Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Open Issues

Learn about open issues in this release for MX Series routers.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Class of Service (CoS)

  • Show Class-of-service Interface might not show the Classifier bind info on an IFL with only Inet/Inet6 (without family mpls or not with any rewrite rules). Show issue, Classifier will be still present and functional. There is no impact to the traffic. PR1652342

  • The AE interfaces in per-unit-scheduler mode and committing CoS configuration on AE IFLs in a single commit leads to race-conditions.PR1666010


  • In PBB-EVPN (Provider Backbone Bridging - Ethernet VPN) environment, ARP suppression feature which is not supported by PBB might be enabled unexpectedly. This could cause MAC addresses of remote CEs not to be learned and hence traffic loss. PR1529940

  • EVPN-MPLS multi-homing control MACs are missing after vlan-id removal and adding back on a trunk IFL of one of the multi-homing PEs. This is not a recommended way to modify vlan-id configuration. Both MH PEs need to be in symmetric always . PR1596698

  • This problem happens only with translation VNI when mac moved one from DC1 to DC2. VM move across DC where there is not translate VNI configuration in the interconnect works as designed. PR1610432

  • EVPN Local ESI Mac limit configuration might not get effective immediately when it has already learned remote MH Macs. Clear the Mac table from all MH PEs and configure the Mac limit over local ESI interfaces. PR1619299

  • This is a case where interface is disabled and comes up as CE after a timeout. A manual intervention of clear ce interface command should restore this. As workaround, perform the following steps:

    • Clear auto-evpn ce-interface interface-name.

    • Configure editactivate interface-name family inet inet6.


Flow-based and Packet-based Processing

  • Use an antireplay window size of 512 for IPv4 or IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence, there are no out-of-order packets with 512 antireplay window size. PR1470637

Forwarding and Sampling

  • When the fast-lookup-filter statement is configured with a match that is not supported in the FLT hardware, traffic might be lost. PR1573350


  • The following IPC timeouts logs might be seen for statistics query to kernel (queried from CLI or daemons querying internally) when there is configuration churn, or large number of IPCs getting exchanged between kernel and pfe in the system. if_pfe_msg_handler: pfe_peer_msg_handler error: error for msg type type, msg subtype subtype, opcode op and peer index indexDefault IPC timeout value in kernel for IPC statistics request is 10s. PR1629930

Interfaces and Chassis

  • The memory usage of the rpd process on the backup routing engine might increase indefinitely due to leak in krt_as_path_t. PR1614763

  • On EVO platforms during lacpd process restart, child IFD indexes from the port options IFD based data, which gets stored in kernel by lacpd, might not get reused due to old indexes not being freed. When this occurs, new indexes might be generated repeatedly, which might cause the port numbers exhaustion problem in Aggregated Ethernet (ae) interface bundle.PR1647145

  • The transportd.core core file is seen with fabric configuration. PR1649019

  • Due to the issue, there is an error log printed and DCD is restarted. But there is no functionality impact for BFD sessions. There may be a slight delay in the new configuration to take effect as DCD is restarted.


Juniper Extension Toolkit (JET)

  • In Junos OS Evolved, there are two different gRPC Python files for each JAPI file. The names of the files are * and * The stub creation functions are present in * PR1580789

  • Until Junos OS Release 21.3 release mgd is 32-bit binary on EVO. libsi can only be linked with 64-bit binaries. To access data/WAN ports in EVO we need libsi to be linked with the binary. By default the shell on the EVO device includes libsi, but it's not available to CLI commands as CLI will make mgd invoke cscript to run a Python script via CLI. PR1603437

Layer 2 Features

  • In case of the access-side interfaces used as SP-style interfaces, when a new logical interface is added and if there is already a logical interface on the physical interface, there is 20--50 ms traffic drop on the existing logical interface. PR1367488


  • BFD session flaps during unified ISSU only in mpc7e card (BFD sessions from other cards of DUT to peer routers did not flap during ISSU). The issue is not seen frequently. PR1453705

