Junos Os 104 Release Notes Rev 6

Junos OS 10.
4 Release Notes
Release 10.4R2
11 February 2011
Revision 6
These release notes accompany Release 10.4R2 of the Junos operating system (Junos
OS). They describe device documentation and known problems with the software. Junos
OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX
Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.
You can also find these release notes on the Juniper Networks Junos OS Documentation
Web page, which is located at http://www.juniper.net/techpubs/software/junos.
Contents
Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers,
MX Series Ethernet Service Routers, and T Series Core Routers . . . . . . . . . . . . 6
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Layer 2 Ethernet Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
MPLS Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
MX Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Subscriber Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M
Series, MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Forwarding and Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
MPLS Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Copyright 2011, Juniper Networks, Inc.
Downloaded from www.Manualslib.com manuals search engine
JUNOS OS 10.4 Release Notes
Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Subscriber Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Current Software Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Previous Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Errata and Changes in Documentation for Junos OS Release 10.4 for M
Series, MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Changes to the Junos OS Documentation Set . . . . . . . . . . . . . . . . . . . . . 77
Errata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series,
MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Basic Procedure for Upgrading to Release 10.4 . . . . . . . . . . . . . . . . . . . . 83
Upgrading a Router with Redundant Routing Engines . . . . . . . . . . . . . . 86
Upgrading Juniper Network Routers Running Draft-Rosen Multicast
VPN to Junos OS Release 10.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Upgrading the Software for a Routing Matrix . . . . . . . . . . . . . . . . . . . . . . 88
Upgrading Using ISSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled
for Both PIM and NSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Upgrade Policy for Junos OS Extended End-Of-Life Releases . . . . . . . . 90
Downgrade from Release 10.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Junos OS Release Notes for Juniper Networks SRX Series Services Gateways
and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
New Features in Junos OS Release 10.4 for SRX Series Services Gateways
and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Hardware FeaturesSRX210, SRX220, and SRX240 Services
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Hardware FeaturesSRX220 Services Gateway with Power Over
Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Hardware FeaturesSRX1400 Services Gateway . . . . . . . . . . . . . . . . . . 119
Hardware FeaturesSRX3400 and SRX3600 Services Gateways . . . . 122
Advertising Bandwidth for Neighbors on a Broadcast Link Support . . . . . . . 123
Group VPN Interoperability with Ciscos GET VPN . . . . . . . . . . . . . . . . . . . . . 123
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX
Series Services Gateways and J Series Services Routers . . . . . . . . . . . . 124
Application Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Application Layer Gateways (ALGs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
AppSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Command-Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Integrated Convergence Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Interfaces and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . 133
J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Management and Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Multilink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Power over Ethernet (PoE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Virtual LANs (VLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Wireless LAN (WLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Unsupported CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Accounting-Options Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
AX411 Access Point Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Chassis Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Class-of-Service Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Ethernet-Switching Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Firewall Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Interfaces CLI Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Protocols Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Routing Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Services Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
SNMP Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
System Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
IPv6 and MVPN CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Known Limitations in Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . 148
AppSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Command-Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
DOCSIS Mini-PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . . . . . . . . . . . 150
Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Interfaces and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . 154
IPv6 support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
NetScreen-Remote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Point-to-Point Protocol over Ethernet (PPPoE) . . . . . . . . . . . . . . . . . . . 156
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Unified Threat Management (UTM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Wireless LAN (WLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Outstanding Issues In Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . 158
Resolved Issues in Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . 175
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX
Changes to the Junos OS Documentation Set . . . . . . . . . . . . . . . . . . . . 178
Errata for the Junos OS Documentation . . . . . . . . . . . . . . . . . . . . . . . . . 179
Errata for the Junos OS Hardware Documentation . . . . . . . . . . . . . . . . 186
Hardware Requirements for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . 189
Transceiver Compatibility for SRX Series and J Series Devices . . . . . . . 189
Power and Heat Dissipation Requirements for J Series PIMs . . . . . . . . . 189
Supported Third-Party Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
J Series CompactFlash and Memory Requirements . . . . . . . . . . . . . . . . 190
Maximizing ALG Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Integrated Convergence Services Not Supported . . . . . . . . . . . . . . . . . . . . . 192
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX
Junos OS Release Notes for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . 194
New Features in Junos OS Release 10.4 for EX Series Switches . . . . . . . . . . 194
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Bridging, VLANs, and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Fibre Channel over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Management and RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Packet Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX
Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Limitations in Junos OS Release 10.4 for EX Series Switches . . . . . . . . . . . . 197
Access Control and Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Layer 2 and Layer 3 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Spanning Tree Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches . . . . . 202
Access Control and Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Management and RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Resolved Issues in Junos OS Release 10.4 for EX Series Switches . . . . . . . . 206
Access Control and Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Management and RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Errata in Documentation for Junos OS Release 10.4 for EX Series
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX
Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Upgrading Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Junos OS Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX
Series Ethernet Service Routers, and T Series Core Routers
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series
Routers on page 6
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX
Series, and T Series Routers on page 42
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series,
and T Series Routers on page 83
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
The following features have been added to Junos OS Release 10.4. Following the
description is the title of the manual or manuals to consult for further information.
Class of Service
Hierarchical policer functionality extended to Modular Interface Cards (MICs) (MX

Series routers)Provides hierarchical policer feature parity with Enhanced Intelligent
Queuing (IQE) PICs. This is useful in provider edge applications using aggregate policing
for general traffic and when applying a separate policer for premium traffic on a logical
or physical interface.
Hierarchical policing on MICs supports the following features:
Ingress traffic is first classified into premium and non-premium traffic before a policer
is applied.
The hierarchical policer contains two policers: premium and aggregate.
Premium traffic is policed by both the premium policer and the aggregate policer. While
the premium policer rate-limits premium traffic, the aggregate policer only decrements
the credits but does not drop packets. Non-premium traffic is rate-limited by the
aggregate policer only, resulting in the following behavior:
Premium traffic is assured to have the bandwidth configured for the premium policer.
Non-premium traffic is policed to the specified rate limit.
For a list of supported MICs, refer to:

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/
general/mic-mx-series-supported.html.
The logical-interface-policer and physical-interface-policer statements provide additional

hierarchical policer parameters beyond those of the IQE PICs.
You can apply the policer at the inet, inet6, or mpls family level, as follows:
[edit interfaces ge-0/1/0 unit 0 family (inet | inet6 | mpls)]
input-hierarchical-policer Test-HP;
By making a hierarchical policer a logical-interface-policer, you can achieve aggregation

within a logical interface. A hierarchical policer configured as a physical-interface-policer
supports aggregation within a physical interface. Please note that you still apply the
hierarchical policer at the interface and traffic of the families that do not have the
hierarchical policer will be policer. This is different from IQE PICs, where you apply a
hierarchical policer at the logical or physical interface.
For hierarchical policing of all traffic through a logical interface, a hierarchical policer
can be made a logical-interface-policer and applied to all families in the logical interface.
Similarly, you can achieve aggregation at the physical interface level.
[Network Interfaces, Class of Service, Policy]
DSCP classification for VPLS at the ingress PE (M320 with Enhanced Type III FPC
and M120)Enables you to configure DSCP classification for VPLS at an ingress PE
for encapsulation types vlan-vpls (IQ2 or IQ2E PICs) or ATM II IQ PIC. To configure,
define the DSCP classifier at the [edit class-of-service classifiers dscp dscp-name]
hierarchy level and apply the DSCP classifier at the [edit interfaces at-fpc-pic-port
unit-logical-unit-number classifiers] hierarchy level. The ATM interface must be included
in the routing instance.
[Class of Service]
Traffic Control Profile (TCP) support at the FRF.16 physical interface levelFRF.16
bundle interfaces support multiple data-link connection identifiers (DLCIs). The
bandwidth of each of these DLCIs was previously limited to one of the following:
An aggregate value based on the number of DLCIs under the FRF.16 interface
A specific percentage through a traffic control profile (TCP) configuration applied

at the logical interface level
When there is a small proportion of traffic or no traffic on an individual DLCI, the

respective member link interface bandwidth is underutilized. Support for TCP features
on the FRF.16 bundle (physical) interface level in Junos OS Release 10.4R2 addresses
this limitation. The supported features include:
Peak Information Rate (PIR)
scheduler-map
delay-buffer
To enable traffic control profiles to be applied at FRF.16 bundle (physical) interface

level, disable the per-unit scheduler, which is enabled by default, by including the
no-per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level.
To specify traffic control profile features applicable to FRF.16 bundle physical interfaces,
include the shaping-rate, delay-buffer-rate, and scheduler-map statements at the [edit
class-of-service traffic-control-profiles profile-name] hierarchy level. The shaping-rate
and delay-buffer-rate must be specified as a percentage.
To apply the TCP configuration to an FRF.16 bundle (physical) interface, include the
output-traffic-control-profile statement at the [edit class-of-service interfaces
interface-name] hierarchy level.
To view the TCP configuration for an FRF.16 bundle, enter the show class-of-service
traffic-control-profile command.
user@host> show class-of-service traffic-control-profile
Traffic control profile: lsq-2/1/0:0, Index: 35757
Shaping rate: 30 percent
Scheduler map: sched_0
Delay Buffer rate: 30 percent
The following is a complete configuration example:

interfaces {
lsq-0/2/0:0 {
no-per-unit-scheduler;
encapsulation multilink-frame-relay-uni-nni;
unit 0 {
dlci 100;
family inet {
address 18.18.18.2/24;
}
}
}
class-of-service {
traffic-control-profiles {
rlsq_tc {
scheduler-map rlsq;
shaping-rate percent 60;
delay-buffer-rate percent 10;
}
}
interfaces {
lsq-0/2/0:0 {
output-traffic-control-profile rlsq_tc;
}
}
}
scheduler-maps {
rlsq {
forwarding-class best-effort scheduler rlsq_scheduler;
forwarding-class expedited-forwarding scheduler rlsq_scheduler1;
}
}
schedulers {
rlsq_scheduler {
transmit-rate percent 20;
priority low;
}
rlsq_scheduler1 {
transmit-rate percent 40;
priority high;
}
}
[Class of Service]
Interfaces and Chassis
Extend support for 64-bit Junos OS to include RE-1800 Series Routing Engines
(M120, M320, MX960, MX480, and MX240 routers)Supported Routing Engines
include:
RE-1800x2-ASupports 64-bit Junos OS on M120 and M320 routers.
RE-1800x2-SSupports 64-bit Junos OS on MX240, MX480, and MX960 routers.
RE-1800x4-SSupports 64-bit Junos OS on MX240, MX480, and MX960 routers.
[System Basics]
Ethernet encapsulation for ATM scheduler (M7i, M10i, M120, and M320 [with
Enhanced III FPC] routers)Enables support for the configuration of an ATM scheduler
map on an Ethernet VPLS over a bridged ATM interface.
[Network Interfaces]
Synchronous Ethernet (SyncE) on MX80 routers and MX Series routers with

MPCsSupports the Ethernet synchronization messaging channel (ESMC), G.8264-like
clock selection mechanism, and external clocking on MX80 routers and MX Series
routers with MPCs. Wireless backhaul and wireline transport services are the primary
applications for these features.
The following features are supported:
On MX80 routers and MX Series routers, MPCs based on G.8261 and G.8262. This
feature does not work on the fixed configuration version of the MX80 routers.
All Ethernet type ports are supported on MX80 routers and MX Series routers with
MPCs
ESMC support as per G.8264
CLI command selection of clock sources
Monitoring clock sources (maximum of two clock sources can be monitored

simultaneously)
Revertive and nonrevertive modes
To configure SyncE, include the synchronization statement and its substatements at

the [edit chassis] hierarchy level.
[Network Interfaces, Interfaces Command Reference]
Enhanced container interface allows ATM children for containersM Series and T
Series routers with ATM2 PICs automatically copy the parent container interface
configuration to the children interfaces. Container interfaces do not go down during
APS switchovers, thereby shielding upper layers. This feature allows the various ATM
features to work over the container ATM for APS.
To specify ATM children within a container interface, use the container-list cin statement
and (primary | standby) option at the [edit interface at-fpc/pic/slot container] hierarchy
level.
To configure a container interface, including its children, use the cin statement and its
options at the [edit interface ci-n] hierarchy level.
Container ATM APS does not support inter-chassis APS. MLPPP over ATM CI is also
not supported.
Signaling neighboring routers of fabric down on T1600 and T640 routersThe

signaling of neighboring routers is supported when a T640 or T1600 router is unable
to carry traffic due to all fabric planes being taken offline for one of the following
reasons:
CLI or offline button pressed
Automatically taken offline by the SPMB due to high temperature.
PIO errors and voltage errors detected by the SPMB CPU to the SIBs.
The following scenarios are not supported by this feature:
All PFEs get destination errors on all planes to all destinations, even with the SIBs
staying online.
Complete fabric loss caused by destination timeouts, with the SIBs still online.
When chassisd detects that all fabric planes are down, the router reboots all FPCs in
the system. When the FPCs come back up, the interfaces will not be created again,
since all fabric planes are down.
Once you diagnose and fix the cause of all fabric planes going down, you must then
bring the SIBs back online. Bringing the SIBs back online brings up the interfaces.
Fabric down signaling to neighboring routers offers the following benefits:
FPCs reboot when the control plane connection to the Routing Engine times out.
Extends a simple approach to reboot FPCs when the dataplane blacks out.
When the router transitions from a state where SIBs are online or spare to a state where
there are no SIBs are online, then all the FPCs in the system are rebooted. An ERRMSG
indicates if all fabric planes are down, and the FPCs will reboot if any fabric planes do
not come up in 2 minutes.
An ERRMSG indicates the reason for FPC reboot on fabric connectivity loss.
The chassisd daemon traces when an FPC comes online, but a PIC attach is not done
because no fabric plane is present.
A CLI warning that the FPCs will reboot is issued when the last fabric plane is taken
offline.
10
You will need to bring the SIBs online after determining why the SIBs were not online.
When the first SIB goes online, and link training with the FPCs completes, the interfaces
will be created.
Fabric down signaling to neighboring routers functionality is available by default, and
no user configuration is required to enable it.
No new CLI commands or alarms are introduced for this feature. Alarms are already
implemented for when the SIBs are not online.
[Network Interfaces, System Basics]
New enterprise-specific MIB to support digital optical monitoring (MX960, MX480,

MX240, and 10-Gigabit Ethernet LAN/WAN PIC with XFP on T640 and T1600
routers)Junos OS Release 10.4 introduces JUNIPER-DOM-MIB, a new
enterprise-specific MIB to extend MIB support for digital optical monitoring.
JUNIPER-DOM-MIB supports the SNMP Get request for statistics and SNMP Trap
notifications for alarms.
JUNIPER-DOM-MIB is part of the JUNIPER-SMI MIB hierarchy level.
The following MIB objects are supported by JUNIPER-DOM-MIB for digital optical
monitoring:
jnxDomCurrentTable
jnxDomAlarmSet
jnxDomAlarmCleared
[SNMP MIBs and Traps Reference]
Logging improvementsYou can now control logging speed at the interface level. To
rate-limit the syslogs generated from a service PIC, include the message-rate-limit
statement at the [edit interfaces interface-name services-options syslog] hierarchy
level. This option configures the maximum number of syslog messages per second
that can formatted and sent from the PIC to either the Routing Engine (local) or to an
external server (remote). The default rates are 10,00 for the Routing Engine and 200,00
for an external server.
Support for SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320,
MX240, MX480, MX960, T640 and T1600 routers) Supports a 4-port SONET/SDH
OC48 Enhanced IQ (IQE) PIC (Type 3) with per data-link connection identifier (DLCI)
queuing. Supported FPCs include T640-FPC3-ES, M320-FPC3-E3, and MX-FPC3.
Class of service (CoS) enables enhanced egress queuing, buffering, and traffic shaping.
CoS supports eight queues per logical interface, a per-unit scheduler, and two shaping
rates: a Committed Information Rate (CIR) and Peak Information Rate (PIR) per
data-link connection identifier (DLCI). Other CoS features include, but are not restricted
to, sharing of excess bandwidth among logical interfaces, five levels of priorities
(including Strict High), ingress behavior aggregate (BA) classification, queue rate-limit
policer, ingress rewrite, egress rewrite, and a forwarding class to queue remapping per
DLCI.
11
The SONET/SDH OC48/STM 16 PIC supports CoS features similar to those in IQ2E
PICs, in terms of behavior and configuration statements. This PIC supports the following
Layer 2 protocols: PPP, Frame Relay, and Cisco HDLC encapsulations.
For more information, see the PC-4OC48-STM16-IQE-SFP documentation for your
router:
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T1600 Router)
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T640 Router)
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (MX Series Routers)
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320 Router)
[PIC Guide, Network Interfaces, Class of Service]
IPv6 statistics from IQ2 and IQ2E PICs on M320 routers with Enhanced III FPCs and
T Series routersSupport statistical accounting for IPv6 traffic traversing the IQ2 and
IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers.
For IQ2 and IQ2E PIC interfaces, the IPv6 traffic that is reported will be the total statistics
(sum of local and transit IPv6 traffic) in the ingress and egress direction. The IPv6
traffic in the ingress direction will be accounted separately only if the IPv6 family is
configured for the logical interface.
Statistics are maintained for routed IPv6 packets in the egress direction.
Byte and packet counters are maintained in the ingress and egress direction.
Differences in IPv6 statistics for IQ2 interfaces and all other interfaces are as follows:
IQ2 and IQ2E PIC interfaces report the total statistics for the IPv6 traffic. For other
interfaces, the transit statistics are reported.
IQ2 and IQ2E PIC interfaces report all IPv6 traffic received on the logical interface.
For all other interfaces, only the routed traffic is accounted.
IQ2 and IQ2E PIC interfaces report IPv6 statistics for the Layer 2 frame size. For all
other interfaces, the Layer 3 packet size is accounted.
The IPv6 statistics can be viewed by logging in to the individual IQ2 PIC or IQ2E PIC, or
by using the CLI.
Local statistics are not accounted separately.
To display total IPv6 statistics for IQ2 and IQ2E PICs, use the show interfaces extensive
command.
NOTE: The reported IPv6 statistics do not account for the traffic manager
drops in egress direction or the Packet Forwarding Engine/traffic manager
drops in the ingress direction. Transit statistics are not accounted separately
because the IQ2 and IQ2E PICs cannot differentiate between transit and
local statistics.
12
100-Gigabit Ethernet PIC interoperability with VLAN steeringSupports

interoperability with similar PICs from other vendors using a VLAN steering forwarding
option. Previously, the PICs required interconnection to the same model PIC.
Interoperability with interfaces from other vendors was not supported. Junos OS Release
10.4 introduces a new VLAN steering algorithm to configure 100-Gigabit Ethernet PIC
interoperation with similar interfaces from other vendors.
Two packet forwarding modes exist under the forwarding-mode statement. SA multicast
mode, for proprietary connection of two Juniper Networks 100-Gigabit Ethernet PICs,
uses the Ethernet header SA MAC address multicast bit to steer the packets to the
appropriate PFE. VLAN steering mode allows the PIC to connect to non-Juniper
Networks equipment. On ingress, the PIC compares the outer VLAN ID against a
user-defined VLAN ID and VLAN mask combination and steers the packet accordingly.
Modifying the forwarding mode config reboots the PIC.
VLAN steering overview:
In VLAN steering mode, the SA multicast bit is not used for packet steering.
In SA multicast bit steering mode, VLAN ID and VLAN mask configuration is not used
for packet steering.
Configuration of packet forwarding mode and VLAN steering mode uses CLI
commands that result in a PIC reboot.
There are three tag types for ingress packets:
Untagged ingress packetThe packet is sent to PFE1.
Ingress packet with one VLANThe packet forwards based on the VLAN ID.
Ingress packet with two VLANsThe packet forwards based on the outer VLAN
ID.
VLAN rules describe how the router forwards packets. For VLAN steering, you must
use one of the two rules available in the CLI:
Odd-even ruleOdd number VLAN IDs go to PFE1; even number VLAN IDs go to
PFE0.
High-low rule1 through 2047 VLAN IDs go to PFE0; 2048 through 4096 VLAN
IDs go to PFE1.
When configured in VLAN steering mode, the PIC can be configured in two physical
interface mode or in aggregated Ethernet (AE) mode:
Two physical interface modeWhen the PIC is in two physical interface mode, it
creates physical interfaces et-x/0/0:0 and et-x/0/0:1. Each physical interface can
configure its own logical interface and VLAN. CLI enforces the following restrictions
on commit:
The VLAN ID configuration must comply with the selected VLAN rule.
13
The previous restriction implies that the same VLAN ID cannot be configured
on both physical interfaces.
AE modeIn AE mode, the two physical interfaces on the same PIC are aggregated
into one AE physical interface. PIC egress traffic is based on the AE internal hash
algorithm. PIC ingress traffic steering is based on the customized VLAN ID rule. CLI
enforces the following restrictions on commit:
The PIC AE working in VLAN steering mode includes both links of this PIC, and
only the links of this PIC.
The PIC AE working in SA multicast steering mode can include more than one
PIC to achieve more than 100-gigabit capacity.
To configure the PIC forwarding mode, include the forwarding-mode statement and
its options at the [edit chassis fpc number pic number] hierarchy level.
New control queue disable feature (T Series routers with 10-Gigabit Ethernet PIC
with oversubscription)Provides a new CLI statement for disabling the control queue
feature for the 10-Gigabit Ethernet PIC with oversubscription. To disable the control
queue, use the no-pre-classifier statement at the [chassis] hierarchy level.
When the no-pre-classifier statement is set, the control queue feature will be disabled
for all ports on that 10-Gigabit Ethernet PIC with oversubscription. Deleting this
configuration results in the control queue feature being re-enabled on all the ports of
that PIC.
[edit chassis]
fpc 2 {
pic 0 {
no-pre-classifier;
}
}
NOTE:
1. This feature is applicable in both oversubscribed and line-rate modes.
2. The control queue feature is enabled by default in both oversubscribed
and line-rate modes, which can be overridden by the user configuration.

3. CLI show commands remain unchanged. When the control queue is
disabled, various show queue commands continue to show the control

queue in the output. However, all control queue counters are reported
as zeros.
4. Enabling or disabling the control queue feature results in the PIC being
bounced (offline/online).
14
Once the control queue feature is disabled, then the Layer 2 and Layer 3 control packets
are subject to queue selection based on the BA classification. However, the following
control protocol packets are not classified using BA classification, as they might not
have a VLAN, MPLS, or IP header:
Untagged ARP packets
Untagged Layer 2 control packets such as LACP or Ethernet OAM
Untagged IS-IS packets
When the control queue feature is disabled, untagged ARP/IS-IS and other untagged
Layer 2 control packets will go to the restricted queue corresponding to the forwarding
class associated with queue 0.
Microcode remap (M320 and M120 routers)M320 routers with E3 type-1 FPCs and
M120 routers with a single type-1 FPC mapped to an FEB, support a new microcode
map to resolve microcode overflow resulting in bad PIC combinations.
On M320 routers, the new microcode map is enabled by default and is the only option
available.
On M120 routers, you can enable the new microcode map by using the
ucode-imem-remap statement at the [edit chassis feb slot number] hierarchy level. On
M120 routers, the default microcode map remains configured if the ucode-imem-remap
statement is not configured.
[edit chassis]
feb
slot number
ucode-imem-remap
{
}
NOTE: On M120 routers, the FEB is automatically restarted once the

ucode-imem-remap statement is configured and committed.
[System Basics]
Junos OS XML API and Scripting

New Junos OS XML API operational request tag elementsTable 1 on page 16 shows
the Junos OS Extensible Markup Language (XML) operational request tag elements that
are new in Junos OS Release 10.4 along with the corresponding CLI command and
response tag element for each one.
15
Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release
10.4
Request Tag Element
CLI Command
Response Tag Element
<requestdhcpv6-serverreconfigure-information>request_dhcpv6_
server_reconfigure_information
request dhcpv6 server reconfigure
NONE
<request-license-update>
request_license_update
request system license update
NONE
<request-package-nonstop-upgrade>
request_package_nonstop_upgrade
request system software nonstop-upgrade
NONE
<get-amt-statistics> get_amt_statistics
show amt statistics
<amt-instance-statistics>
<get-amt-summary> get_amt_summary
show amt summary
<amt-summary>
<get-amt-tunnel-information>
get_amt_tunnel_information
show amt tunnel
<amt-tunnel-information>
<get-rps-chassis-information>
get_rps_chassis_information
show chassis redundant-power-supply
<rps-chassis-information>
<get-bios-version-information>
get_bios_version_information
show chassis routing-engine bios
NONE
<get-coscongestionnotificationinformation>
get_cos_congestion_notification_information
show class-of-service congestion-notification
<cos-congestion-notification-information>
<get-firewall-log-information>
get_firewall_log_information
show firewall filter version
<firewall-information>
<get-interface-information>
get_interface_information
show ingress-replication
<ingress-replication-information>
<get-isis-contextidentifier-origininformation> get_isis_context_
identifier_origin_information
show isis context-identifier
<isis-context-identifier- information>
<get-isis-database-information>
get_isis_database_information
show isis context-identifier identifier
<isis-context-identifier-origin-information>
<get-mpls-cspf-information>
get_mpls_cspf_information
show mpls context-identifier
<mpls-context-identifier- information>
<get-authentication-pending-table>
get_authentication_pending_table
show network-access domain- map statistics
<domain-map-statistics>
16
10.4 (continued)
Request Tag Element
CLI Command
<get-ospf-database-information>
get_ospf_database_information
show ospf context-identifier
<ospf-context-id-information>
<get-rps-power-supply-information>
get_rps_power_supply_information
show redundant-power-supply led
<rps-led-information>
<get-rps-status-information>
get_rps_status_information
show redundant-power-supply power-supply
<rps-power-supply-information>
<get-rps-version-information>
get_rps_version_information
show redundant-power-supply status
<rps-status-information>
<get-rip-general-statistics-information>
get_rip_general_statistics_information
show redundant-power-supply version
<rps-version-information>
<get-idp-policy-template- information>
get_idp_policy_template_information
show security idp policy-commit-status
<idp-policy-commit-status>
<get-service-border-signalinggateway-charging-status>
get_service_border_signaling_
gateway_charging_status
show services border-signaling-gateway

charging statistics
<bsg-charging-statistics>
<get-service-bsg-denied-messages>
get_service_bsg_denied_messages
show services border-signaling-gateway

charging status
<bsg-charging-status>
<get-services-l2tp-radiusaccounting-statistics-information>
get_services_l2tp_radius_acco
unting_statistics_information
show services l2tp destination
<service-l2tp-destination- information>
<get-service-softwire-statistics-information>
get_service_softwire_statistics
_information
show services sessions
<msp-session-table>
<get_service_sfw_
conversation_
information>
get_service_sfw_conversation
_information
show services softwire
<service-softwire-tableinformation>
<get_service_
sfw_flow_analysis_
information>
get_service_sfw_flow_analysi
s_information
show services softwire flows
<service-fwnat-flow-tableinformation>
<get_service_sfw_
flow_table_information>
get_service_sfw_flow_table_i nformation
show services softwire statistics
<service-softwire-statistics-information>
17
10.4 (continued)
Request Tag Element
CLI Command
<get_service_sfw_sip_registerinformation>
get_service_sfw_sip_register_i nformation
show services stateful-firewall flow-analysis
<service-sfw-flow-analysis-information>
<get_synchronous_ethernet_esmc-statistics>
get_synchronous_ethernet_esmc-statistics
show synchronous-ethernet esmc statistics
<clock-synchronization- statistics>
<get_synchronous_ethernet_esmc_transmit>
get_synchronous_ethernet_esmc_transmit
show synchronous-ethernet esmc transmit
<clock-synchronizationesmc-transmit>
<get_synchronous_ethernet_global_information>
get_-synchronous_ethernet_global_information
show synchronous-ethernet
global-information
NONE
<get_system_resource_cleanup_
processes_information>
get_system_resource_cleanup_
processes_information
show system relay group
<relay-group-information>
<get_rollback_information>
get_rollback_information
show system relay member
<relay-group-member>
<get_dhcp_binding_information>
get_dhcp_binding_information
show system relay summary
<relay-summary>
<clear_synchronous_
ethernet_esmc_
statistics>clear_synchronous_
ethernet_e smc_
statistics
clear synchronousethernet esmc

statistics
<clock-synchronizationclear-output>
Layer 2 Ethernet Services
Feature support for Trio 3D MPCs and MICs (MX Series routers)Enables you to
configure the following features through Junos OS Release 9.1: load balancing, Ethernet
OAM IEEE 802.1ag Phase 4 MIP support, LLDP, BPDU guard and loop guard, IRB support
for interworking of LDP-VPLS and BGP-VPLS, BGP multihoming for Inter-AS VPLS,
VPLS Ethernet as a core-facing interface, and limitations on next-hop flooding.
[Layer 2 Configuration]
Ethernet CFM support on Trio 3D MPCs and MICs (MX Series routers)Enables
support for Ethernet connectivity fault management (CFM) defined by IEEE 802.1ag
for family bridge interfaces. However, MEP configuration is not supported on aggregated
Ethernet interfaces.
[Layer 2 Configuration]
18
MPLS Applications
MPLS support on services PICsAdds MPLS label pop support for services PICs on
Junos OS routers. Previously all MPLS traffic would be dropped at the services PIC. No
changes are required to CLI configurations for this enhancement. In-service software
upgrade (unified ISSU) is supported for tag next hops for MPLS on services PIC traffic,
but no support is provided for tags over IPv6 packets or labels on multiple gateways.
[MPLS]
Adding descriptions for bypass LSPYou can now add a text describing a bypass
LSP using the description option at the [edit protocols rsvp interface interface-name
link-protection bypass bypass-lsp-name] hierarchy level. Enclose any descriptive text
that includes spaces in quotation marks (" "). Any descriptive text you include is
displayed in the output of the show rsvp session bypass command and has no effect
on the operation of the bypass LSP.
[MPLS]
Multicast
Nonstop active routing PIM support for IPv6Starting with Release 10.4, Junos OS
extends the nonstop active routing support for Protocol Independent Multicast (PIM),
which is already supported on IPv4, to include the IPv6 address families. The extension
of nonstop active routing PIM support to IPv6 enables IPv6 routers to maintain
self-generation IDs, multicast session states, dynamic interface states, list of neighbors,
and RPSets across Routing Engine switchovers.
The nonstop active routing support for PIM on IPv6 is similar to the nonstop active
routing PIM support on IPv4 except for the following:
Nonstop active routing support for PIM on IPv6 supports an embedded rendezvous
point (RP) on non-RP routers.
Nonstop active routing support for PIM on IPv6 does not support auto-RP, as auto-RP
is not supported on IPv6.
For more information about nonstop active routing PIM support on IPv4 and IPv6, see
the Junos OS High Availability Configuration Guide.
[High Availability, Multicast]
MX Series
Support for MX SeriesWhile these features have been available on the MX Series
routers in the past, we have now qualified the following features on the Trio chipset.
For MPLS, RSVP, and LDP:
BFD session failure action for LDP LSPs (including ECMP)
RSVP Graceful Restart interop with Cisco using Nodal Hello support
Failure action on BFD session down of RSVP LSPs in JUNOS
RSVP transit
19
L3VPN testing using RSVP
NSR: RSVP ingress
BFD via LDP
For Multicast:
OSPF
OSPF Database Protection
RFC 4136 OSPF Refresh and Flooding Reduction in Stable Topologies
PIM SSM in provider space (Draft-Rosen 7)
NG MVPN - PIM-SSM I-PMSI and deployment scenario testing
MVPN C-PIM in plain ASM mode
NGEN MVPN hub and spoke support with GRE S-PMSI transport
PIM Join suppression support
Translating PIM states to IGMP/MLD messages
Disable PIM for IPv6 via CLI
IPv6 multicast support over L3VPNs
PIM neighbor should be maintained wherever possible
Data MDT SAFI (draft-rosen-l3vpn-mvpn-profiles)
Inter-provider Option A support with Rosen 7
Rosen 7 interoperability with Cisco IOS
For VPNs:
VPLS: Configurable label block size (min 2)
Interoperate LDP-VPLS and BGP-VPLS with FEC 128
LDP-VPLS
Interprovider VPLS Option "E": EBGP redistribution of labeled routes
Miscellaneous:
Support to commit configuration from op/event scripts
Per PFE per packet load balancing
Next Hop Handling Enhancements (Phase 3)
Support local-as alias hidden command
20
MIB Enhancements for Manual Bypass Tunnel Management
ISIS LFA
Improve IGMPv3 performance using bulk updates
Improve IGMPv3 performance using bulk updates - with snooping
Allow ASM group override of SSM ranges
Routing Policy and Firewall Filters
Point-to-multipoint (P2MP) LSP load balancing across aggregated Ethernet links

(M Series except M320)Enables you to load-balance VPLS multicast and P2MP
multicast traffic over link aggregation. This feature also re-load-balances traffic after
a change in the next-hop topology. Next-hop topology changes might include but are
not limited to:
Layer 2 membership change in the link aggregation
Indirect next-hop change
Composite next-hop change
No new configuration is required to configure this feature. The load balancing over
aggregated links is automatically enabled with this release. For a sample topology and
configuration example, see Junos OS Policy Framework Configuration Guide.
[Policy]
New routing policy system log messageJunos OS Release 10.3 supports a new
routing policy system log message. The RPD_PLCY_CFG_NH_NETMASK system log
message provides information about ignored netmasks. If you have a policy statement
with a term that contains a next-hop address with a netmask, the netmask is ignored.
The following sample shows the new system log message (depending on your network
configuration, the type of message you see might be different):
Jun 18 11:22:43 pro5-d rpd[1403]: RPD_PLCY_CFG_NH_NETMASK: Netmask ignored for
next hop: 10.0.0.1/24.
[System Log Messages Reference]
Support for displaying the firewall filter version informationYou can display the
version number of the firewall filter installed in the Routing Engine. The initial version
number is 1 and increments by one when you modify the firewall filter settings or an
associated prefix action. To show the version number of the installed firewall filter,
use the show firewall filter version operational mode command.
[Routing Protocols and Policies Command Reference]
Routing Protocols
Support for disabling traps for passive OSPFv2 interfacesYou can now disable
interface state change traps for passive OSPF interfaces. Passive OSPF interfaces
advertise address information as an internal OSPF route, but do not run the actual
protocol. If you are only interested in receiving notifications for active OSPF interfaces,
21
disabling traps for passive OSPF interfaces reduces the number of notifications received
and processed by the SNMP server. This allows you to more quickly and easily scan
the logs for potential issues on active OSPF interfaces.
To disable and stop receiving notifications for state changes in a passive OSPF interface,
include the no-interface-state-traps statement at the following hierarchy levels:
[edit logical-systems logical-system-name protocols ospf area area-id interface

interface-name]
[edit logical-systems logical-system-name routing-instances routing-instance-name

protocols ospf area area-id interface interface-name]
[edit protocols ospf area area-id interface interface-name]
[edit routing-instances routing-instance-name protocols ospf area area-id interface

interface-name]
[Routing Protocols]
Behavior change for BGP-independent AS domainsIndependent domains use the

transitive path attribute 128 (attribute set) messages to tunnel the independent
domains BGP attributes through the internal BGP (IBGP) core. In Junos OS Release
10.3 and later, if you have not configured an independent domain in any routing instance,
BGP treats the received attribute 128 message as an unknown attribute. The AS path
field in the show route command has been updated to display an unrecognized attribute
and associated hexadecimal value if you have not configured an independent domain.
The following is a sample output of the AS path field (depending on your network
configuration, the output might be different):
AS path: [12345] I Unrecognized Attributes: 40 bytes
AS path: Attr flags e0 code 80: 00 09 eb 1a 40 01 01 00 40 02 08 02 03 fd e9 fd e9 01
2d 40 05 04 00 00 00 64 c0
[Routing Protocols]
Support for disabling the attribute set messages on independent AS domains for
BGP loop detectionBGP loop detection for a specific route uses the local autonomous
system (AS) domain for the routing instance. By default, all routing instances belong
to a single primary routing instance domain. Therefore, BGP loop detection uses the
local ASs configured on all of the routing instances. Depending on your network
configuration, this default behavior can cause routes to be looped and hidden.
To limit the local ASs in the primary routing instance, configure an independent AS
domain for a routing instance. Independent domains use the transitive path attribute
128 (attribute set) messages to tunnel the independent domains BGP attributes
through the internal BGP (IBGP) core. If you want to configure independent domains
to maintain the independence of local ASs in the routing instance and perform BGP
loop detection only for the specified local ASs in the routing instance, disable attribute
set messages on the independent domain. To disable attribute set messages, include
the independent-domain no-attrset statement at the following hierarchy levels:
[edit logical-systems logical-system-name routing-instances routing-instance-name

routing-options autonomous-system autonomous-system]
22
[edit routing-instances routing-instance-name routing-options autonomous-system

autonomous-system]
[Routing Protocols]
Services Applications
NAT-PT with DNS ALG support (M Series and T Series routers)You can configure
Domain Name Service (DNS) application-level gateways (ALGs) using NAT with
protocol translation (NAT-PT) for IPv6 to IPv4. The implementation is described in
RFC 2766 and RFC 2694.
When you configure NAT-PT with DNS ALG support, you must configure two NAT rules.
The first NAT rule ensures that the DNS query and response packets are translated
correctly. For this rule to work, you must configure a DNS ALG application and reference
it in the rule. The second rule is required to ensure that NAT sessions are destined to
the address mapped by the DNS ALG.
To configure the correct translation of the DNS query and response packets, include
the dns-alg-pool dns-alg-pool or dns-alg-prefix dns-alg-prefix statement at the [edit
services nat rule rule-name term term-name then translated] hierarchy level.
To configure the DNS ALG application, include the application application-name

statement at the [edit applications] hierarchy level, then reference it at the [edit
services nat rule rule-name term term-name from] hierarchy level.
To configure destination translation with the DNS ALG address map, use the
use-dns-map-for-destination-translation statement at the [edit services nat rule
rule-name term term-name then translated] hierarchy level. This statement correlates
the DNS query or response processing done by the first rule with the actual data
sessions processed by the second rule.
You can also control the translation of IPv6 and IPv4 DNS queries in the following
ways.
For translation control of IPv6 DNS queries, use the

do-not-translate-AAAA-query-to-A-query statement at the [edit applications
application application-name] hierarchy level.
For translation control of IPv4 queries, use the

do-not-translate-A-query-to-AAAA-query statement at the [edit applications
application application-name] hierarchy level.
NOTE: The above two statements cannot be configured together. You

can only configure one at a time, but not both.
To check that the flows are established properly, use the show services
stateful-firewall flows command or the show services stateful-firewall conversations
command.
23
[Services Interfaces]
Enhancements to active flow monitoringAdd support for extraction of bandwidth

usage information for billing purposes in PIC-based sampling configurations. This
capability is supported on M Series, MX Series, and T Series routers and applies only
to IPv4 and IPv6 traffic. It is enabled only at the global instance hierarchy level and is
not available for per Packet Forwarding Engine instances. To configure the sampling
of traffic for billing purposes, include the template as-peer-billing-template-name
statement at the [edit forwarding-options sampling family (inet | inet6) output
flow-server server-name version version-number] hierarchy level. To define the peer-AS
billing functionality, include the peer-as-billing-template statement at the [edit services
flow-monitoring version9 template template-name] hierarchy level. For a list of the
template fields, see the Junos OS Services Interfaces Configuration Guide. You can apply
the existing destination class usage (DCU) policy option configuration for use with this
feature.
In addition, the MPLS top label IP address is added as a new field in the existing
MPLS-IPv4 flow template. You can use this field to gather MPLS forwarding equivalence
class (FEC) -based traffic information for MPLS network capacity planning. These
ALGs that use Junos Services Framework (JSF) (M Series) is a PIC-only feature applied
on sampled traffic and collected by the services PIC or DPC. You can define it for either
global or per Packet Forwarding Engine instances for MPLS traffic.
The show services accounting aggregation template operational command has been
updated to include new output fields that reflect the additional functionality.
[Services Interfaces, System Basics and Services Command Reference]
Support for the RPM timestamp on the Services SDK (M Series, MX Series, and T
Series)Real-time performance monitoring (RPM), which has been supported on the
Adaptive Services (AS) interface, is now supported by the Services SDK. RPM is
supported on all platforms and service PICs that support the Services SDK.
RPM timestamping is needed to account for any latency in packet communications.
You can apply timestamps on the client, the server, or both the client and server. RPM
timestamping is supported only with the icmp-ping, icmp-ping-timestamp, udp-ping,
and udp-ping-timestamp probe types.
To specify the Services SDK interface, include the destination-interface statement at
the [edit services rpm probe probe-owner test test-name] hierarchy level:
destination-interface ms-fpc/pic/port.logical-unit-number;
To specify the RPM client router and the RPM server router, include the rpm statement
at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:
rpm (client | server);
To enable RPM on the Services SDK on the AS interface, configure the object-cache-size,
policy-db-size, and package statements at the [edit chassis fpc slot-number pic
pic-number adaptive-services service-package extension-provider] hierarchy level. For
the Services SDK, package-name in the package package-name statement is
jservices-rpm.
user@host# show chassis
24
fpc 1 {
pic 2 {
adaptive-services {
service-package {
extension-provider {
control-cores 1;
data-cores 1;
object-cache-size 512;
policy-db-size 64;
package jservices-rpm;
syslog daemon any;
}
}
}
}
}
ALGs using Junos OS Services Framework (JSF) (M Series with Multiservices PICs
and MX Series with MS DPCs)Application-level gateways (ALGs) intercept and
analyze specified traffic, allocate resources, and define dynamic policies to permit
traffic to pass securely through a device. Beginning with Junos OS Release 10.4 on the
specified routers, you can use JSF ALGs with the following services:
Stateful firewall
Network Address Translation (NAT)
To use JSF to run ALGs, you must configure the jservices-alg package at the [edit
chassis fpc slot pic slot adaptive-services service-package extension-provider package]
hierarchy level. In addition, you must configure the ALG application at the [edit
applications application application-name] hierarchy level, and reference the application
in the stateful firewall rule or the NAT rule in those respective configurations.
Enhancements to port mirroring with next-hop groups (MX Series only)Adds

support for binding up to two port-mirroring instances to the same MX Series Packet
Fowarding Engine. This enables you to choose multiple mirror destinations by specifying
different port-mirroring instances in the filters. Filters must include the
port-mirror-instance instance-name statement at the [edit firewall filter filter-name term
term-name then] hierarchy level. You must also include the port-mirror-instance
instance-name statement at the [edit chassis fpc number] hierarchy level to specify the
FPC to be used.
Inline port mirroring allows you to configure instances that are not bound to the FPC
specified in the firewall filter then port-mirror-instance instance-name action. Instead,
you can define the then next-hop-group action. Inline port-mirroring aims to decouple
the port-mirror destination from the input parameters, such as rate. While the input
parameters are programmed in the Switch Interface Board (SIB), the next-hop
destination for the mirrored packet is available in the packet itself.
A port-mirroring instance can now inherit input parameters from another instance that
specifies it. To configure this option, include the input-parameters-instance
25
instance-name statement at the [edit forwarding-options port-mirror instance

instance-name] hierarchy level.
You can also now configure port mirroring to next-hop groups using a tunnel interface.
Multiple IDP detector support (MX Series routers, M120 routers, and Enhanced III
FPCs in M320 routers)The IDP detector provides information about services, contexts,
and anomalies that are supported by the associated protocol decoder.
The specified routers now support loading multiple IDP detectors simultaneously.
When a policy is loaded, it is also associated with a detector. If the new policy being
loaded has an associated detector that matches the detector already being used by
the existing policy, the new detector is not loaded and both policies use a single
associated detector. However, if the new detector does not match the current detector,
the new detector is loaded along with the new policy. In this case, each loaded policy
will then use its own associated detector for attack detection. Note that with the
specified routers, a maximum of four detectors can be loaded at any given time.
Multiple IDP detector support for the specified routers functions in a similar way to the
existing IDP detector support on J Series and SRX Series devices, except for the
maximum number of decoder binary instances that are loaded into the process space.
To view the current policy and the corresponding detector version, use the show security
idp status detail command.
For more information, see the Junos OS Security Configuration Guide.
NAT using Junos OS Services Framework (JSF) (M Series and T Series with
Multiservices PICs and MX Series with Multiservices DPCs)The Junos OS Services
Framework (JSF) is a unified framework for Junos OS services integration. JSF Services
integration will allow the option of running Junos OS services on services PICs or DPCs
in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4,
you can use JSF to run NAT on the specified routers.
To use JSF to run NAT, you must configure the jservices-nat package at the [edit chassis
fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy
level. In addition, you must configure NAT rules and a service set with a Multiservice
interface. To check the configuration, use the show configuration services nat command.
To show the run time (dynamic state) information on the interface, use the show
services sessions and show services nat pool commands.
Stateful firewall using Junos OS Services Framework (JSF) (M Series with

