Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Open Issues

Learn about open issues Junos OS Release 21.2R3 for MX Series routers.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Class of Service (CoS)

  • On MX platforms, deactivating or activating the target-mode using the set chassis satellite-management fpc target-mode command leads to a bad state at the Packet Forwarding Engine on the extended ports, which leads to traffic disruption. PR1593059

  • On MX platforms with MPC10 and MPC11 line cards, if you apply Class-of-Service (CoS) ieee-802.1 rewrite rule on the aggregated Ethernet interface with VLAN circuit cross-connect encapsulation, the rewrite rule might not work as expected. PR1604943


  • A few duplicate packets might be seen in an A/A EVPN scenario when the remote PE device sends a packet with an IM label due to MAC not learned on the remote PE device, but learned on the A/A local PE device. The nondesignated forwarder sends the IM-labeled encapsulated packet to the PE-CE interface after MAC lookup instead of dropping the packet, which causes duplicate packets to be seen on the CE side. PR1245316

  • With Junos OS Release 19.3R1, VXLAN OAM host-bound packets are not throttled with DDoS policers. PR1435228

  • In PBB-EVPN (Provider Backbone Bridging - Ethernet VPN) environment, ARP suppression feature which is not supported by PBB might be enabled unexpectedly. This might cause the MAC addresses of remote CEs not to be learned and hence traffic loss. PR1529940

  • EVPN-MPLS multi-homing control MACs are missing after vlan-id removal and adding back on a trunk IFL of one of the multi-homing PEs. This is not a recommended way to modify vlan-id configuration. Always both MH PE devices must be in symmetric. PR1596698

  • Issue occurs with translation VNI when MAC moved one from DC1 to DC2. VM move across DC where there is not translate VNI configuration in the interconnect works as expected. PR1610432

  • EVPN Local ESI MAC limit configuration might become effective immediately when it has already learned remote MH Macs. Clear the Mac table from all MH PE devices and configure the MAC limit over the local ESI interfaces. PR1619299

Flow-based and Packet-based Processing

  • You can use an antireplay window size of 512 for IPv4 or IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence, there are no out-of-order packets with 512 antireplay window size. PR1470637

Forwarding and Sampling

  • fast-lookup-filter with match not supported in FLT hardware might cause the traffic to drop. PR1573350

General Routing

  • AFEB crashes with PTP thread hog on the device. Through it fixes the PTP packet processing when PTP is enable, which is when PTP configuration is active. If the PTP configuration is not there, PTP packet processing is ignored even if FPGA displays PTP packet is available. PR1068306

  • On MX104 devices, when RE CPU usage is going high, sporadic I2C error message gets generated. The I2C access might succeed in the next polling. PR1223979

  • If a vmhost snapshot is taken on an alternate disk and there is no further vmhost software image upgrade, the expectation is that if the current vmhost image gets corrupted, the system boots with the alternate disk so the user can recover the primary disk to restore the state. However, the host root file system and the node boots with the previous vmhost software instead of the alternate disk. PR1281554

  • Backup Routing Engine might crash after GRES occurs continuously for more than 10 times. PR1348806

  • When VLAN is added as an action for changing the VLAN in both ingress and egress filters, the filter does not get installed. PR1362609

  • Due to transient hardware condition, single-bit error (SBE) events are corrected and have no operational impact. Reporting of those events had been disabled to prevent alarms and possibly unnecessary hardware replacements. This change applies to all Platforms using Hybrid Memory Controller (HMC). PR1384435

  • Due to a timing issue during the sxe interface bring up (w.r.t i40e driver). Recovery can be done by rebooting the complete board. PR1442249

  • In race condition, if a BGP route is resolved over the same prefix protocol next hop in a routing table that has routes of the prefix from different routing protocols, when the routes are flapping (firstly these routes are down and then up), the BGP route will be re-resolved, and then the rpd might crash. PR1458595

  • Either static routes (or) implicit filters should be configured for forwarding DNS traffic to service pic. It solves DNS packet looping issue. PR1468398

  • Currently, IP options are not supported for egress firewall attach points. The issue might occur in the IP-options router alert traffic not hitting the egress firewall filter. PR1490967

  • On MX204 and MX10003 routers, MPCs MPC7E through MPC10E, and JNP10K-LC2101, an error syslog unable to set line-side lane config (err 30) might be generated. PR1492162

  • When you run the show pfe filter hw filter-name filter name command, the command fails to retrieve the Packet Forwarding Engine programming details of the filter. PR1495712

  • After backup Routing Engine halt, CB1 goes offline and comes back online causing the backup Routing Engine to boot up and generate the 0x1:power cycle/failure message. PR1497592

  • On all platform with BGP SR-TE (Spring-TE), in the SR topology the transit IPv4 traffic might have missing labels and might get dropped in first hop, when ingress is forwarding traffic. All labels might be missed out except the last hop in the v4 traffic forwarded by nexthop interface. PR1505592