  • Single hop BFD sessions might sometimes flap after GRES in highly scaled setups which have RSVP link or link-node-protection bypass enabled. This happens because sometimes RSVP neighbor goes down after GRES if RSVP hellos are not received after GRES before neighbor timeout happens. As a result of RSVP neighbor going down, RSVP installs a /32 route pointing to bypass tunnel which is required to signal backup LSPs. This route is removed when all LSPs stop using bypass after link comes back up. The presence of this /32 route causes BFD to flap. PR1541814

  • In MVPN case, if the nexthop index of a group is not same between master and backup after a NSR switchover, we might see a packet loss of 250 to 400 ms. PR1561287

  • The use-for-shortcut statement is meant to be used only in SR-TE tunnels which use SSPF (Strict SPF Algo 1) prefix SIDs. If set protocols isis traffic-engineering family inet-mpls shortcuts and set protocols isis traffic-engineering tunnel-source-protocol spring-te are configured on a device, and if any SR-TE tunnel using Algo 0 prefix SIDs is configured with use-for-shortcut statement, it could lead to routing loops or rpd core files. PR1578994

  • When there is scaled RSVP sessions [~21K] and have enabled RSVP for all the interfaces, RPD process walks through all the interfaces, which results in high CPU usage for some time, which also results in LSP flap. PR1595853

  • With the chained-composite statement enabled, the following statement does not have any effect if ingress and egress ports are on the same Packet Forwarding Engine instance on the line card (FPC). For example, the outer label TTL would not be set as 255. Instead, it would be set as (ip TTL-1). PS: This issue is not seen if ingress and egress ports are on different FPC slots or on difference Packet Forwarding Engine instances of the same FPC. set protocols mpls label-switched-path <lsp-name> no-decrement-ttl, chained-compositestatement, and set routing-options forwarding-table chained-composite-next-hop ingress l3vpn PR1621943

  • Ingress will retry after lsp stay down for extended period of time, or customer can clear lsp to speed up the retry. PR1631774

Network Management and Monitoring

  • When maximum-password-length is configured and user tries to configure password whose length exceeds configured maximum-password-length error is thrown, along with error '<ok/>' tag is also emitted. (Ideally '<ok/>' tag should not be emitted in an error scenario.) The configuration does not get committed.PR1585855

  • A minor memory leak is seen in the event-daemon process when multiple GRES switchovers are performed. PR1602536

  • mgd might crash when an invalid value is configured for identityref type leafs/leaf-lists while configuring Openconfig or any other third-party YANG, problem happens with json and xml loads. PR1615773

  • On all Junos and EVO platforms, the "snmpd" process might crash, if there is no response for the SNMP requests, and a timeout happens.PR1666548

Platform and Infrastructure

  • If a vmhost snapshot is taken on an alternate disk and there is no further vmhost software image upgrade, the expectation is that if the current vmhost image gets corrupted, the system boots with the alternate disk so the user can recover the primary disk to restore the state. However, the host root file system and the node boots with the previous vmhost software instead of the alternate disk. PR1281554

  • When VLAN is added as an action for changing the VLAN in both ingress and egress filters, the filter is not installed. PR1362609

  • On MX Series routers with MPC7E, MPC8E, or MPC9E installed, if optics QSFPP-4X10GE-LR from Innolight vendor (subset of modules with part number 740-054050) is used, the link might flap. PR1436275

  • With NAT/Stateful-firewall/TCP tickle (enable by default) configured on MS-MPC/MS-MIC, the vmcore crashes sometimes along with mspmand crash might happen if large-scale traffic flows (that is, million flows) are processed by it. PR1482400

  • When there are hardware link errors occurred on all 32 links on an FPC 11. Because of these link errors, all FPCs reported destination errors towards FPC 11 and FPC 11 was taken offline with reason offlined due to unreachable destinations. PR1483529

  • When running the command show pfe filter hw filter-name <filter name>, the command fails to retrieve the Packet Forwarding Engine programming details of the filter. PR1495712