Multiservices PICs, MX Series with Multiservices DPCs, and T Series routers)The
Junos OS Services Framework (JSF) is a unified framework for Junos OS services
integration. JSF Services integration will allow the option of running Junos OS services
on services PICs or DPCs in any M Series, MX Series, or T Series routers. Beginning with
Junos OS Release 10.4, you can use JSF to run stateful firewall on the specified routers.
26
To use JSF to run stateful firewall, you must configure the jservices-sfw package at the
[edit chassis fpc slot pic slot adaptive-services service-package extension-provider
package] hierarchy level. In addition, you must configure stateful firewall rules and a
service set with a Multiservice interface. To check the configuration, use the show
configuration services stateful-firewall command. To show the run time (dynamic state)
information on the interface, use the show services sessions command.
Transition of IPv4 traffic to IPv6 addresses using Dual Stack Lite (DS-Lite)Adds
support for DS-Lite, a means for transitioning IPv4 traffic to IPv6 addresses. This
transition will become necessary as the supply of unique IPv4 addresses nears
exhaustion. New subscriber homes are allocated IPv6 addresses and IPv6-capable
equipment; DS-Lite provides a method for the private IPv4 addresses behind the IPv6
equipment to reach the IPv4 network. An IPv4 host communicates with a NAT endpoint
over an IPv6 network using softwires. DS-Lite creates the IPv6 softwires that terminate
on the services PIC. Packets coming out of the softwire can then have other services
such as NAT applied on them.
[Services Interfaces, System Basics and Services Command Reference]
Round-robin allocation for NATP addressesYou can now specify round-robin address
allocation from NAT pools when you use NATP. In the default method of
address-allocation, NAT addresses are allocated sequentially. All of the addresses in
a given range must be allocated before addresses from a different range are allocated.
The following example illustrates the sequential (legacy) implementation, which is
still available to provide backward compatibility.
pool napt {
address-range low 9.9.99.1 high 9.9.99.3;
port {
range low 3333 high 3334;
}
}
In this example, for each unique source address, a new address range is used for
allocation only when there are no ports available in the previous address range. Address
9.9.99.4:3333 is picked only when all ports for addresses in the first range are exhausted.
The first connection is allocated NAT address 9.9.99.1:3333.
The second connection is allocated 9.9.99.1:3334.
The third connection is allocated 9.9.99.2:3333.
The fourth connection is allocated 9.9.99.2:3334, and so on.
To configure round-robin allocation for NAT pools, include the address-allocation

round-robin configuration statement at the [edit services nat pool pool-name] hierarchy
level. When you use round-robin allocation, one port is allocated from each address
in a range before repeating the process for each address in the next range. After ports
27
have been allocated for all addresses in the last range, the allocation process wraps
around and allocates the next unused port for addresses in the first range.
The first connection is allocated NAT address 9.9.99.1:3333.
The second connection is allocated 9.9.99.2:3333.
The third connection is allocated 9.9.99.3:3333.
The fourth connection is allocated 9.9.99.4:3333.
The fifth connection is allocated address 9.9.99.5:3333.
The sixth connection is allocated address 9.9.99.6:3333.
The seventh connection is allocated address 9.9.99.7:3333.
The eighth connection is allocated address 9.9.99.8:3333.
The ninth connection is allocated address 9.9.99.9:3333.
The tenth connection is allocated address 9.9.99.10:3333.
The eleventh connection is allocated address 9.9.99.11:3333.
The twelfth connection is allocated address 9.9.99.12:3333.
Wraparound occurs and the thirteenth connection is allocated address 9.9.99.1:3334.
Subscriber Access Management
Enhancement to the show services l2tp destination commandThe show services l2tp
destination command has been extended to display the lockout state of the destination
from the LAC. A destination that is reachable is not locked. An unreachable destination
is locked out. L2TP makes no further attempts to connect to this destination until the
timeout period (300 seconds) expires, unless the unreachable destination is the only
destination in the tunnel configuration list. In that case, L2TP ignores the lockout and
continues trying to connect to the destination.
[Subscriber Access]
Redirecting HTTP redirect requests (MX Series routers)Enables support for HTTP
traffic requests from subscribers to be aggregated from access networks onto a BRAS
router, where HTTP traffic can be intercepted and redirected to a captive portal. A
captive portal provides authentication and authorization services for redirected
subscribers before granting access to protected servers outside of a walled garden. A
walled garden defines a group of servers where access is provided to subscribers
without reauthorization through a captive portal. You can use a captive portal page as
the initial page a subscriber sees after logging in to a subscriber session and as a page
used to receive and manage HTTP requests to unauthorized Web resources. An HTTP
redirect remote server that resides in a walled garden behind Junos OS routers processes
HTTP requests redirected to it and responds with a redirect URL to a captive portal.
28
To configure HTTP redirect, include the captive-portal-content-delivery statement at

the [edit services] hierarchy level.
[Subscriber Access]
Filter support for service packet countingYou can count service packets, applying
them to a specific named counter (__junos-dyn-service-counter), for use by RADIUS.
To enable service packet accounting, specify the service-accounting action at the [edit
firewall family family-name filter filter-name term term-name then] hierarchy level.
[Policy Framework, Subscriber Access]
Support for domain maps that apply configuration options based on subscriber
domain names (MX Series and M Series routers)You use domain maps to apply
access options and session-specific parameters to subscribers whose domain name
corresponds to the domain map name. You can also create a default domain map that
the router uses for subscribers whose username does not include a domain name or
has a non-matching domain name.
Domain maps apply subscriber-related characteristics such as profiles (access,
dynamic, and tunnel), target and AAA logical system mapping, address pool usage,
and PADN routing information.
You configure domain maps at the [edit access domain] hierarchy level.
[Subscriber Access]
L2TP LAC support for subscriber management (MX Series routers)You can now
configure an L2TP access concentrator (LAC) on MPC-equipped MX Series routers.
As part of the new L2TP LAC support, you can configure how the router selects a tunnel
for a PPP subscriber from among a set of available tunnels. The default tunnel selection
method is to fail over between tunnel preference levels. When a PPP user tries to log
in to a domain, the router attempts to connect to a destination in that domain by means
of the associated tunnel with the highest preference level. If the destination is
unreachable, the router then moves to the next lower preference level and repeats the
process. No configuration is required for this tunnel selection method.
You can include the fail-over-within-preference statement at the [edit services l2tp]
hierarchy level to configure tunnel selection failover within a preference level. With this
method, when the router tries to connect to a destination and is unsuccessful, it selects
a new destination at the same preference level. If all destinations at a preference level
are marked as unreachable, the router does not attempt to connect to a destination
at that level. It drops to the next lower preference level to select a destination. If all
destinations at all preference levels are marked as unreachable, the router chooses
the destination that failed first and tries to make a connection. If the connection fails,
the router rejects the PPP user session without attempting to contact the remote
router.
By default, the router uses a round-robin selection process among tunnels at the same
preference level. Include the weighted-load-balancing statement at the statement at
the [edit services l2tp] hierarchy level to specify that the tunnel with the highest weight
within a preference is selected until its maximum sessions limit is reached. Then the
29
tunnel with the next highest weight is selected until its limit is reached, and so on. The
tunnel with the highest configured maximum sessions value has the greatest weight.
Another feature of L2TP LACs on MX Series routers is the ability to control whether
the LAC sends the Calling Number AVP 22 to the LNS. The AVP value is derived from
the Calling-Station-Id and identifies the interface that is connected to the customer
in the access network. By default, the LAC includes this AVP in ICRQ packets it sends
to the LNS. In some networks you may wish to conceal your network access information.
To prevent the LAC from sending the Calling Number AVP to the LNS, include the
disable-calling-number-avp statement at the [edit services l2tp] hierarchy level.
[Subscriber Access]
Support for dynamic interface sets (M120, M320, and MX Series routers)Enables
you to configure sets of subscriber interfaces in dynamic profiles. Interface sets are
used for providing hierarchical scheduling. Previously, interface sets were supported
for interfaces configured in the static hierarchies only.
Supported subscriber interfaces include static and dynamic demux, static and dynamic
PPPoE, and static and dynamic VLAN interfaces.
To configure an interface set in a dynamic profile, include the interface-set
interface-set-name statement at the [edit dynamic-profiles interfaces] hierarchy level.
To add a subscriber interface to the set, include the interface interface-name unit
logical-unit-number statement at the [edit dynamic-profiles interfaces interface-set
interface-set-name] hierarchy level. You apply traffic shaping and scheduling parameters
to the interface-set by including the interface-set interface-set-name and
output-traffic-control-profile profile-name statements at the static [edit class-of-service
interfaces] hierarchy level.
A new Juniper Networks VSA (attribute 26-130) is now supported for the interface set
name, and includes a predefined variable, $junos-interface-set-name. The VSA is
supported for RADIUS Access-Accept messages only; change of authorization (CoA)
requests are not supported.
[Subscriber Access]
Support for service session accounting statistics (MX Series routers)You can now
capture accounting statistics for subscriber service sessions. Subscriber management
supports service session accounting based on service activation and deactivation, as
well as interim accounting. Time-based accounting is supported for all service sessions.
Time and volume-based accounting is supported for classic firewall filter and fast
update firewall filter service sessions only.
To provide volume service accounting, the well-known accounting counter
(junos-dyn-service-counter) must also be configured for the classic firewall filter and
fast update firewall filter service. You define the counter at the [edit firewall family
family filter filter term term then] hierarchy level.
30
The following VSAs (vendor ID 4874) are used for service accounting:
Attribute
Number
Attribute Name
Description
Value
26-69
Service-Statistics
Enable or disable
statistics for the
service.
0 = disable
1 = enable time statistics
2 = enable time and

volume statistics
26-83
Acct-Service-Session
Name of the
service.
string: service-name
26-140
Service-Interim-Acct-Interval
Amount of time
between interim
accounting
updates for this
service.
range = 60086400
seconds
0 = disabled
[Subscriber Access]
Subscriber secure policy traffic mirroring supported for L2TP sessions on the LAC
(MX Series routers)The L2TP access concentrator (LAC) implementation supports
RADIUS-initiated per-subscriber traffic mirroring. Both subscriber ingress traffic (from
the subscriber into the tunnel) and subscriber egress traffic (from the tunnel to the
subscriber) is mirrored at the (subscriber-facing) ingress interface on the LAC. The
ingress traffic is mirrored after PPPoE decapsulation and before L2TP encapsulation.
The egress traffic is mirrored after L2TP decapsulation. The mirrored packet includes
the complete HDLC frame sent to the LNS.
[Subscriber Access]
Support for static and dynamic CoS on L2TP LAC subscriber interfaces (M120, M320,
and MX Series routers)Enables you to configure static and dynamic CoS for L2TP
access concentrator (LAC) tunnels that transport PPP subscribers at Layer 2 and Layer
3 of the network.
IP and L2TP headers are added to packets arriving at the LAC from a subscriber before
being tunneled to the L2TP network server (LNS). Classifiers and rewrite-rules enable
you to properly transfer the type-of-service (ToS) value or the 802.1p value from the
inner IP header to the outer IP header of the L2TP packet.
For ingress tunnels, you configure fixed or behavior aggregate (BA) classifiers for the
PPP interface or an underlying VLAN interface at Layer 2. You can configure Layer 3
classifiers for a family of PPP interfaces. Layer 2 and Layer 3 classifiers can co-exist
for a PPP subscriber.
For example, to classify incoming packets for a PPP subscriber, include the classifier
type classifier-name statement at the [edit class-of-service interfaces pp0 unit
logical-unit-number] hierarchy level or at the [edit dynamic-profiles class-of-service
interfaces pp0 unit logical-unit-number] hierarchy level.
On egress tunnels, you configure rewrite rules to set the ToS or 802.1p value of the
outer header. For example, to configure a rewrite-rule definition for an interface with
31
802.1p encapsulation, include the [rewrite-rule ieee-802.1 (rewrite-name | default)

statement at the edit class-of-service interfaces interface-name unit logical-unit-number]
hierarchy level or the [edit dynamic-profiles class-of-service interfaces pp0 unit
logical-unit-number] hierarchy level.
Rewrite rules are applied accordingly to the forwarding class, packet loss priority (PLP),
and code point. The proper transfer of the inner IP header to the outer IP header of the
L2TP packet depends on the classifier and rewrite rule configurations.
The following table shows how the classifier and rewrite-rule values transfer from the
inner IP header to the outer IP header. The inner IP header (ob001) is classified with
assured-forwarding and low loss priority at the ingress interface. Based on the
assured-forwarding class and low loss priority in the rewrite rule, the outer IP header
is set to ob001 at the egress interface.
Inner IP Header
Forwarding Class
Loss Priority
Code Point
Outer IP Header
ob001
assured-forwarding
low
001
ob001
[Subscriber Access, Class of Service]
L2TP tunnel profiles and AAA support for tunnels in subscriber management (MX
Series routers)You can configure a set of attributes to define an L2TP tunnel for PPP
subscribers. More than one tunnel can be defined for a tunnel profile. Tunnel profiles
are applied by a domain map before RADIUS authentication. When the RADIUS
Tunnel-Group VSA [26-64] is specified in the RADIUS login, then the RADIUS tunnel
profile (group) overrides a tunnel profile specified by the domain map. The tunnel is
then configured according to RADIUS tunnel attributes and VSAs.
To configure a tunnel profile, include the tunnel-profile profile-name statement at the
[edit access] hierarchy level. To define a tunnel for a profile, include the tunnel tunnel-id
statement at the [edit access tunnel-profile profile-name] hierarchy level.
Define the attributes of the tunnel at the [edit access tunnel-profile profile-name tunnel
tunnel-id] hierarchy level. You must configure a preference for the tunnel and the IP
address of the LNS tunnel endpoint; all other attributes are optional. Include the
preference number statement to configure the preference. Include the remote-gateway
address server-ip-address statement to configure the LNS address.
You can optionally configure the remaining tunnel attributes. Include the
remote-gateway name server-name statement to configure the LNS hostname. Include
the source -gateway address client-ip-address statement and the source-gateway name
client-name statements to configure the local (LAC) tunnel endpoint. Although you
can configure a medium type (medium type) and protocol type (tunnel tunnel-type)
for the tunnel, only the default values of ipv4 and l2tp are supported in this release.
Include the identification name statement to configure an assignment ID for the tunnel.
Include the max-sessions number statement to configure the maximum number of
sessions permitted for the tunnel. Include the secret password statement to configure
a cleartext password for authentication by the remote tunnel endpoint (LNS). Finally,
you can configure a logical system and routing instance for the tunnel by including the
logical-system logical-system-name and routing-instance routing-instance-name
statements.
32
The following table shows the RADIUS attributes that are now supported for defining
a tunnel.
Attribute
Number
Attribute Name
Description
64
Tunnel-Type
The tunneling protocol to use (in the case of a tunnel

initiator) or the tunneling protocol already in use (in
the case of a tunnel terminator).
Only L2TP tunnels are currently supported.
Transport medium to use when creating a tunnel for

protocols that can operate over multiple transports.
Only IPv4 is currently supported.
65
Tunnel-Medium-Type
66
Tunnel-Client-Endpoint
Address of the initiator end of the tunnel.
67
Tunnel-Server-Endpoint
Address of the server end of the tunnel.
69
Tunnel-Password
Password used to authenticate to a remote server.
82
Tunnel-Assignment -Id
Indicates to the tunnel initiator the particular tunnel to

which a session is assigned.
83
Tunnel-Preference
If more than one set of tunneling attributes is returned

by the RADIUS server to the tunnel initiator, this
attribute is included in each set to indicate the relative
preference assigned to each tunnel.
Included in the Tunnel-Link-Start, the

Tunnel-Link-Reject, and the Tunnel-Link-Stop packets
(LAC only).
90
Tunnel-Client-Auth-Id
Name used by the tunnel initiator during the

authentication phase of tunnel establishment.
91
Tunnel-Server-Auth-Id
Name used by the tunnel terminator during the

authentication phase of tunnel establishment.
The following table shows the RADIUS VSAs that are now supported for defining a
tunnel.
Attribute
Number
Attribute Name
Description
Value
26-8
Tunnel-Virtual-Router
Virtual router name for tunnel

connection.
string:
tunnel-virtual-router
26-9
Tunnel-Password
Tunnel password in clear text.
string:
tunnel-password
26-33
Tunnel-Max-Sessions
Maximum number of sessions

allowed in a tunnel.
integer: 4-octet
26-64
Tunnel-Group
Name of the tunnel group

(profile) assigned to a domain
map.
string:
tunnel-group-name
33
[Subscriber Access]
Dynamic reconfiguration of extended DHCPv6 local server clients (MX Series

routers)You can enable dynamic reconfiguration of DHCPv6 clients to enable the
extended DHCPv6 local server to initiate a client update without waiting for the client
to initiate a request. In subscriber management scenarios, a client may need to be
quickly updated with its network address and configuration in the event of server
changes, such as a restructuring of the service providers addressing scheme or a change
in the local server IP addresses that were provided to the clients. Include the reconfigure
statement to enable dynamic reconfiguration with default values for all DHCPv6 clients
at the [edit system services dhcp-local-server dhcpv6] hierarchy level, and for DHCPv6
clients serviced by a specified group of interfaces at the [edit system services
dhcp-local-server dhcpv6 group group-name] hierarchy level.
Optional statements enable you to modify default reconfiguration values: The number
of reconfiguration attempts, the interval between the first and second attempts, what
happens to the client if all reconfiguration attempts fail, what happens to the client in
the event of a RADIUS-initiated disconnect, whether to bind clients that do not support
reconfiguration, and whether to send an authentication token. Issue the request dhcpv6
server reconfigure command to initiate reconfiguration. Use the show dhcpv6 server
binding and show dhcpv6 server statistics commands to monitor client-server
interactions.
[Subscriber Access]
Support for ascend data filters (RADIUS attribute 242) in subscriber firewall filters
(MX Series routers)You can now configure subscriber management to use ascend
data filters (ADFs) to create and apply firewall filters to subscriber traffic. The ADF
creates a rule that specifies match conditions on the source and destination IP address,
the protocol, and the source and destination port, and also specifies the action to
perform (such as accept or discard). The ADF rule also specifies the filter direction,
and can optionally provide traffic class and policer information. The router supports
ADF rules for family types inet and inet6.
Subscriber management uses dynamic profiles to obtain the ADF rules from the RADIUS
server. You can use the new Junos OS predefined variables ($junos-adf-rule-v4 for
family inet and $junos-adf-rule-v6 for inet6) to map ADF rules to Junos OS functionality,
or you can statically create ADF rules.
To configure ADF support, use the following stanza at the [edit dynamic-profiles
profile-name interfaces interface-name unit logical-unit-number family family] hierarchy
level:
filter {
adf {
counter;
input-precedence precedence;
output-precedence precedence;
rule rule-value;
}
}
[Subscriber Access, System Basics and Services Command Reference]
34
Per-interface DHCP tracing operations (MX Series routers)In addition to the existing
global DHCP tracing operation, you can now trace DHCP operations for a specific
interface or a range of interfaces.
Configuring interface-based tracing is a two-step procedure. First configure the tracing
options that you want to use, such as the file used for the trace operation and the trace
flags. In the second step, enable the tracing operation on the specific interface or range
of interfaces.
To configure the per-interface tracing options, use the interface-traceoptions

statement at the [edit system services dhcp-local-server] hierarchy level for the DHCP
local server or at the [edit forwarding-options dhcp-relay] hierarchy level for the DHCP
relay agent.
To enable tracing on an interface or interface range, use the trace statement at the
[edit system services dhcp-local-server group group-name interface interface-name]
hierarchy level for the DHCP local server, or the [edit forwarding-options dhcp-relay
group group-name interface interface-name] hierarchy level for the DHCP relay agent.
You can also enable tracing for DHCPv6 at the [edit system services dhcp-local-server
dhcpv6 group group-name interface interface-name] hierarchy level.
[Subscriber Access]
Automatic binding of stray DHCP requests (MX Series routers)The default behavior
has changed for handling DHCP requests that are received but which have no entry in
the database (stray requests). Beginning with Junos OS Release 10.4, automatic binding
of stray requests is enabled by default. In Junos OS Release 10.3 and earlier releases,
automatic binding of stray requests is disabled by default.
By default, DHCP relay and DHCP relay proxy now attempt to bind the requesting client
by creating a database entry and forwarding the request to the DHCP server. If the
server responds with an ACK, the client is bound and the ACK is forwarded to the client.
If the server responds with a NAK, the database entry is deleted and the NAK is
forwarded to the client. This behavior occurs regardless of whether authentication is
configured.
In Junos OS Release 10.3 and earlier releases, DHCP relay drops stray requests and
forwards a NAK to the client when authentication is configured. Otherwise, DHCP relay
attempts to bind the requesting client. In those releases, DHCP relay proxy always
drops stray requests and forwards a NAK to the client, regardless of the authentication
configuration.
You can override the new default configuration to cause DHCP relay and DHCP relay
proxy to drop all stray requests instead of attempting to bind the clients. To disable
automatic binding behavior globally, include the no-bind-on-request statement at the
[edit forwarding-options dhcp-relay overrides] hierarchy level. To disable automatic
binding behavior for a group, include the statement at the [edit forwarding-options
dhcp-relay overrides group group-name] hierarchy level. To disable automatic binding
behavior for a specific interface in a group, include the statement at the [edit
forwarding-options dhcp-relay overrides group group-name interface interface-name]
hierarchy level.
35
[Subscriber Access]
Support for VPLS Layer 2 wholesale configuration in a subscriber access

networkEnables you to configure Layer 2 wholesaling within a subscriber access
network. Wholesale access is the process by which an access network provider
(wholesaler) partitions the access network into separately manageable and
accountable subscriber segments for resale to other network providers. An access
network provider may elect to wholesale all or part of its network to one or more service
providers (retailers).
NOTE: In this release, Layer 2 wholesaling supports the use of only the
default logical system using multiple routing instances.
The Juniper Networks Layer 2 wholesale solution is similar to the Layer 3 wholesale
solution in many ways. However, when configuring the Juniper Networks Layer 2
wholesale solution, keep the following in mind:
No Layer 3 components (address assignment, Layer 3 interfaces, and so on) are

involved.
S-VLANs must be unique to any Gigabit Ethernet or Aggregated Ethernet interfaces

within the entire network (not just unique to one router).
Layer 2 wholesale supports only CoA disconnect and variable modification; CoA
service activation is not supported.
NOTE: For general information about configuring dynamic wholesale for

your subscriber access network, see the Broadband Subscriber Management
Solutions Guide.
To configure Layer 2 wholesale for a subscriber access network:
Configure a VLAN dynamic profile. See the Subscriber Access Configuration Guide
for details.
Include the routing-instances statement along with the $junos-routing-instance

dynamic variable at the [edit dynamic-profiles profile-name interface
$junos-interface-name] hierarchy level.
Include the interfaces statement along with the $junos-interface-name dynamic

variable at the [edit dynamic-profiles profile-name interface $junos-interface-name
routing-instances $junos-routing-instance] hierarchy level.
Include the interfaces statement along with the $junos-interface-ifd-name dynamic

variable at the [edit dynamic-profiles profile-name] hierarchy level.
Include the unit statement along with the $junos-interface-unit dynamic variable at
the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name]
hierarchy level.
36
(Optional) Include the encapsulation statement at the [edit dynamic-profiles

profile-name interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy
level and specify the unit encapsulation as vlan-vpls or vlan-ccc.
NOTE: If you choose not to specify an encapsulation for the logical

interface, you must specify encapsulation for the physical interface.
Include the vlan-tags statement and define the outer VLAN tag using the
$junos-stacked-vlan-id dynamic variable and the inner VLAN tag using the
$junos-vlan-id dynamic variable at the [edit dynamic-profiles profile-name interface
$junos-interface-ifd-name unit $junos-interface-unit] hierarchy level.
Include the input-vlan-map statement at the [edit dynamic-profiles profile-name

interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level and
define the map settings as follows:
NOTE: You configure the input-vlan-map statement only when there is

a need to either push an outer tag on a single-tagged subscriber packet
or modify the outer tag in a subscriber dual-tagged packet.
Specify the action that you want the input VLAN map to take. See the Network
Interfaces Configuration Guide for details on how to configure input-vlan-map
statement options.
Include the vlan-id statement along with the $junos-vlan-map-id dynamic variable.
Include the output-vlan-map statement at the [edit dynamic-profiles profile-name

interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level and
specify the action that you want the output VLAN map to take. See the Network
Interfaces Configuration Guide for details on how to configure output-vlan-map
statement options.
NOTE: You configure the output-vlan-map statement only when there

is a need to either pop or modify the outer tag found in a dual-tagged
packet meant for the subscriber.
Specify the unit family as vpls at the [edit dynamic-profiles profile-name interface
$junos-interface-ifd-name unit $junos-interface-unit family] hierarchy level.
Include the flexible-vlan-tagging statement for any interfaces you plan to use at the
[edit interfaces interface-name] hierarchy level.
37
Include the encapsulation statement for any interfaces you plan to use at the [edit
interfaces interface-name] hierarchy level and specify the encapsulation as follows:
flexible-ethernet-services.
Use the vlan-vpls or flexible-ethernet-services options if you specified the vlan-vpls

option for the encapsulation statement at the [edit dynamic-profiles profile-name
interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level.
NOTE: Using the vlan-vpls encapsulation option in both the dynamic

profile and when configuring the physical interface limits the VLAN ID
value to a number greater than or equal to 512. Using the
flexible-ethernet-services encapsulation option does not result in a
limitation to the VLAN ID value.
Use the flexible-ethernet-services option if you plan to configure logical interfaces

with different encapsulations at the [edit dynamic-profiles profile-name interface
NOTE: This encapsulation type does not have a VLAN ID limitation.
Use the extended-vlan-vpls option if you chose not to specify an option for the
encapsulation statement at the [edit dynamic-profiles profile-name interface
NOTE: This encapsulation type can support multiple TPIDs and does
not have a VLAN ID limitation.
Specify the vpls option for the instance-type statement for any retailer routing
instances you plan to use at the [edit routing-instances instance-name] hierarchy
level.
Include the qualified-bum-pruning-mode statement in any retailer routing instances

you plan to use at the [edit routing-instances instance-name] hierarchy level.
Specify the permanent option for the connectivity-type statement at the [edit
routing-instances instance-nameprotocols vpls] hierarchy level to ensure that the
routing instance (pseudo-wire) remains operational.
Configure the VLAN Interfaces to use the dynamic profile. See the Subscriber Access
Configuration Guide for details.
Define access to your RADIUS server and specify the access profile at the [edit
access] hierarchy level.
To view the logical system and routing instance for each subscriber, use the show
subscriber operational command.
38
[Subscriber Access]
System Logging
New and deprecated system log tagsThe following system log messages are new
in this release:
ASP_SFW_DELETE_FLOW
CHASSISD_FM_FABRIC_DOWN
CHASSISD_FPC_FABRIC_DOWN_REBOOT
CHASSISD_FRU_INTEROP_UNSUPPORTED
CHASSISD_RE_CONSOLE_FE_STORM
RPD_AMT_CFG_ADDR_FMLY_INVALID
RPD_AMT_CFG_ANYCAST_INVALID
RPD_AMT_CFG_ANYCAST_MCAST
RPD_AMT_CFG_LOC_ADDR_INVALID
RPD_AMT_CFG_LOC_ADDR_MCAST
RPD_AMT_CFG_PREFIX_LEN_SHORT
RPD_AMT_CFG_RELAY_INVALID
RPD_BGP_CFG_ADDR_INVALID
RPD_BGP_CFG_LOCAL_ASNUM_WARN
RPD_CFG_TRACE_FILE_MISSING
RPD_LDP_GR_CFG_IGNORED
RPD_MC_CFG_FWDCACHE_CONFLICT
RPD_MC_CFG_PREFIX_LEN_SHORT
RPD_MSDP_CFG_SA_LIMITS_CONFLICT
RPD_MSDP_CFG_SRC_INVALID
RPD_MVPN_CFG_PREFIX_LEN_SHORT
RPD_PLCY_CFG_COMMUNITY_FAIL
RPD_PLCY_CFG_FWDCLASS_OVERRIDDEN
RPD_PLCY_CFG_IFALL_NOMATCH
RPD_PLCY_CFG_PARSE_GEN_FAIL
39
RPD_PLCY_CFG_PREFIX_LEN_SHORT
RPD_RSVP_COS_CFG_WARN
RPD_RT_INST_IMPORT_PLCY_WARNING
RPD_OSPF_IF_COST_CHANGE
RPD_OSPF_TOPO_IF_COST_CHANGE
RPD_VPLS_INTF_NOT_IN_SITE
[System Log]
Added interface information to BFD session up/down system log tagsAdded peer
address information for BFDD_TRAP_MHOP_STATE_DOWN and
BFDD_TRAP_MHOP_STATE_UP.
[System Log]
VPNs
Disable TTL propagation behavior for the routes in a VRF routing instanceEnables
you to control TTL decrementing for individual VPNs. In prior releases, Junos OS enabled
control of TTL behavior only at the router level for all LDP-signaled and all
RSVP-signaled label-switched paths. With this feature, you can control the behavior
on individual VPN routes. To configure, include the vrf-propagate-ttl or
no-vrf-propagate-ttl statement at the [edit routing-instances instance-name] hierarchy
level. The instance-specific behavior overrides the router behavior configured at the
[edit protocols mpls] hierarchy level with the no-propagate-ttl statement. The show
route extensive and show route detail commands display the TTL action for each VRF
routing instance.
[VPNs]
Support for Layer 3 VPN composite next hops and a larger number of Layer 3 VPN
labels on T Series routersLayer 3 VPN composite next hops can now be enabled on
T Series routers with Enhanced Scaling FPCs by including the l3vpn-composite-nexthop
statement at the [edit routing options] or [edit logical-systems logical-system-name
routing options] hierarchy levels. This statement enables BGP to accept larger numbers
of Layer 3 VPN BGP updates with unique inner VPN labels. Including the
l3vpn-composite-nexthop statement in the configuration enhances scaling and
convergence performance of PE routers participating in a Layer 3 VPN in a multivendor
environment.
The Junos OS provides the configuration statement memory-enhanced to reallocate
the jtree memory for routes and Layer 3 VPNs. This statement has the following options:
routeInclude this statement when you want to support larger routing tables (with
more routes) over firewall filters. For example, you can enable this option when you
want to support a large number of routes for Layer 3 VPNs implemented using MPLS.
However, we recommend enabling this option only if you do not have a very large
firewall configuration.
40
To allocate more memory for routing tables, include the route statement at the [edit
chassis memory-enhanced] hierarchy level:
[edit chassis memory-enhanced]
route;
vpn-labelInclude this statement when you want to enhance memory to support a
larger number of Layer 3 VPN labels accepted by the l3vpn-composite-nexhop

statement.
To allocate more memory for Layer 3 VPN labels, include the vpn-label statement
at the [edit chassis memory-enhanced] hierarchy level:
[edit chassis memory-enhanced]
vpn-label;
NOTE:
With Junos Release 10.4, the memory-enhanced route statement at the
[edit chassis] hierarchy level replaces the route-memory-enhanced
statement at the [edit chassis] hierarchy level.
[VPNs, System Basics]
Egress protection LSPsIf there is a link or node failure in the core network, a protection
mechanism such as MPLS fast reroute can be triggered on the transport LSPs between
the PE routers to repair the connection within tens of milliseconds. An egress protection
LSP addresses the problem of when a link failure occurs at the edge of the network
(for example, a link failure between a PE router and a CE device).
To enable an egress protection LSP, you need to configure the following statements:
context-identifierSpecifies an IPv4 address used to define the pair of PE routers
participating in the egress protection LSP. The context identifier is used to assign an
identifier to the protector PE router. The identifier is propagated to the other PE
routers participating in the network, making it possible for the protected egress PE
router to signal the egress protection LSP to the protector PE router. Configure the
context-identifier statement at the [edit protocols l2circuit neighbor neighbor-address
interface interface-name egress-protection protector-pe] and the [edit protocols mpls
egress-protection] hierarchy levels.
egress-protectionConfigures the protector information for the protected Layer 2
circuit and also configures the protector Layer 2 circuit itself at the [edit protocols
l2circuit] hierarchy level. Configures an LSP as an egress protection LSP at the [edit
protocols mpls label-switched-path lsp-name] hierarchy level. It also configures the
context identifier at the [edit protocols mpls] hierarchy level.
protected-l2circuitSpecifies which Layer 2 circuit is to be protected by the egress
protect LSP. This statement includes the following sub-statements: ingress-pe,

egress-pe, and virtual-circuit-id. These sub-statements specify the address of the
PE router at the ingress of the Layer 2 circuit, the address of the PE router at the
egress of the Layer 2 circuit, and the Layer 2 circuits identifier respectively. Configure
41
the protected-l2circuit statement at the [edit protocols l2circuit neighbor address

interface interface-name] hierarchy level.
protector-peSpecify the IPv4 address of the protector PE router. The protector PE
router must have a connection to the same CE device as the protected PE router for
the egress protect LSP to function. This statement includes the following
sub-statements: context-identifier and lsp. The lsp statement specifies the LSP to
be used as the actual egress protection LSP. Configure the protector-pe statement
at the [edit protocols l2circuit neighbor neighbor-address interface interface-name
egress-protection] hierarchy level.
[VPNs]
Local switching support for the ignore-encapsulation-mismatch statementThe

ignore-encapsulation-mismatch statement has been extended to support local
switching. You can now configure this statement at the [edit protocols l2circuit
local-switching interface interface-name] hierarchy level. This statement allows a Layer
2 circuit to be established even though the encapsulation configured on the CE device
interface does not match the encapsulation configured on the Layer 2 circuit interface.
Local switching allows you to configure a Layer 2 circuit entirely on the local router,
terminating the circuit on a local interface.
[VPNs]
Related
Documentation
Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series,
MX Series, and T Series Routers on page 77
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and
T Series Routers
Class of Service
Changes to the output of the show interfaces queue commandPreviously, the output
of the show interfaces queue interface-name displayed the max-queues-per-interface
information HW supported queues, as shown below:
Egress queues: 4 supported, 4 in use
The first value indicates either the default or the value specified through the
max-queues-per-interface statement. Now this is changed to HW supported queues.
The first value does not change with respect to the changes to
max-queues-per-interface as before.
[Class of Service]
42
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Forwarding and Sampling
APR packet policing on TCC Ethernet interfacesIn Junos OS Release 10.4, the APR
packet policing is effective on the TCC Ethernet interfaces.
High CPU utilization of the DFWD processYou might notice a high CPU utilization
by the DFWD process if the interface lo0 is configured as part of the interface group
0.
Bridge domain naming (Layer 2 platforms)You cannot include the slash mark (/)
in a bridge domain name at the [edit bridge-domains bridge-domain-name] hierarchy
level.
[Layer 2]
SFC and LCC Routing Engine (RE) name changesThe SFC Routing Engine name is
changed from RE-TXP-SFC to RE-DUO-2600, and the LCC Routing Engine name is
changed from RE-TXP-LCC to RE-DUO-1800.
[Software Installation and Upgrade]
Enhancement to show oam ethernet link-fault-management detail commandThe

output of the show oam ethernet link-fault-management detail command now includes
the following two new fields: OAM total symbol error event information and OAM total
frame error event information. These fields display the total number of errored symbols
and errored frames, respectively, and are updated at every interval regardless of whether
the threshold for sending event TLVs has been crossed. Previously, the show oam
ethernet link-fault management detail command displayed only the number of errored
symbols reported in TLV events transmitted since the OAM layer was reset and displays
the number of errored frames detected since the OAM layer was reset.
[Interfaces Command Reference]
Enhancement to show oam ethernet connectivity-fault-management commandsThe

output of the show oam ethernet connectivity-fault-management mep-statistics, show
oam ethernet connectivity-fault-management interfaces, and show oam ethernet
connectivity-fault-management mep-database commands includes the following three
new fields: Out of sync 1DMs received, which displays the number of out-of-sync one-way
delay measurement packets received; Valid DMMs received, which displays the number
of valid two-way delay measurement request packets received, and Invalid DMMs
received, which displays the number of invalid two-way delay measurement request
packets received.
New command to clear ETH-DM delay-statistics (MX Series routers)A new

command, clear oam ethernet connectivity-fault-management delay-statistics, enables
you to clear ITU-T Y.1731 Ethernet frame delay measurement (ETH-DM) delay-statistics
and ETH-DM frame counts. Use the maintenance-association
maintenance-association-name and maintenance-domain maintenance-domain-name
options to clear delay-statistics and frame counts for specific maintenance associations
43
and maintenance domains. You can also use the one-way and two-way options to
clear only one-way delay statistics or two-way delay statistics, respectively.
Circuit Emulation (CE) interfaces firmware compatibility for ATM IMA on M7i, M10i,
M40e, M120, and M320 routersProvides a Firmware mismatch syslog message and
a show interface command output message in the IMA Group state and IMA Link state
if the PIC's firmware is not compatible in Junos OS Release 10.0 and later releases.
NOTE: CE PICs require firmware version rom-ce-9.3.pbin or rom-ce-10.0.pbin

for ATM IMA functionality on M7i, M10i, M40e, M120, and M320 routers with
Junos OS Release 10.0R1 or later.
CE PICs manufactured with the 560-028081.pbin firmware will produce the following
entry in /var/log/messages when Junos OS is upgraded to Release 10.0R1 or newer
releases:
Firmware mismatch. Need to upgrade PIC PROM Binary CPU firmware for IMA.
If you configure IMA with this combination of Junos OS and CE PIC firmware, the
following entry will be seen.
Firmware error. Need to upgrade PIC PROM Binary CPU firmware for IMA.
The show interfaces ce-fpc/pic/port command output will show the following:
Physical link is Down
IMA Group state
: NE: Firmware Error
IMA Link state
: Line: Firmware Error
The customer must contact JTAC for a PIC firmware upgrade to proceed with IMA.
[Interfaces Command Reference, System Log Messages Reference]
Support for configuring shaping overheadSupport for CLI based configuration of

shaping overhead has been added to the PD-5-10XGE-SFPP Type 4 PIC.
Set bandwidth value on aggregated Ethernet interfacesYou can now set the
bandwidth value by using the bandwidth value statement at the [edit interfaces
aggregate-interface unit number] hierarchy level.
Additionally, the show interfaces aggregate-inteface extensive and the show interfaces
aggregate.logical-interface commands now show the bandwidth of the aggregate when
it is configured. Also, the SNMP OID ifSpeed/ifHighSpeed of the aggregate logical
interface shows the corresponding bandwidth, when it is configured. When it is not
configured, the command shows it as the sum of the bandwidths of the member links
of the aggregate, as before.
Network interfaces show command output (All platforms)The output of the show
interfaces detail/extensive command now adds a table that shows complete (not
truncated) names of the forwarding classes associated with queues.
44
Negotiate IP address option removedThe negotiate IP address option is no longer

allowed in the MLFR and MFR encapsulations.
Hardware restrictions in the output of the show interfaces extensive commandWhen
using the show interfaces extensive command with a 100-Gigabit Ethernet PIC, the
Filter statistics section will not be displayed because the hardware does not include
those counters.
New command to clear Link Aggregation Control Protocol statisticsA new

command, clear lacp statistics, enables you to clear Link Aggregation Control Protocol
(LACP) statistics. Use the interfaces option to clear interface statistics. You can also
clear interface statistics for a specific interface only by using the interfaces
interface-name option.
Change to the show interfaces aenumber extensive commandThe output of the show
interfaces aenumber extensive command no longer displays Link Aggregation Control
Protocol (LACP) statistics. To display LACP statistics, use the show lacp statistics
interfaces command.
Increase in unit numbering for demux0 and pp0 interfacesThe unit numbering for
demux0 and pp0 interfaces has been increased to 1,073,741,823.
Support for Diffie-Hellman 2048-bit encryptionYou can now configure

Diffie-Hellman 2048-bit encryption (group14) for IPsec communications on
Multiservices PICs.
To use Diffie-Hellman 2048-bit encryption, include the dhgroup group14 statement at
the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level.
To configure 2048-bit encryption for an IPsec policy, include the keys group14 option
at the [edit services ipsec-vpn ipsec policy policy-name perfect-forward-secrecy] hierarchy
level.
Show chassis environment cb command on MX80 routersThe show chassis

environment cb command is now available for the MX80 routers.
Junos OS XML API and Scripting
The jcs:load-configuration template now accepts the $commit-options parameterThe

jcs:load-configuration template, included in the import file junos.xsl, now accepts the
$commit-options parameter to customize the commit operation. The parameter must
be passed to the jcs:load-configuration template as a node-set.
The default value for $commit-options is null. Supported options are:
checkCheck the correctness of the candidate configuration syntax, but do not
commit the changes.
force-synchronizeForce the commit on the other Routing Engine (ignore any
warnings).
45
logWrite the specified message to the commit log. This is identical to the CLI
configuration mode command commit comment.
synchronizeSynchronize the commit on both Routing Engines.
To specify commit options, include the desired options within the <commit-options>
tag. Use the := operator to create a node-set and assign it to a variable. Pass this
variable as the argument for the $commit-options parameter when you call the
jcs:load-configuration template.
For example, to commit the configuration with the synchronize and log options, use
the following syntax for the node-set:
var $options := {
<commit-options> {
<synchronize>;
<log> "synchronizing commit";
}
}
[Configuration and Operations Automation Guide]
Junos XML management protocol support for the interface-ranges attribute of the
<get-configuration> operationBy default, the Junos XML protocol operation
<get-configuration> parallels the default behavior of the CLI configuration mode show
command, which displays the [edit interfaces interface-range] hierarchy as a separate
hierarchy in the configuration. To display the inherited tag elements of each interface
range as children of the interface elements that are members of that range, a client
application combines the interface-ranges="interface-ranges" attribute with the
inherit="inherit" attribute in the <get-configuration> tag of a remote procedure call
(RPC).
If the inherit and interface-ranges attributes are included in the <get-configuration>
tag and the client application requests Junos XML-tagged output (the format="xml"
attribute is included or the format attribute is omitted), the Junos XML protocol server
includes the junos:interface-range="source-interface-range" attribute in the opening
tags of configuration elements that are inherited from an interface range. The attribute
does not appear if the client application requests formatted ASCII output by including
the format="text" attribute in the <get-configuration> tag.
[XML Management Protocol]
MPLS Application
Disable RSVP local revertive modeConfigure the no-local-reversion statement at

the [edit protocols rsvp] hierarchy level to disable RSVP local revertive mode (local
revertive mode as specified in RFC 4090, Fast Reroute Extensions to RSVP-TE for LSP).
RSVP local revertive mode is supported on all Juniper Networks routers running the
Junos OS software by default. If you configure the no-local-reversion statement, the
Juniper Networks router uses global revertive mode instead. You might need to disable
RSVP local revertive mode on Juniper Networks routers if your network includes
equipment that does not support this mode.
[MPLS]
46
Enhancement to the show mpls lsp extensive commandIn Junos OS Release 10.3
and later, the show mpls lsp extensive command displays more detailed Constrained
Shortest Path First (CSPF) messages. You can now see the reason(s) for the CSPF
path computation and rejection. The following list shows some of the enhanced CSPF
messages (depending on your network configuration, the type of messages you see
might be different):
17 Aug 3 13:17:33.601 CSPF: computation result ignored, new path less avail bw[3
times]
16 Aug 3 13:02:51.283 CSPF: computation result ignored, new path no benefit[2 times]
[Routing Protocols and Policies Command Reference]
Enhancement to CSPF traceoptionsIn Junos OS Release 10.3 and later, the

