Issues in Junos OS Release 10.3 for M Series, MX Series, and T Series Routers

The current software release is Release 10.3R1. For information about obtaining the software packages, see Upgrade and Downgrade Instructions for Junos OS Release 10.3 for M Series, MX Series, and T Series Routers.

Current Software Release

Current Software Release

Outstanding Issues in Junos OS Release 10.3 for M Series, MX Series, and T Series Routers

Class of Service

On MX Series routers with Enhanced DPCs, bandwidth sharing between two schedulers, one with high and the other with strict-high priority, might not be as expected when the schedulers are oversubscribed. That is, only one queue can use all of the excess bandwidth. This issue occurs when the schedulers are configured on logical interfaces. [PR/265603]
When wildcards are used to configure class-of-service attributes on interfaces, the following limitations apply:
- When a logical interface matches both a wildcard configuration entry and a specific entry, attributes from the wildcard configuration are ignored. Only the attributes in the specific configuration are used to configure the unit.
- When a physical interface matches both a wildcard configuration entry and a specific entry, all attributes from the wildcard configuration are used, except for the input and output scheduler maps. Any attributes configured in the specific entry will then override those inherited from the wildcard entry.
As a workaround, when both wildcard and specific entries must be used, configure all the required attributes explicitly in the specific entry. [PR/519439]
When a logical interface set has a shaping-rate less than the sum of transmit-rates of its queues and when the configuration is corrected so that the logical interface set gets the correct shaping-rate, ADPC might crash. [PR/523507]
Incorrect class of service rewrites might occur when MPLS packets transit between FPC-ES and FPC-E with the copy-plp statement turned off. [PR/533213]
When per-unit-scheduler is applied under the interfaces hierarchy level, and shaping rate is applied under the class-of-service interface hierarchy level in the same commit operation, port shaping rate does not work and the total logical interface transmitted byte rate exceeds the physical interface shaping rate. As a workaround, configure shaping-rate within a traffic-control-profile and apply that to an interface, or deactivate and activate shaping-rate using the class-of-service interface interface-name shaping-rate command. [PR/539590]
Under certain conditions, the class of service configuration might not take effect on an IQ2 PIC. [PR/541814]

Forwarding and Sampling

If a CCC filter has a match condition of "destination-mac-address" and the filter is applied on the output side of family CCC of an interface on an I-chip DPC, to make the destination MAC address filtering work, the "no-control-word" must be specified for the corresponding L2VPN routing instances. [PR/510474]
The policer counter might be missing in the SNMP walk. Reboot the router to solve this problem. [PR/535715]
A scheduler is associated with a forwarding class, and when a forwarding class is mapped to a different queue, the associated scheduler is not applied to the new queue. [PR/540568]

High Availability

The SSH keys are not in sync between the master and backup Routing Engine when SSH is enabled after a graceful Routing Engine switchover (GRES). [PR/455062]

