Issues in JUNOS Release 10.2 for M Series, MX Series, and T Series Routers

The current software release is Release 10.2R1. For information about obtaining the software packages, see Upgrade and Downgrade Instructions for JUNOS Release 10.2 for M Series, MX Series, and T Series Routers.

Current Software Release

Current Software Release

Outstanding Issues in JUNOS Release 10.2 for M Series, MX Series, and T Series Routers

Class of Service

On MX Series routers with Enhanced DPCs, bandwidth sharing between two schedulers, one with high and the other with strict-high priority, might not be as expected when the schedulers are oversubscribed. That is, only one queue can use all of the excess bandwidth. This issue occurs when the schedulers are configured on logical interfaces. [PR/265603]
On an Ichip-based platform for strict high priority queue (SHQ), the buffer size allocated by the Packet Forwarding Engine is capped by the tx-rate. If the tx-rate is configured to a very small value or is not configured, and is automatically allotted a zero or a very small remaining value; the queue is also allotted a proportionately small delay buffer. This can sometimes lead to Red and Tail drops on the SHQ when there is a burst of traffic (with a certain traffic pattern) on it. As a workaround, configure a nominal tx-rate value (5 percent) for the SHQ. [PR/509513]
On M Series and T Series routers, the forwarding class information is lost when the packet enters the GRE tunnel with clear-dont-fragment-bit enabled. Additionally, on an Enhanced FPC or M120 FEB, the packet is also likely to be dropped if it is classified to a packet loss priority (PLP) value other than low. [PR/514162]

Forwarding and Sampling

While the JUNOS Software adopts random as its sampling algorithm, the SAMPLING_ALGORITHM in the flow monitoring version 9 template shows 0x01 (deterministic) instead of 0x02 (random). [PR/438621]
Under rare circumstances, if the filter is changed while a counter query is in progress and the system is under heavy load, the system might crash. [PR/447033]
When a filter with ip-options "any" firewall match is applied on an interface on the MX-MPC, the filter is not applied. If the hardware is present at the time of the configuration commit, a commit warning is issued. However, the commit does not fail and the rest of the configuration is applied. [PR/524519]
On T640 and T1600 routers with ST chipset FPCs, in some cases when the IPv6 firewall filter with match conditions configured on address prefixes is longer than 64 bits, the filter may not be evaluated correctly. This might lead to loss of packets. [PR/524809]

High Availability

The SSH keys are not in sync between the master and backup Routing Engine when SSH is enabled after a graceful Routing Engine switchover (GRES). [PR/455062]
When an ISSU upgrade is performed to or from JUNOS Releases 9.6R3 or 10.0R2, the logical interface and logical interface sets that have traffic control profiles configured on them will be affected. [PR/491834]
When the standby Routing Engine is upgraded, ISSU aborts with the error message “replication_err soft_mask_err.” [PR/508028]
An intermittent failure in the non-stop Routing Engine might cause a core file to be generated. However, the system does not go down. [PR/527686]

