Open Issues
Learn about open issues in this release for MX Series routers.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
EVPN
-
On all MX Series platforms, deactivating a routing instance that is configured with 'vrf-target auto' and also with protocol EVPN causes rpd to crash on all the Routing Engines present in the chassis. PR1821582
Forwarding and Sampling
-
In the case of filter-based forwarding (FBF) where the filter has a term with the 'then routing-instance' action, the firewall filter does not work properly after the routing instance is deactivated and then activated. Even though no configuration is changed before and after the deactivate/activate, packets are not forwarded to their destination device. PR1810237
-
Whenever the CBS was configured above its limit (earlier 33m), the low-level parameters were configured such that packets had no credits available, which resulted in them being marked as RED. PR1837840
General Routing
-
You might see a misleading syslog message "L2CKT/L2VPN acquiring mastership for primary" although no VPN/L2CKT is configured on the router. PR1105459
-
For the MPC10E card line, the IS-IS and micro-BFD sessions do not come up during baseline. PR1474146
-
In a Sync-E configuration where ESMC transmit is configured (Config 1) and the chassis synchronization source is either deactivated or not configured (Config 2), the commit fails with the error "'esmc-transmit' requires 'chassis synchronization source' configuration". PR1549051
-
The Sync-E to PTP transient simulated by Calnex Paragon test equipment is not a real network scenario. In a real network deployment model, there are typically two Sync-E sources (primary and secondary), and switchover happens from one source to the other. MPCE7 would pass a real network SyncE switchover and the associated transient mask. PR1557999
-
When the active slave interface is deactivated, the PTP lock status is set to the 'INITIALIZING' state in the 'show ptp lock-status' output for a few seconds before BMCA chooses the next best slave interface. This is the day-1 behavior and there is no functional impact. PR1585529
-
Percentage physical-interface policer does not work on aggregated Ethernet after switching from the baseline configuration to the policer configuration. PR1621998
-
On all Junos OS platforms, an agentd process crash is seen in the telemetry streaming longevity test. PR1647568
-
Syslog packets for RT_FLOW: RT_FLOW_SESSION_CREATE_USF logs are dropped until this is fixed. This does not impact functionality. PR1678453
-
%PFE-x: fpcx user.err ppman: [Error] PPM:PROCESSOR_L2TP_SF: PpmProcProtoL2tpSf::processPkt: No tunnel entry found for received L2TP tunnel control packet. LocalAddr: x.x.x.x LocalTunnelId: 0 Timestamp xx:xx:xx device fpcX user.err ppman: [Error] PPM:PROCESSOR_L2TP_SF: PpmProcProtoL2tpSf::processPkt: Received packet Ipv4 header parsing failed. PacketSize:xx PR1689921
-
On Junos OS platforms, even though there are no active subscribers, a foreign file propagation (ffp) commit error is seen for the class-of-service traffic-control-profile. PR1700993
-
When a LAG is configured with mixed-speed interfaces, switching to a secondary interface of a different port speed results in a few packet drops for a very short duration. PTP remains locked and there is no further functional impact. PR1707944
-
Support for the "no-confirm" option in ISSU to avoid the interactive prompts. This option suppresses the user prompts and proceeds with the restart upgrade for a hitless kernel restart upgrade. If there is any error that can impact traffic, the upgrade is aborted. PR1713589
-
Once the device is loaded with the new image, the PIC tries to boot up. mspmand, one of the processes inside the PIC, sometimes crashes. PR1714416
-
fec-codeword-rate data with render type decimal64 is rendered as a string in the gRPC Python decoder. PR1717520
-
On all Junos and Junos Evolved platforms, BGP traceoptions configuration has an impact on the CPU: threads stay busy and take time to recede even after traceoptions is disabled. Enable only a specific trace flag, and disable it when CPU utilization goes high. Do not perform a switchover or other triggers that can add load to the CPU while traces are enabled. Traces must be enabled discretely. PR1724986
-
Telemetry statistics are not visible for MPLS LSPs (RSVP-based) when the core interface is MPC11/MPC10. PR1731587