  • On a fully scaled system where all the slices are utilized by different families of CLI filters, if you try to call delete for one family and add/change for another family with a higher number of filter terms, which requires either expansion of the filter or creation of a new filter, the Packet Forwarding Engine fails to add the new filter. PR1512242

  • A delay of 35 seconds gets added in reboot time in Junos OS Release 20.2R1 compared to Junos OS Release 19.4R2. PR1514364

  • Active sensor check fails while issuing the show agent sensors | display xml command. PR1516290

  • When you configure an AMS ifd for the first time or any member of the AMS bundle is removed or added, the PICs on which the members of AMS bundle are present go for a reboot. There is a timer running in the AMS kernel which is used as a delay for the PIC reboot to complete and once that timer expires AMS assumes that the PICs might have been rebooted and it moves into next step of AMS fsm. In scaled scenarios, this rebooting of the PIC is delayed due to DCD. This is because when a PIC goes down, DCD is supposed to delete the IFDs on that PIC and then the PIC reboot happens. But DCD is busy processing the scaled config and the IFD deletion is delayed. This delay is much greater than the timer running in AMS kernel. When the above timer expires, the FSM in AMS kernel wrongly assumes the PIC reboot would be completed by then, but the reboot is still pending. By the time DCD deletes this IFD the AMS bundles are already UP. Because of this, there is a momentary flap of the bundles. PR1521929

  • On the MX platforms with NG-RE installed, after upgrading the Intel i40e-NVM firmware to version 6.01, the FRUs disconnection alarms may be seen along with traffic loss. PR1529710

  • Due to BRCM KBP issue route lookup might fail. PR1533513

  • After performing ISSU (In-Service Software Upgrade) on the Junos node slicing, the ISSU unsupported FRU (Field Replaceable Unit) stays offline until bringing online manually once ISSU finishes. This issue causes a service/traffic impact for the offline FRUs. PR1534225

  • The request system software validate command gets disabled currently from Junos OS Release 19.4 and later. Use the request system software add command to validate. PR1537729

  • If the Packet Forwarding Engine processes distributed IGMP pseudo ifl delete, it attempts to delete all associated multicast flows. On a scaled setup, deleting several thousand multicast flows hogs CPU for long time that gets killed by the scheduler, resulting in generating core file. PR1537846

  • The Socket to sflowd closed error message comes up when the ukern socket to sflowd daemon (server) is closed. The error is rectified by itself as the client successfully reestablishes the connection in the subsequent attempts. When these errors are consistent, it indicates a communication issue between sflowd and the sFlow running on the FPC. PR1538863

  • In scaled MX2020 router, with vrf localisation enabled, 4 million nexthop scale, 800,000 route scale. FPCs may go offline on GRES. Post GRES, router continues to report many fabric related CM_ALARMs. FPC may continue to reboot and not come online. Rebooting the primary and backup Routing Engine helps to recover and get router back into stable state. PR1539305

  • Broadcom has updated that BCMX calls are deprecated and needs to be replaced with BCM calls. PR1541159

  • PTP to PTP noise transfer is passing for impairments profile "400nsp-p_1Hz", but failing for profile "400nsp-p_0.1Hz" and lower BW profiles as well. The issue is common to 10g also. PR1543982

  • Hardware performance counters may not be correctly exported to the CLI when the Packet Forwarding Engine gets disabled. PR1547890

  • Validation of OCSP certificate may not go through for some CA servers using openssl . In some cases, when we get the ca address using getaadrinfo(), the gataddrinfo() api returns multiple entries of the same ca address. Due to this pkid creates multiple socket connections to the same CA and goes into busy state. PR1548268

  • 100G AOC from Innolight does not comes up after multiple reboots.It recovers after interface enables or disables. PR1548525

  • The issue applies to the initial release of CBNG for 22.1. Running the help apropos command in the configuration mode causes an MGD core. The MGD comes back up and as long as the command is not issues again the core will not occur. PR1552191

  • When the telemetry data for a node which is streamed is deleted during a network churn and the same node is being walked/rendered for the sensor, RPD might core dump. This is a corner case where the rendering and deletion of a particular node has to happen at the same instance. This issue can occur only in case of a unstable network. PR1552816

  • 5M DAC connected between QFX10002-60C and MX2010 doesn't link up. But with 1M and 3M DAC this interop works as expected. Also it is to be noted QFX10002-60C and ACX or Traffic generator the same 5M DAC works seamlessly. There seems to be certain SI or link level configuration on both QFX10002-60C and MX2010 which needs to be debugged with the help from HW and SI teams and resolved. PR1555955

  • VE and CE mesh groups are default mesh groups created for a given Routing instance. On VLAN/bridge-domain add, flood tokens and routes are created for both VE and CE mesh-group/flood-group. Ideally, VE mesh-group doesn't require on a CE router where IGMP is enabled on CE interfaces. PR1560588