Interfaces and Chassis

On a 2-port OC12 ATM2 IQ interface, the total virtual path (VP) downtime might not display correctly in the show interfaces command output. [PR/27128]
For Automatic Protection Switching (APS) on SONET/SDH interfaces, there are no operational mode commands that display the presence of APS mode mismatches. An APS mode mismatch occurs when one side is configured to use bidirectional mode, and the other side is configured to use unidirectional mode. [PR/65800]
The output of the show interfaces diagnostics optics command includes the "Laser rx power low alarm" field even if the transceiver is a type (such as XENPAK) that does not support this alarm. [PR/103444]
On the M120 router, hot-swapping the fan tray might cause the Check CB alarm to activate. [PR/268735]
On the JCS1200 platform, when you issue the clear -config -T switch[1] command using the management module, the switch module returns to its factory default setting instead of the Juniper Networks default setting. As a workaround, do not issue the command. [PR/274399]
On the Juniper Control System (JCS) platform, the control and management traffic for all Routing Engines shares the same physical link on the same switch module. In rare cases, the physical link might become oversubscribed, causing the management connection to Protected System Domains (PSDs) to be dropped. [PR/293126]
On a Protected System Domain (PSD) configured with a large number of BGP peers and routes (for example, 5000 peers and 1,000,000 routes), FPCs might restart during a graceful Routing Engine switchover (GRES). [PR/295464]
When two routers connected via SONET/SDH interfaces are configured as container interfaces and the Routing Engine on one router reboots, the container interfaces on the other router might go down and come up again. [PR/302757]
While using an AE-20 on a TX matrix router, the AE link might not respond after the chassis control is restarted. As a workaround, deactivate and activate the AE interface. [PR/458926]
The bridge-domain MAC learn limit on the Packet Forwarding Engine can sometimes become negative if the bridge domain is deleted and added immediately as part of a configuration change. If that happens, the MAC learning on that bridge domain can be affected. As a workaround, deactivate and activate the bridge domain or VPLS routing instance configuration. [PR/467549]
Due to the large number of components, Trio MPCs take more time to boot up than comparable MX Series boards. [PR/468665]
If a firewall show command is followed by the clear command in a very quick succession, there is a possibility that the show command will time out. If the show command is issued after a few seconds (5 seconds ideally), this issue will not be seen. [PR/479497]
On MX Series routers, the traffic is forwarded over the backup link even after the primary link is disabled and enabled again. [PR/493861]
The Loss of Signal (LOS) is not detected on 2x10GE and 4x10GE MICs when the interface is configured on WAN-PHY mode by pulling off the fiber. This is because the LOS register is not set by the vendor's PHY. However, the LOS is reported when the XFP is removed. [PR/498613]
On 2x10GE and 4x10GE MICs, when the peer interface is taken offline or a Loss of Frame (LOF) is detected, the Alarm Indication Signal-line path (AIS-L and AIS-P) might not be detected by the WAN PHY. If this occurs, the output of the show interfaces xe-x/y/z command will not show AIS-L and AIS-P. [PR/504213]
If a T640-FPC4-ES is installed in a T1600 router and an SIB statistics collection is performed, the message log might report "JBUS: U32 read error, client .." only if one of the SIBs is faulted or in the offline state. This system log message will also appear if the T640-FPC4-ES FPC is removed from the chassis. There is no operational impact. [PR/504363]
On 2x10GE and 4x10GE MICs, on detecting an Alarm Indication Signal-line (AIS-L), the WAN PHY might not be able to detect the AIS-P defect. As a result, the AIS-P defect will not appear in the output of the show interfaces xe-x/y/z command. [PR/504544]
On a 4x CHOC3/CHSTM1 SONET CE SFP PIC, if a SONET Automatic Protection Switching (APS) is configured on COC3/CSTM1 interfaces and an IMA group is created, APS will not work for those IMA groups. There is no workaround. [PR/513343]
When a frame relay interface goes down, the interface statistics might still indicate that the data-link connection identifier (DLCI) is active. [PR/516497]
Discrepancies exist in MAC and filter statistics between Trio and I+EZ DPCs. [PR/517926]
On IQ2 and IQ2E 10GE PICs operating in WAN-PHY mode, the path trace information does not get transmitted to the remote end. [PR/518331]
In JUNOS Release 10.0 and above, the mib value for OID ifSpeed and ifHighSpeed on the aggregated Ethernet logical interface is shown incorrectly as 0. This occurs when the bandwidth of the logical interface is not configured for the aggregated Ethernet interface. [PR/519855]
When two PICs are configured with a large number of IMA links, and one PIC is reset and rebooted more than once ,a few IMA E1 links do not come up. As a workaround, reset and reboot the peer PIC. [PR/520915]
When one of the two Ethernet connections to another Routing Engine is not present, the mastership is not switched. [PR/521833]
If a donor logical interface does not have a valid ifa (i.e. atleast one address which is unique to the logical interface in the routing instance), the DCD might crash. [PR/524989]
On virtual LAN demux interfaces over an Aggregate Ethernet with Trio MPCs, the changes made to the configuration are not applied when the commit command is issued. As a workaround, restart the MPC for the committed changes to take effect. [PR/528188]