Interfaces and Chassis

For Automatic Protection Switching (APS) on SONET/SDH interfaces, there are no operational mode commands that display the presence of APS mode mismatches. An APS mode mismatch occurs when one side is configured to use bidirectional mode, and the other side is configured to use unidirectional mode. [PR/65800]
The output of the show interfaces diagnostics optics command includes the "Laser rx power low alarm" field even if the transceiver is a type (such as XENPAK) that does not support this alarm. [PR/103444]
When the RX power level is a negative value, the SFP diagnostics output displays an invalid receiver power level reading. [PR/235771]
On the M120 router, hot swapping the fan tray might cause the Check CB alarm to activate. [PR/268735]
On the JCS1200 platform, when you issue the clear -config -T switch[1] command using the management module, the switch module returns to its factory default setting instead of the Juniper Networks default setting. As a workaround, do not issue the command. [PR/274399]
On the Juniper Control System (JCS) platform, the control and management traffic for all Routing Engines shares the same physical link on the same switch module. In rare cases, the physical link might become oversubscribed, causing the management connection to Protected System Domains (PSDs) to be dropped. [PR/293126]
On a Protected System Domain (PSD) configured with a large number of BGP peers and routes (for example, 5000 peers and 1,000,000 routes), FPCs might restart during a graceful Routing Engine switchover (GRES). [PR/295464]
When two routers are connected via SONET/SDH interfaces that are configured as container interfaces and the Routing Engine on one router reboots, the container interfaces on the other router might go down and come up again. [PR/302757]
The bridge-domain MAC learn limit on the Packet Forwarding Engine can sometimes become negative if the bridge domain is deleted and added immediately as part of a configuration change. If this happens, the MAC learning on that bridge domain can be affected. As a workaround, deactivate and activate the bridge domain or VPLS routing instance configuration. [PR/467549]
Due to a larger number of components on the Neo board, it takes more time to boot up than a comparable MX Series board. [PR/468665]
If a firewall show command is followed by the clear command in quick succession, there is a possibility that the show command will time out. If the show command is issued after a few seconds (5 seconds ideally), this issue will not be seen. [PR/479497]
After an 8216 Routing Engine upgrade to Junos OS Release 9.6 with "chassis" deactivated, the backup Routing Engine starts to reboot with the panic message "panic: filter_idx_alloc: invalid filter index" and crashes when the “chassis” configuration is enabled and committed. After the Routing Engine finally comes online, the CLI response is slow and the Routing Engine reboots again after approximately three minutes. To stop these reboots, deactivate the chassis on the backup Routing Engine. [PR/489029]
On M7i routers with Junos OS Release 8.5 or later, the output of the show interfaces fxp0 command shows the fxp0 interface to be in the link up state even when the interface is disabled with no cables connected. [PR/508261]
On a 4x CHOC3/CHSTM1 SONET CE SFP PIC, if a SONET Automatic Protection Switching (APS) is configured on COC3/CSTM1 interfaces and an IMA group is created, APS will not work for those IMA groups. There is no workaround. [PR/513343]
When the VRRP6 master changes, there is no log output for VRRP IPv6. [PR/514821]
Upon a link up event, old packets from the previous link down are still dequeued. This leads to huge latency reports. [PR/515842]
Discrepancies exist in MAC and filter statistics between Trio and I+EZ DPCs. [PR/517926]
The queue counter of the aggregated Ethernet is counted up after the statistics is cleared and the FPC is restarted. [PR/528027]
The output of the show chassis environment pem command displays the voltage used in the FPC slots 0 through 3, even after the FPC is taken offline. [PR/528821]
If no dot1p classifier is explicitly configured for the logical interface of vid=0, to accept priority tagged packets, packets without an IP header such as STP will determine the forwarding class based on the priority tag value. [PR/529207]
The multipoint-destination configuration statement is not supported on IQE PICs. While the configuration of this statement is accepted without problems initially, subsequent reconfiguration of the interface might cause the FPC and Packet Forwarding Engine to reboot. [PR/529423]
When Automatic Protection Switching (APS) is configured on a 4x STM-1 SDH, SMIR PIC, the transmitted value of the K2 byte shows 0x00 for both unidirectional and bidirectional instead of 0x04 and 0x05, respectively. [PR/531030]
The SCB displays an incorrect state when it is removed without taking it offline using the CLI or buttons. This is not a cosmetic error and might impact the traffic. [PR/536866]
The "frame-relay-ether-type" encapsulation is not programmed to the hardware properly. Due to this, the incoming packet parsing fails and the packets are discarded. [PR/539484]
The model number of the production IBM-OEM box is not proper. It displays 45W4428 instead of the IBM specific model number. [PR/539977]
On MX Series routers with 10.x Power Budget, after a “Power Budget: Chassis experiencing power shortage” alarm occurs, the alarm does not clear even after the power budget problem is cleared. [PR/540522]

Layer 2 Ethernet Services

The release message is not sent to the DHCP server even though the send-release-on-delete flag is set under the DHCP relay configuration. As a workaround, to deactivate or deconfigure an interface, clear all the bindings on the interface before you deactivate or delete the interface. To deactivate or deconfigure the relay, clear all the bindings before you deactivate or delete the relay. [PR/498920]

