Open Issues

You might see a misleading syslog message "L2CKT/L2VPN acquiring mastership for primary" although no VPN/L2CKT is configured on the router. PR1105459

For the MPC10E card line, the IS-IS and micro-BFD sessions do not come up during baseline. PR1474146

The Sync-E to PTP transient simulated by Calnex Paragon Test equipment is not real network scenario. In real network deployment model typically there will be two Sync-E sources (Primary and Secondary) and switchover happens from one source to another source. MPCE7 would pass real network SyncE switchover and associated transient mask. PR

When the active slave interface is deactivated, the PTP lock status is set to 'INITIALIZING' state in show ptp lock-status output for few seconds before BMCA chooses the next best slave interface. This is the day-1 behavior and there is no functional impact. PR1585529

Percentage physical-interface policer is not working on aggregated Ethernet, after switching between baseline configuration to policer config uration.PR1621998

On all Junos OS platforms, agentd process crash will be seen in telemetry streaming longevity test.PR1647568

There will be drop of syslog packets seen for RT_FLOW: RT_FLOW_SESSION_CREATE_USF logs until this is fixed. This will not impact the functionality.PR1678453

%PFE-x: fpcx user.err ppman: [Error] PPM:PROCESSOR_L2TP_SF: PpmProcProtoL2tpSf::processPkt: No tunnel entry found for received L2TP tunnel control packet. LocalAddr: x.x.x.x LocalTunnelId: 0 Timestamp xx:xx:xx device fpcX user.err ppman: [Error] PPM:PROCESSOR_L2TP_SF: PpmProcProtoL2tpSf::processPkt: Received packet Ipv4 header parsing failed. PacketSize:xxPR1689921

On Junos OS platforms, even though there are no active subscribers, a foreign file propagation (ffp) commit error is seen for the class-of-service traffic-control-profile.PR1700993

When LAG is configured with mixed speed interfaces switching to a secondary interface of different port speed, results in a few packet drops for a very short duration. PTP remains lock and there is no further functional impact. PR1707944

Once the device is loaded with the new image, PIC tries to boot up. mspmand is one of the processes inside PIC, crashes sometimes.PR1714416

fec-codeword-rate data with render type decimal64 is rendered as string in grpc python decoder.PR1717520

JDI-RCT:M/Mx: SMPC crash @ hostif_clear_toe_interrupts, toe_interrupt_handler after fpc restart scenario .PR1733053

PTP state went to Freerun and acquiring before phase-aligning again when the SyncE ESMC is disabled or downgraded from GM or the upstream node one hop above the parent node. PR1738532

On MXVC , Due to some timing issue when RPD is restarted, It will not be spawned again. This issue is rarely reproducible.PR1740083

On all Junos OS and Junos OS Evolved platforms BGP traceoptions configuration will have an impact on the CPU, threads will be busy and will take time to recede in spite of disabling it. It is important we enable a specific trace flag and disable it when the CPU goes high. It is also important not to perform switchover and other triggers which can add load to the CPU during traces are enabled. Traces must be enabled discretely.PR1724986

Error message might occur once in a while with full scale during negative scenarios like 'clear bgp neighbor all' with all the services like EVPN, vrf etc being present.PR1744815

RBU DIAGS REGRESSIONS: MX480 CommonDiag::JDE3(volt_services_show_clients) failing on MPC7e. PR1747033

RBU DIAGS REGRESSIONS: MX2010 Diagnostics::Jde3Diag(phy_reg_access) test is failing. PR1747297

On all MX Series platforms, faulty hardware issue on MIC due to clock sync error generated brings down the interfaces without any major alarm or log notification.PR1749943

MX480: Observed multiple na-mqttd.core-tarball@mosquitto_send_suback,mqtt3_handle_subscribe,mqtt3_pa cket_handle. PR1758264

On Junos MX Series platforms with Trusted Platform Module (TPM), reset of master password got stuck post device reboot.PR1760822

On MX Series platform with a combination of MPC1-9, LC480, LC2101, and MPC10E, MPC11E, LC9600 line cards, when preserve-nexthop-hierarchy knob enabled and maximum-ecmp configured with more than 32 next-hops in the MPLS FRR (Multiprotocol Label Switching fast-Reroute) and BGP (Border Gateway Protocol) Multipath scenario, packet loss when primary path is added back in ECMP nexthop (say after primary interface or session is marked UP) will be higher compared to that on MX platform with MPC1-9, LC480, LC2101 line cards only, OR with MPC10E, MPC11E, LC9600 line cards only. This packet loss is proportional to the value in maximum-ecmp configuration.PR1765856