Layer 2 Ethernet Services

The release message is not sent to the DHCP server even though the send-release-on-delete flag is set under the DHCP relay configuration. As a workaround, to deactivate or deconfigure an interface, clear all the bindings on the interface before you deactivate or delete the interface. To deactivate or deconfigure the relay, clear all the bindings before you deactivate or delete the relay. [PR/498920]

MPLS Applications

The rt column in the output of the show mpls lsp command and the active route counter in the output of the show mpls lsp extensive command are incorrect when the per-packet load balancing is configured. [PR/22376]
For point-to-multipoint label-switched paths configured for VPLS, the ping mpls command reports a 100 percent packet loss even though the VPLS connection is active. [PR/287990]
The RSVP sessions through unnumbered interfaces, with advertise-unnumbered-interfaces enabled under OSPF traffic engineering, are not replicated on the backup Routing Engine. [PR/525297]

Network Management

After an LCC switchover, the SNMP process fails to send traps with resource temporarily unavailable errors. [PR/493385]

Platform and Infrastructure

On T Series routers, a Layer 2 maximum transmission unit (MTU) check is not supported for MPLS packets exiting the routing platform. [PR/46238]
When you configure a source class usage (SCU) name with an integer (for example, 100) and use this source class as a firewall filter match condition, the class identifier might be misinterpreted as an integer, which might cause the filter to disregard the match. [PR/50247]
If you configure 11 or more logical interfaces in a single VPLS instance, VPLS statistics might not be reported correctly. [PR/65496]
When a large number of kernel system log messages are generated, the log information might become garbled and the severity level could change. This behavior has no operational impact. [PR/71427]
In the situation where a Link Services (LS) interface to a CE router appears in the VPN routing and forwarding table (VRF table) and a fragmentation is required, Internet Control Message Protocol (ICMP) cannot be forwarded out of the LS interface from a remote PE router that is in the VRF table. As a workaround, include the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level. [PR/75361]
Traceroute does not work when ICMP tunneling is configured. [PR/94310]
If you ping a nonexistent IPv6 address that belongs to the same subnet as an existing point-to-point link, the packet loops between the two point-to-point interfaces until the time-to-live expires. [PR/94954]
On T Series and M320 routers, multicast traffic with the "do not fragment" bit is being dropped due to configuring a low MTU value. The router might stop forwarding all traffic transiting this interface if the clear pim join command is executed. [PR/95272]
A firewall filter that matches the forwarding class of incoming packets (that is, includes the forwarding-class statement at the [edit firewall filter filter-name term term-name from] hierarchy level) might incorrectly discard traffic destined for the Routing Engine. Transit traffic is handled correctly. [PR/97722]
The JUNOS Software does not support dynamic ARP resolution on Ethernet interfaces that are designated for port mirroring. This causes the Packet Forwarding Engine to drop mirrored packets. As a workaround, configure the next-hop address as a static ARP entry by including the arp ip-address statement at the [edit interfaces interface-name] hierarchy level. [PR/237107]
When you perform an in-service software upgrade (ISSU) on a routing platform with an FPC3 or an Enhanced FPC3 with 256 MB of memory and the number of routes in the routing table exceeds 750,000, route loss might occur. If route loss occurs, as a workaround, perform either of the following tasks:
- Replace the FPC3 or Enhanced FPC3 with another FPC that has more memory, or
- After the ISSU is complete, reboot only the FPC3 or Enhanced FPC3.
[PR/282146]
For Routing Engines rated at 850 MHz (which appear as RE-850 in the output of the show chassis hardware command), messages like the following might be written to the system log when you insert a PC Card: “bad Vcc request” and “Device does not support APM.” Despite the messages, operations that involve the PC card work properly. [PR/293301]
On a Protected System Domain, an FPC might generate a core file and stop operating under the following conditions:
