and MACsec Key Agreement (MKA) protocol try to establish their respective sessions. Because of contention between these two protocols, OAM takes down the interface and MKA fails to establish connection (because the interface is down, it cannot send out MKA packets). PR1265352

  • On an MX Series Virtual Chassis system in a scaled subscriber management scenario, if a unified ISSU is performed while the BGP protocol sessions are active and such BGP sessions are clients of BFD, then these BGP sessions might go down and come back up again, causing traffic loss. PR1265407

  • During a unified ISSU, only the Packet Forwarding Engine gets wedged. This very specific issue occurs when the Packet Forwarding Engine is oversubscribed with unknown unicast flooding with no MAC learning, which is not a common configuration. However, this issue is not seen when the Packet Forwarding Engine is oversubscribed with Layer 3 traffic or with Layer 2 traffic with MAC learning. PR1265898

  • Guest network functions (GNFs) in a node-slicing setup currently do not support Junos Snapshot Administrator or recovery mechanisms. PR1268943

  • Dynamic endpoint (DEP) does not support dh group group19, encryption algorithm aes-256-cbc, and hash sha-384 in its list of default proposals. These proposals must be configured explicitly in the configuration. PR1269160

  • Sometimes l2cpd core files are generated when LLDP neighbors are cleared. PR1270180

  • There are incorrect counters for output packets on child links of the ae0 interface when configured with the new feature revertive. PR1273983

  • For inline jflow, when both packets and seconds interval are configured for the template-referesh-rate and option-refresh-rate configuration options, the packets interval configuration is not working. PR1274206

  • A routine within an internal Junos OS sockets library is vulnerable to a buffer overflow. Malicious exploitation of this issue might lead to a denial-of-service (kernel panic) or be leveraged as a privilege escalation through local code execution. The routines are only accessible through programs running on the device itself, and veriexec restricts arbitrary programs from running on Junos OS. There are no known exploit vectors utilizing signed binaries shipped with Junos OS itself. See, PR1282562

  • On an MX Series Virtual Chassis, when using a channelized configuration on MPC7/8/9 MRATE PIC QSFP interfaces for VCP connections between members, a VCP interface needs to be configured on channel 0 of each QSFP to activate the port. PR1283283

  • Due to a code limitation, an ungraceful removal of summit MACsec TIC from the chassis might cause a crash or an unpredictable result. PR1284040

  • On MX10003, the chassisd hard restart command is not supported due to an infrastructure limitation. The FPC power off does not happen cleanly as the old chassisd process initiates the fpc power off command and exits. Restarting chassisd hard with GRES on an MX10003 causes a new chassisd process to open, reconnect a window, and wait for the connection. The Routing Engine and FPC go out of synchronization and FPC reconnect is not handled, which causes the FPC to be restarted multiple times. Finally, FPC comes online. PR1293314

  • Fixes committed in Junos OS Releases 15.1R5-S4, 16.1R4-S3, 16.1R5, and 17.3R1 with XM-based linecards (such as, MPC3E/4E/5E/6E/2E-NG/3E-NG) might report the chassisd error log message DDR3 TEMP ALARM. PR1293543

  • If OC package upgrade is triggered when telemetry is occuring, the xmlproxyd process might crash. It will recover automatically and xmlproxyd related streaming will restart as the process comes up again. We recommend that you stop the streaming and then upgrade the OC package. PR1295831

  • In some Junos OS for MX Series deployments, random syslog messages are observed for FPC cards fpcx ppe_img_ucode_redistribute Failed to evict needed instr to GUMEM - xxx left. These messages are not an issue and might not have any service impact. These messages are addressed as INFO level messages. On the Packet Forwarding Engine, there are dedicated UMEM and shared GUMEM memory blocks. This INFO message indicates some evicting events between UMEN and GUMEN and can be safely ignored. PR1298161

  • When a GRES or NSR is performed on a BSYS, the master Routing Engine on the GNFs (virtual nodes/network slices) will detect the BSYS chassisd restart and enter an NSR hold-down delay. During this time, CLI commands evoke a switchover on the master Routing Engine indicating that the system is not NSR ready. This situation is similar to that of a standalone MX Series router in which chassisd is restarted on the master Routing Engine. Note that a CLI command on the BU Routing Engine will succeed. This too, is similar to the behavior on a standalone MX Series router. PR1298571

  • The iLatency (calculated by differing producer timestamp and gRPC server timestamp) value can sometimes be negative for Packet Forwarding Engine related telemetry packets because of a drift in the Routing Engine and the Packet Forwarding Engine NTP servers. PR1303376

