
Open Issues

Learn about open issues in this release for MX Series routers.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • When the Secure Shell Protocol (SSH) user accesses the device with TACACS+ authentication, the SSH might crash. The SSH user cannot access the device when the issue happens. PR1601150

Class of Service (CoS)

  • On MX Series platforms, deactivating and activating the target-mode using the set chassis satellite-management fpc target-mode statement will lead to a bad state at Packet Forwarding Engine where the extended port based IFLSET will not have any queues at all while it should have actually had the queues. This will lead to traffic disruption. PR1593059

  • When multiple NETCONF or similar sessions (around 50-60) continuously query interface information in XML format, the child mgd process might get stuck. If more than one (at least 4-5) child mgd processes get stuck, mgd stops functioning, which might cause any new configuration to not take effect. PR1599024

  • On all Junos platforms with per-unit-scheduler support, when the per-unit-scheduler is configured on aggregate Ethernet interface, after cosd restart or NSR switchover, unbind or bind of scheduler over child interface of aggregate Ethernet might occur. In NSR switchover scenario, traffic loss might be seen. PR1599857

  • On the MX platform with MPC or MIC based line cards, the Class-of-Service rewrite policy might not work if the rewrite rules are tied to CCC interfaces. PR1603909

EVPN

  • In a Provider Backbone Bridging-Ethernet VPN (PBB-EVPN) environment, ARP suppression feature which is not supported by PBB might be enabled unexpectedly. This might cause MAC addresses of the remote CEs not to be learned and hence traffic loss might be seen. PR1529940

  • On all Junos platforms in an EVPN-VXLAN scenario, the number of MAC-IP binding counters might reach the limit when MAC-IP is moved between interfaces. Because of this defect, MAC-IP counters are not decremented when an entry is deleted, so repeated moves cause the limit (default value is 1024) to be reached even though there are fewer entries. Meanwhile, traffic loss might be seen. PR1591264

  • In an EVPN A/A ESI multihoming scenario with dynamic list next hop (DLNH) configured, when one of the multihomed CE-PE links goes down on remote MH-PEs, then traffic loss might be seen. PR1594326

Forwarding and Sampling

  • Traffic drop is seen and filter does not hit as expected for match condition traffic class with flt statement configured. PR1573350

  • On Junos platforms, the snmpwalk might not work for some logical interfaces if the interface filter name is the same for input list filters. PR1601761

General Routing

  • When you issue a show interface command to check the interface details, the system will not check whether the interface name provided is valid or invalid. The system will not generate an error message if the interface name is invalid. PR1306191

  • Source MAC and TTL values are not updated for routed multicast packets in EVPN-VXLAN. PR1346894

  • The ping latency behavior is expected for host generated ICMP traffic due to the design of Packet Forwarding Engine queue polling the packets from ASIC. PR1380145

  • This is a timing issue during the sxe interface bring up (with respect to i40e driver). This can be recovered by rebooting the complete board. PR1442249

  • In a race condition, if a BGP route is resolved over the same prefix protocol next hop in a routing table that has routes of the prefix from different routing protocols, when the routes are flapping (firstly these routes are down and then up), the BGP route will be re-resolved, and then the rpd process crash might be seen. PR1458595

  • VXLAN VNI (multicast learning) scaling, traffic issue is seen from VXLAN tunnel to Layer 2 interface. PR1462548

  • Either static routes or implicit filters should be configured for forwarding DNS traffic to service PIC. It solves DNS packet looping issue. PR1468398

  • On MPC7E, MPC8E, MPC9E, MPC10E, JNP10K-LC2101, and MX204/MX10003, syslog error unable to set line-side lane config (err 30) will occasionally appear. This does not impact any service and can be ignored. PR1492162

  • The show pfe filter hw filter-name <filter name> command fails to retrieve the Packet Forwarding Engine programming details of the filter. PR1495712

  • On all Junos platforms with BGP SR-TE (Spring-TE), the transit v4 traffic in SR topology might miss labels and might get dropped in first hop, when ingress is forwarding traffic. It might miss out all the labels except the last hop in the v4 traffic forwarded by NH interface. PR1505592

  • On a fully scaled system where all the slices are utilized by different families of CLI filters, if we try to delete for one family and add/change for another family with a higher number of filter terms which requires either expansion of the filter or creation of a new filter, the Packet Forwarding Engine fails to add the new filter as we are getting messages out of sequence. That is, the add/change of filter is called earlier than the delete of another filter that will free up the slices. PR1512242

  • A 35 seconds delay is added in reboot time from Junos OS release 20.2R1 compared to Junos OS release 19.4R2. PR1514364

  • Active sensor check fails while checking the show agent sensors | display xml command. PR1516290

  • LFM might flap during MX Virtual Chassis ISSU from this release. PR1516744

  • On the MX Series platforms with NG-RE installed, after upgrading the Intel i40e-NVM firmware to version 6.01, the FRUs disconnection alarms might be seen along with traffic loss. Refer to the TSB17603 to upgrade Junos software and Intel i40e-NVM firmware. PR1529710

  • FIPS mode is not supported. PR1530951

  • Due to BRCM KBP issue route lookup might fail. Need to upgrade KBP to address this issue. PR1533513

  • MACsec PIC stays offline in new primary after ISSU in GNF alone. PR1534225

  • Socket to sflowd closed error comes up when the ukern socket to sflowd daemon (server) is closed. The error is rectified by itself as the client successfully reestablishes the connection in the subsequent attempts. When these errors are consistent, it indicates a communication issue between sflowd and the sFlow running on the FPC. PR1538863