On Junos OS platforms, when executed just after line-cards are up after system-reboot, the CLI output for active-errors (show system errors active, show system errors active detail) displays empty output for some initial duration that can run for minutes. Issue is seen when number of errors present in line-card is very high (10K+). Since all these errors need registration with CLI serving daemon running on Routing Engine, before it can display error-info, CLI output for this command is delayed. However, as a workaround alternative CLI (show chassis errors active detail) can be used, which displays similar output.PR1775073

MX10008 :: PLD is higher than 2000 msec on ungraceful removal of a fabric board.PR1776054

Commit error is needed when streaming server and export-profile is not configured properly. With the incomplete configuration that is missing below might cause the interfaces to go down upon reboot of the unit or FPC. set services analytics streaming-server profile name remote-address ip set services analytics streaming-server profile name remote-port port set services analytics export-profile profile-name reporting-rate rate. This needs to be greater than 1.PR1779722

Even after request vmhost power-off LEDs keep lighting on. The LEDs state should be off because routing-engine doesn't have power in case of request vmhost power-off.PR1781815

The show command cause performance degradation or hog CPU. PR1784219

V6 Endpoint SRTE: 4PE (IPv4 over IPv6) routes in inet.0 table are not getting resolved in inet6color table because 4PE is not supported with inet(6)color model. 4PE can be supported with transport class. PR1786029

When interfaces with different speed are configured as members of AE, some of the members are not added to aggregated Ethernet. And if GRES is enabled, vmcore might be generated on backup Routing Engine. PR1799451

Under scaled configurations with interfaces, FW filters, routing protocols etc certain script based config/unconfig automated operations, in the presence of continuous traffic, can encounter one or more PPE traps that momentarily cause traffic drops. These momentary traffic drops happen at the tail end of the time the business configuration is removed and a baseline configuration is loaded in a single commit. These do not cause any service or functionality impact. PR1800967

On MX Series platforms with SCBE3-MX (MX240, MX480 and MX960) due to a hardware failure of the Control Board, the Routing Engine(RE) switchover might not happen. This will result in the 19.4Mhz clock failure and has potential risk for chassis wide traffic impact. In worst case all revenue ports will be impacted. If the RE switchover is done in a timely manner then the device will recover because FPCs will try using the 19.4Mhz clock from the new primary.PR1801284

MPC11 ISSU command fails from Junos OS Release 24.1R1 to 24.2R1 and causes MPC11 linux crash. The issue only applies to ULC image.PR1803205

This issue is caused because of the fact that peers-synchronize is configured, and master-password is configured to encrypt the config being sync'ed. However, as there is no master-password configured on the peer device, the encrypted configuration cannot be decrypted (this is expected). This has not been supported from day-1, however a workaround can be done in order to get this to work. The workaround is to manually configure the same master password on the peer device manually. At a high level the problem is as follows: Consider there are two devices A and B in a peer-sync config 1. config on dev A contains secrets which need to be encrypted with the master password and synced with the device B 2. The master-password (juniper123+masterpassword) is configured on device A and the configuration is encrypted and written to /tmp/sync-peers.conf 3. The /tmp/sync-peers.conf is then synced to device B but device B does not have the same master-password configured which results in the config failing to decrypt. The master-password itself is not a part of the config-database. Additionally, it cannot be transmitted over an unencrypted HA Link, as this would lead to the master-password getting leaked. This is by design, and would be a security concern if it were to be transmitted across an unencrypted channel. Therefore, this work as designed. In order to work around this issue follow these steps: 1. configure the master-password on device B and commit the config 2. configure the same master-password on device A and commit the config and it should get sync'ed correctly.PR1805835

It's day-1 non-functional issue, where in PFE the unilist is coming with proto as IPv4 for IPv6 unilist nexthop. PR1806717

PLL Access Failure alarms is observed on a MPC11E line card of REV 53 after loading 24.2I-20240429.0.0958 on a MX2010 boxPR1808044

LLDP neighbor does not recover after protocol is enabled globally on the router.PR1811545

Under scaled configurations with interfaces, FW filters, routing protocols etc, certain script based config/unconfig automated operations in the presence of continuous traffic, can encounter one or more PPE traps that momentarily cause traffic drops. These momentary traffic drops happen at the tail end of the time the business configuration is removed and a baseline configuration is loaded in a single commit. These do not cause any service or functionality impact. PR1800967