  • The mgd might crash when an Ephemeral database is used. This type of crash indicates simultaneous operation on an ephemeral instance. When a process wants to open an ephemeral configuration in merge view, some other activity (such as purging, deletion, or re-creation) is being carried out on this ephemeral instance. The occurrence of this crash is rare. PR1305424

  • The message LIBJNX_REPLICATE_RCP_ERROR is repeated multiple times in the syslog log files in the master Routing Engine, when the backup is not reachable. Although the message is marked as an error in the syslog, you can ignore this error because it will not have any impact on the system. PR1305660

  • Telemetry thread on the FPC might overuse the CPU thread in case of certain telemetry features like per service identifier in SR Statistics. This is a generic issue in the FPC telemetry code but gets exposed easily when per prefix stats is enabled through telemetry. This occurs because you walk a lot of prefix (a lot of which might not have any data to export) but do not yield until the buffer is attempted to be filled up. PR1308513

  • Support for enterprise profile is only provided for 10-Gigabit Ethernet interfaces. Use of 40-Gigabit Ethernet and 100-Gigabit Ethernet interfaces might result in a phase alignment issue. PR1310048

  • For sensors belonging to the same producer (for example, BGP and MPLS coming from rpd), if you use the same reporting intervals, then they are not streamed in parallel but are streamed sequentially. As a workaround, use a different reporting rate for sensors that belong to the same producer. PR1315517

  • An alarm is raised if mixed AC PEMs are present. The criteria has been changed to check whether mixed AC is present. If the PEM is AC (high), then the first bit of pem_voltage is set, and if it is AC (low), then the second bit of pem_voltage is set. So if both first and second bit are set, then the mixed AC is present. PR1315577

  • Making changes in services traffic-load-balance for one instance, might lead to a refresh of existing instances. PR1318184

  • When an xmlproxy YANG file is configured through the request system yang add package <package-name> proxy-xml module <module-name> CLI command, then a notification related to new rendering schema is sent to all the Junos OS processes instead of being sent only to a limited set of processes (xmlproxyd and agentd). This might cause some processes, such as chassisd and jsd to restart, resulting in a telemetry session bounce as well. PR1320211

  • In JDM (running on a secondary server), a jdmd process might generate a core file if GNF add-image is aborted by pressing Ctrl+C. PR1321803

  • With commit full, the na-grpd process might restart causing a disconnection of the streaming telemetry. PR1326366

  • Under some race conditions with fail-over and multiple core interface flapping on Ethernet virtual private network (EVPN) / Virtual Extensible LAN (VXLAN) network, the rpd process can be with high CPU causing some issues in intercommunication with the l2ald process, then causing the l2ald process to coredump and restart. PR1333823

  • On MX204, MX10003, MPC7E, MPC8E, or MPC9E, the 100-Gigabit interface might keep flapping or stay down due to an interoperation issue between the Juniper Networks device and the remote transport device it is connected to. PR1337327

  • In an MPLS-EVPN environment, when label-switched path (LSP) flapping causes RSVP LSP reroute, LSP might stick in down state with Record route: <self> ...incomplete. PR1343289

  • On MX Series routers with 100M SFP used on MIC-3D-20GE-SFP-E/MIC-3D-20GE-SFP-EH, SFP might not work if it is not from Fiberxon or Avago. PR1344208

  • There is a possibility of MACsec sessions not establishing if FPCs go through a continuous cycle of offline or online many times (greater than 10 times), followed by restarting the dot1xd process. PR1344358

  • The Junos OS hidden hierarchies are not published in the Junos OS YANG schema and hence Junos OS should not emit these hidden hierarchies as part of the configuration. But in case of hidden choices, Junos OS is publishing a list without a key value because the key is hidden in the Junos OS schema. Hence, the ODL controller is not able to parse get-config response from Junos. As a workaround, you can remove such problematic hidden configurations from the device. The impact is limited only to the OpenDaylight controller. PR1348503

  • On a single Routing Engine system, after the graceful Routing Engine switchover (GRES) configuration is removed, the Routing Engine mastership keepalive timer is not resumed to the default value with GRES enabled. PR1349049

  • In some cases, OIR (removal followed by reinsertion) of a MIC on a FPC can lead to black holing of traffic destined to the FPC. The only way to recover from this is to restart the FPC. The issue will not be seen if you use the corresponding CLI commands to offline and then online the MIC. PR1350103