  • On EVPN VXLAN, vmcore files are seen on master and backup Routing Engine with Layer 2 and Layer 3 multicast configuration. PR1539259

  • In a scaled MX2020 router with vrf localisation enabled, 4 million next hop scale, and 800,000 route scale, FPCs might go offline on GRES. Post GRES, the router continues to report many fabric related CM_ALARMs. FPC might continue to reboot and does not come online. Rebooting the master and backup Routing Engines will help recover and get the router back into a stable state. PR1539305

  • The Heap malloc(0) detected for jnh_unilist_adaptive_add error messages are seen on loading the configuration. No functional impact due to this error. PR1547240

  • Hardware performance counters might not be correctly exported to the CLI when Packet Forwarding Engines are disabled. This is purely a display issue and required a high priority clean-up. PR1547890

  • 100G AOC from Innolight does not come up after multiple reboots. It recovers after enabling or disabling interface. PR1548525

  • When the telemetry data for a node which is streamed is deleted during a network churn and the same node is being walked/rendered for the sensor, RPD might generate a core dump file. This is a corner case where the rendering and deletion of a particular node have to happen at the same instant. This issue can occur only in case of an unstable network. PR1552816

  • 5M DAC connected between QFX10002-60C and MX2010 does not link up. But with 1M and 3M DAC this interoperability works as expected. PR1555955

  • Resource deadlock avoided messages observed. No functionality impacts are seen. PR1557468

  • Packet Forwarding Engine on a sub-LC (SLC) could show training failure (TF) on one or more planes, after events on other SLC of the same line card or after events that affect complete system. PR1558008

  • On the MX10008 routers, the GRE keepalive adjacency state is Down even though the GRE tunnel is in the Up state. PR1559200

  • VE CE mesh groups are default mesh groups created for a given routing instance. On vlan/bridge-domain add, flood tokens and routes are created for both VE and CE mesh-group/flood-group. Ideally, the VE mesh-group is not required on a CE router where IGMP is enabled on CE interfaces. MX Series based CE boxes have unlimited capacity of tokens, so this would not be a major issue. PR1560588

  • Due to a race condition, the show multicast route extensive instance instance-name command output can display the session status as invalid. Such an output is a cosmetic defect and not indicative of a functional issue. PR1562387

  • Interface hold time needs to be configured to avoid the additional interface flap. PR1562857

  • In a rare scenario, SPMB does not reply during FPC online which is moved from SLC mode to full line card mode. The FPC gets stuck as the training is not complete. PR1563050

  • FPC online or offline through pinhole is not working. PR1563315

  • When SLC is reconfigured from asymmetric mode to symmetric mode in a single commit, it is possible that on some occasions, one of the SLC shows chassis connection as dropped state. The SLC will come online and no functional impact is seen. PR1564233

  • Starting in Junos OS release 21.1R1, Junos OS ships with python3 (python2 is no longer supported). In the ZTP process, if a Python script is being downloaded, ensure that the script follows python3 syntax. Also, if the Python script has #!/usr/bin/python as the first line (that is, the path of the Python interpreter), it needs to be changed to #!/usr/bin/python3 from Junos OS release 21.1R1. PR1565069

  • The show pfe statistics traffic command shows incorrect output and will be disabled in future releases as the correct place to check these statistics is PFE/flow-based show pfe statistic command. PR1566065

  • During ingress processing, we maintain separate counters for Layer 2 unicast, multicast, and broadcast as well as for unknown unicast, whereas during egress processing we only maintain the logical interface level stats after the WAN out. Hence, at egress level the output multicast counter always shows 0. PR1566436

  • The chassisd logs are flooded with the pic_create_ifname: 0/0/0 pic type F050 not supported error messages for every port that is connected. This happens repeatedly in a few seconds. PR1566440

  • The tunnel composite next hop (TCNH) entries are present because NSR is not supported for BGP static programmable routes. In backup, this leads to an extra reference count due to which the next hop is not getting freed. This will be fixed when NSR feature is fully supported for this feature. PR1566666

  • In SLC scenarios, the filter actions discard, reject, and send-to-host lead to an AFTD crash. PR1567313

  • On all L2NG platforms, MAC address entries might be smaller in the MAC table than in the ARP table, this is because some of the MAC addresses are not relearned successfully after MAC address age timeout. This issue causes traffic loss for non-existing MAC entries. PR1567723

  • Packet Forwarding Engine error message Tunnel id: does not exist can be seen while executing the show dynamic-tunnel database statistics command after deactivating routing-options dynamic-tunnel when you have a high scale of tunnels. This is just a transient error message and has no functional impact. The error can appear while tunnels are getting deleted and will not be displayed after all the tunnels are deleted. PR1568284

  • In high availability mode, ICMP fragment drop messages are not seen. PR1569123

  • BUM traffic replication over VTEP is sending out more packets than expected and there seems to be a loop also in the topology. PR1570689

  • PDB pull or synchronization does not occur in new primary during unified ISSU. This is a timing issue and it is seen whenever ISSU is done from any of the previous releases to Junos OS Release 21.1 or later. PR1570841

  • Copying files to /tmp/ causes a huge JTASK_SCHED_SLIP. Copy files to /var/tmp/ instead. PR1571214