-
PTP state went to Freerun and acquiring before phase-aligning again when the SyncE ESMC is disabled or downgraded from GM or the upstream node one hop above the parent node. PR1738532
-
On MXVC, due to a timing issue, rpd is not spawned again after it is restarted. This issue is rarely reproducible. PR1740083
-
An error message might occur once in a while at full scale during negative scenarios such as 'clear bgp neighbor all' when services such as EVPN and VRF are all present. PR1744815
-
RBU DIAGS REGRESSIONS: MX480 CommonDiag::JDE3(volt_services_show_clients) failing on MPC7e. PR1747033
-
On Junos OS platforms that use the afeb/tfeb way of communication to the PFE (that is, MX80/MX104 platforms) with Virtual Router Redundancy Protocol (VRRP) configured, deleting a member link from the aggregated Ethernet (AE) bundle removes the VRRP filter entry in the Packet Forwarding Engine (PFE), which causes VRRP traffic to be dropped even though other active member links exist in the AE bundle. PR1747289
-
RBU DIAGS REGRESSIONS: MX2010 Diagnostics::Jde3Diag(phy_reg_access) test is failing. PR1747297
-
On all MX Series platforms, a faulty hardware issue on the MIC, caused by a clock sync error, brings down the interfaces without any major alarm or log notification. PR1749943
-
On MX Series platforms based on MPC10E line cards, with an aggregated Ethernet interface configured with Link Aggregation Control Protocol (LACP), subscriber management, and the auto-configure statement enabled, ping to the neighbor fails after swapping member interfaces between two AEs (one with VLAN configuration and the other without VLAN configuration). Traffic forwarding on the respective interfaces is impacted because the interface is moved from the AE that has a VLAN to the AE that does not have a VLAN. PR1751260
-
On all Junos OS Evolved platforms and devices with MX10K-LC2301/MX10K-LC9600, MX304, LC480, LC2101, LC1201, the voltage threshold cross is reported by the MX20796 sensor. PR1752654
-
On Junos MX Series platforms with Trusted Platform Module (TPM), reset of master password got stuck post device reboot. PR1760822
-
On MX Series platforms with a combination of MPC1-9, LC480, LC2101, and MPC10E, MPC11E, LC9600 line cards, when the preserve-nexthop-hierarchy knob is enabled and maximum-ecmp is configured with more than 32 next hops in the MPLS FRR (Multiprotocol Label Switching fast reroute) and BGP (Border Gateway Protocol) multipath scenario, the packet loss when the primary path is added back to the ECMP next hop (for example, after the primary interface or session is marked UP) is higher than on an MX platform with MPC1-9, LC480, LC2101 line cards only, or with MPC10E, MPC11E, LC9600 line cards only. This packet loss is proportional to the value in the maximum-ecmp configuration. PR1765856
-
On Junos OS platforms, when executed just after the line cards come up after a system reboot, the CLI output for active errors (show system errors active, show system errors active detail) is empty for an initial duration that can run for minutes. The issue is seen when the number of errors present in the line card is very high (10K+). Because all these errors must be registered with the CLI-serving daemon running on the Routing Engine before it can display error information, the CLI output for this command is delayed. As a workaround, an alternative CLI command (show chassis errors active detail) can be used, which displays similar output. PR1775073
-
Issue identified when upgrading vmhost, but it applies to all Junos OS platforms that support vmhost. When there are tar errors during the upgrade and the reboot option is used in the upgrade command, the machine still reboots the Routing Engine even though the upgrade was not completed correctly. This breaks the Routing Engine. It is necessary to stop the reboot if errors or tar problems occurred during the upgrade. PR1770585
-
In Junos (JET) telemetry, that is, pre-gNMI telemetry, sensors that are of a double data type are converted to a float data type when streamed to a collector. PR1777319
-
A commit error is needed when the streaming server and export profile are not configured properly. An incomplete configuration that is missing the statements below might cause the interfaces to go down upon reboot of the unit or FPC.