Network Management

The value of IfHighSpeed for an interface's current bandwidth is in the units of 1,000,000 bits per seconds. According to RFC 2683, the ifHighSpeed must be rounded to the nearest whole value on both the physical interfaces and logical interfaces. [PR/507004]
The SNMP process might restart when a core dump is generated. [PR/517230]

MPLS Applications

The rt column in the output of the show mpls lsp command and the active route counter in the output of the show mpls lsp extensive command are incorrect when per-packet load balancing is configured. [PR/22376]
For point-to-multipoint label-switched paths configured for VPLS, the ping mpls command reports a 100 percent packet loss even though the VPLS connection is active. [PR/287990]
The routing protocol process crashes when configuration changes occur that involves adding an interface to the routing protocols. [PR/456241]
Under NGEN-MVPN with vrf-table-label configured on the provider edge, the provider router connecting to that provider edge might keep an old P2MP MPLS label entry upon label-switched path optimization or reroute. There is no workaround. [PR/538144]

Platform and Infrastructure

On T Series routers, a Layer 2 maximum transmission unit (MTU) check is not supported for MPLS packets exiting the routing platform. [PR/46238]
When you configure a source class usage (SCU) name with an integer (for example, 100) and use this source class as a firewall filter match condition, the class identifier might be misinterpreted as an integer, which might cause the filter to disregard the match. [PR/50247]
If you configure 11 or more logical interfaces in a single VPLS instance, VPLS statistics might not be reported correctly. [PR/65496]
When a large number of kernel system log messages are generated, the log information might become garbled and the severity level could change. This behavior has no operational impact. [PR/71427]
In the situation where a Link Services (LS) interface to a CE router appears in the VPN routing and forwarding table (VRF table) and a fragmentation is required, Internet Control Message Protocol (ICMP) cannot be forwarded out of the LS interface from a remote PE router that is in the VRF table. As a workaround, include the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level. [PR/75361]
Traceroute does not work when ICMP tunneling is configured. [PR/94310]
If you ping a nonexistent IPv6 address that belongs to the same subnet as an existing point-to-point link, the packet loops between the two point-to-point interfaces until the time-to-live expires. [PR/94954]
On T Series and M320 routers, multicast traffic with the "do not fragment" bit is being dropped due to configuring a low MTU value. The router might stop forwarding all traffic transiting this interface if the clear pim join command is executed. [PR/95272]
A firewall filter that matches the forwarding class of incoming packets (that is, includes the forwarding-class statement at the [edit firewall filter filter-name term term-name from] hierarchy level) might incorrectly discard traffic destined for the Routing Engine. Transit traffic is handled correctly. [PR/97722]
The Junos OS does not support dynamic ARP resolution on Ethernet interfaces that are designated for port mirroring. This causes the Packet Forwarding Engine to drop mirrored packets. As a workaround, configure the next-hop address as a static ARP entry by including the arp ip-address statement at the [edit interfaces interface-name] hierarchy level. [PR/237107]
When you perform an in-service software upgrade (ISSU) on a routing platform with an FPC3 or an Enhanced FPC3 with 256 MB of memory and the number of routes in the routing table exceeds 750,000, route loss might occur. If route loss occurs, as a workaround, perform either of the following tasks:
- Replace the FPC3 or Enhanced FPC3 with another FPC that has more memory, or
- After the ISSU is complete, reboot only the FPC3 or Enhanced FPC3.
[PR/282146]
For Routing Engines rated at 850 MHz (which appear as RE-850 in the output of the show chassis hardware command), messages like the following might be written to the system log when you insert a PC Card: “bad Vcc request” and “Device does not support APM.” Despite the messages, operations that involve the PC Card work properly. [PR/293301]