Constrained Shortest Path First (CSPF) trace messages have been updated to provide
more detailed information about CSPF path computation and rejection. You configure
the CSPF traceoptions by including the cspf flag at the [edit protocols mpls traceoptions
flag] hierarchy level. The following list shows some of the enhanced CSPF trace
Aug 3 13:26:06.844628 New avail bw 0.91% 100.00% 100.00% 100.00% without

rounding
Aug 3 13:26:06.844676 Old avail bw 0.91% 100.00% 100.00% 100.00% without

rounding
Aug 3 13:26:06.844697 CSPF reoptimize: Avail bw gain on new path 0 (without

rounding 0.00%)
Aug 3 13:26:06.844714 CSPF reoptimize: new path is safe but no benefit
Aug 3 13:26:06.844731 CSPF reoptimize: result rejected, new path no benefit
Aug 3 13:26:06.844765 mpls lsp blue-to-green primary CSPF: computation result

ignored, new path no benefit
[MPLS]
Platform and Infrastructure
Enhancement to show interfaces commandThe show interfaces command includes

a new field, INET6 Address flags, that displays a flag for any IPv6 address that is in a
state other than permanent or ready-to-use.
Routing Protocols
New community-count routing policy match condition for BGP routesYou can now
configure the number of BGP community entries required for an incoming route to
match. This allows you to accept BGP routes based on a specific number of or range
of BGP community entries. To configure the number of community entries, specify the
47
from statement and include the community-count value (equal | orhigher | orlower)
match condition statement at the following hierarchy levels:
[edit policy-options policy-statement policy-name term term-name]
[edit logical-systems logical-system-name policy-options policy-statement policy-name

term term-name]
If you configure multiple community-count match condition statements, the matching

is effectively a logical AND operation. The following example accepts BGP routes with
two, three, or four communities. If a route contains three communities, it is considered
a match and is accepted. If a route contains one community, it is not considered a
match and is rejected.
[edit]
policy-options {
policy-statement import-bgp {
term community {
from {
community-count 2 orhigher;
community-count 4 orlower;
}
then {
accept;
}
}
}
}
[Routing Policy]
Enhancement to the PIM system log messagesThe RPD_PIM_NBRDOWN and the

RPD_PIM_NBRUP system log messages have been updated to include the name of
the routing instance. This enhancement is also applicable to Junos OS Release 10.0R4,
10.1R4, 10.2R2, and 10.3R1. The following sample shows the enhanced PIM system log
Jun 15 21:54:43.831533 RPD_PIM_NBRDOWN: Instance PIM.master: PIM neighbor 11.1.1.2
(so-0/1/3.0) removed due to: the interface is purged
Jun 15 21:53:28.941198 RPD_PIM_NBRUP: Instance PIM.master: PIM new neighbor 11.1.1.2
interface so-0/1/3.0
[System Log Messages Reference]
48
New configuration to avoid IDP traffic loss (M120, M320, MX240, MX480, and
MX960 routers)When the Multiservices PIC or DPC configured for a service set is
either administratively taken offline or undergoes a failure, all the traffic entering the
configured interface with an IDP service set would be dropped without notification. To
avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit
services service-set service-set-name service-set-options] hierarchy level and (for TCP
traffic only) the ignore-errors tcp statement at the [edit interfaces interface-name
services-options] hierarchy level. When you configure these statements, the affected
packets are forwarded, in the event of a Multiservices PIC or DPC failure or offlining,
as though interface-style services were not configured. This issue applies only to M120,
M320, and MX Series routers.
Enhancements to the show services pgcp statistics extensive commandTwo new

fields have been added to the output of the show services pgcp statistics extensive
command: the number of Add commands received that have emergency status, and
the number of inactivity notifications (it/ito) on the root termination.
The following is a sample of the section of the output showing Add commands with
emergency status:
Received Commands
Total
Wildcard
Success
Error
Add
0
Add (emergency) 0
0
0
0
0
0
0
AuditValue
Modify
ServiceChange
Subtract
0
0
0
0
1
1
0
0
0
0
0
0
1
1
0
0
The following is a sample of the section of the output showing inactivity notifications
on the root termination:
ROOT Notify
ocp/mg_overloaded
it/ito
Total
Wildcard
Success
Error
0
1404
0
0
0
1404
0
0
[Border Gateway Function (BGF), System Basics and Services Command Reference]
Support for softwire rulesThe match direction output command is now supported for
softwire rules.
Summary option for the show services nat mapping commandYou can now display
summary statistics for Network Address Translation (NAT) mapping by using the show
services nat mapping summary command. The following example shows the new
output.
49
Total number of address mappings:

Total number of endpoint independent port mappings:
Total number of endpoint independent filters:
500000
500000
0
[System Basics and Services Command Reference]
Command to manage the behavior for reserved ports allocation and port parityPort
allocation in a NAT pool can now be controlled with the preserve-parity and
preserve-range commands. Preserve-parity allocates even ports for packets with even
destination ports, and odd ports for packets with odd destination ports. Preserve-range
allocates ports within a range of 0 through 1023 assuming the original packet contains
a destination port in the reserved range. This behavior is applicable to control sessions
and not to data sessions.
Increase in address-only source dynamic pool addressesThe number of address

ranges in a NAT pool has increased to 32. The total number of addresses in an
address-only source dynamic NAT has increased to 16,777,216.
Border Gateway Function (BGF) apply implicit latching on TCP gates when the gate
is created.By default, latching of gates is done by explicit latch requests. You can
configure implicit latching of gates by entering the set implicit-tcp-latch and set
implicit-tcp-source-filter configuration statements at the [edit services pgcp gateway
gateway-name h248-options] hierarchy level.
The new configuration statements result in the following actions:
implicit-tcp-latchIf explicit latching has been applied (using using ipnapt/latch)
on either gate of a gate pair, implicit latching is not applied. If explicit latching has
not been applied on either gate:
Latching is applied to both gates of the gate pair.
When either of the gates latches, latching is automatically disabled on the other
gate.
implicit-tcp-source-filterApplies source address (but not source port) filtering on
incoming packets, using the current remote destination address under the following
conditions:
Explicit source filtering has not been applied by use of gm/saf.
Explicit latching has not been applied by use of ipnapt/latch.
[Border Gateway Function (BGF), Services Interfaces]
50
Modification to the interface-description-format statementThe

interface-description-format statement has been modified for Junos OS Release 10.4.
As in previous releases, the router includes both the adapter and subinterface as part
of the interface description by default. You can now optionally exclude either or both
the adapter and subinterface from the description.
[Subscriber Access]
Modification to the show pppoe interfaces command (M120, M320, MX Series, and
J Series routers)In Junos OS Release 9.5 and later, the extensive option for the show
pppoe interfaces command is supported only for J Series routers, which can be
configured as Point-to-Point Protocol over Ethernet (PPPoE) clients. The show pppoe
interfaces command no longer supports the extensive option for M120, M320, and MX
Series routers in Junos OS Release 9.5 and later. When an M120, M320, or MX Series
router is configured as an access concentrator server, the statistics for the PPPoE
server interfaces do not increment. As a result, when you issue the show pppoe interfaces
extensive command on an M120, M320, or MX Series router, the statistics are always
displayed as zeros.
Enhancement to the clear pppoe statistics command (M120, M320, MX Series, J Series
routers)The clear pppoe statistics command includes a new option,
underlying-interface-name, for M120, M320, and MX Series routers in Junos OS Release
9.5 and later. The option enables you to reset the statistics of the underlying PPPoE
interface for static and dynamic PPPoE interfaces. In Junos OS Release 9.5 and later,
the interface interface-name option for the clear pppoe statistics command is supported
only for J Series routers. The clear pppoe statistics command no longer supports the
interface interface-name option for the M120, M320 and MX Series routers in Junos OS
Release 9.5 and later.
Support for DSL Forum VSAs (MX Series routers)Digital Subscriber Line (DSL)
attributes are RADIUS VSAs that are defined by the DSL Forum. The attributes transport
DSL information that is not supported by standard RADIUS attributes and which convey
information about the associated DSL subscriber and data rate. The attributes are
defined in RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes. Junos OS uses the
vendor ID 3561, which is assigned by the Internet Assigned Numbers Authority (IANA),
for the DSL Forum VSAs.
Subscriber management supports DSL Forum VSAs in pass-through mode. In
pass-through mode, the router does not process DSL values, but rather passes the
values received from the subscriber to the RADIUS server, without performing any
parsing or manipulation.
[Subscriber Access]
Required pppoe-options subhierarchy for configuring static and dynamic PPPoE

interfaces (M120, M320, MX Series routers)When you configure a static or dynamic
pp0 (PPPoE) logical interface, you must include the pppoe-options subhierarchy in the
51
configuration. Failure to include the pppoe-options subhierarchy causes the commit

operation to fail.
This requirement is in effect for configuration of static PPPoE logical interfaces as of
Junos OS Release 10.2 and later, and has always been in effect for configuration of
dynamic PPPoE subscriber interfaces in a PPPoE dynamic profile. For example, the
following configuration now causes the commit operation to fail for both static and
dynamic PPPoE logical interfaces:
pp0 {
unit 0 {
}
To configure a static PPPoE logical interface in Junos OS Release 10.2 and

higher-numbered releases, you must include the pppoe-options subhierarchy at the
[edit interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit
logical-systems logical-system-name interfaces pp0 unit logical-unit-number] hierarchy
level. At a minimum, the pppoe-options subhierarchy must include the name of the
PPPoE underlying interface and the server statement, which configures the router to
act as a PPPoE server. For example:
[edit interfaces]
...
pp0 {
unit 0 {
pppoe-options {
underlying-interface ge-1/0/0.0;
server;
}
...
}
}
To configure a dynamic PPPoE subscriber interface in a PPPoE dynamic profile, you

must include the pppoe-options subhierarchy at the [edit dynamic-profiles profile-name
interfaces pp0 unit $junos-interface-unit] hierarchy level. At a minimum, the
pppoe-options subhierarchy must include the name of the underlying Ethernet interface,
represented by the $junos-underlying-interface predefined dynamic variable, and the
server statement. For example:
[edit]
dynamic-profiles {
pppoe-profile {
interfaces {
pp0 {
unit "$junos-interface-unit" {
pppoe-options {
underlying-interface "$junos-underlying-interface";
server;
}
...
}
}
}
}
52
[Network Interfaces, Subscriber Access]
Subscriber access statisticsRADIUS reports subscriber statistics as an aggregate

of both IPv4 statistics and IPv6 statistics.
For an IPv4-only configuration, the standard RADIUS attributes report the IPv4
statistics and the IPv6 VSA results are all reported as 0.
For an IPv6-only configuration, the standard RADIUS attributes and the IPv6 VSA
statistics are identical, both reporting the IPv6 statistics.
When both IPv4 and IPv6 are configured, the standard RADIUS attributes report the
combined IPv4 and IPv6 statistics. The IPv6 VSAs report IPv6 statistics.
[Subscriber Access]
Change to operation of RADIUS attribute Framed-IPv6-Prefix [97] (M120, M320,

MX Series routers)The operation of the standard RADIUS attribute
Framed-IPv6-Prefix [97] has been modified in Junos OS Release 10.4 and later. In
these releases, the Framed-IPv6-Prefix attribute communicates the router
advertisement prefix from RADIUS to the network access server (NAS). In Junos OS
Release 10.3 and earlier, the Framed-IPv6-Prefix attribute communicated the DHCPv6
delegated prefix from RADIUS to the NAS.
[Subscriber Access]
User Interface and Configuration
Change in the commit | display detail optionIf the number of commit messages
exceeds a page when the commit command is used with the | display detail pipe option,
the more pagination option on the screen is no longer available. Instead, the messages
roll up on the screen by default, just like using the commit command with the | no more
pipe option.
[CLI User Guide]
New configuration statement to configure retry attempts for checking the keepalive
status of a Point-to-Point (PPP) protocol sessionJunos OS introduces the
keepalive-retries number-of-retries statement at the [edit access profile profile-name
client client-name ppp] hierarchy level. Include this statement in the configuration to
reduce the detection time for PPP client session timeouts or failures if you have
configured the keepalive timeout interval (using the keepalive statement).
[System Basics]
New configuration statement to enable the processing of IPv4-mapped IPv6

addressesJunos OS introduces the allow-v4mapped-packets configuration statement
at the [edit system] hierarchy level. By default, the Junos OS disables the processing
of IPv4-mapped IPv6 packets to protect against malicious packets from entering the
network. To enable the processing of such IPv4-mapped IPv6 packets, include the
allow-v4mapped-packets statement in the CLI configuration.
[System Basics]
53
New option introduced for the show | display inheritance operational mode
commandJunos OS now provides the no-comments option for the show | display
inheritance command. This option enables you to view CLI configuration details without
inline comments marked with ##.
[CLI User Guide]
Enhancement to the show chassis sibs commandThe show chassis sibs command
now displays an appropriate reason when a SIB transitions to the Offline state. For
instance, if ths SIB is taken offline using the request chassis sib command, the output
of the show chassis sibs command displays --- Offlined by cli command --- in the output.
New option for the ping mpls l2vpn and ping mpls l2circuit commandsThe ping mpls
l2vpn and ping mpls l2circuit commands provide a new option reply-mode that enables
you to specify the reply mode for the ping request. The reply-mode option provides the
application-level-control-channel, ip-udp, and no-reply options.
Enhancement to the output of the show chassis hardware detail commandThe show
chassis hardware detail command now displays DIMM information for the following
Routing Engines:
Table 2: Routing Engines Displaying DIMM Information

Routing Engines
Routers
RE-S-1800x2 and RE-S-1800x4
MX240, MX480, and MX960 routers
RE-A-1800x2
M120 and M320 routers
Enhancement to the show chassis fpc commandThe show chassis fpc command
now displays accurate temperature readings for the FPC.
VPNs
SCU support for VRF routing instances with vrf-table-label configuredYou can
now configure source class usage (SCU) to count packets on Layer 3 VPNs configured
with the vrf-table-label statement. Include the source-class-usage statement at the
[edit routing-instances routing-instance-name vrf-table-label] hierarchy level. The
source-class-usage statement at this hierarchy level is supported only for the virtual
routing and forward (VRF) instance type. Previously, you could not enable SCU when
the vrf-table-label statement was configured. Destination class usage (DCU) is not
supported when the vrf-table-label is configured.
[VPNs, Network Interfaces]
Related
Documentation
on page 6
54
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
The current software release is Release 10.4R2. For information about obtaining the
software packages, see Upgrade and Downgrade Instructions for Junos OS Release 10.4
for M Series, MX Series, and T Series Routers on page 83.
Current Software Release on page 55
Previous Releases on page 67
Current Software Release

Outstanding Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Class of Service
When a valid rate limit is configured on an interface from a DPCE-R-Q-20GE-2XGE

card, the router might log a message incorrectly that the configuration is not supported.
The rate-limit functionality is, however, correctly implemented in the hardware.
[PR/574764]
A high CPU utilization by the DFWD process might occur if the interface lo0 is configured
as part of the interface group 0. [PR/497242]
When a VPN routing and forwarding table (VRF table) is configured in a logical system,
and there is no loopback filter configured in the VRF table while it is configured on the
logical system and the default router, the packets destined for VRF table reach the
filter configured in the logical system. However, they are expected to reach the filter
configured in the default route table. [PR/575060]
On M Series, T Series, and J Series routers, when the installation of a filter that contains
a logical interface policer or a physical interface policer fails (for example, due to
insufficient jtree memory), the FPC might crash. [PR/579271]
High Availability
The SSH keys are not in sync between the master and backup Routing Engine when
SSH is enabled after a graceful Routing Engine switchover (GRES). [PR/455062]
When the Rx power level is a negative value, the SFP diagnostics output displays an
invalid receiver power level reading. [PR/235771]
Upon a link up event, old packets from the previous link down are still dequeued. This
leads to huge latency reports. [PR/515842]
55
Discrepancies exist in MAC and filter statistics between Trio MPC and Enhanced DPCs.
[PR/517926]
The multipoint-destination configuration statement is not supported on IQE PICs. While

the configuration of this statement is accepted without problems initially, subsequent
reconfiguration of the interface might cause the FPC and Packet Forwarding Engine
to reboot. [PR/529423]
When a configuration contains a large number of logical interfaces, and graceful Routing
Engine switchover is not configured, the restart chassis-control command might result
in some of the FPCs staying offline. As a workaround, enable graceful Routing Engine
switchover (set chassis redundancy graceful-switchover). [PR/532030]
When the show interfaces command is used, no service set attachment information
is displayed. This information is visible under the interfaces hierarchy (configuration).
[PR/541574]
On a 20-port Gigabit Ethernet Enhanced Queuing IP Services DPC and a 2-port

10-Gigabit Ethernet Enhanced DPC, the link status of the interface goes down when
the TX router towards the peer is removed. [PR/542668]
On MX Series routers, the following syslog error messages appear when a configuration
change is made and committed:
UI_DBASE_LOGIN_EVENT: User 'regress' entering configuration mode
UI_COMMIT: User 'regress' requested 'commit synchronize' operation
(comment: none)
Shared memory release
vccpd_platform_get_serial_num: read s/n JN10C843EAFA success, task_state
5123
vcdb_extract_db_from_file reading file /config/vchassis/vc.tlv.db
vcdb_extract_db_from_file Error opening file. errno = 2
vcdb_extract_db_from_file reading file /config/vchassis/vc.db
vcdb_extract_db_from_file: DB Files couldn't be read.
vccpd_platform_get_serial_num: read s/n JN10C843EAFA success, task_state
7171
Shared memory release
sysctl_nd6_mmaxtries: 3, max solicit testing setting of
paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of
paramsysctl_nd6_prune: 1, retrans timer testing setting of
paramsysctl_nd6_prune: 1, retrans timer testing setting of param
[PR/548853]
After an MX80 router is upgraded to Junos OS Release 10.3, the "Front Panel Alarm
Indicators" LEDs do not show any status in the output of the show chassis craft-interface
command, even when there is chassis alarm set on the router. [PR/558046]
Under certain conditions, both the primary and the secondary sections of the interface
might get disabled. To recover from this condition, deactivate and activate the interface
configuration. [PR/559656]
56
On MPC-3D-x Gigabit Ethernet FPCs, the following IDMEM parity error messages
appear:
MX960-LAB fpc3 LU 2 RD_NACK 2 AP[0x04] TOE Write 0x002913a0
MX960-LAB fpc3 LU 2 IDMEM Parity error in Bank 3, Count 10, IDMEM Bank 3
Offset 0x00014899 IDMEM[0x00052274]
These messages repeat as long as the software encounters the error. These error
messages occur within uninitialized memory locations. [PR/569887]
Incorrect K2 bytes might be transmitted if the mode bits are not set correctly by the
apsd process. [PR/569903]
When the maximum transmission unit (MTU) is set on an AE interface, the AE logical
interfaces inherit an MTU value that is equal to the Ethernets MTU value excluding
the Ethernet header. When a VLAN demultiplexing (demux) logical interface is created
with an underlying AE interface, the VLAN demux logical interface inherits an MTU
value equal to the full Ethernet MTU. This is because the MTU on demux interfaces is
not set correctly. As a workaround, set the proper MTU value when the family is
configured on these interfaces. [PR/579957]
The release message is not sent to the DHCP server even though the
send-release-on-delete flag is set under the DHCP relay configuration. As a workaround,
to deactivate or deconfigure an interface, clear all the bindings on the interface before
you deactivate or delete the interface. To deactivate or deconfigure the relay, clear all
the bindings before you deactivate or delete the relay. [PR/498920]
MPLS Applications
On M Series and T Series routers, the MPLS label-switched path (LSP) log messages
are not logged for nonstandby secondary MPLS LSPs. [PR/560069]
The routing protocol process crashes when an MVPN routing instance is activated and
deactivated. [PR/571131]
Network Management
The value of IfHighSpeed for the current bandwidth of an interface is in units of

1,000,000 bits per seconds. According to RFC 2683, the ifHighSpeed must be rounded
to the nearest whole value on both the physical interfaces and logical interfaces.
[PR/507004]
The SFC management interface em0 is often displayed as fxp0 in several warning
messages. [PR/454074]
On restarting with a large-scale configuration (16,000 logical interfaces per MPC), the
MPC-3D-16XGE-SFPP card may take up to 15 minutes to come up. [PR/478548]
The dynamic auto-sensed VPLS interfaces fail after modifications are made to the
routing instance. Before making configuration changes to any routing instance, clear
any active logical interfaces that are part of the routing instance using the clear
auto-configuration interfaces operational command. Modifying a routing instance
57
configuration when the configuration is actively being used by subscribers can result
in an unpredictable behavior. [PR/512902]
An NTP server might not reply to clients with a source address that is explicitly
configured. [PR/540430]
The IPv6 BGP neighbors might not come back to the up state when an FPC associated
with that session is manually taken offline, removed, and re-inserted. [PR/552376]
No ICMP host redirect messages are generated when there are multiple VLANs
configured on an interface (multiple logical interfaces on a single physical interface).
[PR/559317]
When the same local link address is configured on two interfaces, the message "/kernel:
ip6_getpmtu: Invalid Stored MTU" is displayed continuously. [PR/560079]
When IPv6 packets have a size greater than 1232 bytes, the packets get fragmented.
[PR/571596]
After a few graceful Routing Engine switchover, the firewall filter applied on the
loopback interface might affect the internal control packets from the PICs to the
Routing Engine. The PICs might fail to come back online if the packets are blocked.
[PR/578049]
Routing Protocols
When aggregate interfaces are used for VPN applications, load balancing may not
occur with a Layer 2 circuit configuration. [PR/471935]
Under certain circumstances, the BGP path selection does not follow the local
preference. This might lead to incorrect BGP path selections. [PR/513233]
When an interface is added to a routing instance with rpf-check enabled, the routing
protocol process might crash if a route-distinguisher is also changed at the same time.
[PR/539321]
In Junos OS Release 10.0 and later, a direct route to a VRF with a rib-group is not
advertised as an inet-vpn route to the IBGP neighbor due to the error "BGP label
allocation failure: Need a nexthop address on LAN." [PR/552377]
In some cases, MX Series routers might not send the Link Layer Discovery Protocol
(LLDP) notification trap when the LLDP is disabled on the remote neighbor.
[PR/560855]
When a routing protocol process is restarted after a crash or a mastership switch, the
kernel and the reference counters for the routing protocol process flood branch next
hop might not be in sync anymore. The exposure is high in NGEN-MVPN with many
local receivers and constant churn of joins and prunes of multicast groups. The routing
protocol process might assert and restart while deleting a flooded next hop. As a
workaround, restart the system, or deactivate all MVPN instances to get the kernel
and the routing protocol process to be in sync upon a routing protocol process restart.
[PR/561127]
The 3D Packet Forwarding Engines might experience a rare transient error that
temporarily corrupts one of the lookup engines, resulting in packet loss. A set of
messages similar to the following is displayed:
58
fpc0 LU 0 PPE_7 Errors ucode data error 0x00000184

fpc0 PPE Thread Timeout Trap: Count 3, PC 20, 0x0020:
entry_index_nh
0x0020:
entry_index_nh PPE PPE HW Fault Trap:
Count 10831395, PC 2c, 0x002c: entry_policer_nh
Restart the Packet Forwarding Engine to clear this error state. [PR/564998]
The configuration of DSCP ReWrite rules on a 10-port 10-Gigabit Ethernet LAN/WAN

PIC with SFP+ might overwrite the DSCP value coming from the Routing Engine for a
host-generated traffic. [PR/575259]
When a core-facing DPC is restarted, the message "mcsn: cannot perform nh operation
ADDANDGET nhop (null) type indirect index 0 errno 22" appears. A trigger also moves
the interfaces from bridge domains to VPLS instances. To clear this issue, restart
multicast snooping. [PR/576058]
When local AS and auto-export are configured in a hub-spoke environment, hidden

routes might exist. [PR/578833]
The output of the show services ids destination-table command might not display any
flow and related statistics in the IDS anomaly table for a certain period of time after
the flows are activated. [PR/490584]
The data channel applications for protocols such as FTP, TFTP, RTSP, and SIP are not
in the same application group as their control channel applications. For example,
control channel application junos:ftp is in the group junos:file-server, but the
corresponding data application junos:system:ftp-data is not in any group. [PR/507865]
On M Series and MX Series routers, after a hot-standby RMS, all existing flows are
dropped and it takes some time for new flows to appear with the state. This is due to
the limitation of the RMS. All existing traffic is dropped, and RPC is most impacted as
it has a long retry timer and takes a long time to recover. [PR/535597]
When unit 0 of the Multiservices PIC interface is not specified, the monitor interface
traffic command does not display the input packets number properly for that particular
ms-I/F interface. [PR/544318]
When an Snmpwalk operation is performed on the jnxSpSvcSetSvcType object or any

of its subobjects, the SPD_DB_SVC_SET_ADD_FAILURE log message appears.
[PR/546808]
FTP sessions that last long periods (several minutes or hours) are suddenly
disconnected when traffic is still flowing on the data channel. [PR/579475]
In the J-Web interface , the Generate Report option under Monitor Event and Alarms
opens the report in the same web page. [PR/433883]
Selecting the monitor port for any port in the Chassis Viewer page displays the common
Port Monitoring page instead of the corresponding Monitoring page of the selected
port. [PR/446890]
59
On MX Series routers, J-Web does not display the USB-related information under
Monitor>SystemView>System Information>Storage. [PR/465147]
When a new-line character (\n) is used within the op script argument descriptions, the
help output might display incorrectly, and could result in extra output being displayed
when the op script executes. [PR/485253]
In the J-Web interface, the options Access Concentrator, Idle Timeout, and Service Name
for PPPoE logical interfaces are not supported on MX Series routers. [PR/493451]
The J-Web interface does not display the drop-profile-map, excess-priority, excess-rate,
and rate-limit (transmit rate) parameters which are supported for the schedulers
configuration. Use these parameters using the CLI. [PR/495947]
Warning messages related to pending commits are not triggered when the following
operations are performed:
Software->Upload
Software->Install Package
Maintain->Reboot
As a workaround, commit all pending commits before performing the operations listed
above. [PR/514853]
The annotate option does not appear when it is used with the edit private command
for class of service. [PR/535574]
When a HTTPS connection is used for the J-Web interface in the Internet Explorer to
save a report from the View Events page (Monitor->Events and Alarms->View events),
the following error message is displayed Internet Explorer was not able to open the
Internet site.
This issue also appears in the following places on the J-Web interface:
maintain->config management->history
maintain->customer support->support information->Generate Reports
Troubleshoot port->Generate Reports
maintain->files
Monitor->Routing->Route Information->Generate Reports
[PR/542887]
The J-Web pages loads inconsistently when Add IPv4 or IPv6 filters are used in the
Internet Explorer and Firefox Web browsers. [PR/543607]
After the "delete:" action is performed, the "replace" actions do not take effect in the
"load replace terminal" operation. [PR/556971]
The javascript error, "Object Expected" occurs when J-Web pages are navigated before
the page loads completely. [PR/567756]
60
A commit script that activates an apply group might fail to pass the commit check
logic. [PR/576384]
The show system rollback command does not work in the configuration mode, while
the command works from the operational mode. [PR/580645]
Resolved Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Class of Service
On T Series routers, when the class of service scheduling or queueing parameters on

an interface with a high traffic utilization (close to the line rate or oversubscribed) is
changed, the FPC which hosts the interface might restart. This issue is specific to
non-ES type FPCs. [PR/565307: This issue has been resolved.]
When a firewall filter containing the packet loss priority (PLP) rewrite references a
policer that also contains the PLP rewrite, a two time PLP rewrite occurs with the PLP
bits of the packets matching the filter condition set on the PLP set action in the policer,
and later the PLP set action is set on the firewall filter. [PR/566896: This issue has
been resolved.]
When a Routing Engine sampling is configured, and each flow server corresponds to
a different autonomous system type, the packet size of the exported cflowd v5/8/500
packets might increase. [PR/530008: This issue has been resolved.]
On a sampled traffic on a multi services PIC, the multicast convergence slows down
with the message "RPD_KRT_Q_RETRIES: Indirect Next Hop Update: No buffer space
available." [PR/554363: This issue has been resolved.]
Making any circuit cross-connect (CCC) filter changes might render the Packet
Forwarding Engine busy which might cause a slow statistics response. [PR/554722:
This issue has been resolved.]
When a loopback filter is configured, packets sent by the ASIC to the Packet Forwarding
Engines CPU for generation of TTL expiry notification are dropped. [PR/555028: This
issue has been resolved.]
The mib2d process might crash when a race condition exists between the mib2d
process and the dfwd process. [PR/563419: This issue has been resolved.]
When a firewall filter with multiple terms references the same three color policer and
has the same count variable configured, any IP packets that match the second or later
terms might get corrupted. Use different count variables in each term to prevent this
issue. [PR/567546: This issue has been resolved.]
The Radius Accounting Interim message might not be sent immediately after a Change
of Authorization (CoA), even if the CoA is successfully processed and the
coa-immediate-update option is present in the configuration. [PR/570058: This issue
has been resolved.]
61
High Availability
When a container interface (used in AE interfaces) is freed in the memory, the child
nexthop (member link) on the master Routing Engine is also freed. However, in some
cases, the child nexthop on the backup Routing Engine is not freed resulting in a crash.
[PR/562295: This issue has been resolved.]
On TX Matrix Plus routers, the message "fru_is_present: out of range slot 1 for CIP" is
continuously sent on all the LCCs. [PR/48311: This issue has been resolved.]
During initialization, some garbage data can flow into the unused SONET interface.
This data is small in size and does not contain any SOP or EOP information. This data
consumes some D4P buffer memory. The D4P buffer does not remove this data until
more data comes into the buffer. Periodic health check reports the following status:
D4P-10/1: FROML tx48 stream 1 data path stuck. To resolve this issue, purge the D4P
buffer. [PR/424326: This issue has been resolved.]
The queue counter of the aggregated Ethernet is counted up after the statistics are
cleared and the FPC is restarted. [PR/528027: This issue has been resolved.]
On an MX Series router with a mixed MPC and DPC environment, the first and
subsequent cell drops occur at the DPC. [PR/540283: This issue has been resolved.]
When a large OID registration traffic exists from the subagent to the master agent, the
registration packets encounter random errors during transmission. This affects the
registration process. [PR/555345: This issue has been resolved.]
When a member link is added to an existing aggregated interface, a multicast

distribution tree (MDT) mismatch might occur among the FPCs. This issue occurs only
when graceful Routing Engine switchover (GRES) is enabled. [PR/558745: This issue
has been resolved.]
A Layer 2 instability and rapid VRRP mastership change might cause

MPC-3D-16XGE-SFPP to restart. [PR/560716: This issue has been resolved.]
When a MAC address list is moved, the resulting flush process might be interrupted
when the list is processed. [PR/560730: This issue has been resolved.]
If the cable of a TX router is removed from the interface on an MIC-3D-20GE-SFP, the

state of the interface remains in the "up up" state. [PR/561254: This issue has been
resolved.]
When multiple physical interfaces exist in a 4x Channelized DS3 IQ PIC PIC, errors
might occur when each controller physical interface is deleted while the PIC is taken
offline. [PR/561841: This issue has been resolved.]
In some cases, when a DPC or MPC is restarted, a wrong physical interface index is
assigned to the interface which might cause the MPC to crash. [PR/563056: This issue
has been resolved.]
When a change in the bridge domain membership occurs, and the bridge domain has
an IRB interface and a vt-x/y/z interface, the Packet Forwarding Engine that does not
have any local interfaces on that bridge domain might restart. [PR/566878: This issue
has been resolved.]
62
When the chassisd process receives a temporary error code (such as Device Busy, Try
Again, No Buffer Space, or No Memory), while trying to add both the PIC and physical
interfaces present in the PIC to the kernel, the chassisd process may not retry adding
the physical interface back to the kernel until it succeeds. The device or physical
interface will not recover. It is recommended to restart the router or the FPC when this
issue is encountered. [PR/570206: This issue has been resolved.]
On TX Matrix Plus routers, the set craft-lockout command might cause an FPM interrupt
flooding. [PR/571270: This issue has been resolved.]
On any Junos OS device that supports Ethernet OAM, the cfmd process might crash
when a malformed delay measurement message (DMM) is received. [PR/571673: This
The PIM neighborship does not appear over the IRB interface after the dense port
concentrator (DPC) is restarted. [PR/559101: This issue has been resolved.]
MPLS Applications
Under certain circumstances, the routing protocol process might crash when
configuration changes are made to label-switched paths at the [edit protocol mpls]
hierarchy level. [PR/550699: This issue has been resolved.]
When the no-decrement-ttl statement is included at the [edit protocols mpls] or the
[edit protocols mpls label-switched-path path-name] hierarchy level, the VPN Label
TTL action field in the output of the show route extensive command displays
vrf-propagate-ttl as the action. This is a display issue only and has no operational
impact on the forwarding behavior. This is relevant to Layer 3 VPN scenarios where
BGP routes resolve over RSVP LSPs and the no-propagate-ttl statement is not
configured at the [edit protocols mpls] hierarchy level. [PR/563505: This issue has
been resolved.]
A point-to-multipoint LSP with bandwidth requirement might fail to retrace the original
path after a graceful restart, and might not come up until the end of the recovery period.
Network Management
SNMP might stop working after a router, a DPC, an FPC, or an MPC is restarted, or after
a graceful Routing Engine switchover. [PR/525002: This issue has been resolved.]
Under certain circumstances, the message NH: Failed to find nh (xxxx) for deletion
appears for the child links of an aggregate interface. However, this message should
appear only when the child next hop is not found. This message is only cosmetic.
In a Layer 2 circuit setup with a link services intelligent queuing interface (LSQ) in the
core, and the control-word option is enabled, a ping between two CE interfaces fails.
As a workaround, use the no-control-word option. [PR/551207: This issue has been
resolved.]
63
A DPC or an MPC may reset when Aggregate Ethernet (AE) interfaces are provisioned
with IRB. In some case, a DPC may also reset when a member link of an AE interface
flaps. [PR/559887: This issue has been resolved.]
With the IRB and AE interfaces in a bridge-domain, the old nexthop data is not cleared
from the Packet Forwarding Engines when they are updated. This causes the Packet
Forwarding Engine to crash when that nexthop is later referenced. [PR/560813: This
On an MX960 router, when an MPC is installed and OSPF and IS-IS is activated
simultaneously, the "jtree memory free using incorrect value 8 correct 0" message is
displayed for all DPCs. [PR/562719: This issue has been resolved.]
On standalone routers with GRES enabled (using the set chassis redundancy
graceful-switchover command), or on multichassis platforms (TX and TXP routers),
FPCs can crash creating a core file when interfaces are moved from one aggregate
bundle to another aggregate bundle in a single configuration commit operation. As a
workaround, split the operation into two commits. Remove the interface from one
bundle and perform a commit, and later add it to another bundle and perform another
commit. [PR/563473: This issue has been resolved.]
The MPC might crash when multicast traffic is forwarded and interfaces are deactivated.
In Junos OS Release 10.2 and later, the Packet Forwarding Engine process tracing is
enabled by default. This results in the MIB2D process not being able to communicate
with the Packet Forwarding Engine process. [PR/566681: This issue has been resolved.]
On MX Series routers running Junos OS Release 10.2 and later, when a new link from
a newly inserted FPC is configured to an existing aggregate configuration, the newly
added link information might not appear in the Link:, LACP info:, LACP Statistics:, and
Marker Statistics: fields in the output of the show interface aex extensive command.
Deactivate and then activate the aggregate interface to resolve this issue. [PR/571245:
Routing Protocols
In rare situations, the routing protocol process might restart due to a software validation
failure. [PR/476143: This issue has been resolved.]
With a large number of peers in a single BGP group, continuous large route churn may
trigger scheduler slips in the routing protocol process. [PR/544573: This issue has been
resolved.]
In instances with scaled LACP configurations, the periodic packet management process
(ppmd) might experience memory leaks. [PR/547484: This issue has been resolved.]
When a policy matching an extended community using a 4-byte AS and a wildcard is

configured, the match condition might fail to match the relevant communities. As a
workaround, configure exact matches. [PR/550539: This issue has been resolved.]
A rare race condition might cause the routing protocol process to crash when an
(s,g)/(*,g) entry is removed. [PR/551949: This issue has been resolved.]
64
On an NSR LDP, an LDP database entry mismatch exists between the master and the
backup Routing Engines. The backup Routing Engine does not replicate the LDP socket
with the error "jsr_sdrl_set_data: No space dlen." [PR/552945: This issue has been
resolved.]
When a default route target is sent by a BGP peer, th eBGP does not track the VPN
routes covered by this route target. When the default route target goes away, the BGP
does not withdraw the VPN routes that were previously covered by that default route
target. [PR/556432: This issue has been resolved.]
On a 3D MPC, the load balance might be broken when a BGP multipath is configured.
On M Series, MX Series, and T Series routers, the Virtual Router Redundancy Protocol
(VRRP) process might become unresponsive when processing is delegated to the
Packet Forwarding Engine. As a workaround, remove the delegate-processing option
from the [protocols vrrp] hierarchy level. [PR/559033: This issue has been resolved.]
When the advertise-default option is used with the route-target family, and a new VPN
is added, the necessary route refresh is not sent. [PR/561211: This issue has been
resolved.]
When the Link Layer Discovery Protocol (LLDP) advertisement interval value is changed
from 30 seconds to 60 seconds, and the show lldp detail command is executed, the
output shows 60 seconds. However, the Routing Engine forwards the LLDP packet
every 30 seconds. When the interface is deactivated and activated again, the LLDP
packets are forwarded every 60 seconds correctly. [PR/560857: This issue has been
resolved.]
Under certain circumstances, the routing protocol process crashes while receiving the
IGMP SNMP GetNext request. [PR/561842: This issue has been resolved.]
The multicast snooping process might crash and prevent a commit when the
apply-group statement is used at the bridge-domain <*> hierarchy level. [PR/562776:
The routing protocol process might crash in the following environments:
Auto-export is configured for route leaking between VRFs.
Communities are added in the import policy of the second VPN routing and forwarding
(VRF) table.
Packets might not be correctly evaluated by a filter in an MPC that contains

noncontiguous prefixes. As a workaround, replace the noncontiguous prefixes with
equivalent sets of contiguous prefixes. [PR/564286: This issue has been resolved.]
On M10i and M7i routers, the distributed PPMD process is disabled by default. However,
it should be enabled by default since it is supported by the Enhanced CFEB (CFEB-E).
IS-IS might not use the MPLS label-switched paths (LSPs) if the names of the
label-switched paths are similar in the first 32 characters. [PR/568093: This issue has
been resolved.]
65
If the always-compare-med option is configured when a route change occurs, the routing
protocol process might occasionally crash due to a soft assertion. However, the soft
assertion does not impact the user traffic. [PR/568725: This issue has been resolved.]
During a nonstop active routing (NSR) switchover with a large number of remote Layer
3 VPN prefixes, and a local eBGP session with short hold timers, routing protocol
process scheduler slips might occur, which causes the BGP session to flap. [PR/568756:
Under certain circumstances, processing of links with maximum metric set by IS-IS
shortest path first (SPF) computation algorithm might lead to suboptimal routing
decisions. [PR/569649: This issue has been resolved.]
In scaled environments, the thread in the Multiservices PIC or DPC for cflow might run
too long. This causes the PIC or DPC to crash. [PR/494457: This issue has been
resolved.]
On Multiservices 500 PICs with graceful Routing Engine switchover, wrong record
values are seen for the IPv4 netflow export packets. This error occurs when the route
records does not get installed. [PR/545422: This issue has been resolved.]
The Multiservice 400 PIC crashes due to a memory allocation failure when the PIC
tries to respond to a Routing Engine CLI request. [PR/558237: This issue has been
resolved.]
The Multiservices PIC might crash when traffic is received on a Layer 2 Tunneling
Protocol (L2TP) session (MLPPP bundle), and a teardown request is also received at
the same time. [PR/561039: This issue has been resolved.]
If Bidirectional Forwarding Detection protocol (BFD) protection for BGP sessions is

configured on a BGP session in a nonmaster routing instance, the BFD might start for
that session before the kernel ID of the routing instance is set. This might cause the
BFD session to freeze. As a workaround, if the BFD session has the routing table value
of 4294967295, use the clear bfd session command to start a new session that will
address the issue as long as the routing instance's kernel table is allocated. [PR/563161:
If a class-of-service rule is applied to a service set, the inactive timeout under the
user-configured application does not take effect. As a workaround, match the
application in the class-of-service rule. [PR/571304: This issue has been resolved.]
Under certain circumstances, a nested Junos OS configuration group with a wildcard

match might not have the desired effect. [PR/556379: This issue has been resolved.]
When a "validate" RPC is executed using a NETCONF session, some essential

information about the session is not populated in the configuration database.
VPNs
In MVPN routing-instances with local receivers, a flood next hop is created for each
S,G entry for multicast traffic received from the CE. After the local receivers are joined
66
or pruned, a new flood next hop is created. However, old flood nexthops are not deleted.
This leads to a memory leak within the routing protocol process. When this routing
protocol process reaches a size of 2 GB, it triggers an assertion and a restart.
In local-switched Layer 2 Virtual Circuit scenario, the control and forwarding plane
might not be properly updated by the routing protocol process when one of the logical
interfaces forming an Layer 2 Virtual Circuit is taken down. [PR/572780: This issue has
been resolved.]
Previous Releases
Release 10.3R2
The following issues have been resolved since Junos OS Release 10.3R2. The identifier
following the description is the tracking number in our bug database.
Class of Service
When a VLAN ID is changed, the following message appears in the messages log:
"COSD_GENCFG_WRITE_FAILED: GENCFG write failed for Classifier to IFL 74. Reason:
File exists. This log message appears when the configuration is committed with VPLS
configured on the Gigabit Ethernet interface, and a class-of-service classifier or rewrite
rules that contain IEEE 802.1P on the interface are used. [PR/408552: This issue has
been resolved.]
When a logical interface set has a shaping-rate less than the sum of transmit-rates of
its queues and when the configuration is corrected so that the logical interface set gets
the correct shaping-rate, ADPC might crash. [PR/523507: This issue has been resolved.]
During a graceful Routing Engine switchover, the traffic control profile might not be
applied on the interfaces. As a workaround, deactivate and reactivate class of service.
When per-unit-scheduler is applied under the interfaces hierarchy level, and shaping
rate is applied under the class-of-service interface hierarchy level in the same commit
operation, port shaping rate does not work and the total logical interface transmitted
byte rate exceeds the physical interface shaping rate. As a workaround, configure
shaping-rate within a traffic-control-profile and apply that to an interface, or deactivate
and activate shaping-rate using the class-of-service interface interface-name shaping-rate
command. [PR/539590: This issue has been resolved.]
Under certain conditions, the class of service configuration might not take effect on
an IQ2 PIC. [PR/541814: This issue has been resolved.]
When the rate-limit option is configured on a physical interface on IQ2 PICs, the show
interface queue command might not display the RL-dropped counters. [PR/547218:
The egress rate limit over a logical interface may drop large packets. [PR/547506: This
In Junos OS Release 10.2 and later, the cosd process might crash while a configured
commit is processed, as this process accesses a memory location that has already
been freed. However, this issue is encountered rarely. [PR/548367: This issue has been
resolved.]
67
Port mirroring does not work under the bridge-domain forwarding-option filter.
The policer counter might be missing in the SNMP walk. Reboot the router to solve this
problem. [PR/535715: This issue has been resolved.]
When logical systems are configured, the show bridge-domains command might time
out and return the following error message: error: timeout communicating with
l2-learning daemon. [PR/536604: This issue has been resolved.]
A scheduler is associated with a forwarding class, and when a forwarding class is

mapped to a different queue, the associated scheduler is not applied to the new queue.
In Junos OS Release 10.2, the Routing Engine-based sampling might not work if the
routing table inet.0 has a route for 128.0.0.1. The issue occurs when this route points
to an external interface. [PR/540891: This issue has been resolved.]
A GRE interface might experience an incoming packet loss if a firewall filter is configured
on the forwarding table. [PR/541901: This issue has been resolved.]
High Availability
On M120 routers, the message: "stream blocked detected message" displays when an
FEB is switched from the backup to the primary. [PR/540644: This issue has been
resolved.]
The output of the monitor interface interface-name command is misaligned. [PR/70077:

An OAM trace displays an incorrect next-hop MAC value. [PR/494588: This issue has
been resolved.]
When traffic flows into the MPC on which a bridge-domain configuration is being
changed or the card is booting up, the forwarding software tries to access uninitialized
memory for a short duration. This is a cosmetic issue and does not have any functional
impact. [PR/506344: This issue has been resolved.]
On M7i routers with Junos OS Release 8.5 or later, the output of the show interfaces
fxp0 command shows the fxp0 interface to be in the link up state even when the
interface is disabled with no cables connected. [PR/508261: This issue has been
resolved.]
When the VRRP6 master changes, there is no log output for VRRP IPv6. [PR/514821:
When the PIC is configured with encapsulation atm-ccc-cell-relay psuedowires, and

the PIC throughput exceeds 152 Mbps, data loss occurs and the following error message
is displayed: [Warning] ce_wp_poll_hspi_stats:2006: PF/Winpath SPI interface error,
rx_err_sm 243. This error message is not seen when encapsulation atm-ccc-vc-mux
is used.
68
As a workaround, use the atm-ccc-vc-mux encapsulation (AAL5 ATM PW), or use

atm-ccc-cell-relay and configure a larger cell bundle size. When the cell bundle size
is 5, the PIC passes 190 Mbps without error. [PR/515632: This issue has been resolved.]
When a SIB is taken offline via a CLI command, the output of the show chassis sibs
command does not display the message Offlined by cli command. However, this
message is correctly displayed for the FPCs. [PR/519842: This issue has been resolved.]
The statistics get for LSQ interfaces fails in a scaled LSQ configuration when the show
interfaces queue lsq-w/x/y:z command is executed. [PR/523260: This issue has been
resolved.]
When MLPPP interfaces of an MS-PIC are taken offline, the following syslog message
displays: RT: itable unset idx 372 to proto MLPPP iftable failed (Invalid arguments)
on FE -1. [PR/528649: This issue has been resolved.]
In Junos OS Release 10.0 and later, a significantly large number of the following
messages appear on the MX960 and SRX5800 routers:
MX960 /kernel: PCF8584(WR): transmit failure on byte 1
MX960 /kernel: PCF8584(WR): (i2c_s1=0x80, group=0xe, device=0x54)
MX960 /kernel: PCF8584(WR): busy at start, attempting to clear
MX960 /kernel: PCF8584(WR): (i2c_s1=0x00, group=0xe, device=0x54)
MX960 /kernel: PCF8584(RD): ack failure on 2nd last byte
These messages are not an indication of a fan failure. They are cosmetic and can be
ignored. [PR/531253: This issue has been resolved.]
On Trio MPCs, multiple changes to a single term in quick succession results in an

incorrect filter state in the Packet Forwarding Engine. This causes the MPC to crash.
An XE circuit on the MPC-3D-16XGE-SFPP might cause a high CPU utilization on the

MPC. [PR/535057: This issue has been resolved.]
On MX960 routers, the link status stays in the "Link ok" state when the SCB is removed
without taking it offline using the CLI or switch. [PR/536860: This issue has been
resolved.]
The SCB displays an incorrect state when it is removed without taking it offline using
the CLI or buttons. This is not a cosmetic error and might impact the traffic.
The "frame-relay-ether-type" encapsulation is not programmed to the hardware

properly. Because of this, the incoming packet parsing fails and the packets are
discarded. [PR/539484: This issue has been resolved.]
On MX Series routers with 10.x Power Budget, after a Power Budget: Chassis
experiencing power shortage alarm occurs, the alarm does not clear even after the
power budget problem is cleared. [PR/540522: This issue has been resolved.]
The MX-MPC1-3D-Q accepts VLAN tagged packets even when the interface is not
configured with VLAN tagging. [PR/540620: This issue has been resolved.]
The link-up time on a 16x 10-Gigabit Ethernet MPC is not less than the other platforms
(ADPC and other MPCs) due to the emission dispersion compensation (EDC)
69
functionality of the PHY device on the MPC. This causes a delay of 50 mS to 150 mS
and cannot be changed. [PR/540694: This issue has been resolved.]
The sonet-options raise-rdi-on-rei and trigger options do not work well together. Turning
the raise-rdi-on-rei option on and off again requires the trigger option to flap in order
to assert or clear the RDI-L alarm. As a workaround, when both sonet-options
raise-rdi-on-rei and trigger options are configured, flap the sonet-options trigger as well.
With Junos OS Release 10.2 and later, when a logical interface on an ATM-II IQ PIC is
disabled, the FPC is taken offline and brought back online, and the PIC is reenabled,
the logical interface stays down with atm_maker_check_indq error messages.
When a Gigabit Ethernet or an XE interface on IQ2 PICs is disabled, and the link status
is up, the traffic received from the interface might still be forwarded. [PR/543388: This
When neither the per-unit scheduler nor the hierarchical-scheduler is configured on a

physical interface and the physical interface has the overhead-accounting bytes
configured, it does not take effect. [PR/544608: This issue has been resolved.]
When logical interfaces are created, the NPC crashes and the FPC goes down.
Chassisd crashes when the show chassis clocks command is executed. [PR/545510:
When configuration changes are made that are unrelated to the interfaces, interface
sets, or PICs, a commit failure occurs with the following error message: "error: iflset
xxxx configured for nonexisting ifd ge-x/x/x." [PR/546184: This issue has been resolved.]
On a 10-Gigabit Ethernet PIC, a log is generated when the SFP is plugged in. However,
no log is generated when the SFP is not plugged in. [PR/548251: This issue has been
resolved.]
A CFM ping command fails when the maintenance domain or maintenance association
is longer than 32 characters. [PR/550014: This issue has been resolved.]
If a bridge-domain contains more than one Aggregated Ethernet, and the IRB interfaces
experiences the right sequence of MAC moves, the FPC might restart. [PR/550824:
On a 10-port oversubscribed 10-Gigabit Ethernet PIC for T Series routers

(PD-5-10XGE-SFPP), the reactions configured under the [optics-options] stanza do
not take effect for "low-light" conditions. [PR/550851: This issue has been resolved.]
If the number of VPLS connection exceeds 31, frequent FPC and NPC crashes might
occur. [PR/552099]
The EOA family configurations over a container ATM interface might be deleted and
added again upon every commit (including unrelated commits). [PR/553077: This
70
When a remote PE's address is configured on a local loopback interface, the MVPN
PIM neighborship to that PE in a different VRF might be affected. [PR/558584]
On MX960 routers with PWR-MX960-4100-AC PEMs (high capacity AC PEMs), the

MPCs and DPCs do not power up when the system boots with only HC-AC PEM2,PEM3
being switched on, and PEM0,PEM1 being present but switched off. [PR/562125]
On MX Series routers, when both the top and bottom fan trays are enhanced and a
mastership switch is performed, the alarm "craftd[1337]: Minor alarm set, Mix of
FAN-TRAYS" displays. This only occurs after a switchover or an upgrade. This alarm
is temporary, is cleared within a few seconds, and does not cause any routing or
forwarding issues on the chassis. [PR/541617: This issue has been resolved.]
The AE interface does not show the system identifier for the attached interfaces in
actor role. Because of this, the AE interface gets stuck in the detached state after it is
rebooted from both ends. Additionally, the AE interface flaps when the backup Routing
Engine is rebooted and a graceful Routing Engine switchover (GRES) is performed.
The DHCP relay bindings remain in a release state with a negative lease time.
The L2CPD might have a memory leak when LLDP is enabled. [PR/549531: This issue
has been resolved.]
MPLS Applications
With BFD enabled over IGP and an RSVP session built across it, when the RSVP peer
does not support RSVP Hello (or is disabled), the BFD session down event triggers
only the IGP neighbor to go down. The RSVP session remains up until a session timeout
occurs. [PR/302921: This issue has been resolved.]
The rlist entry corresponding to the previously existing rlist is not removed, which causes
the routing protocol process to crash. [PR/513160: This issue has been resolved.]
When a protected link flaps, certain RSVP routes do not lose association with the
p2mp_nh. [PR/530750: This issue has been resolved.]
Under NGEN-MVPN with vrf-table-label configured on the provider edge, the provider
router connecting to that provider edge might keep an old P2MP MPLS label entry
upon label-switched path optimization or reroute. There is no workaround. [PR/538144:
An LSP with auto-bw might stay down for approximately 30 minutes after a Routing
Engine switchover or a Routing Engine restart when graceful restart fails. As a
workaround, disable and reenable the MPLS or OSPF stanza. [PR/539524: This issue
has been resolved.]
When RSVP path-mtu allow-fragmentation is configured, traffic redirection away from

its intended destination might occur. [PR/544365: This issue has been resolved.]
On a P2MP LSP setup, the routing protocol process of the transit router might core
when the topology changes with respect to the ingress sub-LSP router. There is no
workaround. [PR/549778: This issue has been resolved.]
71
In Junos OS Release 10.2, when the clear mpls lsp autobandwidth command is executed
at the ingress router, the updated Maximum AvgBW Utilization field displays a value
that is much higher than the actual bandwidth. [PR/550289: This issue has been
resolved.]
On MX80 routers, the MPLS LSP statistics do not record the transit traffic on a
single-hop LSP with an implicit NULL label. [PR/551124: This issue has been resolved.]
When a large number of P2MP LSPs exist during periods of high network instability
with many links flapping, and MBB re-routing of a P2MP LSP occurs, an MPLS route
can become stale. This can cause a routing protocol process assertion failure on a
transit router. [PR/555219: This issue has been resolved.]
Network Management
The SNMP process might restart when a core dump is generated. [PR/517230: This
In Junos OS Release 10.2 and later, the size of the MIB2D process might increase as a
result of memory leaks. This causes the MIB2D process to crash as it reaches its
maximum permitted size. [PR/546872: This issue has been resolved.]
In Junos OS Release 9.2 and later, a memory leak occurs in the subagent in a scenario
where the snmpd process is not running, or there are issues in communication with a
subagent and traps are being generated by the subagent. [PR/547003: This issue has
been resolved.]
When the firewall filter policer configuration is changed, the SNMP MIBs might not
update correctly. As a result, the counters are inaccessible. [PR/555719: This issue has
been resolved.]
Redirect drops that are not real errors is taken into account for "Iwo HDRF" error
statistics that is reported in the output of the show pfe statistics errors command on
I-chip based routers. Since redirect drops are expected in a VPLS (and Ethernet in
general) environment, this behavior could be misleading. [PR/430344: This issue has
been resolved.]
After an 8216 Routing Engine upgrade to Junos OS Release 9.6 with "chassis"
deactivated, the backup Routing Engine starts to reboot with the panic message "panic:
filter_idx_alloc: invalid filter index," and crashes when the chassis configuration is
enabled and committed. After the Routing Engine finally comes online, the CLI response
is slow and the Routing Engine reboots again after approximately three minutes. To
stop these reboots, deactivate the chassis on the backup Routing Engine. [PR/489029:
On T Series routers, the FPC might continuously reboot upon installation. [PR/510414:
When the system default-router a.b.c.d command is used, the default route is not
installed in the Packet Forwarding Engine. [PR/523663: This issue has been resolved.]
72
In an MPLS environment, the source NAT or PAT for traffic between two remote VPNs
does not work when the vrf-table-label option is removed from the VRF where the
inside-service interfaces are located. [PR/524294: This issue has been resolved.]
When VPLS is configured on the router, the following log messages will appear when
the interface goes down:
RT-HAL,rt_entry_delete_msg_proc,XXX: route add posthandler failed
RT-HAL,rt_msg_handler,XXX: route process failed
These messages can be ignored. [PR/524548: This issue has been resolved.]
After the MS-PICs homing PE interfaces used for MVPN are taken offline and brought
back online, the following message may be logged: flip-re0 fpc3 SLCHIP(0): %PFE-3:
Channel 8189 (iif=701) on stream 32 already exists. [PR/527813: This issue has been
resolved.]
The Packet Forwarding Engine incorrectly imposes a rate limit function for the
host-bound virtual LAN tagged packets with IEEE 802.1p value of 1. There is no
workaround. [PR/529862: This issue has been resolved.]
A router might send raw IPv6 host-generated packets over the Ethernet towards its
BGP IPv6 peers. [PR/536336: This issue has been resolved.]
BGP authentication does not work with the 64-bit Junos OS BGP route reflector on a
JCS platform. BGP sessions fail to establish, and the following error message is
observed: "... /kernel: tck_auth_ok Packet from XXX.XXX.XXX.XXX:XXXXX wrong MD5
digest." [PR/538076: This issue has been resolved.]
On M10i routers, an upgrade to Junos OS Release 10.2 fails and aborts when the PIC
combinations are verified. As a workaround, first verify the PIC combinations manually
against PSN-2010-06-777, then use the force option to override the warnings and force
the upgrade. [PR/540468: This issue has been resolved.]
In Junos OS Release 10.3, the following messages may be seen in the syslog: /kernel:
sysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries:
3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing
setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of
paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of param /kernel:
sysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans
timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of
paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1,
retrans timer testing setting of param. These messages are cosmetic. [PR/540808:
During SNMP queries in Junos OS Release 10.2 and later, the size of the MIB2D process
might increase as a result of memory leaks in a statistics-associated library routine
(libstats). This causes the MIB2D process to crash as it reaches its maximum permitted
size. [PR/541251: This issue has been resolved.]
During router bootup, the error messages: "can't re-use a leaf (nd6_prune)!" and "can't
re-use a leaf (nd6_mmaxtries)!" display. [PR/543422: This issue has been resolved.]
73
The backup Routing Engine might cause the kernel to crash when a configuration
change occurs on the AE bundle during a next-hop index allocation. [PR/544092: This
On TX Matrix routers with T640-FPC3 FPCs and a large number of routes, when an
AE interface in an ECMP path is taken down, small packet drops might occur in the
traffic on the other ECMP link. This issue does not occur when an indirect next hop is
used. [PR/545166: This issue has been resolved.]
In Junos OS Release 10.0 and later, the FPCs in M320 and T Series routers might crash
when the error PFE: Detected error next-hop (corrupted next-hop) is encountered.
On M120 routers, multicast packet drops occur when both the Fast Ethernet and the
SFP Gigabit Ethernet PICs are located on the same Packet Forwarding Engine.
In Junos OS Release 9.3 and later, when routers using Enhanced FPCs (T640-FPCx-ES
or T1600-FPC4-ES FPCs) have a configuration involving CBF LSPs and aggregate
interfaces, a jtree corruption might occur when a flap from a member link in the
aggregate occurs on the remote end, or the FPC of the remote router is rebooted. To
avoid this issue, use the indirect-next-hop option (routing-options forwarding-table
indirect-next-hop). The error message PFE: Detected error nexthop:" indicates a jtree
corruption. [PR/548436: This issue has been resolved.]
In a multicast VPN scenario, if the default-vpn-source is configured under protocol

PIM, then the FPC holding is configured, the MS-PIC might core when it is taken offline.
A kernel core is generated when a logical interface that is a member of an AE bundle

is activated and deactivated. [PR/553392: This issue has been resolved.]
Routing Protocols
The output of the show ospf statistics command does not display the hello packet
statistics. [PR/427725: This issue has been resolved.]
The mirror receive task variable may not be cleared when the routing protocol process
is heavily scaled. Hence, the NSR replication for RIP status stays in the "InProgress"
state indefinitely. [PR/516003: This issue has been resolved.]
Under rare circumstances, multiple commits might crash both Routing Engines. The
routing protocol process dumps core and restarts only on the master Routing Engine.
This issue occurs when commits are executed within one minute. [PR/516479: This
Upon an NSR mastership switch or ISSU upgrade, the multicast resolve route for IPv4
224/4 or inet6 ff00::/8 might be missing within the forwarding-table. To recover from
this condition, deactivate and activate the protocol pim stanza, or restart the routing
protocol process. [PR/522605: This issue has been resolved.]
For Junos OS Release 9.5 and above, the BGP parse community begins with 0 as the
octal value. This behavior is different in earlier releases. [PR/530086: This issue has
been resolved.]
74
The overload bit in the ISIS LSP MT-TLV may trigger the IS-IS to install a default route
to the overload bit advertiser. And the output of the show isis database extensive
command displays an unknown TLV. [PR/533680: This issue has been resolved.]
The routing protocol process might crash due to an invalid prefix-length value in one
of the flow-spec routes. [PR/534757: This issue has been resolved.]
If there is enough join state associated with a neighbor and that neighbor goes down
and comes back up quickly, then that join state may be stranded in an unresolved state
until the clear pim join command is issued. [PR/539962: This issue has been resolved.]
On Type 2 Trio MPC, multiple changes to a single term in quick succession can cause
an incorrect filter state in the Packet Forwarding Engine. This causes the MPC to crash.
The routing protocol process might crash when a BGP connection attempt meets with
an RST from the peer. This is due to an unlikely race condition. [PR/540895: This issue
has been resolved.]
Under certain timing conditions, an interior gateway protocol topology change can
result in the BGP routes referencing an incorrect egress interface. This problem can
occur when active and inactive BGP routes are learned from the same peer and the
inactive BGP routes are deleted at the time of the topology change. [PR/543911: This
In instances with scaled LACP configurations, the periodic packet management process
(ppmd) might experience memory leaks. [PR/547484: This issue has been resolved.]
When two identical local interface addresses are shared between two VRFs via
auto-export, the routing protocol process might cause a high CPU utilization.
When the primary loopback address changes, the routing protocol process might crash
when a new data mdt is created. [PR/549483: This issue has been resolved.]
If a PIM <S, G> join arrives when there is no route to the source, PIM RPF checking is
disabled, and a matching multicast route is present, the output interfaces associated
with the PIM <S, G> join are not added to the multicast route. [PR/550703: This issue
has been resolved.]
The IPv6 entries are removed from the output of the show pim interfaces command
when the corresponding interface is in the down state. This is a cosmetic issue.
On MX80 routers, even when static routes are configured, the management port does
not forward traffic to the user ports. [PR/552952: This issue has been resolved.]
When an interface-based IPv6 BGP session with a 2-byte AS format is used, the system
might crash. [PR/553772: This issue has been resolved.]
An IS-IS adjacency flap at a precise interval can cause the routing protocol process to
restart on a neighbor, as it is in the process of purging the LSAs of the previously down
node from the local database. [PR/554233: This issue has been resolved.]
75
In Junos OS Release 10.0 and later, the routing instance name is restricted to 63
characters. [PR/533882: This issue has been resolved.]
The BGP_IPV4_NEXT_HOP field on the jflow v9 record matches the originator ID instead
of the BGP next hop. [PR/534598: This issue has been resolved.]
When traffic is forwarded in an L2TP session and a teardown request is received, the
ASPIC crashes with a memory access violation in mlppp_output. [PR/537225: This
On M Series routers configured for L2TP tunneling with several thousands of PPP
connections, when all the PPP sessions expire at the same time, the Multiservices PIC
might hang and become unusable. To recover the service, restart the PIC. [PR/541793:
On Multiservices 500 PICs with graceful Routing Engine switchover (GRES), wrong
record values are seen for the IPv4 netflow export packets. This error occurs when the
route records are not installed. [PR/545422: This issue has been resolved.]
The IPv6 and MPLS route counts are not reflected in the output of the show service
accounting status command. [PR/550793: This issue has been resolved.]
In a router configured with a large number of interfaces, when few interfaces are
constantly added and deleted, a minor memory leak may be observed in the "pfed"
process. [PR/522346: This issue has been resolved.]
While a configuration with a long as-path is displayed in XML format using the show
configuration | display xml | no-more command, the closing tag for the as-path <path>
is wrongly displayed as </path instead of </path>. [PR/525772: This issue has been
resolved.]
The xnm service currently does not support logging of remote-host addresses in system
accounting. [PR/535534: This issue has been resolved.]
It is possible to login to J-Web from a web browser having a cipher strength of 40 and
56 bits. This could create a security issue. As a workaround, use a web browser that
supports 128 bit of cipher strength. [PR/539477: This issue has been resolved.]
The system continues to use the TACACS server configuration even after it is removed.
As a workaround, deactivate and reactivate the accounting configuration. [PR/544770:
When the load set command is used to refresh a script file, the script does not refresh,
and exits from the CLI after displaying the rpc-related errors. [PR/555316: This issue
has been resolved.]
76
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
VPNs
Related
Documentation
When two MVPN routing instances and at least one L2VPN routing instance are
configured, the commit fails with the following message: RPD_RT_DUPLICATE_RD:
routing-instance xxx has duplicate route-distinguisher." As a workaround, configure
the route-distinguisher-id for each instance manually. [PR/511514: This issue has been
resolved.]
If a VPN routing and forwarding (VRF) instance contains a static route that is resolved
via a route that is auto-exported from another routing instance, the static route may
not be removed when the physical interface goes down. [PR/531540: This issue has
been resolved.]
When a CE-facing interface in a VPLS instance is deactivated, the routing protocol

process may get into a loop leading to a high CPU utilization. [PR/531987: This issue
has been resolved.]
Under certain circumstances, the container interfaces might not send the proper martini
modes to the routing protocol process. This results in incorrect control-word-related
information sent to the Packet Forwarding Engine. [PR/541998: This issue has been
resolved.]
In a Live/Standby MVPN extranet setup, with the primary provider on PE1, the backup
provider on PE2, and a receiver on PE3 and receivers also on PE1 and PE2, traffic drops
occur for 25 seconds after every 35 seconds. [PR/542984: This issue has been resolved.]
on page 6
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and
T Series Routers
Changes to the Junos OS Documentation Set
The following are the changes made to the Junos OS documentation set:
The new index pages launched for Junos OS technical documentation present
documentation links in categories and include brief descriptions of the content of each
link. Related links to platform documentation pages are included in the right-hand
navigation. The new pages contain all of the content on previous versions of the pages,
only the formatting has changed.
77
Here are the URLs:
Software documentation for Junos M, MX, and T Series:

http://www.juniper.net/techpubs/en_US/junos10.4/information-products/
pathway-pages/product/m-t-mx/10.4/index.html
Hardware documentation for M Series Multiservice Edge Routers:

http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/
pathway-pages/m-series/
Hardware documentation for MX Series 3D Universal Edge Routers:

pathway-pages/mx-series/
Hardware documentation for T Series Core Routers:

pathway-pages/t-series/
Hardware documentation for the JCS 1200 platform:

pathway-pages/jcs/
The term Multiplay has been replaced with Session Border Control in the Junos OS
Release Notes.
The Integrated Multi-Service Gateway (IMSG) pathway page now includes three
complete configuration examples:
IMSGBasic Configuration
IMSGDual BGFs
IMSGServer Clusters
The configuration examples are applicable to Junos OS Release 10.2 and later.
The Junos OS Layer 2 Configuration Guide provides an overview of the Layer 2 functions
supported on Juniper Networks routers, including configuring bridge domains, MAC
addresses and VLAN learning and forwarding, and spanning-tree protocols. It also
details the routing instance types used by Layer 2 applications. This material was
formerly covered in the Junos OS MX Series Ethernet Services Routers Layer 2
Configuration Guide.
Documentation for the extended DHCP relay agent feature is no longer included in the
Policy Framework Configuration Guide. For DHCP relay agent documentation, see the
78
Subscriber Access Configuration Guide or the documentation for subscriber access

management.
In Junos OS Release 10.3R1 and later, PDF files are not available for individual HTML
pages in the Junos OS documentation set. PDF files are available for the complete
Junos OS Release 10.3 configuration guides at
http://www.juniper.net/techpubs/software/junos/junos103/index.html. PDF files for the
complete hardware guides are accessible at the following URLs:
For M Series routers:

http://www.juniper.net/techpubs/en_US/release-independent/junos/informa
tion-products/pathway-pages/m-series/
For MX Series routers:

tion-products/pathway-pages/mx-series/
For T Series and TX Matrix routers:

tion-products/pathway-pages/t-series/
In addition, individual HTML pages have a Print link in the upper left corner of the text
area on the page.
Errata
This section lists outstanding issues with the documentation.
High Availability
TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix
do not currently support nonstop active routing. [High Availability]
For the T320, T640, and T1600 routers, external clock synchronization is not supported
on sonic clock generators (SCG) with DB-9 external clock interfaces.
[System Basics, Hardware Guides]
The Configuring Layer 2 Circuit Transport Mode chapter in the Network Interfaces
Configuration Guide states the following:
For Layer 2 circuit cell relay and Layer 2 trunk modes, include the atm-l2circuit-mode
cell statement at the [edit chassis fpc slot pic slot] hierarchy level and the
encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name]
hierarchy level.
This configuration is correct and interoperates with routers running all versions of Junos
OS.
However, the chapter does not mention that you can also include the encapsulation
atm-ccc-cell-relay statement at the [edit interfaces interface-name unit
logical-unit-number] hierarchy level. when you include the statement at the [edit
interfaces interface-name unit logical-unit-number]] hierarchy level, keep the following
points in mind:
79
This configuration interoperates only between Juniper Networks routers running

Junos OS Release 8.2 or earlier.
This configuration does not interoperate with other network equipment, including a
Juniper Networks router running Junos OS Release 8.3 or later, unless it is also
configured with the same use-null-cw statement.
For a Juniper Networks router running Junos OS Release 8.3 or later to interoperate
with another Juniper Networks router running Junos OS Release 8.2 or earlier, on the
router running Junos OS Release 8.3 or later, include the use-null-cw statement at
the [edit interfaces interface-name atm-options] hierarchy level.
The use-null-cw statement inserts (for sending traffic) or strips (for receiving traffic)
an extra null control word in the MPLS packet.
The use-null-cw statement is not supported on a router running Junos OS Release

8.2 or earlier.
With Junos OS Release 10.1 and later, you need not include the tunnel option or the
clear-dont-fragment-bit statement when configuring allow-fragmentation on a tunnel.
J-Web Interface
To access the J-Web interface, your management device requires the following
software:
Supported browsersMicrosoft Internet Explorer version 7.0 or Mozilla Firefox version

3.0
Language supportEnglish-version browsers
Supported OSMicrosoft Windows XP Service Pack 3
MX Series 3D Universal Edge Routers
Some features marked as supported on MX Series 3D Universal Edge Routers are not
currently supported on MX80 routers. For a complete list of available features on MX80
routers please contact your sales engineer or the Juniper Technical Assistance Center.
The MX Series 3D Universal Edge Routers are sometimes referred to as MX Series

Ethernet Services Routers. Both names refer to the same MX Series routers. This will
be standardized to MX Series 3D Universal Edge Routers in the documentation in later
releases.
80
The rate statement for packet sampling is now configured at the following hierarchy
level: [edit forwarding options sampling input family family].

The Subscriber Access Configuration Guide contains the following errors:
The Configuring a Dynamic Profile for Client Access topic erroneously uses the
$junos-underlying-interface variable when a IGMP interface is configured in the client
access dynamic profile. The following example provides the appropriate use of the
$junos-interface-name variable:
[edit dynamic-profiles access-profile]
user@host# set protocols igmp interface $junos-interface-name
Table 25 in the Dynamic Variables Overview topic neglects to define the

$junos-igmp-version predefined dynamic variable. This variable is defined as follows:
$junos-igmp-versionIGMP version configured in a client access profile. The Junos OS
obtains this information from the RADIUS server when a subscriber accesses the router.
The version is applied to the accessing subscriber when the profile is instantiated. You
specify this variable at the [dynamic-profiles profile-name protocols igmp] hierarchy
level for the interface statement.
In addition, the Subscriber Access Configuration Guide erroneously specifies the use of
a colon (:) when you configure the dynamic profile to define the IGMP version for client
interfaces. The following example provides the appropriate syntax for setting the IGMP
interface to obtain the IGMP version from RADIUS:
[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name]
user@host# set version $junos-igmp-version
The Subscriber Access Configuration Guide and the System Basics Configuration Guide
contain information about the override-nas-information statement. This statement
does not appear in the CLI and is not supported.
[Subscriber Access, System Basics]
When you modify dynamic CoS parameters with a RADIUS change of authorization
(CoA) message, the Junos OS accepts invalid configurations. For example, if you specify
that a transmit rate that exceeds the allowed 100 percent, the system does not reject
the configuration and returns unexpected shaping behavior.
[Subscriber Access]
We do not support multicast RIF mapping and ANCP when configured simultaneously
on the same logical interface. For example, we do not support when a multicast VLAN
and ANCP are configured on the same logical interface, and the subscriber VLANs are
the same for both ANCP and multicast.
[Subscriber Access]
The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber
Access Configuration Guide erroneously states that dynamic CoS is supported for
81
dynamic VLANs on the Trio MPC/MIC family of products. In the current release, dynamic
CoS is supported only on static VLANs on Trio MPC/MIC interfaces.
[Subscriber Access]
The Subscriber Access Configuration Guide incorrectly describes the authentication-order

statement as it is used for subscriber access management. When configuring the
authentication-order statement for subscriber access management, you must always
specify the radius method. Subscriber access management does not support the
password keyword (the default), and authentication fails when you do not specify an
authentication method.
[Subscriber Access]
In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by
the AAA Service Framework topic and the Specifying an Address Pool in a Domain Map
topic incorrectly indicate that VSA 26-2 (Local-Address-Pool) is supported. Subscriber
management does not support this VSA.
[Subscriber Access]
In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by
the AAA Service Framework table and the RADIUS-Based Mirroring Attributes table
incorrectly describe VSA 26-59. The correct description is as follows:
Attribute Number
Attribute Name
Description
26-59
Med-Dev-Handle
Identifier that associates mirrored traffic to a specific

subscriber.
[Subscriber Access]
The show system statistics bridge command displays system statistics on MX Series
routers. [System Basics Command Reference]
VPNs
In Chapter 19, Configuring VPLS of the VPNs Configuration Guide, an incorrect statement
that caused contradictory information about which platforms support LDP BGP
interworking has been removed. The M7i router was also omitted from the list of
supported platforms. The M7i router does support LDP BGP interworking.
[VPNs]
Related
Documentation
on page 6
82
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T
Series Routers
This section discusses the following topics:
Basic Procedure for Upgrading to Release 10.4 on page 83
Upgrading a Router with Redundant Routing Engines on page 86
Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS

Release 10.1 on page 86
Upgrading the Software for a Routing Matrix on page 88
Upgrading Using ISSU on page 89
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and
NSR on page 89
Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 90
Downgrade from Release 10.4 on page 91
Basic Procedure for Upgrading to Release 10.4

In order to upgrade to Junos OS 10.0 or later, you must be running Junos OS 9.0S2, 9.1S1,
9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or you must specify the no-validate
option on the request system software install command.
When upgrading or downgrading the Junos OS, always use the jinstall package. Use other
packages (such as the jbundle package) only when so instructed by a Juniper Networks
support representative. For information about the contents of the jinstall package and
details of the installation process, see the Junos OS Installation and Upgrade Guide.
NOTE: With Junos OS Release 9.0 and later, the compact flash disk memory
requirement for Junos OS is 1 GB. For M7i and M10i routers with only 256 MB
memory, see the Customer Support Center JTAC Technical Bulletin
PSN-2007-10-001 at
https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=
PSN-2007-10-001&actionBtn=Search.
83
NOTE: Before upgrading, back up the file system and the currently active
Junos configuration so that you can recover to a known, stable environment
in case the upgrade is unsuccessful. Issue the following command:
user@host> request system snapshot
The installation process rebuilds the file system and completely reinstalls
the Junos OS. Configuration information from the previous software
installation is retained, but the contents of log files might be erased. Stored
files on the routing platform, such as configuration templates and shell scripts
(the only exceptions are the juniper.conf and ssh files) might be removed. To
preserve the stored files, copy them to another system before upgrading or
downgrading the routing platform. For more information, see the Junos OS
System Basics Configuration Guide.
84
The download and installation process for Junos OS Release 10.4 is the same as for
previous Junos OS releases.
If you are not familiar with the download and installation process, follow these steps:
1.
Using a Web browser, follow the links to the download URL on the Juniper Networks
Web page. Choose either Canada and U.S. Version or Worldwide Version:
https://www.juniper.net/support/csc/swdist-domestic/ (customers in the United
States and Canada)
https://www.juniper.net/support/csc/swdist-ww/ (all other customers)
2. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by Juniper Networks representatives.

3. Download the software to a local host.
4. Copy the software to the routing platform or to your internal software distribution
site.
5. Install the new jinstall package on the routing platform.
NOTE: We recommend that you upgrade all software packages out of

band using the console because in-band connections are lost during the
upgrade process.
Customers in the United States and Canada use the following command:
user@host> request system software add validate reboot
source/jinstall-10.4R2.6-domestic-signed.tgz
All other customers use the following command:

user@host> request system software add validate reboot
source/jinstall-10.4R2.6-export-signed.tgz
Replace source with one of the following values:
/pathnameFor a software package that is installed from a local directory on the
router.
For software packages that are downloaded and installed from a remote location:
ftp://hostname/pathname
http://hostname/pathname
scp://hostname/pathname (available only for Canada and U.S. version)
The validate option validates the software package against the current configuration
as a prerequisite to adding the software package to ensure that the router reboots
successfully. This is the default behavior when the software package being added is
a different release.
85
Adding the reboot command reboots the router after the upgrade is validated and
installed. When the reboot is complete, the router displays the login prompt. The
loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a Junos OS Release 10.4 jinstall package, you cannot
issue the request system software rollback command to return to the previously
installed software. Instead you must issue the request system software add
validate command and specify the jinstall package that corresponds to the
previously installed software.
NOTE: Before you upgrade a router that you are using for voice traffic, you
should monitor call traffic on each virtual BGF. Confirm that no emergency
calls are active. When you have determined that no emergency calls are
active, you can wait for nonemergency call traffic to drain as a result of
graceful shutdown, or you can force a shutdown. For detailed information
on how to monitor call traffic before upgrading, see the Junos OS Multiplay
Solutions Guide.
Upgrading a Router with Redundant Routing Engines

If the router has two Routing Engines, perform a Junos OS installation on each Routing
Engine separately to avoid disrupting network operation as follows:
1.
Disable graceful Routing Engine switchover (GRES) on the master Routing Engine
and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine while keeping the
currently running software version on the master Routing Engine.

3. After making sure that the new software version is running correctly on the backup
Routing Engine, switch over to the backup Routing Engine to activate the new software.
4. Install the new software on the original master Routing Engine that is now active as
the backup Routing Engine.

For the detailed procedure, see the Junos OS Installation and Upgrade Guide.
Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos

OS Release 10.1
In releases prior to Junos OS Release 10.1, the draft-rosen multicast VPN feature
implements the unicast lo0.x address configured within that instance as the source
address used to establish PIM neighbors and create the multicast tunnel. In this mode,
the multicast VPN loopback address is used for reverse path forwarding (RPF) route
resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN
loopback address is also used as the source address in outgoing PIM control messages.
86
In Junos OS Release 10.1 and later, you can use the routers main instance loopback
(lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM
state for the multicast VPN. We strongly recommend that you perform the following
procedure when upgrading to Junos OS Release 10.1 if your draft-rosen multicast VPN
network includes both Juniper Network routers and other vendors routers functioning
as provider edge (PE) routers. Doing so preserves multicast VPN connectivity throughout
the upgrade process.
Because Junos OS Release 10.1 supports using the routers main instance loopback (lo0.0)
address, it is no longer necessary for the multicast VPN loopback address to match the
main instance loopback adddress lo0.0 to maintain interoperability.
NOTE: You might want to maintain a multicast VPN instance lo0.x address
to use for protocol peering (such as IBGP sessions), or as a stable router
identifier, or to support the PIM bootstrap server function within the VPN
instance.
Complete the following steps when upgrading routers in your draft-rosen multicast VPN
network to Junos OS Release 10.1 if you want to configure the routerss main instance
loopback address for draft-rosen multicast VPN:
1.
Upgrade all M7i and M10i routers to Junos OS Release 10.1 before you configure the
loopback address for draft-rosen Multicast VPN.
NOTE: Do not configure the new feature until all the M7i and M10i routers
in the network have been upgraded to Junos OS Release 10.1.
2. After you have upgraded all routers, configure each routers main instance loopback
address as the source address for multicast interfaces. Include the default-vpn-source
interface-name loopback-interface-name] statement at the [edit protocols pim]
hierarchy level.
3. After you have configured the routers main loopback address on each PE router,
delete the multicast VPN loopback address (lo0.x) from all routers.
We also recommend that you remove the multicast VPN loopback address from all
PE routers from other vendors. In Junos OS releases prior to 10.1, to ensure
interoperability with other vendors routers in a draft-rosen multicast VPN network,
you had to perform additional configuration. Remove that configuration from both
the Juniper Networks routers and the other vendors routers. This configuration should
be on Juniper Networks routers and on the other vendors routers where you configured
the lo0.mvpn address in each VRF instance as the same address as the main loopback
(lo0.0) address.
This configuration is not required when you upgrade to Junos OS Release 10.1 and use
the main loopback address as the source address for multicast interfaces.
87
NOTE: To maintain a loopback address for a specific instance, configure

a loopback address value that does not match the main instance address
(lo0.0).
For more information about configuring the draft-rosen Multicast VPN feature, see the
Junos OS Multicast Configuration Guide.
Upgrading the Software for a Routing Matrix

A routing matrix can use either a TX Matrix router as the switch-card chassis (SCC) or a
TX Matrix Plus router as the switch-fabric chassis (SFC). By default, when you upgrade
software for a TX Matrix router or a TX Matrix Plus router, the new image is loaded onto
the TX Matrix or TX Matrix Plus router (specified in the Junos OS CLI by using the scc or
sfc option) and distributed to all T640 routers or T1600 routers in the routing matrix
(specified in the Junos OS CLI by using the lcc option). To avoid network disruption during
the upgrade, ensure the following conditions before beginning the upgrade process:
A minimum of free disk space and DRAM on each Routing Engine. The software upgrade
will fail on any Routing Engine without the required amount of free disk space and
DRAM. To determine the amount of disk space currently available on all Routing Engines
of the routing matrix, use the CLI show system storage command. To determine the
amount of DRAM currently available on all the Routing Engines in the routing matrix,
use the CLI show chassis routing-engine command.
The master Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC)
and T640 routers or T1600 routers (LCC) are all re0 or are all re1.
The backup Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC)
and T640 routers or T1600 routers (LCC) are all re1 or are all re0.
All master Routing Engines in all routers run the same version of software. This is
necessary for the routing matrix to operate.
All master and backup Routing Engines run the same version of software before
beginning the upgrade procedure. Different versions of the Junos OS can have
incompatible message formats especially if you turn on GRES. Because the steps in
the process include changing mastership, running the same version of software is
recommended.
For a routing matrix with a TX Matrix router, the same Routing Engine model is used
within a TX Matrix router (SCC) and within a T640 router (LCC) of a routing matrix.
For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using
two RE-1600s is supported. However, an SCC or an LCC with two different Routing
Engine models is not supported. We suggest that all Routing Engines be the same
model throughout all routers in the routing matrix. To determine the Routing Engine
type, use the CLI show chassis hardware | match routing command.
For a routing matrix with a TX Matrix Plus router, the SFC contains two model
RE-DUO-C2600-16G Routing Engines, and each LCC contains two model
RE-DUO-C1800-8G Routing Engines.
88
NOTE: It is considered best practice to make sure that all master Routing
Engines are re0 and all backup Routing Engines are re1 (or vice versa). For
the purposes of this document, the master Routing Engine is re0 and the
backup Routing Engine is re1.
To upgrade the software for a routing matrix, perform the following steps:
1.
Disable graceful Routing Engine switchover (GRES) on the master Routing Engine
(re0) and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine (re1) while keeping
the currently running software version on the master Routing Engine (re0).
3. Load the new Junos OS on the backup Routing Engine. After making sure that the new
software version is running correctly on the backup Routing Engine (re1), switch
mastership back to the original master Routing Engine (re0) to activate the new
software.
4. Install the new software on the new backup Routing Engine (re0).
For the detailed procedure, see the Routing Matrix with a TX Matrix Feature Guide or the
Routing Matrix with a TX Matrix Plus Feature Guide.
Upgrading Using ISSU

Unified in-service software upgrade (ISSU) enables you to upgrade between two different
Junos OS releases with no disruption on the control plane and with minimal disruption
of traffic. Unified in-service software upgrade is only supported by dual Routing Engine
platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active
routing (NSR) must be enabled. For additional information about using unified in-service
software upgrade, see the Junos High Availability Configuration Guide.
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM
and NSR
Junos OS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the
following PIM features are not currently supported with NSR. The commit operation fails
if the configuration includes both NSR and one or more of these features:
Anycast RP
Draft-Rosen multicast VPNs (MVPNs)
Local RP
Next-generation MVPNs with PIM provider tunnels
PIM join load balancing
Junos OS 9.3 Release introduced a new configuration statement that disables NSR for
PIM only, so that you can activate incompatible PIM features and continue to use NSR
for the other protocols on the router: the nonstop-routing disable statement at the [edit
protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM features,
not only incompatible features.)
89
If neither NSR nor PIM is enabled on the router to be upgraded or if one of the unsupported
PIM features is enabled but NSR is not enabled, no additional steps are necessary and
you can use the standard upgrade procedure described in other sections of these
instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use
the standard reboot or ISSU procedures described in the other sections of these
instructions.
Because the nonstop-routing disable statement was not available in Junos OS Release
9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to
be upgraded from Junos OS Release 9.2 or earlier to a later release, you must disable
PIM before the upgrade and reenable it after the router is running the upgraded Junos
OS and you have entered the nonstop-routing disable statement. If your router is running
Junos OS Release 9.3 or later, you can upgrade to a later release without disabling NSR
or PIMsimply use the standard reboot or ISSU procedures described in the other sections
of these instructions.
To disable and reenable PIM:
1.
On the router running Junos OS Release 9.2 or earlier, enter configuration mode and
disable PIM:
[edit]
user@host# deactivate protocols pim
user@host# commit
2. Upgrade to Junos OS Release 9.3 or later software using the instructions appropriate
for the router type. You can either use the standard procedure with reboot or use ISSU.
3. After the router reboots and is running the upgraded Junos OS, enter configuration
mode, disable PIM NSR with the nonstop-routing disable statement, and then reenable
PIM:
[edit]
user@host# set protocols pim nonstop-routing disable
user@host# activate protocols pim
user@host# commit
Upgrade Policy for Junos OS Extended End-Of-Life Releases

An expanded upgrade and downgrade path is now available for the Junos OS Extended
End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of
two adjacent later EEOL releases. You can also downgrade directly from one EEOL release
to one of two adjacent earlier EEOL releases.
For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade
from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to
10.4, you first need to upgrade to Junos OS release 9.3 or 10.0, and then upgrade a second
time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either
10.0 or 9.3. To downgrade from release 10.4 to 8.5, you first need to downgrade to 10.0
or 9.3, and then perform a second downgrade to Release 8.5.
90
For upgrades and downgrades to or from a non-EEOL release, the current policy is that
you can upgrade and downgrade by no more than three releases at a time. This policy
remains unchanged.
For more information on EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
Downgrade from Release 10.4