  • On MX platform with the subscriber-management feature enabled, if the combination of an Ascend-Data-Filter (ADF) and a redirect filter is applied to the subscribers, it may cause a leak in the Broadband Edge (BBE) filter index. The index is not released when the subscriber logs out. Due to this issue, new subscribers are not able to connect when all the indexes are used up. PR1353672

  • The system might take a longer period of time to reboot or the kernel might panic if rebooted during a broadcast storm on the mgmt port. PR1351977

  • On an MX10003, a vmcore is observed Kernel panic - not syncing: NMI: Not continuing. PR1353158

  • On MX Series routers with the subscriber management feature enabled, if the combination of an Ascend Data Filter (ADF) and a redirect filter is applied to the subscribers, it might cause a leak in the Broadband Edge (BBE) filter index. The index is not released when the subscriber logs out. Because of this issue, new subscribers are not able to connect when all the indexes are used up. PR1353672

  • The "ipv4-flow-table-size" is used to configure the size of the IPv4 flow table in units of 256K entries. However, in "inline-jflow" scenario, if the knob "ipv6-extended-attrib" is configured, changing flow table configuration or clear the flow entries might lead to the condition that even the "ipv4-flow-table-size" has been changed to a number larger than 149, the maximum number of IPv4 flows still remains at 37372900. PR1355095

  • DHCP subscriber unable to reach gateway as arp request dropped under pfe as dv discard. PR1356101

  • When you use "show agent sensors verbose" FPC VTY command on MPC7E, the FPC might crash. PR1366249

  • On ISSU to this release, there could be some impact to forwarding of packets of some destinations. PR1366811

  • In some configurations, ISSU prepare time on MPC5E takes longer than usual. As a result, the chassisd triggers restart/crash of the MPC . The ISSU completes after the crash. PR1369635

Class of Service (CoS)

  • A CoS scheduler update can fail when all of the following conditions are met: (1) Dynamic subscribers exist on an aggregated Ethernet bundle. (2) CoS traffic-control-profile or scheduler-map (or both) applied to these dynamic subscribers is from a static configuration. (3) The relevant static CoS is modified in the same configuration commit as a modification to the aggregated Ethernet bundle (either a leg add or leg remove) containing the subscribers. (4) The leg add or leg remove in the commit is the first or last leg to be added or removed from a line card. To avoid this issue, do not commit a bundle change in the same commit as a static CoS change. In this event, one of the following logs will be displayed in the message system log: subscriber cos update not applied to interface <interface-name> status <id> or subscriber cos update not applied to interface-set <interface-set-name> status <id>. This message indicates that the last update to the subscriber or interface set was not applied. If this event occurs, the workaround to fix the state is to: (1) Remove the last class-of-service update. (2) Commit the configuration. (3) Re-apply the class-of-service update. (4) Commit the configuration. PR1276459


  • The Layer 2 learning process (l2ald) might generate core files in a scaled Layer 2 setup, including bridge-domain, VPLS, EVPN, and so on. The l2ald process generation of core files usually follows a kernel page fault. In most cases, the issue is recovered on its own after l2ald generates the core file. In some cases, you can manually restart the process to recover. Logs: /kernel: %KERN-3-BAD_PAGE_FAULT: pid 69719 (l2ald), uid 0: pc 0x88beb5ce got a read fault at 0x6ca, x86 fault flags = 0x4 /kernel: %KERN-6: pid 69719 (l2ald), uid 0: exited on signal 11 (core dumped) init: %AUTH-3: l2-learning (PID 69719) terminated by signal number 11. Core dumped! PR1142719

  • In an EVPN scenario with static MAC configured in the EVPN instance, the remote EVPN instance can see the MAC route information. However, after deactivating and activating the static MAC in the EVPN instance, and then checking the MAC route information in the remote EVPN instance, no such MAC route is found in the EVPN route table. PR1193754

  • In an EVPN network with VXLAN encapsulation configured for direct-nexthop mode ("pure type 5" mode without overlay gateway addresses), at least one type 5 route per VRF from a remote endpoint must be received and installed in the local routing table of a device. This enables the local device to forward inbound type 5 traffic received from the remote endpoint. If the local device has not installed at least one route with a next hop pointing toward a specific remote endpoint, type 5 VXLAN-encapsulated IP traffic sent by the remote endpoint toward the local device will not be forwarded correctly. PR1305068