set services analytics streaming-server profile name remote-address ip
set services analytics streaming-server profile name remote-port port
set services analytics export-profile profile-name reporting-rate rate
This rate needs to be greater than 1. PR1779722
-
Even after 'request vmhost power-off', the LEDs stay lit. The LEDs should be off because the Routing Engine does not have power after 'request vmhost power-off'. PR1781815
-
The 'show' command causes performance degradation or hogs the CPU. PR1784219
-
V6 Endpoint SRTE: 4PE (IPv4 over IPv6) routes in inet.0 table are not getting resolved in inet6color table because 4PE is not supported with inet(6)color model. 4PE can be supported with transport class. PR1786029
-
On MX100008 and MX100004, if 25G and 50G optics are JIJO within 1 second manually, the interface sometimes does not come up. As a workaround, do not JOJI within a 1-second time period. It is recommended that the duration between JIJO is a minimum of 3 seconds. PR1786404
-
Additional logging has been added to the primary Routing Engine. This helps narrow down the issue in which the chassisd process restarted unexpectedly at the snmp_init_oids() function on the primary Routing Engine while booting up. PR1787608
-
When interfaces with different speed are configured as members of AE, some of the members are not added to aggregated Ethernet. And if GRES is enabled, vmcore might be generated on backup Routing Engine. PR1799451
-
Under scaled configurations with interfaces, firewall filters, routing protocols, and so on, certain script-based automated configure/unconfigure operations can, in the presence of continuous traffic, encounter one or more PPE traps that momentarily cause traffic drops. These momentary traffic drops happen at the tail end of the time during which the business configuration is removed and a baseline configuration is loaded in a single commit. They do not cause any service or functionality impact. PR1800967
-
Because disk-failure reboot support was not added for the dual-disk scenario, the system was not booting in case of a disk failure on sdb (the other disk) on the QFX platform. PR1800862
-
On all MX platforms (except MX80) with a multi line card chassis, when PTP slave or stateful streams are configured across multiple line cards with the clock from the same PTP time provider and the announce message parameters change from the upstream device, a best master clock (BMC) slot switchover is observed and is restored within a few seconds. Although the slot time interval is very short, it can still lead to major impact because the active PTP slot and clock path are switched over, which results in re-routing of the clocks. PR1803105
-
The MPC11 ISSU command fails from Junos OS Release 24.1R1 to 24.2R1 and causes an MPC11 Linux crash. The issue applies only to the ULC image. PR1803205
-
This issue occurs because peers-synchronize is configured and master-password is configured to encrypt the configuration being synchronized. Because no master password is configured on the peer device, the encrypted configuration cannot be decrypted (this is expected). This has not been supported from day 1; however, a workaround makes it work: manually configure the same master password on the peer device.
At a high level, the problem is as follows. Consider two devices, A and B, in a peer-sync configuration:
1. The configuration on device A contains secrets that need to be encrypted with the master password and synchronized with device B.
2. The master password (juniper123+masterpassword) is configured on device A, and the configuration is encrypted and written to /tmp/sync-peers.conf.
3. /tmp/sync-peers.conf is then synchronized to device B, but device B does not have the same master password configured, so the configuration fails to decrypt.
The master password itself is not part of the configuration database. Additionally, it cannot be transmitted over an unencrypted HA link, because this would leak the master password. This is by design: transmitting it across an unencrypted channel would be a security concern. Therefore, this works as designed.
To work around this issue, follow these steps:
1. Configure the master password on device B and commit the configuration.
2. Configure the same master password on device A and commit the configuration. It should then synchronize correctly.
PR1805835
-
A PLL Access Failure alarm is observed on an MPC11E line card of REV 53 after loading 24.2I-20240429.0.0958 on an MX2010 box. PR1808044
-
Feature names will be used across the license alarms and logs that are generated. These have a 1:1 mapping to the feature names used in the output of the 'show system license' command. PR1808084
-
'set chassis no-reset-on-timeout' is a debug command for SPC3 that prevents it from rebooting in case of an issue. Do not set it during normal operations, because SPC3 may need reboots to come online. PR1809929
-
Traffic loss is seen on 1G-SFP-T if the speed is configured to 100m. The 1G SFP-T has the AN feature enabled, but the PHY between the SFP-T and the switch (PHY82756) does not support AN, and this mismatch causes the traffic loss. This needs a feature enhancement. PR1817992
-