To downgrade from Release 10.4 to another supported release, follow the procedure for
upgrading, but replace the 10.4 jinstall package with one that corresponds to the
appropriate release.
For more information, see the Junos OS Installation and Upgrade Guide.
Related
Documentation
on page 6
91
Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J
Series Services Routers
Powered by Junos OS, Juniper Networks SRX Series Services Gateways provide robust
networking and security services. SRX Series Services Gateways range from lower-end
devices designed to secure small distributed enterprise locations to high-end devices
designed to secure enterprise infrastructure, data centers, and server farms. The SRX
Series Services Gateways include the SRX100, SRX210, SRX220, SRX240, SRX650,
SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Juniper Networks J Series Services Routers running Junos OS provide stable, reliable, and
efficient IP routing, WAN and LAN connectivity, and management services for small to
medium-sized enterprise networks. These routers also provide network security features,
including a stateful firewall with access control policies and screens to protect against
attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320,
J2350, J4350, and J6350 devices.
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series
Services Routers on page 92
Advertising Bandwidth for Neighbors on a Broadcast Link Support on page 123
Group VPN Interoperability with Ciscos GET VPN on page 123
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series
Services Gateways and J Series Services Routers on page 124
Unsupported CLI on page 139
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers on page 148
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services
Routers on page 158
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers on page 178
Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways
and J Series Services Routers on page 189
Maximizing ALG Sessions on page 191
Integrated Convergence Services Not Supported on page 192
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services
Routers
The following features have been added to Junos OS Release 10.4. Following the
description is the title of the manual or manuals to consult for further information.
Software Features on page 93
Hardware FeaturesSRX210, SRX220, and SRX240 Services Gateways on page 115
92
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Hardware FeaturesSRX220 Services Gateway with Power Over Ethernet on page 116
Hardware FeaturesSRX1400 Services Gateway on page 119
Hardware FeaturesSRX3400 and SRX3600 Services Gateways on page 122
Software Features
Application Layer Gateways (ALGs)
Rewrite rule for DSCP at VoIP ALGsThis feature is supported on all SRX Series and
J Series devices.
Differentiated Services Code Point (DSCP) is a modification of the type-of-service
byte for class of service (CoS). Six bits of this byte are reallocated for use as the DSCP
field, where each DSCP specifies a particular per-hop behavior that is applied to a
packet.
A rewrite rule modifies the appropriate CoS bits in an outgoing packet to meet the
requirements of the targeted peer. Each rewrite rule reads the current CosS value that
is configured at the voice over IP (VoIP) Application Layer Gateway (ALG) level. Every
packet that hits the VoIP ALG is marked by this CoS value.
You can configure a rewrite rule for a DSCP Differentiated Services (DiffServ) marker
at the VoIP ALG level to address VoIP signaling and its respective Real-Time Transport
Protocol (RTP) streams. You can configure the rewrite rule such that all VoIP traffic
hitting the ALG gets a rewrite marker while its respective RTP/Real-Time Control
Protocol (RTP/RTCP) traffic gets a different rewrite marker.
[Junos OS CLI Reference, Junos OS Integrated Convergence Services Configuration and
Administration Guide]
Chassis Cluster
Increasing the number of zones and virtual routersThis feature is supported on
SRX5600 and SRX5800 devices.
The maximum number of zones, virtual routers, and IFLs (IFLs only for chassis cluster
mode) that can be configured on an SRX5800 device has been increased to 2000.
In a chassis cluster environment, as the number of logical interfaces is scaled upward,
the time before triggering a failover needs to be increased accordingly. At maximum
capacity on an SRX5600 or SRX5800 device, we recommend that you increase the
configured time for failover detection to at least 5 seconds. [Junos OS CLI Reference]
Configuration Wizards
This feature is supported on SRX100, SRX210, SRX240, and SRX650 devices.
The J-Web interface now has a set of wizards that simplify the basic configuration of the
SRX Series devices. The Setup wizard automatically appears when you first start the
device or when it is in factory default mode and you point to the Web management URL.
Three other wizards in the J-Web interface enable you to configure basic firewall policies,
basic IPsec VPN settings, and basic NAT settings.
93
Flow and Processing
J-Flow V9 support This feature is supported on SRX100, SRX210, SRX220, SRX240,

SRX650, and all J Series devices.
J-Flow Services Export Version 9 (J-Flow V9) provides an extensible and flexible method
for using templates to observe packets on a router. Each template indicates the format
in which the device exports data.
In Junos OS Release 10.4, PIC-based J-Flow V9 is introduced along with J-Flow V5 and
V8, which were disabled in Junos OS Release 9.4.
[Junos OS CLI User Guide, Junos OS Interfaces Configuration Guide for Security Devices]
Packet captureThis feature is supported on SRX1400, SRX3400, SRX3600,

SRX5600, and SRX5800 devices.
Packet capture is a datapath-debugging feature that helps you effectively create a
filter for specific traffic and apply an action profile to the traffic. The action profile
specifies a variety of actions at different processing units. One of the supported actions
is packet dump, which sends the packet to the Routing Engine and stores it in propriety
form. You can view the packets by entering the show security datapath-debug capture
command.
The performance of packet capture is improved and is comparable to the trace
performance.
[Junos OS Security Configuration Guide]
Screen logsScreen log enhancement is supported on all SRX Series and J Series
devices.
The new log format captures all required information in the screen log. This allows you
to view all log information for a device instead of having to search through
device-specific logs.
The new log structure is as follows:<67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS
- RT_SCREEN_TCP [junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!"
source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113"
destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112"
action="alarm-without-drop"]
94
Integrated Convergence Services

The Integrated Convergence Services features listed in this section are supported on
SRX210 and SRX240 devices with Voice capability.
Accounting featureYou can configure Integrated Convergence Services to collect

and generate accounting information for successful and unsuccessful voice subscriber
transactions. The voice daemon generates and collects accounting data about calls
made and received between Session Initiation Protocol (SIP), Foreign Exchange Station
(FXS), and Foreign Exchange Office (FXO) stations.
You can use the accounting feature for calls made when the SRX Series media gateway
(SRX Series MGW) is in control or when the SRX Series survivable call server (SRX
Series SCS) is in control.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Call parkThe call park feature allows users to park an active call and pick up their
call or that of another user later. To use the call park feature, you configure a primary
logical extension, which you can think of as a parking lot. You must also configure a
range of logical extensions following the primary one that are used to park individual
calls.
When you handle a call, you can transfer it to the parking lot without the caller hearing
the transfer process. When you park the call, you are told the logical extension number
of the parking slot before your connection to the call is dropped. You or another user
can pick up the call and resume the conversation from any phone by calling the
extension number of the parking slot.
This feature is supported when the SRX Series SCS is in control. Under normal conditions
when it is reachable, the peer call server provides this service if it is supported.
Defining a SIP registrar address separate from the peer call serverBy default, the
SIP registrar and the peer call server (SIP server) are handled by the same service and
therefore have the same address. Under these circumstances, the SRX Series MGW
sends SIP REGISTRAR and INVITE messages to the IP address configured for the peer
call server.
Direct inward dialing listsYou can associate a list of direct inward dialing (DID)
numbers with a trunk to be used for assignment to stations. You do not need to assign
these DIDs to stations directly. The software assigns a DID number to a single station
exclusively. If an incoming call is made to an unassigned DID number, it is directed to
and handled by auto-attendant.
Disabling SIP registration to the peer call serverThe SRX Series MGW sends
registration messages to the peer call server. For some network environments in which
all media gateways are known to the peer call server, the SRX Series MGW is not
required to register to it. To do so could cause complications. For example, the peer
call server could drop the registration message silently, that is, without informing the
95
SRX Series MGW. In this case, the SRX Series MGW might retransmit the message,
incurring unnecessary processing and adding to the network load.
When you configure peer call server information, you can disable transmission of the
registration message to the peer call server to avoid these problems.
NOTE: Disabling transmission of the SRX Series MGW registration to the

peer call server does not disable registration of an FXS station to the SRX
Series MGW on the device running Integrated Convergence Services.
Disabling SIP registration to the proxy serverBy default, Integrated Convergence

Services SIP trunks register to the SIP service providers peer proxy server. For some
SIP networks, the peer proxy server is informed about all SIP trunks that communicate
with it. In such network environments, the SIP trunk does not need to send a REGISTER
message to the peer proxy server. To do so would increase network load unnecessarily.
To accommodate these network environments, you can configure the SIP trunk not
to register to the peer proxy server.
DSCP marking for RTP packets generated by SRX Series Integrated Convergence
ServicesConfigure DSCP marking to set the desired DSCP bits for Real-Time Transport
Protocol (RTP) packets generated by SRX Series Integrated Convergence Services.
Differentiated Services code point (DSCP) bits are the 6-bit bitmap in the IP header
used by devices to decide the forwarding priority of packet routing. When the DSCP
bits of RTP packets generated by Integrated Convergence Services are configured, the
downstream device can then classify the RTP packets and direct them to a higher
priority queue in order to achieve better voice quality when packet traffic is congested.
Juniper Networks devices provide classification, priority queuing, and other kinds of
class-of-service (CoS) configuration under the CoS configuration hierarchy.
Note that the Integrated Convergence Services DSCP marking feature marks only RTP
packets of calls that it terminates, which include calls to peer call servers and to peer
proxy servers that provide SIP trunks. If a call is not terminated by Integrated
Convergence Services, then DSCP marking does not apply.
To configure the DSCP marking bitmap for calls terminated by Integrated Convergence
Services and the address of the peer call server or peer proxy server to which these
calls are routed, use the media-policy statement at the [edit services converged-services]
hierarchy level.
set services convergence-service service-class < name > dscp < bitmap >
set services convergence-service service-class media-policy < name > term < term-name
> from peer-address [< addresses >]
set services convergence-service service-class media-policy < name > term then
service-class < name >
96
Hunt groupA hunt group enables a group of users to handle calls collectively. A hunt
group specifies a logical extension that outside parties can call. Member stations
belonging to the hunt group are specified in a preconfigured station group. When a call
comes in on the logical extension, the call is directed to the phone whose station is
specified first in the preconfigured station group, and that phone rings. The next
incoming call is directed to the second station specified in the station group and its
phone rings, and so on.
To connect the call, the system hunts through the configured stations in order one at
a time. It rings a phone up to the time limit that you specify before it tries the next phone
in the configured order
Interoperability with Microsoft and Cisco call servers and IP phonesThis feature
addresses SRX Series media gateway (SRX Series MGW) interoperability with Microsoft
and Cisco call servers and IP phones, in addition to the current support for Avaya call
servers and IP phones. This feature helps to provide a comprehensive joint enterprise
communications offering.
Pickup groupPickup groups enable users to handle incoming calls collectively, as a

group. Members of the same pickup group can answer incoming calls directed at any
phone extension number within the group. When a phone is called, the first available
agent takes the call, whether it comes in on their phone or another phone within the
group. To pick up a call, the user dials the digits *8. After the user takes the call, the
phone whose number was called no longer rings. Users can belong to one or more
pickup groups concurrently.
The pickup group feature rings only one phone at a time. If the first phone tried is busy,
the next one is tried, and so on. A pickup group can include up to 20 members, whose
phones can be either analog or SIP, but not a mix of both.
This feature is supported when the SRX Series survivable call server (SRX Series SCS)
is in control. Under normal conditions when it is reachable, the peer call server provides
this service if it is supported.
Ring groupA ring group can include up to five members. A ring group allows incoming
calls to be handled by any member of the group. You configure a ring group with a
logical extension that outside parties can call. Calls coming into the logical extension
are forwarded to all phones simultaneously. The first member to answer the call takes
it, and the phones of other members of the group stop ringing. A ring group can include
both SIP and analog stations.
97
Interfaces and Routing
1-Port Gigabit Ethernet SFP Mini-PIMThis feature is supported on SRX210, SRX220,

and SRX240 devices.
Small form-factor pluggables (SFPs) are hot-pluggable modular interface transceivers
for Gigabit and Fast Ethernet connections. Gigabit Ethernet SFP Mini-PIMs can be used
in copper and optical environments.
The 1-Port Gigabit Ethernet SFP Mini-PIM interfaces a single Gigabit Ethernet device
or a network. It supports a variety of transceivers with data speeds of
10 Mbps/100 Mbps/1 Gbps with extended LAN or WAN connectivity.
The 1-Port SFP Gigabit Ethernet mini-PIM supports the following features:
10 Mbps/100 Mbps/1 Gbps link speed
Half-duplex/full-duplex support
Autonegotiation
Encapsulations
MTU size of 1514 bytes (default) and 9010 bytes (jumbo frames)
Loopback
Online insertion and removal of transceivers
[Junos OS Interfaces Configuration Guide for Security Devices]

IPsec
Virtual router support for route-based VPNsThis feature is supported on all SRX
Series and J Series devices.
This feature includes routing-instance support for route-based VPNs. You can now
configure different subunits of the st0 interface in different routing instances. The
following functions are supported for nondefault routing instances:
NOTE: IKE is not supported in a custom VR (virtual router). The IKE gateway
external interface must reside in the default virtual router (inet.0).
Manual key management
Transit traffic
Self-traffic
VPN monitoring
Hub-and-spoke VPNs
Encapsulating Security Payload (ESP) protocol
Authentication Header (AH) protocol
98
Aggressive mode or main mode
st0 anchored on the loopback (lo0) interface
Maximum number of virtual routers supported on an SRX Series device
Applications such as Application Layer Gateway (ALG), Intrusion Detection and

Prevention (IDP), and Unified Threat Management (UTM)
Dead peer detection (DPD)
Chassis cluster active/backup
OSPF over st0
RIP over st0
[Junos OS Administration Guide for Security Devices, Junos OS CLI Reference, Junos OS
Security Configuration Guide]
IPv6 Support
Active/active chassis clusterThis feature is supported on all SRX Series and J Series
devices.
In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6)
can be deployed in active/active (failover) chassis cluster configurations in addition
to the existing support of active/passive (failover) chassis cluster configurations. [Junos
OS Security Configuration Guide]
Address books and address sets in active/active chassis clusterThis feature is

supported on all SRX Series and J Series devices.
This feature is supported in active/active chassis cluster configurations in addition to
the existing support of active/passive chassis cluster configurations.
SRX Series and J Series devices running IP version 6 (IPv6) deployed in active/active
(failover) chassis cluster configurations, the address book entries can include any
combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS)
names.
To configure IPv6 address entries, specify an IPv6 address when you use the address
statement at the [edit security zones security-zone name address-book] hierarchy level.
The address set configuration considers names of the address book entries, and not
the IP addresses, so there are no additional considerations related to IPv6 traffic. [Junos
OS Security Configuration Guide]
Advanced flowThis feature is supported on all SRX Series and J Series devices.
IPv6 advanced flow adds IPv6 support for firewall, NAT, NAT-PT, multicast (local link
and transit), IDP, Junos framework, TCP proxy, and session manager on SRX Series
and J Series devices. MIBs are not used in the IPv6 flow.
IPv6 security is available to avoid impact on the existing IPv4 system. If IPv6 security
is enabled, extended sessions and gates are allocated. The existing address fields and
99
gates are used to store the index of extended sessions or gates. If IPv6 security is
disabled, the IPv6 security related resources are not allocated.
New logs are used for IPv6 flow traffic to prevent impact on performance in the existing
IPv4 system.
The behavior and implementation of the IPv6 advanced flow are the same as those
of the IPv4 flow.
Some of the differences are as follows:
Header parseIPv6 advanced flow stops parsing the headers and interprets the
packet as the corresponding protocol packet if it encounters the following extension
headers:
TCP/UDP
ESP/AH
ICMPv6
IPv6 advanced flow continues parsing headers if it encounters the following extension
headers:
Hop-by-Hop
Routing and Destination, Fragment
IPv6 advanced flow interprets the packets as an unknown protocol packet if it

encounters the extension header No Next Header.
Sanity checksIPv6 advanced flow supports the following sanity checks:
TCP Length
UDP Length
Hop-by-Hop
IP data length error
Layer 3 sanity checks (for example, IP version and IP length)
ICMPv6 packetsIn IPv6 advanced flow, the ICMPv6 packets share the same
behavior as normal IPv6 traffic with the following exceptions:
Embedded ICMPv6 Packet
Path MTU message
Host inbound and outbound trafficIPv6 advanced flow supports all route and
management protocols running on the Routing Engine, including OSPF v3, RIPng,
Telnet, and SSH. Note that flow label is not used in the flow.
Tunnel trafficIPv6 advanced flow supports the following tunnel types:
100
IPv4 IPIP
IPv4 GRE
IPv4 IPsec
Dual-stack lite
DNS ALG for routing, NAT, and NAT-PTThis feature is supported on all SRX Series
and J Series devices.
Domain Name System (DNS) is the part of the ALG that handles DNS traffic. The DNS
ALG module has been working as expected for IPv4. In Junos OS Release 10.4, this
feature implements IPv6 support on DNS ALG for routing, NAT, and NAT-PT.
When the DNS ALG receives a DNS query from the DNS client, a security check is done
on the DNS packet. When the DNS ALG receives a DNS reply from the DNS server, a
similar security check is done, and then the session for the DNS traffic closes.
When the DNS traffic works in NAT mode, the DNS ALG translates the public address
in a DNS reply to a private address when the DNS client is on a private network, and
similarly translates a private address to a public address when the DNS client is on a
public network. When DNS traffic works in NAT-PT mode, the DNS ALG translates the
IP address in a DNS reply packet between the IPv4 address and the IPv6 address when
the DNS client is in an IPv6 network and the server is in an IPv4 network, and vice versa.
To support NAT-PT mode in a DNS ALG, the NAT module should support NAT-PT.
Dual-stack liteThis feature is supported on SRX650, SRX3400, SRX3600, SRX5600,

and SRX5800 devices.
IPv6 dual-stack lite (DS Lite) is a technology for maintaining connectivity between
legacy IPv4 devices and networks despite a depleted IPv4 address pool and as a service
provider networks transition to IPv6-only deployments.
DS Lite allows IPv4 customers to continue accessing IPv4 internet content with
minimum disruption to their home networks, while enabling IPv6 customers to access
IPv6 content.
The DS Lite deployment model consists of the following components:
Softwire Initiator (SI) in the DS Lite home router (SI is not available in Junos release
10.4)
Softwire Concentrator (SC) in the DS Lite carrier-grade Network Address Translation

(NAT)
A softwire is a tunnel-over-IPv6 network. The SI finds the SC address, encapsulates

an IPv4 packet, and transmits it across the softwire. The SC receives an IPv4 packet
in the IPv6 softwire packet and decapsulates the IPv6 software packet to retrieve the
inner IPv4 packet. Multiple SIs can have the same SC as the endpoint of the softwires.
101
The DS Lite carrier-grade NAT performs IPv4-IPv4 address translations to multiple

subscribers through a single global IPv4 address. Overlapping address spaces used by
subscribers are disambiguated through the identification of tunnel endpoints.
A new command for displaying information on softwires, show security softwires, is
available in Junos OS Release 10.4.
[Junos OS Security Configuration Guide Junos OS CLI Reference]
Firewall security policy in active/active chassis clusterThis feature is supported on

all SRX Series and J Series devices.
This feature is now supported in active/active chassis cluster configurations in addition
to the existing support of active/passive chassis cluster configurations.
The matching criteria for security policy rules is based on zones, address objects, and
applications. To support security policy rules for IPv6 traffic, you have to configure
zone and address objects with IPv6 values. You can also select IPv6 applications.
Note that in security policy rules, the meaning of the wildcard any has changed. When
flow support is enabled for IPv6 traffic, the wildcard any matches any IPv4 or IPv6
address. In Junos OS Release 10.4, new wildcards are introduced to match any IPv4 or
any IPv6 address: any-ipv4 and any-ipv6 in active/active chassis cluster. When flow
support is not enabled for IPv6 traffic, any matches IPv4 addresses.
IPv6 support for IDP and UTM are not included in Junos OS Release 10.4. If your current
security policy uses rules with any IP address wildcards and IDP and UTM features
enabled, you will encounter configuration commit errors because IDP and UTM features
do not support IPv6 addresses. To resolve these errors, modify the rule returning the
error so that it uses the any-ipv4 wildcard, and create separate rules for IPv6 traffic
that do not include IDP or UTM features. [Junos OS Security Configuration Guide]
Flow-based processing in active/active chassis clusterThis feature is supported

on all SRX Series and J Series devices.
In Junos OS Release 10.4, we support IPv6 flow-based processing in active/active
(failover) chassis cluster configurations in addition to the existing support of
active/passive chassis cluster configurations.
IPv6 flow support enables processing of IPv6 traffic by the security features of SRX
Series and J Series devices. IPv6 flow support is disabled by default, and IPv6 packets
are dropped.
To enable flow-based processing for IPv6 traffic, modify the mode statement at the
[edit security forwarding-options family inet6] hierarchy level.
The [show security flow session source-prefix] and [show security flow session
destination-prefix] commands you use to monitor session statistics now take IPv6
address arguments. In addition, the [show security flow session family (inet|inet6)]
option is added to filter session statistics by protocol family.
[Junos OS CLI Reference, Junos OS Interfaces Configuration Guide for Security Devices,
Junos OS Security Configuration Guide]
FTP ALG for routingThis feature is supported on all SRX Series and J Series devices.
102
File Transfer Protocol (FTP) is the part of the ALG that handles FTP traffic. The
PORT/PASV requests and corresponding 200/227 responses in FTP are used to
announce the TCP port, which the host listens to for the FTP data connection.
EPRT/EPSV/229 commands are used for these requests and responses. FTP ALG
supports EPRT/EPSV/229 already, but only for IPv4 addresses.
In Junos OS Release 10.4, EPRT/EPSV/229 commands are updated to support both
IPv4 and IPv6 addresses.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
ICMP ALG for routing, NAT, and NAT-PTThis feature is supported on all SRX Series
and J Series devices. ALGs support Internet Control Message Protocol version 6
(ICMPv6) an integral part of IPv6 that must be fully implemented by every IPv6 node.
The ICMP ALG handles ICMP traffic by monitoring all ICMP messages and then
performing the following actions:
Closes the session
Modifies the payload
In routing mode, the ICMP ALG closes a session if it receives one of the following
message types:
Echo reply (type 129) message
Destination unreachable (type 1) error message
In Network Address Translation (NAT mode), the ICMP ALG performs the following
actions:
Closes the session if it receives an echo reply (type 129) message or a destination
unreachable (type 1) error message
Modifies the identifier or sequence number of the echo request
Retains the original identifier and sequence number for the echo reply
Translates the embedded IPv6 packet for the ICMPv6 error message
In a Network Address Translation-Protocol Translation (NAT-PT) environment, the

ALG performs the following actions:
Closes the session if it receives an echo reply (type 129) message or a destination
unreachable (type 1) error message
Translates an ICMPv4 ping message to an ICMPv6 ping message
Translates an ICMPv6 ping message to an ICMPv4 ping message
Translates an ICMPv4 error message to an ICMPv6 error message and translates its
embedded IPv4 packet to an IPv6 packet
Translates an ICMPv6 error message to an ICMPv4 error message and translates its
embedded IPv6 packet to an IPv4 packet
103
ICMP ALG drops ICMP traffic when translation from IPv4 and IPv6 is not possible. Note
that ICMP ALG is always enabled and cannot be disabled by means of the
command-line interface (CLI).
Interfaces in active/active chassis clusterThis feature is supported on all SRX Series

and J Series devices.
A logical interface can be configured with an IPv4 address, IPv6 address, or both in
active/active chassis cluster configurations in addition to the existing support of
active/passive chassis cluster configurations.
To configure an IPv6 address for a logical interface, use the inet6 statement at the
[edit interfaces interface-name unit logical-unit family] hierarchy level. [Junos OS
Interfaces Configuration Guide for Security Devices]
Multicast flowThis feature is supported on all SRX Series and J Series devices.
The IPv6 multicast flow adds or enhances the following features:
IPv6 transit multicast, which includes the following packet functions:
Normal packet handling
Fragment handling
Packet reordering
Protocol-Independent Multicast version 6 (PIMv6) flow handling
Other multicast routing protocols such as Multicast Listener Discover (MLD)
The structure and processing of IPv6 multicast data session are the same as that of
IPv4. Each data session has the following:
One template session
Several sessions
The reverse path forwarding (RPF) check behavior for IPv6 is the same as that of IPv4.
Incoming multicast data is accepted only if RPF check succeeds. In IPv6 multicast
flow, incoming Multicast Listener Discovery (MLD) protocol packets are accepted only
if MLD or PIM is enabled in the security zone for the incoming interface. Sessions for
multicast protocol packets have a default timeout value of 300 seconds. This value
cannot be configured. The null register packet is sent to the rendezvous point.
In IPv6 multicast flow, a mulitcast router has the following three roles:
Designated router
Intermediate router
Rendezvous point
[Junos OS Class of Service Configuration Guide]
NATThis feature is supported on all SRX Series and J Series devices.
104
IPv6 Network Address Translation (IPv6 NAT) provides address translation between
IPv6 hosts. NAT between IPv6 hosts is done in a similar manner and for similar purposes
as IPv4 NAT. IPv6 NAT in Junos OS provides the following NAT types:
Source NAT
Destination NAT
Static NAT
NAT-PTThis feature is supported on all SRX Series and J Series devices.

IPv6 Network Address Translation-Protocol Translation (NAT-PT) provides address
and protocol translation between IPv4 and IPv6 addressed network devices. IPv6
NAT-PT supports both traditional NAT-PT and bidirectional NAT-PT. IPv6 NAT-PT
supports Internet Control Message Protocol (ICMP), TCP, and UDP protocol packets.
Packet filteringThis feature is supported on SRX1400, SRX3400, SRX3600,

SRX5600, and SRX5800 devices.
The packet-filtering options for IPv6 addresses and IPv6 style source prefix, destination
prefix, and interface is supported in addition to the existing functionality of IPv4
datapath-debug.
[Junos OS Security Configuration Guide, Junos OS CLI Reference]
ScreensThis feature is now supported on all SRX Series and J Series devices.
IPv6 support is extended for the following screen features:
Syn-flood/syn-proxy/syn-cookie
Syn-ack-ack-proxy
Ip-spoofing
Zone configuration in active/active chassis clusterThis feature is supported on all

SRX Series and J Series devices.
In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6)
can be deployed in active/active chassis cluster configurations with security zone
configuration in addition to the existing support of active/passive chassis cluster
configurations.
The security zone configuration considers names of the interfaces, and not the IP
addresses, hence there are no additional considerations related to the zone interface
configuration.
You can also use the zone configuration to explictly permit inbound traffic from network
system services and system protocols. Note that you can now use the host inbound
traffic configuration to permit traffic from the following IPv6-related services and
protocols: DHCPv6, neighbor discovery (ND) protocol, OSPF3, and RIPng. [Junos OS
Security Configuration Guide]
105
J-Web
IPv6 addressing support for J-WebThis feature is supported on SRX100, SRX210,

SRX220, SRX240, SRX650, and all J Series devices.
J-Web now supports IPv6 addressing configuring security features such as policies,
zones, screens, address books, host inbound system services, protocols, and
flow-forwarding options.
The following pages have been enhanced:
Zones/Screens Configuration page
Security Policy Configuration page
Security Policy Element Configuration page
Security Flow Element Configuration page
J-Web Chassis ViewThe changes and enhancements to the J-Web Chassis View
apply to SRX1400 devices.
The following enhancements have been made to the J-Web Chassis View on the
Dashboard:
Displays the front or rear panel view of the device and shows which slots are occupied.
When you insert or remove a card, the Chassis View reflects the change immediately.
Port colors change to indicate the port link status. For example, the ge port lights
steadily green when the port is up and red when the port is down.
Displays Help tips when your hover the mouse over a port.
106
MAC limiting
MAC limitingThis feature is supported on SRX100, SRX210, SRX220, and SRX650

devices.
MAC limiting protects against flooding of the Ethernet switching table (also known as
the MAC forwarding table or Layer 2 forwarding table). You enable this feature on
interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing on
access interfaces. You enable this feature on VLANs.
MAC limiting sets a limit on the number of MAC addresses that can be learned
dynamically on a single Layer 2 access interface or on all the Layer 2 access interfaces
on the switch.
You configure the maximum number of dynamic MAC addresses allowed per interface.
When the limit is exceeded, incoming packets with new MAC addresses are treated
as specified by the configuration.
You can choose to have one of the following actions performed when the limit of MAC
addresses or the limit of MAC moves is exceeded:
dropDrop the packet and generate an alarm, an SNMP trap, or a system log entry.
This is the default.
logDo not drop the packet but generate an alarm, an SNMP trap, or a system log
entry.
noneTake no action.
shutdownDisable the interface and generate an alarm. If you have configured the
switch with the port-error-disable statement, the disabled interface recovers

automatically upon expiration of the specified disable timeout. If you have not
configured the switch for autorecovery from port error disabled conditions, you can
bring up the disabled interfaces by running the clear ethernet-switching port-error
command.
NOTE: MAC limit is only applied to new MAC learning requests. If you
already have 10 MACs learned and you configure the limit as 5, all the MACs
will remain in the FDB table. Once the MACs are cleared by the user (using
the clear ethernet-switching table command), or they age out, they will not
be relearned.
MAC limiting does not apply to static MACs. Users can configure any number
of static MACs independent of the MAC limit, and all of them will be added
to FDB.
[Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices]
107
R2CP radio-to-router protocol support
R2CP radio-to-router protocol supportThis feature is supported on all SRX Series and
J Series devices.
Junos OS Release 10.4 supports the Network Centric Waveform (NCW) radio-specific
radio-to-router control protocol (R2CP), which is similar to the PPPoE radio-to-router
protocol. Both of these protocols exchange dynamic metric changes in the network
that the routers use to update the OSPF topologies.
In radio-router topologies, the router connects to the radio over a Gigabit Ethernet link
and the radio transmits packets over the radio frequency (RF) link. The radio periodically
sends metrics to the router, which uses RF link characteristics and other data to inform
the router on the shaping and OSPF link capacity. The router uses this information to
shape the data traffic and provide the OSPF link cost for its SPF calculations. The radio
functions like a Layer 2 switch and can only identify remote radio-router pairs using
Layer 2 MAC addresses. With R2CP the router receives metrics for each neighboring
router, identified by the MAC address of the remote router. The R2CP daemon translates
the MAC addresses to link the local IPv6 addresses and sends the metrics for each
neighbor to OSPF. Processing these metrics is similar to the handling of PPPoE PADQ
metrics. Unlike PPPoE, which is a point-to-point link, these R2CP neighbors are treated
as nodes in a broadcast LAN.
You must configure each neighbor node with a per-unit scheduler for CoS. The scheduler
context defines the attributes of Junos class-of-service(CoS). To define CoS for each
radio, you can configure virtual channels to limit traffic. You need to configure virtual
channels for as many remote radio-router pairs as there are in the network. You
configure virtual channels on a logical interface. You can configure each virtual channel
to have a set of eight queues with a scheduler and an optional shaper. When the radio
initiates the session with a peer radio-router pair, a new session is created with the
remote MAC address of the router and the VLAN over which the traffic flows. Junos
OS chooses from the list of free virtual channels and assigns the remote MAC and the
eight CoS queues and the scheduler to this remote MAC address. All traffic destined
to this remote MAC address is subjected to the CoS that is defined in the virtual channel.
A virtual channel group is a collection of virtual channels. Each radio can have only one
virtual channel group assigned uniquely. If you have more than one radio connected
to the router, you must have one virtual channel group for each local radio-to-router
pair.
Although a virtual channel group is assigned to a logical interface, a virtual channel is
not the same as a logical interface. The only features supported on a virtual channel
are queuing, packet scheduling, and accounting. Rewrite rules and routing protocols
apply to the entire logical interface.
[LN1000 Mobile Secure Router User Guide]
108
Security
Display multiple policy matchesThis feature is supported on all SRX Series and J
Series devices.
The addition of the result-count option in Junos OS Release 10.4 extends the
functionality of the show security match-policies command and lets you display up to
16 policy matches for the given set of criteria. The first policy in the list is the policy
applied to all matching traffic. All policies after the first one are shadow policies
(shadowed by the first one) and are not encountered. [Junos OS Security Configuration
Guide]
DHCPv6 serverThis feature is supported on all SRX Series and J Series devices.
Dynamic Host Configuration Protocol version 6 (DHCPv6) local server is now supported
on all SRX Series and J Series devices to provide addressing for IPv6 clients.
Some features include:
Configuration for a specific interface or a group of interfaces
Stateless Address Autoconfiguration (SLAAC)
Prefix delegation, including access-internal route installation
DHCPv6 server groups
To configure DHCPv6 local server on a device, you include the DHCPv6 statement at
the [edit system services dhcp-local-server] hierarchy level. The DHCPv6 address pool
is configured in the [edit access address-assignment pool] hierarchy level using the
family inet6 statement.
NOTE: Existing DHCPv4 configurations in the [edit system services dchp]

hierarchy will not be impacted when upgrading to 10.4, or by adding a
DCHPv6 configuration.
[Junos OS Administration Guide for Security Devices, Junos OS CLI Reference]
On-box reportingThis feature is supported on SRX100, SRX210, SRX220, SRX240,

SRX650, and all J Series devices.
On-box reporting offers a comprehensive reporting facility where your security
management team can spot a security event when it occurs, immediately access and
review pertinent details about the event, and quickly decide appropriate remedial
action.
J-Web reports provide summary graphics of current security events, Web traffic, and
resource utilization. When event activity occurs, you can quickly drill down to detailed
information about the specific item.
In Junos OS Release 10.4, on-box reporting capabilities include:
Real-time threat event monitoring
Dynamic visuals for quick threat identification, tracking, and analysis
109
Event-specific drill-down to determine traffic characteristics and policy rule matches
Composite reports of recent threats or traffic
[Junos OS Administration Guide for Security Devices]
Optional CP Session Capacity Expansion on Fully Configured DevicesThis feature

is supported on SRX3400, SRX3600, and SRX5800 devices.
The session capacity for the central point (CP) for fully configured SRX3400, SRX3600,
and SRX5800 devices can be expanded as shown in the following list.
Maximum Concurrent CP Sessions on a Fully Loaded System
SRX Series Devices
Default
With Expanded Capacity
SRX3400
2.25 million
3 million
SRX3600
2.25 million
6 million
SRX5800
12.5 million
14.0 million
On an SRX3400 or SRX3600 device, you expand the maximum CP session capacity

by installing the SRX3K-EXTREME-LTU license.
On an SRX5800 device, you expand the maximum CP session capacity by specifying
the maximize-cp-sessions optimization option in the edit security forwarding-process
application-services command. Using this optimization technique precludes other
optimization methods, disables advanced GTP processing, and reduces routing capacity
to 100K prefixes.
SNMP
SNMP enterprise-specific MIBsThis feature is supported on all SRX Series and J

Series devices.
Junos OS Release 10.4 adds support for enterprise-specific MIBs for the SRX1400
device.
[SRX1400, SRX3400, and SRX3600 Services Gateways MIB Reference]
SRX Series Image Upgrade Using a USB Device
This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
The SRX Series Image Upgrade using a USB device feature simplifies the upgrading of
Junos OS images in cases where there is no console access to an SRX Series device
located at a remote site. This feature allows you to upgrade the Junos OS image with
minimum configuration effort by simply inserting a USB flash drive into the USB port
of the SRX Series device and performing a few simple steps.
NOTE: USB upgrades are not supported on chassis clusters.
110
Before you begin the installation, ensure the following prerequisites are met:
Junos OS upgrade image and autoinstall.conf file are copied to the USB device.
Adequate space is available on the SRX Series device to install the software image.
To use a USB flash drive to install the Junos OS image on an SRX Series device:
1.
Insert the USB flash drive into the USB port of the SRX Series device and wait for
the LEDs to blink amber, then steadily light amber, indicating that the SRX Series
device detects the Junos OS image.
If the LEDs do not turn amber, press the Power button or power-cycle the device
and wait for the LEDs to steadily light amber.
2. Press the Reset Config button on the SRX Series device and wait for the LEDs to
turn green, indicating that the Junos OS upgrade image has successfully installed.
If the USB device is plugged in, the Reset Config button always performs as an
image upgrade button. Any other functionality of this button is overridden until you
remove the USB flash drive.
3. Remove the USB flash drive. The SRX Series device restarts automatically and
loads the new Junos OS version.
NOTE: If an installation error occurs, the LEDs light red, which might indicate
that the Junos OS image on the USB flash drive is corrupted. An installation
error can also occur if the current configuration on the SRX Series device
is not compatible with the new Junos OS version on the USB. You must
have console access to the SRX Series device to troubleshoot an installation
error.
[Junos OS Administration Guide for Security Devices]

TCP Session
TCP Session Check Per PolicyThis feature is supported on all SRX Series devices.
By default, TCP SYN check and TCP sequence check options are enabled on all TCP
sessions. The Junos operating system (Junos OS) performs the following operations
during TCP sessions:
Checks for SYN flags in the first packet of a session and rejects any TCP segments
with non- SYN flags attempting to initiate a session.
Validates the TCP sequence numbers during stateful inspection.
The TCP session check per-policy feature enables you to configure SYN checks and
sequence checks for each policy. Currently, the TCP options flags, no-sequence-check
and no-syn-check, are available at a global level to control the behavior of services
gateways. To support per-policy TCP options, the following two options are available:
sequence-check-required: The sequence-check-required value will override the

global value no-sequence-check.
111
syn-check-required: The syn-check-required value will override the global value

no-syn-check.
To configure per-policy TCP options, the respective global options must be turned off;
otherwise, the commit check will fail. If global TCP options are disabled and SYN flood
protection permits the first packet, then the per-policy TCP options will control whether
SYN check and/or sequence check are performed.
NOTE:
The per-policy SYN check required option will not override the behavior of
the set security flow tcp-session no-syn-check-in-tunnel CLI command.
Disabling the global SYN check reduces the effectiveness of the device In
defending against packet flooding.
VPNs
IKE and IPsec predefined proposals for dynamic VPNThis feature is supported on
In earlier releases, the administrators had to configure individual Internet Key Exchange
(IKE) and IP Security (IPsec) proposals for all IKE and IPsec policy configurations. This
procedure was tedious and time consuming when the administrators had to configure
many VPN policies because they had to configure custom proposals for all IKE and
IPsec configurations.
Junos OS Release 10.4 supports proposal-set configuration in IKE and IPsec; the
administrator can select basic, compatible, or standard proposal sets for dynamic VPN
clients. Each proposal set consists of two or more predefined proposals. The server
selects one predefined proposal from the set configured and pushes it to the client in
the client configuration. The client uses this proposal in negotiations with the server
to establish the connection.
The default values for IKE and IPsec security association (SA) rekey timeout are as
follows:
For IKE SA, the rekey timeout is 28800 seconds.
For IPsec SA, the rekey timeout is 3600 seconds.
The basic use cases of proposals are as follows:
IKE and IPsec both use proposal sets.

The server selects a predefined proposal from the proposal set and sends it to the
client, along with the default rekey timeout value.
IKE uses a proposal set, and IPsec uses a custom proposal.

The server sends a predefined IKE proposal from the configured IKE proposal set to
the client, along with the default rekey timeout value. For IPsec, the server sends the
setting that is configured in the IPsec proposal.
IKE uses a custom proposal, and IPsec uses a proposal set.
112
The server sends a predefined IPsec proposal from the configured IPsec proposal
set to the client, along with the default rekey timeout value. For IKE, the server sends
the setting that is configured in the IKE proposal.
NOTE: If IPsec uses the standard proposal set and perfect forward secrecy
(PFS) is not configured, then the default PFS is set as group2. For other
proposal sets, PFS will not be set because it is not configured.
Local authentication and IP address assignment for dynamic VPNThis feature is

supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
A client application sends an authentication request and a request for an IP address
on behalf of an unauthenticated client at the same time. The communication between
the client and AUTHD is minimized because the IP address request is not sent as a
separate message.
After successful local authentication, AUTHD performs the following tasks:
Assigns the address from the predefined (or statically assigned) address pools if
the address matches the criteria specified by the client application.
Assigns attributes such as wins server and name-server address.
Updates the associated client entry in the session database.
Note: For client applications that rely on a RADIUS or other external server for
authentication, AUTHD might not assign IP addresses.
This feature is used to perform the following:
Assign an IP address to the client after successful authentication.
Provide a mechanism in AUTHD for linking an address pool to a client profile and
assigning an IP address to the client from the pool.
Provide a mechanism in AUTHD for assigning IP version 4 (IPv4) addresses to the

users.
Provide different IP addresses for multiple logins by the same user.
Allow configuration changes in the address pool after address assignment.
Address pools are defined at the [edit access address-assignment] hierarchy.