  • A delay of 35 seconds is added in reboot time in Junos OS Release 20.2R1 compared to Junos OS Release 19.4R2. PR1514364

  • When an AMS ifd is configured for the first time or any member of the AMS bundle is removed or added, the PICs on which the members of AMS bundle are present go for a reboot. There is a timer running in the AMS kernel which is used as a delay for the PIC reboot to complete and once that timer expires AMS assumes that the PICs might have been rebooted and it moves into next step of AMS fsm. In scaled scenarios, this rebooting of the PIC is delayed due to DCD. This is because when a PIC goes down, DCD is supposed to delete the IFDs on that PIC and then the PIC reboot happens. But DCD is busy processing the scaled configuration and the IFD deletion is delayed. This delay is much greater than the timer running in AMS kernel. When the above timer expires, the FSM in AMS kernel incorrectly assumes the PIC reboot would be completed by then, but the reboot is still pending. By the time DCD deletes this IFD the AMS bundles are already UP. Because of this, there is a momentary flap of the bundles. PR1521929

  • In Mac OS platforms when Juniper Secure Connect client connects successfully, the client is not getting minimized to tray icon and needs to be minimized manually.PR1525889

  • Due to BRCM KBP issue route lookup might fail. Need to upgrade KBP to address this issue. PR1533513

  • The Flexible PIC Concentrator (FPC) might generate a core file (or dump file) if the flap-trap-monitor feature under set protocols oam ethernet cfm performance-monitoring sla-iterator-profiles is used and performance monitoring flap occurs.PR1536417

  • In scaled MX2020 router, with vrf localisation enabled, 4 million nexthop scale, 800k route scale. FPCs might go offline on GRES. Post GRES, router continues to report many fabric related CM_ALARMs. FPC might continue to reboot and not come online. Rebooting master and backup Routing Engine will help recover and get router back into stable state. PR1539305

  • During Routing Engine switchover interface flap might be seen along with Scheduler slippage. PR1541772

  • Unsupported configuration is being attempted by the script that then hits the maximum threshold for the given platform. PR1555159

  • 5M DAC connected between QFX10002-60C and MX2010 doesn't link up. But with 1M and 3M DAC this interop works as expected. Also it is to be noted QFX10002-60C and ACX or Traffic generator the same 5M DAC works seamlessly. There seems to be certain SI or link level configuration on both QFX10002-60C and MX2010, which needs to be debugged with the help from HW and SI teams and resolved. PR1555955

  • The SyncE to PTP transient response is a stringent mask to be met with two way time error. The SyncE to PTP transient response mask might not be met for MPC7E-1G and MPC7E-10G line cards. PR1557999

  • VE and CE mesh groups are default mesh groups created for a given routing instance. On adding VLAN or bridge-domain add, flood tokens and routes are created for both VE and CE mesh-group and flood-group. Ideally, VE mesh-group does not require a CE router where IGMP is enabled on CE interfaces. MX Series based CE boxes have unlimited capacity of tokens. So, this would not be a major issue. PR1560588

  • Support switchover on routing-crash configuration statement during abnormal termination of rpd. PR1561059

  • The session status becomes nonresponsive in the invalid state after the core-facing link fails in the primary PE devices. PR1562387

  • Configure an interface hold time to avoid the additional interface flap. PR1562857

  • On MX480 routers, traffic loss is observed with a scale of 4000 tunnels 800 VRF test. The problem is with Layer 1 node not reflecting correct bandwidth configured for tunnel services. When baseline has 1G configuration on some FPC or PIC in groups global chassis and if we override with local chassis tunnel service in 10G bandwidth scaled scenario. Out of 10 Gbps bandwidth configured only 1 Gbps is allowed per 1G speed configured in baseline configuration.PR1568414

  • When inline Jflow is configured and high sampling rate (more than 4000 per second) is set, high CPU utilization might be observed and this might result in relevant impacts on traffic analysis and billing. PR1569229