On a Protected System Domain, an FPC might generate a core file and stop operating under the following conditions:
- A firewall policer with a large number of counters (for example, 20,000) is applied to a shared uplink interface, and
- The FPC that houses the interface does not have a sufficiently powerful CPU.
As a workaround, reduce the number of counters or install a more powerful FPC. [PR/311906]
When a CFEB failover occurs on an M10i or M7i router that has had 4000 or more IFLs, the following message appears:
```
IFRT: 'IFD ioctl' (opcode 10) failed
ifd 153; does not exist
IFRT: 'IFD Ether autonegotiation config' (opcode 163) failed
```
The message has no operational impact. When the backup CFEB becomes the active CFEB, the message will not display. [PR/400774]
Redirect drops that are not real errors is taken into account for "Iwo HDRF" error statistics that is reported in the output of the show pfe statistics errors command on I-chip based routers. Since redirect drops are expected in a VPLS (and Ethernet in general) environment, this behavior could be misleading. [PR/430344]
The SFC management interface em0 is often displayed as fxp0 in several warning messages. [PR/454074]
The VPN label does not get pushed on the label stack for Routing Engine-generated traffic with l3vpn-composite-next-hop activated. As a workaround, configure per-packet load balancing to push the VPN/tunnel labels correctly. [PR/472707]
On restarting with a large-scale configuration (16,000 logical interfaces per MPC), the MPC-3D-16XGE-SFPP card may take up to 15 minutes to come up. [PR/478548]
Swapping out eight FPC cards and replacing them with a different FPC type causes the kernel to crash when the last FPC is powered on. [PR/502075]
The data channel applications for protocols like FTP, TFTP, RTSP, and SIP are not in the same application group as their control channel applications. For example, the control channel application junos:ftp is in the group junos:file-server, but its corresponding data application junos:system:ftp-data is not in any group. [PR/507865]
The dynamic auto-sensed VPLS interfaces fail after an ri modification. Before making configuration changes to any routing instance, clear any active logical interfaces that are part of the routing instance using the clear auto-configuration interfaces operational command. Modifying a routing instance configuration when the configuration is actively being used by subscribers can result in an unpredictable behavior. [PR/512902]
When IGMP snooping is enabled, a multicast traffic drop might occur if an IGMP join or leave occurs on other interfaces. [PR/515420]
The GRE key tunnel performance reduces by 10 percent when 4000 tunnels or more are configured on the MS PIC. [PR/520855]
No NA packets are returned for NS requests with a static NDP due to an issue with the neighbor advertisement implementation for statically configured neighbors. [PR/527779]
The Packet Forwarding Engine incorrectly imposes a rate limit function for the host-bound virtual LAN tagged packets with IEEE 802.1p value of 1. There is no workaround. [PR/529862]
When a configuration contains a large number of logical interfaces and graceful Routing Engine switchover (GRES) is not configured, the restart chassis-control command can result in some of the FPCs not coming online. As a workaround, enable GRES (set chassis redundancy graceful-switchover). [PR/532030]
A router might send raw IPv6 host-generated packets over the Ethernet towards its BGP IPv6 peers. [PR/536336]

Routing Policy and Firewall Filters

The following features are not supported in a 12-16x10G DPC:
- Known unicast and unknown unicast types in the input match condition 'Traffic-type' in a family bridge/VPLS
- The following match conditions do not work:
  - learn-vlan-1p-priority
  - learn-vlan-1p-priority-except
  - learn-vlan-id
  - learn-vlan-id-except
  - user-vlan-1p-priority
  - user-vlan-1p-priority-except
  - user-vlan-id
  - user-vlan-id-except
- VPLS flood FTF and input FTF
- Simple filters
- Filter action 'then ipsec-sa'
- Filter action 'then next-hop-group'
- MAC-filter output accounting and output policing
[PR/466990]
Port mirroring does not work under the bridge-domain forwarding-option filter. [PR/529272]