  • In a very rare scenario for high availability cluster deployment, when a redundancy group 0 (RG0) failover occurs and, at the same time, the control link is down, a mib2d core file is generated because the dcd.snmp_ix information on the master Routing Engine and secondary Routing Engine is out of sync. PR1571677

  • On VM Host platforms with Next-Generation-Routing Engine, the physical management interface is virtualized and mapped to fxp0 interface in guest OS, eth0 and macvlan0@eth0 interface in host OS. Currently, IPv6 is enabled by default on eth0 and macvlan0@eth0 interface on host OS. During system bootup or the management interface coming up, the management interface (that is, eth0 and macvlan0@eth0 interface) on the host OS might respond to IPv6 neighbor discovery protocol packets. It might cause the upstream router to learn the MAC address of eth0 and macvlan0@eth0 interface instead of fxp0 interface in Junos. In certain deployments (based on the upstream router configurations), the upstream router might disable the access to fxp0 interface. PR1571753

  • On all Junos platforms in a subscriber scenario, routes that use static subscriber demux or ge interfaces as qualified next hop might be stuck due to the Destination address required error message after GRES or unified ISSU. This might cause high CPU usage for rpd. The rpd process restarts itself and system recovers automatically. PR1572130

  • On all Junos platforms, traffic loss might be observed due to a rare timing issue when performing frequent Interface Bridge Domain (IFBD) configuration modifications. This behavior is seen when the Packet Forwarding Engine receives out-of-order IFBD(s) from Routing Engine and might lead to the fxpc process crash and traffic drop. PR1572305

  • On the MX series platforms with EVPN-VXLAN setup, ARP MAC move between local side and remote side or moving from a MAC-VRF table to the default switch table might cause DCPFE/FPC to crash. PR1572876

  • The ksyncd process generates core file when we reboot node with EVPN VXLAN configurations. PR1574594

  • After Junos OS upgrade, MAC address changes will be seen on MPC9E PIC1 interfaces. Static MAC configurations will be affected. PR1575009

  • The child inactivity timeout is not set for custom ALG application. This does not impact any functionality. Only the user defined custom ALG child timeout will not take effect, and the default timeout is used instead. PR1575183

  • When the scheduler configuration is not applied to all 8 egress queues of an interface and one or more egress queues have the buffer size remainder configuration, the buffer is not distributed correctly to the egress queues with buffer size remainder, which might lead to unexpected tail drops. PR1575798

  • Max ports used is not getting displayed properly in the show services nat pool pool-name detail command output. PR1576398

  • On MX10016 routers, when Fan Tray 1 Fan x> Failed alarm is cleared, Fan/Blower OK SNMP traps are generated for fan tray 0 [Fan 31 - 41] and fan tray 1 [Fan 11 - 41]. PR1576521

  • With max number of logical interfaces (4000 GRE tunnels per Packet Forwarding Engine) with following configuration:

    1. family inet and associated source and destination for each tunnel.

    2. Configure allow-fragmentation statement on one endpoint of the tunnel and configure reassemble-packets on the other endpoint of the tunnel.

    With the above configuration, if you do deactivate chassis fpc slot, SLIP messages are observed. PR1581042

  • On MX platforms, in a subscriber scenario with scaled around 32,000 connections, the replication daemon might generate core files or stop running, which results in failure on subscriber services on the new Routing Engine after the upgrade or GRES. PR1577085

  • In an EVPN-VXLAN scenario with OSPF configured over the IRB, OSPF sessions might not get established due to connectivity issues. PR1577183

  • On a fully loaded device, at times, firewall programming fails due to scaled prefix configuration with more than 64800 entries. PR1581767

  • Route entries cannot be processed between Routing Engine and FPC due to incorrect operations of two internal threads in a race condition, resulting in a tight loop in code and high rpd process CPU usage. PR1582226

  • On MX platforms with SPC3, traffic drop is observed in either of the cases:

    Case 1: When an ICMPv6 error message is sent to the Address Family Transition Router (AFTR) IP. The ICMP error can be triggered from the Packet Forwarding Engine or the intermediate node having the AFTR address as the destination address. Flow ICMP vector will not handle this error as the destination is the AFTR, and this leads to looping.

    Case 2: When there is a normal IP-IP session opened instead of a DSLITE session in case of the server to client session establishment and upon force tunnel session close by session timeout configuration or session clear command on the tunnel session and also with a timing case. PR1582447

  • USB boot with Junos OS 21.2 image will get stuck in windriver mode. PR1582592

  • When VRF localisation is enabled, CE or access facing FPC might generate core file when aggregate interface configuration is added or changed. PR1583901

  • Multicast EVPN-VXLAN instance is down since local VTEP logical interface is not associated to EVPN instance post deactivate or activate of routing instance. PR1584109

  • If a BSYS Routing Engine switchover is triggered by simulating a kernel crash on a node-sliced platform, the FPCs or SLCs stay in present state while the related GNFs become unreachable. A system reboot is required to resolve this issue. This issue is seen only on MX2020 platforms with the REMX2K-X8-128G Routing Engine. PR1584478

  • During reboot in certain instances, the device might get into a state where Junos OS virtual machine hangs until the NMI is triggered and reboots fully. The system recovers after ~30 minutes. PR1584902

  • CoS classifiers and rewrites are not supported on a logical tunnel (LT interface) with Ethernet-CCC or Ethernet-bridge encapsulation. The cosd process does not prevent a commit but then the classifiers/rewrites are not bound to the LT interface at Packet Forwarding Engine and hence does not work. PR1585374