  • Due to a race condition, the output of the show multicast route extensive instance instance-name command displays the session status as invalid. PR1562387

  • To avoid the additional interface flap, interface hold time needs to be configured. PR1562857

  • In a rare scenario, SPMB does not reply during FPC online which was moved from SLC mode to full line card mode. PR1563050

  • When SLC is reconfigured from asymmetric mode to symmetric mode in a single commit it is possible that on some occasions one of the SLC shows chassis connection dropped state. The SLC becomes online. PR1564233

  • Starting Junos OS Release 21.1R1, Junos OS ships with python3 (python2 is no longer supported). In ZTP process, if a python script is being downloaded, please ensure the python script follows python3 syntax (there are certain changes between python2 and python3 syntax). Also, so far (until 20.4R1), the python script had #!/usr/bin/python as the first line (the path of the python interpreter). The same needs to be changed to #!/usr/bin/python3 from 21.1R1 PR1565069

  • In Dual CPE scenario, after RG0 failover, the best path link status displayed as PARTIAL SLA VIOLATED instead of SLA MET due to active probe result gone wrong in certain scenarios. PR1565777

  • During the ingress processing we maintain separate counters for Layer 2 unicast, multicast, and broadcast as well as for unknown unicast. Whereas during egress processing we only maintain the ifl level stats after the wan out. Hence, at egress level output multicast counter always shows 0. PR1566436

  • Stale TCNH entries are seen in new primary Routing Engine after switchover with NSR even though all the prpd routes are deleted. These TCNH entries are present because NSR is not supported for BGP static programmable routes. This leads to an extra reference count in the backup Routing Engine, due to which the next hop is not freed. PR1566666

  • In an external server-based Junos Node Slicing scenario, the logical partitions (called sub line cards or SLCs) can be additionally configured for MX2K-MPC11E and assigned to different guest network functions (GNFs). If the inline services and services are applied to SLCs, some issues might happen during processing these services along with firewall process (dfwd) filter actions. It might cause SLCs to reboot and aftd crash. PR1567313

  • Packet Forwarding Engine error message Tunnel id: does not exist gets generated while executing the show dynamic-tunnel database statistics command after deactivating routing-options dynamic-tunnel when we have a high scale of tunnels. This is just a transient error message and has no functional impact. The error can appear while tunnels are getting deleted and will not be displayed after all the tunnels are deleted. PR1568284

  • In MX Series devices, the device may not send pause frames in case of congestion. PR1570217

  • Copying files to /tmp/ causes a huge JTASK_SCHED_SLIP. Copy files to /var/tmp/ instead. PR1571214

  • Under very rare conditions for HA cluster deployment, when it does RG0 failover and at same time, the control link is down, then it will hit this mib2d core because the primary Routing Engine and secondary Routing Engine are out of syncing dcd.snmp_ix information. PR1571677

  • On all Junos platforms, traffic loss might be observed due to a rare timing issue when performing frequent IFBD (Interface Bridge Domain) configuration modifications. This behavior is seen when the Packet Forwarding Engine receives out-of-order IFBD(s) from Routing Engine and might lead to the fxpc process crash and traffic drop. PR1572305

  • After Junos OS upgrade, MAC address changes will be seen on MPC9E PIC1 interfaces. Static MAC configurations will be affected. PR1575009

  • Max ports used is not getting displayed properly in the show services nat pool pool-name detail command. PR1576398

  • On MX platforms, in subscriber scenario with scaled around 32,000 connections, the Replication Daemon might generate core files or stop running, which results in failure on subscriber services on the new RE after the upgrade/GRES. The fix is to increase the max capacity of the ifl Stats DB shared memory. PR1577085

  • In EVPN/VXLAN scenario with OSPF configured over the IRB, OSPF sessions might not get established due to connectivity issues. PR1577183

  • This issue is caused by /8 pool with block size as 1, when the config is committed the block creation utilizes more memory causing NAT pool memory shortage which is currently being notified to customer with syslog tagged RT_NAT_POOL_MEMORY_SHORTAGE. PR1579627

  • In a fully loaded devices, at times, firewall programming was failing due to scaled prefix configuration with more than 64,800 entries. However, this issue is not observed in development setup. PR1581767

  • If a BSYS Routing Engine switchover is triggered by simulating a kernel crash on a node-sliced platform, the FPCs or SLCs stay in present state while the related GNFs become unreachable. A system reboot is required to resolve this issue. This issue is seen only in the MX2020 platform with the REMX2K-X8-128G Routing Engine. PR1584478