  • The following messages might be seen in the logs from MPC11E line-card: router-re0-fpc8 aftd-trio[18040]: [Warn] AM : IPC handling - No handler found for type:27 subtype:9. There is no functional impact, these logs can be ignored. PR1573972

  • When you commit the configuration /8 pool with block size as 1, the block creation utilizes more memeory causing NAT pool memory shortage. This results in syslog RT_NAT_POOL_MEMORY_SHORTAGE. PR1579627

  • Firewall programming fails due to scaled prefix configuration with more than 64800 entries. PR1581767

  • When you configure interim logging for PBA, syslog messages are generated in regular intervals. Change in information of PBA interim syslog message, the message string change from "allocates port block" to "interim port block". PR1582394

  • When the active secondary interface is deactivated, the PTP lock status is set to 'INITIALIZING' state in show ptp lock-status output for few seconds before BMCA chooses the next best secondary interface. There is no functional impact. PR1585529

  • On all devices running Junos OS Release 19.1R3-S5-J3, when you delete Extensible Subscriber Services Manager (ESSM) the subscriber logical interface might get stuck. PR1591603

  • Currently, SyncE configurations are allowed during unified ISSU but trigger a warning since SyncE state might not be maintained during unified ISSU. PTP configurations, however, need to be deactivated, else the unified ISSU will be aborted. PR1592234

  • Pim VxLAN do not work on TD3 chipsets enabling VxLAN flexflow after Junos OS Release 21.3R1. PR1597276

  • On MX2010 and MX2020 devices, Junos OS does not support unified ISSU for software upgrades from Junos OS 21.2 release to Junos OS 21.3 and 21.4 releases due to a flag day change. PR1597728

  • Rebooting JDM from inside JDM shell changes JDM's main PID as a result systemd's knowledge of JDM PID becomes stale. Due to this reason systemd fails to stop or start JDM. PR1605060

  • Leaf difference w.r.t. memory-usage/heap in the output of Sensor (/junos/system/linecard/firewall) between MPC7E and MPC10E. PR1606791

  • If RPD Agent sends INH deletion/additions out of order(Rarely occurs) to backup RPD, RPD might generate core files. RPD then restarts and works fine. PR1607553

  • IS-IS adjacency remains down in backup Routing Engine during link flap test. PR1608591

  • Dfwd generates core files when accessing ephemeral db files which is deleted through script. PR1609201

  • When user tries to disable AMS ifd using configuration, the ipsec tunnels are not deleted. Deactivating the services will provide the desired result. PR1613432

  • Changing aggregated AE mode (aggregated-ether-options link-protection) with subscribers logged in on that AE will cause undesirable subscriber management behavior. You will need to confirm there are no subscribers on the AE before changing the AE protection mode. PR1614117

  • In some NAPT44 and NAT64 scenarios, Duplicate SESSION_CLOSE Syslog will be seen. PR1614358

  • MAX AE interfaces software index was 128. Hence, a failure is seen when you configure with 218 interfaces. Therefore, we increase the max indexes to 255. PR1618337

  • Memory Zone is not reflecting properly while doing Memory Tests through Vty command test usp service-sets memory-testing start. PR1619499

  • On all MX series platforms with MPC10+, configuring syslog as a filter action might cause the FPC to restart. PR1627986

  • For a topology with VSTP and VRRP configured and IPv6 traffic, if you change VSTP bridge priority a couple of times (to trigger toggling of root bridge), V6 traffic drop might be seen on some of the streams. PR1629345

  • For MX204 and MX2008 "VM Host-based" platforms, starting with Junos OS Release 21.4R1 or later, ssh and root login is required for copying line card image (chspmb.elf for MX2008) from Junos VM to Linux host during installation. The ssh and root login are required during installation. Use deny-password instead of deny as default root-login option under ssh configuration to allow internal trusted communication. Ref PR1629943

  • On MX platform with enhanced subscriber management enabled, when you configure host-prefix-only on the underlying-interface for subscribers, it might not work in FPC. PR1631646