[Junos OS CLI Reference, Junos OS Administration Guide for Security Devices]
Local IP address management for VPN XAuth supportThis feature is supported on

SRX100, SRX210, SRX240, SRX650, J4350, and J6350 devices.
When you configure extended authentication (XAuth), you must enter the username
and password, after the Internet Key Exchange (IKE) phase 1 security association (SA)
is established. AUTHD verifies the credentials received from you.
113
After successful authentication, AUTHD sends the following network parameters to

IKE or XAuth:
IP address
Domain Name System (DNS)
Windows Internet Naming Service (WINS)
The IP address can be drawn from a locally configured IP address pool. AUTHD requires
IKE or XAuth to release the IP address when it is no longer in use.
IKE provides a mechanism for establishing IP Security (IPsec) tunnels.
[Junos OS CLI User Guide, Junos OS Security Configuration Guide]
Support group Internet Key Exchange (IKE) IDs for dynamic VPN configuration This
feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
The existing design of the dynamic virtual private network (VPN) uses unique Internet
Key Exchange (IKE) ID for each user connection. For each user, VPN needs to be
configured with an individual IKE gateway, an IPsec VPN, and a security policy using
the IPsec VPN. This is cumbersome when there are a large number of users. The design
is modified to allow a number of users to share a set of IKE or IPsec VPN (or policy
configuration) using shared-ike-id or group-ike-id. This reduces the number of times
the VPN needs to be configured.
The shared-ike-id and group-ike-id allow you to configure VPN once for multiple users.
All users connecting through a shared-ike-id configuration use the same IKE ID and
preshared key. The user credentials are verified in the extended authentication (XAuth)
phase of AUTHD. The credential of a user is configured either in Radius or in the access
database of AUTHD.
When using group-ike-id or shared-ike-id for user connection management and
licensing, the users on the client PC must use the same user credentials for both
WebAuth and XAuth login (that is, the two client login windows) to prevent undesirable
behavior and incorrect CLI output on the server.
NOTE: We recommend that you use group-ike-id whenever possible.
For group-ike-id, a part of the configuration for a user IKE ID is common to the group.
The IKE ID is the concatenation of an individual part and the common part of IKE ID.
For example, a user can use a group-ike-id configuration with a common part
".juniper.net" and the individual part X. The IKE ID can be "X.juniper.net". Httpd-gk
generates the individual part of the IKE ID.
The group-ike-id does not require extended authentication (XAuth). However, for
dynamic VPN, XAuth is needed to retrieve the network attributes such as IP address
for the client. Therefore, if XAuth is not configured for group-ike-id and the administrator
uses the IKE gateway in a dynamic VPN client, a warning message appears.
This feature introduces new commands for ike sa and dynamic-vpn and new options
in the IKE Gateway Add/Edit page of J-Web.
114
Dynamic VPN access through the Junos Pulse clientThis feature is supported on
Junos Pulse enables secure authenticated network connections to protected resources
and services over LANs and WANs. Junos Pulses is a remote access client developed
to replace the earlier access client called Juniper Networks Access Manager. You must
uninstall Access Manager before you install the Junos Pulse client.
Junos Pulse supports remote virtual private network tunnel connectivity to SRX Series
Services Gateways that are running Junos OS. To configure a firewall access
environment for Junos Pulse clients, you must configure the VPN settings on the SRX
Series device and create and deploy a firewall connection on the Junos Pulse client.
For SRX Series devices running Junos OS Releases 10.2 through 10.4, Junos Pulse is
supported but must be deployed separately. In Junos OS Release 11.1 and later releases,
if the Pulse client does not exist on the client machine, the Pulse client is automatically
downloaded and installed when you log in to an SRX Series device. If the Pulse client
exists on the client machine, you must launch the Pulse client.
Hardware FeaturesSRX210, SRX220, and SRX240 Services Gateways

AX411 Access Point Support on SRX220 Services Gateways
SRX220 Services Gateways running Junos OS Release 10.4R1 or later releases support
the AX411 Access Point in the same manner as do the SRX210, SRX240, and SRX650
Services Gateways. Support for the SRX220 Services Gateway is not documented in the
AX411 Access Point Hardware Guide or in the WLAN Configuration and Administration
Guide, but wherever those guides indicate support for the SRX210 Services Gateway,
that support applies to the SRX220 Services Gateway as well.
1-Port Small Form-Factor Pluggable (SFP) Gigabit Ethernet Mini-Physical Interface
Module (Mini-PIM)
The 1-Port Small Form-Factor Pluggable (SFP) Gigabit Ethernet Mini-Physical Interface
Module (Mini-PIM) complements the on-board 10/100/1000 Mbps Ethernet interfaces
with extended LAN or WAN connectivity. It offers support for a variety of transceivers.
This Mini-PIM can be used in copper and optical environments to provide maximum
flexibility when upgrading from an existing infrastructure to Metro Ethernet. This Mini-PIM
is supported on the following devices:
SRX210 Services Gateway
The following key features are supported on the 1-Port SFP Gigabit Ethernet Mini-PIM:
Online insertion and removal of transceivers
Real-time visual status of connectivity and traffic flows
115
Link Up/Down status
Half/full duplex support
Autonegotiation
For more information on the 1-Port SFP Gigabit Ethernet Mini-PIM, see the SRX Series
Services Gateways for the Branch Physical Interface Modules Hardware Guide.
For information on configuring the 1-Port SFP Gigabit Ethernet Mini-PIM, see the Junos
OS Interfaces Configuration Guide for Security Devices.
Hardware FeaturesSRX220 Services Gateway with Power Over Ethernet

Overview
The Juniper Networks SRX220 Services Gateway with Power over Ethernet (PoE) offers
complete functionality and flexibility for delivering secure, reliable data over IP, along
with multiple interfaces that support WAN and LAN connectivity.
The device provides Internet Protocol Security (IPsec), virtual private network (VPN),
and firewall services for small-sized and medium-sized companies and enterprise branch
and remote offices.
Accessing the SRX220 Services Gateway
Two user interfaces are available for monitoring, configuring, troubleshooting, and
managing the SRX220 Services Gateway:
J-Web interface: Web-based graphical interface that allows you to operate a services
gateway without commands. The J-Web interface provides access to all Junos OS
functionality and features.
Junos OS command-line interface (CLI): Juniper Networks command shell that runs
on top of a UNIX-based operating system kernel. The CLI is a straightforward command
interface. On a single line, you type commands that are executed when you press the
Enter key. The CLI provides command Help and command completion.
Hardware Features
Table 3 on page 116 lists the hardware features supported on the SRX220 Services
Gateway.
Table 3: SRX220 Services Gateway Hardware Features

Feature
SRX220 Services Gateway (SRX220H)

with PoE (SRX220H-POE)
DDR memory
1 GB
1 GB
SIP/analog voice support
No
No
PoE support
No
120 watts supported across eight

ports (0/0 through 0/7)
116
Table 3: SRX220 Services Gateway Hardware Features (continued)

Feature
SRX220 Services Gateway (SRX220H)

with PoE (SRX220H-POE)
Power supply adapter
100 to 240 VAC input
100 to 240 VAC input
60 W, 12V DC output
200 W, 54V DC output
Average power consumption (no Mini-PIMs

installed, no PoE power draw)
28 W
35 W
Gigabit Ethernet ports
Console port
USB ports
Mini-PIM slots
LEDs
Status, Alarm, HA, Power, Mini-PIMs, Port

(TX/RX)
Status, Alarm, HA, Power,

Mini-PIMs, Port (TX/RX and PoE)
CompactFlash
1 externally accessible
1 externally accessible
NOTE: The PoE LED is enabled only on the SRX220H-POE model of the
SRX220 Services Gateway. For the SRX220H model, the PoE LED remains
off.
For more details on the SRX220 Services Gateway software features and licenses, see
the Junos OS Administration Guide for Security Devices.
Hardware Interfaces
Table 4 on page 118 summarizes the interface ports supported on the SRX220 Services
Gateway.
117
Table 4: SRX220 Services Gateway Built-In Hardware Interfaces

Interface Type
Specifications
Description
Gigabit Ethernet
Eight ports that:
The Gigabit Ethernet ports can be used

as follows:
Are labeled 0/0 through 0/7 on the

front panel
Use RJ-45 connectors
Provide link speeds of 10/100/1000

Mbps
Operate in full-duplex and half-duplex

modes
Support flow control
Support autonegotiation and

autosensing
To function as front-end network

ports
To provide LAN and WAN connectivity

to hubs, switches, local servers, and
workstations
To forward incoming data packets to

the device
To receive outgoing data packets from

the device
To connect power devices to receive

network connectivity and electric
power (PoE functionality) (For the
PoE and media gateway model of the
SRX220 Services Gateway)
All Gigabit Ethernet ports support Power

over Ethernet on the PoE and media
gateway model of the SRX220 Services
Gateway.
Universal Serial Bus (USB)
Two ports that:
The USB ports can be used as follows:
Function in full speed and high speed
Comply with USB revision 2.0
To support a USB storage device that

functions as a secondary boot device
in case of CompactFlash failure on
startup (if the USB storage device is
installed and configured).
NOTE: You must install and configure

the USB storage device on the USB port
to use it as secondary boot device.
Additionally, the USB device must have
Junos OS installed.
To provide the USB interfaces that are

used to communicate with many
types of USB storage devices
supported by Juniper Networks.
Contact your Juniper Networks customer

service representative for more
information.
Console
118
One port that:
The console port can be used as follows:
Uses an RJ-45 serial cable connector
To provide the console interface
Supports the RS-232 (EIA-232)

standard
To function as a management port to

log into a device directly
To configure the device using the CLI
Table 4: SRX220 Services Gateway Built-In Hardware Interfaces (continued)

Interface Type
Specifications
Description
Mini-Physical Interface Module

(Mini-PIM)
Two slots for Mini-PIMs
The Mini-PIM slots can be used to

provide LAN and WAN functionality
along with connectivity to various media
types.
For more information about the
supported Mini-PIMs, see the SRX Series
Services Gateways for the Branch
Physical Interface Modules Hardware
Guide.
NOTE: We strongly recommend that only transceivers provided by Juniper

Networks be used on an SRX220 Services Gateway. We cannot guarantee
that the interface module will operate correctly if third-party transceivers
are used. Contact Juniper Networks for the correct transceiver part number
for your device.
Hardware FeaturesSRX1400 Services Gateway
Introduction on page 119
Supported Models on page 120
Hardware Features on page 120
Physical Specifications on page 121
Introduction
This release supports the SRX1400 Services Gateway.
Juniper Networks SRX1400 Services Gateway expands the SRX Series family of
next-generation security platforms, delivering market-leading performance and extensive
service integration to 10 gigabits per second (10 Gbps) environments that require the
features without the massive scalability and aggregated throughput provided by Juniper
Networks SRX3000 line and SRX5000 line. The SRX1400 Services Gateway provides
firewall support with key features such as IP Security (IPsec), virtual private network
(VPN), and high-speed deep packet inspection features such as intrusion detection and
prevention (IDP).
The SRX1400 is ideally suited for small to medium-size data centers, enterprise, and
service provider network security deployments where consolidation of security
functionality, uncompromised 10 Gbps performance, compact environmental footprint,
and affordability are key requirements.
The SRX1400 Services Gateway is three rack units (U) tall. Sixteen devices can be stacked
in a single floor-to-ceiling rack, for increased port density per unit of floor space. The
device provides common form-factor module (CFM) slots that can be populated with
Network and Services Processing Card (NSPC), and I/O cards (IOCs). The device also
119
has one dedicated slot for System I/O card (SYSIOC), one dedicated slot for the Routing
Engine, two slots for power supplies, and one slot for the fan tray and air filter.
The SRX1400 Services Gateway runs Junos OS. You can use the Junos OS command-line
interface (CLI) or J-Web (Web-based graphical interface) to monitor, configure,
troubleshoot, and manage the SRX1400 Services Gateway.
Supported Models
The SRX1400 Services Gateway is available in four models, which are listed in Table 5
on page 120.
Table 5: SRX1400 Services Gateway Models

Model Number
Device Type
SRX1400BASE-GE-AC
SRX1400 Services Gateway with 1-Gigabit Ethernet SYSIOC and

AC power supply
SRX1400BASE-GE-DC

DC power supply
SRX1400BASE-XGE-AC

AC power supply
SRX1400BASE-XGE-DC

DC power supply
Hardware Features
Table 6 on page 120 lists the hardware features supported on the SRX1400 Services
Gateway.
Table 6: SRX1400 Services Gateway Hardware Features

Feature
Description
Input voltage
100 to 240 V AC
-40 to -72 V DC
Power supplies
2
The SRX1400 Services Gateway allows two power supplies
for redundancy. The following types of power supplies are
supported:
AC power supply (for AC-powered devices)
DC power supply (for DC-powered devices)
Ethernet port (10/100/1000 Mbps)
Console port
Universal Serial Bus (USB) ports
120
Table 6: SRX1400 Services Gateway Hardware Features (continued)

Feature
Description
Auxiliary port
Fans
Fan tray
Air filter
Physical Specifications
Table 7 on page 121 summarizes the physical specifications of the SRX1400 Services
Gateway chassis.
Table 7: SRX1400 Services Gateway Physical Specifications

Specification
Value
Chassis height
5.25 in. (13.3 cm), 3 rack units (3 U)
Chassis width
17.5 in. (44.5 cm)
Chassis depth
13.8 in. (35.05 cm)
Chassis weight (base chassis [Chassis with Routing

Engine, SYSIOC, and power supply] )
29.3 lb (13.3 kg)
Routing Engine weight
2.9 lb (1.3 kg)
NSPC weight
7.71 lb (3.5 kg)
SYSIOC weight
2.42 lb (1.102 kg)
IOC weight
2.4 lb (1.1 kg)
Fan tray weight
2.93 lb (1.33 kg)
Air filter weight
0.11 lb (0.054 kg)
DC power supply weight
2.9 lb (1.3 kg)
AC power supply weight
3.1 lb (1.4 kg)
121
Hardware FeaturesSRX3400 and SRX3600 Services Gateways

Enhanced DC Power Supply
The enhanced DC power supply for the SRX3400 and SRX3600 Services Gateways is
an alternative to the standard DC power supply. The enhanced DC power supply helps
your services gateway meet the following NEBS and ETSI standards:
GR-63-CORE
ETSI 300019-2-1
ETSI 300019-2-2
ETSI 300019-2-3
GR-1089-CORE
Each enhanced DC power supply provides up to 1200 watts of power. In the SRX3400
Services Gateway, the enhanced DC power supply lets you configure your device with
more Services Processing Cards (SPCs), Network Processing Cards (NPCs), or I/O cards
(IOCs) than is possible with the standard 850-watt DC power supply.
NOTE: Mixing of standard and enhanced DC power supplies within the same
chassis is not supported. All installed DC power supplies must be either of
standard or enhanced types.
Table 8 on page 122 shows the different SPC, NPC, and IOC configurations applicable to
the standard and enhanced DC power supplies in the SRX3400 Services Gateway.
Table 8: Supported Combinations of SPCs, NPCs, and IOCs for Standard and Enhanced
DC Power Supplies
Enhanced DC Power Supplies (SKU
SRX3K-PWR-DC2) or
AC Power Supplies (SKU SRX3K-PWR-AC)
Standard DC Power Supplies (SKU

SRX3K-PWR-DC)
NPCs
SPCs
NPCs
4 IOCs
4 IOCs
4 IOCs
4 IOCs
4 IOCs
3 IOCs
4 IOCs
3 IOCs
3 IOCs
2 IOCs
2 IOCs
1 IOCs
2 IOCs
1 IOC
0 IOCs
Not
supported
SPCs
In the SRX3600 Services Gateway, the supported SPC, NPC, and IOC configurations are
the same for both the standard and the enhanced DC power supply.
122
Advertising Bandwidth for Neighbors on a Broadcast Link Support
See the SRX3400 Services Gateway Hardware Guide or the SRX3600 Services Gateway
Hardware Guide for detailed information about the enhanced DC power supply and
additional requirements for NEBS and ETSI compliance.
Related
Documentation
Routers on page 158
Advertising Bandwidth for Neighbors on a Broadcast Link Support

This feature is supported on all SRX Series and J Series devices.
You can now advertise bandwidth for neighbors on a broadcast link. The network link is
a point-to-multipoint (P2MP) link in the OSPFv3 link state database. This feature uses
existing OSPF neighbor discovery to provide automatic discovery without configuration.
It allows each node to advertise a different metric to every other node in the network to
accurately represent the cost of communication. To support this feature, a new
interface-type under the OSPFv3 interface configuration has been added to configure
the interface as p2mp-over-lan. OSPFv3 then uses LAN procedures for neighbor discovery
and flooding, but represents the interface as P2MP in the link state database.
The interface type and router LSA are available under the following hierarchies:
[protocols ospf3 area area-id interface interface-name]
[routing-instances routing-instances-name protocols ospf3 area area-id interface

interface-name]
[LN1000 Mobile Secure Router User Guide]
Group VPN Interoperability with Ciscos GET VPN

Ciscos implementation of GDOI is called Group Encryption Transport (GET) VPN. While
group VPN in Junos OS and Cisco's GET VPN are both based on RFC 3547, The Group
Domain of Interpretation, there are some implementation differences that you need to
be aware of when deploying GDOI in a networking environment that includes both Juniper
Networks security devices and Cisco routers. This topic discusses important items to
note when using Cisco routers with GET VPN and Juniper Networks security devices with
group VPN.
Cisco GET VPN members and Juniper Group VPN members can interoperate as long as
the server role is played by a Cisco GET VPN server, Juniper Networks security devices
are group members, and with the following caveats:
The group VPN in Release 10.4 of Junos OS has been tested with Cisco GET VPN servers
running Version 12.4(22)T and Version 12.4(24)T.
123
To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group
includes a Juniper Networks security device. The Cisco GET VPN server implements a
proprietary ACK for unicast rekey messages. If a group member does not respond to the
unicast rekey messages, the group member is removed from the group and is not able
to receive rekeys. An out-of-date key causes the remote peer to treat IPsec packets as
bad SPIs. The Juniper Networks security device can recover from this situation by
reregistering with the server to download the new key.
Antireplay must be disabled on the Cisco server when a VPN group of more than two
members includes a Juniper security device. The Cisco server supports time-based
antireplay by default. A Juniper Networks security device will not be able to interoperate
with a Cisco group member if time-based antireplay is used since the timestamp in the
IPsec packet is proprietary. Juniper Networks security devices are not able to synchronize
time with the Cisco GET VPN server and Cisco GET VPN members as the sync payload
is also proprietary. Counter-based antireplay can be enabled if there are only two group
members.
According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds
before a key expires and the Cisco GET VPN member triggers rekeys 60 seconds before
a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security
device member would match Cisco behavior.
A Cisco GET VPN member accepts all keys downloaded from the GET VPN server. Policies
associated with the keys are dynamically installed. A policy does not have to be configured
on a Cisco GET VPN member locally, but a deny policy can optionally be configured to
prevent certain traffic from passing through the security policies set by the server. For
example, the server can set a policy to have traffic between subnet A and subnet B be
encrypted by key 1. The member can set a deny policy to allow OSPF traffic between
subnet A and subnet B not be encrypted by key 1. However, the member cannot set a
permit policy to allow more traffic to be protected by the key. The centralized security
policy configuration does not apply to the Juniper Networks security device.
On a Juniper Networks security device, the ipsec-group-vpn configuration statement in
the permit tunnel rule in a scope policy references the group VPN. This allows multiple
policies referencing a VPN to share an SA. This configuration is required to interoperate
with Cisco GET VPN servers.
Logical key hierarchy (LKH), a method for adding and removing group members, is not
supported with group VPN on Juniper Networks security devices.
GET VPN members can be configured for cooperative key servers (COOP KSs), an ordered
list of servers with which the member can register or reregister. Multiple group servers
cannot be configured on group VPN members.
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services
Gateways and J Series Services Routers
The following current system behavior, configuration statement usage, and operational
mode command usage might not yet be documented in the Junos OS documentation:
124
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Application Identification
Improved uninstall options for predefined and custom application objectsThis

feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800
devices.
The following options have been added to the request services applciation-identificaiton
uninstall command to uninstall the predefined application definition package, all
custom application definitions, or both at one time.
allUninstall from your configuration both the predefined application definition package
and all custom application definitions that you have created.

customer-definedUninstall from your configuration all custom application definitions
that you created, but maintain the predefined application definition package.
predefined(Default) Uninstall from your configuration the predefined application
definition package, but maintain all custom application definitions that you have
created.
125
The show security alg msrpc object-id-map CLI command has a chassis cluster node
option to permit the output to be restricted to a particular node or to query the entire
cluster. The show security alg msrpc object-id-map node CLI command options are
<node-id | all | local | primary>.
AppSecure
On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you create
custom application or nested application signatures for Junos OS application
identification, the order value must be unique among all predefined and custom
application signatures. The order value determines the application-matching priority
of the application signature.
NOTE: The order value range for predefined signatures is 1 through 32,767.
We recommend that you use an order range higher than 32,767 for custom
signatures.
The order value is set with the set services application-identification application
application-name signature order command. You can also view all signature order
values by entering the show services application-identification | display set | match order
command. You will need to change the order number of the custom signature if it
conflicts with another application signature.
Chassis Cluster
For SRX Series branch devices (SRX100, SRX210, SRX240, and SRX650), The values
for default cluster heartbeat interval and threshold were changed to 1000ms and 3
respectively from R10.4 branch platforms. In the prior releases the values for cluster
heartbeat interval and threshold defaulted to 2000ms and 8 respectively.
126
Command-Line Interface (CLI)
On AX411 Access Points, the possible completions available for the CLI command set
wlan access-point < ap_name > radio < radio_num > radio-options channel number ?
have changed from previous implementations.

Now this CLI command displays the following possible completions:
Example 1:
user@host# set wlan access-point ap6 radio 1 radio-options channel number ? Possible
completions:
36 Channel 36
40 Channel 40
44 Channel 44
48 Channel 48
52 Channel 52
56 Channel 56
60 Channel 60
64 Channel 64
100 Channel 100
108 Channel 108
112 Channel 112
116 Channel 116
120 Channel 120
124 Channel 124
128 Channel 128
132 Channel 132
136 Channel 136
140 Channel 140
149 Channel 149
153 Channel 153
157 Channel 157
161 Channel 161
165 Channel 165
auto Automatically selected
Example 2:
user@host# set wlan access-point ap6 radio 2 radio-options channel number ?
1 Channel 1
2 Channel 2
3 Channel 3
4 Channel 4
5 Channel 5
6 Channel 6
7 Channel 7
8 Channel 8
9 Channel 9
10 Channel 10
11 Channel 11
12 Channel 12
127
13 Channel 13
14 Channel 14
auto Automatically selected
On SRX210 devices, packet drop might be seen while prioritizing multiple data streams
configured with the same multilink class on single-member-link ML bundles that are
configured between SRX Series and J Series devices and other types of devices. As a
workaround, ensure that each forwarding class is configured with one multilink class
on multilink bundles on SRX Series and J Series devices. This will avoid out-of-order
transmission of multilink fragments for a given multilink class. This is not applicable
to LFI traffic; also, when Q is marked for LFI, do not change the Q configuration.
On SRX210 devices with Integrated Convergence Services, TDM configuration change

might interrupt existing TDM calls. The voice calls do not work. Run the CLI restart rtmd
command after making a configuration change.
On SRX210 devices with Integrated Convergence Services, registrations do not work

when PCS is configured and removed through the CLI. The dial tone disappears when
the analog station calls the SIP station. As a workaround, either run the restart rtmd
command or restart the device.
On SRX5600 and SRX5800 devices, the set security end-to-end-debug CLI hierarchy
command has been changed to set security datapath-debug
On AX411 Access Points, the possible completions available for the CLI command set
wlan access-point mav0 radio 1 radio-options mode? have changed from previous
implementations.
Now this CLI command displays the following possible completions:
Example 1:
user@host# set wlan access-point mav0 radio 1 radio-options mode ?
Possible completions:
5GHz Radio Frequency -5GHz-n
a Radio Frequency -a
an Radio Frequency -an
[edit]
Example 2:
user@host# set wlan access-point mav0 radio 2 radio-options mode ?
Possible completions:
2.4GHz Radio Frequency --2.4GHz-n
bg Radio Frequency -bg
bgn Radio Frequency -bgn
128
On SRX Series devices, the show system storage partitions command now displays the
partitioning scheme details on SRX Series devices.
Example 1:
show system storage partitions (dual root partitioning)
user@host# show system storage partitions

Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)
Partitions Information:
Partition Size Mountpoint
s1a 293M altroot
s2a 293M /
s3e 24M /config
s3f 342M /var
s4a 30M recovery
Example 2:
show system storage partitions (single root partitioning)

Boot Media: internal (da0)
s1a 898M /
s1e 24M /config
s1f 61M /var
show system storage
partitions (USB)
Example 3:
show system storage partitions (usb)

Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)
s1a 293M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 30M recovery
Configuration
J Series devices no longer allow a configuration in which a tunnel's source or destination

address falls under the subnet of the same logical interfaces address.
129
On SRX100, SRX210, SRX240, and SRX650 devices, the current Junos OS default
configuration is inconsistent with the one in Secure Services Gateways, thus causing
problems when users migrate to SRX Series devices. As a workaround, users should
ensure the following steps are taken:
The ge-0/0/0 interface should be configured as the Untrust port (with the DHCP
client enabled).
The rest of the on-board ports should be bridged together, with a VLAN IFL and
DHCP server enabled (where applicable).
Default policies should allow trust->untrust traffic.
Default NAT rules should apply interface-nat for all trust->untrust traffic.
DNS/Wins parameters should be passed from server to client and, if not available,
users should preconfigure a DNS server (required for download of security packages).
Dynamic VPN
Working with the Pulse client Junos Pulse enables secure authenticated network
connections to protected resources and services over LANs and WANs. Junos Pulse is
a remote access client developed to replace the earlier access client called Juniper
Networks Access Manager. You must uninstall Access Manager before you install the
Junos Pulse client.
For SRX100, SRX210, SRX220, SRX240, and SRX650 devices running Junos OS Release
10.2 and later, Junos Pulse is supported but must be deployed separately. Users can
download and install the pulse client manually from Juniper support site.
Flow and Processing
For the flow session log on all SRX Series devices, policy configuration has been
enhanced. Information on the packet incoming interface parameter in the session log
for session-init and session-close and when a session is denied by a policy or by the
application firewall is provided to meet Common Criteria (CC) Medium Robustness
Protection Profiles (MRPP) compliance:
Policy configurationTo configure the policy for the session for which you want to
log matches as log session-init or session-close and to record sessions in syslog:
set security policies from-zone untrustZone to-zone trustZone policy policy13 match
source-address extHost1
destination-address intHost1
application junos-ping
set security policies from-zone untrustZone to-zone trustZone policy policy13 then
permit
130
set security policies from-zone untrustZone to-zone trustZone policy policy13 then log
session-init
set security policies from-zone untrustZone to-zone trustZone policy policy13 then log
session-close
flow match policy13 will record the following information in the log:
<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="1.1.1.2"
source-port="1" destination-address="2.2.2.2" destination-port="46384"
service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1"
nat-destination-address="2.2.2.2" nat-destination-port="46384"
src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1"
policy-name="policy1" source-zone-name="trustZone"
destination-zone-name="untrustZone" session-id-32="41"
packet-incoming-interface="ge-0/0/1.0"] session created 1.1.1.2/1-->2.2.2.2/46384
icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 ge-0/0/1.0
<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.40 reason="response received"
source-address="1.1.1.2" source-port="1" destination-address="2.2.2.2"
destination-port="46384" service-name="icmp" nat-source-address="1.1.1.2"
nat-source-port="1" nat-destination-address="2.2.2.2" nat-destination-port="46384"
src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1"
policy-name="policy1" source-zone-name="trustZone"
destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1"
bytes-from-client="84" packets-from-server="1" bytes-from-server="84"
elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] session closed response
received: 1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1
trustZone untrustZone 41 1(84) 1(84) 0 ge-0/0/1.0
On SRX Series devices, the factory default for the maximum number of backup
configurations allowed is five. Therefore, you can have one active configuration and a
maximum of five rollback configurations. Increasing this backup configuration number
will result in increased memory usage on disk and increased commit time.
To modify the factory defaults, use the following commands:
root@host# set system max-configurations-on-flash number
root@host# set system max-configuration-rollbacks number
where max-configurations-on-flash indicates backup configurations to be stored in the

configuration partition and max-configuration-rollbacks indicates the maximum number
of backup configurations.
On J Series devices, the following configuration changes must be done after rollback
or upgrade from Junos OS Release 10.4 to 9.6 and earlier releases.
Rename lsq-0/0/0 to ls-0/0/0 in all its occurrences.
Remove fragmentation-map from the [class-of-service] hierarchy level and from

[class-of-service interfaces lsq-0/0/0], if configured.
131
Remove multilink-max-classes from [ls-0/0/0 unit 0], if configured.
Remove link-layer-overhead from [ls-0/0/0 unit 0], if configured.
If the LFI forwarding class is mapped to no-fragmentation in fragmentation-map and

the configuration hierarchy is enabled on lsq-0/0/0 in Junos OS Release 10.4, then
Add interleave-fragments under [ls-0/0/0 unit 0]
Adjust classifier configured for LFI on lsq-0/0/0 under [class-of-service] to classify

packets to Q2
If the aforementioned instructions are not followed, the bundle will be incorrectly
processed.
On SRX Series devices, as per the new behavior, on configuring identical IPs on a single
interface users no longer see a warning message; instead, a syslog message appears.
On SRX210 Low Memory devices, ICMP messages generated in flow mode are now
rate-limited to 20 messages every 10 seconds. This rate limit is calculated on a per-CPU
basis.
Installation
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, support for USB
auto-installation is added. This feature simplifies the upgrading of Junos OS images
in cases where there is no console access to an SRX Series device located at a remote
site. This feature allows you to upgrade the Junos OS image with minimum configuration
effort by simply inserting a USB flash drive into the USB port of the SRX Series device
and performing a few simple steps. This feature can also be used for reformatting boot
devices and recovering SRX Series devices after a boot media corruption.
On SRX210 device with Integrated Convergence Services, users cannot clone the
existing configuration for Integrated Convergence Services. The clone option has been
removed from all Convergence Services pages on J-Web.
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, support for USB
auto-installation is added.
On SRX Series devices, to minimize the size of system logs, the default logging level
in the factory configuration has been changed from any any to any critical.
On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set
routing-options flow CLI statements are no longer available, because BGP flow spec
functionality is not supported on these devices.
On SRX100, SRX210, SRX240, and SRX650 devices, the autoinstallation functionality

on an interface enables a DHCP client on the interface and remains in the DHCP client
mode. In previous releases, after a certain period, the interface changed from being a
DHCP client to a DHCP server.
132
On SRX3000 and SRX5000 line devices, the maximum number of traffic-shaping

simple filter rules and policing rules has been changed. For SRX3000 line devices, the
number of simple filter and policing rules is 2000 per I/O card (IOC) for each rule type.
For SRX5000 line devices, the number of simple filter and policing rules is 2000 for
each rule type per PIM on flex I/O cards (FIOCs). This change does not affect ordinary
IOCs on SRX5000 line devices. The previous maximum of 4000 for each rule type is
not achievable because of a hardware limitation.
On T1/E1 Mini-Physical Interface Module installed on SRX210 and SRX240 devices,

the Loopback LED is turned ON based on the Loopback configuration as well as when
the FDL loopback commands are executed from the remote-end. The Loopback LED
remains OFF when no FDL Loopback commands are executed from the remote-end,
even though remote-loopback-respond is configured on the HOST.
On J4350 devices, ping does not go through even if the ISDN call is connected and the
dialer watch is configured. This issue occurs only when media MTU on Cisco devices
is bigger than the MTU configured on J Series devices. As a workaround, keep MTU
configured on the J Series device equal to or greater than the one set on the Cisco
device.
On SRX and J Series devices, the help description for the set <int> interface arp-resp
command incorrectly states the default value as unrestricted. The default value is
actually restricted.
Intrusion Detection and Prevention (IDP)
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you want to change to

maximize-idp-sessions mode, you should configure the security forwarding-process
application-services maximize-idp-sessions command before you reboot the device to
avoid recompiling IDP policies during every commit. [PR/426575]
On SRX3400 devices, FTP traffic does not go through expedited-forwarding queue

class for FTP control connections. All other traffic like http, telnet and ping goes through
expedited-forwarding queue class as expected.
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application identification

CLI commands have been moved from the [security idp sensor-configuration
application-identification] hierarchy to the [edit services application-identification]
hierarchy.
On SRX Series and J Series devices, for brute force and time-binding-related attacks,
the logging is to be done only when the match count is equal to the threshold. That is,
only one log is generated within the 60-second period in which the threshold is
measured. This process prevents repetitive logs from being generated and ensures
consistency with other IDP platforms like IDP-standalone.
When no attack is seen within the 60-second period and the BFQ entry is flushed out,
the match count starts afresh, and the new attack match shows up in the attack table,
and the log is generated as explained above.
133
J-Web
On SRX100, SRX210, SRX220, and SRX240 devices, the commit fails when you configure
an interface under security zone - junos-global. In Junos OS Release 10.4, the junos-global
CLI option is deprecated and is therefore not supported.
NOTE: Junos OS Release 10.3 and earlier releases still support the
junos-global CLI option.
The J-Web login page has been updated with the new Juniper Logo and Trademark.
URL separation for J-Web and dynamic VPNThis feature prevents the dynamic VPN
users from accessing J-Web accidentally or intentionally. Unique URLs for J-Web and
dynamic VPN add support to the webserver for parsing all the HTTP requests it receives.
The webserver also provides access permission based on the interfaces enabled for
J-Web and dynamic VPN.
CLI changes: A new configuration attribute management-url is introduced at the

[edit system services web-management] hierarchy level to control J-Web access
when both J-Web and dynamic VPN are enabled on the same interface. The following
example describes the configuration of the new attribute:
web-management {
traceoptions {
level all;
flag dynamic-vpn;
flag all;
}
management-url my-jweb;
http;
https {
system-generated-certificate;
}
limits {
debug-level 9;
}
session {
session-limit 7;
}
}
Enabling only Dynamic VPN: Dynamic VPN must have the configured HTTPS
certificate and the webserver to communicate with the client. Therefore, the
configuration at the [edit system services web-management] hierarchy level required
to start the appweb webserver cannot be deleted or deactivated. To disable J-Web,
the administrator must configure a loopback interface of lo0 for HTTP or HTTPS.
This ensures that the webserver rejects all J-Web access requests.
web-management {
traceoptions {
level all;
flag dynamic-vpn;
flag all;
134
}
management-url my-jweb;
http {
interface lo0.0;
}
https {
system-generated-certificate;
}
limits {
debug-level 9;
}
session {
session-limit 7;
}
}
Changes in the Web access behavior: The following section illustrates the changes
in the Web access behavior when J-Web and dynamic VPN do not share and do
share the same interface.
Case 1: J-Web and dynamic VPN do not share the same interface.
Scenario
http(s)://server host
http(s)://server
host//configured
attribute
http(s)://server
host//dynamic-vpn
J-Web is enabled,
and dynamic VPN
is configured.
Navigates to the J-Web

login page on the
J-Web enabled
interface or to the
dynamic VPN login
page on the dynamic
VPN enabled interface
depending on the
server host chosen

login page if the J-Web
attribute is configured;
otherwise, navigates to
the Page Not Found page
Navigates to the
dynamic VPN login
page
J-Web is not
enabled, and
dynamic VPN is
not configured.
Navigates to the Page

Not Found page

Not Found page
Navigates to the
Page Not Found page
J-Web is enabled,
and dynamic VPN
is not configured.

login page

otherwise, navigates to
the Page Not Found page
Navigates to the
Page Not Found page
J-Web is not
enabled, and
dynamic VPN is
configured.
Navigates to the
dynamic VPN login
page

Not Found page
Navigates to the
dynamic VPN login
page
Case 2: J-Web and dynamic VPN do share the same interface.

Scenario
http(s)://server
host
http(s)://server
host//configured attribute
http(s)://server
host//dynamic-vpn
135
J-Web is enabled,
and dynamic VPN is
configured.
Navigates to the
dynamic VPN
login page

login page if the attribute is
configured; otherwise,
navigates to the Page Not
Found page
Navigates to the
dynamic VPN login
page
J-Web is not
enabled, and
dynamic VPN is not
configured.
Navigates to the
Page Not Found
page
Navigates to the Page Not

Found page
Navigates to the
Page Not Found page
J-Web is enabled,
and dynamic VPN is
not configured.
Navigates to the
J-Web login page

otherwise, navigates to the
Page Not Found page
Navigates to the
Page Not Found page
J-Web is not
enabled, and
dynamic VPN is
configured.
Navigates to the
dynamic VPN
login page
Navigates to the Page Not

Found page
Navigates to the
dynamic VPN login
page
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, to add the Predefined

Attacks and Predefined Attack Groups, users do not need to type the attack names.
Instead, users can select attacks from the Predefined Attacks and Predefined Attack
Group lists and click the left arrow to add them.
The options to configure the Custom Attacks, Custom Attack Groups, and Dynamic
Attack Groups are disabled because they cannot be configured from J-Web.
Management and Administration
On SRX5600 and SRX5800 devices running a previous release of Junos OS, security
logs were always timestamped using the UTC time zone. In Junos OS Release 10.4,
you can use the set system time-zone CLI command to specify the local time zone that
the system should use when timestamping the security logs. If you want to timestamp
logs using the UTC time zone, use the set system time-zone utc and set security log
utc-timestamp CLI statements.
Configuring the external CompactFlash card on SRX650 Services Gateways:

The SRX650 Services Gateway includes 2-GB CompactFlash storage devices:
The Services and Routing Engine (SRE) contains a hot-pluggable CompactFlash

(external CompactFlash) storage device used to upload and download files.
The chassis contains an internal CompactFlash used to store the operating system.
By default, only the internal CompactFlash is enabled, and an option to take a snapshot
of the configuration from the internal CompactFlash to the external compact flash is
not supported. This can be done only by using a USB storage device.
136
To take a snapshot on the external CompactFlash:

1.
Take a snapshot from the internal CompactFlash to the USB storage device by
using the request system snapshot media usb CLI command.
2. Reboot the device from the USB storage device by using the request system reboot
media usb command.

3. Go to the U-boot prompt. For more information, see the Accessing the U-Boot
Prompt section in the Junos OS Administration guide.

4. At the U-boot prompt, set the following variables:
set ext.cf.pref 1
save
reset
5. Once the system is booted from the USB storage device, take a snapshot on the
external CompactFlash by using the request system snapshot media external

command.
NOTE: Once the snapshot has been taken on the external CompactFlash,
we recommend you set the ext.cf.pref to 0 at the U-boot prompt.
Multilink
When data and LFI streams are present, we recommend the following configuration
to get less latency for LFI traffic and to avoid out-of-range transmission of data traffic:
Configure the following schedulers
set class-of-service schedulers S0 buffer-size temporal 20K
set class-of-service schedulers S0 priority low
set class-of-service schedulers S2 priority high
set class-of-service schedulers S3 priority high
Configure the following scheduler map
set class-of-service scheduler-maps lsqlink_map forwarding-class best-effort scheduler

S0
set class-of-service scheduler-maps lsqlink_map forwarding-class assured-forwarding

scheduler S2
set class-of-service scheduler-maps lsqlink_map forwarding-class network-control

scheduler S3
137
Attach the scheduler map to all member links
set class-of-service interfaces t1-2/0/0 unit 0 scheduler-map lsqlink_map
Even after this configuration, if out-of-range sequence number drops are observed on
reassembly side, increase the drop-timeout of the bundle to 200 ms.
Power over Ethernet (PoE)
On SRX210-PoE devices, SDK packages might not work.
Security
J Series devices do not support the authentication order password radius or password
ldap in the edit access profile profile-name authentication-order command. Instead, use
the order radius password or ldap password.
Any change in the Unified Access Controls (UAC) contact interval and timeout values
in the SRX Series or J Series device will be effective only after the next reconnection
of the SRX Series or J Series device with the Infranet Controller.
The maximum size of a redirect payload is 1450 bytes. The size of the redirect URL is
restricted to 1407 bytes (excluding a few HTTP headers). If a user accesses a destination
URL that is larger than 1407 bytes, the Infranet Controller authenticates the payload,
the exact length of the redirect URL is calculated, and the destination URL is trimmed
such that it can fit into the redirect URL. The destination URL can be fewer than 1407
bytes based on what else is present in the redirect URL, for example, policy ID. The
destination URL in the default redirect URL is trimmed such that the redirect packet
payload size is limited to 1450 bytes, and if the length of the payload is larger than
1450 bytes, the excess length is trimmed and the user is directed to the destination
URL that has been resized to 1450 bytes.
Virtual LANs (VLANs)
Native-vlan-id can be configured only when either flexible-vlan-tagging mode or

interface-mode trunk is configured. The commit error has been corrected, which was
previously indicating vlan-tagging mode instead of flexible-vlan-tagging mode.
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following VLAN IDs
are reserved for internal use and cannot be used on customer-facing interfaces:
Table 9: VLAN IDs Reserved for Internal Use

VLAN IDs
Reservations
SRX100
SRX210
SRX220
SRX240
SRX650
3968-4047
Reserved
Reserved
4093
Reserved
Reserved
Reserved
Reserved
Reserved
4094
Reserved*
Reserved*
Reserved*
Reserved*
Reserved*
138
Unsupported CLI
This default TAG reservation can be configured to use an alternative tag number or
not to use VLAN tagging at all
Wireless LAN (WLAN)
While configuring the AX411 Access Point on your SRX Series devices, you must enter
the WLAN admin password using the set wlan admin-authentication password
command. This command prompts for the password and the password entered is
stored in encrypted form.
NOTE:
Without wlan config option enabled, the AX411 Access Points will be
managed with the default password.
Changing the wlan admin-authentication password when the wlan

subsystem option is disabled might result in mismanagement of Access
Points . You might have to power cycle the Access Points manually to
avoid this issue.
The SRX Series devices that are not using the AX411 Access Point can
optionally delete the wlan config option.
Accessing the AX411 Access Point through SSH is disabled by default. You can enable
the SSH access using the set wlan access-point < name > external system services
enable-ssh command.
Unsupported CLI
This section lists unsupported CLI statements and commands.
Accounting-Options Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the accounting,
source-class, and destination-class statements in the [accounting-options] hierarchy
level are not supported.
AX411 Access Point Hierarchy
On SRX100 devices, there are CLI commands for wireless LAN configurations related
to the AX411 Access Point. However, at this time the SRX100 devices do not support
the AX411 Access Point.
Chassis Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following
chassis hierarchy CLI commands are not supported. However, if you enter these
commands in the CLI editor, they appear to succeed and do not display an error
message.
set chassis craft-lockout
set chassis routing-engine on-disk-failure
139
Class-of-Service Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices, the following
class-of-service hierarchy CLI commands are not supported. However, if you enter
these commands in the CLI editor, they appear to succeed and do not display an error
message.
set class-of-service classifiers ieee-802.1ad
set class-of-service interfaces interface-name unit 0 adaptive-shaper
Ethernet-Switching Hierarchy
ethernet-switching hierarchy CLI commands are not supported. However, if you enter
these commands in the CLI editor, they appear to succeed and do not display an error
message.
set ethernet-switching-options bpdu-block disable-timeout
set ethernet-switching-options bpdu-block interface
set ethernet-switching-options mac-notification
set ethernet-switching-options voip interface access-ports
set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class
Firewall Hierarchy
On SRX100, SRX210, SRX220, SRX240 SRX650, and all J Series devices, the following
Firewall hierarchy CLI commands are not supported. However, if you enter these
message.
set firewall family vpls filter
set firewall family mpls dialer-filter d1 term
Interfaces CLI Hierarchy

interface hierarchy CLI commands are not supported. However, if you enter these
commands in the CLI editor, they appear to succeed and do not display an error message.
Aggregated Interface CLI on page 141
ATM Interface CLI on page 141
Ethernet Interfaces on page 142
GRE Interface CLI on page 142
IP Interface CLI on page 143
140
Unsupported CLI
LSQ Interface CLI on page 143
PT Interface CLI on page 143
T1 Interface CLI on page 143
VLAN Interface CLI on page 144
Aggregated Interface CLI
The following CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
request lacp link-switchover ae0
set interfaces ae0 aggregated-ether-options lacp link-protection
set interfaces ae0 aggregated-ether-options link-protection
ATM Interface CLI
set interfaces at-1/0/0 container-options
set interfaces at-1/0/0 atm-options ilmi
set interfaces at-1/0/0 atm-options linear-red-profiles
set interfaces at-1/0/0 atm-options no-payload-scrambler
set interfaces at-1/0/0 atm-options payload-scrambler
set interfaces at-1/0/0 atm-options plp-to-clp
set interfaces at-1/0/0 atm-options scheduler-maps
set interfaces at-1/0/0 unit 0 atm-l2circuit-mode
set interfaces at-1/0/0 unit 0 atm-scheduler-map
set interfaces at-1/0/0 unit 0 cell-bundle-size
set interfaces at-1/0/0 unit 0 compression-device
set interfaces at-1/0/0 unit 0 epd-threshold
set interfaces at-1/0/0 unit 0 inverse-arp
set interfaces at-1/0/0 unit 0 layer2-policer
set interfaces at-1/0/0 unit 0 multicast-vci
set interfaces at-1/0/0 unit 0 multipoint
141
set interfaces at-1/0/0 unit 0 plp-to-clp

set interfaces at-1/0/0 unit 0 point-to-point
set interfaces at-1/0/0 unit 0 radio-router
set interfaces at-1/0/0 unit 0 transmit-weight
set interfaces at-1/0/0 unit 0 trunk-bandwidth
Ethernet Interfaces
set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes
set interfaces ge-0/0/1 gigether-options mpls
set interfaces ge-0/0/0 stacked-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id
set interfaces ge-0/0/0 radio-router
set interfaces ge-0/0/0 unit 0 interface-shared-with
set interfaces ge-0/0/0 unit 0 input-vlan-map
set interfaces ge-0/0/0 unit 0 output-vlan-map
set interfaces ge-0/0/0 unit 0 layer2-policer
set interfaces ge-0/0/0 unit 0 accept-source-mac
set interfaces fe-0/0/2 fastether-options source-address-filter
set interfaces fe-0/0/2 fastether-options source-filtering
set interfaces ge-0/0/1 passive-monitor-mode
GRE Interface CLI
set interfaces gr-0/0/0 unit 0 ppp-options
set interfaces gr-0/0/0 unit 0 layer2-policer
142
Unsupported CLI
IP Interface CLI
set interfaces ip-0/0/0 unit 0 layer2-policer
set interfaces ip-0/0/0 unit 0 ppp-options
set interfaces ip-0/0/0 unit 0 radio-router
LSQ Interface CLI
set interfaces lsq-0/0/0 unit 0 layer2-policer
set interfaces lsq-0/0/0 unit 0 family ccc
set interfaces lsq-0/0/0 unit 0 family tcc
set interfaces lsq-0/0/0 unit 0 family vpls
set interfaces lsq-0/0/0 unit 0 multipoint
set interfaces lsq-0/0/0 unit 0 point-to-point
set interfaces lsq-0/0/0 unit 0 radio-router
PT Interface CLI
set interfaces pt-1/0/0 gratuitous-arp-reply
set interfaces pt-1/0/0 link-mode
set interfaces pt-1/0/0 no-gratuitous-arp-reply
set interfaces pt-1/0/0 no-gratuitous-arp-request
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 unit 0 radio-router
set interfaces pt-1/0/0 unit 0 vlan-id
T1 Interface CLI
set interfaces t1-1/0/0 receive-bucket
143
set interfaces t1-1/0/0 transmit-bucket

set interfaces t1-1/0/0 encapsulation ether-vpls-ppp
set interfaces t1-1/0/0 encapsulation extended-frame-relay
set interfaces t1-1/0/0 encapsulation extended-frame-relay-tcc
set interfaces t1-1/0/0 encapsulation frame-relay-port-ccc
set interfaces t1-1/0/0 encapsulation satop
set interfaces t1-1/0/0 unit 0 encapsulation ether-vpls-fr
set interfaces t1-1/0/0 unit 0 encapsulation frame-relay-ppp
set interfaces t1-1/0/0 unit 0 layer2-policer
set interfaces t1-1/0/0 unit 0 radio-router
set interfaces t1-1/0/0 unit 0 family inet dhcp
set interfaces t1-1/0/0 unit 0 inverse-arp
set interfaces t1-1/0/0 unit 0 multicast-dlci
VLAN Interface CLI
set interfaces vlan unit 0 family tcc
set interfaces vlan unit 0 family vpls
set interfaces vlan unit 0 accounting-profile
set interfaces vlan unit 0 layer2-policer
set interfaces vlan unit 0 ppp-options
set interfaces vlan unit 0 radio-router
Protocols Hierarchy
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following CLI
commands are not supported. However, if you enter these commands in the CLI editor,
they will appear to succeed and will not display an error message.
set protocols bfd no-issu-timer-negotiation
set protocols bgp idle-after-switch-over
144
Unsupported CLI
set protocols l2iw

set protocols bgp family inet flow
set protocols bgp family inet-vpn flow
set protocols igmp-snooping vlan all proxy
Routing Hierarchy
routing hierarchy CLI commands are not supported. However, if you enter these
message.
set routing-instances p1 services
set routing-instances p1 multicast-snooping-options
set routing-instances p1 protocols amt
set routing-options bmp
set routing-options flow
Services Hierarchy
services hierarchy CLI commands are not supported. However, if you enter these
message.
set services service-interface-pools
SNMP Hierarchy
SNMP hierarchy CLI commands are not supported. However, if you enter these
message.
set snmp community 90 logical-system
set snmp logical-system-trap-filter
set snmp trap-options logical-system
set snmp trap-group d1 logical-system
145
System Hierarchy
On all SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following system
hierarchy CLI commands are not supported. However, if you enter these commands
set system diag-port-authentication
IPv6 and MVPN CLI
On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following

multicast IPv6 and MVPN CLI commands are not supported. However, if you enter
these commands in the CLI editor, they will appear to succeed and will not display an
error message.
show pim interfaces inet6
show pim neighbors inet6
show pim source inet6
show pim rps inet6
show pim join inet6
show pim mvpn
show multicast next-hops inet6
show multicast rpf inet6
show multicast route inet6
show multicast scope inet6
show multicast pim-to-mld-proxy
show multicast statistics inet6
show multicast usage inet6
show msdp sa group group
set protocols pim interface interface family inet6
set protocols pim disable interface interface family inet6
set protocols pim family inet6
set protocols pim disable family inet6
set protocols pim apply-groups group disable family inet6
set protocols pim apply-groups group family inet6
set protocols pim apply-groups-except group disable family inet6
146
Unsupported CLI
Related
Documentation
set protocols pim apply-groups group interface interface family inet6
set protocols pim apply-groups group apply-groups-except group family inet6
set protocols pim apply-groups group apply-groups-except group disable family inet6
set protocols pim assert-timeout timeout-value family inet6
set protocols pim disable apply-groups group family inet6
set protocols pim disable apply-groups-except group family inet6
set protocols pim disable export export-join-policy family inet6
set protocols pim disable dr-election-on-p2p family inet6
set protocols pim dr-election-on-p2p family inet6
set protocols pim export export-join-policy family inet6
set protocols pim import export-join-policy family inet6
set protocols pim disable import export-join-policy family inet6
Routers on page 158
147
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series
Services Routers
AppSecure
Junos OS application identificationWhen you create custom application or nested

application signatures for Junos OS application identification, the order value must be
unique among all predefined and custom application signatures. The order value
determines the application matching priority of the application signature.
The order value is set with the set services application-identification application
application-name signature order command. You can also view all signature order
values by entering the show services application-identification | display set | match order
command. You will need to change the order number of the custom signature if it
conflicts with another application signature.
Chassis Cluster
On SRX650 devices in a chassis cluster, ping packets sent from the forward node to
the active node are dropped intermittently.
On SRX650 devices in a chassis cluster, the T1/E1 PIC goes offline and does not come
online.
In large chassis cluster configurations on SRX3400 or SRX3600 devices, you need to

increase the wait time before triggering failover. In a full-capacity implementation, we
recommend increasing the wait to 8 seconds by modifying heartbeat-threshold and
heartbeat-interval values in the [edit chassis cluster] hierarchy.
The product of the heartbeat-threshold and heartbeat-interval values defines the time
before failover. The default values (heartbeat-threshold of 3 beats and
heartbeat-interval of 1000 milliseconds) produce a wait time of 3 seconds.
To change the wait time, modify the option values so that the product equals the
desired setting. For example, setting the heartbeat-threshold to 8 and maintaining the
default value for the heartbeat-interval (1000 milliseconds) yields a wait time of 8
seconds. Similarly, setting the heartbeat-threshold to 4 and the heartbeat-interval to
2000 milliseconds also yields a wait time of 8 seconds.
SRX100, SRX210, SRX240, and SRX650 devices have the following chassis cluster
limitations:
Virtual Router Redundancy Protocol (VRRP) is not supported.
In-service software upgrade (ISSU) is not supported.
The 3G dialer interface is not supported.
On SRX Series device failover, access points on the Layer 2 switch reboot and all
wireless clients lose connectivity for 4-6 minutes.
On VDSL mini-PIM, chassis cluster is not supported for VDSL mode.
Queuing on aggregated Ethernet (ae) interface is not supported.
148
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Group VPN is not supported.
Sampling features like J-FLow, packet capture, and port mirror on the reth interface
are not supported.
IDP is not supported for active/active chassis cluster. IDP is supported for
active/backup chassis cluster in Junos OS Release 10.2R2 and later.
Switching is not supported in chassis cluster mode.
Any packet-based services like MPLS and CLNS are not supported.
lsq-0/0/0Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame

Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP) are not
supported.
gr-0/0/0Generic routing encapsulation (GRE) and tunneling are not supported.
ip-0/0/0IP-over-IP (IP-IP) encapsulation is not supported.
lt-0/0/0CoS for real-time performance monitoring (RPM) is not supported.
PP0: PPPoE, PPPoEoA is not supported.
ISDN and WXC are not supported in standalone mode.
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, UTM is supported only
for active/backup chassis cluster configuration with both RG0 and RG1 active on the
same node. It is not supported for active/active chassis cluster configuration.
For other limitations in chassis cluster, see Limitations of Chassis Clustering in the Junos
OS Security Configuration Guide.
On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the
device by using the CLI. The number of users allowed to access the device is limited
as follows:
For SRX210 devices: four CLI users and three J-Web users
For SRX240 devices: six CLI users and five J-Web users
On SRX210 devices with Integrated Convergence Services, TDM configuration change

might interrupt existing TDM calls. The voice calls do not work. Run the CLI restart rtmd
command after making a configuration change.
149
DOCSIS Mini-PIM
On SRX210 devices, the DOCSIS Mini-PIM delivers speeds up to a maximum of 100

Mbps throughput in each direction.
Dynamic Host Configuration Protocol (DHCP)
SRX Series and J Series devices do not support DHCPv6 client authentication.
NOTE: Existing DHCPv4 configurations in the [edit system services dhcp]

hierarchy are not affected when you upgrade to Junos OS Release 10.4
from an earlier version or enable DHCPv6 server.
Dynamic VPN
SRX100, SRX210, and SRX240 devices have the following limitations:
The IKE configuration for the dynamic VPN client does not support the hexadecimal
preshared key.
The dynamic VPN client IPsec does not support the Authentication Header (AH)
protocol and the Encapsulating Security Payload (ESP) protocol with NULL
authentication.
When you log in through the Web browser (instead of logging in through the dynamic
VPN client) and a new client is available, you are prompted for a client upgrade even
if the force-upgrade option is configured. Conversely, if you log in using the dynamic
VPN client with the force-upgrade option configured, the client upgrade occurs
automatically (without a prompt).
Flow and Processing
On SRX Series devices, data plane logs generated in event mode (under set security
log mode options) or logs sent via NSM (under set system syslog) can increase CPU
utilization dramatically, impacting the system stability, especially in chassis cluster
mode.
On SRX100 devices, multicast data traffic is not supported on IRB interfaces.
The service-point zone parameter for the SRX Series MGW configuration is not
supported in Junos OS Release 10.4.
You cannot configure route policies and route patterns in the same dial plan.
You can configure no more than four members in a station group. Station groups are
used for hunt groups and ring groups.
On J Series devices, even when forwarding options are set to drop packets for the ISO
protocol family, the device forms End System-to-Intermediate System (ES-IS)
adjacencies and transmits packets because ES-IS packets are Layer 2 terminating
packets.
150
On SRX Series and J Series devices, high CPU utilization triggered due to various reasons
like CPU intensive commands, SNMP Walks etc causes the BFD to flap while processing
large BGP updates.
For other limitations in flow and processing, see Limitations of Flow and Processing in
the Junos OS Security Configuration Guide.
Hardware
This section covers filter and policing limitations.
On SRX1400, SRX3400 and SRX3600 devices, the following feature is not supported
by a simple filter:
Forwarding class as match condition
On SRX1400, SRX3400 and SRX3600 devices, the following features are not supported
by a policer or a three-color-policer:
Color-aware mode of a three-color-policer
Filter-specific policer
Forwarding class as action of a policer
Logical interface policer
Logical interface three-color policer
Logical interface bandwidth policer
Packet loss priority as action of a policer
Packet loss priority as action of a three-color-policer
On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following

features are not supported by a firewall filter:
Policer action
Egress FBF
FTF
SRX1400, SRX3400, and SRX3600 devices have the following limitations of a simple
filter:
In the packet processor on an IOC, up to 100 logical interfaces can be applied with
simple filters.
In the packet processor on an IOC, the maximum number of terms of all simple filters
is 4000.
In the packet processor on an IOC, the maximum number of policers is 4000.
151
In the packet processor on an IOC, the maximum number of three-color-policers is

2000.
The maximum burst size of a policer or three-color-policer is 16 MB.
1G half-duplex mode of operation is not supported in the autonegotiation mode for

the following devices:
16-port GPIM
24-port GPIMs
On SRX650 devices, the T1/E1 GPIMs (2 or 4 port version) do not work in Junos OS
release 9.6R1. This issue is resolved in Junos OS Release 9.6R2 and later releases, but
if you roll back to the 9.6R1 image, this issue is still seen.
The SRX220 Services Gateway does not support the 1-port SFP Mini-PIM.
On SRX210 devices, the link goes down after an FPGA upgrade is performed. As a
workaround, run the restart fpc command.
On SRX240 High Memory devices, traffic might stop between SRX240 device and
CISCO switch due to link mode mismatch. As a workaround, Juniper Networks
recommends setting auto-negotiation parameters on both ends to the same value.
On SRX100 devices, the link goes down when you upgrade FPGA on 1xGE SFP. As a
workaround, run the restart fpc command and restart the FPC.
On SRX210 devices with VDLS2, ATM COS VBR-related functionality cannot be tested
because of lack of support from the vendor.
On SRX210 High Memory devices, IGMP v2 JOINS messages are dropped on an IRB
interface. As a workaround, enable IGMP snooping to use IGMP over IRB interfaces.
On J Series devices, the DS3 interface do not have an option to configure

multilink-frame-relay-uni-nni (MFR).
On SRX210, SRX220 and SRX240 devices, every time the VDSL2 PIM is restarted in
the ADSL mode, the first packet passing through the PIM is dropped.
On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM server
operation does not work when the probe is configured with the option
destination-interface.
Link Layer Discovery Protocol (LLDP)The following are the LLDP limitations:
On J Series devices, LLDP is not supported on routed ports.
On SRX Series and J Series devices, LLDP over ae interfaces is not supported.
On SRX Series and J Series devices, LLDP is supported only on interface unit 0.
152
In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If the
user configures IP CoS in conjunction with ATM CoS, the logical interface level shaper
matching the ATM CoS rate must be configured to avoid congestion drops in SAR.
Example:
set interfaces at-5/0/0 unit 0 vci 1.110
set interfaces at-5/0/0 unit 0 shaping cbr 62400 ATM COS
set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map IP COS
set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400 ADD IFL SHAPER
On SRX210, SRX220, and SRX240 devices, 1-port Gigabit Ethernet SFP mini-PIM does
not support switching in Junos OS Release 10.4.
On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the Link

Aggregation Control Protocol (LACP) is not supported on Layer 2 interfaces.
On SRX650 devices, MAC pause frame and FCS error frame counters are not supported
for the interfaces ge-0/0/0 through ge-0/0/3.
On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls under the
reserved VLAN address range, and the user is not allowed any configured VLANs from
this range.
On SRX650 devices, the last 4 ports of a 24-Gigabit Ethernet switch GPIM can be used
either as RJ-45 or SFP ports. If both are present and providing power, the SFP media
is preferred. If the SFP media is removed or the link is brought down, then the interface
will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED
for the RJ-45 port might go up and down intermittently. Similarly when the RJ-45
medium is active and an SFP link is brought up, the interface will transition to the SFP
medium, and this transition could also take a few seconds.
On SRX210 devices, the USB modem interface can handle bidirectional traffic of up
to 19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps
or above), keepalives do not get exchanged, and the interface goes down.
On SRX3400 and SRX3600 devices, BGP based VPLS over aggregated ethernet (ae)
interfaces does not work because it is not supported. It works on child ports and physical
interfaces.
On SRX100, SRX210, SRX240 and SRX650 devices, on the Level 3 ae interface, the
following features are not supported:
Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPOE) on Level 3 ae interfaces
J-Web
Level 3 ae for 10-Gigabit Ethernet
153
If SRX series device that are configured for IDP and are upgraded to Junos OS Release
10.4, administrators must install the new security database as old IDP detector might
not be compatible.
Administrators must update the detector by using the request security idp
security-package download full-update command followed by request security idp
security-package install command.
IDP does not allow header checks for nonpacket contexts.
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, maximum supported

entries in ASC table for is 100,000 entries. However, since the user land buffer has fix
size of 1MB as a limitation, therefore it displays maximum 38837 cache entries.
On SRX100, SRX210, SRX240, and SRX650 devices, policy compilation takes a long
time because:
Software DFA is now used for attack signature compilation
IDPD daemon gets lesser CPU time slice during compilation
For all other limitations in IDP, see Limitations of IDP in the Junos OS Security
Configuration Guide.
IPv6 support
NOTE: Concerning NSM support, do not follow the information presented in

the Junos OS Security Configuration Guide. Please consult the NSM release
notes for version compatibility, required schema updates, and up-to-date
support information.
For limitations in IPv6, see Limitations of IPv6 in the Junos OS Security Configuration
Guide.
J-Web
J-Web browser support for Dell PowerConnect SRX Series and J Series devicesTo
access J-Web for all platforms, your device requires the following supported browsers
and OS:
Browser: Microsoft Internet Explorer version 6.0, 7.0, and Mozilla Firefox version
above 3.0 and below 3.5.
NOTE: Other browser versions might not provide access to J-Web and
only English-version browsers are supported.
OS: Microsoft Windows XP Service Pack 3
SRX Series and J Series browser compatibility
154
If the device is running the worldwide version of the Junos OS and you are using the
Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option
in the Web browser to access the device.
To use the Chassis View, a recent version of Adobe Flash that supports ActionScript
and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed
by default on the Dashboard page. You can enable or disable it using options in the
Dashboard Preference dialog box, but clearing cookies in Internet Explorer also
causes the Chassis View to be displayed.
On SRX Series devices, in the J-Web interface, there is no support to change the T1
interface to an E1 interface or vice versa. As a workaround, use the CLI to convert from
T1 to E1 and vice versa.
On SRX Series and J Series devices, users cannot differentiate between Active and
Inactive configurations on the System Identity, Management Access, User Management,
and Date & Time pages.
On SRX210, SRX240, and SRX650 devices, the complete contents of the ToolTips are
not displayed in the J-Web Chassis View. As a workaround, drag the Chassis View
image down to see the complete ToolTip.
On SRX210 devices, there is no maximum length when the user commits the hostname
in CLI mode; however, only 58 characters maximum are displayed in the J-Web System
Identification panel.
On J Series devices, some J-Web pages for new features (for example, the Quick
Configuration page for the switching features on J Series devices) display content in
one or more modal pop-up windows. In the modal pop-up windows, you can interact
only with the content in the window and not with the rest of the J-Web page. As a
result, online Help is not available when modal pop-up windows are displayed. You
can access the online Help for a feature only by clicking the Help button on a J-Web
page.
On SRX Series devices, you cannot use J-Web to configure a VLAN interface for an IKE
gateway. VLAN interfaces are not currently supported to be used as IKE
external-interfaces.
NetScreen-Remote
On SRX Series devices, NetScreen-Remote is not supported in Junos OS Release 10.4.
NAT rule capacity changeTo support the use of large-scale NAT (LSN) at the edge
of the carrier network, the device-wide NAT rule capacity has been changed.
The number of destination and static NAT rules has been incremented as shown in
Table 10 on page 156. The limitation on the number of destination-rule-set and
static-rule-set has been increased.
Table 10 on page 156 provides the requirements per device to increase the configuration
limitation as well as scale the capacity for each device.
155
Table 10: Number of Rules on SRX Series and J Series Devices

NAT Rule
Type
SRX100
SRX210
SRX240
SRX650
SRX3400
SRX3600
SRX5600
SRX5800
J Series
Source NAT
rule
512
512
1024
1024
8192
8192
512
Destination
NAT rule
512
512
1024
1024
8192
8192
512
Static NAT
rule
512
512
1024
1024
8192
8192
512
The restriction on the number of rules per rule set has been increased so that there is
only a device-wide limitation on how many rules a device can support. This restriction
is provided to help you better plan and configure the NAT rules for the device.
IKE negotiations involving NAT-TOn SRX1400, SRX3400, SRX3600, SRX5600,

and SRX5800 devices, IKE negotiations involving NAT-Traversal (NAT-T) traversal
do not work if the IKE peer is behind a NAT device that will change the source IP address
of the IKE packets during the negotiation. For example, if the NAT device is configured
with DIP, it changes the source IP because the IKE protocol switches the UDP port from
500 to 4500.
Point-to-Point Protocol over Ethernet (PPPoE)
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices in a chassis
cluster, the reth interface cannot be used as the underlying interface for Point-to-Point
Protocol over Ethernet (PPPoE).
Security
J Series devices do not support the authentication order password radius or password
ldap in the edit access profile profile-name authentication-order command. Instead, use
order radius password or ldap password.
For all other limitations in security, see Addresses and Address Sets in the Junos OS
Security Configuration Guide.
SNMP
On J Series devices, the SNMP NAT-related MIB is not supported in Junos OS Release
10.4.
Switching
On SRX100, SRX210, SRX240, and SRX650 devices, CoA is not supported with 802.1x.
On SRX100, SRX210, SRX240 and SRX650 devices, on the routed VLAN interface, the
following features are not supported:
IPv6 (family inet6)
ISIS (family ISO)
156
Class-of-service
Encapsulations (Ether CCC, VLAN CCC, VPLS, PPPOE etc) on VLAN interfaces
CLNS
PIM
DVMRP
VLAN interface MAC change
Gratuitous ARP
Change VLAN-Id for VLAN interface
Unified Threat Management (UTM)
UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB
of memory, you must upgrade the memory to 1 GB to run UTM.
VPNs
On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IPsec NAT-T
tunnels scaling and sustaining issues are as follows:
For a given private IP address, the NAT device should translate both 500 and 4500
private ports to the same public IP address.
The total number of tunnels from a given public translated IP cannot exceed 1000
tunnels.
On SRX100, SRX210, SRX240, and SRX650 devices, while configuring dynamic VPN
using PULSE client, when you select the authentication-algorithm as sha-256 in IKE
proposal, IPsec session might not get established.
Wireless LAN (WLAN)
The following are the maximum numbers of access points that can be configured and
managed from SRX Series devices:
SRX2104 access points
NOTE: The number of licensed access points can exceed the maximum
number of supported access points. However, you can only configure and
manage the maximum number of access points.
Related
Documentation
157
Routers on page 158
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Outstanding Issues In Junos OS Release 10.4 for SRX Series Services Gateways and J
Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J
Outstanding Issues In Junos OS Release 10.4 for SRX Series Services Gateways
and J Series Services Routers
The following problems currently exist in SRX Series and J Series devices. The identifier
following the description is the tracking number in our bug database.
On SRX5600 devices, if you run the show security alg sip counters command while
doing a bulk call generation, it might bring down the SPU with a flowd core file error.
[PR/292956]
On SRX Series devices, SIP server protection does not work. The set security alg sip
application-screen protect deny command does not work. [PR/512202]
Authentication
On J Series devices, after the user is authenticated, if the webauth-policy is deleted or

changed and an entry exists in the firewall authentication table, then an authentication
entry created as a result of webauth will be deleted only if a traffic flow session exists
for that entry. Otherwise, the webauth entry will not get deleted and will only age out.
This behavior will not cause a security breach. [PR/309534]
AX411 Access Point
On SRX210 PoE devices, the access point reboots when 100 clients are associated
simultaneously and each one is transmitting 512-byte packets at 100 pps. [PR/469418]
On SRX650 devices, when an access point is part of the default cluster and you change
the default cluster after the access point is connected to it, the changes might not be
reflected. As a workaround, restart the wireless LAN service. [PR/497752]
Chassis Cluster
On J Series devices in a chassis cluster, a high load of SIP ALG traffic might result in
some call leaks in active resource manager groups and gates on the backup router.
[PR/268613]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, 8-queue configurations

are not reflected on the chassis cluster interface. [PR/389451]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the iflset functionality is

not supported for aggregated interfaces like reth. [PR/391377]
158
On an SRX210 device in a chassis cluster, sometimes the reth interface MAC address
might not make it to the switch filter table. This results in the dropping of traffic sent
to the reth interface. As a workaround, restart the Packet Forwarding Engine.
[PR/401139]
On an SRX210 device in a chassis cluster, the restart forwarding method is not

recommended because restart forwarding on primary node will cause all RGs failover
to other node. [PR/408436]
On SRX5800 devices, SNMP traps might not be generated for the ineligible-primary
state. [PR/434144]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices in chassis cluster

active/active mode, the J-Flow samplings do not occur and the records are not exported
to the cflowd server. [PR/436739]
On SRX240 Low Memory and High Memory devices, binding the same IKE policy to a
dynamic gateway and a site-to-site gateway is not allowed. [PR/440833]
On SRX650 devices, the following message appears on the new primary node after a
reboot or an RG0 failover:
WARNING: cli has been replaced by an updated version:
CLI release 9.6B1.5 built by builder on 2009-04-29 08:24:20 UTC
Restart cli using the new version ? [yes,no] (yes) yes
[PR/444470]
On SRX240 devices, the cluster might become destabilized when the file system is
full and logging is configured on JSRPD and chassisd. The log file size for the various
modules should be appropriately set to prevent the file system from getting full.
[PR/454926]
On SRX3600 devices, track IPs on the secondary node remain unreachable after you
disable and enable the corresponding reth interfaces primary and secondary child
interfaces [PR/488890]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, LACP does not work in
Layer 2 transparent mode. [PR/503171]
During a manual failover, a system crash might occur if the nodes have not completely
recovered from a previous failover. To determine if a device is ready for repeated
failovers, perform these recommended best-practice steps before doing a manual
failover.
The best-practice steps we recommend to ensure a proper failover are as follows:
Use the show chassis cluster status command to verify the following for all
redundancy groups:
One node is primary; the other node is secondary.
Both nodes have nonzero priority values unless a monitored interface is down.
Use the show chassis fpc pic-status command to verify that the PIC status is Online.
159
Use the show pfe terse command to verify that the Packet Forwarding Engine status
is Ready and to verify the following:
All slots on the RG0 primary node have the status Online.
All slots on the RG0 secondary node, except the Routing Engine slots, have the
status Valid.
[PR/503389, PR/520093]
On SRX650 devices, when the primary node is synchronizing heavy routes to the
secondary node and the secondary node is rebooted, FPCs on the secondary node
come up very slowly. PICs will not come up until all the routes are synchronized to the
secondary node. [PR/545429]
Class of Service (CoS)
J4350 and J6350 devices might not have the requisite data buffers needed to meet
expected delay-bandwidth requirements. Lack of data buffers might degrade CoS
performance with smaller (500 bytes or less) packets. [PR/73054]
On J Series devices with a CoS configuration, when you try to delete all the flow sessions
using the clear security flow session command, the WXC application acceleration
platform might fail over with heavy traffic. [PR/273843]
160
On SRX650 devices, tail drops and keepalive losses are seen at high load on multilink
bundles when queue 3 (out of queue 0 to queue 7) is oversubscribed. As a workaround,
use only queue 3 for keepalive packets, and use other queues for data or voice
transmission. [PR/539353]
Dual-Stack Lite
On SRX650, SRX3400, SRX3600, SRX5600 and SRX5800 devices, if the interface

address is changed to a new address which is also the concentrator address with the
background traffic target to the address, you should manually clear the IPIP clear text
sessions with the concentrator address as the destination address, if there are any, so
that the dual-stack lite concentrator could take effect on the traffic flow. [PR/541516]
Dynamic Host Configuration Protocol (DHCP)
On SRX210 and SRX240 devices, when autoinstallation is configured to run on a

particular interface and the default static route is set with the options discard, retain,
and no-advertise, the DHCP client running on the interface tries fetching the
configuration files from the TFTP server. During this process, the UDP data port on the
TFTP server might be unreachable. Because the TFTP server is unreachable, the
autoinstallation process might remain in the configuration acquisition state. When
autoinstallation is disabled, the TFTP might fail. In this case, you should manually fetch
the file from the server or the client through the relay.
As a workaround, remove the static route discard, retain, and no-advertise options
from the configuration. [PR/454189]
Enhanced Switching
On J Series devices, if the access port is tagged with the same VLAN that is configured
at the port, the access port accepts tagged packets and determines the MAC.
[PR/302635]
Flow and Processing
On SRX Series devices, the show security flow session command currently does not
display aggregate session information. Instead, it displays sessions on a per-SPU basis.
[PR/264439]
On J Series devices, OSPF over a multipoint interface connected as a hub-and-spoke

network does not restart when a new path is found to the same destination.
[PR/280771]
On J Series devices, outbound filters will be applied twice for host-generated IPv4
traffic. [PR/301199]
On SRX Series devices, configuring the flow filter with the all flag might result in traces
that are not related to the configured filter. As a workaround, use the flow trace flag
basic with the command set security flow traceoptions flag.
161
NOTE: Be sure to disable flow traceoptions after debugging has been

completed. Flow traceoptions might cause high CPU utilization in the
Routing Engine.
[PR/304083]
On SRX240 devices, traffic flooding occurs when multiple multicast (MC) IP group
addresses are mapped to the same MAC address because multicast switching is based
on the Layer 2 address. [PR/418519]
On SRX650 devices, the input DA errors are not updated when packets are dropped
because of MAC filtering on the following:
SRX240 device
SRX210 device
16-port and 24-port GPIMs
SRX650 front-end port
This is because of MAC filtering implemented in hardware.

[PR/423777]
On SRX5600 and SRX5800 devices, the network processing bundle configuration CLI
does not check whether PICs in the bundle are valid. [PR/429780]
On SRX650 devices, packet loss is observed when the device interoperates with an
SSG20 with AMI line encoding. [PR/430475]
On an SRX210 onboard Ethernet port, an IPv6 multicast packet received is duplicated

at the ingress. This happens only for IPv6 multicast traffic in ingress. [PR/432834]
On SRX3400 and SRX3600 devices, the ramp rate of session creation is slow at times
for fragmented UDP traffic. [PR/434508]
On SRX5800 devices, when there are nonexistent PICs in the network processing
bundle, the traffic is sent out to the PICs and is lost. [PR/434976]
The SRX5600 and SRX5800 devices create more than the expected number of flow
sessions with NAT traffic. [PR/437481]
On J Series devices, NAT traffic that goes to the WXC ISM 200 and returns clear (that
is, not accelerated by the WXC ISM 200) does not work. [PR/438152]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, there is missing information

in the jnxJsFwAuthMultipleFailure trap message. The trap message is required to contain
the username, IP address, application, and trap name, but the username is missing.
[PR/439314]
On SRX5800 devices, for any network processing bundle configuration change to take
effect, a reboot is needed. Currently there is no message displayed after a bundle
configuration change. [PR/441546]
162
On SRX5800 devices, the IOC hot swap is not supported with network processing
bundling. If an IOC configured with network processing bundling is unplugged, all traffic
to that network processor bundle will be lost. [PR/441961]
On SRX5800 devices with interfaces in a network processing bundle, the ICMP flood
or UDP flood cannot be detected at the threshold rate. However, it can be detected
at a higher rate when the per-network processor rate reaches the threshold.
[PR/442376]
On an SRX3400 device in combo mode with two SPCs and one NPC, not all sessions
are created under the stress test. [PR/450482]
On J Series devices, there is a drop in throughput on the 64-byte packet size T3 link
when bidirectional traffic is directed. [PR/452652]
On SRX240 PoE and J4350 devices, the first packet on each multilink class is dropped
on reassembly. [PR/455023]
On SRX5600 and SRX5800 devices, system log messages are not generated when
CPU utilization returns to normal. [PR/456304]
On SRX210, SRX240, and J6350 devices, the serial interface goes down for
long-duration traffic when FPGA version 2.3 is loaded in the device. As a result, the
multilink goes down. This issue is not seen when downgrading the FPGA version from
2.3 to 1.14. [PR/461471]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in end-to-end debugging,

the cp-lbt event actions are not working. There is no change in behavior with or without
the cp-lbt event. [PR/462288]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, during end-to-end

debugging with the jexec event, packet summary trace messages have unknown IP
addresses in the packet summary field. [PR/463534]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, data path-debug rate-limit

does not work properly. When users configure a low rate limit for a large number of
trace messages, the system should suspend the trace messages after the configured
maximum is reached. The system is not suspending the trace messages. [PR/464151]
On SRX5800 devices, the GPRS tunneling protocol (GTP) application is supported

only on well-known ports. Customized application on other ports is not supported.
[PR/464357]
On J Series devices, interfaces with different bandwidths (even if they are of same
interface type, for example, serial interfaces with different clock rates or channelized
T1/E1 interfaces with different time slots) should not be bundled under one multilink
bundle. [PR/464410]
SRX3400 and SRX3600 devices with one Services Processing Card and two Network
Processing Cards operating under heavy traffic produce fewer flow sessions.
[PR/478939]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the input packets and
bytes counter shows random values both in traffic statistics and IPv6 transit statistics,
when VLAN tagging is added or removed from the IPv6 address configured interface.
[PR/489171]
163
On SRX Series devices, the software upload and install package does not show a
warning message when there are pending changes to be committed. [PR/514853]
On SRX240 Low Memory devices, the LSQ interface transmitting both LLQ and non-LLQ
traffic drops out-of-profile packets of the LLQ traffic faster than it was dropping out
earlier. [PR/536588]
On SRX5800 devices, address overlapping is not supported when dual-stack lite works
with the source NAT and enables any of the following options:
persistent-nat
port no-translation
host-address-base (IP shifting)
[PR/540816]
On SRX3600 devices, if the interface address is changed to a new address that is also
the dual-stack lite concentrator address with the background traffic target to the
address, the user should manually clear the ipip cleartext sessions with the concentrator
address. The dual-stack lite concentrator will affect the traffic flow. [PR/541747]
On SRX5800 devices, in NAT mode, when SIP traffic is sent from the device packet
drop is seen at the beginning and later processing of traffic stops. [554685]
On SRX3400 and SRX3600 devices, when external radius server is down or terminated,
the mass of authentication requests could cause authd to generate a core file.
[PR/568659]
Hardware
On SRX210 devices, the MTU size is limited to 1518 bytes for the 1-port SFP Mini-PIM.
[PR/296498]
On SRX240 devices, the Mini-PIM LEDs glow red for a short duration (1 second) when
the device is powered on. [PR/429942]
On SRX240 devices, the file installation fails on the right USB slot when both of the
USB slots have USB storage devices installed. [PR/437563]
On SRX240 devices, the combinations of Mini-PIMs cause SFP-copper links to go down

in some instances during bootup, restarting fwdd, and restarting chassisd. As a
workaround, reboot the device and the link will be up. [PR/437788]
164
Infrastructure
On J Series devices, you cannot use a USB device that provides U3 features (such as
the U3 Titanium device from SanDisk Corporation) as the media device during system
boot. You must remove the U3 support before using the device as a boot medium. For
the U3 Titanium device, you can use the U3 Launchpad Removal Tool on a
Windows-based system to remove the U3 features. The tool is available for download
at http://www.sandisk.com/Retail/Default.aspx?CatID=1415 . (To restore the U3 features,
use the U3 Launchpad Installer Tool accessible at
http://www.sandisk.com/Retail/Default.aspx?CatID=1411). [PR/102645]
On J Series devices, if the device does not have an ARP entry for an IP address, the
device drops the first packet from itself to that IP address. [PR/233867]
On J Series devices, when you press the F10 key to save and exit from BIOS configuration
mode, the operation might not work as expected. As a workaround, use the Save and
Exit option from the Exit menu. This issue can be seen on the J4350 and J6350 devices
with BIOS Version 080011 and on the J2320 and J2350 devices with BIOS Version
080012. [PR/237721]
On J Series devices, the Clear NVRAM option in the BIOS configuration mode does not
work as expected. This issue can be seen on the J4350 and J6350 routers with BIOS
Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. To
help mitigate this issue, note any changes you make to the BIOS configuration so that
you can revert to the default BIOS configuration as needed. [PR/237722]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the SNMP set for the MIB
object usmUserPrivKeyChange does not work. [PR/482475]
Installation
On SRX100, SRX210, SRX240, or SRX650 devices with 1-GB storage flash, when you
use the file copy command to copy the Junos OS package from ftp://<path> to a local
directory, you might get a message saying that the file system is full. Do not use the
file copy command to get the Junos OS package for software upgrade.
The file copy command copies the Junos OS package as a temporary file in/cf/var/tmp
and then copies the file with a package name in a local directory under the /cf/var
partition. This means that a Junos OS package of size X needs 2X space in the /cf/var
partition. For example, a Junos OS package of 197 MB will need 394 MB, whereas the
/cf/var partition is less than 350 MB on a 1-GB storage flash. Thus, the file copy
command will fail. [PR/526030]

The following issues currently exist in SRX210 and SRX240 devices with Integrated
Convergence Services:
SNMP does not provide support for survivable call server (SRX Series SCS) statistics.
[PR/456454]
On SRX210 devices with voice capability, SIP trunking or FXS trunking calls do not work
if the called party supports only the G729AB/G711-Mu-law codec. [PR/504135]
165
On SRX240 devices with Integrated Convergence Services, the call-pickup feature

does not work in survivable mode. If an analog station in a station group rings, another
analog phone belonging to the same station group cannot pick up the call. As a
workaround, configure three SIP phones (S1, S2, and S3), and add them to the pickup
group (use a station group with S1, S2, and S3) because the pickup group works for
SIP phones, but it does not work for analog phones. [PR/505237]
On SRX210 and SRX240 devices with Integrated Convergence Services, if the transport
method for the peer call server is TCP, the SRX Series devices do not support SIP
messages of more than 2048 bytes. [PR/510291]
On SRX210 and SRX240 devices with voice capability, the T1PRI calls do not work
when multiple trunk-groups or trunks are created. [PR/514784]
On SRX210 and SRX240 devices with voice capability, the caller ID of the calling party
is displayed as a four-digit local extension number instead of a 7-or 10-digit local or
international number for outgoing calls from PRI. [PR/516021]
On SRX210 and SRX240 devices with Integrated Convergence Services, if you have
the accounting feature configured (Services>Convergence services>Features), you
cannot configure the account code on a per-station basis. [PR/516681]
On SRX240 devices with voice capability, the restart rtdm command is required after
changing the Max-concurrent-value from x to 0, to allow unlimited calls through SIP
trunk or PCS. [PR/536849]
On SRX240 devices with voice capability, the restart rtdm command is required to
make PRI calls successful when both PRI and T1CAS lines are active. [PR/537551]
On SRX650 devices, the following loopback features are not implemented for quad
T1/E1 GPIMs:
Line
FDL payload
In-band line
In-band payload
[PR/425040]
On SRX650 devices, configuring dual and quad T1/E1 framing at the chassis level has
no effect. [PR/432071]
On SRX Series devices, incorrect Layer 2 circuit replication on the backup Routing
Engine might occur when you:
Configure nonstop active routing (NSR) and Layer 2 circuit standby simultaneously
and commit them
Delete the NSR configuration and then add the configuration back when both the
NSR and the Layer 2 circuits are up
166
As a workaround:
1.
Configure the Layer 2 circuit for a nonstandby connection.
2. Change the configuration to a standby connection.

3. Add the NSR configuration.
[PR/440743]
On SRX210 Low Memory devices, the E1 interface flaps and traffic does not pass through
the interface if you restart forwarding while traffic is passing through the interface.
[PR/441312]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you configure the
SAP listen option using the protocol sap listen command in the CLI, listening fails in
both sparse and sparse-dense modes. [PR/441833]
On J Series devices, one member link goes down in a Multilink (ML) bundle during
bidirectional traffic with Multilink Frame Relay (MFR). [PR/445679]
On SRX100, SRX210, and J Series devices, out-of-band dial-in access using a serial
modem does not work. [PR/458114]
On SRX100 and SRX200 devices with VDLS2, multiple carrier transitions (three to
four) are seen during long-duration traffic testing with the ALU 7302 DSLAM. There is
no impact on traffic except for the packet loss after long-duration traffic testing, which
is also seen in the vendor CPE. [PR/467912]
On SRX210 devices with VDLS2, the remote end ping operation fails to go above the
packet size of 1480 because the packets are dropped for the default MTU, which is
1496 on an interface, and because the default MTU of the remote host Ethernet
interface is 1514. [PR/469651]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you change the
multicast scoping to a different multicast address, traffic other than which is configured
for multicast scoping is not received. [PR/482957]
On SRX210 High Memory devices, the physical interface module (PIM) shows time in
ADSL2+ ANNEX-M, even though it is configured for ANNEX-M ADSL2. [PR/497129]
On SRX100, SRX210, SRX240, and SRX650 devices, whenever radius-server is

configured under the profile option, radius server is marked as dead permanently if
radius times out. As a workaround, configure radius-server outside the profile option
under the access option. [PR/503717]
On SRX5600 and SRX5800 devices, load balance does not happen within the
aggregated Ethernet (ae) interface when you prefix the length with /24 while
incrementing the dst ip. [PR/505840]
On SRX100, SRX210, SRX240, and SRX650 devices, egress queues do not function
on VLAN or IRB interfaces. [PR/510568]
On SRX650 devices, in the 2-port 10G XPIM, when the interface is linked with fiber, the
activity LED does not blink when traffic enters the interface. However, the activity LED
blinks properly when traffic goes out of the interface. [PR/513961]
167
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if stress FTP traffic is

sustained for several minutes, the device might begin to accept only limited new FTP
connections. This situation might continue for one minute, and then the device returns
to normal functioning. [PR/530142]
On SRX650 devices, the speed for the ae interface shows the interface speed and not
the negotiated speed. [PR/553339]
On SRX220 devices, on multiple reboot or restart forwarding, a link might remain in a

hard down state. [PR/556389]
On SRX650 devices, sometimes quad T1/E1 generates a core file while the user is
configuring it in T1 mode with the traffic sent continuously over the quad T1/E1.
[PR/556716]
On SRX220 devices, when oversubscribed traffic is sent through the gr interface (after
tunnel queuing has been enabled and the shaper has been configured), there is an
increase in tail-dropped packets at the egress of the gr interface. As a result of this,
the output packet rate at the egress of the gr interface is much lower compared to that
of the shaper. [PR/559378]
On SRX1400 devices, the alarm indication is not available if a power supply is not
functioning normally. The system creates log messages in /var/log/chassisd to indicate
the power supply failure conditions. [PR/566210]
The SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices support only
one IDP policy at any given time. When you make changes to the IDP policy and commit,
the current policy is completely removed before the new policy becomes effective.
During the update, IDP will not inspect the traffic that is passing through the device for
attacks. As a result, there is no IDP policy enforcement. [PR/392421]
On SRX210 devices, when the IDP policy contains rules that have the match criteria
for the same attacks, multiple attacks will be reported when the attacks are detected.
No errors or warnings appear during policy compilation. [PR/414416]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you configure a policy

containing more than 200 rules, with each rule containing the predefined attack groups
(Critical, Major, and Minor), the memory constraint of the Routing Engine (500 MB) is
reached. [PR/449731]
On SRX Series devices, the maximum supported sessions count is not displayed when
you run the show security flow session idp summary command. [PR/503721]
On SRX100 and SRX210 devices, depending on configuration, peak performance level

drops up to 30 percent have been observed for IDP and UTM features. This issue
impacts only customers who deploy these devices with peak performance level
requirements for IDP and UTM services. [PR/503446, PR/506500, PR/518737]
On SRX5600 devices, when using a 4096-bit SSL private key for IDP HTTPS traffic
processing, the watchdog aborts the flowd process and reboots the SPC. This is
primarily because of the watchdog timer expiration. The IDP function takes a long time
to decrypt the session when you use a 4096-bit key.
168
The SSL function is known to take an exponentially large amount of time when the
key size is increased. Key sizes of 1024 bits and 2096 bits are OK to process because
their processing time is below the watchdog threshold, but the key size of 4096 bits
should not be used when sending stress traffic. Also, IDP uses SSL hardware for <=
1024-bit keys. The throughput is much higher for the traffic using <= 1024-bit SSL
private keys. [PR/524452 ]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when packet-logging

functionality is configured with an improved pre-attack configuration parameter value,
the resource usage increases proportionally and might affect the performance.
[PR/526155]
On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, IDP policies greater than
19 MB do not get loaded. [PR/540856]
On SRX100 and SRX240 High Memory devices, whenever the folder /var/db/idpd is
deleted or any folder /var/db/idpd/db that is under the folder var/db/idpd is deleted,
the system must be rebooted for proper functioning of idpd. [PR/551412]
IPv6
Proxy-ndp does not work in IPv6. Hence, the following issues exist:
proxy-ndp cannot be configured under Security>NAT
publish MAC for specific IPv6 addresses will not work under Interfaces>set interfaces
[PR/549969]
ISSU
In-service software upgrade (ISSU) is not supported for upgrading VPN, NAT, IPv6,
FTP ALG, TFTP ALG, or IDP functionality. If ISSU is used while the noted functionality
is enabled, SRX Series devices might be left in an invalid state. The upgrade options
are either to disable unsupported ISSU features prior to the upgrade or to use a standard
upgrade procedure with a reboot. [PR/558566, PR/530035].
J-Flow
SRX3400, SRX3600, SRX5600, and SRX5800 devices support the 4-byte autonomous
system (AS) for BGP configuration. However, J-Flow template versions 5 and 8 do not
support 4-byte AS because these J-Flow templates have 2 bytes for the SRC/DST AS
field. [PR/416497]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, J-Flow sampling on the

virtual router interface does not show the values of autonomous system (AS) and
mask length. The AS or mask length values of cflowd packets show 0 while sampling
the packet on the virtual router interface. [PR/419563]
169
J-Web
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the LEDs on the Routing
Engine and PICs are not shown as green when they are up and online on the J-Web
Chassis View. [PR/297693]
On SRX100, SRX210, SRX240, and SRX650 devices, the LED status in the Chassis View
is not in sync with the LED status on the device. [PR/397392]
On SRX210 Low Memory devices, in the rear view of the Chassis View image, the image
of the ExpressCard remains the same whether a 3G card is present or not. [PR/407916]
On SRX Series devices, the CLI Terminal feature does not work in J-Web over IPv6.
[PR/409939]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web, the Generate