- A firewall policer with a large number of counters (for example, 20,000) is applied to a shared uplink interface, and
- The FPC that houses the interface does not have a sufficiently powerful CPU.
As a workaround, reduce the number of counters or install a more powerful FPC. [PR/311906]
When a CFEB failover occurs on an M10i or M7i router that has had 4000 or more IFLs, the following message appears:
```
IFRT: 'IFD ioctl' (opcode 10) failed
ifd 153; does not exist
IFRT: 'IFD Ether autonegotiation config' (opcode 163) failed
```
The message has no operational impact. When the backup CFEB becomes the active CFEB, the message will not display. [PR/400774]
On M7i routers, kernel panic may occur during route changes. [PR/439420]
In some cases, the alarms displayed in the FPM and the alarms shown using the show chassis alarms sfc 0 command do not match. [PR/445895]
The configured static NDP entry is cleared automatically after a certain interval. [PR/453710]
The SFC management interface em0 is often displayed as fxp0 in several warning messages. [PR/454074]
The VPN label does not get pushed on the label stack for Routing Engine–generated traffic with l3vpn-composite-next-hop activated. As a workaround, configure per-packet load balancing to push the VPN/tunnel labels correctly. [PR/472707]
On restart with a large-scale configuration (16K IFLs per MPC), the MPC-3D-16XGE-SFPP card might take up to 15 minutes to come up. [PR/478548]
An invalid IP protocol version is served as a valid version. The JUNOS router forwards IP packets with the version field set to values other than 4 and 6; for example, 11 or any (unassigned). [PR/481071]
The TTL on the wire is one less than the tunnel TTL configured through the CLI. [PR/506454]
When an AE interface on an ECMP path is taken down, packet drops might occur on traffic that is on another link in the ECMP path. [PR/513102]
A load-balancing issue occurs for egress traffic transiting a SONET aggregated interface bundle when an interface with a different speed or capacity is removed from the bundle. For example, if you have two or more OC12 interfaces and one OC192 interface in a SONET aggregated interface bundle and if the OC192 interface is then removed from the bundle, traffic is not load-balanced properly across the remaining interfaces. As a workaround, deactivate and then activate the SONET aggregated interface to ensure proper load balancing across the member interfaces. [PR/513677]
Setting the TCP maximum segment size (MSS) may not change the actual MSS value. [PR/514196]
When IGMP snooping is enabled, a multicast traffic drop might be seen if an IGMP join or leave occurs on other interfaces. [PR/515420]
When the primary link flaps with the route-memory-enhanced knob enabled, jtree might get corrupted and traffic forwarding is affected. As a workaround deactivate the route-memory-enhanced knob under the chassis stanza. Changes to the route-memory-enhanced knob takes effect only when Packet Forwarding Engine is rebooted. [PR/517919]
When the Destination Class Usage (DCU) is configured with unicast Reverse Path Filter (uRPF) and egress forwarding-table filter within the VRF, a VPN route flap might trigger a jtree memory leak. [PR/521609]

Routing Policy and Firewall Filters

If a routing protocol running an MSDP receives an SA that is filtered via the MSDP import policy, it will still create a forwarding entry if it subsequently receives a (*,G) join for that group. [PR/63053]
The following features are not supported in a 12-16x10G DPC:
- Known unicast and unknown unicast types in the input match condition 'Traffic-type' in a family bridge/VPLS
- The following match conditions do not work:
  - learn-vlan-1p-priority
  - learn-vlan-1p-priority-except
  - learn-vlan-id
  - learn-vlan-id-except
  - user-vlan-1p-priority
  - user-vlan-1p-priority-except
  - user-vlan-id
  - user-vlan-id-except
- VPLS flood FTF and input FTF
- Simple filters
- Filter action 'then ipsec-sa'
- Filter action 'then next-hop-group'
- Mac-filter output accounting and output policing
[PR/466990]
On some M, MX, and T Series routers, when a family CCC filter is applied on multiple interfaces that belong to different L2VPN routing instances, packet loss may occur after the routing instances are deactivated and activated. As a workaround, deactivate and activate the CCC filter on the interfaces. [PR/521357]
On M120, output filters applied on a pppoe interface will not take effect. [PR/528905]