  • The fabric statistics counters are not displayed in the output of show snmp mib walk ascii jnxFabricMib. PR1634372

  • Ports speed is stuck and never changes for any port profile changes,if pic bounce is done fast not letting the previous configuration complete. PR1637954

  • The USB device on MX304 can be accessed from host linux instead of junos (as is usually done on most other platofrms) MX304 is similar to PTX1000 in this respect. Regular procedure to access usb in junos on most platforms : Procedure to access usb in host linux (ptx1000, mx304) : grade/topics/topic-map/storage-media-and-routing-engines.html#id-accessing- usb-storage-on-ptx1000-routers PR1639071

  • On all Junos and Junos Evolved platforms, there may be a high Control Processing Unit (CPU) utilization for the routing processor daemon (rpd) during commit. This might only be seen in a scaled static route setup with VRF (Virtual Routing and Forwarding) and Bi-Directional Forwarding and Detection (BFD). The reason for the CPU spike is that kernel routing table (krt) might get stuck and keeps running for a long time. The high CPU might hamper the rpd functionality in rare cases, however, the system recovers by itself when you encounter this issue .PR1639252

  • Script fails while verifying Access Internal Routes after daemon restart during Advanced DHCP test. PR1640567

  • The mspmand daemon running on MS-MPC/MS-MIC cards can occasionally crash when the service card (fpc/pic) is turned offline and then online at regular intervals when the number of service-set configured is moderately high and when extensive hardware crypto operations are being performed. The exact issue is yet to be isolated. PR1641107

  • On MPC10E cards upon many very quick link down and up events in msec range might not always able to drain all traffic in the queue. This causes lost of traffic going through the interface. Traffic volume and class-of-service configuration does influence the exposure. See also PR1638410.PR1642584

  • When we use request vmhost zeroize command it doesn't show entry for no-forwarding option under possible completions. PR1642820

  • WIth PTPoIPv6 on MPC2E 3D EQ, PTP slave stays in acquiring state.PR1642890

  • Committing configuration changes during the Packet Forwarding Engine reset pause window (when PFE is disabled, yet the PFE reset proper has not started yet) has the potential of causing errors and traffic loss. In particular, configuration changes that result in re-allocating policers (which are HMC-based) might lead to traffic being entirely policed out (that is, not flowing). Once the PFE reset procedure has started configuration changes ought to be avoided until the procedure is completely done.PR1644661

  • bb device has to be manually enabled in configuration for DHCP and PPP access models for BNG CUPS. Configuration to enable bb device is as follows:: #set system subscriber-management mode force-broadband-devic. PR1645075

  • On all MX and PTX platforms, EDAC errors are triggered but alarms are not observed until the FPC gets rebooted due to the data corruption in hardware. PR1646339

  • On all MX platforms with the subscriber management scenario, when unified ISSU happens from pre Junos OS Release 18.4 to post Release 18.4, subscribers that re-logged in pre 18.4 are called preNG subscribers. For any of the preNG subscribers, if the ipv4/ipv6 family interface goes up/down, the issue is triggered. PR1646846

  • Observed un expected traffic steering during the verification of path computation client. PR1647073

  • The mobiled.core-tarball.0.tgz core file is seen while testing hcm_dpi_pcef_usf_3.robot". PR1648886

  • The firewall filter might be incorrectly updated in the MPC10E Packet Forwarding Engine when a change (for example, add, delete, deactivate, or activate) of firewall filter terms occurs in some scenarios, such as large-scale term changes or changes happening during MPC reboot. The incorrect firewall filter might cause the traffic to silently drop or discard and even lead to an MPC crash. It is a timing issue. PR1649499

  • Extra frr_inh is seeing in show route table vpn1.inet.0 protocol bgp extensive fib-expanded-nh exact output. PR1651103

  • On MX Series devices, the low priority stream might be marked as a destination error and as a result, the low priority stream is stuck and all traffic might get dropped.PR1657378