  • On MX Series routers with MPC11E line card and scaled pseudowire headend termination (PWHT) configurations, transient traffic loss is seen during iterative enhanced mode ISSU. The loss is usually seen in the second or third ISSU iteration and ranges from 40-90 seconds. No traffic loss is seen in the first ISSU iteration. Line cards and Routing Engine are not rebooted between ISSU iterations. PR1586337

  • With the preserve statement ON and option c used with BGP CT, if the VPN CT stitching routes at the ASBR resolve over an SR-TE tunnel having a single label, the forwarding mpls.0 route programming will be incorrect on MX boxes. PR1586636

  • On MX Series routers with MX-SPC3 services card, in USF mode, NAT EIM mapping is created even for out to in FTP ALG child sessions. PR1587849

  • On MX Series routers with MX-SPC3 services card, in USF mode, with NAPT44, EIM, APP, and PCP configurations, show services session count on vms- interface is not as expected for FTP traffic initiated from public side. PR1588046

  • Rpd core is seen at the rt_iflnh_set_nhid. Core is due to assertion caused by failure of hbt_insert for nhid belonging to a logical interface. It is seen that there is a duplicate entry present which causes the hbt_insert failure. PR1588128

  • A cloud LED on the device indicates the phone home client states and device connectivity state with the cloud. When the grpc application is configured with non root user, then the cloud LED will not display any pattern related to day1 states. The LED pattern will still be displaying the previous day0 state as applicable. PR1589321

  • Fabric training failure might be seen on Packet Forwarding Engine, when the Packet Forwarding Engine sees a fabric self ping error and later if FPC hosting that Packet Forwarding Engine is restarted due to CLI or any other reasons. PR1590054

  • Minor transient traffic drop will be seen during MBB of RSVP LSP without optimize-adaptive-teardown statement. PR1590656

  • On MX Series platforms with PTP feature enabled with phy-timestamping, frequent phydriver sync_state toggling occurs due to incorrect calculation of the Phytimestamp. PR1591667

  • With warm standby being configured for an aggregated multiservices (AMS) interface, if switchover is performed for the specified warm standby AMS interface or crash occurs on the service PIC where the AMS member interfaces are present, the mobiled daemon might crash. The mobiled daemon will restart automatically and be self-recovered after crash. PR1592345

  • On MX platforms with dual Routing Engines, with GRES enabled and in PTP hybrid mode, if using the building-integrated timing supply (BITS) interface from backup Routing Engine for clock recovery, that will not work. PR1592657

  • On MX platforms that use SPC3, if the PS interfaces are added on the Routing Engine after SPC3 is up and running, packets sent from the PS interface to SPC3 for services such as NAT, SFW, and IDS might be dropped by SPC3. PR1592706

  • Base system (BSYS) to guest network function (GNF) chassisd connection might be temporarily disrupted when two MS-MPC line cards, which are assigned to GNF, are booting up at the same time. If GRES is configured, there might be a mastership switch between GNF Routing Engine 0 and Routing Engine 1. PR1591598

  • There can be a routes mismatch among SPRING-TE routes on master and backup Routing Engine when specific conditions are met:

    • Restart routing is done on master-rpd.
    • There are BGP-SRTE tunnels present in SPRING-TE.

    This mismatch does not present problems post-switchover, and no service impact is seen. As a workaround, restart routing on the backup Routing Engine. PR1596095

  • A rare and intermittent AFT crash is seen after performing back to back deactivate and activate interface actions. PR1596320

  • When the interface associated with a service set is changed, a crash happens during handling of this configuration change due to incorrect pointer typecasting. This crash is seen intermittently. PR1596578

  • In the case of HMC failure, the packet drop might be seen if traffic is moving from one FPC to another FPC. PR1594244

  • On a node sliced platform with MPC11E line card sliced into sub line cards, it is possible that the aftd-trio[13014]: [Error] IF:IfdCfgMsg, ifd not found, ifdIndex:2399 syslog error message might appear, when GNF has configuration that does not pertain to its Packet Forwarding Engines. This message does not have any functional impact. PR1594816

  • On MX platforms with Virtual Chassis, firmware upgrading might fail due to improper Trivial Network Protocol (TNP) server address, so the firmware will fail to be downloaded to MIC. PR1595693

  • When suspend-for is configured and the user frequently restarts dot1x-protocol in the CLI, the MACsec session might not recover at all. This is because MACsec suspension messages cannot be sent within the short interval, so no new SAK is programmed in hardware. Due to this, traffic loss occurs permanently. To recover the affected port, deactivate and activate MACsec on the port. PR1596854

  • Carrier-Grade Network Address Translation (CGNAT) MX SPC3 AMS warm-standby 1:1 redundancy problem with CLI CPU statistics lost data after PIC failover. The show services service-sets cpu-usage command does not display service sets show services sessions utilization. The output does not display session count, the rates, and CPU values. PR1596976

  • On all MX Series platforms, changing configuration AMS 1:1 warm-standby to load-balance or deterministic NAT might generate vmcore file and traffic loss might be seen. PR1597386

  • On all Junos platforms in an EVPN-VXLAN environment, when MAC/IP is moved from one Ethernet segment identifier (ESI) to another ESI from the same peer, the withdraw route might not be sent to the remote Virtual Tunnel End Point (VTEP); only the MAC withdraw route is sent to the remote VTEP. PR1597391