On MX Series platforms with MS-MPC and Carrier-Grade Network Address Translation (CGNAT) configured, a large number of "out-of-address" errors and stale NAT mappings for SIP (Session Initiation Protocol) traffic can occur. This can lead to a lack of available resources and cause new connections to be dropped. PR1826847
-
As per the OpenSSH 9.0/9.0p1 release notes: "This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default." Because we are running OpenSSH 9.0 or later (OpenSSH_9.7p1), the SFTP protocol is used by default when the scp command is invoked from the shell. However, vSRX3.0 supports the SCP protocol by default when the scp command is invoked. To use the legacy SCP protocol from the shell, use the -O command-line option. For example:
scp -O other options or arguments
Note: Incoming SCP connections from outside hosts that run OpenSSH 9.0/9.0p1 or later could fail because sftp-server is disabled by default in Junos OS. Users should either use the -O option on the remote host when initiating the scp file transfer or enable sftp-server in the Juniper configuration. To enable sftp-server in the Juniper configuration, use the following hierarchy: "set system services ssh sftp-server". PR1827152
-
When the other RE is rebooted or removed, the following alarm is observed: "Host 0 bme1 : Ethernet Link to other RE Down". The alarm persists as long as the other RE does not come back online, and it clears once the other RE boots up or is inserted. This is part of the periodic check for connectivity to the other RE. There is no functional impact, because the alarm is cleared once the other RE comes back online. PR1840810
-
There is no impact on traffic; the problem is only that extra lanes are displayed in the SNMP query. PR1844751
-
We do not recommend using ":" in the instance name configuration, because it is considered reserved for internal use. PR1849070
-
A customer using Dot1x RADIUS authentication and accounting noticed that when the Stop Accounting (due to disconnect) is sent to the RADIUS server, Acct-Input-Gigawords and Acct-Output-Gigawords have unexpectedly huge values, as shown below:
AVP: t=Acct-Input-Octets(42) l=6 val=0
AVP: t=Acct-Output-Octets(43) l=6 val=0
AVP: t=Acct-Session-Time(46) l=6 val=12
AVP: t=Acct-Input-Packets(47) l=6 val=520538
AVP: t=Acct-Output-Packets(48) l=6 val=2106672
AVP: t=Acct-Terminate-Cause(49) l=6 val=Admin-Reboot(7)
AVP: t=Acct-Input-Gigawords(52) l=6 val=60519852
AVP: t=Acct-Output-Gigawords(53) l=6 val=185322927
PR1851299
-
On all Junos and Junos Evolved platforms, this is an enhancement for the next-hop APIs to support LDP stitching cases over BGP routes pointing to a list of indirect next hops. PR1851629
High Availability (HA) and Resiliency
Interfaces and Chassis
-
JUNOS MX | iflset statistics are not cleared after issuing the 'clear interfaces stats all' and 'clear interfaces interface-set statistics all' CLI commands. PR1741282
Junos XML API and Scripting
-
On all Junos OS platforms where snapshot is supported, when a device is rebooted from recovery mode, it fails to commit the configuration due to problems with SLAX import, and the device might go into amnesiac mode because the commit fails. PR1717425
Layer 2 Ethernet Services
-
On MX Series platforms, for Dynamic Host Configuration Protocol (DHCP4) and DHCPv6 subscribers in an ALQ (Active Leasequery) EVPN-VPWS (Ethernet VPN - Virtual Private Wire Service) scenario without topology-discover, the DHCP-OFFER is dropped because of an incorrect GIADDR (gateway IP address), so subscribers do not complete the DORA (Discover, Offer, Request, Acknowledge) process. The issue is seen for static PS (Pseudowire Service) VLAN interfaces where DHCP subscribers are landing. PR1763331
-
In order to allow protocol daemons (such as rpd, dot1xd, and others) to come up fast when the master password with TPM is configured, the daemons must be allowed to cache the master password when they read their configuration. To cache the master password, each daemon must individually reach out to the TPM to decrypt the master password and cache it in its memory. This floods the TPM with decryption requests, which makes the TPM busy and causes it to start rejecting decryption requests. To prevent the daemons from core dumping in this scenario, and to allow successful decryption of secrets, we retry the decryption request to the TPM. However, to allow the TPM queue to drain, we introduce a sched_yield() call before retrying, to sleep for 1 quantum of time. Without this, all retries fail. Additionally, a decryption request can take a long time (> 5 secs). This results in SCHED_SLIP messages in the logs, because the requesting process is idle while the TPM processes the decryption request. This can exceed the SCHED_SLIP timeout and result in libjtask logging the SCHED_SLIP messages into the configured system log file. These SCHED_SLIPs should not cause any route instability, are benign, and can be ignored because they are seen only during configuration consumption by the various daemons. PR1768316
-
DHCP-Relay short cycle protection can get stuck in the grace period. PR1835753
Network Management and Monitoring
-
In some NAPT44 and NAT64 scenarios, Duplicate SESSION_CLOSE Syslog will be seen. PR1614358
-
Issue: Multiple traps are generated for a single event when more target addresses are configured for INFORM async notifications.