  • The issue is applicable to MAC-in-MAC PNN EVPN and does not affect any other scenario. When the provider backbone bridging (PBB) EVPN configuration is reloaded on MX Series routers, error logs are seen while deleting interfaces related to the backbone bridge component. These errors do not result in any functional issues. PR1323275

  • The PBB EVPN will not be able to flood traffic towards the core. Traffic recovers by performing the restart l2-learning command. In addition to this, there is a limitation in PBB EVPN active/active (A/A) unicast traffic forwarding. If entropy in the traffic is not sufficient, then uneven load balancing causes a problem on the MH peer A/A routers. This will cause a drop for return traffic. These issues are applicable to PNN EVPN and do not affect any other scenario. PR1323503

  • In an Ethernet VPN (EVPN) Virtual Extensible LAN (VXLAN) deployment, the rpd process might crash on the new master after performing a Graceful Routing Engine Switchover (GRES). PR1333754

  • On the Junos OS platform, the l2ald process might crash during the MAC address processing. The MAC learning process will be impacted during the period of l2ald crash. The l2ald will recover by itself. PR1347606

  • The bidirectional Layer 2 traffic floods for around 5 second for streams from SH to MH, when the clear mac table command is executed on MX Series routers because MACs getting populated in the system are taking time. The clear mac table command is disruptive, which deletes all dynamic MACs in the system. PR1360348

Forwarding and Sampling

  • When a policing filter is applied to an active LSP carrying traffic, the LSP resignals and drops traffic for approximately 2 seconds. It can take up to 30 seconds for the LSP to come up under the following conditions: (1) Creation of the policing filter and application of the same to the LSP through the configuration occurs in the same commit sequence. (2) Load override of a configuration file that has a policing filter and policing filter application to the LSP is followed by a commit. PR1160669

  • In some stress test conditions, the sampled process crashes and generates a core file when connecting to L2BSA and EVPN subscribers aggressively. PR1293237

  • A heap memory leak occurs on DPC when the flow specification route is changed. PR1305977

  • Firewall Filter not applied as input filter to Extended Port when used for Layer 2 VPN. PR1311013

General Routing

  • The SMID process has stopped responding to the management requests after a jl2tpd (L2TP process) crashes on an MX960 broadband network gateway. PR1205546

  • Sometimes, when PPPoE subscribers log in and log out from Junos OS Release 16.1 and later, the following messages are generated: user@devcie> show log messages | match authd authd[5208]: sdb_app_access_line_entry_read_by_uifl: uifl key 'demux0.xxxxxxxx': snapshot failed (-7) authd[5208]: sdb_app_access_line_entry_read: uifl key 'demux0.xxxxxxxx': read failed These messages indicate that authd daemon for subscriber authentication is attempting to read private data for an underlying interface which no longer exists (-7 = SDB_DATA_NOT_FOUND). These messages have no impact and can be safely ignored, where the authd process is asking sdb for a record that no longer exists. PR1236211

High Availability (HA) and Resiliency

  • To avoid such kind of error make sure that space available in /var is twice the size of target image. This is the basic requirement for ISSU to proceed. PR1354069


  • The configuration statement set system ports console log-out-on-disconnect logs the user out from the console and closes the console connection. If the configuration statement set system syslog console any warning is used with the earlier configuration and when there is no active telnet connection to the console, the process tries to open the console and hangs as it waits for a "serial connect" that is received only by telnetting to the console. As a workaround, remove the latter configuration by using the set system syslog console any warning command, which solves the issue. PR1230657

Interfaces and Chassis

  • Junos OS now checks ifl information under the aggregated Ethernet interface and prints only if it is part of it. PR1114110

  • A Junos OS upgrade involving a CFM configuration can cause a cfmd crash after upgrade. This issue occurs because of the presence of the old version of the /var/db/cfm.db file. PR1281073

  • The LAG member links running LACP in slow mode might get disassociated from the LAG bundle with a combination of restart interface-control and FPC offline or online trigger. The issue is seen with scale configuration on the device under test. The scale details are: 2800 CFM sessions, 2800 BFD sessions, 2043 BGP peers, and 3400 VRF instances. PR1298985

  • The Y.1731 delay measurement is not supported on MPC6. PR1303672

  • In a subscriber management scenario with Dynamic demultiplexer (demux) Interfaces configured, some subscribers belonging to one aggregated Ethernet interface might be migrated to a newly configured aggregated Ethernet interface. Subscribers might fail to access the device after deleting the old aggregated Ethernet configuration. PR1322678