  • TOS(DSCP+ECN) bits are not getting copied from the Inner Layer 3 header to Outer VXLAN header at the Ingress VTEP. Because of this in the core, ECN marking and DSCP classification are not working.PR1658142

  • DHCPACK is not received at ztp-server after zeroize of the device (client). PR1658287

  • During startup of a cBNG container or when JSD is restarted from the CLI in a cBNG container, JSD might crash creating a core file. JSD should recover from the crash and automatically restart. JSD should function normally after recovering from the crash.PR1659175

  • MPC checks periodic service time. When heavy interrupts occur during periodic service, the periodic service time might exceed 200 microseconds. If it happens, Oinker: Function message will occur, but it doesn't have function impact. This is applicable to Junos OS 16.1R4 to 16.1R7 releases. PR1242915

  • On vMX, the blockpointer in the ktree is getting corrupted leading to core-file generation. There is no function impact such as fpc restart or system down and the issue is not seen in hardware setups. PR1525594

  • When the DHCP relay mode is configured as no-snoop, we are observing the offer gets dropped due to incorrect asic programming. This issue only affects while running DHCP relay on EVPN/VXLAN environment. PR1530160

  • If you use the source-address NTP configuration parameter and issue the command set ntp date from the CLI, packets will be sent with the source address of the outgoing interface rather than the manually configured IP address. Typically the manually configured IP address would be a loopback address. The problem does not apply to automatically generated NTP poll packets. PR1545022

  • In rare occurrence Routing Engine kernel might crash while handling TCP sessions if GRES/NSR are enabled. PR1546615

  • Don't use the control-type light under platforms where this feature is not supported at present. At present IPv4 and IPv6 twamp-light is supported on the platforms using TRIO and PE chipsets. PR1603128

  • VM might generate core files, and you might observe Virtual Chassis split with multicast scale scenario. PR1614145

  • Using static labeled switched path (LSP) configuration, the child node is not removed from the flood composite when the core interface goes down.PR1631217

  • With given multi dimensional scale, if a configuration is removed and restored continuously for more than 24 times, MX Trio based FPC might crash and restart. During the reboot, there can be traffic impact if backup paths are not configured. PR1636758

  • Observing traffic loss after Routing Engine switchover while changing the BGP hold-down timers. PR1650940

  • Micro BFD sessions which are running in distributed mode might flap if ppm thread does not get scheduled on time. This issue is applicable to MPC9 and below trio based line cards.PR1668818

Routing Protocols

  • On all platforms, the issue is when the first time when ESIS is coming up sometimes the ESIS route might not get installed. PR1559005

  • On MX platforms, initial multicast register packets might get dropped, this may affect multicast services. PR1621358

  • Protocols (IS-IS, LDP, BFD) flapped during graceful switchover while testing ldp oam. PR1638882

  • On all Junos and Junos OS Evolved platforms, when configuring the network instance for openconfig, an error might be observed while executing a commit if the configured network instance type is default_instance but the instance name is not default.PR1644421

  • When Junos device receives BGP inetflow route with multiple nexthops, RPD will crash and generate a core file. PR1670630

Services Applications

  • L2TP LAC functionality is not working in this release. PR1642991

User Interface and Configuration

  • On all Junos with persist-groups disabled ( on Junos persist-groups feature is enabled by default Junos OS Release 19.4 onwards) and on EVO platforms where persist groups can be disabled (Junos OS Release 21.4R1 onwards persist-groups cannot be disabled on EVO) this issue can be seen. This issue occurs when grafting happens during configuration expansion (when persist-groups is disabled) and a configuration such as a customer configuration is applied (for example, a configuration in which MTU is inherited from a groups configuration).PR1636085


  • Tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393

  • When using Group VPN, in certain cases, the PUSH ACK message from the group member to the group key server might be lost. The group member can still send rekey requests for the TEK SAs before the hard lifetime expiry. Only if the key server sends any new PUSH messages to the group members, those updates would not be received by the group member since the key server would have removed the member from registered members list. PR1608290