Release Notes
Release 10.4R2
11 February 2011
Revision 6
These release notes accompany Release 10.4R2 of the Junos operating system (Junos
OS). They describe device documentation and known problems with the software. Junos
OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX
Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.
You can also find these release notes on the Juniper Networks Junos OS Documentation
Web page, which is located at http://www.juniper.net/techpubs/software/junos.
Contents
Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers,
MX Series Ethernet Service Routers, and T Series Core Routers . . . . . . . . . . . . 6
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Layer 2 Ethernet Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
MPLS Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
MX Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Subscriber Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M
Series, MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Forwarding and Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
MPLS Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Subscriber Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Current Software Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Previous Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Errata and Changes in Documentation for Junos OS Release 10.4 for M
Series, MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Changes to the Junos OS Documentation Set . . . . . . . . . . . . . . . . . . . . . 77
Errata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series,
MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Basic Procedure for Upgrading to Release 10.4 . . . . . . . . . . . . . . . . . . . . 83
Upgrading a Router with Redundant Routing Engines . . . . . . . . . . . . . . 86
Upgrading Juniper Network Routers Running Draft-Rosen Multicast
VPN to Junos OS Release 10.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Upgrading the Software for a Routing Matrix . . . . . . . . . . . . . . . . . . . . . . 88
Upgrading Using ISSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled
for Both PIM and NSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Upgrade Policy for Junos OS Extended End-Of-Life Releases . . . . . . . . 90
Downgrade from Release 10.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Junos OS Release Notes for Juniper Networks SRX Series Services Gateways
and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
New Features in Junos OS Release 10.4 for SRX Series Services Gateways
and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Hardware Features: SRX210, SRX220, and SRX240 Services
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Hardware Features: SRX220 Services Gateway with Power Over
Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Hardware Features: SRX1400 Services Gateway . . . . . . . . . . . . . . . . . . 119
Hardware Features: SRX3400 and SRX3600 Services Gateways . . . . 122
Advertising Bandwidth for Neighbors on a Broadcast Link Support . . . . . . . 123
Group VPN Interoperability with Cisco's GET VPN . . . . . . . . . . . . . . . . . . . . . 123
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX
Series Services Gateways and J Series Services Routers . . . . . . . . . . . . 124
Application Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Application Layer Gateways (ALGs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
AppSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Command-Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Integrated Convergence Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Outstanding Issues In Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . 158
Resolved Issues in Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . 175
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX
Series Services Gateways and J Series Services Routers . . . . . . . . . . . . 178
Changes to the Junos OS Documentation Set . . . . . . . . . . . . . . . . . . . . 178
Errata for the Junos OS Documentation . . . . . . . . . . . . . . . . . . . . . . . . . 179
Errata for the Junos OS Hardware Documentation . . . . . . . . . . . . . . . . 186
Hardware Requirements for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . 189
Transceiver Compatibility for SRX Series and J Series Devices . . . . . . . 189
Power and Heat Dissipation Requirements for J Series PIMs . . . . . . . . . 189
Supported Third-Party Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
J Series CompactFlash and Memory Requirements . . . . . . . . . . . . . . . . 190
Maximizing ALG Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Integrated Convergence Services Not Supported . . . . . . . . . . . . . . . . . . . . . 192
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX
Series Services Gateways and J Series Services Routers . . . . . . . . . . . . 192
Upgrade Policy for Junos OS Extended End-Of-Life Releases . . . . . . . . 192
Junos OS Release Notes for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . 194
New Features in Junos OS Release 10.4 for EX Series Switches . . . . . . . . . . 194
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Bridging, VLANs, and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Fibre Channel over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Management and RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Packet Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX
Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Bridging, VLANs, and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Limitations in Junos OS Release 10.4 for EX Series Switches . . . . . . . . . . . . 197
Access Control and Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Bridging, VLANs, and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Layer 2 and Layer 3 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX
Series Ethernet Service Routers, and T Series Core Routers
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series
Routers on page 6
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX
Series, and T Series Routers on page 42
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX
Series, and T Series Routers on page 77
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series,
and T Series Routers on page 83
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
The following features have been added to Junos OS Release 10.4. Following the
description is the title of the manual or manuals to consult for further information.
Class of Service
Ingress traffic is first classified into premium and non-premium traffic before a policer
is applied.
Premium traffic is policed by both the premium policer and the aggregate policer. While
the premium policer rate-limits premium traffic, the aggregate policer only decrements
the credits but does not drop packets. Non-premium traffic is rate-limited by the
aggregate policer only, resulting in the following behavior:
Premium traffic is assured to have the bandwidth configured for the premium policer.
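An added model (not code from the release notes) of the premium/aggregate policing behaviour described above; the credit rates, the packet sizes and the per-interval credit accounting are assumptions made for the illustration:

```python
# Added example (not from the release notes): a minimal model of the two-level
# policer behaviour described above. Rates are bytes of credit per policing
# interval and the traffic is constructed inline; both are assumptions.
from dataclasses import dataclass, field


@dataclass
class Policer:
    rate: int          # credit (bytes) granted per interval
    credits: int = 0

    def refill(self) -> None:
        self.credits = self.rate


@dataclass
class HierarchicalPolicer:
    """Premium traffic is checked against the premium policer and only
    decrements the aggregate; non-premium traffic is checked against the
    aggregate policer alone."""
    premium: Policer
    aggregate: Policer
    stats: dict = field(default_factory=lambda: {
        "premium_fwd": 0, "premium_drop": 0, "other_fwd": 0, "other_drop": 0})

    def new_interval(self) -> None:
        self.premium.refill()
        self.aggregate.refill()

    def police(self, is_premium: bool, size: int) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if is_premium:
            if self.premium.credits >= size:
                self.premium.credits -= size
                # Aggregate credit is consumed but never causes a premium drop.
                self.aggregate.credits -= size
                self.stats["premium_fwd"] += size
                return True
            self.stats["premium_drop"] += size
            return False
        if self.aggregate.credits >= size:
            self.aggregate.credits -= size
            self.stats["other_fwd"] += size
            return True
        self.stats["other_drop"] += size
        return False


def run_interval(packets, premium_rate=4000, aggregate_rate=10000) -> dict:
    """Police one interval of (is_premium, size) packets; return byte counters."""
    hp = HierarchicalPolicer(Policer(premium_rate), Policer(aggregate_rate))
    hp.new_interval()
    for is_premium, size in packets:
        hp.police(is_premium, size)
    return hp.stats


# Constructed traffic: 10 non-premium and 5 premium packets of 1000 bytes each.
OTHER_FIRST = [(False, 1000)] * 10 + [(True, 1000)] * 5
PREMIUM_FIRST = [(True, 1000)] * 5 + [(False, 1000)] * 10

if __name__ == "__main__":
    # Even after non-premium traffic has drained the aggregate, premium still
    # gets its 4000-byte share; its fifth packet is dropped by the premium policer.
    print(run_interval(OTHER_FIRST))
    # When premium goes first, the aggregate credit it consumed is what limits
    # the non-premium traffic that follows.
    print(run_interval(PREMIUM_FIRST))
```

The second run is the case the notes describe: premium consumption of aggregate credit reduces what non-premium traffic can use, while premium itself is never dropped by the aggregate policer.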
DSCP classification for VPLS at the ingress PE (M320 with Enhanced Type III FPC
and M120): Enables you to configure DSCP classification for VPLS at an ingress PE
for encapsulation types vlan-vpls (IQ2 or IQ2E PICs) or ATM II IQ PIC. To configure,
define the DSCP classifier at the [edit class-of-service classifiers dscp dscp-name]
hierarchy level and apply it at the [edit interfaces at-fpc-pic-port
unit-logical-unit-number classifiers] hierarchy level. The ATM interface must be included
in the routing instance.
[Class of Service]
Traffic Control Profile (TCP) support at the FRF.16 physical interface level: FRF.16
bundle interfaces support multiple data-link connection identifiers (DLCIs). The
bandwidth of each of these DLCIs was previously limited to one of the following:
An aggregate value based on the number of DLCIs under the FRF.16 interface
scheduler-map
delay-buffer
To view the TCP configuration for an FRF.16 bundle, enter the show class-of-service
traffic-control-profile command.
user@host> show class-of-service traffic-control-profile
Traffic control profile: lsq-2/1/0:0, Index: 35757
Shaping rate: 30 percent
Scheduler map: sched_0
Delay Buffer rate: 30 percent
[Class of Service]
Extend support for 64-bit Junos OS to include RE-1800 Series Routing Engines
(M120, M320, MX960, MX480, and MX240 routers): Supported Routing Engines
include:
[System Basics]
Ethernet encapsulation for ATM scheduler (M7i, M10i, M120, and M320 [with
Enhanced III FPC] routers): Enables support for the configuration of an ATM scheduler
map on an Ethernet VPLS over a bridged ATM interface.
[Network Interfaces]
On MX80 routers and MX Series routers, MPCs based on G.8261 and G.8262. This
feature does not work on the fixed configuration version of the MX80 routers.
All Ethernet type ports are supported on MX80 routers and MX Series routers with
MPCs
Enhanced container interface allows ATM children for containers: M Series and T
Series routers with ATM2 PICs automatically copy the parent container interface
configuration to the child interfaces. Container interfaces do not go down during
APS switchovers, thereby shielding upper layers. This feature allows the various ATM
features to work over the container ATM for APS.
To specify ATM children within a container interface, use the container-list cin statement
and (primary | standby) option at the [edit interface at-fpc/pic/slot container] hierarchy
level.
To configure a container interface, including its children, use the cin statement and its
options at the [edit interface ci-n] hierarchy level.
Container ATM APS does not support inter-chassis APS. MLPPP over ATM CI is also
not supported.
[Network Interfaces]
PIO errors and voltage errors detected by the SPMB CPU to the SIBs.
All PFEs get destination errors on all planes to all destinations, even with the SIBs
staying online.
Complete fabric loss caused by destination timeouts, with the SIBs still online.
When chassisd detects that all fabric planes are down, the router reboots all FPCs in
the system. When the FPCs come back up, the interfaces will not be created again,
since all fabric planes are down.
Once you diagnose and fix the cause of all fabric planes going down, you must then
bring the SIBs back online. Bringing the SIBs back online brings up the interfaces.
Fabric down signaling to neighboring routers offers the following benefits:
FPCs reboot when the control plane connection to the Routing Engine times out.
Extends a simple approach to reboot FPCs when the dataplane blacks out.
When the router transitions from a state where SIBs are online or spare to a state where
no SIBs are online, all the FPCs in the system are rebooted. An ERRMSG
indicates if all fabric planes are down, and the FPCs will reboot if any fabric planes do
not come up in 2 minutes.
An ERRMSG indicates the reason for FPC reboot on fabric connectivity loss.
The chassisd daemon traces when an FPC comes online, but a PIC attach is not done
because no fabric plane is present.
A CLI warning that the FPCs will reboot is issued when the last fabric plane is taken
offline.
You will need to bring the SIBs online after determining why the SIBs were not online.
When the first SIB goes online, and link training with the FPCs completes, the interfaces
will be created.
Fabric down signaling to neighboring routers functionality is available by default, and
no user configuration is required to enable it.
No new CLI commands or alarms are introduced for this feature. Alarms are already
implemented for when the SIBs are not online.
[Network Interfaces, System Basics]
The following MIB objects are supported by JUNIPER-DOM-MIB for digital optical
monitoring:
jnxDomCurrentTable
jnxDomAlarmSet
jnxDomAlarmCleared
Logging improvements: You can now control logging speed at the interface level. To
rate-limit the syslogs generated from a services PIC, include the message-rate-limit
statement at the [edit interfaces interface-name services-options syslog] hierarchy
level. This option configures the maximum number of syslog messages per second
that can be formatted and sent from the PIC to either the Routing Engine (local) or an
external server (remote). The default rates are 10,00 for the Routing Engine and 200,00
for an external server.
[Network Interfaces]
Support for SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320,
MX240, MX480, MX960, T640, and T1600 routers): Supports a 4-port SONET/SDH
OC48 Enhanced IQ (IQE) PIC (Type 3) with per data-link connection identifier (DLCI)
queuing. Supported FPCs include T640-FPC3-ES, M320-FPC3-E3, and MX-FPC3.
Class of service (CoS) enables enhanced egress queuing, buffering, and traffic shaping.
CoS supports eight queues per logical interface, a per-unit scheduler, and two shaping
rates: a Committed Information Rate (CIR) and Peak Information Rate (PIR) per
data-link connection identifier (DLCI). Other CoS features include, but are not restricted
to, sharing of excess bandwidth among logical interfaces, five levels of priorities
(including Strict High), ingress behavior aggregate (BA) classification, queue rate-limit
policer, ingress rewrite, egress rewrite, and a forwarding class to queue remapping per
DLCI.
The SONET/SDH OC48/STM 16 PIC supports CoS features similar to those in IQ2E
PICs, in terms of behavior and configuration statements. This PIC supports the following
Layer 2 protocols: PPP, Frame Relay, and Cisco HDLC encapsulations.
For more information, see the PC-4OC48-STM16-IQE-SFP documentation for your
router:
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (MX Series Routers)
IPv6 statistics from IQ2 and IQ2E PICs on M320 routers with Enhanced III FPCs and
T Series routers: Supports statistical accounting for IPv6 traffic traversing the IQ2 and
IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers.
For IQ2 and IQ2E PIC interfaces, the IPv6 traffic that is reported will be the total statistics
(sum of local and transit IPv6 traffic) in the ingress and egress direction. The IPv6
traffic in the ingress direction will be accounted separately only if the IPv6 family is
configured for the logical interface.
Statistics are maintained for routed IPv6 packets in the egress direction.
Byte and packet counters are maintained in the ingress and egress direction.
Differences in IPv6 statistics for IQ2 interfaces and all other interfaces are as follows:
IQ2 and IQ2E PIC interfaces report the total statistics for the IPv6 traffic. For other
interfaces, the transit statistics are reported.
IQ2 and IQ2E PIC interfaces report all IPv6 traffic received on the logical interface.
For all other interfaces, only the routed traffic is accounted.
IQ2 and IQ2E PIC interfaces report IPv6 statistics for the Layer 2 frame size. For all
other interfaces, the Layer 3 packet size is accounted.
The IPv6 statistics can be viewed by logging in to the individual IQ2 PIC or IQ2E PIC, or
by using the CLI.
Local statistics are not accounted separately.
To display total IPv6 statistics for IQ2 and IQ2E PICs, use the show interfaces extensive
command.
NOTE: The reported IPv6 statistics do not account for the traffic manager
drops in egress direction or the Packet Forwarding Engine/traffic manager
drops in the ingress direction. Transit statistics are not accounted separately
because the IQ2 and IQ2E PICs cannot differentiate between transit and
local statistics.
[Network Interfaces]
In VLAN steering mode, the SA multicast bit is not used for packet steering.
In SA multicast bit steering mode, VLAN ID and VLAN mask configuration is not used
for packet steering.
Configuration of packet forwarding mode and VLAN steering mode uses CLI
commands that result in a PIC reboot.
Ingress packet with one VLAN: The packet is forwarded based on the VLAN ID.
Ingress packet with two VLANs: The packet is forwarded based on the outer VLAN
ID.
VLAN rules describe how the router forwards packets. For VLAN steering, you must
use one of the two rules available in the CLI:
Odd-even rule: Odd-numbered VLAN IDs go to PFE1; even-numbered VLAN IDs go to
PFE0.
High-low rule: VLAN IDs 1 through 2047 go to PFE0; VLAN IDs 2048 through 4096
go to PFE1.
When configured in VLAN steering mode, the PIC can be configured in two physical
interface mode or in aggregated Ethernet (AE) mode:
Two physical interface mode: When the PIC is in two physical interface mode, it
creates physical interfaces et-x/0/0:0 and et-x/0/0:1. Each physical interface can
be configured with its own logical interfaces and VLANs. The CLI enforces the following
restrictions on commit:
The VLAN ID configuration must comply with the selected VLAN rule.
The previous restriction implies that the same VLAN ID cannot be configured
on both physical interfaces.
AE mode: In AE mode, the two physical interfaces on the same PIC are aggregated
into one AE physical interface. PIC egress traffic is based on the AE internal hash
algorithm. PIC ingress traffic steering is based on the customized VLAN ID rule. The CLI
enforces the following restrictions on commit:
The PIC AE working in VLAN steering mode includes both links of this PIC, and
only the links of this PIC.
The PIC AE working in SA multicast steering mode can include more than one
PIC to achieve more than 100-gigabit capacity.
To configure the PIC forwarding mode, include the forwarding-mode statement and
its options at the [edit chassis fpc number pic number] hierarchy level.
[Network Interfaces]
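The two steering rules and the two-physical-interface commit check described above, as an added example that is not part of the release notes; the mapping of the :0 and :1 physical interfaces to PFE0 and PFE1 is an assumption:

```python
# Added example (not from the release notes): the two VLAN steering rules and
# the commit-time check for two-physical-interface mode. The mapping of
# et-x/0/0:0 to PFE0 and et-x/0/0:1 to PFE1 is an assumption.
ODD_EVEN = "odd-even"
HIGH_LOW = "high-low"


def steer_pfe(vlan_stack, rule):
    """Return the PFE (0 or 1) an ingress packet is steered to.

    vlan_stack lists the packet's VLAN IDs outermost first; with two VLANs
    only the outer ID is used, as the release notes state.
    """
    if not vlan_stack:
        raise ValueError("VLAN steering mode needs a VLAN-tagged packet")
    vid = vlan_stack[0]
    if not 1 <= vid <= 4096:
        raise ValueError(f"VLAN ID {vid} outside the 1-4096 range used by the rules")
    if rule == ODD_EVEN:
        return 1 if vid % 2 else 0          # odd -> PFE1, even -> PFE0
    if rule == HIGH_LOW:
        return 0 if vid <= 2047 else 1      # 1-2047 -> PFE0, 2048-4096 -> PFE1
    raise ValueError(f"unknown VLAN steering rule: {rule}")


def check_two_interface_config(rule, vlans_by_interface):
    """Commit-time check: every VLAN ID configured on et-x/0/0:N must steer
    to PFE N under the selected rule. Because each VLAN ID steers to exactly
    one PFE, this also rejects the same VLAN ID on both physical interfaces.
    Returns a list of error strings; an empty list means the commit passes.
    """
    errors = []
    for ifname, vids in vlans_by_interface.items():
        pfe = int(ifname.rsplit(":", 1)[1])     # ':0' -> PFE0, ':1' -> PFE1 (assumption)
        for vid in vids:
            target = steer_pfe([vid], rule)
            if target != pfe:
                errors.append(
                    f"{ifname}: VLAN {vid} steers to PFE{target} under the {rule} rule")
    return errors


if __name__ == "__main__":
    # Constructed configurations: the second puts VLAN 3 on both interfaces,
    # which the odd-even rule rejects on et-1/0/0:0.
    good = {"et-1/0/0:0": [2, 4, 100], "et-1/0/0:1": [1, 3, 101]}
    bad = {"et-1/0/0:0": [2, 3], "et-1/0/0:1": [3]}
    print(check_two_interface_config(ODD_EVEN, good))   # []
    print(check_two_interface_config(ODD_EVEN, bad))
    print(steer_pfe([3000, 7], HIGH_LOW))               # outer VLAN 3000 -> 1
```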
New control queue disable feature (T Series routers with 10-Gigabit Ethernet PIC
with oversubscription): Provides a new CLI statement for disabling the control queue
feature for the 10-Gigabit Ethernet PIC with oversubscription. To disable the control
queue, use the no-pre-classifier statement at the [chassis] hierarchy level.
When the no-pre-classifier statement is set, the control queue feature will be disabled
for all ports on that 10-Gigabit Ethernet PIC with oversubscription. Deleting this
configuration results in the control queue feature being re-enabled on all the ports of
that PIC.
[edit chassis]
fpc 2 {
    pic 0 {
        no-pre-classifier;
    }
}
NOTE:
1. This feature is applicable in both oversubscribed and line-rate modes.
2. The control queue feature is enabled by default in both oversubscribed
bounced (offline/online).
Once the control queue feature is disabled, then the Layer 2 and Layer 3 control packets
are subject to queue selection based on the BA classification. However, the following
control protocol packets are not classified using BA classification, as they might not
have a VLAN, MPLS, or IP header:
When the control queue feature is disabled, untagged ARP/IS-IS and other untagged
Layer 2 control packets will go to the restricted queue corresponding to the forwarding
class associated with queue 0.
[Network Interfaces]
Microcode remap (M320 and M120 routers): M320 routers with E3 type-1 FPCs and
M120 routers with a single type-1 FPC mapped to a FEB support a new microcode
map to resolve microcode overflow resulting from bad PIC combinations.
On M320 routers, the new microcode map is enabled by default and is the only option
available.
On M120 routers, you can enable the new microcode map by using the
ucode-imem-remap statement at the [edit chassis feb slot number] hierarchy level. On
M120 routers, the default microcode map remains configured if the ucode-imem-remap
statement is not configured.
[edit chassis]
feb slot-number {
    ucode-imem-remap;
}
[System Basics]
Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release
10.4
Request Tag Element
CLI Command
<requestdhcpv6-serverreconfigure-information>
request_dhcpv6_server_reconfigure_information
NONE
<request-license-update>
request_license_update
NONE
<request-package-nonstop-upgrade>
request_package_nonstop_upgrade
NONE
<get-amt-statistics> get_amt_statistics
<amt-instance-statistics>
<get-amt-summary> get_amt_summary
<amt-summary>
<get-amt-tunnel-information>
get_amt_tunnel_information
<amt-tunnel-information>
<get-rps-chassis-information>
get_rps_chassis_information
<rps-chassis-information>
<get-bios-version-information>
get_bios_version_information
NONE
<get-coscongestionnotificationinformation>
get_cos_congestion_notification_information
<cos-congestion-notification-information>
<get-firewall-log-information>
get_firewall_log_information
<firewall-information>
<get-interface-information>
get_interface_information
show ingress-replication
<ingress-replication-information>
<get-isis-contextidentifier-origininformation>
get_isis_context_identifier_origin_information
<isis-context-identifier-information>
<get-isis-database-information>
get_isis_database_information
<isis-context-identifier-origin-information>
<get-mpls-cspf-information>
get_mpls_cspf_information
<mpls-context-identifier-information>
<get-authentication-pending-table>
get_authentication_pending_table
<domain-map-statistics>
<get-ospf-database-information>
get_ospf_database_information
<ospf-context-id-information>
<get-rps-power-supply-information>
get_rps_power_supply_information
<rps-led-information>
<get-rps-status-information>
get_rps_status_information
<rps-power-supply-information>
<get-rps-version-information>
get_rps_version_information
<rps-status-information>
<get-rip-general-statistics-information>
get_rip_general_statistics_information
<rps-version-information>
<get-idp-policy-template-information>
get_idp_policy_template_information
<idp-policy-commit-status>
<get-service-border-signalinggateway-charging-status>
get_service_border_signaling_gateway_charging_status
<bsg-charging-statistics>
<get-service-bsg-denied-messages>
get_service_bsg_denied_messages
<bsg-charging-status>
<get-services-l2tp-radiusaccounting-statistics-information>
get_services_l2tp_radius_accounting_statistics_information
<service-l2tp-destination-information>
<get-service-softwire-statistics-information>
get_service_softwire_statistics_information
<msp-session-table>
<get_service_sfw_conversation_information>
get_service_sfw_conversation_information
<service-softwire-table-information>
<get_service_sfw_flow_analysis_information>
get_service_sfw_flow_analysis_information
<service-fwnat-flow-tableinformation>
<get_service_sfw_flow_table_information>
get_service_sfw_flow_table_information
<service-softwire-statistics-information>
<get_service_sfw_sip_registerinformation>
get_service_sfw_sip_register_information
<service-sfw-flow-analysis-information>
<get_synchronous_ethernet_esmc-statistics>
get_synchronous_ethernet_esmc-statistics
<clock-synchronization-statistics>
<get_synchronous_ethernet_esmc_transmit>
get_synchronous_ethernet_esmc_transmit
<clock-synchronizationesmc-transmit>
<get_synchronous_ethernet_global_information>
get_-synchronous_ethernet_global_information
show synchronous-ethernet global-information
NONE
<get_system_resource_cleanup_processes_information>
get_system_resource_cleanup_processes_information
<relay-group-information>
<get_rollback_information>
get_rollback_information
<relay-group-member>
<get_dhcp_binding_information>
get_dhcp_binding_information
<relay-summary>
<clear_synchronous_ethernet_esmc_statistics>
clear_synchronous_ethernet_esmc_statistics
<clock-synchronizationclear-output>
Feature support for Trio 3D MPCs and MICs (MX Series routers): Enables you to
configure the following features through Junos OS Release 9.1: load balancing, Ethernet
OAM IEEE 802.1ag Phase 4 MIP support, LLDP, BPDU guard and loop guard, IRB support
for interworking of LDP-VPLS and BGP-VPLS, BGP multihoming for Inter-AS VPLS,
VPLS Ethernet as a core-facing interface, and limitations on next-hop flooding.
[Layer 2 Configuration]
Ethernet CFM support on Trio 3D MPCs and MICs (MX Series routers): Enables
support for Ethernet connectivity fault management (CFM) defined by IEEE 802.1ag
for family bridge interfaces. However, MEP configuration is not supported on aggregated
Ethernet interfaces.
[Layer 2 Configuration]
MPLS Applications
MPLS support on services PICs: Adds MPLS label pop support for services PICs on
Junos OS routers. Previously, all MPLS traffic was dropped at the services PIC. No
changes are required to CLI configurations for this enhancement. In-service software
upgrade (unified ISSU) is supported for tag next hops for MPLS on services PIC traffic,
but no support is provided for tags over IPv6 packets or labels on multiple gateways.
[MPLS]
Adding descriptions for bypass LSP: You can now add text describing a bypass
LSP using the description option at the [edit protocols rsvp interface interface-name
link-protection bypass bypass-lsp-name] hierarchy level. Enclose any descriptive text
that includes spaces in quotation marks (" "). Any descriptive text you include is
displayed in the output of the show rsvp session bypass command and has no effect
on the operation of the bypass LSP.
[MPLS]
Multicast
Nonstop active routing PIM support for IPv6: Starting with Release 10.4, Junos OS
extends the nonstop active routing support for Protocol Independent Multicast (PIM),
which is already supported on IPv4, to include the IPv6 address families. The extension
of nonstop active routing PIM support to IPv6 enables IPv6 routers to maintain
self-generation IDs, multicast session states, dynamic interface states, list of neighbors,
and RPSets across Routing Engine switchovers.
The nonstop active routing support for PIM on IPv6 is similar to the nonstop active
routing PIM support on IPv4 except for the following:
Nonstop active routing support for PIM on IPv6 supports an embedded rendezvous
point (RP) on non-RP routers.
Nonstop active routing support for PIM on IPv6 does not support auto-RP, as auto-RP
is not supported on IPv6.
For more information about nonstop active routing PIM support on IPv4 and IPv6, see
the Junos OS High Availability Configuration Guide.
[High Availability, Multicast]
MX Series
Support for MX Series: While these features have been available on the MX Series
routers in the past, we have now qualified the following features on the Trio chipset.
For MPLS, RSVP, and LDP:
RSVP Graceful Restart interop with Cisco using Nodal Hello support
RSVP transit
For Multicast:
OSPF
NGEN MVPN hub and spoke support with GRE S-PMSI transport
For VPNs:
LDP-VPLS
Miscellaneous:
ISIS LFA
No new configuration is required to configure this feature. The load balancing over
aggregated links is automatically enabled with this release. For a sample topology and
configuration example, see Junos OS Policy Framework Configuration Guide.
[Policy]
New routing policy system log message: Junos OS Release 10.3 supports a new
routing policy system log message. The RPD_PLCY_CFG_NH_NETMASK system log
message provides information about ignored netmasks. If you have a policy statement
with a term that contains a next-hop address with a netmask, the netmask is ignored.
The following sample shows the new system log message (depending on your network
configuration, the type of message you see might be different):
Jun 18 11:22:43 pro5-d rpd[1403]: RPD_PLCY_CFG_NH_NETMASK: Netmask ignored for next hop: 10.0.0.1/24.
Support for displaying the firewall filter version information: You can display the
version number of the firewall filter installed in the Routing Engine. The initial version
number is 1 and increments by one when you modify the firewall filter settings or an
associated prefix action. To show the version number of the installed firewall filter,
use the show firewall filter version operational mode command.
[Routing Protocols and Policies Command Reference]
Routing Protocols
Support for disabling traps for passive OSPFv2 interfaces: You can now disable
interface state change traps for passive OSPF interfaces. Passive OSPF interfaces
advertise address information as an internal OSPF route, but do not run the actual
protocol. If you are only interested in receiving notifications for active OSPF interfaces,
disabling traps for passive OSPF interfaces reduces the number of notifications received
and processed by the SNMP server. This allows you to more quickly and easily scan
the logs for potential issues on active OSPF interfaces.
To disable and stop receiving notifications for state changes in a passive OSPF interface,
include the no-interface-state-traps statement at the following hierarchy levels:
[Routing Protocols]
Support for disabling the attribute set messages on independent AS domains for
BGP loop detection: BGP loop detection for a specific route uses the local autonomous
system (AS) domain for the routing instance. By default, all routing instances belong
to a single primary routing instance domain. Therefore, BGP loop detection uses the
local ASs configured on all of the routing instances. Depending on your network
configuration, this default behavior can cause routes to be looped and hidden.
To limit the local ASs in the primary routing instance, configure an independent AS
domain for a routing instance. Independent domains use the transitive path attribute
128 (attribute set) messages to tunnel the independent domain's BGP attributes
through the internal BGP (IBGP) core. If you want to configure independent domains
to maintain the independence of local ASs in the routing instance and perform BGP
loop detection only for the specified local ASs in the routing instance, disable attribute
set messages on the independent domain. To disable attribute set messages, include
the independent-domain no-attrset statement at the following hierarchy levels:
[Routing Protocols]
Services Applications
NAT-PT with DNS ALG support (M Series and T Series routers): You can configure
Domain Name Service (DNS) application-level gateways (ALGs) using NAT with
protocol translation (NAT-PT) for IPv6 to IPv4. The implementation is described in
RFC 2766 and RFC 2694.
When you configure NAT-PT with DNS ALG support, you must configure two NAT rules.
The first NAT rule ensures that the DNS query and response packets are translated
correctly. For this rule to work, you must configure a DNS ALG application and reference
it in the rule. The second rule is required to ensure that NAT sessions are destined to
the address mapped by the DNS ALG.
To configure the correct translation of the DNS query and response packets, include
the dns-alg-pool dns-alg-pool or dns-alg-prefix dns-alg-prefix statement at the [edit
services nat rule rule-name term term-name then translated] hierarchy level.
To configure destination translation with the DNS ALG address map, use the
use-dns-map-for-destination-translation statement at the [edit services nat rule
rule-name term term-name then translated] hierarchy level. This statement correlates
the DNS query or response processing done by the first rule with the actual data
sessions processed by the second rule.
You can also control the translation of IPv6 and IPv4 DNS queries in the following
ways.
To check that the flows are established properly, use the show services
stateful-firewall flows command or the show services stateful-firewall conversations
command.
[Services Interfaces]
Support for the RPM timestamp on the Services SDK (M Series, MX Series, and T
Series): Real-time performance monitoring (RPM), which has been supported on the
Adaptive Services (AS) interface, is now supported by the Services SDK. RPM is
supported on all platforms and service PICs that support the Services SDK.
RPM timestamping is needed to account for any latency in packet communications.
You can apply timestamps on the client, the server, or both the client and server. RPM
timestamping is supported only with the icmp-ping, icmp-ping-timestamp, udp-ping,
and udp-ping-timestamp probe types.
To specify the Services SDK interface, include the destination-interface statement at
the [edit services rpm probe probe-owner test test-name] hierarchy level:
destination-interface ms-fpc/pic/port.logical-unit-number;
To specify the RPM client router and the RPM server router, include the rpm statement
at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:
rpm (client | server);
To enable RPM on the Services SDK on the AS interface, configure the object-cache-size,
policy-db-size, and package statements at the [edit chassis fpc slot-number pic
pic-number adaptive-services service-package extension-provider] hierarchy level. For
the Services SDK, package-name in the package package-name statement is
jservices-rpm.
user@host# show chassis
fpc 1 {
    pic 2 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 1;
                    object-cache-size 512;
                    policy-db-size 64;
                    package jservices-rpm;
                    syslog daemon any;
                }
            }
        }
    }
}
[Services Interfaces]
ALGs using Junos OS Services Framework (JSF) (M Series with Multiservices PICs
and MX Series with MS DPCs): Application-level gateways (ALGs) intercept and
analyze specified traffic, allocate resources, and define dynamic policies to permit
traffic to pass securely through a device. Beginning with Junos OS Release 10.4 on the
specified routers, you can use JSF ALGs with the following services:
Stateful firewall
To use JSF to run ALGs, you must configure the jservices-alg package at the [edit
chassis fpc slot pic slot adaptive-services service-package extension-provider package]
hierarchy level. In addition, you must configure the ALG application at the [edit
applications application application-name] hierarchy level, and reference the application
in the stateful firewall rule or the NAT rule in those respective configurations.
[Services Interfaces]
You can also now configure port mirroring to next-hop groups using a tunnel interface.
[Services Interfaces]
Multiple IDP detector support (MX Series routers, M120 routers, and Enhanced III
FPCs in M320 routers): The IDP detector provides information about services, contexts,
and anomalies that are supported by the associated protocol decoder.
The specified routers now support loading multiple IDP detectors simultaneously.
When a policy is loaded, it is also associated with a detector. If the new policy being
loaded has an associated detector that matches the detector already being used by
the existing policy, the new detector is not loaded and both policies use a single
associated detector. However, if the new detector does not match the current detector,
the new detector is loaded along with the new policy. In this case, each loaded policy
will then use its own associated detector for attack detection. Note that with the
specified routers, a maximum of four detectors can be loaded at any given time.
Multiple IDP detector support for the specified routers functions in a similar way to the
existing IDP detector support on J Series and SRX Series devices, except for the
maximum number of decoder binary instances that are loaded into the process space.
To view the current policy and the corresponding detector version, use the show security
idp status detail command.
For more information, see the Junos OS Security Configuration Guide.
[Services Interfaces]
NAT using Junos OS Services Framework (JSF) (M Series and T Series with
Multiservices PICs and MX Series with Multiservices DPCs): The Junos OS Services
Framework (JSF) is a unified framework for Junos OS services integration. JSF Services
integration will allow the option of running Junos OS services on services PICs or DPCs
in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4,
you can use JSF to run NAT on the specified routers.
To use JSF to run NAT, you must configure the jservices-nat package at the [edit chassis
fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy
level. In addition, you must configure NAT rules and a service set with a Multiservice
interface. To check the configuration, use the show configuration services nat command.
To show the run time (dynamic state) information on the interface, use the show
services sessions and show services nat pool commands.
[Services Interfaces]
To use JSF to run stateful firewall, you must configure the jservices-sfw package at the
[edit chassis fpc slot pic slot adaptive-services service-package extension-provider
package] hierarchy level. In addition, you must configure stateful firewall rules and a
service set with a Multiservice interface. To check the configuration, use the show
configuration services stateful-firewall command. To show the run time (dynamic state)
information on the interface, use the show services sessions command.
[Services Interfaces]
Transition of IPv4 traffic to IPv6 addresses using Dual Stack Lite (DS-Lite): Adds
support for DS-Lite, a means for transitioning IPv4 traffic to IPv6 addresses. This
transition will become necessary as the supply of unique IPv4 addresses nears
exhaustion. New subscriber homes are allocated IPv6 addresses and IPv6-capable
equipment; DS-Lite provides a method for the private IPv4 addresses behind the IPv6
equipment to reach the IPv4 network. An IPv4 host communicates with a NAT endpoint
over an IPv6 network using softwires. DS-Lite creates the IPv6 softwires that terminate
on the services PIC. Packets coming out of the softwire can then have other services
such as NAT applied on them.
[Services Interfaces, System Basics and Services Command Reference]
Round-robin allocation for NAPT addresses: You can now specify round-robin address
allocation from NAT pools when you use NAPT. In the default method of
address-allocation, NAT addresses are allocated sequentially. All of the addresses in
a given range must be allocated before addresses from a different range are allocated.
The following example illustrates the sequential (legacy) implementation, which is
still available to provide backward compatibility.
pool napt {
    address-range low 9.9.99.1 high 9.9.99.3;
    address-range low 9.9.99.4 high 9.9.99.6;
    address-range low 9.9.99.8 high 9.9.99.10;
    address-range low 9.9.99.12 high 9.9.99.13;
    port {
        range low 3333 high 3334;
    }
}
In this example, for each unique source address, a new address range is used for
allocation only when there are no ports available in the previous address range. Address
9.9.99.4:3333 is picked only when all ports for addresses in the first range are exhausted.
have been allocated for all addresses in the last range, the allocation process wraps
around and allocates the next unused port for addresses in the first range.
[Services Interfaces]
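The allocation order described above, as an added example that is not Juniper's code: a small model of NAPT address:port hand-out from the sample pool, in the legacy sequential order the text describes and in a round-robin order. The round-robin ordering (one port from each address in turn, wrapping back to the first range after the last) is an assumption drawn from the wrap-around sentence on the page, and the model tracks a single pool for a single source address.

```python
"""Added example, not Juniper's code: models NAPT address:port allocation from the
sample "pool napt" configuration.  'sequential' follows the legacy order the release
notes describe; 'round-robin' is an assumed order (one port from each address in turn,
wrapping to the first range after the last) that matches the wrap-around sentence.
The per-source-address bookkeeping the text mentions is simplified to one pool."""
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed to mirror the "pool napt" configuration in the release notes.
POOL_RANGES = [("9.9.99.1", "9.9.99.3"), ("9.9.99.4", "9.9.99.6"),
               ("9.9.99.8", "9.9.99.10"), ("9.9.99.12", "9.9.99.13")]
PORT_RANGE = (3333, 3334)

Binding = Tuple[str, int]


def expand_ranges(ranges: List[Tuple[str, str]]) -> List[str]:
    """Flatten the configured address ranges into one ordered address list."""
    addrs: List[str] = []
    for low, high in ranges:
        lo = int(ipaddress.IPv4Address(low))
        hi = int(ipaddress.IPv4Address(high))
        addrs.extend(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
    return addrs


class NaptPool:
    def __init__(self, ranges: List[Tuple[str, str]], port_range: Tuple[int, int],
                 method: str = "sequential") -> None:
        if method not in ("sequential", "round-robin"):
            raise ValueError(f"unknown allocation method: {method}")
        self.addresses = expand_ranges(ranges)          # configured order, range by range
        self.ports = list(range(port_range[0], port_range[1] + 1))
        self.method = method
        self.used: Set[Binding] = set()
        self.rr_next = 0  # round-robin: index of the next address to try

    def _free_port(self, addr: str) -> Optional[int]:
        """Lowest port of this address that has not been handed out yet."""
        for port in self.ports:
            if (addr, port) not in self.used:
                return port
        return None

    def allocate(self) -> Optional[Binding]:
        """Return the next address:port binding, or None when the pool is exhausted."""
        if self.method == "sequential":
            # Use up every port of every address in a range before touching the next
            # range, so 9.9.99.4:3333 appears only once 9.9.99.1-3 have no free ports.
            for addr in self.addresses:
                port = self._free_port(addr)
                if port is not None:
                    self.used.add((addr, port))
                    return addr, port
            return None
        # round-robin (assumed ordering): advance to the next address on every
        # allocation and skip addresses that have no free port left.
        n = len(self.addresses)
        for step in range(n):
            addr = self.addresses[(self.rr_next + step) % n]
            port = self._free_port(addr)
            if port is not None:
                self.rr_next = (self.rr_next + step + 1) % n
                self.used.add((addr, port))
                return addr, port
        return None

    def allocate_many(self, count: int) -> List[Optional[Binding]]:
        """Perform `count` allocations in order (None entries mark exhaustion)."""
        return [self.allocate() for _ in range(count)]


if __name__ == "__main__":
    for method in ("sequential", "round-robin"):
        pool = NaptPool(POOL_RANGES, PORT_RANGE, method)
        print(method, pool.allocate_many(8))
```

With 11 addresses and 2 ports the pool holds 22 bindings under either method; the methods differ only in the order in which the same bindings are handed out.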
Enhancement to the show services l2tp destination command: The show services l2tp
destination command has been extended to display the lockout state of the destination
from the LAC. A destination that is reachable is not locked. An unreachable destination
is locked out. L2TP makes no further attempts to connect to this destination until the
timeout period (300 seconds) expires, unless the unreachable destination is the only
destination in the tunnel configuration list. In that case, L2TP ignores the lockout and
continues trying to connect to the destination.
[Subscriber Access]
Redirecting HTTP redirect requests (MX Series routers): Enables support for HTTP
traffic requests from subscribers to be aggregated from access networks onto a BRAS
router, where HTTP traffic can be intercepted and redirected to a captive portal. A
captive portal provides authentication and authorization services for redirected
subscribers before granting access to protected servers outside of a walled garden. A
walled garden defines a group of servers where access is provided to subscribers
without reauthorization through a captive portal. You can use a captive portal page as
the initial page a subscriber sees after logging in to a subscriber session and as a page
used to receive and manage HTTP requests to unauthorized Web resources. An HTTP
redirect remote server that resides in a walled garden behind Junos OS routers processes
HTTP requests redirected to it and responds with a redirect URL to a captive portal.
Filter support for service packet counting: You can count service packets, applying
them to a specific named counter (__junos-dyn-service-counter), for use by RADIUS.
To enable service packet accounting, specify the service-accounting action at the [edit
firewall family family-name filter filter-name term term-name then] hierarchy level.
[Policy Framework, Subscriber Access]
Support for domain maps that apply configuration options based on subscriber
domain names (MX Series and M Series routers): You use domain maps to apply
access options and session-specific parameters to subscribers whose domain name
corresponds to the domain map name. You can also create a default domain map that
the router uses for subscribers whose username does not include a domain name or
has a non-matching domain name.
Domain maps apply subscriber-related characteristics such as profiles (access,
dynamic, and tunnel), target and AAA logical system mapping, address pool usage,
and PADN routing information.
You configure domain maps at the [edit access domain] hierarchy level.
[Subscriber Access]
L2TP LAC support for subscriber management (MX Series routers): You can now
configure an L2TP access concentrator (LAC) on MPC-equipped MX Series routers.
As part of the new L2TP LAC support, you can configure how the router selects a tunnel
for a PPP subscriber from among a set of available tunnels. The default tunnel selection
method is to fail over between tunnel preference levels. When a PPP user tries to log
in to a domain, the router attempts to connect to a destination in that domain by means
of the associated tunnel with the highest preference level. If the destination is
unreachable, the router then moves to the next lower preference level and repeats the
process. No configuration is required for this tunnel selection method.
You can include the fail-over-within-preference statement at the [edit services l2tp]
hierarchy level to configure tunnel selection failover within a preference level. With this
method, when the router tries to connect to a destination and is unsuccessful, it selects
a new destination at the same preference level. If all destinations at a preference level
are marked as unreachable, the router does not attempt to connect to a destination
at that level. It drops to the next lower preference level to select a destination. If all
destinations at all preference levels are marked as unreachable, the router chooses
the destination that failed first and tries to make a connection. If the connection fails,
the router rejects the PPP user session without attempting to contact the remote
router.
By default, the router uses a round-robin selection process among tunnels at the same
preference level. Include the weighted-load-balancing statement at the [edit services l2tp]
hierarchy level to specify that the tunnel with the highest weight within a preference is
selected until its maximum sessions limit is reached. Then the
tunnel with the next highest weight is selected until its limit is reached, and so on. The
tunnel with the highest configured maximum sessions value has the greatest weight.
Another feature of L2TP LACs on MX Series routers is the ability to control whether
the LAC sends the Calling Number AVP 22 to the LNS. The AVP value is derived from
the Calling-Station-Id and identifies the interface that is connected to the customer
in the access network. By default, the LAC includes this AVP in ICRQ packets it sends
to the LNS. In some networks you may wish to conceal your network access information.
To prevent the LAC from sending the Calling Number AVP to the LNS, include the
disable-calling-number-avp statement at the [edit services l2tp] hierarchy level.
[Subscriber Access]
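The tunnel-selection behaviours described above, as an added example that is not Juniper's code: a model of the default failover between preference levels, fail-over-within-preference, and weighted-load-balancing. Assumptions not on the page: preference is an integer where a larger value is the higher level, reachability is a flag on each destination, and an order stamp records which destination failed first.

```python
"""Added example, not Juniper's code: models how an MX Series LAC would pick an L2TP
destination for a new PPP session under the three selection methods the release
notes describe.  Assumptions: a larger preference integer is the higher level; a
per-destination flag marks it unreachable; failed_at records the failure order."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Destination:
    """One LNS destination in a domain's tunnel list (constructed sample data)."""
    name: str
    preference: int            # assumption: larger number = higher preference level
    max_sessions: int = 0      # the page: highest max-sessions value = greatest weight
    sessions: int = 0          # sessions the tunnel currently carries
    unreachable: bool = False  # marked unreachable by the LAC
    failed_at: int = 0         # 1 = failed first, 2 = second, ...; 0 = never failed


def _ordered(level_dests: List[Destination], level: int, weighted: bool,
             rr_state: Dict[int, int]) -> List[Destination]:
    """Order the tunnels of one preference level for this selection attempt."""
    if weighted:
        # weighted-load-balancing: highest weight first; a tunnel at its
        # max-sessions limit is passed over so the next heaviest is used.
        return sorted((d for d in level_dests if d.sessions < d.max_sessions),
                      key=lambda d: d.max_sessions, reverse=True)
    # default: round-robin among the tunnels at the same preference level
    start = rr_state.get(level, 0) % len(level_dests)
    rr_state[level] = start + 1
    return level_dests[start:] + level_dests[:start]


def select_tunnel(dests: List[Destination], *, fail_over_within_preference: bool = False,
                  weighted: bool = False,
                  rr_state: Optional[Dict[int, int]] = None) -> Optional[Destination]:
    """Return the destination the LAC would try next, or None to reject the session."""
    rr_state = {} if rr_state is None else rr_state
    for level in sorted({d.preference for d in dests}, reverse=True):
        level_dests = [d for d in dests if d.preference == level]
        for d in _ordered(level_dests, level, weighted, rr_state):
            if not d.unreachable:
                return d
            if not fail_over_within_preference:
                # default method: one unreachable destination sends the LAC
                # straight to the next lower preference level
                break
            # fail-over-within-preference: try another destination at this level
    if fail_over_within_preference and dests and all(d.unreachable for d in dests):
        # every destination at every level is unreachable: retry the one that failed first
        failed = [d for d in dests if d.failed_at > 0]
        return min(failed, key=lambda d: d.failed_at) if failed else None
    return None


def sample_domain() -> List[Destination]:
    """Constructed tunnel list: two tunnels at the top level, one at each lower level."""
    return [Destination("lns-a", preference=10, max_sessions=100),
            Destination("lns-b", preference=10, max_sessions=50),
            Destination("lns-c", preference=5, max_sessions=20),
            Destination("lns-d", preference=1, max_sessions=10)]


if __name__ == "__main__":
    domain = sample_domain()
    domain[0].unreachable, domain[0].failed_at = True, 1
    print("default:", select_tunnel(domain).name)
    print("within-preference:",
          select_tunnel(domain, fail_over_within_preference=True).name)
```

Keep one rr_state dictionary per domain across calls to see the round-robin rotation at a level; a fresh dictionary restarts the rotation from the first configured tunnel.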
Support for dynamic interface sets (M120, M320, and MX Series routers): Enables
you to configure sets of subscriber interfaces in dynamic profiles. Interface sets are
used for providing hierarchical scheduling. Previously, interface sets were supported
for interfaces configured in the static hierarchies only.
Supported subscriber interfaces include static and dynamic demux, static and dynamic
PPPoE, and static and dynamic VLAN interfaces.
To configure an interface set in a dynamic profile, include the interface-set
interface-set-name statement at the [edit dynamic-profiles interfaces] hierarchy level.
To add a subscriber interface to the set, include the interface interface-name unit
logical-unit-number statement at the [edit dynamic-profiles interfaces interface-set
interface-set-name] hierarchy level. You apply traffic shaping and scheduling parameters
to the interface-set by including the interface-set interface-set-name and
output-traffic-control-profile profile-name statements at the static [edit class-of-service
interfaces] hierarchy level.
A new Juniper Networks VSA (attribute 26-130) is now supported for the interface set
name, and includes a predefined variable, $junos-interface-set-name. The VSA is
supported for RADIUS Access-Accept messages only; change of authorization (CoA)
requests are not supported.
[Subscriber Access]
Support for service session accounting statistics (MX Series routers): You can now
capture accounting statistics for subscriber service sessions. Subscriber management
supports service session accounting based on service activation and deactivation, as
well as interim accounting. Time-based accounting is supported for all service sessions.
Time and volume-based accounting is supported for classic firewall filter and fast
update firewall filter service sessions only.
To provide volume service accounting, the well-known accounting counter
(junos-dyn-service-counter) must also be configured for the classic firewall filter and
fast update firewall filter service. You define the counter at the [edit firewall family
family filter filter term term then] hierarchy level.
The following VSAs (vendor ID 4874) are used for service accounting:

Attribute Number | Attribute Name                | Description                                                          | Value
26-69            | Service-Statistics            | Enable or disable statistics for the service.                        | 0 = disable
26-83            | Acct-Service-Session          | Name of the service.                                                 | string: service-name
26-140           | Service-Interim-Acct-Interval | Amount of time between interim accounting updates for this service.  | range = 600-86400 seconds; 0 = disabled
[Subscriber Access]
Subscriber secure policy traffic mirroring supported for L2TP sessions on the LAC
(MX Series routers): The L2TP access concentrator (LAC) implementation supports
RADIUS-initiated per-subscriber traffic mirroring. Both subscriber ingress traffic (from
the subscriber into the tunnel) and subscriber egress traffic (from the tunnel to the
subscriber) are mirrored at the (subscriber-facing) ingress interface on the LAC. The
ingress traffic is mirrored after PPPoE decapsulation and before L2TP encapsulation.
The egress traffic is mirrored after L2TP decapsulation. The mirrored packet includes
the complete HDLC frame sent to the LNS.
[Subscriber Access]
Support for static and dynamic CoS on L2TP LAC subscriber interfaces (M120, M320,
and MX Series routers): Enables you to configure static and dynamic CoS for L2TP
access concentrator (LAC) tunnels that transport PPP subscribers at Layer 2 and Layer
3 of the network.
IP and L2TP headers are added to packets arriving at the LAC from a subscriber before
being tunneled to the L2TP network server (LNS). Classifiers and rewrite-rules enable
you to properly transfer the type-of-service (ToS) value or the 802.1p value from the
inner IP header to the outer IP header of the L2TP packet.
For ingress tunnels, you configure fixed or behavior aggregate (BA) classifiers for the
PPP interface or an underlying VLAN interface at Layer 2. You can configure Layer 3
classifiers for a family of PPP interfaces. Layer 2 and Layer 3 classifiers can co-exist
for a PPP subscriber.
For example, to classify incoming packets for a PPP subscriber, include the classifier
type classifier-name statement at the [edit class-of-service interfaces pp0 unit
logical-unit-number] hierarchy level or at the [edit dynamic-profiles class-of-service
interfaces pp0 unit logical-unit-number] hierarchy level.
On egress tunnels, you configure rewrite rules to set the ToS or 802.1p value of the
outer header. For example, to configure a rewrite-rule definition for an interface with
Forwarding Class
Loss Priority
Code Point
Outer IP Header
ob001
assured-forwarding
low
001
ob001
L2TP tunnel profiles and AAA support for tunnels in subscriber management (MX
Series routers): You can configure a set of attributes to define an L2TP tunnel for PPP
subscribers. More than one tunnel can be defined for a tunnel profile. Tunnel profiles
are applied by a domain map before RADIUS authentication. When the RADIUS
Tunnel-Group VSA [26-64] is specified in the RADIUS login, then the RADIUS tunnel
profile (group) overrides a tunnel profile specified by the domain map. The tunnel is
then configured according to RADIUS tunnel attributes and VSAs.
To configure a tunnel profile, include the tunnel-profile profile-name statement at the
[edit access] hierarchy level. To define a tunnel for a profile, include the tunnel tunnel-id
statement at the [edit access tunnel-profile profile-name] hierarchy level.
Define the attributes of the tunnel at the [edit access tunnel-profile profile-name tunnel
tunnel-id] hierarchy level. You must configure a preference for the tunnel and the IP
address of the LNS tunnel endpoint; all other attributes are optional. Include the
preference number statement to configure the preference. Include the remote-gateway
address server-ip-address statement to configure the LNS address.
You can optionally configure the remaining tunnel attributes. Include the
remote-gateway name server-name statement to configure the LNS hostname. Include
the source-gateway address client-ip-address statement and the source-gateway name
client-name statements to configure the local (LAC) tunnel endpoint. Although you
can configure a medium type (medium type) and protocol type (tunnel tunnel-type)
for the tunnel, only the default values of ipv4 and l2tp are supported in this release.
Include the identification name statement to configure an assignment ID for the tunnel.
Include the max-sessions number statement to configure the maximum number of
sessions permitted for the tunnel. Include the secret password statement to configure
a cleartext password for authentication by the remote tunnel endpoint (LNS). Finally,
you can configure a logical system and routing instance for the tunnel by including the
logical-system logical-system-name and routing-instance routing-instance-name
statements.
The following table shows the RADIUS attributes that are now supported for defining
a tunnel.

Attribute Number | Attribute Name
64               | Tunnel-Type
65               | Tunnel-Medium-Type
66               | Tunnel-Client-Endpoint
67               | Tunnel-Server-Endpoint
69               | Tunnel-Password
82               | Tunnel-Assignment-Id
83               | Tunnel-Preference
90               | Tunnel-Client-Auth-Id
91               | Tunnel-Server-Auth-Id
The following table shows the RADIUS VSAs that are now supported for defining a
tunnel.

Attribute Number | Attribute Name        | Value
26-8             | Tunnel-Virtual-Router | string: tunnel-virtual-router
26-9             | Tunnel-Password       | string: tunnel-password
26-33            | Tunnel-Max-Sessions   | integer: 4-octet
26-64            | Tunnel-Group          | string: tunnel-group-name
[Subscriber Access]
Support for ascend data filters (RADIUS attribute 242) in subscriber firewall filters
(MX Series routers): You can now configure subscriber management to use ascend
data filters (ADFs) to create and apply firewall filters to subscriber traffic. The ADF
creates a rule that specifies match conditions on the source and destination IP address,
the protocol, and the source and destination port, and also specifies the action to
perform (such as accept or discard). The ADF rule also specifies the filter direction,
and can optionally provide traffic class and policer information. The router supports
ADF rules for family types inet and inet6.
Subscriber management uses dynamic profiles to obtain the ADF rules from the RADIUS
server. You can use the new Junos OS predefined variables ($junos-adf-rule-v4 for
family inet and $junos-adf-rule-v6 for inet6) to map ADF rules to Junos OS functionality,
or you can statically create ADF rules.
To configure ADF support, use the following stanza at the [edit dynamic-profiles
profile-name interfaces interface-name unit logical-unit-number family family] hierarchy
level:
filter {
    adf {
        counter;
        input-precedence precedence;
        output-precedence precedence;
        rule rule-value;
    }
}
Per-interface DHCP tracing operations (MX Series routers): In addition to the existing
global DHCP tracing operation, you can now trace DHCP operations for a specific
interface or a range of interfaces.
Configuring interface-based tracing is a two-step procedure. First configure the tracing
options that you want to use, such as the file used for the trace operation and the trace
flags. In the second step, enable the tracing operation on the specific interface or range
of interfaces.
To enable tracing on an interface or interface range, use the trace statement at the
[edit system services dhcp-local-server group group-name interface interface-name]
hierarchy level for the DHCP local server, or the [edit forwarding-options dhcp-relay
group group-name interface interface-name] hierarchy level for the DHCP relay agent.
You can also enable tracing for DHCPv6 at the [edit system services dhcp-local-server
dhcpv6 group group-name interface interface-name] hierarchy level.
[Subscriber Access]
Automatic binding of stray DHCP requests (MX Series routers): The default behavior
has changed for handling DHCP requests that are received but which have no entry in
the database (stray requests). Beginning with Junos OS Release 10.4, automatic binding
of stray requests is enabled by default. In Junos OS Release 10.3 and earlier releases,
automatic binding of stray requests is disabled by default.
By default, DHCP relay and DHCP relay proxy now attempt to bind the requesting client
by creating a database entry and forwarding the request to the DHCP server. If the
server responds with an ACK, the client is bound and the ACK is forwarded to the client.
If the server responds with a NAK, the database entry is deleted and the NAK is
forwarded to the client. This behavior occurs regardless of whether authentication is
configured.
In Junos OS Release 10.3 and earlier releases, DHCP relay drops stray requests and
forwards a NAK to the client when authentication is configured. Otherwise, DHCP relay
attempts to bind the requesting client. In those releases, DHCP relay proxy always
drops stray requests and forwards a NAK to the client, regardless of the authentication
configuration.
You can override the new default configuration to cause DHCP relay and DHCP relay
proxy to drop all stray requests instead of attempting to bind the clients. To disable
automatic binding behavior globally, include the no-bind-on-request statement at the
[edit forwarding-options dhcp-relay overrides] hierarchy level. To disable automatic
binding behavior for a group, include the statement at the [edit forwarding-options
dhcp-relay overrides group group-name] hierarchy level. To disable automatic binding
behavior for a specific interface in a group, include the statement at the [edit
forwarding-options dhcp-relay overrides group group-name interface interface-name]
hierarchy level.
[Subscriber Access]
NOTE: In this release, Layer 2 wholesaling supports the use of only the
default logical system using multiple routing instances.
The Juniper Networks Layer 2 wholesale solution is similar to the Layer 3 wholesale
solution in many ways. However, when configuring the Juniper Networks Layer 2
wholesale solution, keep the following in mind:
Layer 2 wholesale supports only CoA disconnect and variable modification; CoA
service activation is not supported.
Configure a VLAN dynamic profile. See the Subscriber Access Configuration Guide
for details.
Include the unit statement along with the $junos-interface-unit dynamic variable at
the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name]
hierarchy level.
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Include the vlan-tags statement and define the outer VLAN tag using the
$junos-stacked-vlan-id dynamic variable and the inner VLAN tag using the
$junos-vlan-id dynamic variable at the [edit dynamic-profiles profile-name interface
$junos-interface-ifd-name unit $junos-interface-unit] hierarchy level.
Specify the action that you want the input VLAN map to take. See the Network
Interfaces Configuration Guide for details on how to configure input-vlan-map
statement options.
Include the vlan-id statement along with the $junos-vlan-map-id dynamic variable.
Specify the unit family as vpls at the [edit dynamic-profiles profile-name interface
$junos-interface-ifd-name unit $junos-interface-unit family] hierarchy level.
Include the flexible-vlan-tagging statement for any interfaces you plan to use at the
[edit interfaces interface-name] hierarchy level.
Include the encapsulation statement for any interfaces you plan to use at the [edit
interfaces interface-name] hierarchy level and specify the encapsulation as follows:
flexible-ethernet-services.
Use the extended-vlan-vpls option if you chose not to specify an option for the
encapsulation statement at the [edit dynamic-profiles profile-name interface
$junos-interface-ifd-name unit $junos-interface-unit] hierarchy level.
NOTE: This encapsulation type can support multiple TPIDs and does
not have a VLAN ID limitation.
Specify the vpls option for the instance-type statement for any retailer routing
instances you plan to use at the [edit routing-instances instance-name] hierarchy
level.
Specify the permanent option for the connectivity-type statement at the [edit routing-instances instance-name protocols vpls] hierarchy level to ensure that the routing instance (pseudo-wire) remains operational.
Configure the VLAN Interfaces to use the dynamic profile. See the Subscriber Access
Configuration Guide for details.
Define access to your RADIUS server and specify the access profile at the [edit
access] hierarchy level.
To view the logical system and routing instance for each subscriber, use the show
subscriber operational command.
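An added example (not from the release notes) that assembles the statements listed above into one configuration. Assumed, because the text does not fix them: the dynamic profile name l2-wholesale-vlan, access interface ge-1/0/0, retailer instance retailer-a signaled to neighbor 192.0.2.100 with vpls-id 100, RADIUS server 192.0.2.10, the unit-level encapsulation vlan-vpls, the swap action of the input VLAN map, and the routing-instances stanza that places the subscriber's unit into the retailer instance RADIUS returns.

```junos
/* Added example, not from the release notes. All names, addresses and the
   items marked "assumed" below are placeholders chosen for this example. */
dynamic-profiles {
    l2-wholesale-vlan {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    /* outer tag from the stacked VLAN id, inner tag from the VLAN id */
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    /* assumed unit encapsulation for a family vpls unit */
                    encapsulation vlan-vpls;
                    input-vlan-map {
                        /* assumed action; the tag comes from the map variable */
                        swap;
                        vlan-id "$junos-vlan-map-id";
                    }
                    family vpls;
                }
            }
        }
        /* assumed: put the subscriber's unit into the retailer instance that
           RADIUS returns for the subscriber */
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        /* VLAN interfaces are created from the dynamic profile on demand;
           any stacked VLAN pair is accepted and authenticated through RADIUS */
        auto-configure {
            stacked-vlan-ranges {
                dynamic-profile l2-wholesale-vlan {
                    accept any;
                    ranges {
                        any,any;
                    }
                }
                access-profile l2-wholesale-access;
            }
        }
    }
}
routing-instances {
    retailer-a {
        instance-type vpls;
        protocols {
            vpls {
                /* keeps the pseudowire operational regardless of subscriber state */
                connectivity-type permanent;
                /* assumed LDP-signaled pseudowire to the retailer's router */
                vpls-id 100;
                neighbor 192.0.2.100;
            }
        }
    }
}
access {
    radius-server {
        192.0.2.10 {
            secret "PLACEHOLDER-SHARED-SECRET";
        }
    }
    profile l2-wholesale-access {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
        }
    }
}
```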
[Subscriber Access]
System Logging
New and deprecated system log tags: The following system log messages are new in this release:
ASP_SFW_DELETE_FLOW
CHASSISD_FM_FABRIC_DOWN
CHASSISD_FPC_FABRIC_DOWN_REBOOT
CHASSISD_FRU_INTEROP_UNSUPPORTED
CHASSISD_RE_CONSOLE_FE_STORM
RPD_AMT_CFG_ADDR_FMLY_INVALID
RPD_AMT_CFG_ANYCAST_INVALID
RPD_AMT_CFG_ANYCAST_MCAST
RPD_AMT_CFG_LOC_ADDR_INVALID
RPD_AMT_CFG_LOC_ADDR_MCAST
RPD_AMT_CFG_PREFIX_LEN_SHORT
RPD_AMT_CFG_RELAY_INVALID
RPD_BGP_CFG_ADDR_INVALID
RPD_BGP_CFG_LOCAL_ASNUM_WARN
RPD_CFG_TRACE_FILE_MISSING
RPD_LDP_GR_CFG_IGNORED
RPD_MC_CFG_FWDCACHE_CONFLICT
RPD_MC_CFG_PREFIX_LEN_SHORT
RPD_MSDP_CFG_SA_LIMITS_CONFLICT
RPD_MSDP_CFG_SRC_INVALID
RPD_MVPN_CFG_PREFIX_LEN_SHORT
RPD_PLCY_CFG_COMMUNITY_FAIL
RPD_PLCY_CFG_FWDCLASS_OVERRIDDEN
RPD_PLCY_CFG_IFALL_NOMATCH
RPD_PLCY_CFG_PARSE_GEN_FAIL
RPD_PLCY_CFG_PREFIX_LEN_SHORT
RPD_RSVP_COS_CFG_WARN
RPD_RT_INST_IMPORT_PLCY_WARNING
RPD_OSPF_IF_COST_CHANGE
RPD_OSPF_TOPO_IF_COST_CHANGE
RPD_VPLS_INTF_NOT_IN_SITE
[System Log]
Added interface information to BFD session up/down system log tags: Added peer address information for BFDD_TRAP_MHOP_STATE_DOWN and BFDD_TRAP_MHOP_STATE_UP.
[System Log]
VPNs
Disable TTL propagation behavior for the routes in a VRF routing instance: Enables you to control TTL decrementing for individual VPNs. In prior releases, Junos OS enabled control of TTL behavior only at the router level for all LDP-signaled and all RSVP-signaled label-switched paths. With this feature, you can control the behavior on individual VPN routes. To configure, include the vrf-propagate-ttl or no-vrf-propagate-ttl statement at the [edit routing-instances instance-name] hierarchy level. The instance-specific behavior overrides the router behavior configured at the [edit protocols mpls] hierarchy level with the no-propagate-ttl statement. The show route extensive and show route detail commands display the TTL action for each VRF routing instance.
[VPNs]
Support for Layer 3 VPN composite next hops and a larger number of Layer 3 VPN labels on T Series routers: Layer 3 VPN composite next hops can now be enabled on T Series routers with Enhanced Scaling FPCs by including the l3vpn-composite-nexthop statement at the [edit routing-options] or [edit logical-systems logical-system-name routing-options] hierarchy levels. This statement enables BGP to accept larger numbers of Layer 3 VPN BGP updates with unique inner VPN labels. Including the l3vpn-composite-nexthop statement in the configuration enhances scaling and convergence performance of PE routers participating in a Layer 3 VPN in a multivendor environment.
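An added example (not from the release notes) covering both the per-VRF TTL control and the T Series composite next hop statement described above: the router-wide setting under protocols mpls, one VRF overriding it, and l3vpn-composite-nexthop under routing-options. The instance name vpn-red, interface ge-1/1/0.0 and the route distinguisher and target 65000:100 are assumed.

```junos
/* Added example, not from the release notes. Instance, interface, RD and
   target values are placeholders. */
protocols {
    mpls {
        /* router-wide behavior for all LDP- and RSVP-signaled LSPs: do not
           copy the IP TTL into the label, so core hops stay hidden from
           customer traceroutes; before 10.4 this was the only control */
        no-propagate-ttl;
    }
}
routing-options {
    /* T Series with Enhanced Scaling FPCs: lets BGP accept larger numbers
       of Layer 3 VPN updates carrying unique inner VPN labels */
    l3vpn-composite-nexthop;
}
routing-instances {
    vpn-red {
        instance-type vrf;
        interface ge-1/1/0.0;
        route-distinguisher 65000:100;
        vrf-target target:65000:100;
        /* per-instance override of the protocols mpls setting: routes of
           this VRF do propagate the TTL; show route detail shows the action */
        vrf-propagate-ttl;
    }
}
```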
The Junos OS provides the configuration statement memory-enhanced to reallocate
the jtree memory for routes and Layer 3 VPNs. This statement has the following options:
route: Include this statement when you want to support larger routing tables (with more routes) over firewall filters. For example, you can enable this option when you want to support a large number of routes for Layer 3 VPNs implemented using MPLS. However, we recommend enabling this option only if you do not have a very large firewall configuration.
To allocate more memory for routing tables, include the route statement at the [edit
chassis memory-enhanced] hierarchy level:
[edit chassis memory-enhanced]
route;
NOTE:
With Junos Release 10.4, the memory-enhanced route statement at the
[edit chassis] hierarchy level replaces the route-memory-enhanced
statement at the [edit chassis] hierarchy level.
[VPNs, System Basics]
Egress protection LSPs: If there is a link or node failure in the core network, a protection mechanism such as MPLS fast reroute can be triggered on the transport LSPs between the PE routers to repair the connection within tens of milliseconds. An egress protection LSP addresses the problem of when a link failure occurs at the edge of the network (for example, a link failure between a PE router and a CE device).
To enable an egress protection LSP, you need to configure the following statements:
participating in the egress protection LSP. The context identifier is used to assign an
identifier to the protector PE router. The identifier is propagated to the other PE
routers participating in the network, making it possible for the protected egress PE
router to signal the egress protection LSP to the protector PE router. Configure the
context-identifier statement at the [edit protocols l2circuit neighbor neighbor-address
interface interface-name egress-protection protector-pe] and the [edit protocols mpls
egress-protection] hierarchy levels.
circuit and also configures the protector Layer 2 circuit itself at the [edit protocols
l2circuit] hierarchy level. Configures an LSP as an egress protection LSP at the [edit
protocols mpls label-switched-path lsp-name] hierarchy level. It also configures the
context identifier at the [edit protocols mpls] hierarchy level.
router must have a connection to the same CE device as the protected PE router for
the egress protect LSP to function. This statement includes the following
sub-statements: context-identifier and lsp. The lsp statement specifies the LSP to
be used as the actual egress protection LSP. Configure the protector-pe statement
at the [edit protocols l2circuit neighbor neighbor-address interface interface-name
egress-protection] hierarchy level.
[VPNs]
Related Documentation
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX
Series, and T Series Routers on page 42
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55
Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series,
MX Series, and T Series Routers on page 77
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and
T Series Routers
Class of Service
Changes to the output of the show interfaces queue command: Previously, the first value in the Egress queues line of the show interfaces queue interface-name output reflected the max-queues-per-interface setting rather than the number of queues the hardware supports, as shown below:
Egress queues: 4 supported, 4 in use
That is, the first value indicated either the default or the value specified through the max-queues-per-interface statement. The first value now shows the number of hardware-supported queues and no longer changes when max-queues-per-interface is changed.
[Class of Service]
ARP packet policing on TCC Ethernet interfaces: In Junos OS Release 10.4, ARP packet policing is effective on TCC Ethernet interfaces.
High CPU utilization of the DFWD process: You might notice a high CPU utilization by the DFWD process if the interface lo0 is configured as part of the interface group 0.
Bridge domain naming (Layer 2 platforms): You cannot include the slash mark (/) in a bridge domain name at the [edit bridge-domains bridge-domain-name] hierarchy level.
[Layer 2]
SFC and LCC Routing Engine (RE) name changes: The SFC Routing Engine name is changed from RE-TXP-SFC to RE-DUO-2600, and the LCC Routing Engine name is changed from RE-TXP-LCC to RE-DUO-1800.
[Software Installation and Upgrade]
and maintenance domains. You can also use the one-way and two-way options to
clear only one-way delay statistics or two-way delay statistics, respectively.
[Interfaces Command Reference]
Circuit Emulation (CE) interfaces firmware compatibility for ATM IMA on M7i, M10i, M40e, M120, and M320 routers: Provides a Firmware mismatch syslog message and a show interface command output message in the IMA Group state and IMA Link state if the PIC's firmware is not compatible in Junos OS Release 10.0 and later releases.
CE PICs manufactured with the 560-028081.pbin firmware will produce the following
entry in /var/log/messages when Junos OS is upgraded to Release 10.0R1 or newer
releases:
Firmware mismatch. Need to upgrade PIC PROM Binary CPU firmware for IMA.
If you configure IMA with this combination of Junos OS and CE PIC firmware, the
following entry will be seen.
Firmware error. Need to upgrade PIC PROM Binary CPU firmware for IMA.
The show interfaces ce-fpc/pic/port command output will show the following:
Physical link is Down
IMA Group state : NE: Firmware Error
IMA Link state : Line: Firmware Error
The customer must contact JTAC for a PIC firmware upgrade to proceed with IMA.
[Interfaces Command Reference, System Log Messages Reference]
Set bandwidth value on aggregated Ethernet interfaces: You can now set the bandwidth value by using the bandwidth value statement at the [edit interfaces aggregate-interface unit number] hierarchy level.
Additionally, the show interfaces aggregate-interface extensive and the show interfaces aggregate.logical-interface commands now show the bandwidth of the aggregate when it is configured. Also, the SNMP OID ifSpeed/ifHighSpeed of the aggregate logical interface shows the corresponding bandwidth when it is configured. When it is not configured, the command shows it as the sum of the bandwidths of the member links of the aggregate, as before.
Network interfaces show command output (All platforms): The output of the show interfaces detail/extensive command now adds a table that shows complete (not truncated) names of the forwarding classes associated with queues.
[Network Interfaces]
using the show interfaces extensive command with a 100-Gigabit Ethernet PIC, the
Filter statistics section will not be displayed because the hardware does not include
those counters.
Change to the show interfaces aenumber extensive command: The output of the show interfaces aenumber extensive command no longer displays Link Aggregation Control Protocol (LACP) statistics. To display LACP statistics, use the show lacp statistics interfaces command.
[Interfaces Command Reference]
Increase in unit numbering for demux0 and pp0 interfaces: The unit numbering for demux0 and pp0 interfaces has been increased to 1,073,741,823.
warnings).
log: Write the specified message to the commit log. This is identical to the CLI
To specify commit options, include the desired options within the <commit-options>
tag. Use the := operator to create a node-set and assign it to a variable. Pass this
variable as the argument for the $commit-options parameter when you call the
jcs:load-configuration template.
For example, to commit the configuration with the synchronize and log options, use
the following syntax for the node-set:
var $options := {
    <commit-options> {
        <synchronize>;
        <log> "synchronizing commit";
    }
}
Junos XML management protocol support for the interface-ranges attribute of the <get-configuration> operation: By default, the Junos XML protocol operation <get-configuration> parallels the default behavior of the CLI configuration mode show command, which displays the [edit interfaces interface-range] hierarchy as a separate hierarchy in the configuration. To display the inherited tag elements of each interface range as children of the interface elements that are members of that range, a client application combines the interface-ranges="interface-ranges" attribute with the inherit="inherit" attribute in the <get-configuration> tag of a remote procedure call (RPC).
If the inherit and interface-ranges attributes are included in the <get-configuration>
tag and the client application requests Junos XML-tagged output (the format="xml"
attribute is included or the format attribute is omitted), the Junos XML protocol server
includes the junos:interface-range="source-interface-range" attribute in the opening
tags of configuration elements that are inherited from an interface range. The attribute
does not appear if the client application requests formatted ASCII output by including
the format="text" attribute in the <get-configuration> tag.
[XML Management Protocol]
MPLS Applications
Enhancement to the show mpls lsp extensive command: In Junos OS Release 10.3 and later, the show mpls lsp extensive command displays more detailed Constrained Shortest Path First (CSPF) messages. You can now see the reason(s) for the CSPF path computation and rejection. The following list shows some of the enhanced CSPF messages (depending on your network configuration, the type of messages you see might be different):
17 Aug 3 13:17:33.601 CSPF: computation result ignored, new path less avail bw[3 times]
16 Aug 3 13:02:51.283 CSPF: computation result ignored, new path no benefit[2 times]
[MPLS]
Routing Protocols
New community-count routing policy match condition for BGP routes: You can now configure the number of BGP community entries required for an incoming route to match. This allows you to accept BGP routes based on a specific number of or range of BGP community entries. To configure the number of community entries, specify the from statement and include the community-count value (equal | orhigher | orlower)
[Routing Policy]
Services Applications
New configuration to avoid IDP traffic loss (M120, M320, MX240, MX480, and MX960 routers): When the Multiservices PIC or DPC configured for a service set is either administratively taken offline or undergoes a failure, all the traffic entering the configured interface with an IDP service set would be dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit services service-set service-set-name service-set-options] hierarchy level and (for TCP traffic only) the ignore-errors tcp statement at the [edit interfaces interface-name services-options] hierarchy level. When you configure these statements, the affected packets are forwarded, in the event of a Multiservices PIC or DPC failure or offlining, as though interface-style services were not configured. This issue applies only to M120, M320, and MX Series routers.
[Services Interfaces]
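An added example (not from the release notes) of the two statements together with the interface-style service set they apply to. The service set name idp-ss, the IDP policy idp-policy-1 (assumed to be defined elsewhere under services idp), the Multiservices interface ms-1/2/0 and the access interface ge-1/0/0 are assumed.

```junos
/* Added example, not from the release notes. Service set, policy and
   interface names are placeholders. */
services {
    service-set idp-ss {
        /* assumed: the IDP policy is defined under services idp */
        idp-profile idp-policy-1;
        interface-service {
            service-interface ms-1/2/0;
        }
        service-set-options {
            /* when the PIC/DPC fails or is taken offline, forward packets as
               though the service set were not configured instead of dropping
               them without notification; this is fail-open, so traffic
               passes uninspected by IDP until the PIC/DPC is back */
            bypass-traffic-on-pic-failure;
        }
    }
}
interfaces {
    ms-1/2/0 {
        services-options {
            /* additionally required for the bypass to cover TCP traffic */
            ignore-errors tcp;
        }
        unit 0 {
            family inet;
        }
    }
    ge-1/0/0 {
        unit 0 {
            family inet {
                /* interface-style attachment of the IDP service set */
                service {
                    input {
                        service-set idp-ss;
                    }
                    output {
                        service-set idp-ss;
                    }
                }
                address 198.51.100.1/24;
            }
        }
    }
}
```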
(Sample output: a counter table with columns Total, Wildcard, Success and Error and rows Add, Add (emergency), AuditValue, Modify, ServiceChange and Subtract; the individual counter values are not recoverable from this copy.)
The following is a sample of the section of the output showing inactivity notifications
on the root termination:
(Sample output: the ROOT Notify counter table with columns Total, Wildcard, Success and Error and rows ocp/mg_overloaded and it/ito; the individual counter values are not recoverable from this copy.)
[Border Gateway Function (BGF), System Basics and Services Command Reference]
Support for softwire rules: The match direction output command is now supported for softwire rules.
[Services Interfaces]
Summary option for the show services nat mapping command: You can now display summary statistics for Network Address Translation (NAT) mapping by using the show services nat mapping summary command. The following example shows the new output.
(Sample output: only the values 500000, 500000 and 0 are recoverable from this copy; the column headings are not.)
Command to manage the behavior for reserved ports allocation and port parity: Port allocation in a NAT pool can now be controlled with the preserve-parity and preserve-range commands. Preserve-parity allocates even ports for packets with even destination ports, and odd ports for packets with odd destination ports. Preserve-range allocates ports within a range of 0 through 1023 assuming the original packet contains a destination port in the reserved range. This behavior is applicable to control sessions and not to data sessions.
[Services Interfaces]
Border Gateway Function (BGF) apply implicit latching on TCP gates when the gate is created: By default, latching of gates is done by explicit latch requests. You can configure implicit latching of gates by entering the set implicit-tcp-latch and set implicit-tcp-source-filter configuration statements at the [edit services pgcp gateway gateway-name h248-options] hierarchy level.
The new configuration statements result in the following actions:
on either gate of a gate pair, implicit latching is not applied. If explicit latching has
not been applied on either gate:
When either of the gates latches, latching is automatically disabled on the other
gate.
incoming packets, using the current remote destination address under the following
conditions:
Modification to the show pppoe interfaces command (M120, M320, MX Series, and J Series routers): In Junos OS Release 9.5 and later, the extensive option for the show pppoe interfaces command is supported only for J Series routers, which can be configured as Point-to-Point Protocol over Ethernet (PPPoE) clients. The show pppoe interfaces command no longer supports the extensive option for M120, M320, and MX Series routers in Junos OS Release 9.5 and later. When an M120, M320, or MX Series router is configured as an access concentrator server, the statistics for the PPPoE server interfaces do not increment. As a result, when you issue the show pppoe interfaces extensive command on an M120, M320, or MX Series router, the statistics are always displayed as zeros.
[Interfaces Command Reference]
Enhancement to the clear pppoe statistics command (M120, M320, MX Series, J Series routers): The clear pppoe statistics command includes a new option, underlying-interface-name, for M120, M320, and MX Series routers in Junos OS Release 9.5 and later. The option enables you to reset the statistics of the underlying PPPoE interface for static and dynamic PPPoE interfaces. In Junos OS Release 9.5 and later, the interface interface-name option for the clear pppoe statistics command is supported only for J Series routers. The clear pppoe statistics command no longer supports the interface interface-name option for the M120, M320 and MX Series routers in Junos OS Release 9.5 and later.
[Interfaces Command Reference]
Support for DSL Forum VSAs (MX Series routers): Digital Subscriber Line (DSL) attributes are RADIUS VSAs that are defined by the DSL Forum. The attributes transport DSL information that is not supported by standard RADIUS attributes and which convey information about the associated DSL subscriber and data rate. The attributes are defined in RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes. Junos OS uses the vendor ID 3561, which is assigned by the Internet Assigned Numbers Authority (IANA), for the DSL Forum VSAs.
Subscriber management supports DSL Forum VSAs in pass-through mode. In
pass-through mode, the router does not process DSL values, but rather passes the
values received from the subscriber to the RADIUS server, without performing any
parsing or manipulation.
[Subscriber Access]
For an IPv4-only configuration, the standard RADIUS attributes report the IPv4
statistics and the IPv6 VSA results are all reported as 0.
For an IPv6-only configuration, the standard RADIUS attributes and the IPv6 VSA
statistics are identical, both reporting the IPv6 statistics.
When both IPv4 and IPv6 are configured, the standard RADIUS attributes report the
combined IPv4 and IPv6 statistics. The IPv6 VSAs report IPv6 statistics.
[Subscriber Access]
Change in the commit | display detail option: If the number of commit messages exceeds a page when the commit command is used with the | display detail pipe option, the more pagination option on the screen is no longer available. Instead, the messages roll up on the screen by default, just like using the commit command with the | no more pipe option.
[CLI User Guide]
New configuration statement to configure retry attempts for checking the keepalive status of a Point-to-Point (PPP) protocol session: Junos OS introduces the keepalive-retries number-of-retries statement at the [edit access profile profile-name client client-name ppp] hierarchy level. Include this statement in the configuration to reduce the detection time for PPP client session timeouts or failures if you have configured the keepalive timeout interval (using the keepalive statement).
[System Basics]
New option introduced for the show | display inheritance operational mode command: Junos OS now provides the no-comments option for the show | display inheritance command. This option enables you to view CLI configuration details without inline comments marked with ##.
[CLI User Guide]
Enhancement to the show chassis sibs command: The show chassis sibs command now displays an appropriate reason when a SIB transitions to the Offline state. For instance, if the SIB is taken offline using the request chassis sib command, the output of the show chassis sibs command displays --- Offlined by cli command ---.
[System Basics and Services Command Reference]
New option for the ping mpls l2vpn and ping mpls l2circuit commands: The ping mpls l2vpn and ping mpls l2circuit commands provide a new option, reply-mode, that enables you to specify the reply mode for the ping request. The reply-mode option provides the application-level-control-channel, ip-udp, and no-reply options.
[System Basics and Services Command Reference]
Enhancement to the output of the show chassis hardware detail command: The show chassis hardware detail command now displays DIMM information for the following Routing Engines:
(Table of routers and Routing Engines; only the Routing Engine entry RE-A-1800x2 is recoverable from this copy.)
Enhancement to the show chassis fpc command: The show chassis fpc command now displays accurate temperature readings for the FPC.
[System Basics and Services Command Reference]
VPNs
SCU support for VRF routing instances with vrf-table-label configured: You can now configure source class usage (SCU) to count packets on Layer 3 VPNs configured with the vrf-table-label statement. Include the source-class-usage statement at the [edit routing-instances routing-instance-name vrf-table-label] hierarchy level. The source-class-usage statement at this hierarchy level is supported only for the virtual routing and forwarding (VRF) instance type. Previously, you could not enable SCU when the vrf-table-label statement was configured. Destination class usage (DCU) is not supported when the vrf-table-label is configured.
[VPNs, Network Interfaces]
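An added example (not from the release notes) of SCU on a VRF that uses vrf-table-label. Assumed: the VRF vpn-blue on ge-1/0/1.0 with route distinguisher and target 65000:200, the prefix 203.0.113.0/24 classed as partner, and the policy, forwarding-table export and per-interface output accounting that the usual SCU setup needs; only the source-class-usage statement under vrf-table-label is what this release adds.

```junos
/* Added example, not from the release notes. Instance, interface, prefix
   and class names are placeholders. */
policy-options {
    policy-statement classify-sources {
        term partner {
            from {
                route-filter 203.0.113.0/24 orlonger;
            }
            /* tag routes from this source prefix with the class "partner" */
            then source-class partner;
        }
    }
}
routing-instances {
    vpn-blue {
        instance-type vrf;
        interface ge-1/0/1.0;
        route-distinguisher 65000:200;
        vrf-target target:65000:200;
        vrf-table-label {
            /* new in this release: SCU together with vrf-table-label, which
               enables the input side for traffic arriving with the VRF
               table label; DCU remains unsupported with vrf-table-label */
            source-class-usage;
        }
        routing-options {
            forwarding-table {
                /* assumed placement: apply the classification to this VRF */
                export classify-sources;
            }
        }
    }
}
interfaces {
    ge-1/0/1 {
        unit 0 {
            family inet {
                accounting {
                    /* count packets per source class as they leave toward
                       the CE device */
                    source-class-usage {
                        output;
                    }
                }
                address 198.51.100.1/24;
            }
        }
    }
}
```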
Related Documentation
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
on page 6
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55
Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series,
MX Series, and T Series Routers on page 77
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series,
and T Series Routers on page 83
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
The current software release is Release 10.4R2. For information about obtaining the
software packages, see Upgrade and Downgrade Instructions for Junos OS Release 10.4
for M Series, MX Series, and T Series Routers on page 83.
A high CPU utilization by the DFWD process might occur if the interface lo0 is configured
as part of the interface group 0. [PR/497242]
When a VPN routing and forwarding table (VRF table) is configured in a logical system,
and there is no loopback filter configured in the VRF table while it is configured on the
logical system and the default router, the packets destined for VRF table reach the
filter configured in the logical system. However, they are expected to reach the filter
configured in the default route table. [PR/575060]
On M Series, T Series, and J Series routers, when the installation of a filter that contains
a logical interface policer or a physical interface policer fails (for example, due to
insufficient jtree memory), the FPC might crash. [PR/579271]
High Availability
The SSH keys are not in sync between the master and backup Routing Engine when
SSH is enabled after a graceful Routing Engine switchover (GRES). [PR/455062]
When the Rx power level is a negative value, the SFP diagnostics output displays an
invalid receiver power level reading. [PR/235771]
Upon a link up event, old packets from the previous link down are still dequeued. This
leads to huge latency reports. [PR/515842]
Discrepancies exist in MAC and filter statistics between Trio MPC and Enhanced DPCs.
[PR/517926]
When a configuration contains a large number of logical interfaces, and graceful Routing
Engine switchover is not configured, the restart chassis-control command might result
in some of the FPCs staying offline. As a workaround, enable graceful Routing Engine
switchover (set chassis redundancy graceful-switchover). [PR/532030]
When the show interfaces command is used, no service set attachment information
is displayed. This information is visible under the interfaces hierarchy (configuration).
[PR/541574]
On MX Series routers, the following syslog error messages appear when a configuration
change is made and committed:
UI_DBASE_LOGIN_EVENT: User 'regress' entering configuration mode
UI_COMMIT: User 'regress' requested 'commit synchronize' operation (comment: none)
Shared memory release
vccpd_platform_get_serial_num: read s/n JN10C843EAFA success, task_state 5123
vcdb_extract_db_from_file reading file /config/vchassis/vc.tlv.db
vcdb_extract_db_from_file Error opening file. errno = 2
vcdb_extract_db_from_file reading file /config/vchassis/vc.db
vcdb_extract_db_from_file: DB Files couldn't be read.
vccpd_platform_get_serial_num: read s/n JN10C843EAFA success, task_state 7171
Shared memory release
sysctl_nd6_mmaxtries: 3, max solicit testing setting of
paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of
paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of
paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of
paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of
paramsysctl_nd6_prune: 1, retrans timer testing setting of
paramsysctl_nd6_prune: 1, retrans timer testing setting of
paramsysctl_nd6_prune: 1, retrans timer testing setting of
paramsysctl_nd6_prune: 1, retrans timer testing setting of
paramsysctl_nd6_prune: 1, retrans timer testing setting of param
[PR/548853]
After an MX80 router is upgraded to Junos OS Release 10.3, the "Front Panel Alarm
Indicators" LEDs do not show any status in the output of the show chassis craft-interface
command, even when there is chassis alarm set on the router. [PR/558046]
Under certain conditions, both the primary and the secondary sections of the interface
might get disabled. To recover from this condition, deactivate and activate the interface
configuration. [PR/559656]
On MPC-3D-x Gigabit Ethernet FPCs, the following IDMEM parity error messages
appear:
MX960-LAB fpc3 LU 2 RD_NACK 2 AP[0x04] TOE Write 0x002913a0
MX960-LAB fpc3 LU 2 IDMEM Parity error in Bank 3, Count 10, IDMEM Bank 3
Offset 0x00014899 IDMEM[0x00052274]
These messages repeat as long as the software encounters the error. These error
messages occur within uninitialized memory locations. [PR/569887]
Incorrect K2 bytes might be transmitted if the mode bits are not set correctly by the
apsd process. [PR/569903]
When the maximum transmission unit (MTU) is set on an AE interface, the AE logical interfaces inherit an MTU value that is equal to the Ethernet MTU value excluding the Ethernet header. When a VLAN demultiplexing (demux) logical interface is created with an underlying AE interface, the VLAN demux logical interface inherits an MTU value equal to the full Ethernet MTU. This is because the MTU on demux interfaces is not set correctly. As a workaround, set the proper MTU value when the family is configured on these interfaces. [PR/579957]
The release message is not sent to the DHCP server even though the
send-release-on-delete flag is set under the DHCP relay configuration. As a workaround,
to deactivate or deconfigure an interface, clear all the bindings on the interface before
you deactivate or delete the interface. To deactivate or deconfigure the relay, clear all
the bindings before you deactivate or delete the relay. [PR/498920]
MPLS Applications
On M Series and T Series routers, the MPLS label-switched path (LSP) log messages
are not logged for nonstandby secondary MPLS LSPs. [PR/560069]
The routing protocol process crashes when an MVPN routing instance is activated and
deactivated. [PR/571131]
Network Management
The SFC management interface em0 is often displayed as fxp0 in several warning
messages. [PR/454074]
On restarting with a large-scale configuration (16,000 logical interfaces per MPC), the
MPC-3D-16XGE-SFPP card may take up to 15 minutes to come up. [PR/478548]
The dynamic auto-sensed VPLS interfaces fail after modifications are made to the
routing instance. Before making configuration changes to any routing instance, clear
any active logical interfaces that are part of the routing instance using the clear
auto-configuration interfaces operational command. Modifying a routing instance
configuration when the configuration is actively being used by subscribers can result
in an unpredictable behavior. [PR/512902]
An NTP server might not reply to clients with a source address that is explicitly
configured. [PR/540430]
The IPv6 BGP neighbors might not come back to the up state when an FPC associated
with that session is manually taken offline, removed, and re-inserted. [PR/552376]
No ICMP host redirect messages are generated when there are multiple VLANs
configured on an interface (multiple logical interfaces on a single physical interface).
[PR/559317]
When the same link-local address is configured on two interfaces, the message "/kernel:
ip6_getpmtu: Invalid Stored MTU" is displayed continuously. [PR/560079]
When IPv6 packets have a size greater than 1232 bytes, the packets get fragmented.
[PR/571596]
After a few graceful Routing Engine switchovers, the firewall filter applied on the
loopback interface might affect the internal control packets from the PICs to the
Routing Engine. The PICs might fail to come back online if the packets are blocked.
[PR/578049]
Routing Protocols
When aggregate interfaces are used for VPN applications, load balancing may not
occur with a Layer 2 circuit configuration. [PR/471935]
Under certain circumstances, the BGP path selection does not follow the local
preference. This might lead to incorrect BGP path selections. [PR/513233]
When an interface is added to a routing instance with rpf-check enabled, the routing
protocol process might crash if a route-distinguisher is also changed at the same time.
[PR/539321]
In Junos OS Release 10.0 and later, a direct route to a VRF with a rib-group is not
advertised as an inet-vpn route to the IBGP neighbor due to the error "BGP label
allocation failure: Need a nexthop address on LAN." [PR/552377]
In some cases, MX Series routers might not send the Link Layer Discovery Protocol
(LLDP) notification trap when the LLDP is disabled on the remote neighbor.
[PR/560855]
When a routing protocol process is restarted after a crash or a mastership switch, the
kernel and the reference counters for the routing protocol process flood branch next
hop might not be in sync anymore. The exposure is high in NGEN-MVPN with many
local receivers and constant churn of joins and prunes of multicast groups. The routing
protocol process might assert and restart while deleting a flooded next hop. As a
workaround, restart the system, or deactivate all MVPN instances to get the kernel
and the routing protocol process to be in sync upon a routing protocol process restart.
[PR/561127]
The 3D Packet Forwarding Engines might experience a rare transient error that
temporarily corrupts one of the lookup engines, resulting in packet loss. A set of
messages similar to the following is displayed:
Restart the Packet Forwarding Engine to clear this error state. [PR/564998]
When a core-facing DPC is restarted, the message "mcsn: cannot perform nh operation
ADDANDGET nhop (null) type indirect index 0 errno 22" appears. A trigger also moves
the interfaces from bridge domains to VPLS instances. To clear this issue, restart
multicast snooping. [PR/576058]
Services Applications
The output of the show services ids destination-table command might not display any
flow and related statistics in the IDS anomaly table for a certain period of time after
the flows are activated. [PR/490584]
The data channel applications for protocols such as FTP, TFTP, RTSP, and SIP are not
in the same application group as their control channel applications. For example,
control channel application junos:ftp is in the group junos:file-server, but the
corresponding data application junos:system:ftp-data is not in any group. [PR/507865]
On M Series and MX Series routers, after a hot-standby RMS, all existing flows are
dropped and it takes some time for new flows to appear with the state. This is due to
the limitation of the RMS. All existing traffic is dropped, and RPC is most impacted as
it has a long retry timer and takes a long time to recover. [PR/535597]
When unit 0 of the Multiservices PIC interface is not specified, the monitor interface
traffic command does not display the input packet count properly for that particular
ms-I/F interface. [PR/544318]
FTP sessions that last long periods (several minutes or hours) are suddenly
disconnected when traffic is still flowing on the data channel. [PR/579475]
In the J-Web interface, the Generate Report option under Monitor > Events and Alarms
opens the report in the same web page. [PR/433883]
Selecting the monitor port for any port in the Chassis Viewer page displays the common
Port Monitoring page instead of the corresponding Monitoring page of the selected
port. [PR/446890]
On MX Series routers, J-Web does not display the USB-related information under
Monitor>SystemView>System Information>Storage. [PR/465147]
When a new-line character (\n) is used within the op script argument descriptions, the
help output might display incorrectly, and could result in extra output being displayed
when the op script executes. [PR/485253]
In the J-Web interface, the options Access Concentrator, Idle Timeout, and Service Name
for PPPoE logical interfaces are not supported on MX Series routers. [PR/493451]
The J-Web interface does not display the drop-profile-map, excess-priority, excess-rate,
and rate-limit (transmit rate) parameters, which are supported in the schedulers
configuration. Configure these parameters using the CLI. [PR/495947]
Warning messages related to pending commits are not triggered when the following
operations are performed:
Software->Upload
Software->Install Package
Maintain->Reboot
As a workaround, commit all pending commits before performing the operations listed
above. [PR/514853]
The annotate option does not appear when it is used with the edit private command
for class of service. [PR/535574]
When an HTTPS connection is used for the J-Web interface in Internet Explorer to
save a report from the View Events page (Monitor->Events and Alarms->View events),
the following error message is displayed: "Internet Explorer was not able to open the
Internet site."
This issue also appears in the following places on the J-Web interface:
maintain->config management->history
maintain->files
[PR/542887]
J-Web pages load inconsistently when the Add IPv4 or IPv6 filters options are used in
the Internet Explorer and Firefox Web browsers. [PR/543607]
After the "delete:" action is performed, the "replace" actions do not take effect in the
"load replace terminal" operation. [PR/556971]
The JavaScript error "Object Expected" occurs when J-Web pages are navigated before
the page loads completely. [PR/567756]
A commit script that activates an apply group might fail to pass the commit check
logic. [PR/576384]
The show system rollback command does not work in configuration mode, although
the command works in operational mode. [PR/580645]
Resolved Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Class of Service
When a firewall filter containing the packet loss priority (PLP) rewrite references a
policer that also contains the PLP rewrite, the PLP is rewritten twice: the PLP bits of
the packets matching the filter condition are first set by the PLP set action in the policer,
and later set again by the PLP set action in the firewall filter. [PR/566896: This issue has
been resolved.]
When Routing Engine sampling is configured, and each flow server corresponds to
a different autonomous system type, the packet size of the exported cflowd v5/8/500
packets might increase. [PR/530008: This issue has been resolved.]
When traffic is sampled on a Multiservices PIC, the multicast convergence slows down
with the message "RPD_KRT_Q_RETRIES: Indirect Next Hop Update: No buffer space
available." [PR/554363: This issue has been resolved.]
Making any circuit cross-connect (CCC) filter changes might render the Packet
Forwarding Engine busy which might cause a slow statistics response. [PR/554722:
This issue has been resolved.]
When a loopback filter is configured, packets sent by the ASIC to the Packet Forwarding
Engine's CPU for generation of TTL expiry notifications are dropped. [PR/555028: This
issue has been resolved.]
The mib2d process might crash when a race condition exists between the mib2d
process and the dfwd process. [PR/563419: This issue has been resolved.]
When a firewall filter with multiple terms references the same three-color policer and
has the same count variable configured, any IP packets that match the second or later
terms might get corrupted. Use different count variables in each term to prevent this
issue. [PR/567546: This issue has been resolved.]
The Radius Accounting Interim message might not be sent immediately after a Change
of Authorization (CoA), even if the CoA is successfully processed and the
coa-immediate-update option is present in the configuration. [PR/570058: This issue
has been resolved.]
High Availability
When a container interface (used in AE interfaces) is freed in the memory, the child
nexthop (member link) on the master Routing Engine is also freed. However, in some
cases, the child nexthop on the backup Routing Engine is not freed resulting in a crash.
[PR/562295: This issue has been resolved.]
On TX Matrix Plus routers, the message "fru_is_present: out of range slot 1 for CIP" is
continuously sent on all the LCCs. [PR/48311: This issue has been resolved.]
During initialization, some garbage data can flow into the unused SONET interface.
This data is small in size and does not contain any SOP or EOP information. This data
consumes some D4P buffer memory. The D4P buffer does not remove this data until
more data comes into the buffer. Periodic health check reports the following status:
D4P-10/1: FROML tx48 stream 1 data path stuck. To resolve this issue, purge the D4P
buffer. [PR/424326: This issue has been resolved.]
The queue counter of the aggregated Ethernet interface keeps counting up after the statistics
are cleared and the FPC is restarted. [PR/528027: This issue has been resolved.]
On an MX Series router with a mixed MPC and DPC environment, the first and
subsequent cell drops occur at the DPC. [PR/540283: This issue has been resolved.]
When there is a large amount of OID registration traffic from the subagent to the master
agent, the registration packets encounter random errors during transmission. This affects
the registration process. [PR/555345: This issue has been resolved.]
When a MAC address list is moved, the resulting flush process might be interrupted
when the list is processed. [PR/560730: This issue has been resolved.]
When multiple physical interfaces exist on a 4x Channelized DS3 IQ PIC, errors
might occur when each controller physical interface is deleted while the PIC is taken
offline. [PR/561841: This issue has been resolved.]
In some cases, when a DPC or MPC is restarted, a wrong physical interface index is
assigned to the interface which might cause the MPC to crash. [PR/563056: This issue
has been resolved.]
When a change in the bridge domain membership occurs, and the bridge domain has
an IRB interface and a vt-x/y/z interface, the Packet Forwarding Engine that does not
have any local interfaces on that bridge domain might restart. [PR/566878: This issue
has been resolved.]
When the chassisd process receives a temporary error code (such as Device Busy, Try
Again, No Buffer Space, or No Memory), while trying to add both the PIC and physical
interfaces present in the PIC to the kernel, the chassisd process may not retry adding
the physical interface back to the kernel until it succeeds. The device or physical
interface will not recover. It is recommended to restart the router or the FPC when this
issue is encountered. [PR/570206: This issue has been resolved.]
On TX Matrix Plus routers, the set craft-lockout command might cause an FPM interrupt
flooding. [PR/571270: This issue has been resolved.]
On any Junos OS device that supports Ethernet OAM, the cfmd process might crash
when a malformed delay measurement message (DMM) is received. [PR/571673: This
issue has been resolved.]
The PIM neighborship does not appear over the IRB interface after the dense port
concentrator (DPC) is restarted. [PR/559101: This issue has been resolved.]
MPLS Applications
Under certain circumstances, the routing protocol process might crash when
configuration changes are made to label-switched paths at the [edit protocol mpls]
hierarchy level. [PR/550699: This issue has been resolved.]
When the no-decrement-ttl statement is included at the [edit protocols mpls] or the
[edit protocols mpls label-switched-path path-name] hierarchy level, the VPN Label
TTL action field in the output of the show route extensive command displays
vrf-propagate-ttl as the action. This is a display issue only and has no operational
impact on the forwarding behavior. This is relevant to Layer 3 VPN scenarios where
BGP routes resolve over RSVP LSPs and the no-propagate-ttl statement is not
configured at the [edit protocols mpls] hierarchy level. [PR/563505: This issue has
been resolved.]
A point-to-multipoint LSP with bandwidth requirement might fail to retrace the original
path after a graceful restart, and might not come up until the end of the recovery period.
[PR/574308: This issue has been resolved.]
Network Management
SNMP might stop working after a router, a DPC, an FPC, or an MPC is restarted, or after
a graceful Routing Engine switchover. [PR/525002: This issue has been resolved.]
Under certain circumstances, the message NH: Failed to find nh (xxxx) for deletion
appears for the child links of an aggregate interface. However, this message should
appear only when the child next hop is not found. This message is only cosmetic.
[PR/494528: This issue has been resolved.]
In a Layer 2 circuit setup with a link services intelligent queuing interface (LSQ) in the
core, and the control-word option is enabled, a ping between two CE interfaces fails.
As a workaround, use the no-control-word option. [PR/551207: This issue has been
resolved.]
A DPC or an MPC may reset when Aggregate Ethernet (AE) interfaces are provisioned
with IRB. In some cases, a DPC may also reset when a member link of an AE interface
flaps. [PR/559887: This issue has been resolved.]
With the IRB and AE interfaces in a bridge-domain, the old nexthop data is not cleared
from the Packet Forwarding Engines when they are updated. This causes the Packet
Forwarding Engine to crash when that nexthop is later referenced. [PR/560813: This
issue has been resolved.]
On an MX960 router, when an MPC is installed and OSPF and IS-IS are activated
simultaneously, the "jtree memory free using incorrect value 8 correct 0" message is
displayed for all DPCs. [PR/562719: This issue has been resolved.]
On standalone routers with GRES enabled (using the set chassis redundancy
graceful-switchover command), or on multichassis platforms (TX and TXP routers),
FPCs can crash creating a core file when interfaces are moved from one aggregate
bundle to another aggregate bundle in a single configuration commit operation. As a
workaround, split the operation into two commits. Remove the interface from one
bundle and perform a commit, and later add it to another bundle and perform another
commit. [PR/563473: This issue has been resolved.]
The MPC might crash when multicast traffic is forwarded and interfaces are deactivated.
[PR/565454: This issue has been resolved.]
In Junos OS Release 10.2 and later, the Packet Forwarding Engine process tracing is
enabled by default. This results in the MIB2D process not being able to communicate
with the Packet Forwarding Engine process. [PR/566681: This issue has been resolved.]
On MX Series routers running Junos OS Release 10.2 and later, when a new link from
a newly inserted FPC is configured to an existing aggregate configuration, the newly
added link information might not appear in the Link:, LACP info:, LACP Statistics:, and
Marker Statistics: fields in the output of the show interface aex extensive command.
Deactivate and then activate the aggregate interface to resolve this issue. [PR/571245:
This issue has been resolved.]
Routing Protocols
In rare situations, the routing protocol process might restart due to a software validation
failure. [PR/476143: This issue has been resolved.]
With a large number of peers in a single BGP group, continuous large route churn may
trigger scheduler slips in the routing protocol process. [PR/544573: This issue has been
resolved.]
In instances with scaled LACP configurations, the periodic packet management process
(ppmd) might experience memory leaks. [PR/547484: This issue has been resolved.]
A rare race condition might cause the routing protocol process to crash when an
(s,g)/(*,g) entry is removed. [PR/551949: This issue has been resolved.]
With NSR enabled for LDP, an LDP database entry mismatch exists between the master and the
backup Routing Engines. The backup Routing Engine does not replicate the LDP socket
with the error "jsr_sdrl_set_data: No space dlen." [PR/552945: This issue has been
resolved.]
When a default route target is sent by a BGP peer, the BGP does not track the VPN
routes covered by this route target. When the default route target goes away, the BGP
does not withdraw the VPN routes that were previously covered by that default route
target. [PR/556432: This issue has been resolved.]
On a 3D MPC, load balancing might not work correctly when BGP multipath is configured.
[PR/557099: This issue has been resolved.]
On M Series, MX Series, and T Series routers, the Virtual Router Redundancy Protocol
(VRRP) process might become unresponsive when processing is delegated to the
Packet Forwarding Engine. As a workaround, remove the delegate-processing option
from the [protocols vrrp] hierarchy level. [PR/559033: This issue has been resolved.]
When the advertise-default option is used with the route-target family, and a new VPN
is added, the necessary route refresh is not sent. [PR/561211: This issue has been
resolved.]
When the Link Layer Discovery Protocol (LLDP) advertisement interval value is changed
from 30 seconds to 60 seconds, and the show lldp detail command is executed, the
output shows 60 seconds. However, the Routing Engine forwards the LLDP packet
every 30 seconds. When the interface is deactivated and activated again, the LLDP
packets are forwarded every 60 seconds correctly. [PR/560857: This issue has been
resolved.]
Under certain circumstances, the routing protocol process crashes while receiving the
IGMP SNMP GetNext request. [PR/561842: This issue has been resolved.]
The multicast snooping process might crash and prevent a commit when the
apply-group statement is used at the bridge-domain <*> hierarchy level. [PR/562776:
This issue has been resolved.]
Communities are added in the import policy of the second VPN routing and forwarding
(VRF) table.
On M10i and M7i routers, the distributed PPMD process is disabled by default. However,
it should be enabled by default since it is supported by the Enhanced CFEB (CFEB-E).
[PR/565957: This issue has been resolved.]
IS-IS might not use the MPLS label-switched paths (LSPs) if the names of the
label-switched paths are similar in the first 32 characters. [PR/568093: This issue has
been resolved.]
If the always-compare-med option is configured when a route change occurs, the routing
protocol process might occasionally crash due to a soft assertion. However, the soft
assertion does not impact the user traffic. [PR/568725: This issue has been resolved.]
During a nonstop active routing (NSR) switchover with a large number of remote Layer
3 VPN prefixes, and a local eBGP session with short hold timers, routing protocol
process scheduler slips might occur, which causes the BGP session to flap. [PR/568756:
This issue has been resolved.]
Under certain circumstances, processing of links with maximum metric set by IS-IS
shortest path first (SPF) computation algorithm might lead to suboptimal routing
decisions. [PR/569649: This issue has been resolved.]
Services Applications
In scaled environments, the thread in the Multiservices PIC or DPC for cflow might run
too long. This causes the PIC or DPC to crash. [PR/494457: This issue has been
resolved.]
On Multiservices 500 PICs with graceful Routing Engine switchover, wrong record
values are seen for the IPv4 netflow export packets. This error occurs when the route
records do not get installed. [PR/545422: This issue has been resolved.]
The Multiservice 400 PIC crashes due to a memory allocation failure when the PIC
tries to respond to a Routing Engine CLI request. [PR/558237: This issue has been
resolved.]
The Multiservices PIC might crash when traffic is received on a Layer 2 Tunneling
Protocol (L2TP) session (MLPPP bundle), and a teardown request is also received at
the same time. [PR/561039: This issue has been resolved.]
If a class-of-service rule is applied to a service set, the inactive timeout under the
user-configured application does not take effect. As a workaround, match the
application in the class-of-service rule. [PR/571304: This issue has been resolved.]
VPNs
In MVPN routing-instances with local receivers, a flood next hop is created for each
S,G entry for multicast traffic received from the CE. After the local receivers are joined
or pruned, a new flood next hop is created. However, old flood nexthops are not deleted.
This leads to a memory leak within the routing protocol process. When this routing
protocol process reaches a size of 2 GB, it triggers an assertion and a restart.
[PR/569621: This issue has been resolved.]
In a local-switched Layer 2 virtual circuit scenario, the control and forwarding planes
might not be properly updated by the routing protocol process when one of the logical
interfaces forming a Layer 2 virtual circuit is taken down. [PR/572780: This issue has
been resolved.]
Previous Releases
Release 10.3R2
The following issues have been resolved since Junos OS Release 10.3R2. The identifier
following the description is the tracking number in our bug database.
Class of Service
When a VLAN ID is changed, the following message appears in the messages log:
"COSD_GENCFG_WRITE_FAILED: GENCFG write failed for Classifier to IFL 74. Reason:
File exists." This log message appears when the configuration is committed with VPLS
configured on the Gigabit Ethernet interface, and a class-of-service classifier or rewrite
rules that contain IEEE 802.1P on the interface are used. [PR/408552: This issue has
been resolved.]
When a logical interface set has a shaping-rate less than the sum of transmit-rates of
its queues and when the configuration is corrected so that the logical interface set gets
the correct shaping-rate, ADPC might crash. [PR/523507: This issue has been resolved.]
During a graceful Routing Engine switchover, the traffic control profile might not be
applied on the interfaces. As a workaround, deactivate and reactivate class of service.
[PR/533862: This issue has been resolved.]
When per-unit-scheduler is applied under the interfaces hierarchy level, and shaping
rate is applied under the class-of-service interface hierarchy level in the same commit
operation, port shaping rate does not work and the total logical interface transmitted
byte rate exceeds the physical interface shaping rate. As a workaround, configure
shaping-rate within a traffic-control-profile and apply that to an interface, or deactivate
and activate shaping-rate using the class-of-service interface interface-name shaping-rate
command. [PR/539590: This issue has been resolved.]
Under certain conditions, the class of service configuration might not take effect on
an IQ2 PIC. [PR/541814: This issue has been resolved.]
When the rate-limit option is configured on a physical interface on IQ2 PICs, the show
interface queue command might not display the RL-dropped counters. [PR/547218:
This issue has been resolved.]
The egress rate limit over a logical interface may drop large packets. [PR/547506: This
issue has been resolved.]
In Junos OS Release 10.2 and later, the cosd process might crash while a configured
commit is processed, as this process accesses a memory location that has already
been freed. However, this issue is encountered rarely. [PR/548367: This issue has been
resolved.]
Port mirroring does not work under the bridge-domain forwarding-option filter.
[PR/529272: This issue has been resolved.]
The policer counter might be missing in the SNMP walk. Reboot the router to solve this
problem. [PR/535715: This issue has been resolved.]
When logical systems are configured, the show bridge-domains command might time
out and return the following error message: error: timeout communicating with
l2-learning daemon. [PR/536604: This issue has been resolved.]
In Junos OS Release 10.2, the Routing Engine-based sampling might not work if the
routing table inet.0 has a route for 128.0.0.1. The issue occurs when this route points
to an external interface. [PR/540891: This issue has been resolved.]
A GRE interface might experience an incoming packet loss if a firewall filter is configured
on the forwarding table. [PR/541901: This issue has been resolved.]
High Availability
On M120 routers, the message "stream blocked detected message" is displayed when an
FEB is switched from the backup to the primary. [PR/540644: This issue has been
resolved.]
An OAM trace displays an incorrect next-hop MAC value. [PR/494588: This issue has
been resolved.]
When traffic flows into the MPC on which a bridge-domain configuration is being
changed or the card is booting up, the forwarding software tries to access uninitialized
memory for a short duration. This is a cosmetic issue and does not have any functional
impact. [PR/506344: This issue has been resolved.]
On M7i routers with Junos OS Release 8.5 or later, the output of the show interfaces
fxp0 command shows the fxp0 interface to be in the link up state even when the
interface is disabled with no cables connected. [PR/508261: This issue has been
resolved.]
When the VRRP6 master changes, there is no log output for VRRP IPv6. [PR/514821:
This issue has been resolved.]
When a SIB is taken offline via a CLI command, the output of the show chassis sibs
command does not display the message Offlined by cli command. However, this
message is correctly displayed for the FPCs. [PR/519842: This issue has been resolved.]
Retrieving statistics for LSQ interfaces fails in a scaled LSQ configuration when the show
interfaces queue lsq-w/x/y:z command is executed. [PR/523260: This issue has been
resolved.]
When MLPPP interfaces of an MS-PIC are taken offline, the following syslog message
displays: RT: itable unset idx 372 to proto MLPPP iftable failed (Invalid arguments)
on FE -1. [PR/528649: This issue has been resolved.]
In Junos OS Release 10.0 and later, a very large number of the following
messages appear on the MX960 and SRX5800 routers:
MX960 /kernel: PCF8584(WR): transmit failure on byte 1
MX960 /kernel: PCF8584(WR): (i2c_s1=0x80, group=0xe, device=0x54)
MX960 /kernel: PCF8584(WR): busy at start, attempting to clear
MX960 /kernel: PCF8584(WR): (i2c_s1=0x00, group=0xe, device=0x54)
MX960 /kernel: PCF8584(RD): ack failure on 2nd last byte
These messages are not an indication of a fan failure. They are cosmetic and can be
ignored. [PR/531253: This issue has been resolved.]
On MX960 routers, the link status stays in the "Link ok" state when the SCB is removed
without taking it offline using the CLI or switch. [PR/536860: This issue has been
resolved.]
The SCB displays an incorrect state when it is removed without taking it offline using
the CLI or buttons. This is not a cosmetic error and might impact the traffic.
[PR/536866: This issue has been resolved.]
On MX Series routers with 10.x Power Budget, after a "Power Budget: Chassis
experiencing power shortage" alarm occurs, the alarm does not clear even after the
power budget problem is cleared. [PR/540522: This issue has been resolved.]
The MX-MPC1-3D-Q accepts VLAN tagged packets even when the interface is not
configured with VLAN tagging. [PR/540620: This issue has been resolved.]
The link-up time on a 16x 10-Gigabit Ethernet MPC is not shorter than on the other platforms
(ADPC and other MPCs) due to the emission dispersion compensation (EDC)
functionality of the PHY device on the MPC. This causes a delay of 50 ms to 150 ms
and cannot be changed. [PR/540694: This issue has been resolved.]
The sonet-options raise-rdi-on-rei and trigger options do not work well together. Turning
the raise-rdi-on-rei option on and off again requires the trigger option to flap in order
to assert or clear the RDI-L alarm. As a workaround, when both sonet-options
raise-rdi-on-rei and trigger options are configured, flap the sonet-options trigger as well.
[PR/540745: This issue has been resolved.]
With Junos OS Release 10.2 and later, when a logical interface on an ATM-II IQ PIC is
disabled, the FPC is taken offline and brought back online, and the PIC is reenabled,
the logical interface stays down with atm_maker_check_indq error messages.
[PR/541688: This issue has been resolved.]
When a Gigabit Ethernet or an XE interface on IQ2 PICs is disabled, and the link status
is up, the traffic received from the interface might still be forwarded. [PR/543388: This
issue has been resolved.]
When logical interfaces are created, the NPC crashes and the FPC goes down.
[PR/545314: This issue has been resolved.]
Chassisd crashes when the show chassis clocks command is executed. [PR/545510:
This issue has been resolved.]
When configuration changes are made that are unrelated to the interfaces, interface
sets, or PICs, a commit failure occurs with the following error message: "error: iflset
xxxx configured for nonexisting ifd ge-x/x/x." [PR/546184: This issue has been resolved.]
On a 10-Gigabit Ethernet PIC, a log is generated when the SFP is plugged in. However,
no log is generated when the SFP is not plugged in. [PR/548251: This issue has been
resolved.]
A CFM ping command fails when the maintenance domain or maintenance association
is longer than 32 characters. [PR/550014: This issue has been resolved.]
If a bridge-domain contains more than one Aggregated Ethernet interface, and the IRB interface
experiences the right sequence of MAC moves, the FPC might restart. [PR/550824:
This issue has been resolved.]
If the number of VPLS connections exceeds 31, frequent FPC and NPC crashes might
occur. [PR/552099]
The EOA family configurations over a container ATM interface might be deleted and
added again upon every commit (including unrelated commits). [PR/553077: This
issue has been resolved.]
When a remote PE's address is configured on a local loopback interface, the MVPN
PIM neighborship to that PE in a different VRF might be affected. [PR/558584]
On MX Series routers, when both the top and bottom fan trays are enhanced and a
mastership switch is performed, the alarm "craftd[1337]: Minor alarm set, Mix of
FAN-TRAYS" displays. This only occurs after a switchover or an upgrade. This alarm
is temporary, is cleared within a few seconds, and does not cause any routing or
forwarding issues on the chassis. [PR/541617: This issue has been resolved.]
The AE interface does not show the system identifier for the attached interfaces in
actor role. Because of this, the AE interface gets stuck in the detached state after it is
rebooted from both ends. Additionally, the AE interface flaps when the backup Routing
Engine is rebooted and a graceful Routing Engine switchover (GRES) is performed.
[PR/547739: This issue has been resolved.]
The DHCP relay bindings remain in a release state with a negative lease time.
[PR/549520: This issue has been resolved.]
The L2CPD might have a memory leak when LLDP is enabled. [PR/549531: This issue
has been resolved.]
MPLS Applications
With BFD enabled over IGP and an RSVP session built across it, when the RSVP peer
does not support RSVP Hello (or is disabled), the BFD session down event triggers
only the IGP neighbor to go down. The RSVP session remains up until a session timeout
occurs. [PR/302921: This issue has been resolved.]
The rlist entry corresponding to the previously existing rlist is not removed, which causes
the routing protocol process to crash. [PR/513160: This issue has been resolved.]
When a protected link flaps, certain RSVP routes do not lose association with the
p2mp_nh. [PR/530750: This issue has been resolved.]
Under NGEN-MVPN with vrf-table-label configured on the provider edge, the provider
router connecting to that provider edge might keep an old P2MP MPLS label entry
upon label-switched path optimization or reroute. There is no workaround. [PR/538144:
This issue has been resolved.]
An LSP with auto-bw might stay down for approximately 30 minutes after a Routing
Engine switchover or a Routing Engine restart when graceful restart fails. As a
workaround, disable and reenable the MPLS or OSPF stanza. [PR/539524: This issue
has been resolved.]
On a P2MP LSP setup, the routing protocol process of the transit router might core
when the topology changes with respect to the ingress sub-LSP router. There is no
workaround. [PR/549778: This issue has been resolved.]
In Junos OS Release 10.2, when the clear mpls lsp autobandwidth command is executed
at the ingress router, the updated Maximum AvgBW Utilization field displays a value
that is much higher than the actual bandwidth. [PR/550289: This issue has been
resolved.]
On MX80 routers, the MPLS LSP statistics do not record the transit traffic on a
single-hop LSP with an implicit NULL label. [PR/551124: This issue has been resolved.]
When a large number of P2MP LSPs exist during periods of high network instability
with many links flapping, and MBB re-routing of a P2MP LSP occurs, an MPLS route
can become stale. This can cause a routing protocol process assertion failure on a
transit router. [PR/555219: This issue has been resolved.]
Network Management
The SNMP process might restart when a core dump is generated. [PR/517230: This
issue has been resolved.]
In Junos OS Release 10.2 and later, the size of the MIB2D process might increase as a
result of memory leaks. This causes the MIB2D process to crash as it reaches its
maximum permitted size. [PR/546872: This issue has been resolved.]
In Junos OS Release 9.2 and later, a memory leak occurs in the subagent in a scenario
where the snmpd process is not running, or there are issues in communication with a
subagent and traps are being generated by the subagent. [PR/547003: This issue has
been resolved.]
When the firewall filter policer configuration is changed, the SNMP MIBs might not
update correctly. As a result, the counters are inaccessible. [PR/555719: This issue has
been resolved.]
Redirect drops that are not real errors are taken into account in the "Iwo HDRF" error
statistics that are reported in the output of the show pfe statistics errors command on
I-chip based routers. Because redirect drops are expected in a VPLS (and Ethernet in
general) environment, this behavior could be misleading. [PR/430344: This issue has
been resolved.]
After an 8216 Routing Engine upgrade to Junos OS Release 9.6 with "chassis"
deactivated, the backup Routing Engine starts to reboot with the panic message "panic:
filter_idx_alloc: invalid filter index," and crashes when the chassis configuration is
enabled and committed. After the Routing Engine finally comes online, the CLI response
is slow and the Routing Engine reboots again after approximately three minutes. To
stop these reboots, deactivate the chassis on the backup Routing Engine. [PR/489029:
This issue has been resolved.]
On T Series routers, the FPC might continuously reboot upon installation. [PR/510414:
This issue has been resolved.]
When the system default-router a.b.c.d command is used, the default route is not
installed in the Packet Forwarding Engine. [PR/523663: This issue has been resolved.]
In an MPLS environment, the source NAT or PAT for traffic between two remote VPNs
does not work when the vrf-table-label option is removed from the VRF where the
inside-service interfaces are located. [PR/524294: This issue has been resolved.]
When VPLS is configured on the router, the following log messages will appear when
the interface goes down:
RT-HAL,rt_entry_delete_msg_proc,XXX: route add posthandler failed
RT-HAL,rt_msg_handler,XXX: route process failed
These messages can be ignored. [PR/524548: This issue has been resolved.]
After the MS-PICs homing PE interfaces used for MVPN are taken offline and brought
back online, the following message may be logged: flip-re0 fpc3 SLCHIP(0): %PFE-3:
Channel 8189 (iif=701) on stream 32 already exists. [PR/527813: This issue has been
resolved.]
The Packet Forwarding Engine incorrectly imposes a rate limit function for the
host-bound virtual LAN tagged packets with IEEE 802.1p value of 1. There is no
workaround. [PR/529862: This issue has been resolved.]
A router might send raw IPv6 host-generated packets over the Ethernet towards its
BGP IPv6 peers. [PR/536336: This issue has been resolved.]
BGP authentication does not work with the 64-bit Junos OS BGP route reflector on a
JCS platform. BGP sessions fail to establish, and the following error message is
observed: "... /kernel: tck_auth_ok Packet from XXX.XXX.XXX.XXX:XXXXX wrong MD5
digest." [PR/538076: This issue has been resolved.]
On M10i routers, an upgrade to Junos OS Release 10.2 fails and aborts when the PIC
combinations are verified. As a workaround, first verify the PIC combinations manually
against PSN-2010-06-777, then use the force option to override the warnings and force
the upgrade. [PR/540468: This issue has been resolved.]
In Junos OS Release 10.3, the following messages may be seen in the syslog: /kernel:
sysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries:
3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing
setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of
paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of param /kernel:
sysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans
timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of
paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1,
retrans timer testing setting of param. These messages are cosmetic. [PR/540808:
This issue has been resolved.]
During SNMP queries in Junos OS Release 10.2 and later, the size of the MIB2D process
might increase as a result of memory leaks in a statistics-associated library routine
(libstats). This causes the MIB2D process to crash as it reaches its maximum permitted
size. [PR/541251: This issue has been resolved.]
During router bootup, the error messages: "can't re-use a leaf (nd6_prune)!" and "can't
re-use a leaf (nd6_mmaxtries)!" display. [PR/543422: This issue has been resolved.]
The backup Routing Engine might cause the kernel to crash when a configuration
change occurs on the AE bundle during a next-hop index allocation. [PR/544092: This
issue has been resolved.]
On TX Matrix routers with T640-FPC3 FPCs and a large number of routes, when an
AE interface in an ECMP path is taken down, small packet drops might occur in the
traffic on the other ECMP link. This issue does not occur when an indirect next hop is
used. [PR/545166: This issue has been resolved.]
In Junos OS Release 10.0 and later, the FPCs in M320 and T Series routers might crash
when the error PFE: Detected error next-hop (corrupted next-hop) is encountered.
[PR/546606: This issue has been resolved.]
On M120 routers, multicast packet drops occur when both the Fast Ethernet and the
SFP Gigabit Ethernet PICs are located on the same Packet Forwarding Engine.
[PR/546835: This issue has been resolved.]
In Junos OS Release 9.3 and later, when routers using Enhanced FPCs (T640-FPCx-ES
or T1600-FPC4-ES FPCs) have a configuration involving CBF LSPs and aggregate
interfaces, a jtree corruption might occur when a flap from a member link in the
aggregate occurs on the remote end, or the FPC of the remote router is rebooted. To
avoid this issue, use the indirect-next-hop option (routing-options forwarding-table
indirect-next-hop). The error message "PFE: Detected error nexthop:" indicates a jtree
corruption. [PR/548436: This issue has been resolved.]
Routing Protocols
The output of the show ospf statistics command does not display the hello packet
statistics. [PR/427725: This issue has been resolved.]
The mirror receive task variable may not be cleared when the routing protocol process
is heavily scaled. Hence, the NSR replication for RIP status stays in the "InProgress"
state indefinitely. [PR/516003: This issue has been resolved.]
Under rare circumstances, multiple commits might crash both Routing Engines. The
routing protocol process dumps core and restarts only on the master Routing Engine.
This issue occurs when commits are executed within one minute. [PR/516479: This
issue has been resolved.]
Upon an NSR mastership switch or ISSU upgrade, the multicast resolve route for IPv4
224/4 or inet6 ff00::/8 might be missing within the forwarding-table. To recover from
this condition, deactivate and activate the protocol pim stanza, or restart the routing
protocol process. [PR/522605: This issue has been resolved.]
In Junos OS Release 9.5 and later, BGP parses a community value that begins with 0 as
an octal value. This behavior differs from earlier releases. [PR/530086: This issue has
been resolved.]
The overload bit in the IS-IS LSP MT-TLV might cause IS-IS to install a default route
to the advertiser of the overload bit, and the output of the show isis database extensive
command displays an unknown TLV. [PR/533680: This issue has been resolved.]
The routing protocol process might crash due to an invalid prefix-length value in one
of the flow-spec routes. [PR/534757: This issue has been resolved.]
If there is enough join state associated with a neighbor and that neighbor goes down
and comes back up quickly, then that join state may be stranded in an unresolved state
until the clear pim join command is issued. [PR/539962: This issue has been resolved.]
On Type 2 Trio MPC, multiple changes to a single term in quick succession can cause
an incorrect filter state in the Packet Forwarding Engine. This causes the MPC to crash.
[PR/540674: This issue has been resolved.]
The routing protocol process might crash when a BGP connection attempt meets with
an RST from the peer. This is due to an unlikely race condition. [PR/540895: This issue
has been resolved.]
Under certain timing conditions, an interior gateway protocol topology change can
result in the BGP routes referencing an incorrect egress interface. This problem can
occur when active and inactive BGP routes are learned from the same peer and the
inactive BGP routes are deleted at the time of the topology change. [PR/543911: This
issue has been resolved.]
In instances with scaled LACP configurations, the periodic packet management process
(ppmd) might experience memory leaks. [PR/547484: This issue has been resolved.]
When two identical local interface addresses are shared between two VRFs via
auto-export, the routing protocol process might cause a high CPU utilization.
[PR/547897: This issue has been resolved.]
When the primary loopback address changes, the routing protocol process might crash
when a new data mdt is created. [PR/549483: This issue has been resolved.]
If a PIM <S, G> join arrives when there is no route to the source, PIM RPF checking is
disabled, and a matching multicast route is present, the output interfaces associated
with the PIM <S, G> join are not added to the multicast route. [PR/550703: This issue
has been resolved.]
The IPv6 entries are removed from the output of the show pim interfaces command
when the corresponding interface is in the down state. This is a cosmetic issue.
[PR/550799: This issue has been resolved.]
On MX80 routers, even when static routes are configured, the management port does
not forward traffic to the user ports. [PR/552952: This issue has been resolved.]
When an interface-based IPv6 BGP session with a 2-byte AS format is used, the system
might crash. [PR/553772: This issue has been resolved.]
An IS-IS adjacency flap at a precise interval can cause the routing protocol process to
restart on a neighbor, as it is in the process of purging the LSAs of the previously down
node from the local database. [PR/554233: This issue has been resolved.]
Services Applications
In Junos OS Release 10.0 and later, the routing instance name is restricted to 63
characters. [PR/533882: This issue has been resolved.]
The BGP_IPV4_NEXT_HOP field on the jflow v9 record matches the originator ID instead
of the BGP next hop. [PR/534598: This issue has been resolved.]
When traffic is forwarded in an L2TP session and a teardown request is received, the
ASPIC crashes with a memory access violation in mlppp_output. [PR/537225: This
issue has been resolved.]
On M Series routers configured for L2TP tunneling with several thousands of PPP
connections, when all the PPP sessions expire at the same time, the Multiservices PIC
might hang and become unusable. To recover the service, restart the PIC. [PR/541793:
This issue has been resolved.]
On Multiservices 500 PICs with graceful Routing Engine switchover (GRES), wrong
record values are seen for the IPv4 netflow export packets. This error occurs when the
route records are not installed. [PR/545422: This issue has been resolved.]
The IPv6 and MPLS route counts are not reflected in the output of the show service
accounting status command. [PR/550793: This issue has been resolved.]
In a router configured with a large number of interfaces, when a few interfaces are
constantly added and deleted, a minor memory leak might be observed in the "pfed"
process. [PR/522346: This issue has been resolved.]
While a configuration with a long as-path is displayed in XML format using the show
configuration | display xml | no-more command, the closing tag for the as-path <path>
is wrongly displayed as </path instead of </path>. [PR/525772: This issue has been
resolved.]
The xnm service currently does not support logging of remote-host addresses in system
accounting. [PR/535534: This issue has been resolved.]
It is possible to log in to J-Web from a Web browser using a cipher strength of 40 or
56 bits. This could create a security issue. As a workaround, use a Web browser that
supports 128-bit cipher strength. [PR/539477: This issue has been resolved.]
The system continues to use the TACACS server configuration even after it is removed.
As a workaround, deactivate and reactivate the accounting configuration. [PR/544770:
This issue has been resolved.]
When the load set command is used to refresh a script file, the script does not refresh,
and exits from the CLI after displaying the rpc-related errors. [PR/555316: This issue
has been resolved.]
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
VPNs
When two MVPN routing instances and at least one L2VPN routing instance are
configured, the commit fails with the following message: "RPD_RT_DUPLICATE_RD:
routing-instance xxx has duplicate route-distinguisher." As a workaround, configure
the route-distinguisher-id for each instance manually. [PR/511514: This issue has been
resolved.]
If a VPN routing and forwarding (VRF) instance contains a static route that is resolved
via a route that is auto-exported from another routing instance, the static route may
not be removed when the physical interface goes down. [PR/531540: This issue has
been resolved.]
Under certain circumstances, the container interfaces might not send the proper martini
modes to the routing protocol process. This results in incorrect control-word-related
information sent to the Packet Forwarding Engine. [PR/541998: This issue has been
resolved.]
In a Live/Standby MVPN extranet setup, with the primary provider on PE1, the backup
provider on PE2, and a receiver on PE3 and receivers also on PE1 and PE2, traffic drops
occur for 25 seconds after every 35 seconds. [PR/542984: This issue has been resolved.]
Related
Documentation
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
on page 6
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX
Series, and T Series Routers on page 42
Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series,
MX Series, and T Series Routers on page 77
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series,
and T Series Routers on page 83
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and
T Series Routers
Changes to the Junos OS Documentation Set
The following are the changes made to the Junos OS documentation set:
The new index pages launched for Junos OS technical documentation present
documentation links in categories and include brief descriptions of the content of each
link. Related links to platform documentation pages are included in the right-hand
navigation. The new pages contain all of the content of the previous versions of the pages;
only the formatting has changed.
The term Multiplay has been replaced with Session Border Control in the Junos OS
Release Notes.
The Integrated Multi-Service Gateway (IMSG) pathway page now includes three
complete configuration examples:
IMSG Basic Configuration
IMSG Dual BGFs
IMSG Server Clusters
The configuration examples are applicable to Junos OS Release 10.2 and later.
The Junos OS Layer 2 Configuration Guide provides an overview of the Layer 2 functions
supported on Juniper Networks routers, including configuring bridge domains, MAC
addresses and VLAN learning and forwarding, and spanning-tree protocols. It also
details the routing instance types used by Layer 2 applications. This material was
formerly covered in the Junos OS MX Series Ethernet Services Routers Layer 2
Configuration Guide.
Documentation for the extended DHCP relay agent feature is no longer included in the
Policy Framework Configuration Guide. For DHCP relay agent documentation, see the
In Junos OS Release 10.3R1 and later, PDF files are not available for individual HTML
pages in the Junos OS documentation set. PDF files are available for the complete
Junos OS Release 10.3 configuration guides at
http://www.juniper.net/techpubs/software/junos/junos103/index.html. PDF files for the
complete hardware guides are accessible at the following URLs:
In addition, individual HTML pages have a Print link in the upper left corner of the text
area on the page.
Errata
This section lists outstanding issues with the documentation.
High Availability
TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix
do not currently support nonstop active routing. [High Availability]
For the T320, T640, and T1600 routers, external clock synchronization is not supported
on SONET clock generators (SCG) with DB-9 external clock interfaces.
[System Basics, Hardware Guides]
The Configuring Layer 2 Circuit Transport Mode chapter in the Network Interfaces
Configuration Guide states the following:
For Layer 2 circuit cell relay and Layer 2 trunk modes, include the atm-l2circuit-mode
cell statement at the [edit chassis fpc slot pic slot] hierarchy level and the
encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name]
hierarchy level.
This configuration is correct and interoperates with routers running all versions of Junos
OS.
However, the chapter does not mention that you can also include the encapsulation
atm-ccc-cell-relay statement at the [edit interfaces interface-name unit
logical-unit-number] hierarchy level. When you include the statement at the [edit
interfaces interface-name unit logical-unit-number] hierarchy level, keep the following
points in mind:
This configuration does not interoperate with other network equipment, including a
Juniper Networks router running Junos OS Release 8.3 or later, unless it is also
configured with the same use-null-cw statement.
For a Juniper Networks router running Junos OS Release 8.3 or later to interoperate
with another Juniper Networks router running Junos OS Release 8.2 or earlier, on the
router running Junos OS Release 8.3 or later, include the use-null-cw statement at
the [edit interfaces interface-name atm-options] hierarchy level.
The use-null-cw statement inserts (for sending traffic) or strips (for receiving traffic)
an extra null control word in the MPLS packet.
[Network Interfaces]
With Junos OS Release 10.1 and later, you need not include the tunnel option or the
clear-dont-fragment-bit statement when configuring allow-fragmentation on a tunnel.
[Services Interfaces]
J-Web Interface
To access the J-Web interface, your management device requires the following
software:
Some features marked as supported on MX Series 3D Universal Edge Routers are not
currently supported on MX80 routers. For a complete list of available features on MX80
routers please contact your sales engineer or the Juniper Technical Assistance Center.
Services Applications
The rate statement for packet sampling is now configured at the following hierarchy
level: [edit forwarding-options sampling input family family].
[Services Interfaces]
The Configuring a Dynamic Profile for Client Access topic erroneously uses the
$junos-underlying-interface variable when an IGMP interface is configured in the client
access dynamic profile. The following example shows the appropriate use of the
$junos-interface-name variable:
[edit dynamic-profiles access-profile]
user@host# set protocols igmp interface $junos-interface-name
obtains this information from the RADIUS server when a subscriber accesses the router.
The version is applied to the accessing subscriber when the profile is instantiated. You
specify this variable at the [dynamic-profiles profile-name protocols igmp] hierarchy
level for the interface statement.
In addition, the Subscriber Access Configuration Guide erroneously specifies the use of
a colon (:) when you configure the dynamic profile to define the IGMP version for client
interfaces. The following example provides the appropriate syntax for setting the IGMP
interface to obtain the IGMP version from RADIUS:
[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name]
user@host# set version $junos-igmp-version
The Subscriber Access Configuration Guide and the System Basics Configuration Guide
contain information about the override-nas-information statement. This statement
does not appear in the CLI and is not supported.
[Subscriber Access, System Basics]
When you modify dynamic CoS parameters with a RADIUS change of authorization
(CoA) message, the Junos OS accepts invalid configurations. For example, if you specify
a transmit rate that exceeds the allowed 100 percent, the system does not reject
the configuration and returns unexpected shaping behavior.
[Subscriber Access]
We do not support multicast RIF mapping and ANCP when they are configured
simultaneously on the same logical interface. For example, we do not support a
configuration in which a multicast VLAN and ANCP are configured on the same logical
interface and the subscriber VLANs are the same for both ANCP and multicast.
[Subscriber Access]
The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber
Access Configuration Guide erroneously states that dynamic CoS is supported for
dynamic VLANs on the Trio MPC/MIC family of products. In the current release, dynamic
CoS is supported only on static VLANs on Trio MPC/MIC interfaces.
[Subscriber Access]
In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by
the AAA Service Framework topic and the Specifying an Address Pool in a Domain Map
topic incorrectly indicate that VSA 26-2 (Local-Address-Pool) is supported. Subscriber
management does not support this VSA.
[Subscriber Access]
In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by
the AAA Service Framework table and the RADIUS-Based Mirroring Attributes table
incorrectly describe VSA 26-59. The correct description is as follows:
Attribute Number   Attribute Name    Description
26-59              Med-Dev-Handle
[Subscriber Access]
User Interface and Configuration
The show system statistics bridge command displays system statistics on MX Series
routers. [System Basics Command Reference]
VPNs
In Chapter 19, Configuring VPLS of the VPNs Configuration Guide, an incorrect statement
that caused contradictory information about which platforms support LDP BGP
interworking has been removed. The M7i router was also omitted from the list of
supported platforms. The M7i router does support LDP BGP interworking.
[VPNs]
Related
Documentation
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
on page 6
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX
Series, and T Series Routers on page 42
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series,
and T Series Routers on page 83
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T
Series Routers
This section discusses the following topics:
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and
NSR on page 89
NOTE: With Junos OS Release 9.0 and later, the compact flash disk memory
requirement for Junos OS is 1 GB. For M7i and M10i routers with only 256 MB
memory, see the Customer Support Center JTAC Technical Bulletin
PSN-2007-10-001 at
https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001&actionBtn=Search.
NOTE: Before upgrading, back up the file system and the currently active
Junos configuration so that you can recover to a known, stable environment
in case the upgrade is unsuccessful. Issue the following command:
user@host> request system snapshot
The installation process rebuilds the file system and completely reinstalls
the Junos OS. Configuration information from the previous software
installation is retained, but the contents of log files might be erased. Stored
files on the routing platform, such as configuration templates and shell scripts
(the only exceptions are the juniper.conf and ssh files) might be removed. To
preserve the stored files, copy them to another system before upgrading or
downgrading the routing platform. For more information, see the Junos OS
System Basics Configuration Guide.
The download and installation process for Junos OS Release 10.4 is the same as for
previous Junos OS releases.
If you are not familiar with the download and installation process, follow these steps:
1. Using a Web browser, follow the links to the download URL on the Juniper Networks
Web page. Choose either Canada and U.S. Version or Worldwide Version:
2. Log in to the Juniper Networks authentication system using the username (generally
site.
5. Install the new jinstall package on the routing platform.
Customers in the United States and Canada use the following command:
user@host> request system software add validate reboot source/jinstall-10.4R2.6-domestic-signed.tgz
router.
For software packages that are downloaded and installed from a remote location:
ftp://hostname/pathname
http://hostname/pathname
The validate option validates the software package against the current configuration
as a prerequisite to adding the software package to ensure that the router reboots
successfully. This is the default behavior when the software package being added is
a different release.
Adding the reboot command reboots the router after the upgrade is validated and
installed. When the reboot is complete, the router displays the login prompt. The
loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a Junos OS Release 10.4 jinstall package, you cannot
issue the request system software rollback command to return to the previously
installed software. Instead you must issue the request system software add
validate command and specify the jinstall package that corresponds to the
previously installed software.
NOTE: Before you upgrade a router that you are using for voice traffic, you
should monitor call traffic on each virtual BGF. Confirm that no emergency
calls are active. When you have determined that no emergency calls are
active, you can wait for nonemergency call traffic to drain as a result of
graceful shutdown, or you can force a shutdown. For detailed information
on how to monitor call traffic before upgrading, see the Junos OS Multiplay
Solutions Guide.
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine
and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine while keeping the
Routing Engine, switch over to the backup Routing Engine to activate the new software.
4. Install the new software on the original master Routing Engine that is now active as
In Junos OS Release 10.1 and later, you can use the router's main instance loopback
(lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM
state for the multicast VPN. We strongly recommend that you perform the following
procedure when upgrading to Junos OS Release 10.1 if your draft-rosen multicast VPN
network includes both Juniper Networks routers and other vendors' routers functioning
as provider edge (PE) routers. Doing so preserves multicast VPN connectivity throughout
the upgrade process.
Because Junos OS Release 10.1 supports using the router's main instance loopback (lo0.0)
address, it is no longer necessary for the multicast VPN loopback address to match the
main instance loopback address lo0.0 to maintain interoperability.
NOTE: You might want to maintain a multicast VPN instance lo0.x address
to use for protocol peering (such as IBGP sessions), or as a stable router
identifier, or to support the PIM bootstrap server function within the VPN
instance.
Complete the following steps when upgrading routers in your draft-rosen multicast VPN
network to Junos OS Release 10.1 if you want to configure the router's main instance
loopback address for draft-rosen multicast VPN:
1. Upgrade all M7i and M10i routers to Junos OS Release 10.1 before you configure the
loopback address for draft-rosen Multicast VPN.
NOTE: Do not configure the new feature until all the M7i and M10i routers
in the network have been upgraded to Junos OS Release 10.1.
2. After you have upgraded all routers, configure each router's main instance loopback
address as the source address for multicast interfaces. Include the default-vpn-source
interface-name loopback-interface-name statement at the [edit protocols pim]
hierarchy level.
3. After you have configured the router's main loopback address on each PE router,
delete the multicast VPN loopback address (lo0.x) from all routers.
We also recommend that you remove the multicast VPN loopback address from all
PE routers from other vendors. In Junos OS releases prior to 10.1, to ensure
interoperability with other vendors' routers in a draft-rosen multicast VPN network,
you had to perform additional configuration. Remove that configuration from both
the Juniper Networks routers and the other vendors' routers. This is the configuration
on Juniper Networks routers and on the other vendors' routers where you configured
the lo0.mvpn address in each VRF instance as the same address as the main loopback
(lo0.0) address.
This configuration is not required when you upgrade to Junos OS Release 10.1 and use
the main loopback address as the source address for multicast interfaces.
For more information about configuring the draft-rosen Multicast VPN feature, see the
Junos OS Multicast Configuration Guide.
A minimum of free disk space and DRAM on each Routing Engine. The software upgrade
will fail on any Routing Engine without the required amount of free disk space and
DRAM. To determine the amount of disk space currently available on all Routing Engines
of the routing matrix, use the CLI show system storage command. To determine the
amount of DRAM currently available on all the Routing Engines in the routing matrix,
use the CLI show chassis routing-engine command.
The master Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC)
and T640 routers or T1600 routers (LCC) are all re0 or are all re1.
The backup Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC)
and T640 routers or T1600 routers (LCC) are all re1 or are all re0.
All master Routing Engines in all routers run the same version of software. This is
necessary for the routing matrix to operate.
All master and backup Routing Engines run the same version of software before
you begin the upgrade procedure. Different versions of Junos OS can have
incompatible message formats, especially if GRES is enabled. Because the steps in
the process include changing mastership, running the same version of software is
recommended.
For a routing matrix with a TX Matrix router, the same Routing Engine model is used
within a TX Matrix router (SCC) and within a T640 router (LCC) of a routing matrix.
For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using
two RE-1600s is supported. However, an SCC or an LCC with two different Routing
Engine models is not supported. We suggest that all Routing Engines be the same
model throughout all routers in the routing matrix. To determine the Routing Engine
type, use the CLI show chassis hardware | match routing command.
For a routing matrix with a TX Matrix Plus router, the SFC contains two model
RE-DUO-C2600-16G Routing Engines, and each LCC contains two model
RE-DUO-C1800-8G Routing Engines.
NOTE: It is considered best practice to make sure that all master Routing
Engines are re0 and all backup Routing Engines are re1 (or vice versa). For
the purposes of this document, the master Routing Engine is re0 and the
backup Routing Engine is re1.
To upgrade the software for a routing matrix, perform the following steps:
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine
(re0) and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine (re1) while keeping
the currently running software version on the master Routing Engine (re0).
3. Load the new Junos OS on the backup Routing Engine. After making sure that the new
software version is running correctly on the backup Routing Engine (re1), switch
mastership back to the original master Routing Engine (re0) to activate the new
software.
4. Install the new software on the new backup Routing Engine (re0).
For the detailed procedure, see the Routing Matrix with a TX Matrix Feature Guide or the
Routing Matrix with a TX Matrix Plus Feature Guide.
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR
Junos OS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the
following PIM features are not currently supported with NSR. The commit operation fails
if the configuration includes both NSR and one or more of these features:
Anycast RP
Local RP
Junos OS Release 9.3 introduced a new configuration statement that disables NSR for
PIM only, so that you can activate incompatible PIM features and continue to use NSR
for the other protocols on the router: the nonstop-routing disable statement at the [edit
protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM features,
not only the incompatible ones.)
If neither NSR nor PIM is enabled on the router to be upgraded or if one of the unsupported
PIM features is enabled but NSR is not enabled, no additional steps are necessary and
you can use the standard upgrade procedure described in other sections of these
instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use
the standard reboot or ISSU procedures described in the other sections of these
instructions.
Because the nonstop-routing disable statement was not available in Junos OS Release
9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to
be upgraded from Junos OS Release 9.2 or earlier to a later release, you must disable
PIM before the upgrade and reenable it after the router is running the upgraded Junos
OS and you have entered the nonstop-routing disable statement. If your router is running
Junos OS Release 9.3 or later, you can upgrade to a later release without disabling NSR
or PIM; simply use the standard reboot or ISSU procedures described in the other sections
of these instructions.
To disable and reenable PIM:
1. On the router running Junos OS Release 9.2 or earlier, enter configuration mode and
disable PIM:
[edit]
user@host# deactivate protocols pim
user@host# commit
2. Upgrade to Junos OS Release 9.3 or later software using the instructions appropriate
for the router type. You can either use the standard procedure with reboot or use ISSU.
3. After the router reboots and is running the upgraded Junos OS, enter configuration
mode, disable PIM NSR with the nonstop-routing disable statement, and then reenable
PIM:
[edit]
user@host# set protocols pim nonstop-routing disable
user@host# activate protocols pim
user@host# commit
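As an added example that is not part of the release notes or of Junos OS, the following Python applies the decision rules above to a router's configuration in "show configuration | display set" form and returns the steps to take for the running release. The sample configuration is constructed, and the anycast-pim pattern used to recognise anycast RP in set-format output is an assumption; routing-options nonstop-routing, protocols pim rp local and protocols pim nonstop-routing disable are the statements the procedure refers to.

```python
"""Pre-upgrade check for the NSR/PIM combinations described in the notes."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: a router with NSR on and both unsupported PIM RP features
# configured (the anycast-pim line is an assumed set-format rendering).
SAMPLE_CONFIG = [
    "set system host-name pe1",
    "set routing-options nonstop-routing",
    "set protocols pim rp local family inet address 10.255.0.1",
    "set protocols pim rp local family inet anycast-pim rp-set address 10.255.0.2",
    "set protocols pim interface ge-0/0/0.0 mode sparse",
]

PIM_NSR_DISABLE_FIRST_RELEASE = (9, 3)   # 'protocols pim nonstop-routing disable' appeared in 9.3
STANDARD = "standard upgrade (reboot or ISSU), no PIM-specific steps"

# The two PIM features the notes list as incompatible with NSR, in set-format form.
INCOMPATIBLE_PIM_FEATURES = [
    ("Local RP", re.compile(r"^set protocols pim rp local ")),
    ("Anycast RP", re.compile(r"^set protocols pim rp local .*\banycast-pim\b")),  # assumed pattern
]


@dataclass
class RouterState:
    nsr_enabled: bool
    pim_active: bool                      # PIM configured and not deactivated
    incompatible_pim_features: List[str] = field(default_factory=list)
    pim_nsr_disabled: bool = False        # 'protocols pim nonstop-routing disable' present


def parse_release(version: str) -> Tuple[int, int]:
    """'9.2R3.4' -> (9, 2); rejects strings that do not start with major.minor."""
    m = re.match(r"^(\d+)\.(\d+)", version.strip())
    if m is None:
        raise ValueError(f"not a Junos release string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def inspect_config(set_lines: List[str]) -> RouterState:
    """Derive the NSR/PIM facts the decision needs from display-set output."""
    lines = [l.strip() for l in set_lines if l.strip()]
    pim_lines = [l for l in lines if l.startswith("set protocols pim")]
    state = RouterState(
        nsr_enabled=any(l.startswith("set routing-options nonstop-routing") for l in lines),
        pim_active=bool(pim_lines) and "deactivate protocols pim" not in lines,
    )
    for name, pattern in INCOMPATIBLE_PIM_FEATURES:
        if any(pattern.match(l) for l in pim_lines):
            state.incompatible_pim_features.append(name)
    state.pim_nsr_disabled = "set protocols pim nonstop-routing disable" in lines
    return state


def plan_upgrade(set_lines: List[str], running_version: str) -> List[str]:
    """Ordered steps for this router, following the rules in the release notes."""
    state = inspect_config(set_lines)
    needs_workaround = bool(
        state.nsr_enabled
        and state.pim_active
        and state.incompatible_pim_features
        and not state.pim_nsr_disabled
    )
    if not needs_workaround:
        return [STANDARD]
    if parse_release(running_version) >= PIM_NSR_DISABLE_FIRST_RELEASE:
        # On 9.3 or later the commit would already have refused this combination,
        # so nothing beyond the standard procedure is required.
        return [STANDARD]
    # 9.2 or earlier: the disable statement does not exist yet, so PIM has to be
    # taken out of the configuration around the upgrade.
    return [
        "deactivate protocols pim; commit",
        "upgrade to Junos OS Release 9.3 or later (standard reboot or ISSU)",
        "set protocols pim nonstop-routing disable",
        "activate protocols pim; commit",
    ]


if __name__ == "__main__":
    for version in ("9.2R3.4", "9.3R2"):
        print(f"running {version}:")
        for step in plan_upgrade(SAMPLE_CONFIG, version):
            print("  -", step)
```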
For upgrades and downgrades to or from a non-EEOL release, the current policy is that
you can upgrade and downgrade by no more than three releases at a time. This policy
remains unchanged.
For more information on EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
on page 6
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX
Series, and T Series Routers on page 42
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55
Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series,
MX Series, and T Series Routers on page 77
Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers
Powered by Junos OS, Juniper Networks SRX Series Services Gateways provide robust
networking and security services. SRX Series Services Gateways range from lower-end
devices designed to secure small distributed enterprise locations to high-end devices
designed to secure enterprise infrastructure, data centers, and server farms. The SRX
Series Services Gateways include the SRX100, SRX210, SRX220, SRX240, SRX650,
SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Juniper Networks J Series Services Routers running Junos OS provide stable, reliable, and
efficient IP routing, WAN and LAN connectivity, and management services for small to
medium-sized enterprise networks. These routers also provide network security features,
including a stateful firewall with access control policies and screens to protect against
attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320,
J2350, J4350, and J6350 devices.
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series
Services Routers on page 92
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series
Services Gateways and J Series Services Routers on page 124
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers on page 148
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services
Routers on page 158
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers on page 178
Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways
and J Series Services Routers on page 189
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers on page 192
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
The following features have been added to Junos OS Release 10.4. Following the
description is the title of the manual or manuals to consult for further information.
Hardware Features: SRX220 Services Gateway with Power Over Ethernet on page 116
Software Features
Application Layer Gateways (ALGs)
Rewrite rule for DSCP at VoIP ALGs: This feature is supported on all SRX Series and
J Series devices.
Differentiated Services Code Point (DSCP) is a modification of the type-of-service
byte for class of service (CoS). Six bits of this byte are reallocated for use as the DSCP
field, where each DSCP specifies a particular per-hop behavior that is applied to a
packet.
A rewrite rule modifies the appropriate CoS bits in an outgoing packet to meet the
requirements of the targeted peer. Each rewrite rule reads the current CoS value that
is configured at the voice over IP (VoIP) Application Layer Gateway (ALG) level. Every
packet that hits the VoIP ALG is marked with this CoS value.
You can configure a rewrite rule for a DSCP Differentiated Services (DiffServ) marker
at the VoIP ALG level to address VoIP signaling and its respective Real-Time Transport
Protocol (RTP) streams. You can configure the rewrite rule such that all VoIP traffic
hitting the ALG gets a rewrite marker while its respective RTP/Real-Time Control
Protocol (RTP/RTCP) traffic gets a different rewrite marker.
[Junos OS CLI Reference, Junos OS Integrated Convergence Services Configuration and
Administration Guide]
Chassis Cluster
Increasing the number of zones and virtual routers: This feature is supported on
SRX5600 and SRX5800 devices.
The maximum number of zones, virtual routers, and IFLs (IFLs only for chassis cluster
mode) that can be configured on an SRX5800 device has been increased to 2000.
In a chassis cluster environment, as the number of logical interfaces is scaled upward,
the time before triggering a failover needs to be increased accordingly. At maximum
capacity on an SRX5600 or SRX5800 device, we recommend that you increase the
configured time for failover detection to at least 5 seconds. [Junos OS CLI Reference]
Configuration Wizards
This feature is supported on SRX100, SRX210, SRX240, and SRX650 devices.
The J-Web interface now has a set of wizards that simplify the basic configuration of the
SRX Series devices. The Setup wizard automatically appears when you first start the
device or when it is in factory default mode and you point to the Web management URL.
Three other wizards in the J-Web interface enable you to configure basic firewall policies,
basic IPsec VPN settings, and basic NAT settings.
Screen logs: Screen log enhancement is supported on all SRX Series and J Series
devices.
The new log format captures all required information in the screen log. This allows you
to view all log information for a device instead of having to search through
device-specific logs.
The new log structure is as follows:
<67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113" destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" action="alarm-without-drop"]
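As an added example, not code from the release notes or from Juniper, the following Python parses this screen-log format and summarises hits per attack and source address, separating out events whose action was alarm-only (the packet was logged but not dropped). It treats the message as RFC 5424 syslog with one structured-data element, which is an assumption about the format; the log lines it contains are constructed to match the structure shown above.

```python
"""Parse structured screen logs and summarise them per attack and source."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines: the first reproduces the structure of the line in the
# release notes; the others are made-up variants (a second hit from the same
# source, a dropped packet, and a non-screen message the parser must ignore).
SAMPLE_LOGS = [
    '<67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP '
    '[junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" '
    'source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113" '
    'destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" '
    'action="alarm-without-drop"]',
    '<67>1 2009-08-18T19:47:24.002 srx5800-00 RT_IDS - RT_SCREEN_TCP '
    '[junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" '
    'source-address="112.0.0.110" source-port="81" destination-address="111.0.0.113" '
    'destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" '
    'action="alarm-without-drop"]',
    '<67>1 2009-08-18T19:47:30.511 srx5800-00 RT_IDS - RT_SCREEN_IP '
    '[junos@2636.1.1.1.2.26 attack-name="IP spoofing!" '
    'source-address="10.9.8.7" source-port="0" destination-address="111.0.0.113" '
    'destination-port="0" source-zone-name="mobiles" interface-name="reth1.112" '
    'action="drop"]',
    '<30>1 2009-08-18T19:47:31.000 srx5800-00 sshd 1234 - - Accepted password for admin',
]

# RFC 5424 style header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID,
# followed by one structured-data element [SD-ID name="value" ...].
SYSLOG_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) \[(?P<sdid>[^\s\]]+)(?P<params>(?:[^\]\\]|\\.)*)\]'
)
# name="value" pairs; a value may contain the RFC 5424 escapes \" \\ and \].
SD_PARAM = re.compile(r'(?P<name>[\w.-]+)="(?P<value>(?:[^"\\]|\\.)*)"')
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]


@dataclass(frozen=True)
class ScreenEvent:
    timestamp: str
    host: str
    msgid: str            # e.g. RT_SCREEN_TCP, RT_SCREEN_IP
    severity: int         # PRI % 8
    attack_name: str
    source_address: str
    source_port: int
    destination_address: str
    destination_port: int
    zone: str
    interface: str
    action: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def enforced(self) -> bool:
        """True only when the screen dropped the packet; alarm-only lets it through."""
        return self.action == "drop"


def _unescape(value: str) -> str:
    return re.sub(r'\\(["\\\]])', r'\1', value)


def parse_screen_log(line: str) -> Optional[ScreenEvent]:
    """Return a ScreenEvent for an RT_SCREEN_* line, or None for any other message."""
    m = SYSLOG_HEADER.match(line)
    if m is None or not m.group("msgid").startswith("RT_SCREEN_"):
        return None
    fields: Dict[str, str] = {
        p.group("name"): _unescape(p.group("value"))
        for p in SD_PARAM.finditer(m.group("params"))
    }
    try:
        return ScreenEvent(
            timestamp=m.group("ts"), host=m.group("host"), msgid=m.group("msgid"),
            severity=int(m.group("pri")) % 8,
            attack_name=fields["attack-name"],
            source_address=fields["source-address"],
            source_port=int(fields["source-port"]),
            destination_address=fields["destination-address"],
            destination_port=int(fields["destination-port"]),
            zone=fields["source-zone-name"],
            interface=fields["interface-name"],
            action=fields["action"],
        )
    except (KeyError, ValueError):
        return None   # malformed or truncated line: skip it rather than stop the collector


def summarise(lines: List[str]) -> Tuple[Counter, List[ScreenEvent]]:
    """Count screen hits per (attack, source) and collect the ones that were only alarmed."""
    hits: Counter = Counter()
    unenforced: List[ScreenEvent] = []
    for line in lines:
        ev = parse_screen_log(line)
        if ev is None:
            continue
        hits[(ev.attack_name, ev.source_address)] += 1
        if not ev.enforced:
            unenforced.append(ev)
    return hits, unenforced


if __name__ == "__main__":
    hits, unenforced = summarise(SAMPLE_LOGS)
    for (attack, src), n in hits.most_common():
        print(f"{n:3d}  {attack:<28} from {src}")
    print(f"{len(unenforced)} event(s) were alarmed but not dropped")
```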
Call park: The call park feature allows users to park an active call and pick up their
call or that of another user later. To use the call park feature, you configure a primary
logical extension, which you can think of as a parking lot. You must also configure a
range of logical extensions following the primary one that are used to park individual
calls.
When you handle a call, you can transfer it to the parking lot without the caller hearing
the transfer process. When you park the call, you are told the logical extension number
of the parking slot before your connection to the call is dropped. You or another user
can pick up the call and resume the conversation from any phone by calling the
extension number of the parking slot.
This feature is supported when the SRX Series SCS is in control. Under normal conditions
when it is reachable, the peer call server provides this service if it is supported.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Defining a SIP registrar address separate from the peer call server: By default, the
SIP registrar and the peer call server (SIP server) are handled by the same service and
therefore have the same address. Under these circumstances, the SRX Series MGW
sends SIP REGISTRAR and INVITE messages to the IP address configured for the peer
call server.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Direct inward dialing lists: You can associate a list of direct inward dialing (DID)
numbers with a trunk to be used for assignment to stations. You do not need to assign
these DIDs to stations directly. The software assigns a DID number to a single station
exclusively. If an incoming call is made to an unassigned DID number, it is directed to
and handled by auto-attendant.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Disabling SIP registration to the peer call server: The SRX Series MGW sends
registration messages to the peer call server. For some network environments in which
all media gateways are known to the peer call server, the SRX Series MGW is not
required to register to it. To do so could cause complications. For example, the peer
call server could drop the registration message silently, that is, without informing the
SRX Series MGW. In this case, the SRX Series MGW might retransmit the message,
incurring unnecessary processing and adding to the network load.
When you configure peer call server information, you can disable transmission of the
registration message to the peer call server to avoid these problems.
DSCP marking for RTP packets generated by SRX Series Integrated Convergence
Services: Configure DSCP marking to set the desired DSCP bits for Real-Time Transport
Protocol (RTP) packets generated by SRX Series Integrated Convergence Services.
Differentiated Services code point (DSCP) bits are the 6-bit bitmap in the IP header
used by devices to decide the forwarding priority of packet routing. When the DSCP
bits of RTP packets generated by Integrated Convergence Services are configured, the
downstream device can then classify the RTP packets and direct them to a higher
priority queue in order to achieve better voice quality when packet traffic is congested.
Juniper Networks devices provide classification, priority queuing, and other kinds of
class-of-service (CoS) configuration under the CoS configuration hierarchy.
Note that the Integrated Convergence Services DSCP marking feature marks only RTP
packets of calls that it terminates, which include calls to peer call servers and to peer
proxy servers that provide SIP trunks. If a call is not terminated by Integrated
Convergence Services, then DSCP marking does not apply.
To configure the DSCP marking bitmap for calls terminated by Integrated Convergence
Services and the address of the peer call server or peer proxy server to which these
calls are routed, use the media-policy statement at the [edit services converged-services]
hierarchy level.
set services convergence-service service-class <name> dscp <bitmap>
set services convergence-service service-class media-policy <name> term <term-name> from peer-address [<addresses>]
set services convergence-service service-class media-policy <name> term then service-class <name>
Hunt group: A hunt group enables a group of users to handle calls collectively. A hunt
group specifies a logical extension that outside parties can call. Member stations
belonging to the hunt group are specified in a preconfigured station group. When a call
comes in on the logical extension, the call is directed to the phone whose station is
specified first in the preconfigured station group, and that phone rings. The next
incoming call is directed to the second station specified in the station group and its
phone rings, and so on.
To connect the call, the system hunts through the configured stations in order, one at
a time. It rings a phone for up to the time limit that you specify before it tries the next
phone in the configured order.
This feature is supported when the SRX Series SCS is in control. Under normal conditions
when it is reachable, the peer call server provides this service if it is supported.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Interoperability with Microsoft and Cisco call servers and IP phones: This feature
addresses SRX Series media gateway (SRX Series MGW) interoperability with Microsoft
and Cisco call servers and IP phones, in addition to the current support for Avaya call
servers and IP phones. This feature helps to provide a comprehensive joint enterprise
communications offering.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Ring group: A ring group can include up to five members. A ring group allows incoming
calls to be handled by any member of the group. You configure a ring group with a
logical extension that outside parties can call. Calls coming into the logical extension
are forwarded to all phones simultaneously. The first member to answer the call takes
it, and the phones of other members of the group stop ringing. A ring group can include
both SIP and analog stations.
This feature is supported when the SRX Series SCS is in control. Under normal conditions
when it is reachable, the peer call server provides this service if it is supported.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Half-duplex/full-duplex support
Autonegotiation
Encapsulations
MTU size of 1514 bytes (default) and 9010 bytes (jumbo frames)
Loopback
Virtual router support for route-based VPNs: This feature is supported on all SRX
Series and J Series devices.
This feature includes routing-instance support for route-based VPNs. You can now
configure different subunits of the st0 interface in different routing instances. The
following functions are supported for nondefault routing instances:
Transit traffic
Self-traffic
VPN monitoring
Hub-and-spoke VPNs
NOTE: IKE is not supported in a custom VR (virtual router). The IKE gateway
external interface must reside in the default virtual router (inet.0).
[Junos OS Administration Guide for Security Devices, Junos OS CLI Reference, Junos OS
Security Configuration Guide]
IPv6 Support
Active/active chassis cluster: This feature is supported on all SRX Series and J Series
devices.
In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6)
can be deployed in active/active (failover) chassis cluster configurations in addition
to the existing support of active/passive (failover) chassis cluster configurations. [Junos
OS Security Configuration Guide]
Advanced flow: This feature is supported on all SRX Series and J Series devices.
IPv6 advanced flow adds IPv6 support for firewall, NAT, NAT-PT, multicast (local link
and transit), IDP, Junos framework, TCP proxy, and session manager on SRX Series
and J Series devices. MIBs are not used in the IPv6 flow.
IPv6 security is available to avoid impact on the existing IPv4 system. If IPv6 security
is enabled, extended sessions and gates are allocated. The existing address fields and
gates are used to store the index of extended sessions or gates. If IPv6 security is
disabled, the IPv6 security related resources are not allocated.
New logs are used for IPv6 flow traffic to prevent impact on performance in the existing
IPv4 system.
The behavior and implementation of the IPv6 advanced flow are the same as those
of the IPv4 flow.
Some of the differences are as follows:
Header parse: IPv6 advanced flow stops parsing the headers and interprets the
packet as the corresponding protocol packet if it encounters the following extension
headers:
TCP/UDP
ESP/AH
ICMPv6
IPv6 advanced flow continues parsing headers if it encounters the following extension
headers:
Hop-by-Hop
TCP Length
UDP Length
Hop-by-Hop
ICMPv6 packets: In IPv6 advanced flow, the ICMPv6 packets share the same
behavior as normal IPv6 traffic with the following exceptions:
Host inbound and outbound traffic: IPv6 advanced flow supports all route and
management protocols running on the Routing Engine, including OSPF v3, RIPng,
Telnet, and SSH. Note that flow label is not used in the flow.
IPv4 IPIP
IPv4 GRE
IPv4 IPsec
Dual-stack lite
DNS ALG for routing, NAT, and NAT-PT: This feature is supported on all SRX Series
and J Series devices.
Domain Name System (DNS) is the part of the ALG that handles DNS traffic. The DNS
ALG module has been working as expected for IPv4. In Junos OS Release 10.4, this
feature implements IPv6 support on DNS ALG for routing, NAT, and NAT-PT.
When the DNS ALG receives a DNS query from the DNS client, a security check is done
on the DNS packet. When the DNS ALG receives a DNS reply from the DNS server, a
similar security check is done, and then the session for the DNS traffic closes.
When the DNS traffic works in NAT mode, the DNS ALG translates the public address
in a DNS reply to a private address when the DNS client is on a private network, and
similarly translates a private address to a public address when the DNS client is on a
public network. When DNS traffic works in NAT-PT mode, the DNS ALG translates the
IP address in a DNS reply packet between the IPv4 address and the IPv6 address when
the DNS client is in an IPv6 network and the server is in an IPv4 network, and vice versa.
To support NAT-PT mode in a DNS ALG, the NAT module should support NAT-PT.
[Junos OS Security Configuration Guide]
Softwire Initiator (SI) in the DS Lite home router (SI is not available in Junos release
10.4)
FTP ALG for routing: This feature is supported on all SRX Series and J Series devices.
File Transfer Protocol (FTP) is the part of the ALG that handles FTP traffic. The
PORT/PASV requests and corresponding 200/227 responses in FTP are used to
announce the TCP port, which the host listens to for the FTP data connection.
EPRT/EPSV/229 commands are used for these requests and responses. FTP ALG
supports EPRT/EPSV/229 already, but only for IPv4 addresses.
In Junos OS Release 10.4, EPRT/EPSV/229 commands are updated to support both
IPv4 and IPv6 addresses.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
ICMP ALG for routing, NAT, and NAT-PT: This feature is supported on all SRX Series
and J Series devices. ALGs support Internet Control Message Protocol version 6
(ICMPv6), an integral part of IPv6 that must be fully implemented by every IPv6 node.
The ICMP ALG handles ICMP traffic by monitoring all ICMP messages and then
performing the following actions:
In routing mode, the ICMP ALG closes a session if it receives one of the following
message types:
In Network Address Translation (NAT mode), the ICMP ALG performs the following
actions:
Closes the session if it receives an echo reply (type 129) message or a destination
unreachable (type 1) error message
Retains the original identifier and sequence number for the echo reply
Translates the embedded IPv6 packet for the ICMPv6 error message
Closes the session if it receives an echo reply (type 129) message or a destination
unreachable (type 1) error message
Translates an ICMPv4 error message to an ICMPv6 error message and translates its
embedded IPv4 packet to an IPv6 packet
Translates an ICMPv6 error message to an ICMPv4 error message and translates its
embedded IPv6 packet to an IPv4 packet
The ICMP ALG drops ICMP traffic when translation between IPv4 and IPv6 is not possible.
Note that the ICMP ALG is always enabled and cannot be disabled from the
command-line interface (CLI).
[Junos OS Security Configuration Guide]
Multicast flow: This feature is supported on all SRX Series and J Series devices.
The IPv6 multicast flow adds or enhances the following features:
Fragment handling
Packet reordering
The structure and processing of IPv6 multicast data session are the same as that of
IPv4. Each data session has the following:
Several sessions
The reverse path forwarding (RPF) check behavior for IPv6 is the same as that of IPv4.
Incoming multicast data is accepted only if RPF check succeeds. In IPv6 multicast
flow, incoming Multicast Listener Discovery (MLD) protocol packets are accepted only
if MLD or PIM is enabled in the security zone for the incoming interface. Sessions for
multicast protocol packets have a default timeout value of 300 seconds. This value
cannot be configured. The null register packet is sent to the rendezvous point.
In IPv6 multicast flow, a multicast router has the following three roles:
Designated router
Intermediate router
Rendezvous point
IPv6 Network Address Translation (IPv6 NAT) provides address translation between
IPv6 hosts. NAT between IPv6 hosts is done in a similar manner and for similar purposes
as IPv4 NAT. IPv6 NAT in Junos OS provides the following NAT types:
Source NAT
Destination NAT
Static NAT
Screens: This feature is now supported on all SRX Series and J Series devices.
IPv6 support is extended for the following screen features:
Syn-flood/syn-proxy/syn-cookie
Syn-ack-ack-proxy
Ip-spoofing
J-Web
J-Web Chassis View: The changes and enhancements to the J-Web Chassis View
apply to SRX1400 devices.
The following enhancements have been made to the J-Web Chassis View on the
Dashboard:
Displays the front or rear panel view of the device and shows which slots are occupied.
When you insert or remove a card, the Chassis View reflects the change immediately.
Port colors change to indicate the port link status. For example, the ge port lights
steadily green when the port is up and red when the port is down.
Displays Help tips when you hover the mouse over a port.
MAC limiting
drop: Drop the packet and generate an alarm, an SNMP trap, or a system log entry.
log: Do not drop the packet, but generate an alarm, an SNMP trap, or a system log
entry.
none: Take no action.
shutdown: Disable the interface and generate an alarm. If you have configured the
NOTE: MAC limit is only applied to new MAC learning requests. If you
already have 10 MACs learned and you configure the limit as 5, all the MACs
will remain in the FDB table. Once the MACs are cleared by the user (using
the clear ethernet-switching table command), or they age out, they will not
be relearned.
MAC limiting does not apply to static MACs. Users can configure any number
of static MACs independent of the MAC limit, and all of them will be added
to FDB.
[Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices]
R2CP radio-to-router protocol support: This feature is supported on all SRX Series and
J Series devices.
Junos OS Release 10.4 supports the Network Centric Waveform (NCW) radio-specific
radio-to-router control protocol (R2CP), which is similar to the PPPoE radio-to-router
protocol. Both of these protocols exchange dynamic metric changes in the network
that the routers use to update the OSPF topologies.
In radio-router topologies, the router connects to the radio over a Gigabit Ethernet link
and the radio transmits packets over the radio frequency (RF) link. The radio periodically
sends metrics to the router, which uses RF link characteristics and other data to inform
the router on the shaping and OSPF link capacity. The router uses this information to
shape the data traffic and provide the OSPF link cost for its SPF calculations. The radio
functions like a Layer 2 switch and can only identify remote radio-router pairs using
Layer 2 MAC addresses. With R2CP the router receives metrics for each neighboring
router, identified by the MAC address of the remote router. The R2CP daemon translates
the MAC addresses to link the local IPv6 addresses and sends the metrics for each
neighbor to OSPF. Processing these metrics is similar to the handling of PPPoE PADQ
metrics. Unlike PPPoE, which is a point-to-point link, these R2CP neighbors are treated
as nodes in a broadcast LAN.
You must configure each neighbor node with a per-unit scheduler for CoS. The scheduler
context defines the attributes of Junos class of service (CoS). To define CoS for each
radio, you can configure virtual channels to limit traffic. You need to configure virtual
channels for as many remote radio-router pairs as there are in the network. You
configure virtual channels on a logical interface. You can configure each virtual channel
to have a set of eight queues with a scheduler and an optional shaper. When the radio
initiates the session with a peer radio-router pair, a new session is created with the
remote MAC address of the router and the VLAN over which the traffic flows. Junos
OS chooses from the list of free virtual channels and assigns the remote MAC and the
eight CoS queues and the scheduler to this remote MAC address. All traffic destined
to this remote MAC address is subjected to the CoS that is defined in the virtual channel.
A virtual channel group is a collection of virtual channels. Each radio can have only one
virtual channel group assigned uniquely. If you have more than one radio connected
to the router, you must have one virtual channel group for each local radio-to-router
pair.
Although a virtual channel group is assigned to a logical interface, a virtual channel is
not the same as a logical interface. The only features supported on a virtual channel
are queuing, packet scheduling, and accounting. Rewrite rules and routing protocols
apply to the entire logical interface.
[LN1000 Mobile Secure Router User Guide]
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Security
Display multiple policy matches. This feature is supported on all SRX Series and J
Series devices.
The result-count option added in Junos OS Release 10.4 extends the show security
match-policies command and lets you display up to 16 policy matches for a given set of
criteria. The first policy in the list is the one applied to all matching traffic. Every
policy after the first is a shadow policy: it is shadowed by the first one and is never
reached by that traffic, which makes the list useful for finding unreachable rules.
[Junos OS Security Configuration Guide]
DHCPv6 server. This feature is supported on all SRX Series and J Series devices.
Dynamic Host Configuration Protocol version 6 (DHCPv6) local server is now supported
on all SRX Series and J Series devices to provide addressing for IPv6 clients.
Some features include:
To configure a DHCPv6 local server on a device, include the dhcpv6 statement at
the [edit system services dhcp-local-server] hierarchy level. The DHCPv6 address pool
is configured at the [edit access address-assignment pool] hierarchy level using the
family inet6 statement.
Platform: Default / second column (heading not recovered from the source table)
SRX3400: 2.25 million / 3 million
SRX3600: 2.25 million / 6 million
SRX5800: 12.5 million / 14.0 million
Image upgrade using a USB device. This feature is supported on SRX100, SRX210, SRX220,
SRX240, and SRX650 devices.
The SRX Series image upgrade using a USB device feature simplifies upgrading Junos OS
images when there is no console access to an SRX Series device at a remote site. You
upgrade the Junos OS image with minimal configuration effort by inserting a USB flash
drive into the USB port of the SRX Series device and performing a few simple steps.
Before you begin the installation, ensure that the following prerequisites are met:
The Junos OS upgrade image and the autoinstall.conf file are copied to the USB device.
Adequate space is available on the SRX Series device to install the software image.
To use a USB flash drive to install the Junos OS image on an SRX Series device:
1. Insert the USB flash drive into the USB port of the SRX Series device and wait for
the LEDs to blink amber and then light steady amber, indicating that the SRX Series
device has detected the Junos OS image.
If the LEDs do not turn amber, press the Power button or power-cycle the device
and wait for the LEDs to light steady amber.
2. Press the Reset Config button on the SRX Series device and wait for the LEDs to
turn green, indicating that the Junos OS upgrade image has been installed successfully.
While the USB device is plugged in, the Reset Config button always acts as an
image upgrade button. Any other function of this button is overridden until you
remove the USB flash drive. Because the upgrade is triggered by physical access
alone, restrict physical access to the device and its USB port.
3. Remove the USB flash drive. The SRX Series device restarts automatically and
NOTE: If an installation error occurs, the LEDs light red, which might indicate
that the Junos OS image on the USB flash drive is corrupted. An installation
error can also occur if the current configuration on the SRX Series device
is not compatible with the new Junos OS version on the USB device. You must
have console access to the SRX Series device to troubleshoot an installation
error.
TCP session check per policy. This feature is supported on all SRX Series devices.
By default, the TCP SYN check and TCP sequence check options are enabled on all TCP
sessions. Junos OS performs the following operations during TCP sessions:
Checks for the SYN flag in the first packet of a session and rejects any TCP segment
without the SYN flag that attempts to initiate a session.
The TCP session check per-policy feature lets you configure SYN checks and sequence
checks for each policy. The TCP options no-sequence-check and no-syn-check are
available at the global level to control the behavior of the services gateway. To
support per-policy TCP options, the following two options are available:
To configure per-policy TCP options, the corresponding global checks must be turned off;
otherwise, the commit check fails. When the global TCP checks are disabled and SYN flood
protection permits the first packet, the per-policy TCP options control whether the SYN
check and/or sequence check is performed.
NOTE:
The per-policy SYN check required option does not override the behavior of
the set security flow tcp-session no-syn-check-in-tunnel CLI command.
Disabling the global SYN check reduces the effectiveness of the device in defending
against packet flooding, because TCP sessions matched by policies that carry no
per-policy check are no longer checked at all.
VPNs
IKE and IPsec predefined proposals for dynamic VPN. This feature is supported on
SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
In earlier releases, administrators had to configure individual Internet Key Exchange
(IKE) and IP Security (IPsec) proposals for every IKE and IPsec policy. This was tedious
and time-consuming when many VPN policies had to be configured, because each one needed
custom IKE and IPsec proposals.
Junos OS Release 10.4 supports proposal-set configuration in IKE and IPsec; the
administrator can select basic, compatible, or standard proposal sets for dynamic VPN
clients. Each proposal set consists of two or more predefined proposals. The server
selects one predefined proposal from the set configured and pushes it to the client in
the client configuration. The client uses this proposal in negotiations with the server
to establish the connection.
The default values for IKE and IPsec security association (SA) rekey timeout are as
follows:
The server sends a predefined IPsec proposal from the configured IPsec proposal
set to the client, along with the default rekey timeout value. For IKE, the server sends
the setting that is configured in the IKE proposal.
NOTE: If IPsec uses the standard proposal set and perfect forward secrecy
(PFS) is not configured, then the default PFS is set as group2. For other
proposal sets, PFS will not be set because it is not configured.
Assigns the address from the predefined (or statically assigned) address pools if
the address matches the criteria specified by the client application.
NOTE: For client applications that rely on a RADIUS or other external server for
authentication, AUTHD might not assign IP addresses.
This feature is used to perform the following:
Provide a mechanism in AUTHD for linking an address pool to a client profile and
assigning an IP address to the client from the pool.
IP address
The IP address can be drawn from a locally configured IP address pool. AUTHD requires
IKE or XAuth to release the IP address when it is no longer in use.
IKE provides a mechanism for establishing IP Security (IPsec) tunnels.
[Junos OS CLI User Guide, Junos OS Security Configuration Guide]
Support for group Internet Key Exchange (IKE) IDs in dynamic VPN configurations. This
feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
The existing dynamic virtual private network (VPN) design uses a unique Internet Key
Exchange (IKE) ID for each user connection. For each user, the VPN must be configured
with an individual IKE gateway, an IPsec VPN, and a security policy that uses the IPsec
VPN. This is cumbersome when there are a large number of users. The design is modified
to allow a number of users to share one IKE gateway, IPsec VPN, and policy configuration
using shared-ike-id or group-ike-id. This reduces the number of times the VPN needs to
be configured.
The shared-ike-id and group-ike-id options let you configure the VPN once for multiple
users. All users connecting through a shared-ike-id configuration use the same IKE ID and
preshared key, so the preshared key alone no longer identifies a user; user credentials
are verified in the extended authentication (XAuth) phase by AUTHD. A user's credentials
are configured either in RADIUS or in the AUTHD access database.
When using group-ike-id or shared-ike-id for user connection management and licensing,
the users on the client PC must use the same user credentials for both WebAuth and
XAuth login (that is, the two client login windows) to prevent undesirable behavior and
incorrect CLI output on the server.
For group-ike-id, a part of the configuration for a user IKE ID is common to the group.
The IKE ID is the concatenation of an individual part and the common part of IKE ID.
For example, a user can use a group-ike-id configuration with a common part
".juniper.net" and the individual part X. The IKE ID can be "X.juniper.net". Httpd-gk
generates the individual part of the IKE ID.
The group-ike-id does not require extended authentication (XAuth). However, for
dynamic VPN, XAuth is needed to retrieve the network attributes such as IP address
for the client. Therefore, if XAuth is not configured for group-ike-id and the administrator
uses the IKE gateway in a dynamic VPN client, a warning message appears.
This feature introduces new commands for ike sa and dynamic-vpn and new options
in the IKE Gateway Add/Edit page of J-Web.
Dynamic VPN access through the Junos Pulse client. This feature is supported on
SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
Junos Pulse enables secure authenticated network connections to protected resources
and services over LANs and WANs. Junos Pulse is a remote access client developed
to replace the earlier access client, Juniper Networks Access Manager. You must
uninstall Access Manager before you install the Junos Pulse client.
Junos Pulse supports remote virtual private network tunnel connectivity to SRX Series
Services Gateways that are running Junos OS. To configure a firewall access
environment for Junos Pulse clients, you must configure the VPN settings on the SRX
Series device and create and deploy a firewall connection on the Junos Pulse client.
For SRX Series devices running Junos OS Releases 10.2 through 10.4, Junos Pulse is
supported but must be deployed separately. In Junos OS Release 11.1 and later releases,
if the Pulse client does not exist on the client machine, the Pulse client is automatically
downloaded and installed when you log in to an SRX Series device. If the Pulse client
exists on the client machine, you must launch the Pulse client.
[Junos OS Security Configuration Guide]
The following key features are supported on the 1-Port SFP Gigabit Ethernet Mini-PIM:
Autonegotiation
For more information on the 1-Port SFP Gigabit Ethernet Mini-PIM, see the SRX Series
Services Gateways for the Branch Physical Interface Modules Hardware Guide.
For information on configuring the 1-Port SFP Gigabit Ethernet Mini-PIM, see the Junos
OS Interfaces Configuration Guide for Security Devices.
J-Web interface: Web-based graphical interface that allows you to operate a services
gateway without commands. The J-Web interface provides access to all Junos OS
functionality and features.
Junos OS command-line interface (CLI): Juniper Networks command shell that runs
on top of a UNIX-based operating system kernel. The CLI is a straightforward command
interface. On a single line, you type commands that are executed when you press the
Enter key. The CLI provides command Help and command completion.
Hardware Features
Table 3 on page 116 lists the hardware features supported on the SRX220 Services
Gateway.
[Table 3 did not survive extraction. Rows recovered: DDR memory, 1 GB (both models);
PoE support; a 60 W, 12 V DC output entry with 28 W and 35 W values; Console port;
USB ports; Mini-PIM slots; LEDs; CompactFlash, 1 externally accessible (both models).
Which model column the remaining values belong to is not recoverable.]
NOTE: The PoE LED is enabled only on the SRX220H-POE model of the
SRX220 Services Gateway. For the SRX220H model, the PoE LED remains
off.
For more details on the SRX220 Services Gateway software features and licenses, see
the Junos OS Administration Guide for Security Devices.
Hardware Interfaces
Table 4 on page 118 summarizes the interface ports supported on the SRX220 Services
Gateway.
[Table 4 (columns: Specifications, Description) did not survive extraction; the only
recovered entry is Gigabit Ethernet.]
Introduction
This release supports the SRX1400 Services Gateway.
Juniper Networks SRX1400 Services Gateway expands the SRX Series family of
next-generation security platforms, delivering market-leading performance and extensive
service integration to 10 gigabits per second (10 Gbps) environments that require the
features without the massive scalability and aggregated throughput provided by Juniper
Networks SRX3000 line and SRX5000 line. The SRX1400 Services Gateway provides
firewall support with key features such as IP Security (IPsec), virtual private network
(VPN), and high-speed deep packet inspection features such as intrusion detection and
prevention (IDP).
The SRX1400 is ideally suited for small to medium-size data centers, enterprise, and
service provider network security deployments where consolidation of security
functionality, uncompromised 10 Gbps performance, compact environmental footprint,
and affordability are key requirements.
The SRX1400 Services Gateway is three rack units (U) tall. Sixteen devices can be stacked
in a single floor-to-ceiling rack, for increased port density per unit of floor space. The
device provides common form-factor module (CFM) slots that can be populated with
Network and Services Processing Card (NSPC), and I/O cards (IOCs). The device also
has one dedicated slot for System I/O card (SYSIOC), one dedicated slot for the Routing
Engine, two slots for power supplies, and one slot for the fan tray and air filter.
The SRX1400 Services Gateway runs Junos OS. You can use the Junos OS command-line
interface (CLI) or J-Web (Web-based graphical interface) to monitor, configure,
troubleshoot, and manage the SRX1400 Services Gateway.
Supported Models
The SRX1400 Services Gateway is available in four models, which are listed in Table 5
on page 120.
Device Type:
SRX1400BASE-GE-AC
SRX1400BASE-GE-DC
SRX1400BASE-XGE-AC
SRX1400BASE-XGE-DC
Hardware Features
Table 6 on page 120 lists the hardware features supported on the SRX1400 Services
Gateway.
Input voltage: 100 to 240 V AC; -40 to -72 V DC
Power supplies: 2. The SRX1400 Services Gateway allows two power supplies for
redundancy. The following types of power supplies are supported:
[The list of supported power supply types and the Description entries for the Console
port, Auxiliary port, Fans, Fan tray, and Air filter rows did not survive extraction.]
Physical Specifications
Table 7 on page 121 summarizes the physical specifications of the SRX1400 Services
Gateway chassis.
[Table 7 rows: Chassis height, Chassis width, Chassis depth, NSPC weight, SYSIOC weight,
IOC weight; the values did not survive extraction.]
Standards referenced:
GR-63-CORE
ETSI 300019-2-1
ETSI 300019-2-2
ETSI 300019-2-3
GR-1089-CORE
Each enhanced DC power supply provides up to 1200 watts of power. In the SRX3400
Services Gateway, the enhanced DC power supply lets you configure your device with
more Services Processing Cards (SPCs), Network Processing Cards (NPCs), or I/O cards
(IOCs) than is possible with the standard 850-watt DC power supply.
NOTE: Mixing of standard and enhanced DC power supplies within the same
chassis is not supported. All installed DC power supplies must be either of
standard or enhanced types.
Table 8 on page 122 shows the different SPC, NPC, and IOC configurations applicable to
the standard and enhanced DC power supplies in the SRX3400 Services Gateway.
Table 8: Supported Combinations of SPCs, NPCs, and IOCs for Standard and Enhanced
DC Power Supplies
[Columns: SPCs, NPCs, and IOCs with standard DC power supplies; SPCs, NPCs, and IOCs
with enhanced DC power supplies (SKU SRX3K-PWR-DC2) or AC power supplies (SKU
SRX3K-PWR-AC). The per-row SPC and NPC counts did not survive extraction; the IOC
entries that survived range from 4 IOCs down to 0 IOCs and "Not supported".]
In the SRX3600 Services Gateway, the supported SPC, NPC, and IOC configurations are
the same for both the standard and the enhanced DC power supply.
See the SRX3400 Services Gateway Hardware Guide or the SRX3600 Services Gateway
Hardware Guide for detailed information about the enhanced DC power supply and
additional requirements for NEBS and ETSI compliance.
Related Documentation
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers on page 148
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services
Routers on page 158
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers on page 178
To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group
includes a Juniper Networks security device. The Cisco GET VPN server implements a
proprietary ACK for unicast rekey messages. If a group member does not respond to the
unicast rekey messages, the group member is removed from the group and is not able
to receive rekeys. An out-of-date key causes the remote peer to treat the IPsec packets as
having bad SPIs. The Juniper Networks security device can recover from this situation by
reregistering with the server to download the new key.
Antireplay must be disabled on the Cisco server when a VPN group of more than two
members includes a Juniper security device. The Cisco server supports time-based
antireplay by default. A Juniper Networks security device will not be able to interoperate
with a Cisco group member if time-based antireplay is used since the timestamp in the
IPsec packet is proprietary. Juniper Networks security devices are not able to synchronize
time with the Cisco GET VPN server and Cisco GET VPN members as the sync payload
is also proprietary. Counter-based antireplay can be enabled if there are only two group
members.
According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds
before a key expires and the Cisco GET VPN member triggers rekeys 60 seconds before
a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security
device member would match Cisco behavior.
A Cisco GET VPN member accepts all keys downloaded from the GET VPN server. Policies
associated with the keys are installed dynamically. A policy does not have to be configured
locally on a Cisco GET VPN member, but a deny policy can optionally be configured to
exclude certain traffic from the security policies set by the server. For example, the
server can set a policy that traffic between subnet A and subnet B is encrypted by key 1.
The member can set a deny policy so that OSPF traffic between subnet A and subnet B
is not encrypted by key 1. However, the member cannot set a permit policy to bring more
traffic under the protection of the key. This centralized security policy configuration does
not apply to the Juniper Networks security device.
On a Juniper Networks security device, the ipsec-group-vpn configuration statement in
the permit tunnel rule in a scope policy references the group VPN. This allows multiple
policies referencing a VPN to share an SA. This configuration is required to interoperate
with Cisco GET VPN servers.
Logical key hierarchy (LKH), a method for adding and removing group members, is not
supported with group VPN on Juniper Networks security devices.
GET VPN members can be configured for cooperative key servers (COOP KSs), an ordered
list of servers with which the member can register or reregister. Multiple group servers
cannot be configured on group VPN members.
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers
The following current system behavior, configuration statement usage, and operational
mode command usage might not yet be documented in the Junos OS documentation:
Application Identification
that you created, but maintain the predefined application definition package.
predefined (default): Uninstall the predefined application definition package from your
configuration, but maintain all custom application definitions that you have created.
The show security alg msrpc object-id-map CLI command has a chassis cluster node
option to permit the output to be restricted to a particular node or to query the entire
cluster. The show security alg msrpc object-id-map node CLI command options are
<node-id | all | local | primary>.
AppSecure
On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you create
custom application or nested application signatures for Junos OS application
identification, the order value must be unique among all predefined and custom
application signatures. The order value determines the application-matching priority
of the application signature.
NOTE: The order value range for predefined signatures is 1 through 32,767.
We recommend that you use an order range higher than 32,767 for custom
signatures.
The order value is set with the set services application-identification application
application-name signature order command. You can also view all signature order
values by entering the show services application-identification | display set | match order
command. You will need to change the order number of the custom signature if it
conflicts with another application signature.
Chassis Cluster
For SRX Series branch devices (SRX100, SRX210, SRX240, and SRX650), the default cluster
heartbeat interval and threshold changed in Release 10.4 to 1000 ms and 3, respectively.
In prior releases, the cluster heartbeat interval and threshold defaulted to 2000 ms and
8, respectively.
On AX411 Access Points, the possible completions for the CLI command set
wlan access-point <ap_name> radio <radio_num> radio-options channel number ? are now
as follows:
Example 2:
user@host# set wlan access-point ap6 radio 2 radio-options channel number ?
1 Channel 1
2 Channel 2
3 Channel 3
4 Channel 4
5 Channel 5
6 Channel 6
7 Channel 7
8 Channel 8
9 Channel 9
10 Channel 10
11 Channel 11
12 Channel 12
13 Channel 13
14 Channel 14
auto Automatically selected
On SRX210 devices, packet drops might be seen while prioritizing multiple data streams
configured with the same multilink class on single-member-link ML bundles that are
configured between SRX Series and J Series devices and other types of devices. As a
workaround, ensure that each forwarding class is configured with one multilink class
on multilink bundles on SRX Series and J Series devices. This avoids out-of-order
transmission of multilink fragments for a given multilink class. This does not apply
to LFI traffic; also, when a queue is marked for LFI, do not change that queue's
configuration.
On SRX5600 and SRX5800 devices, the set security end-to-end-debug CLI hierarchy
has been renamed set security datapath-debug.
On AX411 Access Points, the possible completions for the CLI command set
wlan access-point mav0 radio 1 radio-options mode ? have changed from previous
implementations.
Now this CLI command displays the following possible completions:
Example 1:
user@host# set wlan access-point mav0 radio 1 radio-options mode ?
Possible completions:
5GHz Radio Frequency -5GHz-n
a Radio Frequency -a
an Radio Frequency -an
[edit]
Example 2:
user@host# set wlan access-point mav0 radio 2 radio-options mode ?
Possible completions:
2.4GHz Radio Frequency --2.4GHz-n
bg Radio Frequency -bg
bgn Radio Frequency -bgn
On SRX Series devices, the show system storage partitions command now displays the
partitioning scheme details.
Example 1: show system storage partitions (dual root partitioning)
Example 2: show system storage partitions (single root partitioning)
Example 3: show system storage partitions (usb)
Configuration
On SRX100, SRX210, SRX240, and SRX650 devices, the current Junos OS default
configuration is inconsistent with the one on Secure Services Gateways, which causes
problems when users migrate to SRX Series devices. As a workaround, ensure that the
following steps are taken:
The ge-0/0/0 interface is configured as the Untrust port (with the DHCP client enabled).
The rest of the on-board ports are bridged together, with a VLAN logical interface and a
DHCP server enabled (where applicable).
Default NAT rules apply interface NAT for all trust-to-untrust traffic.
DNS and WINS parameters are passed from server to client and, if not available, users
preconfigure a DNS server (required for downloading security packages).
Dynamic VPN
Working with the Pulse client. Junos Pulse enables secure authenticated network
connections to protected resources and services over LANs and WANs. Junos Pulse is
a remote access client developed to replace the earlier access client, Juniper
Networks Access Manager. You must uninstall Access Manager before you install the
Junos Pulse client.
For SRX100, SRX210, SRX220, SRX240, and SRX650 devices running Junos OS Release
10.2 and later, Junos Pulse is supported but must be deployed separately. Users can
download and install the Pulse client manually from the Juniper Networks support site.
For the flow session log on all SRX Series devices, policy configuration has been
enhanced. The packet incoming interface is now reported in the session log for
session-init and session-close, and when a session is denied by a policy or by the
application firewall, to meet Common Criteria (CC) Medium Robustness Protection
Profiles (MRPP) compliance:
Policy configuration. To configure a policy so that matching sessions are logged at
session-init and session-close and recorded in syslog:
set security policies from-zone untrustZone to-zone trustZone policy policy13 match source-address extHost1
set security policies from-zone untrustZone to-zone trustZone policy policy13 match destination-address intHost1
set security policies from-zone untrustZone to-zone trustZone policy policy13 match application junos-ping
set security policies from-zone untrustZone to-zone trustZone policy policy13 then permit
set security policies from-zone untrustZone to-zone trustZone policy policy13 then log session-init
set security policies from-zone untrustZone to-zone trustZone policy policy13 then log session-close
A flow that matches the policy records the following information in the log (the sample
output below shows a policy named policy1; note the packet-incoming-interface field at
the end of each entry's structured data):
<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="1.1.1.2"
source-port="1" destination-address="2.2.2.2" destination-port="46384"
service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1"
nat-destination-address="2.2.2.2" nat-destination-port="46384"
src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1"
policy-name="policy1" source-zone-name="trustZone"
destination-zone-name="untrustZone" session-id-32="41"
packet-incoming-interface="ge-0/0/1.0"] session created 1.1.1.2/1-->2.2.2.2/46384
icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 ge-0/0/1.0
<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.40 reason="response received"
source-address="1.1.1.2" source-port="1" destination-address="2.2.2.2"
destination-port="46384" service-name="icmp" nat-source-address="1.1.1.2"
nat-source-port="1" nat-destination-address="2.2.2.2" nat-destination-port="46384"
src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1"
policy-name="policy1" source-zone-name="trustZone"
destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1"
bytes-from-client="84" packets-from-server="1" bytes-from-server="84"
elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] session closed response
received: 1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1
trustZone untrustZone 41 1(84) 1(84) 0 ge-0/0/1.0
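The two entries above are structured syslog in the RFC 5424 layout: a header, then one structured-data element whose SD-ID is junos@2636.1.1.1.2.40 followed by key="value" parameters, then free text. The Python parser below is an added example for this page and is not Juniper code or part of Junos OS. It extracts the parameters, reports which fields needed for MRPP-style auditing are missing (packet-incoming-interface is the one named by the release notes; the other names in the list are this example's own choice), and pairs the create and close records by session-id-32. The two sample lines are constructed copies of the output above joined onto single lines; all function and constant names are this example's.

```python
import re
from typing import Any, Dict, List, Optional

# Framing of the RT_FLOW entries shown above: <PRI>1 TIMESTAMP HOST RT_FLOW MSGID [SD] TEXT.
# The optional "-" tolerates a PROCID field, which the sample above does not carry.
_HEADER = re.compile(
    r"^<(?P<pri>\d+)>1\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+RT_FLOW\s+(?:-\s+)?"
    r"(?P<event>RT_FLOW_SESSION_\w+)\s+\[(?P<sdid>\S+)\s*(?P<params>[^\]]*)\]\s*(?P<text>.*)$"
)
_PARAM = re.compile(r'([\w.-]+)="([^"]*)"')

# Fields an auditor would expect in every session record (assumption for this example;
# the release notes only name packet-incoming-interface as the MRPP addition).
REQUIRED_FIELDS = (
    "source-address", "destination-address", "policy-name", "source-zone-name",
    "destination-zone-name", "session-id-32", "packet-incoming-interface",
)

# Constructed sample lines: the two release-note entries, each rewrapped onto one line.
SAMPLE_CREATE = (
    '<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.40 source-address="1.1.1.2" source-port="1" '
    'destination-address="2.2.2.2" destination-port="46384" service-name="icmp" '
    'nat-source-address="1.1.1.2" nat-source-port="1" nat-destination-address="2.2.2.2" '
    'nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" '
    'protocol-id="1" policy-name="policy1" source-zone-name="trustZone" '
    'destination-zone-name="untrustZone" session-id-32="41" '
    'packet-incoming-interface="ge-0/0/1.0"] session created 1.1.1.2/1-->2.2.2.2/46384 '
    'icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 ge-0/0/1.0'
)
SAMPLE_CLOSE = (
    '<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.40 reason="response received" source-address="1.1.1.2" '
    'source-port="1" destination-address="2.2.2.2" destination-port="46384" '
    'service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1" '
    'nat-destination-address="2.2.2.2" nat-destination-port="46384" '
    'src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" '
    'policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" '
    'session-id-32="41" packets-from-client="1" bytes-from-client="84" '
    'packets-from-server="1" bytes-from-server="84" elapsed-time="0" '
    'packet-incoming-interface="ge-0/0/1.0"] session closed response received: '
    '1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 '
    'trustZone untrustZone 41 1(84) 1(84) 0 ge-0/0/1.0'
)
# Constructed pre-10.4-style record: the same create entry without the new field.
SAMPLE_CREATE_NO_IIF = SAMPLE_CREATE.replace(' packet-incoming-interface="ge-0/0/1.0"', "")


def parse_rt_flow(line: str) -> Optional[Dict[str, Any]]:
    """Parse one RT_FLOW_SESSION_* entry; return None for lines that do not match."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    return {
        "pri": int(m.group("pri")),
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "event": m.group("event"),
        "sd_id": m.group("sdid"),
        "fields": dict(_PARAM.findall(m.group("params"))),
        "text": m.group("text"),
    }


def missing_required_fields(record: Dict[str, Any]) -> List[str]:
    """Names of required audit fields absent from a parsed record (empty list = complete)."""
    return [name for name in REQUIRED_FIELDS if name not in record["fields"]]


def summarize_sessions(lines: List[str]) -> Dict[str, Dict[str, Any]]:
    """Pair SESSION_CREATE and SESSION_CLOSE entries by session-id-32 into one summary each."""
    sessions: Dict[str, Dict[str, Any]] = {}
    for line in lines:
        rec = parse_rt_flow(line)
        if rec is None:
            continue
        f = rec["fields"]
        s = sessions.setdefault(f.get("session-id-32", "?"), {"bytes": 0, "closed": False})
        if rec["event"] == "RT_FLOW_SESSION_CREATE":
            s.update(policy=f.get("policy-name"), src=f.get("source-address"),
                     dst=f.get("destination-address"),
                     in_interface=f.get("packet-incoming-interface"),
                     zones=(f.get("source-zone-name"), f.get("destination-zone-name")))
        elif rec["event"] == "RT_FLOW_SESSION_CLOSE":
            s["bytes"] = int(f.get("bytes-from-client", 0)) + int(f.get("bytes-from-server", 0))
            s["closed"] = True
            s["reason"] = f.get("reason")
    return sessions


if __name__ == "__main__":
    for sid, summary in summarize_sessions([SAMPLE_CREATE, SAMPLE_CLOSE]).items():
        print(sid, summary)
    print("missing in old-style record:", missing_required_fields(parse_rt_flow(SAMPLE_CREATE_NO_IIF)))
```

Because the fields are taken from the structured-data element and not from the free-text tail, the parser is unaffected by the trailing summary text changing between releases; a record that fails missing_required_fields is the signal that a device is still emitting the pre-10.4 format.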
On SRX Series devices, the factory default for the maximum number of backup
configurations is five. Therefore, you can have one active configuration and a
maximum of five rollback configurations. Increasing this number increases storage
usage on disk and commit time.
To modify the factory defaults, use the following commands:
root@host# set system max-configurations-on-flash number
root@host# set system max-configuration-rollbacks number
On J Series devices, the following configuration changes must be done after rollback
or upgrade from Junos OS Release 10.4 to 9.6 and earlier releases.
If the aforementioned instructions are not followed, the bundle will be incorrectly
processed.
On SRX Series devices, configuring identical IP addresses on a single interface no
longer produces a warning message; a syslog message is generated instead.
On SRX210 Low Memory devices, ICMP messages generated in flow mode are now
rate-limited to 20 messages every 10 seconds. This rate limit is calculated on a per-CPU
basis.
Installation
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, support for USB
auto-installation is added. This feature simplifies the upgrading of Junos OS images
in cases where there is no console access to an SRX Series device located at a remote
site. This feature allows you to upgrade the Junos OS image with minimum configuration
effort by simply inserting a USB flash drive into the USB port of the SRX Series device
and performing a few simple steps. This feature can also be used for reformatting boot
devices and recovering SRX Series devices after a boot media corruption.
On SRX210 device with Integrated Convergence Services, users cannot clone the
existing configuration for Integrated Convergence Services. The clone option has been
removed from all Convergence Services pages on J-Web.
On SRX Series devices, to minimize the size of system logs, the default logging level
in the factory configuration has been changed from any any to any critical.
On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set
routing-options flow CLI statements are no longer available, because BGP flow spec
functionality is not supported on these devices.
On J4350 devices, ping does not go through even if the ISDN call is connected and the
dialer watch is configured. This issue occurs only when media MTU on Cisco devices
is bigger than the MTU configured on J Series devices. As a workaround, keep MTU
configured on the J Series device equal to or greater than the one set on the Cisco
device.
On SRX and J Series devices, the help description for the set <int> interface arp-resp
command incorrectly states the default value as unrestricted. The default value is
actually restricted.
On SRX Series and J Series devices, for brute force and time-binding-related attacks,
a log is generated only when the match count equals the threshold. That is,
only one log is generated within the 60-second period in which the threshold is
measured. This prevents repetitive logs from being generated and is consistent
with other IDP platforms such as IDP standalone.
When no attack is seen within the 60-second period and the BFQ entry is flushed out,
the match count starts afresh; the next attack match appears in the attack table,
and a log is generated as explained above.
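The threshold-based log suppression described above, modelled as an added Python example (this is not Junos code and not part of the release notes): one entry per attack key plays the role of the BFQ entry, a log is emitted only when the match count equals the threshold, and an entry that sees no match for 60 seconds is flushed so that the count starts afresh. The notes do not say what happens to a sustained attack that keeps matching past the threshold; the example assumes the count simply keeps rising without further logs until the entry idles out. The attack key and timestamps are constructed sample input.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 60  # the 60-second period in which the threshold is measured (from the notes)


@dataclass
class MatchEntry:
    """Per-attack state; stands in for the BFQ entry mentioned in the notes."""
    last_seen: float
    count: int = 0


class ThresholdLogger:
    """Log once per attack when the match count reaches the threshold.

    Added illustration of the documented behaviour, not Junos code.
    """

    def __init__(self, threshold: int, window: float = WINDOW_SECONDS):
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold
        self.window = window
        self.table = {}   # attack key -> MatchEntry
        self.logs = []    # (key, timestamp, count) tuples that would go to syslog

    def observe(self, key: str, ts: float) -> bool:
        """Record one attack match at time ts; return True if a log is generated."""
        entry = self.table.get(key)
        # No match within the window: flush the entry so the count starts afresh.
        if entry is not None and ts - entry.last_seen > self.window:
            del self.table[key]
            entry = None
        if entry is None:
            entry = MatchEntry(last_seen=ts)
            self.table[key] = entry
        entry.count += 1
        entry.last_seen = ts
        # Exactly one log per window: only when the count equals the threshold,
        # never again on matches above it (assumed for a sustained attack).
        if entry.count == self.threshold:
            self.logs.append((key, ts, entry.count))
            return True
        return False


def demo() -> list:
    """Constructed sample: a brute-force source seen five times in ten seconds,
    then again after a quiet period longer than the window."""
    logger = ThresholdLogger(threshold=3)
    key = "brute-force:203.0.113.10"   # constructed attack key (documentation range)
    first_burst = [logger.observe(key, t) for t in (0, 2, 4, 6, 8)]
    second_burst = [logger.observe(key, t) for t in (100, 101, 102)]
    return first_burst + second_burst


if __name__ == "__main__":
    print(demo())  # one True per burst: the third match of each
```

The key point for anyone tuning the threshold is that the count is not a per-match counter feeding a log line each time; a single log at the threshold is the only evidence the burst existed, so the threshold value also sets how much of an attack is visible in syslog.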
J-Web
On SRX100, SRX210, SRX220, and SRX240 devices, the commit fails when you configure
an interface under the security zone junos-global. In Junos OS Release 10.4, the junos-global
CLI option is deprecated and is therefore not supported.
NOTE: Junos OS Release 10.3 and earlier releases still support the
junos-global CLI option.
The J-Web login page has been updated with the new Juniper Logo and Trademark.
URL separation for J-Web and dynamic VPN: This feature prevents dynamic VPN
users from accessing J-Web, whether accidentally or intentionally. Unique URLs for J-Web and
dynamic VPN add support to the webserver for parsing all the HTTP requests it receives.
The webserver also grants access based on the interfaces enabled for
J-Web and dynamic VPN.
Enabling only dynamic VPN: Dynamic VPN requires the configured HTTPS
certificate and the webserver to communicate with the client. Therefore, the
configuration at the [edit system services web-management] hierarchy level that is required
to start the appweb webserver cannot be deleted or deactivated. To disable J-Web,
the administrator must bind HTTP or HTTPS to the loopback interface lo0.
This ensures that the webserver rejects all J-Web access requests.
web-management {
traceoptions {
level all;
flag dynamic-vpn;
flag all;
}
management-url my-jweb;
http {
interface lo0.0;
}
https {
system-generated-certificate;
}
limits {
debug-level 9;
}
session {
session-limit 7;
}
}
Changes in the Web access behavior: The following section illustrates the changes
in the Web access behavior when J-Web and dynamic VPN do not share and do
share the same interface.
Case 1: J-Web and dynamic VPN do not share the same interface.
URL columns: http(s)://server host; http(s)://server host//configured attribute; http(s)://server host//dynamic-vpn
J-Web is enabled, and dynamic VPN is configured: Navigates to the dynamic VPN login page.
J-Web is not enabled, and dynamic VPN is not configured: Navigates to the Page Not Found page.
J-Web is enabled, and dynamic VPN is not configured: Navigates to the Page Not Found page.
J-Web is not enabled, and dynamic VPN is configured: Navigates to the dynamic VPN login page; Navigates to the dynamic VPN login page.
Case 2: J-Web and dynamic VPN share the same interface.
URL columns: http(s)://server host; http(s)://server host//configured attribute; http(s)://server host//dynamic-vpn
J-Web is enabled, and dynamic VPN is configured: Navigates to the dynamic VPN login page; Navigates to the dynamic VPN login page.
J-Web is not enabled, and dynamic VPN is not configured: Navigates to the Page Not Found page; Navigates to the Page Not Found page.
J-Web is enabled, and dynamic VPN is not configured: Navigates to the J-Web login page; Navigates to the Page Not Found page.
J-Web is not enabled, and dynamic VPN is configured: Navigates to the dynamic VPN login page; Navigates to the dynamic VPN login page.
The options to configure the Custom Attacks, Custom Attack Groups, and Dynamic
Attack Groups are disabled because they cannot be configured from J-Web.
On SRX5600 and SRX5800 devices running a previous release of Junos OS, security
logs were always timestamped using the UTC time zone. In Junos OS Release 10.4,
you can use the set system time-zone CLI command to specify the local time zone that
the system should use when timestamping the security logs. If you want to timestamp
logs using the UTC time zone, use the set system time-zone utc and set security log
utc-timestamp CLI statements.
The chassis contains an internal CompactFlash used to store the operating system.
By default, only the internal CompactFlash is enabled, and taking a snapshot
of the configuration directly from the internal CompactFlash to the external CompactFlash is
not supported. This can be done only by using a USB storage device.
1. Take a snapshot from the internal CompactFlash to the USB storage device by
using the request system snapshot media usb CLI command.
2. Reboot the device from the USB storage device by using the request system reboot
set ext.cf.pref 1
save
reset
5. Once the system is booted from the USB storage device, take a snapshot on the
NOTE: Once the snapshot has been taken on the external CompactFlash,
we recommend that you set ext.cf.pref to 0 at the U-boot prompt.
Multilink
When data and LFI streams are present, we recommend the following configuration
to reduce latency for LFI traffic and to avoid out-of-range transmission of data traffic:
Configure the following schedulers
Even after this configuration, if out-of-range sequence number drops are observed on
the reassembly side, increase the drop-timeout of the bundle to 200 ms.
Security
J Series devices do not support the authentication order password radius or password
ldap in the edit access profile profile-name authentication-order command. Instead, use
the order radius password or ldap password.
Any change in the Unified Access Controls (UAC) contact interval and timeout values
in the SRX Series or J Series device will be effective only after the next reconnection
of the SRX Series or J Series device with the Infranet Controller.
The maximum size of a redirect payload is 1450 bytes, and the size of the redirect URL is
restricted to 1407 bytes (excluding a few HTTP headers). If a user accesses a destination
URL that is larger than 1407 bytes, the Infranet Controller authenticates the payload,
calculates the exact length of the redirect URL, and trims the destination URL
so that it fits into the redirect URL. The space available for the destination URL can be
less than 1407 bytes, depending on what else is present in the redirect URL (for example,
the policy ID). The destination URL in the default redirect URL is trimmed so that the
redirect packet payload is limited to 1450 bytes; if the payload would be larger than
1450 bytes, the excess is trimmed and the user is directed to the destination
URL that has been resized to fit within 1450 bytes.
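The redirect-URL trimming described above, as an added Python example (not Junos or Infranet Controller code; the notes do not describe the actual redirect URL format): the 1407-byte URL limit is the one the notes state, while the redirect base URL, the policy-ID parameter and the query parameter name target are assumptions made for illustration. The destination URL is percent-encoded into the redirect URL, and when the result would exceed the limit the destination is cut back on a percent-escape boundary so that the user is still sent to a well-formed, if shortened, URL. The 1450-byte payload bound, which includes HTTP headers the notes do not enumerate, is not modelled.

```python
from urllib.parse import quote, urlencode

MAX_REDIRECT_URL = 1407  # byte limit on the redirect URL stated in the release notes


def build_redirect_url(base, params, destination, max_len=MAX_REDIRECT_URL):
    """Build a redirect URL carrying `destination`, trimming it to fit max_len bytes.

    Returns (url, trimmed). `base`, `params` and the query name 'target' are
    assumptions made for this illustration; only the limit comes from the notes.
    """
    prefix = f"{base}?{urlencode(params)}&target="
    budget = max_len - len(prefix.encode("utf-8"))
    if budget <= 0:
        raise ValueError("redirect prefix leaves no room for the destination URL")
    # quote() with safe="" yields pure ASCII, so character count equals byte count.
    encoded = quote(destination, safe="")
    if len(encoded) <= budget:
        return prefix + encoded, False
    trimmed = encoded[:budget]
    # Never cut a %XX escape in half: drop a dangling '%' or '%X' at the end.
    pct = trimmed.rfind("%", max(0, len(trimmed) - 2))
    if pct != -1:
        trimmed = trimmed[:pct]
    return prefix + trimmed, True


def demo():
    """Constructed sample: a short destination that fits and a long one that is trimmed."""
    base = "https://ic.example.invalid/login"   # placeholder Infranet Controller URL
    params = {"policy": "42"}                   # assumed policy-ID parameter
    short, short_trimmed = build_redirect_url(base, params, "http://www.example.com/")
    long_dest = "http://www.example.com/" + "a" * 2000
    long_url, long_trimmed = build_redirect_url(base, params, long_dest)
    return {
        "short_len": len(short.encode("utf-8")),
        "short_trimmed": short_trimmed,
        "long_len": len(long_url.encode("utf-8")),
        "long_trimmed": long_trimmed,
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one the notes hint at: a user whose original request carried a very long URL (long query strings are common) lands on a truncated destination after authentication, so anything that depended on the tail of that URL is lost rather than rejected.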
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following VLAN IDs
are reserved for internal use and cannot be used on customer-facing interfaces:
Reservations | SRX100 | SRX210 | SRX220 | SRX240 | SRX650
3968-4047 | - | - | - | Reserved | Reserved
4093 | Reserved | Reserved | Reserved | Reserved | Reserved
4094 | Reserved* | Reserved* | Reserved* | Reserved* | Reserved*
* This default tag reservation can be configured to use an alternative tag number or
not to use VLAN tagging at all.
While configuring the AX411 Access Point on your SRX Series devices, you must enter
the WLAN admin password using the set wlan admin-authentication password
command. This command prompts for the password and the password entered is
stored in encrypted form.
NOTE:
Without the wlan configuration option enabled, the AX411 Access Points will be
managed with the default password.
The SRX Series devices that are not using the AX411 Access Point can
optionally delete the wlan configuration option.
Accessing the AX411 Access Point through SSH is disabled by default. You can enable
SSH access by using the set wlan access-point <name> external system services
enable-ssh command.
Unsupported CLI
This section lists unsupported CLI statements and commands.
Accounting-Options Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the accounting,
source-class, and destination-class statements in the [accounting-options] hierarchy
level are not supported.
On SRX100 devices, there are CLI commands for wireless LAN configurations related
to the AX411 Access Point. However, at this time the SRX100 devices do not support
the AX411 Access Point.
Chassis Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following
chassis hierarchy CLI commands are not supported. However, if you enter these
commands in the CLI editor, they appear to succeed and do not display an error
message.
set chassis craft-lockout
set chassis routing-engine on-disk-failure
Class-of-Service Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices, the following
class-of-service hierarchy CLI commands are not supported. However, if you enter
these commands in the CLI editor, they appear to succeed and do not display an error
message.
set class-of-service classifiers ieee-802.1ad
set class-of-service interfaces interface-name unit 0 adaptive-shaper
Ethernet-Switching Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following
ethernet-switching hierarchy CLI commands are not supported. However, if you enter
these commands in the CLI editor, they appear to succeed and do not display an error
message.
set ethernet-switching-options bpdu-block disable-timeout
set ethernet-switching-options bpdu-block interface
set ethernet-switching-options mac-notification
set ethernet-switching-options voip interface access-ports
set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class
Firewall Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following
firewall hierarchy CLI commands are not supported. However, if you enter these
commands in the CLI editor, they appear to succeed and do not display an error
message.
set firewall family vpls filter
set firewall family mpls dialer-filter d1 term
The following CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
request lacp link-switchover ae0
set interfaces ae0 aggregated-ether-options lacp link-protection
set interfaces ae0 aggregated-ether-options link-protection
The following CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
set interfaces at-1/0/0 container-options
set interfaces at-1/0/0 atm-options ilmi
set interfaces at-1/0/0 atm-options linear-red-profiles
set interfaces at-1/0/0 atm-options no-payload-scrambler
set interfaces at-1/0/0 atm-options payload-scrambler
set interfaces at-1/0/0 atm-options plp-to-clp
set interfaces at-1/0/0 atm-options scheduler-maps
set interfaces at-1/0/0 unit 0 atm-l2circuit-mode
set interfaces at-1/0/0 unit 0 atm-scheduler-map
set interfaces at-1/0/0 unit 0 cell-bundle-size
set interfaces at-1/0/0 unit 0 compression-device
set interfaces at-1/0/0 unit 0 epd-threshold
set interfaces at-1/0/0 unit 0 inverse-arp
set interfaces at-1/0/0 unit 0 layer2-policer
set interfaces at-1/0/0 unit 0 multicast-vci
set interfaces at-1/0/0 unit 0 multipoint
Ethernet Interfaces
The following CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes
set interfaces ge-0/0/1 gigether-options mpls
set interfaces ge-0/0/0 stacked-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id
set interfaces ge-0/0/0 radio-router
set interfaces ge-0/0/0 unit 0 interface-shared-with
set interfaces ge-0/0/0 unit 0 input-vlan-map
set interfaces ge-0/0/0 unit 0 output-vlan-map
set interfaces ge-0/0/0 unit 0 layer2-policer
set interfaces ge-0/0/0 unit 0 accept-source-mac
set interfaces fe-0/0/2 fastether-options source-address-filter
set interfaces fe-0/0/2 fastether-options source-filtering
set interfaces ge-0/0/1 passive-monitor-mode
The following CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
set interfaces gr-0/0/0 unit 0 ppp-options
set interfaces gr-0/0/0 unit 0 layer2-policer
IP Interface CLI
The following CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ip-0/0/0 unit 0 layer2-policer
set interfaces ip-0/0/0 unit 0 ppp-options
set interfaces ip-0/0/0 unit 0 radio-router
The following CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
set interfaces lsq-0/0/0 unit 0 layer2-policer
set interfaces lsq-0/0/0 unit 0 family ccc
set interfaces lsq-0/0/0 unit 0 family tcc
set interfaces lsq-0/0/0 unit 0 family vpls
set interfaces lsq-0/0/0 unit 0 multipoint
set interfaces lsq-0/0/0 unit 0 point-to-point
set interfaces lsq-0/0/0 unit 0 radio-router
PT Interface CLI
The following CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
set interfaces pt-1/0/0 gratuitous-arp-reply
set interfaces pt-1/0/0 link-mode
set interfaces pt-1/0/0 no-gratuitous-arp-reply
set interfaces pt-1/0/0 no-gratuitous-arp-request
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 unit 0 radio-router
set interfaces pt-1/0/0 unit 0 vlan-id
T1 Interface CLI
The following CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
set interfaces t1-1/0/0 receive-bucket
The following CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
set interfaces vlan unit 0 family tcc
set interfaces vlan unit 0 family vpls
set interfaces vlan unit 0 accounting-profile
set interfaces vlan unit 0 layer2-policer
set interfaces vlan unit 0 ppp-options
set interfaces vlan unit 0 radio-router
Protocols Hierarchy
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following CLI
commands are not supported. However, if you enter these commands in the CLI editor,
they appear to succeed and do not display an error message.
set protocols bfd no-issu-timer-negotiation
set protocols bgp idle-after-switch-over
Routing Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following
routing hierarchy CLI commands are not supported. However, if you enter these
commands in the CLI editor, they appear to succeed and do not display an error
message.
set routing-instances p1 services
set routing-instances p1 multicast-snooping-options
set routing-instances p1 protocols amt
set routing-options bmp
set routing-options flow
Services Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following
services hierarchy CLI commands are not supported. However, if you enter these
commands in the CLI editor, they appear to succeed and do not display an error
message.
set services service-interface-pools
SNMP Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following
SNMP hierarchy CLI commands are not supported. However, if you enter these
commands in the CLI editor, they appear to succeed and do not display an error
message.
set snmp community 90 logical-system
set snmp logical-system-trap-filter
set snmp trap-options logical-system
set snmp trap-group d1 logical-system
System Hierarchy
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following system
hierarchy CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
set system diag-port-authentication
set protocols pim apply-groups group apply-groups-except group disable family inet6
Related Documentation
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series
Services Routers on page 92
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services
Routers on page 158
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers on page 178
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series
Services Routers
AppSecure
Chassis Cluster
On SRX650 devices in a chassis cluster, ping packets sent from the forward node to
the active node are dropped intermittently.
On SRX650 devices in a chassis cluster, the T1/E1 PIC goes offline and does not come
online.
SRX100, SRX210, SRX240, and SRX650 devices have the following chassis cluster
limitations:
On SRX Series device failover, access points on the Layer 2 switch reboot and all
wireless clients lose connectivity for 4-6 minutes.
Sampling features such as J-Flow, packet capture, and port mirroring on the reth interface
are not supported.
IDP is not supported for active/active chassis cluster. IDP is supported for
active/backup chassis cluster in Junos OS Release 10.2R2 and later.
Any packet-based services like MPLS and CLNS are not supported.
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, UTM is supported only
for active/backup chassis cluster configuration with both RG0 and RG1 active on the
same node. It is not supported for active/active chassis cluster configuration.
For other limitations in chassis cluster, see Limitations of Chassis Clustering in the Junos
OS Security Configuration Guide.
On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the
device by using the CLI. The number of users allowed to access the device is limited
as follows:
For SRX210 devices: four CLI users and three J-Web users
For SRX240 devices: six CLI users and five J-Web users
DOCSIS Mini-PIM
SRX Series and J Series devices do not support DHCPv6 client authentication.
Dynamic VPN
SRX100, SRX210, and SRX240 devices have the following limitations:
The IKE configuration for the dynamic VPN client does not support the hexadecimal
preshared key.
The dynamic VPN client IPsec does not support the Authentication Header (AH)
protocol and the Encapsulating Security Payload (ESP) protocol with NULL
authentication.
When you log in through the Web browser (instead of logging in through the dynamic
VPN client) and a new client is available, you are prompted for a client upgrade even
if the force-upgrade option is configured. Conversely, if you log in using the dynamic
VPN client with the force-upgrade option configured, the client upgrade occurs
automatically (without a prompt).
On SRX Series devices, data plane logs generated in event mode (under set security
log mode options) or logs sent via NSM (under set system syslog) can increase CPU
utilization dramatically, impacting the system stability, especially in chassis cluster
mode.
The service-point zone parameter for the SRX Series MGW configuration is not
supported in Junos OS Release 10.4.
You cannot configure route policies and route patterns in the same dial plan.
You can configure no more than four members in a station group. Station groups are
used for hunt groups and ring groups.
On J Series devices, even when forwarding options are set to drop packets for the ISO
protocol family, the device forms End System-to-Intermediate System (ES-IS)
adjacencies and transmits packets because ES-IS packets are Layer 2 terminating
packets.
On SRX Series and J Series devices, high CPU utilization, triggered by causes such as
CPU-intensive commands or SNMP walks, causes BFD sessions to flap while large BGP
updates are being processed.
For other limitations in flow and processing, see Limitations of Flow and Processing in
the Junos OS Security Configuration Guide.
Hardware
This section covers filter and policing limitations.
On SRX1400, SRX3400 and SRX3600 devices, the following feature is not supported
by a simple filter:
On SRX1400, SRX3400 and SRX3600 devices, the following features are not supported
by a policer or a three-color-policer:
Filter-specific policer
Policer action
Egress FBF
FTF
SRX1400, SRX3400, and SRX3600 devices have the following limitations of a simple
filter:
In the packet processor on an IOC, up to 100 logical interfaces can be applied with
simple filters.
In the packet processor on an IOC, the maximum number of terms of all simple filters
is 4000.
16-port GPIM
24-port GPIMs
On SRX650 devices, the T1/E1 GPIMs (2- or 4-port versions) do not work in Junos OS
Release 9.6R1. This issue is resolved in Junos OS Release 9.6R2 and later releases, but
if you roll back to the 9.6R1 image, the issue is still seen.
The SRX220 Services Gateway does not support the 1-port SFP Mini-PIM.
On SRX210 devices, the link goes down after an FPGA upgrade is performed. As a
workaround, run the restart fpc command.
On SRX240 High Memory devices, traffic might stop between the SRX240 device and a
Cisco switch because of a link mode mismatch. As a workaround, Juniper Networks
recommends setting the auto-negotiation parameters on both ends to the same value.
On SRX100 devices, the link goes down when you upgrade the FPGA on the 1xGE SFP. As a
workaround, run the restart fpc command to restart the FPC.
On SRX210 devices with VDSL2, ATM CoS VBR-related functionality cannot be tested
because of lack of support from the vendor.
On SRX210 High Memory devices, IGMPv2 join messages are dropped on an IRB
interface. As a workaround, enable IGMP snooping to use IGMP over IRB interfaces.
On SRX210, SRX220, and SRX240 devices, every time the VDSL2 PIM is restarted in
ADSL mode, the first packet passing through the PIM is dropped.
On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM server
operation does not work when the probe is configured with the option
destination-interface.
Link Layer Discovery Protocol (LLDP): The following are the LLDP limitations:
On SRX Series and J Series devices, LLDP over ae interfaces is not supported.
On SRX Series and J Series devices, LLDP is supported only on interface unit 0.
In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If the
user configures IP CoS in conjunction with ATM CoS, a logical interface level shaper
matching the ATM CoS rate must be configured to avoid congestion drops in the SAR.
Example:
set interfaces at-5/0/0 unit 0 vci 1.110
set interfaces at-5/0/0 unit 0 shaping cbr 62400   (ATM CoS)
set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map   (IP CoS)
set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400   (adds the logical interface shaper)
On SRX210, SRX220, and SRX240 devices, 1-port Gigabit Ethernet SFP mini-PIM does
not support switching in Junos OS Release 10.4.
On SRX650 devices, MAC pause frame and FCS error frame counters are not supported
for the interfaces ge-0/0/0 through ge-0/0/3.
On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls within the
reserved VLAN range, and the user cannot configure any VLANs from this range.
On SRX650 devices, the last 4 ports of a 24-Gigabit Ethernet switch GPIM can be used
either as RJ-45 or SFP ports. If both are present and providing power, the SFP media
is preferred. If the SFP media is removed or the link is brought down, then the interface
will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED
for the RJ-45 port might go up and down intermittently. Similarly when the RJ-45
medium is active and an SFP link is brought up, the interface will transition to the SFP
medium, and this transition could also take a few seconds.
On SRX210 devices, the USB modem interface can handle bidirectional traffic of up
to 19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps
or above), keepalives do not get exchanged, and the interface goes down.
On SRX3400 and SRX3600 devices, BGP-based VPLS over aggregated Ethernet (ae)
interfaces is not supported. It works on child ports and physical
interfaces.
On SRX100, SRX210, SRX240, and SRX650 devices, the following features are not
supported on Layer 3 ae interfaces:
Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPoE) on Layer 3 ae interfaces
If SRX Series devices that are configured for IDP are upgraded to Junos OS Release
10.4, administrators must install the new security database, because the old IDP detector
might not be compatible.
Administrators must update the detector by using the request security idp
security-package download full-update command followed by the request security idp
security-package install command.
On SRX100, SRX210, SRX240, and SRX650 devices, policy compilation takes a long
time because:
For all other limitations in IDP, see Limitations of IDP in the Junos OS Security
Configuration Guide.
IPv6 support
For limitations in IPv6, see Limitations of IPv6 in the Junos OS Security Configuration
Guide.
J-Web
J-Web browser support for Dell PowerConnect SRX Series and J Series devices: To
access J-Web for all platforms, your device requires the following supported browsers
and OS:
Browser: Microsoft Internet Explorer version 6.0, 7.0, and Mozilla Firefox version
above 3.0 and below 3.5.
NOTE: Other browser versions might not provide access to J-Web and
only English-version browsers are supported.
If the device is running the worldwide version of the Junos OS and you are using the
Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option
in the Web browser to access the device.
To use the Chassis View, a recent version of Adobe Flash that supports ActionScript
and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed
by default on the Dashboard page. You can enable or disable it using options in the
Dashboard Preference dialog box, but clearing cookies in Internet Explorer also
causes the Chassis View to be displayed.
On SRX Series devices, in the J-Web interface, there is no support to change the T1
interface to an E1 interface or vice versa. As a workaround, use the CLI to convert from
T1 to E1 and vice versa.
On SRX Series and J Series devices, users cannot differentiate between Active and
Inactive configurations on the System Identity, Management Access, User Management,
and Date & Time pages.
On SRX210, SRX240, and SRX650 devices, the complete contents of the ToolTips are
not displayed in the J-Web Chassis View. As a workaround, drag the Chassis View
image down to see the complete ToolTip.
On SRX210 devices, there is no maximum length when the user commits the hostname
in CLI mode; however, only 58 characters maximum are displayed in the J-Web System
Identification panel.
On J Series devices, some J-Web pages for new features (for example, the Quick
Configuration page for the switching features on J Series devices) display content in
one or more modal pop-up windows. In the modal pop-up windows, you can interact
only with the content in the window and not with the rest of the J-Web page. As a
result, online Help is not available when modal pop-up windows are displayed. You
can access the online Help for a feature only by clicking the Help button on a J-Web
page.
On SRX Series devices, you cannot use J-Web to configure a VLAN interface for an IKE
gateway. VLAN interfaces are not currently supported to be used as IKE
external-interfaces.
NetScreen-Remote
NAT rule capacity change: To support the use of large-scale NAT (LSN) at the edge
of the carrier network, the device-wide NAT rule capacity has been changed.
The number of destination and static NAT rules has been increased as shown in
Table 10 on page 156. The limit on the number of destination-rule-set and
static-rule-set has been increased.
Table 10 on page 156 provides the requirements per device to increase the configuration
limitation as well as scale the capacity for each device.
Table 10: NAT rule capacity per device
NAT rule type | SRX100 | SRX210 | SRX240 | SRX650 | SRX3400, SRX3600 | SRX5600, SRX5800 | J Series
Source NAT rule | 512 | 512 | 1024 | 1024 | 8192 | 8192 | 512
Destination NAT rule | 512 | 512 | 1024 | 1024 | 8192 | 8192 | 512
Static NAT rule | 512 | 512 | 1024 | 1024 | 8192 | 8192 | 512
The restriction on the number of rules per rule set has been increased so that there is
only a device-wide limitation on how many rules a device can support. This restriction
is provided to help you better plan and configure the NAT rules for the device.
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices in a chassis
cluster, the reth interface cannot be used as the underlying interface for Point-to-Point
Protocol over Ethernet (PPPoE).
Security
J Series devices do not support the authentication order password radius or password
ldap in the edit access profile profile-name authentication-order command. Instead, use
order radius password or ldap password.
For all other limitations in security, see Addresses and Address Sets in the Junos OS
Security Configuration Guide.
SNMP
On J Series devices, the SNMP NAT-related MIB is not supported in Junos OS Release
10.4.
Switching
On SRX100, SRX210, SRX240, and SRX650 devices, CoA is not supported with 802.1x.
On SRX100, SRX210, SRX240 and SRX650 devices, on the routed VLAN interface, the
following features are not supported:
Class-of-service
Encapsulations (Ether CCC, VLAN CCC, VPLS, PPPOE etc) on VLAN interfaces
CLNS
PIM
DVMRP
Gratuitous ARP
UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB
of memory, you must upgrade the memory to 1 GB to run UTM.
VPNs
On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IPsec NAT-T
tunnels scaling and sustaining issues are as follows:
For a given private IP address, the NAT device should translate both 500 and 4500
private ports to the same public IP address.
The total number of tunnels from a given public translated IP cannot exceed 1000
tunnels.
On SRX100, SRX210, SRX240, and SRX650 devices, when configuring dynamic VPN
using the Pulse client, if you select sha-256 as the authentication-algorithm in the IKE
proposal, the IPsec session might not be established.
The following are the maximum numbers of access points that can be configured and
managed from SRX Series devices:
NOTE: The number of licensed access points can exceed the maximum
number of supported access points. However, you can only configure and
manage the maximum number of access points.
Related Documentation
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series
Services Routers on page 92
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services
Routers on page 158
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers on page 178
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Outstanding Issues In Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers on page 158
Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers on page 175
Outstanding Issues In Junos OS Release 10.4 for SRX Series Services Gateways
and J Series Services Routers
The following problems currently exist in SRX Series and J Series devices. The identifier
following the description is the tracking number in our bug database.
Application Layer Gateways (ALGs)
On SRX5600 devices, if you run the show security alg sip counters command while
doing a bulk call generation, it might bring down the SPU with a flowd core file error.
[PR/292956]
On SRX Series devices, SIP server protection does not work. The set security alg sip
application-screen protect deny command does not work. [PR/512202]
Authentication
On SRX210 PoE devices, the access point reboots when 100 clients are associated
simultaneously and each one is transmitting 512-byte packets at 100 pps. [PR/469418]
On SRX650 devices, when an access point is part of the default cluster and you change
the default cluster after the access point is connected to it, the changes might not be
reflected. As a workaround, restart the wireless LAN service. [PR/497752]
Chassis Cluster
On J Series devices in a chassis cluster, a high load of SIP ALG traffic might result in
some call leaks in active resource manager groups and gates on the backup router.
[PR/268613]
On an SRX210 device in a chassis cluster, sometimes the reth interface MAC address
might not make it to the switch filter table. This results in the dropping of traffic sent
to the reth interface. As a workaround, restart the Packet Forwarding Engine.
[PR/401139]
On SRX5800 devices, SNMP traps might not be generated for the ineligible-primary
state. [PR/434144]
On SRX240 Low Memory and High Memory devices, binding the same IKE policy to a
dynamic gateway and a site-to-site gateway is not allowed. [PR/440833]
On SRX650 devices, the following message appears on the new primary node after a
reboot or an RG0 failover:
WARNING: cli has been replaced by an updated version:
CLI release 9.6B1.5 built by builder on 2009-04-29 08:24:20 UTC
Restart cli using the new version ? [yes,no] (yes) yes
[PR/444470]
On SRX240 devices, the cluster might become destabilized when the file system is
full and logging is configured on JSRPD and chassisd. The log file size for the various
modules should be appropriately set to prevent the file system from getting full.
[PR/454926]
On SRX3600 devices, track IPs on the secondary node remain unreachable after you
disable and enable the primary and secondary child interfaces of the corresponding
reth interface. [PR/488890]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, LACP does not work in
Layer 2 transparent mode. [PR/503171]
During a manual failover, a system crash might occur if the nodes have not completely
recovered from a previous failover. To determine whether a device is ready for another
failover, perform the following recommended best-practice steps before doing a manual
failover:
Use the show chassis cluster status command to verify the following for all
redundancy groups:
Both nodes have nonzero priority values unless a monitored interface is down.
Use the show chassis fpc pic-status command to verify that the PIC status is Online.
Use the show pfe terse command to verify that the Packet Forwarding Engine status
is Ready and to verify the following:
All slots on the RG0 primary node have the status Online.
All slots on the RG0 secondary node, except the Routing Engine slots, have the
status Valid.
[PR/503389, PR/520093]
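The three checks above can be applied mechanically to the text of the three show commands. The following is an added example and is not part of the release notes or Juniper's software: it parses constructed (not captured) output of show chassis cluster status, show chassis fpc pic-status and show pfe terse and lists every reason the cluster is not ready for another manual failover. The column layouts it assumes, the re_slots and monitored_down parameters and all function names are assumptions for illustration; confirm the layout against your own device's output before relying on it.

```python
"""Pre-failover readiness check for an SRX chassis cluster.

Added example, not Juniper's code. Applies the three best-practice checks from
the release notes to show-command text. The sample output below is constructed
for illustration and its column layout is an assumption.
"""
import re

# Constructed sample of 'show chassis cluster status' (RG1 node1 has priority 0)
CLUSTER_STATUS = """\
Cluster ID: 1
Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   100         primary        no       no
    node1                   0           secondary      no       no
"""

# Constructed sample of 'show chassis fpc pic-status' (one PIC is Offline)
FPC_PIC_STATUS = """\
Slot 0   Online       FPC
  PIC 0  Online       4x GE Base PIC
Slot 1   Online       FPC
  PIC 0  Offline      1x GE SFP mPIM
"""

# Constructed sample of 'show pfe terse' (node1 slot 1 is not Valid)
PFE_TERSE = """\
node0:
Slot 0      Online
Slot 1      Online
node1:
Slot 0      Valid
Slot 1      Unknown
"""


def parse_cluster_status(text):
    """Return {rg: {node: (priority, status)}}."""
    groups, rg = {}, None
    for line in text.splitlines():
        if m := re.match(r"Redundancy group:\s*(\d+)", line):
            rg = int(m.group(1))
            groups[rg] = {}
        elif (m := re.match(r"\s*(node\d+)\s+(\d+)\s+(\S+)", line)) and rg is not None:
            groups[rg][m.group(1)] = (int(m.group(2)), m.group(3))
    return groups


def parse_pic_status(text):
    """Return [(slot, pic, state)] for every PIC line."""
    pics, slot = [], None
    for line in text.splitlines():
        if m := re.match(r"Slot\s+(\d+)\s+(\S+)", line):
            slot = int(m.group(1))
        elif (m := re.match(r"\s+PIC\s+(\d+)\s+(\S+)", line)) and slot is not None:
            pics.append((slot, int(m.group(1)), m.group(2)))
    return pics


def parse_pfe_terse(text):
    """Return {node: {slot: state}}."""
    nodes, node = {}, None
    for line in text.splitlines():
        if m := re.match(r"(node\d+):", line):
            node = m.group(1)
            nodes[node] = {}
        elif (m := re.match(r"Slot\s+(\d+)\s+(\S+)", line)) and node is not None:
            nodes[node][int(m.group(1))] = m.group(2)
    return nodes


def failover_problems(cluster_text, pic_text, pfe_text,
                      re_slots=frozenset(), monitored_down=frozenset()):
    """List every reason the cluster is not ready for another manual failover.

    re_slots: slot numbers holding Routing Engines (exempt from the Valid check).
    monitored_down: nodes on which a monitored interface is known to be down,
    which legitimately drives their priority to 0.
    """
    problems = []
    groups = parse_cluster_status(cluster_text)
    for rg, members in sorted(groups.items()):           # check 1: priorities
        for node, (prio, status) in members.items():
            if prio == 0 and node not in monitored_down:
                problems.append(f"RG{rg}: {node} ({status}) has priority 0")
    for slot, pic, state in parse_pic_status(pic_text):  # check 2: PICs Online
        if state != "Online":
            problems.append(f"FPC {slot} PIC {pic} is {state}, expected Online")
    rg0 = groups.get(0, {})                              # check 3: PFE slots
    primary = next((n for n, (_, s) in rg0.items() if s == "primary"), None)
    for node, slots in parse_pfe_terse(pfe_text).items():
        for slot, state in sorted(slots.items()):
            if node == primary and state != "Online":
                problems.append(f"{node} slot {slot} is {state}, expected Online on RG0 primary")
            elif node != primary and slot not in re_slots and state != "Valid":
                problems.append(f"{node} slot {slot} is {state}, expected Valid on RG0 secondary")
    return problems


def ready_for_failover(*args, **kwargs):
    """True only when failover_problems() finds nothing."""
    return not failover_problems(*args, **kwargs)
```

Run failover_problems() on the three outputs before each manual failover; an empty list is the only acceptable result. The monitored_down set exists because the priority check alone cannot distinguish a node whose priority is 0 because a monitored interface failed (expected) from one that simply has not recovered.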
On SRX650 devices, when the primary node is synchronizing heavy routes to the
secondary node and the secondary node is rebooted, FPCs on the secondary node
come up very slowly. PICs will not come up until all the routes are synchronized to the
secondary node. [PR/545429]
J4350 and J6350 devices might not have the requisite data buffers needed to meet
expected delay-bandwidth requirements. Lack of data buffers might degrade CoS
performance with smaller (500 bytes or less) packets. [PR/73054]
On J Series devices with a CoS configuration, when you try to delete all the flow sessions
using the clear security flow session command, the WXC application acceleration
platform might fail over with heavy traffic. [PR/273843]
On SRX650 devices, tail drops and keepalive losses are seen at high load on multilink
bundles when queue 3 (out of queue 0 to queue 7) is oversubscribed. As a workaround,
use only queue 3 for keepalive packets, and use other queues for data or voice
transmission. [PR/539353]
Dual-Stack Lite
Enhanced Switching
On J Series devices, if the access port is tagged with the same VLAN that is configured
at the port, the access port accepts tagged packets and determines the MAC.
[PR/302635]
On SRX Series devices, the show security flow session command currently does not
display aggregate session information. Instead, it displays sessions on a per-SPU basis.
[PR/264439]
On J Series devices, outbound filters will be applied twice for host-generated IPv4
traffic. [PR/301199]
On SRX Series devices, configuring the flow filter with the all flag might result in traces
that are not related to the configured filter. As a workaround, use the flow trace flag
basic with the command set security flow traceoptions flag.
[PR/304083]
On SRX240 devices, traffic flooding occurs when multiple multicast (MC) IP group
addresses are mapped to the same MAC address because multicast switching is based
on the Layer 2 address. [PR/418519]
On SRX650 devices, the input DA errors are not updated when packets are dropped
because of MAC filtering on the following:
SRX240 device
SRX210 device
On SRX5600 and SRX5800 devices, the network processing bundle configuration CLI
does not check whether PICs in the bundle are valid. [PR/429780]
On SRX650 devices, packet loss is observed when the device interoperates with an
SSG20 with AMI line encoding. [PR/430475]
On SRX3400 and SRX3600 devices, the ramp rate of session creation is slow at times
for fragmented UDP traffic. [PR/434508]
On SRX5800 devices, when there are nonexistent PICs in the network processing
bundle, the traffic is sent out to the PICs and is lost. [PR/434976]
The SRX5600 and SRX5800 devices create more than the expected number of flow
sessions with NAT traffic. [PR/437481]
On J Series devices, NAT traffic that goes to the WXC ISM 200 and returns clear (that
is, not accelerated by the WXC ISM 200) does not work. [PR/438152]
On SRX5800 devices, for any network processing bundle configuration change to take
effect, a reboot is needed. Currently there is no message displayed after a bundle
configuration change. [PR/441546]
On SRX5800 devices, the IOC hot swap is not supported with network processing
bundling. If an IOC configured with network processing bundling is unplugged, all traffic
to that network processor bundle will be lost. [PR/441961]
On SRX5800 devices with interfaces in a network processing bundle, the ICMP flood
or UDP flood cannot be detected at the threshold rate. However, it can be detected
at a higher rate when the per-network processor rate reaches the threshold.
[PR/442376]
On an SRX3400 device in combo mode with two SPCs and one NPC, not all sessions
are created under the stress test. [PR/450482]
On J Series devices, there is a drop in throughput on a T3 link for 64-byte packets
when bidirectional traffic is sent. [PR/452652]
On SRX240 PoE and J4350 devices, the first packet on each multilink class is dropped
on reassembly. [PR/455023]
On SRX5600 and SRX5800 devices, system log messages are not generated when
CPU utilization returns to normal. [PR/456304]
On SRX210, SRX240, and J6350 devices, the serial interface goes down for
long-duration traffic when FPGA version 2.3 is loaded in the device. As a result, the
multilink goes down. This issue is not seen when downgrading the FPGA version from
2.3 to 1.14. [PR/461471]
On J Series devices, interfaces with different bandwidths (even if they are of same
interface type, for example, serial interfaces with different clock rates or channelized
T1/E1 interfaces with different time slots) should not be bundled under one multilink
bundle. [PR/464410]
SRX3400 and SRX3600 devices with one Services Processing Card and two Network
Processing Cards operating under heavy traffic produce fewer flow sessions.
[PR/478939]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the input packets and
bytes counters show random values in both the traffic statistics and the IPv6 transit
statistics when VLAN tagging is added to or removed from an interface configured with
an IPv6 address. [PR/489171]
On SRX Series devices, the software upload and install package does not show a
warning message when there are pending changes to be committed. [PR/514853]
On SRX240 Low Memory devices, an LSQ interface transmitting both LLQ and non-LLQ
traffic drops out-of-profile packets of the LLQ traffic faster than it did in earlier
releases. [PR/536588]
On SRX5800 devices, address overlapping is not supported when dual-stack lite works
with the source NAT and enables any of the following options:
persistent-nat
port no-translation
[PR/540816]
On SRX3600 devices, if the interface address is changed to a new address that is also
the dual-stack lite concentrator address while background traffic is targeted at that
address, you must manually clear the ipip cleartext sessions with the concentrator
address. The dual-stack lite concentrator will affect the traffic flow. [PR/541747]
On SRX5800 devices, in NAT mode, when SIP traffic is sent from the device, packet
drops are seen at the beginning and later the processing of traffic stops. [PR/554685]
On SRX3400 and SRX3600 devices, when the external RADIUS server is down or
terminated, the large number of authentication requests might cause authd to generate
a core file. [PR/568659]
Hardware
On SRX210 devices, the MTU size is limited to 1518 bytes for the 1-port SFP Mini-PIM.
[PR/296498]
On SRX240 devices, the Mini-PIM LEDs glow red for a short duration (1 second) when
the device is powered on. [PR/429942]
On SRX240 devices, the file installation fails on the right USB slot when both of the
USB slots have USB storage devices installed. [PR/437563]
Infrastructure
On J Series devices, you cannot use a USB device that provides U3 features (such as
the U3 Titanium device from SanDisk Corporation) as the media device during system
boot. You must remove the U3 support before using the device as a boot medium. For
the U3 Titanium device, you can use the U3 Launchpad Removal Tool on a
Windows-based system to remove the U3 features. The tool is available for download
at http://www.sandisk.com/Retail/Default.aspx?CatID=1415. (To restore the U3 features,
use the U3 Launchpad Installer Tool accessible at
http://www.sandisk.com/Retail/Default.aspx?CatID=1411). [PR/102645]
On J Series devices, if the device does not have an ARP entry for an IP address, the
device drops the first packet from itself to that IP address. [PR/233867]
On J Series devices, when you press the F10 key to save and exit from BIOS configuration
mode, the operation might not work as expected. As a workaround, use the Save and
Exit option from the Exit menu. This issue can be seen on the J4350 and J6350 devices
with BIOS Version 080011 and on the J2320 and J2350 devices with BIOS Version
080012. [PR/237721]
On J Series devices, the Clear NVRAM option in the BIOS configuration mode does not
work as expected. This issue can be seen on the J4350 and J6350 routers with BIOS
Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. To
help mitigate this issue, note any changes you make to the BIOS configuration so that
you can revert to the default BIOS configuration as needed. [PR/237722]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the SNMP set for the MIB
object usmUserPrivKeyChange does not work. [PR/482475]
Installation
On SRX100, SRX210, SRX240, or SRX650 devices with 1-GB storage flash, when you
use the file copy command to copy the Junos OS package from ftp://<path> to a local
directory, you might get a message saying that the file system is full. Do not use the
file copy command to get the Junos OS package for software upgrade.
The file copy command copies the Junos OS package as a temporary file in /cf/var/tmp
and then copies the file with a package name in a local directory under the /cf/var
partition. This means that a Junos OS package of size X needs 2X space in the /cf/var
partition. For example, a Junos OS package of 197 MB will need 394 MB, whereas the
/cf/var partition is less than 350 MB on a 1-GB storage flash. Thus, the file copy
command will fail. [PR/526030]
SNMP does not provide support for survivable call server (SRX Series SCS) statistics.
[PR/456454]
On SRX210 devices with voice capability, SIP trunking or FXS trunking calls do not work
if the called party supports only the G729AB/G711-Mu-law codec. [PR/504135]
On SRX210 and SRX240 devices with Integrated Convergence Services, if the transport
method for the peer call server is TCP, the SRX Series devices do not support SIP
messages of more than 2048 bytes. [PR/510291]
On SRX210 and SRX240 devices with voice capability, the T1PRI calls do not work
when multiple trunk-groups or trunks are created. [PR/514784]
On SRX210 and SRX240 devices with voice capability, the caller ID of the calling party
is displayed as a four-digit local extension number instead of a 7- or 10-digit local or
international number for outgoing calls from PRI. [PR/516021]
On SRX210 and SRX240 devices with Integrated Convergence Services, if you have
the accounting feature configured (Services>Convergence services>Features), you
cannot configure the account code on a per-station basis. [PR/516681]
On SRX240 devices with voice capability, the restart rtdm command is required after
changing the Max-concurrent-value from x to 0, to allow unlimited calls through SIP
trunk or PCS. [PR/536849]
On SRX240 devices with voice capability, the restart rtdm command is required to
make PRI calls successful when both PRI and T1CAS lines are active. [PR/537551]
On SRX650 devices, the following loopback features are not implemented for quad
T1/E1 GPIMs:
Line
FDL payload
In-band line
In-band payload
[PR/425040]
On SRX650 devices, configuring dual and quad T1/E1 framing at the chassis level has
no effect. [PR/432071]
On SRX Series devices, incorrect Layer 2 circuit replication on the backup Routing
Engine might occur when you:
Configure nonstop active routing (NSR) and Layer 2 circuit standby simultaneously
and commit them
Delete the NSR configuration and then add the configuration back when both the
NSR and the Layer 2 circuits are up
As a workaround:
1.
[PR/440743]
On SRX210 Low Memory devices, the E1 interface flaps and traffic does not pass through
the interface if you restart forwarding while traffic is passing through the interface.
[PR/441312]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you configure the
SAP listen option using the protocol sap listen command in the CLI, listening fails in
both sparse and sparse-dense modes. [PR/441833]
On J Series devices, one member link goes down in a Multilink (ML) bundle during
bidirectional traffic with Multilink Frame Relay (MFR). [PR/445679]
On SRX100, SRX210, and J Series devices, out-of-band dial-in access using a serial
modem does not work. [PR/458114]
On SRX100 and SRX200 devices with VDSL2, multiple carrier transitions (three to
four) are seen during long-duration traffic testing with the ALU 7302 DSLAM. There is
no impact on traffic except for the packet loss after long-duration traffic testing, which
is also seen in the vendor CPE. [PR/467912]
On SRX210 devices with VDSL2, the remote end ping operation fails to go above the
packet size of 1480 because the packets are dropped for the default MTU, which is
1496 on an interface, and because the default MTU of the remote host Ethernet
interface is 1514. [PR/469651]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you change the
multicast scoping to a different multicast address, traffic other than which is configured
for multicast scoping is not received. [PR/482957]
On SRX210 High Memory devices, the physical interface module (PIM) shows time in
ADSL2+ ANNEX-M, even though it is configured for ANNEX-M ADSL2. [PR/497129]
On SRX5600 and SRX5800 devices, load balance does not happen within the
aggregated Ethernet (ae) interface when you prefix the length with /24 while
incrementing the dst ip. [PR/505840]
On SRX100, SRX210, SRX240, and SRX650 devices, egress queues do not function
on VLAN or IRB interfaces. [PR/510568]
On SRX650 devices, in the 2-port 10G XPIM, when the interface is linked with fiber, the
activity LED does not blink when traffic enters the interface. However, the activity LED
blinks properly when traffic goes out of the interface. [PR/513961]
On SRX650 devices, the speed for the ae interface shows the interface speed and not
the negotiated speed. [PR/553339]
On SRX650 devices, sometimes quad T1/E1 generates a core file while the user is
configuring it in T1 mode with the traffic sent continuously over the quad T1/E1.
[PR/556716]
On SRX220 devices, when oversubscribed traffic is sent through the gr interface (after
tunnel queuing has been enabled and the shaper has been configured), there is an
increase in tail-dropped packets at the egress of the gr interface. As a result of this,
the output packet rate at the egress of the gr interface is much lower compared to that
of the shaper. [PR/559378]
On SRX1400 devices, the alarm indication is not available if a power supply is not
functioning normally. The system creates log messages in /var/log/chassisd to indicate
the power supply failure conditions. [PR/566210]
The SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices support only
one IDP policy at any given time. When you make changes to the IDP policy and commit,
the current policy is completely removed before the new policy becomes effective.
During the update, IDP will not inspect the traffic that is passing through the device for
attacks. As a result, there is no IDP policy enforcement. [PR/392421]
On SRX210 devices, when the IDP policy contains rules that have the match criteria
for the same attacks, multiple attacks will be reported when the attacks are detected.
No errors or warnings appear during policy compilation. [PR/414416]
On SRX Series devices, the maximum supported sessions count is not displayed when
you run the show security flow session idp summary command. [PR/503721]
On SRX5600 devices, when using a 4096-bit SSL private key for IDP HTTPS traffic
processing, the watchdog aborts the flowd process and reboots the SPC. This is
primarily because of the watchdog timer expiration. The IDP function takes a long time
to decrypt the session when you use a 4096-bit key.
The SSL function is known to take an exponentially large amount of time when the
key size is increased. Key sizes of 1024 bits and 2096 bits are OK to process because
their processing time is below the watchdog threshold, but the key size of 4096 bits
should not be used when sending stress traffic. Also, IDP uses SSL hardware for <=
1024-bit keys. The throughput is much higher for the traffic using <= 1024-bit SSL
private keys. [PR/524452]
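To make the key-size effect concrete, the following added example (not Juniper's code and not from these notes) times a private-key-sized modular exponentiation in plain Python for 1024-, 2048- and 4096-bit operands. The random moduli are not real RSA keys and the budget is a hypothetical threshold, not the Junos watchdog value; the point is the ratio between sizes, which is what pushes the 4096-bit case past a fixed timer while the smaller sizes stay inside it. It measures a pure software path, so it corresponds to the case the notes describe for keys that are not offloaded to SSL hardware.

```python
"""Why a 4096-bit RSA private key can overrun a fixed watchdog budget.

Added example, not Juniper's code. It times pow(c, d, n) with a random odd
modulus n and a full-length exponent d of the requested bit length. These are
not real RSA keys (no primes, no CRT), but the cost of the operation is set by
operand size, so the ratios between sizes are representative of a software
decrypt path. The budget passed to sizes_within_budget() is a hypothetical
watchdog threshold chosen by the caller, not a Junos value.
"""
import secrets
import time


def private_op_seconds(bits, repeats=3):
    """Best-of-N wall-clock time for one private-key-sized modular exponentiation."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd modulus of exactly `bits` bits
    d = secrets.randbits(bits) | (1 << (bits - 1))       # full-length private exponent
    c = secrets.randbelow(n)                             # ciphertext-sized operand
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pow(c, d, n)
        best = min(best, time.perf_counter() - start)
    return best


def cost_ratio(bits_a, bits_b):
    """How many times slower a bits_a operation is than a bits_b operation."""
    return private_op_seconds(bits_a) / private_op_seconds(bits_b)


def sizes_within_budget(budget_seconds, sizes=(1024, 2048, 4096)):
    """Key sizes whose single-operation cost stays under the (hypothetical) watchdog budget."""
    return [b for b in sizes if private_op_seconds(b) <= budget_seconds]
```

Doubling the modulus roughly multiplies the cost of a textbook exponentiation by eight (twice as many squarings, each on operands four times as expensive), so a timer that comfortably covers 1024- and 2048-bit keys can be exceeded by a 4096-bit key under load even though the larger key is only "twice as big".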
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, IDP policies greater than
19 MB do not get loaded. [PR/540856]
On SRX100 and SRX240 High Memory devices, whenever the folder /var/db/idpd or the
folder /var/db/idpd/db under it is deleted, the system must be rebooted for idpd to
function properly. [PR/551412]
IPv6
Proxy-ndp does not work in IPv6. Hence, the following issue exists:
publishing the MAC address for specific IPv6 addresses will not work under Interfaces>set interfaces
[PR/549969]
ISSU
In-service software upgrade (ISSU) is not supported for upgrading VPN, NAT, IPv6,
FTP ALG, TFTP ALG, or IDP functionality. If ISSU is used while the noted functionality
is enabled, SRX Series devices might be left in an invalid state. The upgrade options
are either to disable unsupported ISSU features prior to the upgrade or to use a standard
upgrade procedure with a reboot. [PR/558566, PR/530035]
J-Flow
SRX3400, SRX3600, SRX5600, and SRX5800 devices support the 4-byte autonomous
system (AS) for BGP configuration. However, J-Flow template versions 5 and 8 do not
support 4-byte AS because these J-Flow templates have 2 bytes for the SRC/DST AS
field. [PR/416497]
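The 2-byte limitation is visible directly in the version 5 record layout. The following added example (not Juniper's code) packs a NetFlow v5 flow record with Python's struct module and maps a 4-byte AS number onto the 16-bit field the way a 2-byte-only exporter or collector has to, using AS_TRANS (23456, the RFC 6793 placeholder). The addresses and AS numbers are constructed, and the helper names are assumptions for illustration.

```python
"""NetFlow/J-Flow version 5 flow record and its 2-byte AS fields.

Added example, not Juniper's code. Packs the 48-byte v5 flow record to show
that src_as/dst_as are 16-bit fields, so a 4-byte AS number cannot be exported
in them and collapses to AS_TRANS (23456, RFC 6793). Sample addresses and AS
numbers are constructed.
"""
import socket
import struct

AS_TRANS = 23456  # RFC 6793 placeholder for a 4-byte AS in a 2-byte field

# NetFlow v5 flow record, network byte order, 48 bytes:
# srcaddr dstaddr nexthop input output dPkts dOctets First Last srcport dstport
# pad1 tcp_flags prot tos src_as dst_as src_mask dst_mask pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def as_for_v5(asn):
    """Map an AS number onto the 16-bit v5/v8 field; 4-byte ASNs become AS_TRANS."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"not a valid AS number: {asn}")
    return asn if asn <= 0xFFFF else AS_TRANS


def build_v5_record(src_ip, dst_ip, src_as, dst_as, proto=6, packets=1, octets=64):
    """Pack one v5 flow record; ports, masks and timestamps are zeroed for brevity."""
    return V5_RECORD.pack(
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip), socket.inet_aton("0.0.0.0"),
        0, 0,                       # input/output SNMP ifIndex
        packets, octets, 0, 0,      # dPkts, dOctets, First, Last
        0, 0,                       # srcport, dstport
        0, 0, proto, 0,             # pad1, tcp_flags, prot, tos
        as_for_v5(src_as), as_for_v5(dst_as),
        0, 0, 0)                    # src_mask, dst_mask, pad2


def decode_v5_as(record):
    """Return (src_as, dst_as) exactly as a collector reads them back."""
    fields = V5_RECORD.unpack(record)
    return fields[15], fields[16]


def v5_as_is_exact(asn):
    """True when the exported value round-trips; False when the collector only sees AS_TRANS."""
    return as_for_v5(asn) == asn


def fits_in_2_byte_field(asn):
    """The raw failure mode: struct refuses a value that does not fit the 'H' field."""
    try:
        struct.pack("!H", asn)
        return True
    except struct.error:
        return False
```

For a SOC consuming v5 or v8 flow data from a router that peers with 4-byte AS numbers, a src_as or dst_as of 23456 therefore means "a 4-byte AS whose identity was lost in export", not a real origin AS; only a template version whose AS fields are 4 bytes wide carries the true value.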
J-Web
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the LEDs on the Routing
Engine and PICs are not shown as green when they are up and online on the J-Web
Chassis View. [PR/297693]
On SRX100, SRX210, SRX240, and SRX650 devices, the LED status in the Chassis View
is not in sync with the LED status on the device. [PR/397392]
On SRX210 Low Memory devices, in the rear view of the Chassis View image, the image
of the ExpressCard remains the same whether a 3G card is present or not. [PR/407916]
On SRX Series devices, the CLI Terminal feature does not work in J-Web over IPv6.
[PR/409939]
On SRX100, SRX210, SRX240, SRX650, and all J Series devices, in J-Web, the options
Input filter and Output filter are displayed in the VLAN configuration page. These options
are not supported, and the user cannot obtain or configure any value under these filter
options. [PR/460244]
On SRX100, SRX210, SRX240, SRX650, and all J Series devices, when you have a large
number of static routes configured, and if you have navigated to pages other than to
page 1 in the Route Information table in the J-Web interface (Monitor>Routing>Route
Information), changing the Route Table to query other routes refreshes the page but
does not return you to page 1. For example, if you run the query from page 3 and the
new query returns very few results, the Route Information table continues to display
page 3 with no results. To view the results, navigate to page 1 manually. [PR/476338]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the entry registered into
RIB is not shown in J-Web. [PR/483885]
On SRX210 Low Memory, SRX210 High Memory, and SRX210 PoE devices, in the J-Web
interface, Configuration>Routing>Static Routing does not display the IPv4 static route
configured in rib inet.0. [PR/487597]
On SRX100 (Low Memory and High Memory), SRX210 (Low Memory, High Memory,
and PoE), SRX240 (Low Memory and High Memory), SRX650, J2350, J4350, and J6350
devices, CoS feature commits occur without validation messages, even if you have not
made any changes. [PR/495603]
On SRX100, SRX210, SRX220, and SRX240 devices, in J-Web, after a session expires,
a relogin page appears in the wizard window. As a workaround, close the wizard window
when the session expires and log in again. [PR/537475]
On SRX100, SRX210, SRX220, and SRX240 devices, wizards take more time to commit
the configuration setup and to load the page. [PR/548530]
On SRX100, SRX210, SRX220, and SRX240 devices, in J-Web, policies configured under
group global cannot be edited or deleted in the NAT and firewall wizards. [PR/552519]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the queue statistics are
not correct after deletion and re-creation of a logical interface (IFL) or creation of a
new IFL. IFL statistics are not cleared for 15 minutes after chassis-control is restarted.
[PR/417947]
On SRX5600 devices, when the system is in an unstable state (for example SPU
reboot), NFS might generate residual .nfs files under the /var/tmp directory, which can
occupy the disk space for a very long time. As a workaround, run the request sys storage
cleanup command to clean up when the system has low disk space. [PR/420553]
On SRX650 devices, the kernel crashes when the link goes down during TFTP
installation of the srxsme image. [PR/425419]
On SRX650 devices, continuous messages are displayed from syslogd when ports are
in switching mode. [PR/426815]
On SRX240 devices, if a timeout occurs during the TFTP installation, booting the
existing kernel using the boot command might crash the kernel. As a workaround, use
the reboot command from the loader prompt. [PR/431955]
On SRX240 devices, when you configure the system log hostname as 1 or 2, the device
goes to the shell prompt. [PR/435570]
On SRX240 devices, the Scheduler Oinker messages are seen on the console at various
instances with various Mini-PIM combinations. These messages are seen during bootup,
while restarting fwdd, while restarting chassisd, and during configuration commits.
[PR/437553]
On SRX5600 and SRX5800 devices, data path debug trace messages are dropped
at above 1000 packets per second (pps). [PR/446098]
On J2350, J4350, and J6350 devices, extended bit error rate test (BERT) takes an
additional 3 hours to complete even though a BERT period of 24 hours is set.
[PR/447636]
On J4350 devices, when you place internal calls, interface-based persistent NAT
displays only one active hairpinning session instead of two, even after the call is
established. [PR/504932]
On SRX5600 devices, only network addresses are allowed in IPv6 NAT configuration
from Junos OS Release 10.3 onward. This is enforced in commit check. [PR/545330]
Under certain stress conditions, SRX1400 devices cannot reach the maximum supported
number of NAT sessions. [PR/568660]
On SRX240 and SRX210 devices, the output of the PoE operational commands takes
roughly 20 seconds to reflect a new configuration or a change in status of the ports.
[PR/419920]
On SRX210 PoE devices managing AX411 Access Points, the device might not be able
to synchronize time with the configured NTP server. [PR/460111]
On SRX210 devices, the fourth access point connected to the services gateway fails
to boot with the default PoE configuration. As a workaround, configure all the PoE
ports to a maximum power of 12.4 watts. Use the following command to configure the
ports:
root# set poe interface all maximum-power 12.4
[PR/465307]
On SRX210, SRX220, SRX240, and SRX650 devices with factory default configurations,
the device is not able to manage the AX411 Access Point. This might be because the
DHCP default gateway is not set. [PR/468090]
On SRX210 PoE devices managing AX411 Access Points, traffic of 64 bytes at a speed
of more than 45 megabits per second (Mbps) might result in loss of keepalives and a
reboot of the AX411 Access Point. [PR/471357]
On SRX210 PoE devices, high latencies might be observed for the Internet Control
Message Protocol (ICMP) pings between two wireless clients when 32 virtual access
points (VAPs) are configured. [PR/472131]
On SRX210 PoE devices, when AX411 Access Points managed by the SRX Series devices
reboot, the configuration might not be reflected onto the AX411 Access Points. As a
result, the AX411 Access Points retain the factory default configuration. [PR/476850]
On SRX240 PoE devices, during failover, on the secondary node the ADSL Mini-PIM
restarts and takes about 3 to 4 minutes to come up. [PR/528949]
Security
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, you should not configure
rulebase-DDoS rules that have two different application-DDoS objects to run on one
destination service because the traffic destined to one application server can encounter
more than one rule. Essentially, for each protected application server, you have to
configure a single application-level DDoS rule. [PR/467326]
On J Series devices, MAC address-based authentication does not work when the router
is configured as a UAC Layer 2 Enforcer. [PR/431595]
On SRX210 High Memory devices, content filtering provides the ability to block protocol
commands. In some cases, blocking these commands interferes with protocol
continuity, causing the session to hang. For instance, blocking the FETCH command
for the IMAP protocol causes the client to hang without receiving any response.
[PR/303584]
On SRX210 High Memory devices, when the content filtering message type is set to
protocol-only, customized messages appear in the log file. [PR/403602]
On SRX210 High Memory devices, the express antivirus feature does not send a
replacement block message for HTTP upload (POST) transactions if the current
antivirus status is engine-not-ready and the fallback setting for this state is block. An
empty file is generated on the HTTP server that contains no block message.
[PR/412632]
On SRX240, SRX650, and J Series devices, Eudora 7 (through the DUT) and Outlook
Express (directly, not through the DUT) download infected mail (with an EICAR test file)
to the mail server, as a result of which mail retrieval is slow. [PR/424797]
On SRX650 devices operating under stress conditions, the UTM subsystem file partition
might fill up faster than UTM can process and clean up existing temporary files. In that
case, the user might see error messages. As a workaround, reboot the system.
[PR/435124]
On SRX240 High Memory devices, FTP download for large files (> 4 MB) does not
work in a two-device topology. [PR/435366]
On SRX210, SRX240, and SRX650 devices, the Websense server stops taking new
connections after HTTP stress. All new sessions get blocked. As a workaround, reboot
the Websense server. [PR/435425]
On SRX240 devices, if the device is under UTM stress traffic for several hours, users
might see the following error while using a UTM command:
the utmd subsystem is not responding to management requests.
On SRX100 High Memory, SRX210 High Memory, SRX240 High Memory, and SRX650
devices, more than 1500 antispam requests are not supported because of system
limitation. [PR/451329]
On SRX240 High Memory devices, during UTM web traffic stress test, some leak of AV
scanner contexts is observed in some error pages. [PR/538470]
On SRX650 devices, when express AV is enabled, traffic from the server and client is
buffered at the device. Sometimes the buffer resource runs out because traffic arrives
faster than the buffer resource is released, and the device detects an out-of-resource
state and takes fallback action. This happens only if a burst of traffic exceeding 20 MB
arrives at the device within a very short duration. [PR/556309]
Upgrade
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you are running a previous
Junos OS release and are already using more than 70 percent of the memory on your
device, we recommend that you do not upgrade to Junos OS Release 10.4. New
functionality in Junos OS Release 10.4 might use more memory, meaning that you might
run out of memory with a configuration that worked on a previous release. [PR/546069]
USB Modem
On SRX210 High Memory devices and J6350 devices, packet loss is seen during rapid
ping operations between the dialer interfaces when packet size is more than 512 Kbps.
[PR/484507]
On SRX210 High Memory devices, the modem interface can handle bidirectional traffic
of up to 19 Kbps. During oversubscription of 20 Kbps or higher traffic, the keepalive
packets are not exchanged and the interface goes down. [PR/487258]
On SRX210 High Memory devices, IPv6 is not supported on dialer interfaces with a USB
modem. [PR/489960]
On SRX210 High Memory devices, HTTP traffic is very slow through the umd0 interface.
[PR/489961]
On SRX210 High Memory devices and J6350 devices, the D10 link flaps during
long-duration traffic of 15 Kbps and also when the packet size is 256 Kbps or more.
[PR/493943]
On SRX240, SRX650, J4350, and J6350 devices, tagged frames on an access port
with the same VLAN tag are not dropped. [PR/414856]
On SRX100, SRX210, and SRX240 devices, the packets are not sent out of the physical
interface when the VLAN ID associated with the VLAN interface is changed. As a
workaround, you need to clear the ARP. [PR/438151]
On SRX100 Low Memory, SRX100 High Memory, SRX210 Low Memory, SRX210 High
Memory, SRX240 High Memory, and SRX650 devices, the Link Layer Discovery Protocol
(LLDP) organization-specific Type Length Value (TLV), medium attachment unit
(MAU) information always propagates as Unknown. [PR/480361]
On SRX100 High Memory devices and SRX210 Low Memory devices, dot1x
unauthenticated ports accept Link Layer Discovery Protocol (LLDP) Protocol Data
Units (PDUs) from neighbors. [PR/485845]
For SRX210 High Memory devices, during configuration of access and trunk ports, the
individual VLANs from the vlan-range are not listed. [PR/489872]
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
VPNs
On SRX210 and SRX240 devices, concurrent login to the device from different
management systems (for example, laptop or desktop computers) is not supported.
The first user session is disconnected when a second user session is started from a
different management system. Also, the status for the first user system is displayed
incorrectly as Connected. [PR/434447]
On SRX Series and J Series devices, site-to-site policy-based VPNs in a scenario with
three or more zones do not work if the policies match the address any instead of specific
addresses and all cross-zone traffic policies point to the single site-to-site VPN tunnel.
As a workaround, configure address books in different zones to match the source and
destination, and use the address book name in the policy to match the source and
destination. [PR/441967]
On SRX100, SRX210, SRX240, and SRX650 devices, Routing Engine level redundancy
for dynamic VPN fails because the tunnels need to renegotiate after RG0 failover.
[PR/513884]
On SRX100, SRX210, SRX240, and SRX650 devices, the dynamic VPN server always
pushes the last configured dynamic client configuration to the client. If the VPN
configuration bound to this dynamic VPN client is not bound to a policy, IKE negotiation
fails when you try to connect to the server. [PR/514033]
On SRX100, SRX210, SRX240, and SRX650 devices, the dynamic VPN client is not
downloaded if there is not enough space in the /jail/var directory in the dynamic VPN
server. [PR/515261]
On SRX3400 and SRX3600 devices, the VPN monitor status in the DEP server side
stays down for some time after RG0 and RG1 failover because there is no active state
sync up for VPN monitoring. [PR/532952]
WLAN
On SRX210, SRX240, and SRX650 devices, J-Web online Help displays the list of all
the countries and is not based on the regulatory domain within which the access point
is deployed. [PR/469941]
When two J Series devices with WXC Integrated Services Modules (WXC ISM 200s)
installed are configured as peers, traceroute fails if redirect-wx is configured on both
peers. [PR/227958]
On J6350 devices, Junos OS does not support policy-based VPN with WXC Integrated
Services Modules (WXC ISM 200s). [PR/281822]
Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and
J Series Services Routers
The following are the issues that have been resolved since Junos OS Release 10.4R1 for
Juniper Networks SRX Series Services Gateways and J Series Services Routers. The
identifier following the descriptions is the tracking number in the Juniper Networks Problem
Report (PR) tracking system.
On J4350 devices in a NAT-PT environment, when the client was in an IPv6 environment
and the DNS server was in an IPv4 environment, the DNS server had only the IPv4
address record. When the client looked up the IPv6 address of the record in the DNS
server, DUT performed NAT-PT on the DNS ALG. When the client executed the lookup
action several times, a core file error was returned. [PR/533345: This issue has been
resolved.]
Chassis Cluster
On SRX5600 and SRX5800 devices, the IOC card reset unexpectedly when the
monitored IP addresses under the chassis cluster IP-monitoring configuration were
deleted. In addition, the monitored IP was not deleted from the data plane when it was
specified without the secondary interface. [PR/557687: This issue has been resolved.]
On SRX3600 devices, RG failover to Node0 failed because the FPCs went offline during
the failover. [PR/563391: This issue has been resolved.]
On SRX3600 devices, RG0 failovers caused interface flapping when LACP was used
on reth interfaces. [PR/565617: This issue has been resolved.]
Dual-Stack Lite
On SRX5600 devices, with heavy DS Lite traffic, flowd stopped responding with flow
table corruption because of a function related to flow table operation (for example,
flow_table_find_flow_v6). [PR/548790: This issue has been resolved.]
On SRX210 High Memory devices, the error message JMDX: Thread timed out waiting
for smi write was continuously displayed. [PR/536586: This issue has been resolved.]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices under high traffic load,
some part of FTP and TFTP control sessions did not get timed out even after two hours
of stopping the traffic. [PR/548250: This issue has been resolved.]
On SRX5800 devices, TCP out-of-order packets occurred with the SRX Series device
acting as a GRE pass-through device. [PR/558923: This issue has been resolved.]
On SRX210 devices, the modem moved to the dial-out pending state while connecting
or disconnecting the call. [PR/454996: This issue has been resolved.]
On all SRX Series devices, the destination and destination-profile options for address
and unnumbered-address within family inet and inet6 were allowed to be specified
within a dynamic profile but were not supported. [PR/493279: This issue has been
resolved.]
On SRX240 and SRX650 devices, IGMP reports were flooded on all ports that were
part of the same multicast group instead of being sent on only the router interface.
[PR/546444: This issue has been resolved.]
On SRX650 devices, IGMP snooping did not work in q-in-q mode on a trunk port when
the Ethernet type was set to any value other than 0x8100. [PR/554992: This issue has
been resolved.]
On SRX100 devices, the maximum MTU that could be configured on the Fast Ethernet
interface was 1624. Also, MTU configuration from J-Web was not recommended if you
were running Junos OS Release 10.1 or 10.2. [PR/566592: This issue has been resolved.]
On SRX5800 devices, under certain circumstances, the zone screen settings were not
applied properly. [PR/569678: This issue has been resolved.]
On SRX210 High Memory and SRX240 High Memory devices, IDP scaling drop occurred.
[PR/525732: This issue has been resolved.]
On SRX240 High Memory devices, with IDP policy template, policy load failed while
changing the active policy from the recommended option to the IDP_Default policy.
This was because there was not enough memory for IDP to load the IDP_Default policy.
[PR/539486: This issue has been resolved.]
J-Web
On SRX100 devices, in J-Web, users could configure the scheduler without entering
any stop date. The device submitted the scheduler successfully, but the submitted
value was not displayed on the screen or saved in the device. [PR/439636: This issue
has been resolved.]
On J2350 and SRX210 High Memory devices, you could not use the Move/edit button
for moving the IPS rule in IDP policy page. [PR/499499: This issue has been resolved.]
On SRX Series and J Series devices, in the J-Web interface, the Move/edit button did
not work for the exempt rulebase on the IDP Policy configuration page. [PR/503451:
This issue has been resolved.]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web, when you tried
to commit a candidate configuration in the CLI using the Point and Click CLI, an error
was displayed on the configuration page. [PR/514771: This issue has been resolved.]
On SRX220 devices, you could not edit the physical properties of a LAN interface in
J-Web without entering the MAC address. [PR/519818: This issue has been resolved.]
On SRX Series and J Series devices, the user was unable to configure an IPS-Exempt rule
with attacks only; J-Web forced the user to select the address and zones. [PR/522197:
This issue has been resolved.]
On SRX100, SRX210, and SRX240 devices, in J-Web, the resource utilization did not
load any data in the dashboard page using Firefox 3.0. [PR/564165: This issue has
been resolved.]
On SRX100 High Memory devices, when you used antispam and antivirus in the same
UTM policy, spam was not tagged correctly. [PR/575296: This issue has been
resolved.]
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the IRB
(VLAN) interface could not be used as the underlying interface for Point-to-Point
Protocol over Ethernet (PPPoE). [PR/528624: This issue has been resolved.]
VPNs
On SRX5800 devices in Layer 2 transparent mode, IPsec pass-through VPNs did not
build. [PR/566160: This issue has been resolved.]
Related Documentation
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series
Services Routers on page 92
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers on page 148
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers on page 178
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers
Changes to the Junos OS Documentation Set
This section lists changes in the documentation.
Single Commit on J-Web
The following information pertains to SRX Series devices:
Previously, J-Web online Help instructions were available both in the Help and in the
administration and configuration guides. These topics have been removed from the
guides and are now available only in the online Help.
For SRX200 devices, the following support information is missing from the Junos OS
Feature Support Reference for SRX Series and J Series Devices:
[Table: SRX220 Support. The feature-row labels were lost in extraction; only the rows for
Active/active chassis cluster (that is, cross-box data forwarding over the fabric interface),
Multicast routing, and Wireless LAN, each with Yes/No entries in the SRX220 Support
column, are recoverable.]
The SRX100, SRX210, SRX220, SRX240, and SRX650 Services Gateways MIB Reference,
the SRX1400, SRX3400, and SRX3600 Services Gateways MIB Reference, and the
SRX5600 and SRX5800 Services Gateways MIB Reference incorrectly state the
downloadable version of the Real-Time Media (RTM) and SIP Common MIBs.
The correct URLs are as follows:
RTM MIB: http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/mibs/mib-jnx-rtm.txt
SIP Common MIB: junos10.4/topics/reference/mibs/mib-jnx-sipcommon.txt
In Chapter 13, Performing Software Upgrades and Reboots for the SRX Series Services
Gateways, of the Junos OS Administration Guide for Security Devices, the word "install"
was duplicated. It has been corrected.
On SRX210 and SRX240 devices with Integrated Convergence Services, the Transport
Layer Security (TLS) option for the SIP transport is not supported in Junos OS Release
10.4. However, it is documented in the Integrated Convergence Services entries of the
Junos OS CLI Reference.
The Junos OS CLI Reference incorrectly shows the show security idp status and clear
security idp status logs. The logs should be as follows:
The Junos OS CLI Reference states that the maximum timeout range for IDP policy is
0 through 65,535 seconds, whereas the ip-action timeout range has been modified to
0 through 64,800 seconds.
The Junos OS CLI Reference is missing information about the new CLI option
download-timeout, which has been introduced as set security idp security-package
automatic download-timeout <value> to configure the download timeout in minutes. The
default value for download-timeout is one minute. If the download completes before
the timeout expires, the signature is automatically updated after the download.
If the download takes longer than the configured period, the automatic signature
update is aborted.
user@host# set security idp security-package automatic download-timeout ?
Possible completions: <download-timeout>
Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout
Range: 1 60 minutes
Default: 1 minute
The Junos OS CLI Reference is missing information about the operational CLI command
show security ike active-peer, which lists connected active users with peer
address and port details.
user@host> show security ike active-peer
Remote Address   Port   Peer IKE-ID       XAUTH username   Assigned IP
172.27.6.136     8034   tleungjtac@650a   tleung           10.123.80.225
The Junos OS Interfaces Configuration Guide for Security Devices incorrectly states that
the following protocols are supported in Point-to-Point Protocol (PPP) Network Control
Protocols (NCPs). These protocols are not supported:
XNSCP151: Xerox Network Systems (XNS) Internet Datagram Protocol (IDP) Control Protocol
The ADSL2+ and ADSL2+ Annex M upstream values given in the Junos OS Interfaces
Configuration Guide for Security Devices are displayed incorrectly. The correct values
are as follows:
Upstream Values
ADSL2+: 11.5 Mbps
ADSL2+ Annex M: 2.53 Mbps
J-Web
J-Web security package update Help page: The J-Web Security Package Update
Help page does not contain information about download status.
There is no documentation describing the J-Web pages for media gateways. To find
these pages in J-Web, go to Monitor > Media Gateway.
Some of the J-Web configuration example instructions in the Junos OS administration and
configuration guides became obsolete and thus were removed. For examples that are
missing J-Web instructions, use the provided CLI instructions.
Junos OS Security Configuration Guide
The Junos OS Security Configuration Guide contains outdated information about NSM
support for IPv6. Please consult the NSM release notes for version compatibility,
required schema updates, and up-to-date support information.
The Junos OS Security Configuration Guide does not state that custom attacks and
custom attack groups in IDP policies can now be configured and installed even when
a valid license and signature database are not installed on the device.
The Verifying the Policy Compilation and Load Status section of the Junos OS Security
Configuration Guide is missing a blank line before the IDPD Trace file heading
in the second sample output.
The Junos OS Security Configuration Guide states that the following aggressive aging
statements are supported on all SRX Series devices when in fact they are not supported
on SRX3400, SRX3600, SRX5600, and SRX5800 devices:
The Junos OS Security Configuration Guide states that the maximum acceptable timeout
range for an IDP policy is 0 through 65,535 seconds, whereas the ip-action timeout
range has been modified to 0 through 64,800 seconds.
The Junos OS Security Configuration Guide is missing information about the new CLI
option download-timeout, which has been introduced as set security idp security-package
automatic download-timeout <value> to configure the download timeout in minutes.
The default value for download-timeout is one minute. If the download completes before
the timeout expires, the signature is automatically updated after the download.
If the download takes longer than the configured period, the automatic signature update
is aborted.
user@host# set security idp security-package automatic download-timeout ?
Possible completions: <download-timeout>
Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout
Range: 1 60 seconds
Default: 1 second
The Junos OS Security Configuration Guide states the following limitations in the
Limitations of IDP section:
On SRX Series and J Series devices, IP actions do not work when you select a timeout
value greater than 65,535 in the IDP policy.
This issue has been fixed and is no longer a limitation.
The Junos OS Security Configuration Guide incorrectly states the following limitations
in the Limitations of IDP section:
On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions
supported is 16,000.
The correct information is as follows:
The maximum number of IDP sessions supported is 1600 on SRX210 devices, 32,000
on SRX240 devices, and 128,000 on SRX650 devices.
When specifying a forwarding target after authentication on a captive portal, use the
?target= option followed by either the %dest-url% variable or a specific URL. The
%dest-url% variable forwards authenticated users to the protected resource they
originally specified. A URL forwards authenticated users to a specific site.
Note that when entering a URL with the ?target= option, you must substitute escape
characters for any special characters in the URL. Use the following escape characters
for these common special characters:
In the section Example: Configuring a Redirect URL for Captive Portal (CLI) in the
Junos OS Security Configuration Guide, the procedure description states that, after
authentication, users will be forwarded to the specified URL. Step 2 of the configuration
procedure, however, is incorrect. This command would forward users to
my-website.com before authentication, not after.
To redirect users after authentication, the command must include:
The ?target= option and URL to distinguish a forwarding address to be used after
authentication
Escape characters substituted for any special characters in the URL name
The Disabling Switching on SRX100, SRX210, SRX220, and SRX240 Devices Before
Enabling Chassis Clustering section of the Junos OS Security Configuration Guide
incorrectly states the command to set the root user password. The following set of
commands must be used to set the password:
1.
user@host# commit
WLAN
In the J Series Services Routers Hardware Guide, the procedure Installing a DRAM
Module omits the following condition:
All DRAM modules installed in the router must be the same size (in megabytes), type,
and manufacturer. The router might not work properly when DRAM modules of different
sizes, types, or manufacturers are installed.
SRX Series Services Gateways for the Branch Physical Interface Modules Hardware
Guide
In the SRX Series Services Gateway Interfaces Power and Heat Requirements section,
the PIM Power Consumption Values table gives the power consumption value for
the 1-port Gigabit Ethernet Small Form-Factor Pluggable (SFP) Mini-PIM as 3.18 W.
The correct power consumption value for the 1-port Gigabit Ethernet Small Form-Factor
Pluggable (SFP) Mini-PIM is 4.4 W.
The SRX1400 Services Gateway Hardware Guide includes the following caution:
CAUTION: To comply with intrabuilding lightning/surge requirements, intrabuilding
wiring must be shielded, and the shield for the wiring must be grounded at both ends.
This caution is not applicable.
The SRX1400 Services Gateway Hardware Guide includes information about the
following DC-powered SRX1400 Services Gateways:
SRX1400BASE-XGE-DC
SRX1400BASE-GE-DC
These models are not available in Junos OS Release 10.4. Contact your Juniper Networks
customer service representative for information on these models.
The Fan Tray LED table in the Replacing the Fan Tray on the SRX1400 Services Gateway
section of the SRX1400 Services Gateway Hardware Guide erroneously documents:
Amber (On Steadily): Fan tray LED cannot detect fan failure.
The correct information for this section is as follows: Amber LED (on steadily): Fan
tray LED does not indicate fan failure.
Some of the graphics in the SRX1400 Services Gateway Hardware Guide show the
grounding lug attached to the front panel of the device. However, the SRX1400 Services
Gateway is not shipped with the grounding lug attached to it.
In the SRX1400 Services Gateway Hardware Guide, the following topics erroneously
document "RE ETHERNET" port as "ETHERNET" port.
The SRX1400 Services Gateway Hardware Guide and the SRX1400 Services Gateway
Getting Started Guide are missing the following note:
NOTE: AC and DC power supply units are not interoperable between the
SRX1400 Services Gateway and the SRX3000 and SRX5000 lines.
The SRX1400 Services Gateway Getting Started Guide includes information about the
following DC-powered SRX1400 Services Gateways:
SRX1400BASE-GE-DC
SRX1400BASE-XGE-DC
These models are not available in Junos OS Release 10.4. Contact your Juniper Networks
customer service representative for information on these models.
In the SRX1400 Services Gateway Getting Started Guide, some of the graphics are shown
with the grounding lug attached on the front panel of the device. However, the SRX1400
Services Gateway is not shipped with the grounding lug attached to it.
Some of the graphics in the SRX1400 Services Gateway Getting Started Guide show
graphics with the grounding lug attached to the device front panel. The grounding lug
is not attached to the device at the time of shipment.
The SRX1400 Services Gateway Getting Started Guide should document the following
statement:
You can replace the Network and Services Processing Card (NSPC) with the SRX3000
line Services Gateway Network Processing Card (NPC) and Services Processing Card
(SPC). To install the NPC and SPC on the SRX1400 Services Gateway, you must order
the Twin CFM holder tray (SRX1K3K-2CFM-TRAY) to hold two single-wide CFMs (NPC
and SPC) separately. Contact your Juniper Networks customer service representative
for more information.
In the SRX1400 Services Gateway Getting Started Guide, the following sections
erroneously document the "RE ETHERNET" port as the "ETHERNET" port:
Step 5: Connect the External Devices and IOC Cables to the SRX1400 Services
Gateway
Step 7: Perform the Initial Software Configuration on the SRX1400 Services Gateway
Quick Start Guides
The SRX210 Services Gateway Quick Start and the SRX240 Services Gateway Quick
Start incorrectly document the specified order of the default set of codecs as 711-µ,
G711-A, G729AB in the Peer Call Server section. The correct values are G711-µ, G711-A,
G729AB.
The SRX210 Services Gateway Quick Start and the SRX240 Services Gateway Quick
Start are missing the following warning in the Powering Off the Device section:
WARNING: Use the graceful shutdown method to halt, power off, or reboot
the services gateway. Use the forced shutdown method as a last resort to
recover the services gateway if the services gateway operating system is
not responding to the graceful shutdown method.
In the SRX210 Services Gateway 3G ExpressCard Quick Start, several tasks are listed in
the wrong order. Task 6: Connect the External Antenna should appear before Task
3: Check the 3G ExpressCard Status, because the user needs to connect the antenna
before checking the status of the 3G ExpressCard. The correct order of the tasks is as
follows:
In the SRX210 Services Gateway 3G ExpressCard Quick Start, in Task 6: Connect the
External Antenna, the following sentence is incorrect and redundant:
"The antenna has a magnetic mount, so it must be placed far away from radio frequency
noise sources including network components."
In the SRX210 Services Gateway 3G ExpressCard Quick Start, in the Frequently Asked
Questions section, the answer to the following question contains an inaccurate and
redundant statement:
Q: Is an antenna required? How much does it cost?
A: The required antenna is packaged with the ExpressCard in the SRX210 Services
Gateway 3G ExpressCard kit at no additional charge. The antenna will have a magnetic
mount with ceiling and wall mount kits within the package.
In the answer, the sentence "The antenna will have a magnetic mount with ceiling and
wall mount kits within the package" is incorrect and redundant.
Related Documentation
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series
Services Routers on page 92
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers on page 148
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services
Routers on page 158
Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers
Transceiver Compatibility for SRX Series and J Series Devices on page 189
Power and Heat Dissipation Requirements for J Series PIMs on page 189
You can also use CLI commands to choose which PIMs are disabled. For details about
calculating the power and heat dissipation capacity of each PIM and troubleshooting
procedures, see the J Series Services Routers Hardware Guide.
We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR 5637.
Storage Devices
The USB slots on J Series Services Routers accept a USB storage device or USB storage
device adapter with a CompactFlash card installed, as defined in the CompactFlash
Specification published by the CompactFlash Association. When the USB device is
installed and configured, it automatically acts as a secondary boot device if the primary
CompactFlash card fails on startup. Depending on the size of the USB storage device,
you can also configure it to receive any core files generated during a router failure. The
USB device must have a storage capacity of at least 256 MB.
Table 17 on page 190 lists the USB and CompactFlash card devices supported for use with
the J Series Services Routers.
Table 17: USB and CompactFlash Card Devices Supported on J Series Services Routers

Manufacturer           Storage Capacity   Model
SanDisk                256 MB             SDCZ2-256-A10
SanDisk                512 MB             SDCZ3-512-A10
SanDisk                1024 MB            SDCZ7-1024-A10
Kingston               512 MB             DTI/512KR
Kingston               1024 MB            DTI/1GBKR
SanDisk                N/A                SDDR-91-A15 (CompactFlash adapter)
SanDisk CompactFlash   512 MB             SDCFB-512-455
SanDisk CompactFlash   1 GB               SDCFB-1000.A10
Model   Minimum CompactFlash Card Required   Minimum DRAM Required   Maximum DRAM Supported
J2320   512 MB                               512 MB                  1 GB
J2350   512 MB                               512 MB                  1 GB
J4350   512 MB                               512 MB                  2 GB
J6350   512 MB                               1 GB                    2 GB
Related Documentation
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series
Services Routers on page 92
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers on page 148
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series
Services Gateways and J Series Services Routers on page 124
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services
Routers on page 158
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers on page 192
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers on page 178
RTSP, FTP, and TFTP ALG session capacity: 25,000 sessions per flow SPU
NOTE: Flow session capacity will be reduced to half per flow SPU and the
above capacity numbers will not change on the central point SPU.
You must reboot the device (and its peer in the chassis cluster) for the configuration to
take effect.
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers
To upgrade to Junos OS Release 10.4 or later, your device must be running one
of the following Junos OS releases:
9.1S1
9.2R4
9.3R3
9.4R3
9.5R1 or later
If your device is running an earlier release, upgrade to one of these releases and then to
the 10.4 release. For example, to upgrade from Release 9.2R1, first upgrade to Release
9.2R4 and then to Release 10.4.
For additional upgrade and download information, see the Junos OS Administration Guide
for Security Devices and the Junos OS Migration Guide.
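The prerequisite rule above (run 9.1S1, 9.2R4, 9.3R3, 9.4R3, or 9.5R1 or later first, otherwise step through the qualifying release of your own train) as a fleet check, added here as an example and not taken from the release notes; the version-string format it parses and the rule that a later build of the same release type within a train also qualifies are assumptions of the example.

```python
"""Upgrade-path check for the Junos OS Release 10.4 prerequisites listed above.

Added example, not part of the release notes. It encodes the stated rule: a
device must already run 9.1S1, 9.2R4, 9.3R3, 9.4R3, or 9.5R1 or later before
it can be upgraded to 10.4; a device on an earlier 9.x release first upgrades
to the qualifying release of its own train (the notes' example: 9.2R1 -> 9.2R4
-> 10.4). The version-string format "major.minor<R|S>build" and the
within-train comparison rule are assumptions of this example.
"""
import re
from typing import Dict, List, Tuple

TARGET = "10.4"

# Minimum qualifying release for each 9.x train, as listed in the release notes.
MIN_QUALIFYING: Dict[Tuple[int, int], str] = {
    (9, 1): "9.1S1",
    (9, 2): "9.2R4",
    (9, 3): "9.3R3",
    (9, 4): "9.4R3",
}

# "9.5R1 or later": any 9.5 or newer train upgrades directly.
DIRECT_FROM: Tuple[int, int] = (9, 5)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([RS])(\d+)$")


def parse_version(version: str) -> Tuple[int, int, str, int]:
    """Split 'major.minor<R|S>build' into (major, minor, type, build)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognized Junos OS version string: {version!r}")
    major, minor, kind, build = match.groups()
    return int(major), int(minor), kind, int(build)


def qualifies_for_direct_upgrade(version: str) -> bool:
    """True if the notes allow upgrading straight from `version` to 10.4.

    Assumption: within a 9.x train a release qualifies if it is the listed
    release or a later build of the same release type (R or S).
    """
    major, minor, kind, build = parse_version(version)
    train = (major, minor)
    if train >= DIRECT_FROM:
        return True
    floor = MIN_QUALIFYING.get(train)
    if floor is None:
        return False  # 8.x or older: no path listed in these notes
    _, _, floor_kind, floor_build = parse_version(floor)
    return kind == floor_kind and build >= floor_build


def upgrade_path(version: str) -> List[str]:
    """Return the ordered releases to install to reach 10.4 from `version`.

    Raises ValueError for releases older than the 9.1 train, because the
    release notes give no intermediate step for them.
    """
    if qualifies_for_direct_upgrade(version):
        return [TARGET]
    train = parse_version(version)[:2]
    floor = MIN_QUALIFYING.get(train)
    if floor is None:
        raise ValueError(
            f"{version} is older than the 9.1 train; no upgrade path to "
            f"{TARGET} is listed for it"
        )
    return [floor, TARGET]


def plan_fleet(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host in a {hostname: version} inventory to its upgrade path.

    Hosts whose release is not covered are mapped to an empty list so the
    caller can report them separately instead of aborting the whole plan.
    """
    plan: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        try:
            plan[host] = upgrade_path(version)
        except ValueError:
            plan[host] = []
    return plan


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "srx240-branch1": "9.2R1",   # needs 9.2R4 first (the notes' example)
        "srx650-dc": "9.5R1",        # direct upgrade allowed
        "j6350-lab": "10.0R3",       # direct upgrade allowed
        "srx210-legacy": "8.5R4",    # not covered by the listed paths
    }
    for host, path in plan_fleet(sample).items():
        print(f"{host}: {' -> '.join(path) if path else 'no listed path'}")
```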
10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0
or 9.3, and then perform a second downgrade to Release 8.5.
For upgrades and downgrades to or from a non-EEOL release, the current policy is that
you can upgrade and downgrade by no more than three releases at a time. This policy
remains unchanged.
For more information on EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
New Features in Junos OS Release 10.4 for EX Series Switches on page 194
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series
Switches on page 196
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series
Switches on page 211
Hardware
New optical transceiver support: The SFP+ uplink module in EX4500 switches now
supports one new optical transceiver: EX-SFP-10GE-LRM (10GBase-LRM, 220 m).
switches.
on EX8200 switches. You can configure rewrite rules for IPv6 packets.
feature that can be used to prevent man-in-the-middle attacks when the switch is
being used as a Fibre Channel over Ethernet (FCoE) transit switch.
High Availability
EX8200 switches that have multiple Routing Engines installed. You can configure
nonstop active routing to enable the transparent switchover of the Routing Engines
without restart of supported routing protocols. In this Junos OS release, NSR supports
only the OSPFv2 protocol. Other protocols might also work but are not supported.
Infrastructure
EX8200 switches.
J-Web interface support for the 40-port SFP+ line card for EX8200 switches: J-Web
interface support has been added for the 40-port SFP+ line card for EX8200 switches.
Packet Filters
Support for VLAN and router (Layer 3) firewall filters on EX4500 switches: On EX4500
switches, VLAN and router (Layer 3) firewall filters are supported for IPv4 traffic.
Virtual Chassis
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
on page 196
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
on page 211
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
The following changes in system behavior, configuration statement usage, or operational
mode command usage have occurred since the previous release and might not yet be
documented in the Junos OS for EX Series switches documentation:
Class of Service
Beginning in Junos OS Release 10.2, you can configure multiple class-of-service (CoS)
rewrite rules for DSCP, IP precedence, and IEEE 802.1p. Rewrite rules are not assigned
to interfaces by default, and for rewrites to occur, you must assign a user-defined rewrite
rule or system-defined rewrite rule to an interface. For releases earlier than Junos OS
Release 10.2, EX8200 switches supported a single global rewrite rule assigned to all
Layer 2 interfaces and routed VLAN interfaces (RVIs).
When you upgrade from Junos OS releases earlier than Release 10.2 to Junos OS Release
10.2 or later, you must configure custom rewrite rules and assign them to an interface or
assign the system-defined rewrite rules to an interface for rewrites to occur.
Related Documentation
New Features in Junos OS Release 10.4 for EX Series Switches on page 194
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
on page 211
When you have configured more than 1024 supplicants on a single interface, 802.1X
authentication might not work as expected and the 802.1X process (dot1xd) might fail.
When an external RADIUS server goes offline and comes back online after some time
(perhaps about 30 minutes), subsequent captive portal authentication requests might
fail until the authd daemon is restarted. As a workaround, configure the revert
interval (the time after which to revert to the primary server) and restart the authd
daemon.
On EX4200 switches, if you have configured bridge protocol data unit (BPDU) protection
on all interfaces and disabled the spanning-tree protocol, BPDU protection might not
work.
When a switch is running Virtual Routing Redundancy Protocol (VRRP) and you enable
or disable a large number (on the order of 50 or more) of routed VLAN interfaces (RVIs),
the STP topology might change for a short period of time during the commit process.
Class of Service
On EX8200 switches, classification of packets using ingress firewall filter rules with
forwarding-class and loss-priority configurations does not rewrite the DSCP or 802.1p
bits. Rewriting of packets is determined by the forwarding-class and loss-priority values
set in the DSCP classifier applied on the interface.
On EX4200 switches, traffic is shaped at rates above 500 Kbps, even when the shaping
rate configured is less than 500 Kbps.
Ethernet Switching
Firewall Filters
On EX3200 and EX4200 switches, when interface ranges or VLAN ranges are used in
configuring firewall filters, egress firewall filter rules take more than five minutes to
install.
On EX3200 and EX4200 switches, IGMP packets are not matched by user-configured
firewall filters.
When you enable the filter-id attribute on the RADIUS server for a particular client, one
of the required 802.1X authentication rules is not inserted in the IPv6 database. IPv6
traffic on the authenticated interface is not filtered; only IPv4 traffic is filtered on that
interface.
On EX8200 switches and the XRE200 External Routing Engine, if you apply different
firewall filters to different VLANs, only the filter applied to the first VLAN is applied
correctly. For example, if you issue commands to apply filter f1 to VLAN1, filter f2 to
VLAN2, and filter f3 to VLAN3, filter f1 applies correctly, but filters f2 and f3 are not
applied to any VLANs. As a workaround, merge all the VLAN filters into one single filter
and apply that filter to all the VLANs. You can use the vlan match condition in the
firewall filter terms to differentiate the rules for each of the VLANs.
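The workaround above, written out as an added example in Junos CLI syntax (this is not configuration from the release notes): three per-VLAN filters f1, f2 and f3 are collapsed into one filter that is attached to all three VLANs, with the vlan match condition keeping each VLAN's rules separate. The filter name vlan-merged, the term names, and the 192.0.2.0/24 and 198.51.100.0/24 address ranges are constructed for illustration.

```junos
# Added example (not from the release notes). Filter/term names and the
# address ranges are constructed; VLAN names follow the text (VLAN1..VLAN3).

# Rules that used to live in filter f1 (VLAN1): block a constructed server range, count drops.
set firewall family ethernet-switching filter vlan-merged term vlan1-block-servers from vlan VLAN1
set firewall family ethernet-switching filter vlan-merged term vlan1-block-servers from destination-address 192.0.2.0/24
set firewall family ethernet-switching filter vlan-merged term vlan1-block-servers then discard
set firewall family ethernet-switching filter vlan-merged term vlan1-block-servers then count vlan1-server-drops

# Rules that used to live in filter f2 (VLAN2): block a constructed source prefix.
set firewall family ethernet-switching filter vlan-merged term vlan2-block-source from vlan VLAN2
set firewall family ethernet-switching filter vlan-merged term vlan2-block-source from source-address 198.51.100.0/24
set firewall family ethernet-switching filter vlan-merged term vlan2-block-source then discard
set firewall family ethernet-switching filter vlan-merged term vlan2-block-source then count vlan2-source-drops

# Rules that used to live in filter f3 (VLAN3): only account for traffic.
set firewall family ethernet-switching filter vlan-merged term vlan3-count from vlan VLAN3
set firewall family ethernet-switching filter vlan-merged term vlan3-count then count vlan3-packets
set firewall family ethernet-switching filter vlan-merged term vlan3-count then accept

# Final term: everything not matched above is accepted (same as the implicit behavior
# a per-VLAN filter would have had with a trailing accept term).
set firewall family ethernet-switching filter vlan-merged term accept-rest then accept

# Apply the single merged filter to every VLAN instead of one filter per VLAN.
set vlans VLAN1 filter input vlan-merged
set vlans VLAN2 filter input vlan-merged
set vlans VLAN3 filter input vlan-merged

# Operational-mode check after commit: the per-term counters confirm which VLAN's
# rules are actually being hit, which is the quickest way to see whether a filter
# binding took effect.
# show firewall filter vlan-merged
```

The per-term counters matter for this particular issue: because filters f2 and f3 were silently not applied, the only reliable evidence that VLAN2 and VLAN3 are now filtered is a non-zero count on their terms under realistic traffic.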
Hardware
On 40-port SFP+ line cards for EX8200 switches, the LEDs on the left of the network
ports do not blink to indicate that there is link activity if you set the speed of the network
ports to 10/100/1000 Mbps. However, if you set the speed to 10 Gbps, the LEDs blink.
If you press the reset button on the Switch Fabric and Routing Engine (SRE) module
in an EX8208 switch without taking the module offline first (by using the CLI), the
fabric planes in the module might not come back online.
On 40-port SFP+ line cards installed in EX8200 switches, it takes about 10 seconds
for the network ports to come up after you reboot the switch or restart a line card.
On the LCD Panel, in the Menu Options, under the MAINT (Maintenance Menu), the
option Request VC Port with the further option Set FPC 0?, is not supported on
standalone EX4500 switches even though these options are displayed on the LCD
Panel.
High Availability
Infrastructure
On EX Series switches, an SNMP query fails when the SNMP index size of a table is
greater than 128 bytes, because the Net SNMP tool does not support SNMP index sizes
greater than 128 bytes.
On EX Series switches, the show snmp mib walk etherMIB command does not display
any output, even though the etherMIB is supported. This occurs because the values
are not populated at the module level; they are populated at the table level only. You
can issue show snmp mib walk dot3StatsTable, show snmp mib walk dot3PauseTable,
and show snmp mib walk dot3ControlTable commands to display the output at the
table level.
When you issue the request system power-off command, the switch halts instead of
turning off power.
In the J-Web interface, the Ethernet Switching Monitor page might not display
monitoring details if the switch has more than 13,000 MAC entries.
In the J-Web interface, changing the port role from Desktop, Desktop and Phone, or
Layer 2 Uplink to another port role might not remove the configurations for enabling
dynamic ARP inspection and DHCP snooping.
On EX3200 and EX4200 switches that are configured with the factory default
configuration, if you use the command set date to change the date, the switches accept
the date but display the following error message: date: connect: Can't assign requested
address.
On EX8208 switches, when a line card that has no interface configurations and is not
connected to any device is taken offline using the command request chassis fpc-slot
slot-number offline, the Bidirectional Forwarding Detection process (bfd) starts and
stops repeatedly. The same bfd process behavior occurs on a line card that is connected
to a Layer 3 domain when another line card that is on the same switch and is connected
to a Layer 2 domain is taken offline.
If you install a large configuration (more than 5 MB), for example, if you install more
than four 40-port SFP+ line cards, in an EX8200 switch, the error message
"Configuration on the Switch is too large for JWeb to handle. Please use the CLI to
manipulate the configuration" is displayed in the Support Information page (Maintain
> Customer Support > Support Information) in the J-Web interface.
Momentary loss of an inter-Routing Engine IPC message might trigger the alarm that
displays the message Loss of communication with Backup RE. However, no
functionality is affected.
On EX4500 switches running IPv6, when you send a large number of pings to the switch
in quick succession, packet loss might occur because of low values configured for rate
limiting.
Interfaces
EX Series switches do not support queued packet counters. Therefore, the queued
packet counter in the output of the show interfaces interface-name extensive command
always displays a count of 0 and is never updated.
On EX3200 and EX4200 switches, when port mirroring is configured on any interface,
the mirrored packets leaving a tagged interface might contain an incorrect VLAN ID.
On EX8200 switches, when an egress VLAN that belongs to a routed VLAN interface
(RVI) is configured as the input for a port mirroring analyzer, the analyzer incorrectly
appends a dot1q (802.1Q) header to the mirrored packets or does not mirror any packets
at all. As a workaround, configure a port mirroring analyzer with each port of the VLAN
as egress input.
The following interface counters are not supported on routed VLAN interfaces (RVIs):
local statistics, traffic statistics, and transit statistics.
EX Series switches do not support IPv6 interface statistics. Therefore, all values in the
output of the show snmp mib walk ipv6IfStatsTable command always display a count
of 0.
On EX Series switches, when a firewall filter is applied on the loopback (lo0) interface,
the switch stops generating local ARP requests for transit traffic.
The show interfaces interface-name detail | extensive command might display double
counting of packets or bytes for the transit statistics and traffic statistics counters.
You can use the counter information displayed under the Physical interface section of
the output.
When MVRP is configured on a trunk interface, you cannot configure connectivity fault
management (CFM) on that interface.
On EX Series switches, if you clear LAG interface statistics while the LAG is down, then
bring up the LAG and pass traffic without checking for statistics, and finally bring the
LAG interface down and check interface statistics again, the statistics might be
inaccurate. As a workaround, use the show interfaces interface-name command to
check LAG interface statistics before bringing down the interface. [PR/542018]
If you insert Gigabit Ethernet transceivers in 40-port SFP+ line cards installed in EX8200
switches, the transceivers are incorrectly shown as copper transceivers in the image
of the switch in the Dashboard page in the J-Web interface.
When you are editing an interface-range configuration in private mode, if you change
the end of the range of the member-range statement, the configuration might fail. As
a workaround, edit the end of the range of the member-range statement in
configuration mode.
J-Web Interface
If you try to commit a candidate configuration in the CLI using the Point and Click CLI
in the J-Web interface, an error is displayed on the configuration page.
IGMP snooping is not supported on a VLAN that includes a routed VLAN interface (RVI)
that is configured as part of a virtual routing instance.
Virtual Chassis
On EX8200 Virtual Chassis systems, ECMP might not work for links present between
Virtual Chassis.
On an EX8200 Virtual Chassis with a single hard disk, the hard disk might not boot.
The error message is "TIMEOUT - WRITE_DMA retrying".
After you reboot or upgrade the software on members of an EX8200 Virtual Chassis,
the FPCs might not come up for more than eight minutes when the Virtual Chassis has
a square topology. (This is a topology in which the Routing Engines of member 0
connect to those of member 8, the Routing Engines of member 1 connect to those of
member 9, member 8 connects to member 9, and a VCP LAG forms between members
0 and 1.)
Related Documentation
New Features in Junos OS Release 10.4 for EX Series Switches on page 194
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
on page 196
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
on page 211
NOTE: Other software issues that are common to both EX Series switches
and M, MX, and T Series routers are listed in Issues in Junos OS Release 10.4
for M Series, MX Series, and T Series Routers on page 55.
When you configure 802.1X bypass, the client becomes unreachable each time the
MAC age time interval increments. [PR/536316]
When the primary redundant trunk group (RTG) interface is disabled, causing an RTG
switchover, MAC entries on the upstream switches are refreshed. However, when the
primary RTG link is enabled, the MAC entries are not refreshed on the upstream switches.
[PR/555158]
If you enable all VRRP sessions simultaneously on a switch with a large number (on
the order of 200 or more) of VRRP configurations, RSTP convergence might not occur.
As a workaround, do not enable all VRRP sessions simultaneously if the switch's VRRP
configuration is large. [PR/556114]
Ethernet Switching
When the pfem restarts, EX Series switches cannot receive any Q-in-Q frames and
drop them all. [PR/527117]
On EX4500 switches, if you activate and then deactivate a firewall filter configuration,
VSTP convergence might not occur properly. As a workaround, restart the Ethernet
switching process (eswd). [PR/548446]
Firewall Filters
On EX4200 switches, if you configure a firewall filter with the match condition
tcp-established, the error message "not supported" is displayed. [PR/543316]
Hardware
On EX4200 switches, the uplink port status LED on the 4-port Gigabit Ethernet SFP
does not properly indicate the status of the uplink port. [PR/528070]
Infrastructure
On EX8200 switches, when you perform a graceful Routing Engine switchover (GRES)
or when you restart Ethernet switching on any spanning-tree protocol domain, a loop
might occur. [PR/516611]
On EX8200 switches, the LACP process (lacpd) might start and stop repeatedly when
traffic to the Routing Engine is heavy. [PR/542897]
On EX4200 switches, the SFP+ uplink module might not work correctly even though
the link status is UP. [PR/569307]
On EX4500 switches, if more than 14 ports in the switch are subscribed to a 10-gigabit
full-duplex rate of traffic, the switch might not be able to achieve a 10-gigabit wire rate
for 64 and 128 byte packets. There is no impact on performance if the number of ports
actively involved in 10-gigabit wire-rate traffic is 14 or fewer or if the packet size is
greater than 150 bytes. [PR/573319]
If you set a custom chassis display message with the set chassis display message
message command, the message might remain on the LCD panel indefinitely even
though you did not include the permanent option in your command. [PR/579234]
On EX8200 switches, when you are upgrading the line cards, the nonstop software
upgrade (NSSU) process might abort. The system generates a core file when this
happens. [PR/580494]
J-Web Interface
In the J-Web interface, you cannot commit some configuration changes in the Port
Configuration page and the VLAN Configuration page because of the following
limitations for port mirroring ports and port mirroring VLANs:
A port configured as the output port for an analyzer cannot be a member of any
VLAN other than the default VLAN.
A VLAN configured to receive analyzer output can be associated with only one port.
[PR/400814]
When you use the Microsoft Internet Explorer browser to open a report from the
following pages in the J-Web interface, the report opens in the same browser session:
Support Information page (Maintain > Customer Support > Support Information)
View Events page (Monitor > Events and Alarms > View Events)
In the J-Web interface, in the Port Security Configuration page, you are required to
configure action when you configure MAC limit even though configuring an action value
is not mandatory in the CLI. [PR/434836]
In the J-Web interface, in the OSPF Global Settings table in the OSPF Configuration
page, the Global Information table in the BGP Configuration page, or the Add Interface
window in the LACP Configuration page, if you try to change the position of columns
using the drag-and-drop method, only the column header moves to the new position
instead of the entire column. [PR/465030]
If a large number of static routes are configured and if you have navigated to pages
other than page 1 in the Route Information table in the J-Web interface (Monitor >
Routing > Route Information), changing the Route Table to query other routes refreshes
the page but does not return to page 1. For example, if you run a query from page 3 and
the new query returns very few results, the Results table continues to display page 3
and shows no results. To view the results, navigate to page 1 manually. [PR/476338]
In the J-Web interface, the dashboard does not display the uplink ports or uplink module
ports unless transceivers are plugged into the ports. [PR/477549]
The J-Web interface Static Routing page might not display details on entries registered
in the routing table. [PR/483885]
In the J-Web interface, the Software Upload and Install Package option might not display
a warning message when there are pending changes to be committed. [PR/514853]
On EX4500 switches, the J-Web interface might display the following as valid options
although these options are not supported on EX4500 switches:
DHCP snooping in the Edit Port Role window in the Ports Configuration page
[PR/525671]
When you use an HTTPS connection in the Microsoft Internet Explorer browser to save
a report from the following pages in the J-Web interface, the error message Internet
Explorer was not able to open the Internet site is displayed:
Support Information page (Maintain > Customer Support > Support Information)
View Events page (Monitor > Events and Alarms > View Events)
[PR/542887]
If you configure 802.1X on an EX Series switch, the J-Web interface performance slows
down. [PR/543298]
On EX4500 switches and on EX4200-24F switches, the total number of ports displayed
in the dashboard (Dashboard > Capacity Utilization > Total number of ports) in the
J-Web interface increases every 2 seconds, each time an automatic refresh occurs.
[PR/543913]
When you open a J-Web session using HTTPS, then enter a username and password
and click on the Login button, the J-Web interface takes 20 seconds longer to launch
and load the Dashboard page than it does if you use HTTP. [PR/549934]
If you navigate to a new page before all the components of a page in the J-Web interface
are loaded, a pop-up window with the error message Object Expected is displayed.
[PR/567756]
In the J-Web interface, aggregated Ethernet interfaces are not populated in the Port
Association table. [PR/579555]
On EX8200 switches, if you take a line card offline when GRES and IGMP snooping are
enabled, existing multicast traffic might be affected because indexes are not updated
correctly. [PR/569637]
On an EX4200 Virtual Chassis, when you configure the RPM hardware timestamp with
the hardware-timestamp configuration statement, the show services rpm probe-results
command displays the hardware timestamp status as "No hardware timestamps". As
a workaround, do not configure a source address for RPM probes. Packets are sent
and received on the same interface. This problem does not occur if both egress and
ingress interfaces are on the same Virtual Chassis member. [PR/578734]
On EX8200 switches, when an egress VLAN that belongs to a routed VLAN interface
(RVI) is configured as the input for a port mirroring analyzer, the analyzer appends an
incorrect dot1q (802.1Q) header to the mirrored packets on the routed traffic or does
not mirror any packets on the routed traffic. As a workaround, configure a port mirroring
analyzer with each port of the VLAN as egress input. [PR/445393]
Virtual Chassis
Related Documentation
New Features in Junos OS Release 10.4 for EX Series Switches on page 194
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
on page 196
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
on page 211
NOTE: Other software issues that are common to both EX Series switches
and M, MX, and T Series routers are listed in Issues in Junos OS Release 10.4
for M Series, MX Series, and T Series Routers on page 55.
Ethernet Switching
A LAG between an EX4200 Virtual Chassis and Cisco 6500 switch might not recover
when the EX Virtual Chassis master switch is power-cycled. [PR/505069: This issue
has been resolved.]
Hardware
EX8200 switches might not detect the front-panel LCD display. [PR/553144: This
issue has been resolved.]
After you have disabled an interface on an EX2200 switch, the LED is still lit on that
interface. [PR/553219: This issue has been resolved.]
Infrastructure
On EX Series switches, MAC addresses not present in the forwarding database (FDB)
because of hash collision are not removed from the Ethernet switching process (eswd).
These MAC addresses do not age out of the Ethernet switching table even if traffic is
stopped completely and are never relearned when traffic is sent to these MAC
addresses, even when there is no hash collision. As a workaround, clear those MAC
addresses from the Ethernet switching table. [PR/451431: This issue has been resolved.]
When multicast packets are transmitted from interfaces on which PIM is not enabled,
VRRP might flap. [PR/520194: This issue has been resolved.]
On EX8200 switches, packets with unregistered Layer 2 multicast MAC addresses are
not dropped on interfaces in the STP blocked state, resulting in some traffic loops that
might impact network performance. [PR/541123: This issue has been resolved.]
On EX2200, EX3200, EX4200, and EX4500 switches, if you configure a large number
of VLANS and aggregated Ethernet interfaces and commit the configuration, the
forwarding process (pfem) utilization stays at 80 percent for more than 60 minutes.
As a result, the aggregated Ethernet interfaces cannot be used until the pfem usage
reduces to normal limits. [PR/544433: This issue has been resolved.]
When the configured DNS server is not reachable, name resolution for localhost takes
a long time and the output of the show ntp association command takes a long time to
appear. [PR/551739: This issue has been resolved.]
If a Routing Engine fails over to the backup Routing Engine, not all multicast groups
that were active on the switch recover. [PR/563030: This issue has been resolved.]
During the TFTP transfer portion of an automatic software download procedure, the
software package might be truncated or corrupted. [PR/570901: This issue has been
resolved.]
The Ethernet switching process (eswd) might crash and then recover when the following
change is made in the CLI (either in a single commit or in separate commits):
First, you remove an interface from an interface range on which VoIP is configured.
Then, you either delete the removed interface or change its address family to a family
other than ethernet-switching.
On an EX4200 Virtual Chassis, a pfem core file might be created if all the 802.1x (dot1x)
interfaces are in the held state or the connecting state. [PR/571865: This issue has
been resolved.]
On an EX4200 Virtual Chassis, a large number of awk processes and defunct processes
might be running. [PR/576621: This issue has been resolved.]
Interfaces
On a 40-port SFP+ line card in an EX8200 switch, if you assign different shaping rates
to different ports in a port group, you do not receive an error message when you commit
the configuration, and no error is logged in the system log. As a workaround, configure
the same shaping rate on all ports in a port group. [PR/524073: This issue has been
resolved.]
On EX Series switches, the configured interface hold time does not work. [PR/537477:
This issue has been resolved.]
On EX4500 switches, when you are configuring Gigabit Ethernet interfaces from the
command-line interface (CLI), automatic command completion does not work.
[PR/561565: This issue has been resolved.]
On EX4500 switches, when you are configuring Gigabit Ethernet interfaces from the
command-line interface (CLI), automatic command completion does not work.
[PR/561695]
J-Web Interface
If you have a candidate configuration in the CLI and you try to commit configuration
changes using the Point and Click CLI in the J-Web interface, the configuration page
displays an error. [PR/514771: This issue has been resolved.]
In the J-Web interface, when you select the Ethernet Switching Monitor page (Monitor
> Switching > Ethernet Switching), the MAC learning log might not display information.
[PR/535200: This issue has been resolved.]
In the LACP (Link Aggregation Control Protocol) Configuration page in the J-Web
interface (Configure > Interfaces > Link Aggregation), the Delete button is disabled
even when you select an aggregated Ethernet interface configured with a physical
interface, VLAN, and IP option. As a workaround, delete the physical interface, VLAN,
and IP option from the aggregated Ethernet interface using the CLI. [PR/546411: This
issue has been resolved.]
In the J-Web interface, when you use an HTTPS connection in the Microsoft Internet
Explorer browser, you cannot upload (Maintain > Config Management > Upload) or
download (Maintain > Config Management > History > Configuration History) a
configuration file. As a workaround, use an HTTP connection. [PR/551200: This issue
has been resolved.]
When you navigate to the Port Monitoring page (Monitor > Interfaces) in the J-Web
interface, a pop-up window with the error message 'gridData.0' is null or not an object
is displayed.
When you select the displayed interface and click the Show Graph button, a pop-up
window with the error message 'selected FpcName' is undefined is displayed.
The dashboard in the J-Web interface might not refresh automatically if you navigate
back and forth between the Dashboard page and other pages. [PR/566359: This issue
has been resolved.]
If there are many joins associated with a neighbor and that neighbor goes down and
comes back up quickly, then those joins might be stranded in an unresolved state until
the clear pim join command is issued. [PR/539962: This issue has been resolved.]
PIM join messages sent from an EX8208 switch to a Cisco RP using Auto-RP show the
upstream neighbor as being the EX8208 switch itself and not the Cisco RP. [PR/557130:
This issue has been resolved.]
On EX4200 switches, the LACP process (lacpd) creates core files when an SNMP MIB
lookup is performed. [PR/533226: This issue has been resolved.]
Virtual Chassis
On an EX4200 Virtual Chassis, after you run the request system reboot member
master-member-id member-id command, the master Virtual Chassis member fails to
reboot. That is, you cannot reboot only the master switch on the Virtual Chassis.
[PR/572936: This issue has been resolved.]
Related Documentation
New Features in Junos OS Release 10.4 for EX Series Switches on page 194
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
on page 196
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
on page 211
J-Web Interface
To access the J-Web interface, your management device requires the following
software:
Virtual Chassis
The EX Series Switch Software Features Overview topic in the EX Series Junos OS
Release 10.4R1 documentation incorrectly states that, on EX8200 Virtual Chassis, the
IP source guard feature is supported in Junos OS Release 10.3R1 and that the multicast
storm control feature is supported in Junos OS Release 10.3R2. These features are not
supported on EX8200 Virtual Chassis.
Related Documentation
New Features in Junos OS Release 10.4 for EX Series Switches on page 194
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
on page 196
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
on page 211
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
The following pages list the issues in Junos OS Release 10.4R2 for EX Series switches
regarding software upgrade or downgrade:
Upgrading Software
You can use this procedure to upgrade Junos OS on an EX Series switch with a single
Routing Engine, including an individual member of an EX4200 Virtual Chassis or all
members of an EX4200 Virtual Chassis or an EX8200 switch using a single Routing
Engine. To upgrade software on an EX8200 switch running two Routing Engines, see
Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure)
3. (Optional) Copy the software package to the switch. We recommend that you use
ftp://hostname/pathname/package.tgz
http://hostname/pathname/package.tgz
Other members of the Virtual Chassis are not affected. To install the software on all
members of the Virtual Chassis, do not include the member option.
NOTE: To abort the installation, do not reboot your device; instead, finish
the installation and then issue the request system software delete
package.tgz command, where package.tgz is, for example,
jinstall-ex-8200-10.2R1.8-domestic-signed.tgz. This is your last chance to
stop the installation.
is properly installed:
user@switch> show version
10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0
or 9.3, and then perform a second downgrade to Release 8.5.
For upgrades and downgrades to or from a non-EEOL release, the current policy is that
you can upgrade and downgrade by no more than three releases at a time. This policy
remains unchanged.
For more information on EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches
If you are upgrading from Junos OS Release 9.3R1 and have voice over IP (VoIP) enabled
on a private VLAN (PVLAN), you must remove this configuration before upgrading, to
prevent upgrade problems. VoIP on PVLAN interfaces is not supported in releases later
than Junos OS Release 9.3R1.
Related Documentation
New Features in Junos OS Release 10.4 for EX Series Switches on page 194
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
on page 196
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210
If the information in the latest release notes differs from the information in the
documentation, follow the Junos OS Release Notes.
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/ .
Juniper Networks supports a technical book program to publish books by Juniper Networks
engineers and subject matter experts with book publishers around the world. These
books go beyond the technical documentation to explore the nuances of network
architecture, deployment, and administration using the Junos operating system (Junos
OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library,
published in conjunction with O'Reilly Media, explores improving network security,
reliability, and availability using Junos OS configuration techniques. All the books are for
sale at technical bookstores and book outlets around the world. The current list can be
viewed at http://www.juniper.net/books .
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
Document name
Page number
JTAC Hours of Operation: The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
To provide a core file to Juniper Networks for analysis, compress the file with the gzip
utility, rename the file to include your company name, and copy it to
ftp.juniper.net:pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to
support@juniper.net. For documentation issues, fill out the bug report form located at
https://www.juniper.net/cgi-bin/docbugreport/.
Revision History
11 February 2011: Revision 6, JUNOS Release 10.4R2
04 February 2011: Revision 5, JUNOS Release 10.4R1
25 January 2011: Revision 4, JUNOS Release 10.4R1
14 January 2011: Revision 3, JUNOS Release 10.4R1
21 December 2010: Revision 2, JUNOS Release 10.4R1