  • COS classifiers and rewrites not supported on a logical tunnel (LT interface) with Ethernet-CCC or Ethernet-bridge encapsulation. COSD does not prevent a commit but then the classifiers/rewrites are not bound to the LT interface at PFE and hence wont work. Sample configuration: set interfaces lt-11/0/0 unit 0 encapsulation ethernet-ccc set interfaces lt-11/0/0 unit 0 peer-unit 1 set interfaces lt-11/0/0 unit 0 statistics set interfaces lt-11/0/0 unit 1 encapsulation ethernet-bridge set interfaces lt-11/0/0 unit 1 peer-unit 0 set interfaces lt-11/0/0 unit 1 statistics set bridge-domains data vlan-id none set bridge-domains data interface lt-11/0/0.1 set bridge-domains data interface xe-11/0/3:2 set protocols l2circuit neighbor interface lt-11/0/0.0 virtual-circuit-id 100 set class-of-service interfaces lt-11/0/0 forwarding-class expedited-forwarding Attaching fixed classifier to LT tunnel interface where the tunnel carries etherent-ccc/ethernet-bridge encapsulation. PR1585374

  • With preserve hierarchy statement ON and option c is used with BGP CT, the VPN CT stitching routes at ASBR if resolving over an SRTE tunnel having single label. Then, the forwarding mpls.0 route programming will be incorrect on MX boxes. PR1586636

  • The rpd process generates core file at rt_iflnh_set_nhid. Core is due to assertion caused by failure of hbt_insert for nhid belonging to an ifl. It is seen that there is a duplicate entry present which causes the hbt_insert failure. PR1588128

  • Transient Traffic drop will be seen during MBB of RSVP LSP without "optimize-adaptive-teardown delay 60" knob PR1590656

  • On all devices running Junos OS Release 19.1R3-S5-J3, the subscriber IFL(logical interface) might be in a stuck state after the ESSM (Extensible Subscriber Services Manager) deletion. PR1591603

  • On DUT with MPC11E linecard and scaled pseudowire headend termination configs,on performing iterative enahaced mode ISSU, PPE(packet processing engine) traps and BGP peer flaps are seen. These result in transient traffic loss of several minutes on DUT. traps and protocols flaps are NOT seen in first iteration, but subsequent iterations. RE and linecards are NOT rebooted between enhanced mode ISSU iterations. PR1593335

  • On a node sliced platform with mpc11e sliced into Sub Line cards it is possible that the syslog messagesdisplays the error message aftd-trio[13014]: [Error] IF:IfdCfgMsg, ifd not found, ifdIndex:2399, when GNF has configuration that does not pertain to the Packet Forwarding Engines. PR1594816

  • On all MX platforms, changing configuration AMS 1:1 warm-standby to load-balance or deterministic NAT may result in vmcore and cause traffic loss. PR1597386

  • Continuous offline/online of FPC multiple times can result into FPC restart at init state causing additional 2min in boot time. PR1599469

  • The show chassis fabric plane command might display incorrect plane status in some cases when injecting fec errors. PR1600187

  • In some instances, when FHP recovery action is performed on an SLC due to blackholing, the restart operation on the SLC may result may not be successful and the FHP recovery action may timeout. PR1600559

  • Frame stack messages are seeing during MPC11E subLC boot up, when subLC is added to GNF. PR1600749

  • When the interface transitions from down to up, the carrier transition counter value of a particular interface can be incorrect when the peer interface takes longer time to come up. Configuring hold-time for up and down helps to resolve. PR1601946

  • In Junos OS Release 21.1R2 and Junos OS Release 21.1R3, in chassis with mix of MPC10 or MPC11 and MPC1 to MPC9, and AE bundle configuration with member links on both MPC10/MPC11 and MPC1-MPC9, packet loss may be seen for unicast packets on link flap using ifconfig down/up command in the Routing Engine shell. PR1604073

  • During the Routing Engine switchover if there is a burst of ICMP/BFD/SSH/FTP/TELNET/RSVP packets (around 18,000 pps), new backup Routing Engine restarts. PR1604299

  • On aggregate Ethernet interfaces with some of the member links part of MPC10 or MPC11, and other member links part of other MPC type (MPC1 up to MPC9), if you delete an "ae" interface, other "ae" interfaces may experience unicast packet loss. PR1604450

  • In Junos OS Release 21.1R2 and Junos OS Release 21.1R3, in chassis with mix of MPC10 or MPC11 and MPC1 to MPC9, and AE bundle configuration with member links on both MPC10/MPC11 and MPC1-MPC9, packet loss might be seen for unicast packets on link flap using deactivate bundle/activate bundle. PR1604800

  • In Junos OS Release 21.1R2 and 21.1R3 release, in chassis with mix of MPC10 or MPC11 and MPC1 to MPC9, and AE bundle configuration with member links on both MPC10/MPC11 and MPC1-MPC9, packet loss may be seen for unicast packets on link flap using ifconfig down/up command in the Routing Engine shell. PR1604814

  • When fabric plane offline/online may results in destination error on line cards. PR1605770