Routing Protocols

When you configure damping globally and use the import policy to prevent damping for specific routes, and a new route is received from a peer with the local interface address as the next hop, the route is added to the routing table with default damping parameters, even though the import policy has a non-default setting. As a result, damping settings do not change appropriately when the route attributes change. [PR/51975]
When you issue the show ldp traffic-statistics command, the following system log message might be generated for all forwarding equivalence classes (FECs) with an ingress counter set to zero: "send rnhstats GET: error: ENOENT — Item not found." [PR/67647]
If ICMP tunneling is enabled on the router and you configure a new logical system that does not have ICMP tunneling enabled, the feature is globally disabled. [PR/81884]
Setting the advertise-high-metric option while using IS-IS overload also suppresses route leaking. [PR/419624]
When aggregate interfaces are used for VPN applications, load balancing may not happen with a Layer 2 circuit configuration. [PR/471935]
When PPMD delegation of BFD sessions is configured over AE interfaces, graceful Routing Engine switchover and NSR do not work. [PR/505058]
The BGP BMP message for IPv6 withdraw encoding does not follow the BMP-draft. [PR/512780]
The configured robust count value is not applied on the non-querier router when it receives a robust count value of 0. It uses the default value (2) instead of the configured value. [PR/520252]
When a l2circuit id greater than 2,147,483,647 is configured, and l2circuit tracing is enabled using the set protocols l2circuit traceoptions command, some of the trace messages provide the wrong value (a negative number) for the virtual circuit ID. [PR/523492]
The tag_encoder is unable to handle attempts to stack EXPLICIT_V6_ NULL (label 2) over an existing stack with label 2 on top. Additionally, the BGP module does not send label 2 when readvertising a prefix from an inet6 unicast session to a inet6 labeled-unicast session. [PR/523824]
An ISSU upgrade to JUNOS Release 10.2 with PIM NSR configured fails whenever an incompatble FRU (PIC) is required to be taken offline during a Routing Engine switchover. As a workaround, disable NSR for PIM using the set protocols pim nonstop-routing disable command for the ISSU uppgrade to be successful. [PR/527668]
On the M120 router, the output firewall filter does not properly classify pppoe subscribers. [PR/528905]

Services Applications

The show services accounting flow-detail extensive command sometimes displays incorrect information about input and output interfaces. [PR/40446]
When a routing platform is configured for graceful Routing Engine switchover (GRES) and Adaptive Services (AS) PIC redundancy, and a switchover to the backup Routing Engine occurs, the redundant services interface (rsp-) always activates the primary services interface (sp-), even if the secondary interface was active before the switchover. [PR/59070]
Detection of failure of remote PPP clients on the LNS through LCP echo requests will take longer due to the increase in the number of echo request retries. [PR/250640]
In JUNOS Release 10.0R2, a performance related issue is seen when the IDP plug-in is enabled. The connection per second value for HTTP (64 bytes) with AACL, AI, and IDP (with Recommended Attacks group) plug-ins have been downgraded to 7,600 through 7,900 per second. [PR/476162]
When a standard application is specified at the [edit security idp idp-policy policy-name rulebase-ips rule rule-name match application] hierarchy level, the IDP does not detect the attack on the non-standard port (for example, junos:ftp on port 85). [PR/477748]
The IPv6 gateway may have a NULL value when the destination address points to an aggregated next hop. [PR/516058]