Cause: Handling of the INFORM type of async notification requires the SNMP agent running on the router to send an Inform-Request to the NMS, and the get-response PDU that the NMS sends back must be handled. In this issue state, when more than one target address (NMS IP) is configured for an SNMP v3 INFORM configuration and the Get-Response arrives out of the order in which the Inform-Requests were sent, the PDU is not handled correctly, which causes the SNMP agent to retry the Inform-Request. This shows up as multiple traps on the NMS side.
Workaround: Use 'trap' instead of 'inform' in the "set snmp v3 notify NOTIFY_NAME type inform" CLI configuration. PR1773863
Platform and Infrastructure
-
A heap memory leak may be observed on access MPCs used for subscriber termination in a subscriber-management environment. PR1732690
-
PCT-VIRTUAL: Firewall filter counters are not incremented as expected when the filter is applied to an IRB interface in the ingress/egress direction through the forwarding table. PR1766471
-
"Possible out-of-order deletion of AftNode" error messages are seen after ifconfig down/up. The issue is caused by out-of-order IPCs received for IRB MACs, which prevents the MAC entry from being deleted from the software MAC table and in turn prevents deletion of the associated NH token. The error messages are seen 30 minutes after the ifconfig down/up. PR1815922
Routing Protocols
-
LDP OSPF are in synchronization state because the IGP interface is down with ldp-synchronization enabled for OSPF.
user@host> show ospf interface ae100.0 extensive
Interface State Area DR ID BDR ID Nbrs
ae100.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
Type: P2P, Address: 10.0.60.93, Mask: 255.255.255.252, MTU: 9100, Cost: 1050
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 2, Not Stub
Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC
Protection type: None
Topology default (ID 0) -> Cost: 1050
LDP sync state: in sync, for: 00:04:03, reason: IGP interface down
config holdtime: infinity
As per the current analysis, the IGP interface goes down because although LDP notified OSPF that LDP synchronization was achieved, OSPF is not able to take note of the LDP synchronization notification, because the OSPF neighbor is not up yet. PR1256434
-
On MX Series platforms, an unexpected log message appears if the CLI command 'show version detail' or 'request support information' is executed:
test@test> show version detail
*** messages ***
Oct 12 12:11:48.406 re0 mcsnoopd: INFO: krt mode is 1
Oct 12 12:11:48.406 re0 mcsnoopd: JUNOS SYNC private vectors set.
PR1315429
-
On all Junos OS platforms and Junos Evolved with scaled BFD sessions, an FPC reload/restart results in a few BFD sessions flapping. PR1698373
-
On all Junos and Junos OS Evolved platforms, multiple simultaneous command-line interface (CLI) sessions lead to high Management Daemon (mgd) CPU utilization, impacting the device's reachability over the loopback interface from IS-IS nodes. PR1749850
-
With BGP sharding and NSR configured, deactivating and activating routing instances and interfaces back to back multiple times on the active RE leads to an rpd core on the backup RE at rt_flash_queue_insert. PR1781293
-
Configuration of a global AS number is necessary when route target filter is enabled. Currently the Junos CLI does not enforce configuring a global AS number, and this has been the behavior for a long time. Many unexpected issues may be seen without a global AS number. Configuring a global AS number has been a recommended practice in the field. PR1783375
-
Loading ROAs from a source-file was introduced as a convenience feature, and this issue affects only that feature. The feature is not in widespread use and was created to provide a fallback ROA when all sessions go down. The problem scenario requires multiple reloads with the file.cbor being modified back and forth to add, then delete, and then re-add the database configured in the import policy. PR1853025
User Interface and Configuration
-
To recover from this and to avoid problems due to delta synchronize, "set system commit no-delta-synchronize" can be configured as a workaround (no-delta-synchronize is a hidden knob but safe to use). It enforces synchronization of the entire "juniper.conf" rather than only the delta changes, and helps in this case. PR1801136
-
Upgrade from Junos OS Release 20.3x to 24.2R1 fails if the extend-db configuration stanza is present. This issue happens because the extend-db knob is configured. Delete the extend-db knob, reboot the box, and then perform the upgrade; the issue is then not seen. PR1806109 and PR1807931
-
After switchover on the MX2010 platform, the test configuration is removed with load update and then rolled back. During the rollback commit, the commit fails with the following error:
error: commit-check-daemon : Invalid XML from dfwd
error: configuration check-out failed
PR1829614
VPNs
-
As part of non-ZPL ISSU, traffic loss of a maximum of 2 seconds is expected due to the dark window. PR1797403