Layer 2 Features

  • This issue affects routers equipped with following line cards: T4000-FPC5-3D, MX-MPC3E-3D, MPC5E-40G10G, MPC5EQ-40G10G, MPC6E, and MX2K-MPC6E. If the router is working as a VPLS PE, due to MAC aging every 5 minutes, the VPLS unicast traffic is flooded as unknown unicast every 5 minutes. PR1148971

Layer 2 Ethernet Services

  • After changing an outer vlan-tags, the ifl is getting programmed with incorrect stp state (discarding), so the traffic is getting dropped. PR1121564

Multiprotocol Label Switching (MPLS)

  • When using mpls traffic-engineering bgp-igp-both-ribs with LDP and RSVP both enabled, CSPF for interdomain RSVP LSPs cannot find the exit area border router (ABR) when there are two or more such ABRs. This causes the interdomain RSVP LSPs to break. The RSVP LSPs within the same area are not affected. As a workaround, you can either run only RSVP on OSPF ABR or IS-IS L1/L2 routers and switch RSVP off on the other OSPF area 0/IS-IS L2 routers, or avoid LDP completely and use only RSVP. PR1048560

  • This issue occurs when graceful Routing Engine switchover (GRES) is done between the master and backup Routing Engines of different memory capabilities. For example, one Routing Engine has only enough memory to run a routing protocol process (rpd) in 32-bit mode while the other is capable of 64-bit mode. The situation could be caused by using Junos OS Release 13.3 or later with the configuration statement auto-64-bit configured, or by using Junos OS Release 15.1 or later even without the configuration statement. Under these conditions, the rpd might crash on the new master Routing Engine. As a workaround, this issue can be avoided by using the CLI command set system processes routing force-32-bit. PR1141728

  • When Flow-Label (FL) is enabled for PW, the OAM packets were not sent with Flow-Label because RPD is not aware of the Flow-Label values assigned by PFE software. Hence the packets were getting dropped by PFE at the tail-end PE. The remote PE was expecting the packet with FL and PW label. PR1217566

  • In a CE-CE setup, traffic loss might be observed over a secondary LSP on a primary failover. PR1240892

  • A minimal discrepancy between MPLS statistics and adjusted bandwidth is reported because of the current way of calculating bandwidth. PR1259500

  • It takes longer to set up Layer 3 VPN egress protection starting in Junos OS Release 16.1R1. PR1278535

  • In case of CSPF disabled LSPs, if the Primary path ERO is changed to unreachable strict hop, sometimes the Primary Path stays UP with the old ERO. The LSP does not switch to Standby Secondary. PR1284138

  • Swapping the binding SID between colored and non-colored static SR LSPs might cause rpd to generate a core file. PR1310018

  • There are some LSPs for which a router has link protection available, and the primary link failure is caused by an FPC restart. PR1317536

  • In an LDP over RSVP setup, when the RSVP label-switched paths (LSPs) have protection and a route can be reached through both LDP direct neighbor (IP next hop) and LDP remote neighbor over RSVP LSPs (RSVP next hop), the LDP route next hop is transitioned between the IP next hop and the RSVP LSP next hop. Then RSVP LSP make-before-break (MBB) can happen, and the LDP route might use stale RSVP LSP next hop because of a timing issue. This might cause the rpd process to crash. PR1318480

  • Executing a restart chassisd in a MXVC router with the following elements configured might result in a core. 1) IGP OSPF/OSPF3 (area 0, LFA) ISIS (level 2, LFA) LDP synchronization ipv4 and ipv6 2) IBGP dual, redundant route reflection ipv4 and ipv6 3) MPLS LDP (IGP synchronization, track IGP metric) RSVP (node link protection, adaptive, auto bandwidth, refresh reduction) 4) L3VPN OSPF OSPF3 BGPv4 BGPv6 RIPv2 static MBGP NGEN-MVPN l3vpn cnh with ext space any to any hub and spoke MPLS access Ethernet access multicast extranet per vpn and per prefix labels SRX based network address translation SRX based firewall 5) Direct Internet Access EBGP 6) CoS BA/MF classification policing/shaping queuing/scheduling hierarchical queuing/shaping/scheduling 8 traffic classes 7) BFD/OAM/CFM liveness detection 8) Load Balancing L2 aggregate ethernet IP equal cost multi path MPLS equal cost multi path 9) High Availability GRES/NSR ISSU fabric redundancy tail end protection BGP prefix independent convergence edge 10) Security loopback filter arp policers control plane traffic policers urpf check with all feasible paths ttl filtering jflow/ipfix export only SRX based DDOS PR1352227