When LC4800 is operated in the worst case operating corner, i.e. all ports running at full line rate, NEBS ambient temperature = 55C, high altitude, there is a possibility that the PCIe switch temp sensor on the SIB8 (JNP10008-SF2) can falsely report a yellow alarm for over temperature. This issue is applicable to Junos 24.2R1 and 24.2R1-S1 releases. Hardware Symptoms tracking signature: cli show system alarms Alarm time Class Description 2024-03-07 02:28:45 PST Minor SFB 2 PCIe Switch Temp Sensor Warm. PR1801778

On MX platforms with LC2101 line cards and 10-gigabit ethernet interfaces configured in loopback mode, when Line card is booted multiple times, the ethernet interfaces on line card remains down and traffic on those interfaces will be impacted. PR1809511

With 24.2R1 software release, some of the 100G and 400G links might remain DOWN after LC4800 FPC restart. Check workaround for recovery. PR1814101

On all Junos OS platforms with Border Gateway Protocol (BGP) rib-sharding enabled and NSR(Nonstop Active Routing) configured, upon deactivation and activation of routing-instances, interfaces and protocols together, memory leak in rpd is observed. There will be no traffic impact at this time because memory leak is very slow. PR1761191

We've noticed that we are experiencing 100% CPU utilization during GRES in the smid and alarmd daemons. After investigating, we discovered that the gRPC client (feature daemon) was sending RPC requests and waiting for responses while the gRPC server (license-check daemon) was down during GRES. If the client doesn't receive a response within the specified deadline time (30 seconds), it should return a GRPC_QUEUE_TIMEOUT type and success value as 0. But, it got stuck in getting "grpc_core::Timestamp::Now ()" API. PR1805723

On MX platforms when LC4800, the fan speed at 25C ambient temperature may exceed 44% of the max speed target. Therefore the system may not meet NEBS acoustic requirements. PR1824343

In order to allow protocol daemons (such as rpd, dot1xd et. al.) to come up fast when master password w/ TPM is configured, the daemons must be allowed to cache the master-password when they read their configuration. In order to cache the master-password, the daemons must individually reach out to the TPM to decrypt the master password and cache it in their memory. This scenario leads the TPM to be flooded with decryption requests, and therefore causes the TPM to be busy and start rejecting decryption requests. To prevent the daemons from core dumping in this scenario, and to allow successful decryption of secrets, we retry the decryption request to the TPM. However, to allow the TPM queue to drain, we introduce a sched_yield() call before retrying to sleep for 1 quantum of time. Without this, we will fail on all our retries. Additionally, a decryption request can also take a large amount of time (> 5 secs). This results in SCHED_SLIP messages being seen in the logs, as the requesting process is idle while the decryption request is being processed by the TPM. This can exceed the SCHED_SLIP timeout, and result in libjtask logging the SCHED_SLIP messages into the configured system log file. These SCHED_SLIPs should not cause any route instability, are benign, and can be ignored as these are seen only during configuration consumption by the various daemons.PR1768316

DHCP asymmetric-lease-time is slow processing large scale requests to terminate 64K subscribers. This condition applies to both DHCP local server and DHCP relay when asymmetric-lease-time is configured. Regardless of the timer value configured the JDHCPD process will only handle 20 request per second which results in longer than expected time to terminate all DHCP subscribers. In DHCP dual stacked environments the client termination is split between protocol type, 10 clients for DHCPv4 and 10 clients for DHCPv6 are terminated per second. In the example of having 64K dual stacked subscribers with minimum asymmetric-lease-time of 600, after network disruption, there is a 600 second interval for detection JDHCPD takes an approximate addition 53 minutes to terminate all 64K subscribers. The engineering fix for this PR will process 100 client request per second rather than the original 20 requests per second.PR1817227

In some NAPT44 and NAT64 scenarios, Duplicate SESSION_CLOSE Syslog will be seen. PR1614358

PCT-VIRTUAL: Firewall filter counters are not incremented as expected when filter is applied to IRB interface in the ingress/egress direction via forwarding tablePR1766471