Routing Protocols

When you configure damping globally and use the import policy to prevent damping for specific routes, and a new route is received from a peer with the local interface address as the next hop, the route is added to the routing table with default damping parameters, even though the import policy has a non-default setting. As a result, damping settings do not change appropriately when the route attributes change. [PR/51975]
When you issue the show ldp traffic-statistics command, the following system log message might be generated for all forwarding equivalence classes (FECs) with an ingress counter set to zero: "send rnhstats GET: error: ENOENT — Item not found." [PR/67647]
If ICMP tunneling is enabled on the router and you configure a new logical system that does not have ICMP tunneling enabled, the feature is globally disabled. [PR/81884]
When aggregate interfaces are used for VPN applications, load balancing may not occur with a Layer 2 circuit configuration. [PR/471935]
When PPMD delegation of BFD sessions is configured over AE interfaces, graceful Routing Engine switchover (GRES) and NSR do not work. [PR/505058]
Under certain circumstances, the BGP path selection does not follow the local preference. This might lead to incorrect BGP path selections. [PR/513233]
The mirror receive task variable may not be cleared when the routing protocol process is heavily scaled. Hence, the NSR replication for RIP status stays in the "InProgress" state indefinitely. [PR/516003]
Upon an NSR mastership switch or ISSU upgrade, the multicast resolve route for IPv4 224/4 or inet6 ff00::/8 might be missing within the forwarding-table. To recover from this condition, deactivate and activate the protocol pim stanza, or restart the routing protocol process. [PR/522605]
When the received next hop for a route has the same address of the EBGP peer to which the route is readvertised, next hop is erroneously set to the peer's address instead of the next hop to self. [PR/533647]
The overload bit in the ISIS LSP MT-TLV may trigger the IS-IS to install a default route to the overload bit advertiser. And the output of the show isis database extensive command displays an unknown TLV. [PR/533680]
When a certain combination of route damp parameters is configured for BGP, the resulting internal calculations result in an attempt to allocate 0 bytes of memory, causing the routing protocol process to crash and restart. As a workaround, avoid the exact combination of poison values in the configuration. [PR/534780]
When an IGMP snooping host interface goes down, mcsnoopd does not update the affected nexthops for the statically configured groups. When the interface comes back up, the affected nexthops remain in the inconsistent state leading to traffic outage. As a workaround, restart the mcsnoopd process. [PR/536109]
The UDP length field does not update properly after it is fragmented with the multicast data packets with a large length. [PR/537276]
If there is enough join state associated with a neighbor and that neighbor goes down and comes back up quickly, then that join state may be stranded in an unresolved state until the clear pim join command is issued. [PR/539962]
The routing protocol process might crash when a BGP connection attempt meets with an RST from the peer. This is due to an unlikely race condition. [PR/540895]

Services Applications

The show services accounting flow-detail extensive command sometimes displays incorrect information about input and output interfaces. [PR/40446]
When a routing platform is configured for graceful Routing Engine switchover (GRES) and Adaptive Services (AS) PIC redundancy, and a switchover to the backup Routing Engine occurs, the redundant services interface (rsp-) always activates the primary services interface (sp-), even if the secondary interface was active before the switchover. [PR/59070]
Detection of failure of remote PPP clients on the LNS through LCP echo requests will take a longer time due to the increase in the number of echo request retries. [PR/250640]
When a standard application is specified under the [edit security idp idp-policy policy-name rulebase-ips rule rule-name match application] hierarchy level, the IDP does not detect the attack on the non-standard port (for example, junos:ftp on port 85). [PR/477748]

Subscriber Access Management

The destination and destination-profile options for address and unnumbered-address within the family inet and inet6 are allowed to be specified within a dynamic profile, but are not supported. [PR/493279]