  • On optimize timer expiry, when the ted version number match indicates a CSPF has already run for the path, if an optimization has not yet been done with that version, it will be run despite the version number match. (Having a per path optimize-seq-no that is updated with ted seq no only on optimization.) When path-cc-updated is false and CSPF fails for optimization, disable the path just like we do for the ones on avoid colors/invalid ERO, making sure this does not interfere with global repair/local reversion PR1365653

  • With static label-switched path (LSP) for MPLS configured with next-hop, the next-hop might get stuck in dead state when only changing the network mask but keeping the IP address unchanged for the outgoing interface via which the LSP next-hop is reachable. PR1372630

Platform and Infrastructure

  • Starting in Junos OS Release 13.1R1 and later, if no-fast-sync is used with configure-private mode, the commit operation might throw errors after the configuration statements under choice (such as protocol [ ospf pim tcp ]) are added or deleted. Also, after those configuration statements under choice are deleted or added, the whole hierarchy is shown as changed when the show configuration | compare command is used. This is a day one issue. PR1042512

  • The login_getclass: unknown class 'j-idle-timeout' error is displayed when the user has not configured a timeout value for the root user. If the user has not a configured timeout value, j-idle-timeout entry is not present in the login.conf file and an error message is displayed because j-idle-timeout class is not found. To Reproduce: (1) Log in to router as a root user. (2) Clear log messages. (3) Exit and go to CLI mode and perform the show log messages command. The login error is logged in the messages. User@MX-re0> start shell user root Password: root@MX-re0:/var/home/lab # cli User@MX-re0> clear log messages all User@MX-re0> exit User@MX-re0:/var/home/lab # cli User@MX-re0> show log messages Jan 5 14:55:06.132 MX-re0 mgd[96513]: %INTERACT-6-UI_CHILD_STATUS: Cleanup child '/usr/libexec/ui/clear-log', PID 96517, status 0 Jan 5 14:55:06.132 MX-re0 mgd[96513]: %INTERACT-6-UI_FILE_CLEARED: 'messages' logfile cleared by user 'lab' Jan 5 14:55:08.047 MX-re0 mgd[96513]: %INTERACT-6-UI_CMDLINE_READ_LINE: User 'lab', command 'exit ' Jan 5 14:55:08.048 MX-re0 mgd[96513]: %INTERACT-6-UI_LOGOUT_EVENT: User 'lab' logout Jan 5 14:55:10.310 MX-re0 cli: %USER-3: login_getclass: unknown class 'j-idle-timeout' <<<<<<<<<<< Login error Jan 5 14:55:10.318 MX-re0 mgd[96527]: %DAEMON-7: check_regex_add: 1059 regex_add = 0 Jan 5 14:55:10.319 MX-re0 mgd[96527]: %INTERACT-6-UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user' Jan 5 14:55:10.320 MX-re0 mgd[96527]: %INTERACT-6-UI_LOGIN_EVENT: User 'lab' login, class 'super-user' [96527], ssh-connection '', client-mode 'cli' Jan 5 14:55:15.496 MX-re0 mgd[96527]: %INTERACT-6-UI_CMDLINE_READ_LINE: User 'lab', command 'show log messages ' User@MX-re0> exit root@MX-re0:/var/home/lab # cat /var/etc/ | grep autologout root@MX-re0:/var/home/lab # cat /var/etc/login.conf | grep j-idle No idle timeout values are seen in "/var/etc/ and /var/etc/login.conf" files. PR1097799

  • On MX2000 routers, the show chassis hardware detail might show MICs are installed even after MICs are removed. PR1216413

  • The error message LUCHIP(5) GUMEM1[77a0] mismatch might be seen after an MX MPC card with an LU chipset goes offline or online PR1221195

  • When certain hardware transient failures occur on an MQ-chip based MPC, traffic might be dropped on the MPC, and syslog errors Link sanity checks and Cell underflow are reported. There is no major alarm or self-healing mechanism for this condition. PR1265548

  • MAC addresses are not learned on bridge-domains after an XE/GE interface flap. This issue occurs when 120 bridge domains (among a total of 1000 bridge domains) have XE/GE links toward the downstream switch and LAG bundles as uplinks toward the upstream routers. The XE/GE link is part of the physical loop in the topology. Spanning tree protocols such as VSTP, RSTP, or MSTP are used for loop avoidance. Some MAC addresses are not learned on a device under test when LAG bundles that are part of such bridge domains are flapped and other events such as spanning tree root bridge change occur. PR1275544