  • On the MX240, MX480, and MX960 system with both MPC10E and MPC2, MPC3, MPC4, MPC5, and MPC6 based FPCs are installed, when MPC10E sends high traffic to MPC4E or other mentioned cards as the destination, the destination line card will not be able to cope up with MPC10E traffic flow. PR1606296

  • Issue occurs when there is an Packet Forwarding Engine error causing disable-pfe, not seen in the normal FRR switchover. PR1609768

  • Output of the show network agent command should be null, which shows statistic per component after GRES. PR1610325

  • In MX240, MX480, and MX960 platforms with SCBE3-MX and Enhanced midplane scenario, in some rare cases, if flooding huge traffic from MPC7, MPC8, and MPC9 to MPC2E, MPC3E, MPC4E, MPC5E and flapping the interface on MPC2E, MPC3E, MPC4E, and MPC5E, it will cause the unexpected request time errors on MPC7, MPC8, MPC9 since the MPC2E, MPC3E, MPC4E, MPC5E might not be able to handle such high volume of requests, it will cause PFE destinations to become unreachable even when the fabrics are online. Then PFE/SIB/SCBE/FPCs might reboot automatically while these accumulated fabric errors hit the fabric connectivity restoration conditions of the Fabric Healing process (FHP). PR1612957

  • In some NAPT44 and NAT64 scenarios, duplicate SESSION_CLOSE syslog messgae gets generated. PR1614358

  • On MX-SPC3 platform, a memory corruption is occurring in the iked daemon occasionally when ams interfaces are used in service-set configuration. Issue is occasionally seen in 21.2R2.4. Issue not seen at all from 21.2R2.8 onwards. PR1620115

  • When installing an IPv6 firewall filter using BGP flowspec, matching traffic counters displays 0 values. PR1623170

  • When traffic selector (optional parameter) and bind interface (required parameter) is configured for a vpn profile and static route is configured for the same remote ip (mentioned in the traffic selector) with same next-hop interface (mentioned in the bind-interface) on MX-SPC3 devices, then the static route takes preference over the route installed by the ipsec daemon (iked) based on the traffic selector, which causes data traffic loss as the packets are routed via the wrong route. PR1624062

  • On Junos OS Release 21.1R2.4, an issue has been introduced on the flowd (service-card) side where any protocol packet expect for TCP/UDP/ICMP/ICMPV6 gets dropped when NAT translation doesn't happen. The mentioned bug has been fixed from 21.2R2.8 junos version onwards. PR1624063

  • On MX platforms that use MPC11E cards, when fast-lookup-filter is enabled, traffic drop might be seen in the node slicing scenario. PR1626115

  • On MX Series platforms with MPC10/MPC11 and MS-MPC/MS-MIC are used, if aggregated multiservices (AMS) interface is configured as next-hop with equal-cost multipath (ECMP), load balancing will not happen properly according to source-ip hashing. PR1628076

  • Bad IP length packets (ip header length field > actual packet size) when encapsulated within MPLS are dropped as expected, but might trigger PPE traps in some cases. PR1628091

  • Zeroize RPC returns no positive reply. PR1630167

  • On MX platform with SPC3 service card installed, TFTP control sessions are getting refreshed with inactivity time out after data session is closed, causing the control session to stay in session table for some more time. Service impact is minor or negligible as the TFTP control session will eventually get deleted after timeout. PR1633709

  • On all MX platforms, when the interface (xe-0/0/x) is equipped with a QSA module, only channel 0 (xe-0/0/x:0) is supported and channels 1 to 3 are not supported, though they show up in the show interface command. But disabling laser for one of these non-supported channels puts the entire optics in low power. As a result, transmit power of channel 0 becomes 0 and the link goes down. PR1636874

  • On Junos platforms equipped with MPC10E/MPC11E/LC2301/MX10K-LC9600 line cards, when any 100G/400G interface with high priority class-of-service scheduler configuration flaps, it might result in series of error messages during high traffic flow. Eventually this would result in PFE-disable action, impacting the related traffic. However, the issue could be recovered after FPC reboot. PR1638410

  • USB installation requires a keypress before reboot to enable removal of USB device before system is restarted. Failing to remove USB stick will cause installation to start again. This fix prompts user for a keypress after installation and before reboot. PR1640143

  • JDHPCD core dump occurs when client attempts connection on pseudowire for dhcp-relay after JUNOS upgrade. PR1649638

  • On MX480 routers, remote-mep-state does not work as expected. PR1623960

  • When ip-fix transfers telemetry files and ntf-agent daemon closes or restartes, there could be a core with the backtrace (CRYPTO_THREAD_unlock). The daemon recovers by itself. PR1617568

  • In the MVPN case, if the nexthop index of a group is not the same between the primary and backup after a nsr switchover, we might see a packet loss of 250 to 400 ms. PR1561287

  • On MX480 router, during the verification of GRES and NSR functionality with VXLAN feature, the convergence is not as expected Layer 2-DOMAIN-TO-Layer 3 VXLAN. PR1561287