  • NTF-agent is not compatible with latest version of OpenSSL 1.1.1. It uses OpenSSL 1.0.2. PR1597714

  • When an MPC10 or MPC11 FPC is coming up, the cfmman process might generate core files if platform shared memory initialization did not complete successfully and the process tries to access that memory to get slot ID information. PR1597812

  • On the MX10008 and MX10016 routers, taking multiple FPCs offline and online back to back multiple times might result in an FPC being stuck at announce offline state. PR1598102

  • ALG traffic might be dropped when incoming packet contains HTTP/ and rn characters in data or NAT slipstream packets. PR1598017

  • On all platforms that support Junos telemetry interface, when the set services analytics export-profile xxx format gpb-sdm and set services analytics export-profile xxx transport tcp statements are enabled on Routing Engine sensors, subscriber management related daemons (such as authd, bbe-smgd, bbe-statsd, jdhcpd, and smid) might continuously crash and core files are generated. PR1598351

  • On MX platforms, the Compact Forwarding Engine Board (AFEB) might crash if a MIC-3D-8DS3-E3 having any hardware fault is initialized into the device. The AFEB recovers automatically after some time, and the faulty hardware needs to be replaced. The AFEB crash might impact traffic forwarding during the time of the issue. PR1598411

  • On MX platforms with MS-MPC and MS-PIC, the packet loop might be seen after receiving the PCP mapping request packets to service-set where PCP rule is not configured and the packet loop might cause high CPU utilization. PR1598720

  • Chassis components name exported wrongly. PR1598816

  • MX Series routers have a cloud LED on the front panel to indicate the onboarding of the device to cloud (day0) and management after onboarding (day1). If MIST is used as a management entity in cloud, then the cloud LED will display green in situations where the device would have lost connectivity to cloud. This is due to MIST using outbound SSH for management. This behavior is not applicable to any other management entity which uses outbound HTTPS, and the LED will display appropriate states to indicate the loss of connection to cloud. PR1598948

  • Unified ISSU might result in FPC core, if the fast-lookup-filter statement is enabled. PR1599045

  • The rpd process generates core file on the standby Routing Engine when all of the following conditions are met:

    1). BGP-SRTE policy tunnels are present.

    2). The rpd process restart is done on the master Routing Engine.

    3). NSR switchover is subsequently done. PR1599446

  • On the MX10008 and MX10016 routers, continuously taking an FPC offline and online multiple times might result in an FPC restart at init state, adding 2 min to the boot time. PR1599469

  • On MX SPC3 services card, ICMP protocol is not detected and does not allow user to modify inactivity-timeout values. PR1599603

  • On a node sliced platform where MPC11E is used in sub line card mode, if the configuration of the SLC is moved from asymmetric mode to symmetric mode followed by a swap of Packet Forwarding Engine range between SLC1 and SLC2, ukern-platformd and ztchip core files are generated on some rare occasions. The line card will recover on its own and no functional impact will be seen once the line card is online. PR1600040

  • On MX platforms with multiservices card (MS-PIC or MS-MPC) installed, when the user's TCP session is passing the multiservices card, TCP tickle functionality tries to extend TCP session after the inactivity timeout expires by sending self-generated TCP keepalive packets to both parts of TCP connection and expecting the TCP ACK to be seen from both parts. While the expected behavior is to drop that TCP ACK packet on multiservices card upon receiving, it sends to another part of TCP connection, this causes confusion and inability to extend TCP session, and then causes impact on long-lived TCP sessions with low volume of traffic. PR1600619

  • Frame stack messages are seen during MPC11E subLC boot up, when subLC is added to GNF. No functional impact is seen due to the messages. PR1600749

  • On MX platforms with multiple MPC2E NG, MPC3E NG, and MPCE type 3 3D installed and working in redundant mode (some line cards just working as spare role), if you change the mode from redundant to increased-bandwidth (all line cards should be online without any spare role), one of the previous spare line cards might not get online and stay in check status. That might cause traffic loss or performance degradation. PR1602080

  • J-Flow syslog messages are seen when CGNAT is using 0x0000 in IPv4 identification field. This might cause issues for some J-Flow syslog collectors, especially when J-Flow syslog packets get fragmented along the path to collector. PR1602528

  • When the inband management IRB interface is not assigned an IP address or there is no DNS configured on the device, the cloud LED will display the pattern for NO_CLOUD_RESPONSE state instead of NO-IP-Addr or NO-DNS. PR1602664

  • On MPC2E-3D-NG and MPC3E-3D-NG line cards with certain chipset-based MICs (like 20x1G MIC and 2x10G MIC), the Packet Forwarding Engine might be disabled while ungracefully removing the MIC from the MPC (for example, without taking the MIC offline using CLI or with a MIC button). PR1602939

  • On the MX10008 and MX10016 routers, during Routing Engine switchover, if there is a burst of ICMP, BFD, SSH, FTP, TELNET, and RSVP packets (~18,000 pps), then the new backup Routing Engine might restart. PR1604299

  • On MX150 platform, when the hold-up time is configured on an interface, if the interface goes from down to up, the up hold-time timer is triggered. But hold-time up does not work, as the interface comes up immediately even though the timer has not yet expired. PR1604554

  • On the MX10008 and MX10016 routers, a fabric plane going offline and online might result in destination error on line cards. PR1605770