User Interface and Configuration

On M20 routers, after a Routing Engine mastership switchover, it might not be possible to enter CLI configuration mode on the new master Routing Engine. Also, the request system reboot and request system halt commands do not clearly fail but do not return the CLI prompt either. [PR/64899]
The “Local Password:" prompt appears even though the authentication order has a password configured. [PR/94671]
When the CLI screen length is set to zero and the show log command is used, the “more” prompt ignores the CLI screen length of zero and only a fraction of the number of lines is displayed. [PR/103595]
The logical system administrator can modify and delete master administrator-only configurations by performing local operations such as issuing the load override, load replace, and load update commands. [PR/238991]
After AI scripts are added, the existing management sessions (including the one used to add the AI scripts) must exit the edit mode and reenter it for any subsequent configuration changes to take effect. Changes made in these existing edit sessions are not written to the candidate configuration. [PR/297475]
Selecting the monitor port for any port in the Chassis Viewer page displays the common Port Monitoring page instead of the corresponding Monitoring page of the selected port. [PR/446890]
On MX Series routers, J-Web does not display the USB-related information under Monitor>SystemView>System Information>Storage. [PR/465147]
Under the Configuration>OSPF>Traceoptions page, J-Web does not display the available flags. [PR/475313]
In the J-Web interface, the options Access Concentrator, Idle Timeout, and Service Name for PPPoE logical interfaces are not supported on MX Series routers. [PR/493451]
The auto-complete feature is not disabled on the password fields of the J-Web interface. This could lead to a loss of confidentiality of the users if any of them use a shared host or their machine is compromised at some point. [PR/508425]
In a router configured with a large number of interfaces, when few interfaces are constantly added and deleted, a minor memory leak may be observed in the "pfed" process. [PR/522346]
While a configuration with a long as-path is displayed in XML format using the show configuration | display xml | no-more command, the closing tag for the as-path <path> is wrongly displayed as </path instead of </path>. [PR/525772]
In the J-Web interface, when RIP, BGP, OSPF, and DHCP are not configured in-box, the validation message "not configured" displays in the respective screen in the monitor tab. The options for the commit, help, and log-out window are displayed after the validation message. Because of this, the user is unable to click on the above options. This issue occurs only in the Firefox Web browser. As a workaround, refresh the J-Web interface if you have already opened the log-out window, or use these options from other menus. [PR/528346]
The xnm service currently does not support logging of remote-host addresses in system accounting. [PR/535534]
The annotate command does not appear when it is used under the edit private command for class of service. [PR/535574]
The httpd process crashes at irregular intervals when the J-Web pages are accessed. [PR/535768]
After an user establishes an SSH connection, the sshd process is spawned on the server and services the user. After the connection is established, the sshd process listens on a socket and keeps polling in the select() and sleeps until there is something to be processed on the socket. When the client closes the connection, a message is sent on the socket to the server, which reads and processes the tear-down of the connection. However, when a blocking tcp is sent to the client to detect the client's presence, the time out never expires. [PR/538342]
It is possible to login to J-Web from a web browser having a cipher strength of 40 and 56 bits. This could create a security issue. As a workaround, use a web browser that supports 128 bit of cipher strength. [PR/539477]
The behavior of J-Web is undefined when it is launched from any web browser that is based on languages other than English. [PR/540329]

VPNs

When you modify the frame-relay-tcc statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level of a Layer 2 VPN, the connection for the second logical interface might not come up. As a workaround, restart the chassis process (chassisd) or reboot the router. [PR/32763]
On a router configured for nonstop active routing (NSR) (the nonstop-routing statement is included at the [edit routing-options] hierarchy level), if a nonstop active routing switchover occurs after the configuration for routing instances changes in certain ways, the BGP sessions between PE and CE routers might not be established after the switchover. [PR/399275]
Under certain topologies, using NG-MVPN with the RPT-SPT mode can cause traffic to be discarded from RPT before the traffic starts flowing from the SPT, when RPT is switched to SPT. [PR/529518]
If a VPN routing and forwarding (VRF) instance contains a static route that is resolved via a route that is auto-exported from another routing instance, the static route may not be removed when the physical interface goes down. [PR/531540]
When a CE-facing interface in a VPLS instance is deactivated, the routing protocol process may get into a loop leading to a high CPU utilization. [PR/531987]
In a Live/Standby MVPN extranet setup, with the primary provider on PE1, the backup provider on PE2, and a receiver on PE3 and receivers also on PE1 and PE2, traffic drops occur for 25 seconds after every 35 seconds. [PR/542984]