High Availability (HA) and Resiliency

  • When you perform GRES with the interface em0 (or fxp0) disabled on the primary Routing Engine, then enable the interface on the new backup Routing Engine, it isn't able to access network. PR1372087

Interfaces and Chassis

  • On all Junos platforms with broadband subscriber management protocols being implemented, when redundant logical tunnel interface[rlt0] having 2 member interfaces in 2 different FPCs and it is used as the anchor point for the pseudo subscriber interface[ps0] in an event which can bring the primary member interface down, traffic is not failed over to the backup interface. PR1492864

  • When family bridge is configured, IFLs are not created. If IFLs are not created, l2ald does not create IFBDs (interface to BD association) and if we don't have IFBDs in the system, STP is not enabled on that interface. PR1622024


  • The Firefox browser displays an unsaved changes error message in the J-Web Basic Settings page if the Autofill logins and passwords option is selected under the Browser Privacy and security settings. PR1560549

Layer 2 Ethernet Services

  • On MX5/MX10/MX40/MX80/MX104 Series platforms with DHCP server configuration for DHCP subscribers, the jdhcpd memory leak might happen and the memory increase by 15MB which depends on the number of subscribers when testing the DHCP subscribers log-in/out. PR1432162

  • If the request system zeroize command does not trigger zero-touch provisioning, please re-initiate the ZTP as a workaround PR1529246

  • On MX Series platforms, there may be a mismatch in subscriber information between the devices when the two devices are configured as Dynamic Host Configuration Protocol (DHCP) relay Active lease Query (ALQ) peers. This is a timing issue that occurs frequently when the lease timer is less than 300secs. PR1638050


  • Bfd session flaps during ISSU only in MPC7E card(Bfd sessions from other cards of DUT to peer routers did not flap during ISSU). Issue is not seen frequently. PR1453705

  • Single hop BFD sessions can sometimes flap after GRES in highly scaled setups which have RSVP link or link-node-protection bypass enabled. This happens because sometimes RSVP neighbor goes down after GRES if RSVP hellos are not received after GRES before neighbor timeout happens. As a result of RSVP neighbor going down, RSVP installs a /32 route pointing to bypass tunnel which is required to signal backup LSPs. This route is removed when all lsps stop using bypass after link comes back up. The presence of this /32 route causes BFD to flap. PR1541814

  • As the update-threshold configuration changes from an attribute to an object between Junos OS Release 18.2X75-D65 and Junos OS Release 18.2X75-D521, the user will need to delete the update-threshold stanza and re-configure it after the downgrade. PR1546447

  • The rsvp interface update threshold configuration syntax has changed between Junos OS Release 18.2X75-D435 and Junos OS Release 20.3X75-D10 to include curly braces around the threshold value. Upgrading and downgrading between these releases is not entirely automatic. The user must delete this stanza if configured before the downgrade and then manually reconfigure. PR1554744

  • In MVPN Case, if the nexthop index of a group is not same between master and backup after a nsr switchover, we may see a packet loss of 250 to 400 ms. PR1561287

  • If IS-IS-TE or OSPF-TE is enabled, but extended admin groups (which is configured under routing-options) are configured after the peer router advertises the extended admin groups, the LSP with extended admin groups constraints might fail to be established. PR1575060

  • The use-for-shortcut knob is meant to be used only in SRTE tunnels which use SSPF (Strict SPF Algo 1) Prefix SIDs. If "set protocols isis traffic-engineering family inet-mpls shortcuts" and "set protocols isis traffic-engineering tunnel-source-protocol spring-te" is configured on a device, and if any SRTE tunnel using Algo 0 Prefix SIDs is configured with "use-for-shortcut" knob, it could lead to routing loops or rpd cores. PR1578994

  • When there is scaled RSVP sessions [~21K] and have enabled RSVP for all the interfaces,RPD process walks through all the interfaces which results into high CPU for some time, which also results LSP flap. PR1595853

  • When there is scaled RSVP sessions [~21K] and have enabled RSVP for all the interfaces,RPD process walks through all the interfaces which results into high CPU for some time, which also results LSP flap, will see the log message on RE switch over,due to this protocols also can flap. PR1600159

  • There is no traffic impact but the show route forwarding-table destination < a.b.c.d> command, contains stale entry for around 60 seconds. PR1610620

  • If LSP reoptimization is enabled for the primary and secondary path that is standby, the standby secondary LSP might get stuck on the same path as primary LSP after network change that triggers reoptimization happens. PR1615326

  • When RSVP setup protection is enabled, the LSP over a broadcast segment might stay down, due to a missing function of nexthop check for broadcast segment in code. PR1638145

Platform and Infrastructure

  • MPLS traffic going through the ingress pre-classifier logic may not determine MPLS payload correctly, classifying MPLS packet into control queue versus non-control queue and exposing possible packet re-order. PR1010604

  • The commit synchronize command fails because the kernel socket gets stuck. PR1027898