  • On MX Series with MPCs/MICs based platforms working as MPLS transit router, if entropy label is configured and the ingress interfaces and egress interfaces of the LSP are on the same Packet Forwarding Engine, an extra entropy label might be pushed to the LSP. Traffic loss might be seen if the egress routers cannot handle the extra entropy label (for example, DPC to DPC connection on the egress router with the penultimate router). PR1605865

  • On the MX10008 and MX10016 routers, when the FPC turns offline and online multiple times, FPC online operational command shows incorrect message and the FPC might remain offline. PR1607147

  • In a subscriber management scenario, under a very rare condition, the kernel might crash due to a null pointer check when an entry lookup is performed. PR1607282

  • On the MX10008 and MX10016 routers, issues are seen when there is a Packet Forwarding Engine error causing disable-pfe, which is not seen in the normal FRR switchover. PR1609768

  • On the MX10008 and MX10016 routers, the show network agent command output must be null, but it shows statistics per component after GRES. PR1610325

High Availability (HA) and Resiliency

  • When MTU is configured on an interface, a rare ifstate timing issue might occur at a later point resulting in ksyncd process crash on backup Routing Engine. When ksyncd crashes on backup Routing Engine, a live kernel core file is also generated on both the Routing Engines. There is no service impact due to this issue. PR1606779

Infrastructure

  • The show system processes detail CLI command does not display CPU details under the CPU column. PR1588150

Interfaces and Chassis

  • On Junos platforms with VRRP failover-delay configured, changing VRRP mastership might cause peer device to relearn VIP ARP entry on old master interface due to timing issue. PR1578126

  • On all Junos platforms, a dcd process crash might be seen after a Routing Engine switchover, a reboot of the device, or a management interface configuration change, due to memory corruption triggered by code in the Junos OS kernel. PR1587552

  • On the MX platforms, the dcd internal data structure of the distribution bundle might get corrupted after removing the aggregated Ethernet logical interface of members of a targeted logical interface set from the targeted distribution database. Later, the dcd process crashes when it accesses the corrupted entry. PR1591032

  • With aggregated multiservices interface (AMS) configured, the memory leak on dcd daemon occurs when making configuration changes on any interface. The leak rate is slow and depends on the scale of the logical interfaces on AMS interfaces (for example, if there are 8 AMS physical interfaces with 8000 logical interfaces, the leak is about 5 MB on each commit), which might lead to dcd crash. PR1608281

Juniper Extension Toolkit (JET)

  • The stub creation functions will not be available. PR1580789

Layer 2 Ethernet Services

  • On MX5, MX10, MX40, MX80, and MX104 platforms with DHCP server configuration for DHCP subscribers, a jdhcpd memory leak might occur, with memory increasing by 15 MB, depending on the number of subscribers, when testing DHCP subscriber login or logout. PR1432162

  • On MX platforms with DHCP ALQ, the Active Lease Query (ALQ) TCP queue might get stuck. This might prevent the subscribers on the backup BNG from syncing with the master BNG, eventually causing the subscribers on the master to start going down and resulting in a major outage. PR1590421

  • The jdhcpd process generates a core file when the DHCP process restarts. There is no service impact. PR1594371

MPLS

  • As the update-threshold configuration changes from an attribute to an object, you need to delete the update-threshold stanza and re-configure it after the downgrade. PR1546447

  • The RSVP interface update threshold configuration syntax has changed between Junos OS Release 18.2X75-D435 and Junos OS Release 20.3X75-D10 to include curly braces around the threshold value. Upgrading and downgrading between these releases is not entirely automatic. The user must delete this stanza if configured before the downgrade and then manually reconfigure. PR1554744

  • Some LSPs that request facility backup protection using bypass tunnels are brought up using Resv messages that do not contain the mandatory RECORD_ROUTE object. When such LSPs undergo local repair, the rpd process generates a core file with the backtrace specified in this problem. If the Resv messages originated by egress LERs contain the mandatory RECORD_ROUTE object, or if LSPs brought up with malformed Resv messages do not undergo local repair, the core file is not generated. PR1560059

  • Extended-admin-groups on links are shown as SRLG attribute in TED. PR1575060

  • On the MX10008 and MX10016 routers, when there are scaled RSVP sessions (for example, 21,000) and RSVP is enabled for all the interfaces, the rpd process goes through all the interfaces, which results in high CPU utilization for some time. This also results in LSP flap. PR1595853

  • On all Junos platforms with NSR configured, when dual-transport is configured under protocols ldp and the inet-lsr-id and inet6-lsr-id are different from the router-id, the LDP replication session might not get synchronized, causing traffic loss during Routing Engine switchover. PR1598174

  • When a protected link goes down, MPLS gets a tunnel local repair message from RSVP and triggers CSPF computation. Next, MPLS gets link protection information through RRO notification. If MPLS receives the TED notification before the RRO notification, CSPF computation fails. Because the link protection flag is not set, MPLS treats the link as unprotected and brings down the LSP. PR1598207

  • On all Junos platforms with NSR configured, if dual-transport is configured under protocols ldp and the inet-lsr-id and inet6-lsr-id are different from the router-id, the VPLS connection on the peer device might go down and traffic loss might occur during Routing Engine switchover. PR1601854

  • On the MX10008 and MX10016 routers, when there are scaled RSVP sessions (for example, 21,000) and RSVP is enabled for all the interfaces, the rpd process goes through all the interfaces, which results in high CPU utilization for some time. This might also result in LSP flap, log messages on Routing Engine switchover, and protocol flap. PR1600159