  • With a unified ISSU, momentary traffic loss is expected. In EVPN E-Tree, in addition to traffic loss, the known unicast frames can be flooded for around 30 seconds during unified ISSU before all forwarding states are restored. This issue does not affect BUM traffic. As a workaround, nonstop bridging (NSB) can be configured at set protocols layer2-control nonstop-bridging. This reduces traffic flooding to around 10 seconds in a moderate setup. PR1275621

  • Due to a transient hardware error condition, the CPQ Sram parity error and CPQ RLDRAM double bit ECC error syslog errors on an MQCHIP raise a major CM alarm. PR1276132

  • There is an accuracy issue with three-color policers of both types single rate and two rate, where for certain policer rate and burst-size combinations the policer accuracy varies. This issue is present since Junos OS Release 11.4 on all platforms that use a trio ASIC. PR1307882

  • Traffic statistics might not match on PS after clearing the interface statistics. PR1328252

  • On all JunOS platforms, execution of Python scripts through enhanced automation does not work on veriexec images. PR1334425

  • You can configure host syslog from Junos OS guest. Host side: The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7. The keyword security should not be used anymore and the mark is only for internal use and therefore should not be used in applications. However, you might want to specify and redirect these messages. The facility specifies the subsystem that produced the message, that is, all mail programs log with the mail facility (LOG_MAIL), if they log using syslog. The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg). The keywords error, warn, and panic are deprecated and should not be used anymore. The priority defines the severity of the message. Guest side: syslog-facilities-severity-levels.html remote : sync the syslog server configuration from Junos OS to Linux and modify rsyslog.conf set vmhost/app-engine syslog host and set vmhost/app-engine syslog host match xxx. PR1341549

  • For MPC5 , the inline-ka PPP echo requests are not transmitted when anchor-point is lt-x/2/x or lt-x/3/x in a pseudowire deployment. PR1345727

  • In a Layer 3 VPN topology, when you trace route to a remote PE device for a CE-facing network, you see that the ICMP TTL is expired and receive reply with a source address of only one of the many CE-facing networks. In Junos OS Releases 15.1R5, 16.1R3, and 16.2R1 and onwards there is a kernel sysctl value, icmp.traceroute_l3vpn. Setting this to 1 will change the behavior to select an address based on the destination specified in the traceroute command. This PR adds the option to the configuration. PR1358376

  • If a tunnel interface is anchored on Trio-based FPC and the 'class-of-service host-outbound-traffic ieee-802.1 rewrite-rules' knob is configured, the host outbound traffic might get dropped when the traffic goes through this tunnel interface. PR1371304

Routing Protocols

  • When you configure damping globally and use the import policy to prevent damping for specific routes, and a peer sends a new route that has the local interface address as the next hop, the route is added to the routing table with default damping parameters, even though the import policy has a non-default setting. As a result, damping settings do not change appropriately when the route attributes change. PR51975

  • Continuous soft core files might be generated due to a bgp-path-selection code. The routing protocol process (rpd) forks a child and the child asserts to produce a core file. The problem is with route-ordering and it is auto-corrected after collecting the soft-assert-core file, without any impact to the traffic or service. PR815146

  • For single-hop eBGP session, upon interface down event, do not do GR helper logic. In problem state Peer: AS 100 Local: AS 101 Group: EBGP Routing-Instance: master Forwarding routing-instance: master Type: External State: Active Flags: <> Last State: Idle Last Event: Start Last Error: Cease Import: [ reject ] Options: Holdtime: 90 Preference: 170 Local AS: 101 Local System AS: 0 Number of flaps: 2 Last flap event: Stop Error: 'Cease' Sent: 1 Recv: 0 NLRI we are holding stale routes for: inet-unicast Time until stale routes are deleted or become long-lived stale: 00:01:54 >>>>>>>>>> Time until end-of-rib is assumed for stale routes: 00:04:54 Table inet.0 RIB State: BGP restart is complete Send state: not advertising Active prefixes: 14 Received prefixes: 21 Accepted prefixes: 15 Suppressed due to damping: 0 Stale prefixes: 21 >>>>>>>>>>>>>>>>>> With the fix: Peer: AS 100 Local: AS 101 Group: EBGP Routing-Instance: master Forwarding routing-instance: master Type: External State: Active Flags: <> Last State: Idle Last Event: Start Last Error: Cease Import: [ reject ] Options: Holdtime: 90 Preference: 170 Local AS: 101 Local System AS: 0 Number of flaps: 1 Last flap event: Stop Error: 'Cease' Sent: 1 Recv: 0. PR1129271