  • On MX-Series platforms with MPC7/8/9 or MX-204/MX-10003 when the packets which exceed the MTU and whose DF-bit is set go into a tunnel (such as GRE, LT), they might be dropped in the tunnel egress queue. PR1386350

  • The traps are the result of PPE commands injected from the host. One possible reason could be Layer 2 BD code, which is trying to decrement BD MAC count in the data plane. It is unlikely that there is a packet loss during this condition. This could happen during ISSU and this may be due to a problem with ISSU counter morphing used for LU-based cards, where certain counters are not disabled or disabled too late during ISSU. PR1426438

  • Arrival rates are not seen at system level when global-disable fpc is configured on qfx PR1438367

  • Due to software implementation, firewall filter is re-applied during graceful switchover (GRES). This may lead to short duration when filter is not applied to the provoking side effects like drop of traffic. PR1487937

  • With GRES and NSR functionality with VXLAN feature, the convergence time may be slightly higher than expected for L2-DOMAIN-TO-L3VXLAN PR1520626

  • When the DHCP relay mode is configured as no-snoop, we are observing the offer gets dropped due to incorrect asic programming. This issue only affects while running DHCP relay on EVPN/VXLAN environment. PR1530160

  • This issue notes an impact to RPM behavior in non-delegate mode with MPC10 line cards. It is observed that the RPM packets from client are received and processed by RPM server but the response packets are dropped before they are received by the client. PR1556697

  • On MX Series devices and the EX9200 line of switches, the FPC gets restarted and thereby disrupts traffic when there is an out-of-order filter state and terms. This issue might be seen only in back-to-back GRES in more than 40 to 50 iterations. PR1579182

  • The issue is due to output byte count not getting updated properly. The script logs shows that there is no packet loss, There is no functional impact and will be taken up in the upcoming releases. PR1579797

  • On MX platforms, during reboot, the AE ifls are first added, then deleted and again added, this flapping causes corner case where the filter attachment ipc has older AE ifl index on which the filter bind fails. Filter will not be attached to the interface, so any filter related service will not work. PR1614480

Routing Protocols

  • While interoperating with other vendors in a draft-rosen multicast VPN, by default Junos OS attaches a route target to multicast distribution tree (MDT) subsequent address family identifier (SAFI) network layer reachability information (NLRI) route advertisements. But some vendors do not support attaching route targets to the MDT-SAFI route advertisements. In this case, the MDT-SAFI route advertisement without route-target extended communities is prevented from propagating if the BGP route-target filtering is enabled on the device running Junos OS. PR993870

  • Certain BGP traceoption flags (for example, "open", "update", and "keepalive") might result in (trace) logging of debugging messages that do not fall within the specified traceoption category, which results in some unwanted BGP debug messages being logged to the BGP traceoption file. PR1252294

  • LDP OSPF are in synchronization state because the IGP interface is down with ldp-synchronization enabled for OSPF. user@host> show ospf interface ae100.0 extensive Interface State Area DR ID BDR ID Nbrs ae100.0 PtToPt 1 Type: P2P, Address:, Mask:, MTU: 9100, Cost: 1050 Adj count: 1 Hello: 10, Dead: 40, ReXmit: 2, Not Stub Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC Protection type: None Topology default (ID 0) -> Cost: 1050 LDP sync state: in sync, for: 00:04:03, reason: IGP interface down config holdtime: infinity. As per the current analysis, the IGP interface goes down because although LDP notified OSPF that LDP synchronization was achieved, OSPF is not able to take note of the LDP synchronization notification, because the OSPF neighbor is not up yet. PR1256434

  • In rare cases, RIP replication might fail as a result of performing NSR Routing Engine switchovers when the system is not NSR ready. PR1310149

  • On MX platforms, unexpected log message will appear if the CLI command 'show version detail' or 'request support information' is executed: test@test> show version detail *** messages *** Oct 12 12:11:48.406 re0 mcsnoopd: INFO: krt mode is 1 Oct 12 12:11:48.406 re0 mcsnoopd: JUNOS SYNC private vectors set PR1315429

  • SCP command with Routing Instance (-JU) is not supported. PR1364825

  • On all platforms with a large-scale BGP setup (e.g. advertising 300K routes over 500 BGP peers), high CPU utilization (close to 100%) by BGP I/O thread on master RE might be seen for a couple of minutes (like 10 minutes), which may lead to dramatic performance degradation and even traffic loss if NSR is enabled while there is a lot of advertisements and the backup RE is busy (performing "clear bgp neighbor all" on the RR can achieve this). PR1488984

  • TILFA backup path fails to install in LAN scenario and also breaks SR-MPLS tilfa for lan with more than four end-x sids configured per interface. PR1512174

  • In previous versions of RFC 9072's draft-ietf-idr-bgp-ext-opt-param, the optional-parameter length was required to be 255 in order to trigger the updated behavior. Later editions of the Internet-Draft permitted non-zero optional parameter length values to be used to support this feature. PR1554639