Subscriber Access Management

During restart, the interface control process will crash if the PPPoE logical interface is configured without PPPoE options.. For example:
pp0 {unit 0 {}}
[PR/528824]

User Interface and Configuration

On M20 routers, after a Routing Engine mastership switchover, it might not be possible to enter CLI configuration mode on the new master Routing Engine. Also, the request system reboot and request system halt commands do not clearly fail but do not return the CLI prompt either. [PR/64899]
The “Local Password:" is prompt appears even though the authentication order has a password configured. [PR/94671]
The logical system administrator can modify and delete master administrator-only configurations by performing local operations such as issuing the load override, load replace, and load update commands. [PR/238991]
After AI scripts are added, the existing management sessions (including the one used to add the AI scripts) must exit the edit mode and reenter for any subsequent configuration changes to take effect. Changes made in these existing edit sessions are not written to the candidate configuration. [PR/297475]
On M Series, MX Series, and T Series routers, the user cannot differentiate between active and inactive configurations for system identity, management access, user management, and date and time pages. [PR/433353]
Selecting the monitor port for any port in the Chassis Viewer page displays the common Port Monitoring page instead of the corresponding Monitoring page of the selected port. [PR/446890]
J-Web does not display the USB option under Maintain>Reboot>Reboot from the media. [PR/464774]
On MX Series routers, J-Web does not display the USB-related information under Monitor>SystemView>System Information>Storage. [PR/465147]
On M7i and M10i routers with Enhanced CFEB installed, the chassis viewer plugin does not display the Routing Engine in the front view and the E-CFEB in the rear view. However, the chassis contents from the system (left side tab) displays all the list of components correctly. [PR/483375]
In the J-Web interface, the options Access Concentrator, Idle Timeout, and Service Name for PPPoE logical interfaces are not supported on MX Series routers. [PR/493451]
The licenses are not synced between the master and backup Routing Engine unless the knob system license traceoptions file file-name is configured. Configuring the knob will cause the licenses installed on the master Routing Engine to be synced with the backup Routing Engine. [PR/501443]
The group inherited configuration at the [interface-range] hierarchy level does not take effect. [PR/522872]
In the J-Web interface, when RIP, BGP, OSPF and DHCP are not configured in box, the validation message "not configured" displays in the respective screen in the monitor tab. The options for the commit, help and log out window are displayed behind the validation message. Because of this issue, the user is unable to click on the above options. This issue occurs only in the Firefox web browser. As a workaround, refresh the J-Web interface if you have already opened the log out window, or use these options in other menus. [PR/528346]

VPNs

When you modify the frame-relay-tcc statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level of a Layer 2 VPN, the connection for the second logical interface might not come up. As a workaround, restart the chassis process (chassisd) or reboot the router. [PR/32763]
Once a VPLS NLRIS is received with the Local Preference value of zero, it is assumed that the remote site is not designated even if there is one remote site. As a workaround, use a non-zero Local Preference value. [PR/70601]
When you configure inter-AS VPLS with MAC processing at the autonomous system (AS) boundary router along with multihoming, and if a designated forwarding AS boundary router fails and then comes back up again, traffic flowing to the local AS from the other AS’s boundary router might be lost. The loss occurs in the time period (tenths of a second) during which the old designated forwarding AS boundary router is taking back the role of designated forwarder. [PR/312730]
On a router configured for nonstop active routing (NSR) (the nonstop-routing statement is included at the [edit routing-options] hierarchy level), if a nonstop active routing switchover occurs after the configuration for routing instances changes in certain ways, the BGP sessions between PE and CE routers might not be established after the switchover. [PR/399275]
While upgrading JUNOS Software with l2circuit configuration underthe logical systems, the validation might fail with an "interface version mismatch" error. You can ignore this error and upgrade the JUNOS Software using the no-validate option. [PR/497190]
The routing protocol process crashes repeatedly on the new master, a few minutes after a graceful Routing Engine swithover. [PR/527465]