As per the current cos design, we aren't merging the configuration from wildcard and explicit configurations, instead explicit configs takes precedence and we don't apply the wildcard configs. For example: set class-of-service interfaces xe-* scheduler-map sch0 ---> explicit xe-* takes precedence set class-of-service interfaces all unit 0 classifiers dscp cls set class-of-service interfaces xe-* unit 0 classifier dscp cls set class-of-service interfaces xe-3/2/0 unit 0 classifier dscp cls2 -> explicit interface config takes precedence set class-of-service interfaces xe-3/2/0 unit * classifier dscp cls set class-of-service interfaces xe-3/2/0 unit 0 rewrite_rule rw_rule -> takes precedence, classifier won't be applied It's recommended to add the required config also along with the explicit config, like in this reported case, we need to below config to fix this problem. set class-of-service interfaces xe-* scheduler-map sch0 set class-of-service interfaces xe-* unit 0 classifiers dscp clsPR1797119

Few Error message may occurs while deleting multiple EVPN ETREE Routing Instances.PR1808643

LDP OSPF are in synchronization state because the IGP interface is down with ldp-synchronization enabled for OSPF. user@host> show ospf interface ae100.0 extensive Interface State Area DR ID BDR ID Nbrs ae100.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1 Type: P2P, Address: 10.0.60.93, Mask: 255.255.255.252, MTU: 9100, Cost: 1050 Adj count: 1 Hello: 10, Dead: 40, ReXmit: 2, Not Stub Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC Protection type: None Topology default (ID 0) -> Cost: 1050 LDP sync state: in sync, for: 00:04:03, reason: IGP interface down config holdtime: infinity. As per the current analysis, the IGP interface goes down because although LDP notified OSPF that LDP synchronization was achieved, OSPF is not able to take note of the LDP synchronization notification, because the OSPF neighbor is not up yet. PR1256434

On MX Series platforms, unexpected log message will appear if the CLI command 'show version detail' or 'request support information' is executed: test@test> show version detail *** messages *** Oct 12 12:11:48.406 re0 mcsnoopd: INFO: krt mode is 1 Oct 12 12:11:48.406 re0 mcsnoopd: JUNOS SYNC private vectors set. PR1315429

On Junos platforms and Junos Evolved platforms, if a BGP peer goes down and stays down, the system might take an extremely long time to complete removing the BGP routes. The issue is observed when a BGP peer sends many routes, only a small number of routes are selected as the active routes in the routing information base (RIB, also known as the routing table), and if the BGP delete job gets only a small part of the CPU time because other work in the routing process is utilizing the CPU.PR1695062

On all Junos OS platforms and Junos Evolved with scaled BFD sessions, FPC reload/restart results in few BFD session flap.PR1698373

Memory leaks in rt_instance block rpd process when deactivating and then activating protocols, routing-instances and interfaces. PR1761191

With BGP sharding and NSR configured, deactivating or activating routing-instances and interfaces back to back multiple times on active Routing Engine leads to generate rpd core files on backup Routing Engine at rt_flash_queue_insert. PR1781293

Configuration of a global AS number is necessary when route target filter is enabled. Currently JUNOS cli does not enforce configuring a global AS number and it has been the behavior for a long time. Many unexpected issues may be seen without a global AS number. It's been a recommended practice to configure a global AS number in the field.PR1783375

On all Junos OS platforms having BGP (Border Gateway protocol) configured, when route is leaked through rib-group from one routing instance to another having the same AS (Autonomous System) number and one of the routing-instances has BGP configured with local-as, it is observed that even after configuring loops with any value greater than one as the number of loops option, the route still remains hidden instead of being active which results in traffic drop. PR1771344

On Junos MX80, MX240, MX480, MX960 platforms with Multiservices Modular Interfaces Card (MS-MIC), Multiservices Modular Port Concentrators (MS-MPC) service cards, in an issue where an old dynamic security association_configuration (sa_cfg) for a tunnel is present and trying to establish new sets of Internet Protocol Security Security Association (IPSec SAs) using a new Internet Key Exchange (IKE) SA established for the same remote device but with a different request. This can happen, if for some reason old sa_cfg is not cleaned (failed in clean-up). On crash, the Key Management Daemon (kmd) restarts but fails because of kernel instance mismatch present in the kernel database. So all the IPsec tunnels will be impacted.PR1771009

To recover from this and to avoid problem due to problem delta synchronize, "set system commit no-delta-synchronize" can be configured as work-around (no-delta-synchronize is hidden knob but safe to use). It will enforce entire ?juniper.conf? to synchronize rather than delta changes and will help in this case.PR1801136

Upgrade from Junos OS Release 20.3x to 24.2R1 fails if extend-db config stanza is present This issue is happening due to extend-db knob configured in the config. Delete the extend-db knob, reboot the box and then perform the upgrade. Issue is not seen. PR1806109 and PR1807931