  • post configuration change commit, due to race on ordering of routing-instance parsing, and rt-export module processing, rt-export may act on stale handle pointing to the previous incarnation of transport-class auto-created instance. Hence it causes the issue in this PR. PR1556632

  • A single hop BFD session over IRB interface works in centralised mode if the VPLS instance the IRB belongs to has only LSI interfaces bound to VPLS pseudowires and has no local non-tunnel attachment circuits. PPMD daemon responsible for the session distribution to FPC microkernel will be attempting to distribute the session indefinitely failing every time. Upon every distribution failure, the following counter increases by 1, typical counter increase rate is about +40 per minute: > user@router> show ppm distribution-statistics > > PPMD distribution statistics: > PFE not eligible: 0 > Kernel returned no address: 340 Client hash index fail: 0 > PFE marked for deletion: 0 > Client eligibility fail: 0 > PFE is not capable: 0 > DFWD is not capable: 0 > Lo0 subunit missing: 0 This issue could be seen on any JUNOS release/platform supporting distributed or inlined single hop BFD over IRB. Both session distribution failure and endless failing attempts to distribute it are expected to be addressed in JUNOS, there is no confirmed date of the fixes arrival. General centralised mode recommendations like avoiding agressive subsecond BFD timers are applicable to this case. PR1563947

  • Multicast traffic is hogging the switch core when igmp-snooping is removed. The MCSNOOPD will be cored due to the changes in mrouter interfaces and routes PR1569436

  • If the Junos config contains a SHA-1 hashed password for a specific user, that user will be unable to login post upgrade. To identify any SHA-1 hashed passwords, run the following from the edit command line: # show | match \$sha1\$ Post upgrade do not use the SHA-1 password format. If the password format is set to SHA-1, the password will be hashed with SHA-512 instead. PR1571179

  • If OSPF and RSVP are configured, a device that is out of service is transmitting a large number of link-state advertisement (LSAs) (more than 100k), extremely busy neighbors are slow in sending LSACKs, and some LSA churn happens caused by route flaps, then unexpected CSPF link down/deleted events happen on LSPs. This causes other OSPF routers in the OSPF domain to fail their CSPF calculation for the router loopbacks that act as P routers in this topology and thus drop the LSPs, causing traffic impairment. In addition, rpd utilization will be pegged to 100%. PR1576818

  • Traffic loss is seen across the LDP path during traffic shift from one router to another device in the MPLS cloud. Two routers with two different capacities converge at two different times, so a microloop occurs between the two nodes. See workaround provided. PR1577458

  • With max number of IFLs [4K GRE tunnel per PFE] with following configuration. 1.> family inet and associated source and destination for each tunnel 2.> Configure allow-fragmentation knob on one endpoint of the tunnel and configure reassemble-packets on the other endpoint of the tunnel As above configuration, if we do "deactivate chassis fpc slot", we may hit this issue. We are still doing analysis to find out root cause of this issue. PR1581042

  • When mpls traffic-engineering and rib inet.3 protect core knob is enabled then transport routes in inet.3 will not be used for route resolution PR1605247

  • When ip-fix is transferring telemetry files and ntf-agent daemon is closed/restarted there could be a core with the backtrace (CRYPTO_THREAD_unlock). The daemon recovers by itself. PR1617568

  • On all Junos OS platforms, traffic might continue to forward on the aggregated Ethernet interface member link even if MicroBFD(Bidirectional Forwarding Detection) status is in a hold-down state. PR1624085

Unified Threat Management (UTM)

  • UTM web-filtering statistics: Total requests: 0 White list hit: 1 Black list hit: 1 Default action hit: 1 Added this field to show display counter for default action hit Custom category permit: 1 Custom category block: 1 Custom category quarantine: 0 Custom category qurantine block: 0 Custom category quarantine permit: 0 Safe-search redirect: 0 Safe-search rewrite: 0 Web-filtering sessions in total: 128000 Web-filtering sessions in use: 0 Fallback: log-and-permit block Default 0 0 Timeout 0 0 Connectivity 0 0 Too-many-requests 0 0 PR1570500

User Interface and Configuration

  • The commitd process might generate core file when issuing the load override statement after DB resize. PR1569607

  • On all Junos OS platforms, when copy-config, get-configuration, discard-change RPCs run in two parallel NETCONF sessions and the database is also accessed in parallel by two NETCONF sessions, it leads to database corruption and mgd related services might crash. PR1641025


  • In some scenario (e.g configuring firewall filter) sometimes srx5K might show obsolete IPsec SA and NHTB entry even when the peer tear down the tunnel. PR1432925

  • BGP and PIM should have default preference since backup MVPN will choose PIM route based on higher preference only. If BGP is preferred over PIM then PIM route will not be accepted on backup RE. PR1578164