  • JTASK_SCHED_SLIP for rpd might be seen on doing a restart routing or an ospf protocol disable with scaled BGP routes in an MX104 router. PR1203979

  • The state of LDP OSPF is 'in sync' because the IGP interface is down with LDP synchronization enabled for OSPF. user@host> show ospf interface ae100.0 extensive Interface State Area DR ID BDR ID Nbrs ae100.0 PtToPt 1 Type: P2P, Address:, Mask:, MTU: 9100, Cost: 1050 Adj count: 1 Hello: 10, Dead: 40, ReXmit: 2, Not Stub Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC Protection type: None Topology default (ID 0) -> Cost: 1050 LDP sync state: in sync, for: 00:04:03, reason: IGP interface down config holdtime: infinity. As per the current analysis, "IGP interface down" is observed as the reason because although LDP notified OSPF that LDP sync was achieved, OSPF was not able to take note of the LDP sync notification because the OSPF neighbor was not up yet. PR1256434

  • When generating SNMP traps or notifications for BGP events from the jnxBgpM2 MIB, Junos OS does not emit objects of type InetAddress with the expected length field. This will cause compliant SNMP tools to be able to parse the contents of those objects properly. In particular, the length field for the InetAddress OBJECT-TYPE is omitted. Using the set protocols bgp snmp-options emit-inet-address-length-in-oid command causes these objects to emit in a compliant fashion. PR1265504

  • Two multicast tunnel (mt) interfaces are seen for each of the PIM neighbors after VPN-Tunnel-Source activation or deactivation. However, ideally, the same tunnel source should be used for both IPv4 and IPv6 address families, if both are using the same PIM tunnel. PR1281481

  • When eBGP multihop sessions exchanging EVPN routes are configured, a core can result due to an internal error. PR1304639

  • In rare cases, RIP replication might fail as a result of performing NSR Routing Engine switchovers when the system is not NSR ready. PR1310149

  • The rpd process generates core files at 0x094680ac in task_reconfigure_complete (ctx=0x9dfe940 <task_args>, seqnum=570) at ../../../../../../../src/junos/lib/libjtask/mgmtlib/../module/task_reconfig ure.c:172. As a workaround, avoid doing additions and deletions in a single commit. Instead, first do the fwdclass deletion, wait for a while, and then do the fwdclass addition. PR1319930

  • In a resource public key infrastructure (RPKI) scenario, the validation replication database might have much more entries than the validation database after restarting the RPKI cache server and the validation session is reestablished. PR1325037

  • When route target filtering (RTF) is configured for VPN routes and multiple BGP session flaps, there is a possibility that some of the peers might not receive the VPN routes after the flapped sessions come up. PR1325481

  • When the clear validation database command is issued back-to-back multiple times, it ends up with partial validation database. This eventually recovers after up to 30 minutes (half of the record lifetime), when you do periodical full updates. PR1326256

  • When configuring any cast and prefix segments in SPRING for IS-IS, prefix-segment index 0 is not supported, even though you are allowed to configure 0 as an index. PR1340091

  • Starting in Junos OS Release 16.1 and later, the show bgp neighbor command does not show the correct Last traffic (seconds) correctly. PR1361899

  • On Junos platform, when openconfig is running with sensor for /network-instances/network-instance/protocols/protocol/bgp, changing BGP import or export policy may cause rpd core. PR1366696

  • If IS-IS shortcut is enabled and ISIS "topologies ipv6-unicast" is configured, when any link with no IPv6 address configured in the MPLS LSP path is flapping (or bring down and then up), the route entry go through this flapping link might be missing for about 10 minutes, which might lead to traffic loss. The issue is because when the flapping link is down and then up, the flash route update checks both IPv4 and IPv6 address family, since IPv6 is not configured for this link, the flash route update is not triggered, hence the route entry is missing. PR1372937

Services Applications

  • We do not recommend configuring the ms-interface when AMS bundle in one-to-one mode has the same member interface. PR1209660


  • A VLAN-CCC logical interface for l2ckt remains in CCC-Down when switching from l2ckt to EVPN-VPWS, unless it is deactivated and re-activated manually. PR1312043