  • In an RSVP environment with fast-reroute enabled, when an LSR in a detour LSP goes down in a particular scenario, the newly signaled detour path might be brought down and remain in an incomplete state. This is due to a defect in the RSVP-IO thread, which continues sending an incorrect path refresh that brings down the detour path. PR1603613

  • On the MX10008 and MX10016 routers, the show route forwarding-table destination address shows stale entry for ~60 sec. There is no traffic impact due to this. PR1610620

  • The rpd process might crash in the LDP module on the standby Routing Engine when VPLS mac-flush is enabled on the peer, either by default or by configuration. The core files are generated only when the peer sends an LDP address_withdrawal_message with a first TLV other than address_tlv. This issue occurred particularly with Extreme Networks as the peer VPLS PE. PR1610638

Network Management and Monitoring

  • SNMP polling timeout failures might be observed when the number of outstanding requests to any subagent (for example, mib2d, snmpd-subagent) reaches 500. This will impact the SNMP polling functionality. PR1585409

  • When the ARP entry gets removed in the ARP table, and if there is a presence of a static route referring to the removed next hop IP, the refcount will not be 0. In that case, the kernel will not send a DELETE message to mib2d. As a result, SNMP still has the ARP entry even after it is expired in the ARP cache. PR1606600

Platform and Infrastructure

  • MPLS traffic going through the ingress pre-classifier logic might not determine MPLS payload correctly, classifying MPLS packet into control queue versus non-control queue and exposing possible packet re-order. PR1010604

  • On MX Series platforms with MPC7, MPC8, and MPC9 line card or MX-204 and MX-10003, when the packets which exceed the MTU and whose DF-bit is set go into a tunnel (such as GRE, LT), they might be dropped in the tunnel egress queue. PR1386350

  • Loss of traffic on switchover when using filter applied on logical interface. PR1487937

  • With GRES and NSR functionality with VXLAN feature, the convergence time might be slightly higher than expected for Layer 2 domain to Layer 3 VXLAN. PR1520626

  • On MX Series routers, the blockpointer in the ktree is getting corrupted leading to core file generation. There is no functional impact such as FPC restart or system down. PR1525594

  • When the DHCP relay mode is configured as no-snoop, the offer gets dropped due to incorrect ASIC programming. PR1530160

  • RPM behavior in non-delegate mode with MPC10 line cards: The RPM packets from client are received and processed by RPM server but the response packets are dropped before they are received by the client. PR1556697

  • A buffer overflow vulnerability in the TCP/IP stack of Junos OS allows an attacker to send specific sequences of packets to the device thereby causing a Denial of Service (DoS). PR1557881

  • On all MX platforms, the L2TP tunnel will not work with filter-based encapsulation for the breakout interface. This issue is seen as the parsing logic in Packet Forwarding Engine for getting the tunnel parameters could not handle breakout interface scenarios. PR1568324

  • This issue might be seen only during back-to-back GRES, after more than about 40 to 50 iterations. No workaround is available and the FPC gets restarted. PR1579182

  • Ethernet-output-bytes are not in expected range while verifying Ethernet MAC level with both IPv4 and IPv6 traffic for VLAN tagged interfaces. The issue is due to output byte count not getting updated properly. The script log shows that there is no packet loss and there is no functional impact. PR1579797

  • A buffer overflow vulnerability in the TCP/IP stack of Juniper Networks Junos OS allows an attacker to send specific sequences of packets to the device thereby causing a Denial of Service (DoS). PR1595649

  • On platforms with both enterprise style and service provider style configurations, an interface with enterprise style logical interface and flexible-vlan-tagging configured, VLAN tagged traffic might be dropped due to incorrect programming in the system. PR1598251

  • In an enhanced subscriber management environment, if a service filter is applied to a dynamic service set, the service filter instance will be created on Packet Forwarding Engine based on the configured service filter template. If the configured service filter template is changed at the same time a service filter instance is instantiated, the service filter might get incorrectly programmed in Packet Forwarding Engine due to a rare timing issue. This issue might cause the service failure. PR1598830

  • When a Virtual Chassis is scaled with different feature configurations and the device is stressed with traffic, the device might not respond to CLI commands for a short period of time and a vmcore file might be reported at that time. Once the vmcore file is saved, the device continues to operate normally. PR1599498

  • On all Junos platforms with authentication-key-chain configured for BGP, the kernel might crash if BGP connections are restarted after the authentication-key-chains are deleted. The delete operation can be executed with the delete security authentication-key-chains command. PR1601492

  • On MX platform working as PE in MVPN, when traffic is received (from core) on upstream multicast LSI interface and then forwarded over VPLS via IRB interface, the packets are forwarded without vlan-tags, which leads to traffic drop at the remote VPLS PE due to missing vlan-tags. PR1607311

Routing Policy and Firewall Filters

  • The dns-name entries in policies might not be resolved if the routing instance is configured under a system name server. PR1539980

Routing Protocols

  • While interoperating with other vendors in a draft-rosen multicast VPN, by default Junos OS attaches a route target to multicast distribution tree (MDT) subsequent address family identifier (SAFI) network layer reachability information (NLRI) route advertisements. But some vendors do not support attaching route targets to the MDT-SAFI route advertisements. In this case, the MDT-SAFI route advertisement without route-target extended communities are prevented from propagating if the BGP route-target filtering is enabled on the device running Junos OS. PR993870

  • SCP command with routing option (-JU) is not supported. PR1364825

  • On all platforms with a large-scale BGP setup (for example, advertising 300,000 routes over 500 BGP peers), high CPU utilization (close to 100 percent) by the BGP I/O thread on the master Routing Engine might be seen for a couple of minutes. This might lead to dramatic performance degradation and even traffic loss if NSR is enabled while there are many advertisements and the backup Routing Engine is busy. PR1488984

  • TILFA backup path fails to install in LAN scenario and also breaks SR-MPLS TILFA for LAN with more than four end-x SIDs configured per interface. PR1512174

  • Routes are not copied from transport RIBs (junos-rti-tc-200.inet.3) to bgp.transport.3 on a device with the transport family enabled. PR1556632

  • A single hop BFD session over IRB interface works in centralised mode if the VPLS instance the IRB belongs to has only LSI interfaces bound to VPLS pseudowires and has no local non-tunnel attachment circuits. PR1563947

  • On Virtual Chassis or Virtual Chassis fabric, inconsistent MCSNOOPD core file is seen when igmp-snooping configuration is removed. PR1569436

  • If the Junos OS configuration contains a SHA-1 hashed password for a specific user, that user will be unable to log in after the upgrade. To identify any SHA-1 hashed passwords, run the following from edit mode: show | match \$sha1\$. The password format after the upgrade is not SHA-1. If the password format is set to SHA-1, the password will be hashed with SHA-512 instead. PR1571179

  • Multiple single-hop BGP sessions on different links using the same link-local address. PR1575179

  • Traffic loss is seen across the LDP path during a traffic shift to another device in the MPLS cloud. Two routers with two different capacities converge at two different times, so a micro loop occurs between the two nodes. PR1577458

  • The use-for-shortcut statement is meant to be used only in SR-TE tunnels which use Strict SPF Algo 1 (SSPF) prefix SIDs. If [set protocols isis traffic-engineering family inet-mpls shortcuts] and [set protocols isis traffic-engineering tunnel-source-protocol spring-te] is configured on a device, and if any SR-TE tunnel using Algo 0 prefix SIDs is configured with the use-for-shortcut statement, it could lead to routing loops or rpd process core files. PR1578994

  • On all Junos platforms, when a BGP peer flaps, if the received routes are changed by the BGP process from active to inactive while cleaning up these received routes, the rpd crash might be seen. PR1592123

  • On all Junos platforms where OSPFv3 is used, if there are multiple router link-state advertisements (LSAs) from the same peer, the rpd process might be stuck at 100 percent during the router LSA update. PR1601187

  • After changing MTU on an interface, BGP routes that are resolved over IS-IS will be installed in kernel as dead and traffic will drop. PR1605376

  • On all Junos platforms, if both rib-sharding and 4-byte peer-as (AS number 65536 or greater) are configured, then BGP peers with 4-byte peer-as might flap whenever any configuration change occurs. PR1607777

Services Applications

  • Core files are generated at kmd_gen_fill_sa_pair_sadb_flags @kmd_update_sa_in_kernel @kmd_sa_cfg_children_sa_free. This can be seen when kmd is closing and the final cleanup is happening. There is no functional impact because kmd is shutting down. PR1600750

Subscriber Access Management

  • In a subscriber scenario, if RADIUS accounting backup is configured and the RADIUS server is unavailable for more than 30 minutes, some subscribers might be stuck in terminated state and cannot be recovered even if the RADIUS server is reachable. PR1600655

Unified Threat Management (UTM)

  • There is no counter for juniper-local default action. PR1570500

User Interface and Configuration

  • When a user tries to deactivate the MPLS related configuration, the commit fails on backup Routing Engine. PR1519367

  • The mgd process generates a core file when executing the image upgrade command. As a workaround, provide a valid package in the upgrade command. PR1557628

  • Core files are generated at cbsd_util.c:cbsd_db_open:203 along with load override. As a workaround, use load update instead of load override. PR1569607

  • When available free physical memory drops below 1.5 GB, configuration commits by Junos Device Management Daemon (JDMD) might not take effect and mustd core files will be seen. This will not have any impact on the running traffic. PR1599641

VPNs

  • During unified ISSU, the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • In some scenarios (for example, when configuring a firewall filter), routers might show obsolete IPsec SA and NHTB entries even when the peer tears down the tunnel. PR1432925

  • In an MVPN scenario with ingress replication where a selective provider tunnel is used, if the link-protection statement is added to or deleted from the LSP for MVPN, the rpd process might crash. When link-protection is deleted, the ingress tunnel is not deleted, and when link-protection is added back, it tries to add the same tunnel. As a result, the rpd process asserts because the same tunnel already exists, and rpd generates core files. PR1469028

  • Currently none of the export policies are applied to MVPN route types 4, 6, and 7. This was required to skip the vrf-target communities, not to be applied on these route types. However, if a vrf-export policy is applied on the VRF, then the operator must set the communities appropriately and this export policy should get applied to all routes in that VRF. With this change vrf-export policy will get applied to all MVPN route types. PR1589057

  • In Next Generation Multicast VPN (NG-MVPN) with GRE as the transport tunnel, the ddos-protection reason "Packets failed the multicast RPF check" is seen when an mGRE packet flow is received from the I-PMSI tunnel to an mPE without active subscribers in the C-multicast group. This does not look like a correct reason for a DDoS violation. PR1591228