Report option under Monitor Event and Alarms opens the report in the same webpage.
[PR/433883]
On SRX100, SRX210, SRX240, SRX650, and all J Series devices, in J-Web, the options
Input filter and Output filter are displayed in the VLAN configuration page. These options
are not supported, and the user cannot obtain or configure any value under these filter
options. [PR/460244]
On SRX100, SRX210, SRX240, SRX650, and all J Series devices, when you have a large
number of static routes configured, and if you have navigated to pages other than to
page 1 in the Route Information table in the J-Web interface (Monitor>Routing>Route
Information), changing the Route Table to query other routes refreshes the page but
does not return you to page 1. For example, if you run the query from page 3 and the
new query returns very few results, the Route Information table continues to display
page 3 with no results. To view the results, navigate to page 1 manually. [PR/476338]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the entry registered into
RIB is not shown in J-Web. [PR/483885]
On SRX210 Low Memory, SRX210 High Memory, and SRX210 PoE devices, in the J-Web
interface, Configuration>Routing>Static Routing does not display the IPv4 static route
configured in rib inet.0. [PR/487597]
On SRX100 (Low Memory and High Memory), SRX210 (Low Memory, High Memory,
and PoE), SRX240 (Low Memory and High Memory), SRX650, J2350, J4350, and J6350
devices, CoS feature commits occur without validation messages, even if you have not
made any changes. [PR/495603]
On SRX100, SRX210, SRX220, and SRX240 devices, in J-Web, after a session expires,
a relogin page appears in the wizard window. As a workaround, close the wizard window
when the session expires and log in again. [PR/537475]
On SRX100, SRX210, SRX220, and SRX240 devices, in J-Web, a matching destination

port configured in the NAT wizard is not pushed to the CLI configuration. As a
workaround, use the CLI. [PR/547630]
On SRX100, SRX210, SRX220, and SRX240 devices, wizards take more time to commit
the configuration setup and to load the page. [PR/548530]
170
On SRX100, SRX210, SRX220, and SRX240 devices, in J-Web, the candidate

configuration should be removed from the CLI configuration when validation or commit
from the wizard fails. [PR/549202]
On SRX100, SRX210, SRX220, and SRX240 devices, in J-Web, policies configured under
group global cannot be edited or deleted in the NAT and firewall wizards. [PR/552519]
Management and Administration
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the queue statistics are
not correct after deletion and re-creation of a logical interface (IFL) or creation of a
new IFL. IFL statistics are not cleared for 15 minutes after chassis-control is restarted.
[PR/417947]
On SRX5600 devices, when the system is in an unstable state (for example SPU
reboot), NFS might generate residual.nfs files under the /var/tmp directory, which can
occupy the disk space for a very long time. As a workaround, run the request sys storage
cleanup command to clean up when the system has low disk space. [PR/420553]
On SRX650 devices, the kernel crashes when the link goes down during TFTP
installation of the srxsme image. [PR/425419]
On SRX650 devices, continuous messages are displayed from syslogd when ports are
in switching mode. [PR/426815]
On SRX240 devices, if a timeout occurs during the TFTP installation, booting the
existing kernel using the boot command might crash the kernel. As a workaround, use
the reboot command from the loader prompt. [PR/431955]
On SRX240 devices, when you configure the system log hostname as 1 or 2, the device
goes to the shell prompt. [PR/435570]
On SRX240 devices, the Scheduler Oinker messages are seen on the console at various
instances with various Mini-PIM combinations. These messages are seen during bootup,
while restarting fwdd, while restarting chassisd, and during configuration commits.
[PR/437553]
On SRX5800 devices, rebooting is required for any NP bundle configuration change

to take effect. Currently there is no notification displayed after the bundle configuration
change to notify that a reboot is required for the change to take effect. [PR/441546]
On SRX5600 and SRX5800 devices, data path debug trace messages are dropped
at above 1000 packets per second (pps). [PR/446098]
On J2350, J4350, and J6350 devices, extended bit error rate test (BERT) takes an
additional 3 hours to complete even though a BERT period of 24 hours is set.
[PR/447636]
On J4350 devices, when you place internal calls, interface-based persistent NAT
displays only one active hairpinning session instead of two, even after the call is
established. [PR/504932]
On SRX5600 devices, only network addresses are allowed in IPv6 NAT configuration
from Junos OS Release 10.3 onward. This is enforced in commit check. [PR/545330]
171
Under certain stress conditions, SRX1400 will not be able to reach max supported NAT
sessions. [PR/568660]
Power over Ethernet (PoE)
On SRX240 and SRX210 devices, the output of the PoE operational commands takes
roughly 20 seconds to reflect a new configuration or a change in status of the ports.
[PR/419920]
On SRX210 PoE devices managing AX411 Access Points, the device might not be able
to synchronize time with the configured NTP server. [PR/460111]
On SRX210 devices, the fourth access point connected to the services gateway fails
to boot with the default PoE configuration. As a workaround, configure all the PoE
ports to a maximum power of 12.4 watts. Use the following command to configure the
ports:
root# set poe interface all maximum-power 12.4
[PR/465307]
On SRX210, SRX220, SRX240, and SRX650 devices with factory default configurations,
the device is not able to manage the AX411 Access Point. This might be because of the
DHCP default gateway is not set. [PR/468090]
On SRX210 PoE devices managing AX411 Access Points, traffic of 64 bytes at a speed
of more than 45 megabits per second (Mbps), might result in loss of keepalives and
reboot of the AX411 Access Point. [PR/471357]
On SRX210 PoE devices, high latencies might be observed for the Internet Control
Message Protocol (ICMP) pings between two wireless clients when 32 virtual access
points (VAPs) are configured. [PR/472131]
On SRX210 PoE devices, when AX411 Access Points managed by the SRX Series devices
reboot, the configuration might not be reflected onto the AX411 Access Points. As a
result, the AX411 Access Points retain the factory default configuration. [PR/476850]
On SRX240 PoE devices, during failover, on the secondary node the ADSL Mini-PIM
restarts and takes about 3 to 4 minutes to come up. [PR/528949]
Security
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the egress filter-based

forwarding (FBF) feature is not supported. [PR/396849]
On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster,

if the Infranet Controller auth table mapping action is configured as provision auth table
as needed, UAC terminates the existing sessions after Routing Engine failover. You
might have to initiate new sessions. Existing sessions are not affected after Routing
Engine failover if the Infranet Controller auth table mapping action is configured as
always provision auth table. [PR/416843]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, you should not configure
rulebase-DDoS rules that have two different application-DDoS objects to run on one
destination service because the traffic destined to one application server can encounter
more than one rule. Essentially, for each protected application server, you have to
configure a single application-level DDoS rule. [PR/467326]
172
Unified Access Control (UAC)
On J Series devices, MAC address-based authentication does not work when the router
is configured as a UAC Layer 2 Enforcer. [PR/431595]
On SRX210 High Memory devices, content filtering provides the ability to block protocol
commands. In some cases, blocking these commands interferes with protocol
continuity, causing the session to hang. For instance, blocking the FETCH command
for the IMAP protocol causes the client to hang without receiving any response.
[PR/303584]
On SRX210 High Memory devices, when the content filtering message type is set to
protocol-only, customized messages appear in the log file. [PR/403602]
On SRX210 High Memory devices, the express antivirus feature does not send a
replacement block message for HTTP upload (POST) transactions if the current
antivirus status is engine-not-ready and the fallback setting for this state is block. An
empty file is generated on the HTTP server that contains no block message.
[PR/412632]
On SRX240, SRX650, and J Series devices, Eudora 7 (through DUT) and Outlook
Express (directly, not through DUT) downloads infected mail (with an EICAR test file)
to the mail server because of which the mail retrieval is slow. [PR/424797]
On SRX650 devices operating under stress conditions, the UTM subsystem file partition
might fill up faster than UTM can process and clean up existing temporary files. In that
case, the user might see error messages. As a workaround, reboot the system.
[PR/435124]
On SRX240 High Memory devices, FTP download for large files (> 4 MB) does not
work in a two-device topology. [PR/435366]
On SRX210, SRX240, and SRX650 devices, the Websense server stops taking new
connections after HTTP stress. All new sessions get blocked. As a workaround, reboot
the Websense server. [PR/435425]
On SRX240 devices, if the device is under UTM stress traffic for several hours, users
might see the following error while using a UTM command:
the utmd subsystem is not responding to management requests.
As a workaround, restart the utmd process. [PR/436029]
On SRX100 High Memory, SRX210 High Memory, SRX240 High Memory, and SRX650
devices, more than 1500 antispam requests are not supported because of system
limitation. [PR/451329]
On SRX240 High Memory devices, during UTM web traffic stress test, some leak of AV
scanner contexts is observed in some error pages. [PR/538470]
On SRX650 devices, when express AV is enabled, traffic from the server and client are
buffered at the device. Sometimes, the buffer resource runs out because the traffic
arrives faster than the buffer resource are released and results in the device detecting
173
an out-of-resource state and takes fallback action. This happens only if a burst of
traffic exceeding 20 MB arrives at the device within a very short duration. [PR/556309]
Upgrade
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you are running a previous
Junos OS Release and are already using more than 70 percent of the memory on your
device, we recommended you do not upgrade to Junos OS Release 10.4. New
functionality in Junos OS release 10.4 might use more memory, meaning that you might
run out of memory with a configuration that worked on a previous release. [PR/546069]
USB Modem
On SRX210 High Memory devices and J6350 devices, packet loss is seen during rapid
ping operations between the dialer interfaces when packet size is more than 512 Kbps.
[PR/484507]
On SRX210 High Memory devices, the modem interface can handle bidirectional traffic
of up to 19 Kbps. During oversubscription of 20 Kbps or higher traffic, the keepalive
packets are not exchanged and the interface goes down. [PR/487258]
On SRX210 High Memory devices, IPv6 is not supported on dialer interfaces with a USB
modem. [PR/489960]
On SRX210 High Memory devices, HTTP traffic is very slow through the umd0 interface.
[PR/489961]
On SRX210 High Memory devices and J6350 devices, the D10 link flaps during
long-duration traffic of 15 Kbps and also when the packet size is 256 Kbps or more.
[PR/493943]
On SRX240, SRX650, J4350, and J6350 devices, tagged frames on an access port
with the same VLAN tag are not dropped. [PR/414856]
On SRX100, SRX210, and SRX240 devices, the packets are not sent out of the physical
interface when the VLAN ID associated with the VLAN interface is changed. As a
workaround, you need to clear the ARP. [PR/438151]
On SRX100 Low Memory, SRX100 High Memory, SRX210 Low Memory, SRX210 High
Memory, SRX240 High Memory, and SRX650 devices, the Link Layer Discovery Protocol
(LLDP) organization-specific Type Length Value (TLV), medium attachment unit
(MAU) information always propagates as Unknown. [PR/480361]
On SRX100 High Memory devices and SRX210 Low Memory devices, dot1x
unauthenticated ports accept Link Layer Discovery Protocol (LLDP) Protocol Data
Units (PDUs) from neighbors. [PR/485845]
For SRX210 High Memory devices, during configuration of access and trunk ports, the
individual VLANs from the vlan-range are not listed. [PR/489872]
174
VPNs
On SRX210 and SRX240 devices, concurrent login to the device from different
management systems (for example, laptop or desktop computers) is not supported.
The first user session is diconnected when a second user session is started from a
different management system. Also, the status for the first user system is displayed
incorrectly as Connected. [PR/434447]
On SRX Series and J Series devices, the site-to-site policy-based VPNs in a 3 or more
zone scenario will not work if the policies match the address any instead of specific
addresses, and all cross-zone traffic policies point to the single site-to-site VPN tunnel.
As a workaround, configure address books in different zones to match the source and
destination, and use the address book name in the policy to match the source and
destination. [PR/441967]
On SRX100, SRX210, SRX240, and SRX650 devices, Routing Engine level redundancy
for dynamic VPN fails because the tunnels need to renegotiate after RG0 failover.
[PR/513884]
On SRX100, SRX210, SRX240, and SRX650 devices, the dynamic VPN server always
pushes the last configured dynamic client configuration to the client. If the VPN
configuration bound to this dynamic VPN client is not bound to a policy, IKE negotiation
fails when you try to connect to the server. [PR/514033]
On SRX100, SRX210, SRX240, and SRX650 devices, the dynamic VPN client is not
downloaded if there is not enough space in the /jail/var directory in the dynamic VPN
server. [PR/515261]
On SRX3400 and SRX3600 devices, the VPN monitor status in the DEP server side
stays down for some time after RG0 and RG1 failover because there is no active state
sync up for VPN monitoring. [PR/532952]
WLAN
On SRX210, SRX240, and SRX650 devices, J-Web online Help displays the list of all
the countries and is not based on the regulatory domain within which the access point
is deployed. [PR/469941]
WXC Integrated Services Module
When two J Series devices with WXC Integrated Services Modules (WXC ISM 200s)
installed are configured as peers, traceroute fails if redirect-wx is configured on both
peers. [PR/227958]
On J6350 devices, Junos OS does not support policy-based VPN with WXC Integrated
Services Modules (WXC ISM 200s). [PR/281822]
Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and
J Series Services Routers
The following are the issues that have been resolved since Junos OS Release 10.4R1 for
Juniper Networks SRX Series Services Gateways and J Series Services Routers. The
identifier following the descriptions is the tracking number in the Juniper Networks Problem
Report (PR) tracking system.
175
On J4350 devices in a NAT-PT environment, when the client was in an IPv6 environment
and the DNS server was in an IPv4 environment, the DNS server had only the IPv4
address record. When the client looked up the IPv6 address of the record in the DNS
server, DUT performed NAT-PT on the DNS ALG. When the client executed the lookup
action several times, a core file error was returned. [PR/533345: This issue has been
resolved.]
Chassis Cluster
On SRX5600 and SRX5800 devices, the IOC card reset unexpectedly when the
monitored IP addresses under the chassis cluster IP-monitoring configuration was
deleted. In addition, the monitored IP was not deleted from the data plane when it was
specified without the secondary interface. [PR/557687: This issue has been resolved.]
On SRX3600 devices, RG failover to Node0 failed because the FPCs went offline during
the failover. [PR/563391: This issue has been resolved.]
On SRX3600 devices, RG0 failovers caused interface flapping when LACP was used
on reth interfaces. [PR/565617: This issue has been resolved.]
Dual-Stack Lite
On SRX5600 devices, with heavy DS Lite traffic, flowd stopped responding with flow
table corruption because of a function related to flow table operation (for example,
flow_table_find_flow_v6). [PR/548790: This issue has been resolved.]
Flow and Processing
On SRX210 High Memory devices, the error message JMDX: Thread timed out waiting
for smi write was continuously displayed. [PR/ 536586: This issue has been resolved.]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices under high traffic load,
some part of FTP and TFTP control sessions did not get timed out even after two hours
of stopping the traffic. [PR/548250: This issue has been resolved.]
On SRX5800 devices, TCP out-of-order packets occurred with the SRX Series device
acting as a GRE pass-through device. [PR/558923: This issue has been resolved.]
On SRX240 devices with Integrated Convergence Services running in survivable mode,

if two SIP stations were in a call and if either of the SIP stations made an attempt to
park the call by dialing the parking number 7000, the call was not parked. [PR/505240:
On SRX210 devices, the modem moved to the dial-out pending state while connecting
or disconnecting the call. [PR/454996: This issue has been resolved.]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show datapath-debug

counter command gave error messages from the secondary node. [PR/477017: This
176
On all SRX Series devices, the destination and destination-profile options for address
and unnumbered-address within family inet and inet6 were allowed to be specified
within a dynamic profile but were not supported. [PR/493279: This issue has been
resolved.]
On SRX240 and SRX650 devices, IGMP reports were flooded on all ports that were
part of the same multicast group instead of being sent on only the router interface.
On SRX650 devices, IGMP snooping did not work in q-in-q mode on a trunk port when
the Ethernet type was set to any value other than 0x8100. [PR/554992: This issue has
been resolved.]
On SRX100 devices, the maximum number of MTUs that could be configured on the
Fast Ethernet interface was 1624. Also, MTU configuration from J-Web was not
recommended if you were running Junos OS Release 10.1 or 10.2. [PR/566592: This
On SRX5800 devices, under certain circumstances, zone screening setting was not
applied properly. [PR/569678: this issue has been resolved.]
On SRX210 High Memory and SRX240 High Memory devices, IDP scaling drop occurred.
On SRX240 High Memory devices, with IDP policy template, policy load failed while
changing the active policy from the recommended option to the IDP_Default policy.
This was because there was not enough memory for IDP to load the IDP_Default policy.
J-Web
On SRX100 devices, in J-Web, users could configure the scheduler without entering
any stop date. The device submitted the scheduler successfully, but the submitted
value was not displayed on the screen or saved in the device. [PR/439636: This issue
has been resolved.]
On J2350 and SRX210 High Memory devices, you could not use the Move/edit button
for moving the IPS rule in IDP policy page. [PR/499499: This issue has been resolved.]
On SRX Series and J Series devices, in the J-Web interface, the Move/edit button did
not work for the exempt rulebase on the IDP Policy configuration page. [PR/503451:
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web, when you tried
to commit a candidate configuration in the CLI using the Point and Click CLI, an error
was displayed on the configuration page. [PR/514771: This issue has been resolved.]
On SRX220 devices, you could not edit the physical properties of a LAN interface in
J-Web without entering the MAC address. [PR/519818: This issue has been resolved.]
177
On SRX and J Series devices, the user was unable to configure the IPS-Exempt rule
only with attacks. J-Web forced the user to select the address and zones. [PR/ 522197:
On SRX100, SRX210, and SRX240 devices, in J-Web, the resource utilization did not
load any data in the dashboard page using Firefox 3.0. [PR/564165: This issue has
been resolved.]
On SRX100 High Memory devices, when you used antispam and antivirus in the same
UTM-policy, spam were not tagged correctly. [PR/575296: This issue has been
resolved.]
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the IRB
(VLAN) interface could not be used as the underlying interface for Point-to-Point
Protocol over Ethernet (PPPoE). [PR/528624: This issue has been resolved.]
VPNs
Related
Documentation
SRX5800 devices in Layer 2 transparent mode, did not allow the IPsec pass-through
VPNs to build. [PR/566160: This issue has been resolved.]
Changes to the Junos OS Documentation Set
This section lists changes in the documentation.
Single Commit on J-Web
The following information pertains to SRX Series devices:
For all J-Web procedures, follow these instructions to commit a configuration:
If Commit Preference is Validate and commit configuration changes, click OK.
178
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
If Commit Preference is Validate configuration changes, click OK to check your

configuration and save it as a candidate configuration, then click Commit
Options>Commit.
J-Web Online Help
Previously, J-Web online Help instructions were available both in the Help and in the
administration and configuration guides. These topics have been removed from the
guides and are now available only in the online Help.
Errata for the Junos OS Documentation

This section lists outstanding issues with the software documentation.
Feature Support Reference
For SRX200 devices, the following support information is missing from the Junos OS
Feature Support Reference for SRX Series and J Series Devices:
Table 11: Chassis Cluster Support

Feature
SRX220 Support
Active/active chassis cluster (that is, cross-box data forwarding over the fabric interface)
Yes
Yes
Chassis cluster formation
Yes
Control plane failover
Yes
Dampening time between back-to-back redundancy group failovers
Yes
Data plane failover
Yes
Dual control links
No
Dual fabric links
Yes
Junos OS flow-based routing functionality
Yes
Low-impact cluster upgrade (ISSU light)
No
Multicast routing
Yes
Redundancy group 0 (backup for Routing Engine)
Yes
Redundancy groups 1 through 128
Yes
Redundant Ethernet interfaces
Yes
Redundant Ethernet interface link aggregation groups (LAGs)
No
179
Table 11: Chassis Cluster Support (continued)

Feature
SRX220 Support
Upstream device IP address monitoring
No
Upstream device IP address monitoring on a backup interface
No
Table 12: IPv6 Support

Feature
SRX220 Support
Security policy (IDP)
Yes
Table 13: PoE Support

Feature
SRX220 Support
IEEE 802.3 AT standard
Yes
IEEE legacy SRX210 and SRX240 only (pre-standards)
Yes
Table 14: Routing Support

Feature
SRX220 Support
Internet Group Management Protocol (IGMP)
Yes
Table 15: Wireless LAN Support

Feature
SRX220 Support
Wireless LAN
Yes
AX411 Access Point clustering
Yes
Enterprise-Specific MIBs and Traps Guides
The SRX100, SRX210, SRX220, SRX240, and SRX650 Services Gateways MIB Reference,
the SRX1400, SRX3400, and the SRX3600 Services Gateways MIB Reference, and
SRX5600 and SRX5800 Services Gateways MIB Reference incorrectly state the
downloadable version of the Real-Time Media (RTM) and SIP Common MIBs.
The correct URLs are as follows:
RTM MIBhttp://www.juniper.net/techpubs/en_US/junos10.4/topics/
reference/mibs/mib-jnx-rtm.txt
SIP Common MIBhttp://www.juniper.net/techpubs/en_US/
180
junos10.4/topics/reference/mibs/mib-jnx-sipcommon.txt
JUNOS OS Administration Guide for Security Devices
In Chapter 13, Performing Software Upgrades and Reboots for the SRX Series Services
Gateways, of the Junos OS Administration Guide for Security Devices, the word "install"
was duplicated. It has been corrected.
Junos OS CLI Reference
On SRX210 and SRX240 devices with Integrated Convergence Services, the Transport
Layer Security (TLS) option for the SIP transport is not supported in Junos OS Release
10.4. However, it is documented in the Integrated Convergence Services entries of the
Junos OS CLI Reference.
The Junos OS CLI Reference contains Integrated Convergence Services statement

entries for the music-on-hold feature, which is not supported for Junos OS Release
10.4.
The Junos OS CLI Reference incorrectly shows the show security idp status and clear
security idp status logs. The logs should be as follows:
Correct show security idp status log

user@host> show security idp status
State of IDP: 2-default,
Up since: 2010-02-04 13:37:16 UTC (17:15:02
ago)
Packets/second: 5
Peak: 11 @ 2010-02-05 06:51:58 UTC
KBits/second : 2
Peak: 5 @ 2010-02-05 06:52:06 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 82] [UDP: 0] [Other: 0]
Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 2] [Max: 6 @ 2010-02-05 06:52:08 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics: [ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
Policy Name : sample
Running Detector Version : 10.4.160091104
Correct clear security idp status log

user@host> clear security idp status
State of IDP: 2-default,
Up since: 2010-02-04 13:37:16 UTC (17:13:45
ago)
Packets/second: 0
Peak: 0 @ 2010-02-05 06:49:51 UTC
KBits/second: 0
Peak: 0 @ 2010-02-05 06:49:51 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name: sample
Running Detector Version: 10.4.160091104
181
The Junos OS CLI Reference states that the maximum timeout range for IDP policy is
0 through 65,535 seconds, whereas the ip-action timeout range has been modified to
0 through 64,800 seconds.
The Junos OS CLI Reference has missing information about the new CLI option
download-timeout, which has been introduced to set security idp security-package
automatic download-timeout value to configure the download timeout in minutes. The
default value for download-timeout is one minute. If download is completed before
the download times out, the signature is automatically updated after the download.
If the download takes longer than the configured period, the automatic signature
update is aborted.
user@host# set security idp security-package automatic download-timeout ?
Possible completions: <download-timeout>
Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout
Range: 1 60 minutes
Default: 1 minute
The Junos OS CLI Reference is missing information about the operational CLI command
show security ike active-peer, which is used to list connected active users with peer
address and port details.
user@host> show security ike active-peer
Remote Address
172.27.6.136
Port
8034
Peer IKE-ID
XAUTH username
tleungjtac@650a
tleung
Assigned IP
10.123.80.225
Junos OS Interfaces Configuration Guide for Security Devices
The Junos OS Interfaces Configuration Guide for Security Devices incorrectly states that
the following protocols are supported in Point-to-Point Protocol(PPP) Network Control
Protocols (NCPs). These protocols are not supported:
BCP151: Bridging Control Protocol
BVCP151: Banyan Vines Control Protocol
DNCP151: DECnet Phase IV Control Protocol
IPXCP151: Novell IPX Control Protocol
LECP151: LAN Extension Control Protocol
NBFCP151: NetBIOS Frames Control Protocol
SDTP151: Serial Data Transport Protocol
SNACP151: Systems Network Architecture (SNA) Control Protocol
XNSCP151: Xerox Network Systems (XNS) Internet Datagram Protocol (IDP) Control
Protocol
182
The ADSL2+ and ADSL2+ Annex M upstream values given in the Junos OS Interfaces
Configuration Guide for Security Devices are displayed incorrectly. The correct values
are as follows:
Table 16: Standard Bandwidths of DSL Operating Modes

Operating Modes
Upstream Values
ADSL2+
11.5 Mbps
ADSL2+ Annex M
2.53 Mbps
Junos OS Integrated Convergence Services Configuration and Administration Guide
The Junos OS Integrated Convergence Services Configuration and Administration Guide

does not include show commands for Junos OS Release 10.4.
J-Web
J-Web security package update Help pageThe J-Web Security Package Update
Help page does not contain information about download status.
J-Web pages for stateless firewall filtersThere is no documentation describing the

J-Web pages for stateless firewall filters. To find these pages in J-Web, go to
Configure>Security>Firewall Filters, then select IPv4 Firewall Filters or IPv6 Firewall
Filters. After configuring filters, select Assign to Interfaces to assign your configured
filters to interfaces.
There is no documentation describing the J-Web pages for media gateways. To find
these pages in J-Web, go to Monitor>Media Gateway.
J-Web Configuration Instructions Because of ongoing J-Web interface enhancements,
some of the J-Web configuration example instructions in the Junos administration and
configuration guides became obsolete and thus were removed. For examples that are
missing J-Web instructions, use the provided CLI instructions.
Junos OS Security Configuration Guide
The Junos OS Security Configuration Guide contains outdated information about NSM
support for IPv6. Please consult the NSM release notes for version compatibility,
required schema updates, and up-to-date support information.
ALG configuration examples in the Junos OS Security Configuration Guide incorrectly

show policy-based NAT configurations. NAT configurations are now rule-based.
The Junos OS Security Configuration Guide does not state that custom attacks and
custom attack groups in IDP policies can now be configured and installed even when
a valid license and signature database are not installed on the device.
The Verifying the Policy Compilation and Load Status section of the Junos OS Security
Configuration Guide has a missing empty/new line before the IDPD Trace file heading,
in the second sample output.
183
The Junos OS Security Configuration Guide states that the following aggressive aging
statements are supported on all SRX Series devices when in fact they are not supported
on SRX3400, SRX3600, SRX5600, and SRX5800 devices:
[edit security flow aging early-ageout]
[edit security flow aging high-watermark]
[edit security flow aging low-watermark
The Junos OS Security Configuration Guide states that the maximum acceptable timeout
range for an IDP policy is 0 through 65,535 seconds, whereas the ipaction timeout
range has been modified to 0 through 64,800 seconds.
The Junos OS Security Configuration Guide is missing information about the new CLI
option download-timeout, which has been introduced to set security idp security-package
automatic download-timeout < value > to configure the download timeout in minutes.
The default value for download-timeout is one minute. If download is completed before
the download times out, the signature is automatically updated after the download.
If the download takes longer than the configured period, the auto signature update is
aborted.
user@host# set security idp security-package automatic download-timeout ?
Possible completions: < download-timeout >
Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout
Range: 1 60 seconds
Default: 1 second
The Junos OS Security Configuration Guide states the following limitations in the
Limitations of IDP section:
On SRX Series and J Series devices, IP actions do not work when you select a timeout
value greater than 65,535 in the IDP policy.
This issue has been fixed and is no longer a limitation.
The Junos OS Security Configuration Guide incorrectly states the following limitations
in the Limtations of IDP section:
On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions
supported is 16,000.
The correct information is as follows:
The maximum number of IDP sessions supported is 1600 on SRX210 devices, 32,000
on SRX240 devices, and 128,000 on SRX650 devices.
When specifying a forwarding target after authentication on a captive portal, use the
?target= option followed by either the %dest-url% variable or a specific URL. The
%dest-url% variable forwards authenticated users to the protected resource they
originally specified. A URL forwards authenticated users to a specific site.
184
Note that when entering a URL with the ?target= option, you must substitute escape
characters for any special characters in the URL. Use the following escape characters
for these common special characters:
Replace : with %3A
Replace / with %2F
Replace - with %2D
Replace . with %2E
In the section Example: Configuring a Redirect URL for Captive Portal (CLI) in the
Junos OS Security Configuration Guide, the procedure description states that, after
authentication, users will be forwarded to the specified URL. Step 2 of the configuration
procedure, however, is incorrect. This command would forward users to
my-website.com before authentication, not after.
To redirect users after authentication, the command must include:
The IP address of the Infranet Controller to be used for authentication
The ?target= option and URL to distinguish a forwarding address to be used after
authentication
Escape characters substituted for any special characters in the URL name
The following text in Step 2 is incorrect:

[edit services unified-access-control]
user@host# set captive-portal my-captive-portal-policy redirect-url
https://my-website.com
The correct text for Step 2 is as follows:

[edit services unified-access-control]
user@host# set captive-portal my-captive-portal-policy redirect-url
https://192.168.0.100/?target=my%2Dwebsite%2Ecom
The Disabling Switching on SRX100, SRX210, SRX220, and SRX240 Devices Before
Enabling Chassis Clustering section of the Junos OS Security Configuration Guide
incorrectly states the command to set the root user password. The following set of
commands must be used to set the password:
1.
Enter configuration mode.
2. Enter the following commands:
user@host# set system root-authentication plain-text-password
This setting is required if a root user password was not set.

user@host# delete vlans
user@host# delete interfaces
user@host# delete security zones security-zone trust interfaces
user@host# delete security zones security-zone untrust interfaces
185
user@host# commit
In Chapter 9, "Understanding ALG Types," of the Junos OS Security Configuration Guide,

an incorrect statement for configuring FTP_NO_GET and FTP_NO_PUT in the FTP ALG
has been removed.
In Chapter 38, "Reconnaissance Deterrence," of the Junos OS Security Configuration

Guide, the graphics showed the sync check as being done after policy checking, which
is incorrect. The graphics have been corrected.
WLAN
The Junos OS WLAN Configuration and Administration Guide provides information on

AX411 access point clustering. Access point clustering is no longer supported.
Errata for the Junos OS Hardware Documentation

This section lists outstanding issues with the hardware documentation.
J Series Services Routers Hardware Guide
In the J Series Services Routers Hardware Guide, the procedure Installing a DRAM
Module omit the following condition:
All DRAM modules installed in the router must be the same size (in megabytes), type,
and manufacturer. The router might not work properly when DRAM modules of different
sizes, types, or manufacturer are installed.
SRX Series Services Gateways for the Branch Physical Interface Modules Hardware
Guide
In the SRX Series Services Gateway Interfaces Power and Heat requirements section,
the PIM Power Consumption Values table contains the power consumption value for
the 1-port Gigabit Ethernet Small Form-Factor Pluggable (SFP) Mini-PIM value as: 3:18
W
The correct power consumption value for the 1-port Gigabit Ethernet Small Form-Factor
Pluggable (SFP) Mini-PIM is 4:4 W
SRX1400 Services Gateway Hardware Guide
The SRX1400 Services Gateway Hardware Guide includes the following caution:
CAUTION: To comply with intrabuilding lightning/surge requirements, intrabuilding
wiring must be shielded, and the shield for the wiring must be grounded at both ends.
This caution is not applicable.
The SRX1400 Services Gateway Hardware Guide includes information about the
following DC-powered SRX1400 Services Gateways:
SRX1400BASE-XGE-DC
SRX1400BASE-GE-DC
These models are not available in Junos OS Release 10.4. Contact your Juniper Networks
customer service representative for information on these models.
186
Fan tray LED table in the Replacing the Fan Tray on the SRX1400 Services Gateway
section of the SRX1400 Services Gateway Hardware Guide erroneously documents
that:
The Amber (On Steadily): Fan tray LED cannot detect fan failure.
The correct information for this section is as follows: Amber LED (on steadily): Fan
tray LED does not indicate fan failure .
Some of the graphics in the SRX1400 Services Gateway Hardware Guide show the
grounding lug attached to the front panel of the device. However, the SRX1400 Services
Gateway is not shipped with grounding lug attached to it.
In the SRX1400 Services Gateway Hardware Guide, the following topics erroneously
document "RE ETHERNET" port as "ETHERNET" port.
Connecting the SRX1400 Services Gateway to a Network for Out-of-Band

Management
SRX1400 Services Gateway Software Configuration Overview
The SRX1400 Services Gateway Hardware Guide and the SRX1400 Services Gateway
Getting Started Guide are missing the following note:
NOTE: AC and DC power supply units are not interoperable between the
SRX1400 Services Gateway and the SRX3000 and SRX5000 lines.
SRX1400 Services Gateway Getting Started Guide
The SRX1400 Services Gateway Getting Started Guide includes information about the
following DC-powered SRX1400 Services Gateways:
SRX1400BASE-GE-DC
SRX1400BASE-XGE-DC
In the SRX1400 Services Gateway Getting Started Guide, some of the graphics are shown
with grounding lug attached on the front panel of the device. However, the SRX1400
Services Gateway is not shipped with grounding lug attached to it.
Some of the graphics in the SRX1400 Services Gateway Getting Started Guide show
graphics with the grounding lug attached to the device front panel. The grounding lug
is not attached to the device at the time of shipment.
The SRX1400 Services Gateway Getting Started Guide should document the following
statement:
You can replace the Network and Services Processing Card (NSPC) with the SRX3000
line Services Gateway Network Processing Card (NPC) and Services Processing Card
(SPC). To install the NPC and SPC on the SRX1400 Services Gateway, you must order
the Twin CFM holder tray (SRX1K3K-2CFM-TRAY) to hold two single-wide CFMs (NPC
187
and SPC) separately. Contact your Juniper Networks customer service representative
for more information.
In the SRX1400 Services Gateway Getting Started Guide, the following sections
erroneously documents "RE ETHERNET" port as "ETHERNET" port.
Step 5: Connect the External Devices and IOC Cables to the SRX1400 Services
Gateway
Step 7: Perform the Initial Software Configuration on the SRX1400 Services Gateway
Quick Start Guides
The SRX210 Services Gateway Quick Start and the SRX240 Services Gateway Quick
Start incorrectly document the specified order of the default set of codecs as 711-,
G711-A, G729AB in the Peer Call Server section. The correct values are G711-, G711-A,
G729AB.
The SRX210 Services Gateway Quick Start and the SRX240 Services Gateway Quick
Start are missing the following warning in the Powering Off the Device section:
WARNING: Use the graceful shutdown method to halt, power off, or reboot
the services gateway. Use the forced shutdown method as a last resort to
recover the services gateway if the services gateway operating system is
not responding to the graceful shutdown method.
In the SRX210 Services Gateway 3G ExpressCard Quick Start, several tasks are listed in
the wrong order. Task 6: Connect the External Antenna should appear before Task
3: Check the 3G ExpressCard Status, because the user needs to connect the antenna
before checking the status of the 3G ExpressCard. The correct order of the tasks is as
follows:
Before You Begin
Install the 3G ExpressCard
Connect the External Antenna
Check the 3G ExpressCard Status
Configure the 3G ExpressCard
Activate the 3G ExpressCard Options
In the SRX210 Services Gateway 3G ExpressCard Quick Start, in Task 6: Connect the
External Antenna, the following sentence is incorrect and redundant:
188
Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
"The antenna has a magnetic mount, so it must be placed far away from radio frequency
noise sources including network components."
In the SRX210 Services Gateway 3G ExpressCard Quick Start, in the Frequently Asked
Questions section, the answer to the following question contains an inaccurate and
redundant statement:
Q: Is an antenna required? How much does it cost?
A: The required antenna is packaged with the ExpressCard in the SRX210 Services
Gateway 3G ExpressCard kit at no additional charge. The antenna will have a magnetic
mount with ceiling and wall mount kits within the package.
In the answer, the sentence "The antenna will have a magnetic mount with ceiling and
wall mount kits within the package" is incorrect and redundant.
Related
Documentation
Routers on page 158
Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J
Series Services Routers
Transceiver Compatibility for SRX Series and J Series Devices on page 189
Power and Heat Dissipation Requirements for J Series PIMs on page 189
Supported Third-Party Hardware on page 190
J Series CompactFlash and Memory Requirements on page 190
Transceiver Compatibility for SRX Series and J Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used
on SRX Series and J Series interface modules. Different transceiver types (long-range,
short-range, copper, and others) can be used together on multiport SFP interface modules
as long as they are provided by Juniper Networks. We cannot guarantee that the interface
module will operate correctly if third-party transceivers are used.
Please contact Juniper Networks for the correct transceiver part number for your device.
Power and Heat Dissipation Requirements for J Series PIMs

On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs
fall within the power and heat dissipation capacity of the chassis. If power management
is enabled and the capacity is exceeded, the system prevents one or more of the PIMs
from becoming active.
CAUTION: Disabling power management can result in hardware damage if

you overload the chassis capacities.
189
You can also use CLI commands to choose which PIMs are disabled. For details about
calculating the power and heat dissipation capacity of each PIM and troubleshooting
procedures, see the J Series Services Routers Hardware Guide.
Supported Third-Party Hardware

The following third-party hardware is supported for use with J Series Services Routers
running Junos OS.
USB Modem
We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR 5637.
Storage Devices
The USB slots on J Series Services Routers accept a USB storage device or USB storage
device adapter with a CompactFlash card installed, as defined in the CompactFlash
Specification published by the CompactFlash Association. When the USB device is
installed and configured, it automatically acts as a secondary boot device if the primary
CompactFlash card fails on startup. Depending on the size of the USB storage device,
you can also configure it to receive any core files generated during a router failure. The
USB device must have a storage capacity of at least 256 MB.
Table 17 on page 190 lists the USB and CompactFlash card devices supported for use with
the J Series Services Routers.
Table 17: Supported Storage Devices on the J Series Services Routers

Manufacturer
Storage Capacity
Third-Party Part Number
SanDiskCruzer Mini 2.0
256 MB
SDCZ2-256-A10
SanDisk
512 MB
SDCZ3-512-A10
SanDisk
1024 MB
SDCZ7-1024-A10
Kingston
512 MB
DTI/512KR
Kingston
1024 MB
DTI/1GBKR
SanDiskImageMate USB 2.0

Reader/Writer for CompactFlash Type I
and II
N/A
SDDR-91-A15
SanDisk CompactFlash
512 MB
SDCFB-512-455
SanDisk CompactFlash
1 GB
SDCFB-1000.A10
J Series CompactFlash and Memory Requirements

Table 18 on page 191 lists the CompactFlash card and DRAM requirements for J Series
Services Routers.
190
Maximizing ALG Sessions
Table 18: J Series CompactFlash Card and DRAM Requirements
Related
Documentation
Model
Minimum CompactFlash
Card Required
Minimum DRAM
Required
Maximum DRAM
Supported
J2320
512 MB
512 MB
1 GB
J2350
512 MB
512 MB
1 GB
J4350
512 MB
512 MB
2 GB
J6350
512 MB
1 GB
2 GB
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series
Services Gateways and J Series Services Routers on page 124
Routers on page 158
Maximizing ALG Sessions

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, by default, the session
capacity number for RTSP, FTP, and TFTP ALG sessions is 10,000 per flow SPU. The
maximize-alg-sessions option enables you to increase defaults as follows:
RTSP, FTP, and TFTP ALG session capacity: 25,000 sessions per flow SPU
TCP Proxy connection capacity: 40,000 sessions per flow SPU
NOTE: Flow session capacity will be reduced to half per flow SPU and the
above capacity numbers will not change on the central point SPU.
191
You can configure maximum ALG sessions as follows:

security {
forwarding-process {
application-services {
maximize-alg-sessions;
}
}
}
You must reboot the device (and its peer in the chassis cluster) for the configuration to
take effect.
Integrated Convergence Services Not Supported

Integrated Convergence Services is no longer supported. The Media-Gateway (MGW)
versions of SRX Series low-end devices have been discontinued and are no longer
supported. If you have an ICS-supported SKU, please contact Juniper Networks for further
guidance.
In order to upgrade to Junos OS Release 10.4 or later, your device must be running one
of the following Junos OS Releases:
9.1S1
9.2R4
9.3R3
9.4R3
9.5R1 or later
If your device is running an earlier release, upgrade to one of these releases and then to
the 10.4 release. For example, to upgrade from Release 9.2R1, first upgrade to Release
9.2R4 and then to Release 10.4.
For additional upgrade and download information, see the Junos OS Administration Guide
for Security Devices and the Junos OS Migration Guide.

10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second
192
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0
remains unchanged.
193
Junos OS Release Notes for EX Series Switches
New Features in Junos OS Release 10.4 for EX Series Switches on page 194
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series
Switches on page 196
Limitations in Junos OS Release 10.4 for EX Series Switches on page 197
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series
New Features in Junos OS Release 10.4 for EX Series Switches

New features in Release 10.4 of the Junos operating system (Junos OS) for EX Series
switches are described in this section.
Not all EX Series software features are supported on all EX Series switches in the current
release. For a list of all EX Series software features and their platform support, see EX
Series Switch Software Features Overview.
New features are described on the following pages:
Hardware on page 194
Bridging, VLANs, and Spanning Trees on page 195
Class of Service (CoS) on page 195
Fibre Channel over Ethernet on page 195
High Availability on page 195
Infrastructure on page 195
Management and RMON on page 195
Packet Filters on page 196
Virtual Chassis on page 196
Hardware
XRE200 External Routing EngineThe XRE200 External Routing Engine is used to
create a Virtual Chassis composed of Juniper Networks EX8200 Ethernet Switches. A

Virtual Chassis is multiple switches connected together that operate as a single network
entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis
include better-managed bandwidth at a network layer, simplified configuration and
maintenance because multiple devices can be managed as a single device, and a
simplified Layer 2 network topology that minimizes or eliminates the need for
loop-prevention protocols such as Spanning Tree Protocol (STP).
New optical transceiver supportThe SFP+ uplink module in EX4500 switches now
supports one new optical transceiver: EX-SFP-10GE-LRM (10GBase-LRM, 220 m).
194
New Features in Junos OS Release 10.4 for EX Series Switches
Bridging, VLANs, and Spanning Trees
PVLAN configurationA private VLAN (PVLAN) can be configured to span multiple
switches.
Class of Service (CoS)
IPv6 CoS support on EX8200 switchesClassification of IPv6 packets is now supported
on EX8200 switches. You can configure rewrite rules for IPv6 packets.
Fibre Channel over Ethernet
FIP snoopingFIP snooping is supported on EX4500 switches. FIP snooping is a security
feature that can be used to prevent man-in-the-middle attacks when the switch is
being used as a Fibre Channel over Ethernet (FCoE) transit switch.
Priority-based flow controlPriority-based flow control (PFC) is supported on EX4500
switches. PFC, IEEE standard 802.1Qbb, is a link-level flow-control mechanism that

allows you to selectively pause traffic according to its class. PFC must be used for Fibre
Channel over Ethernet (FCoE) traffic.
High Availability
Nonstop active routing (NSR)Nonstop active routing (NSR) is now supported on
EX8200 switches that have multiple Routing Engines installed. You can configure
nonstop active routing to enable the transparent switchover of the Routing Engines
without restart of supported routing protocols. In this Junos OS release, NSR supports
only the OSPFv2 protocol. Other protocols might also work but are not supported.
Nonstop software upgrade (NSSU)Nonstop software upgrade (NSSU) is a new high
availability feature supported on EX8200 switches with redundant Routing Engines.

An NSSU upgrades the software running on both Routing Engines with a single
command and with minimal traffic disruption.
Infrastructure
Distributed Periodic Packet Management (PPM) Bidirection Forwarding Detection (BFD)

SupportPPM processing of BFD traffic is now supported on EX3200, EX4200, and
EX8200 switches.
IPv6 support on EX4500 switchesEX4500 switches support IPv6 addresses for
in-band management on the management interface and on network interfaces.
Multicast storm controlOn EX Series switches, storm control, when enabled on an
interface, applies to multicast traffic in addition to broadcast and unknown unicast

traffic. On EX8200 switches, you can selectively disable storm control on registered
multicast traffic, unregistered multicast traffic, or both types of multicast traffic.
Management and RMON
J-Web interface support for the 40-port SFP+ line card for EX8200 switchesJ-Web
interface support has been added for the 40-port SFP+ line card for EX8200 switches.
195
sFlow technology enhancementsYou can now specify an egress or ingress rate at
which packets can be sampled.
Packet Filters
Firewall filters on a management interfaceYou can now configure a firewall filter on
a management interface on an EX Series switch to filter ingress or egress traffic on the

interface.
Support for VLAN and router (Layer 3) firewall filters on EX4500 switchesOn EX4500
switches, VLAN and router (Layer 3) firewall filters are supported for IPv4 traffic.
Virtual Chassis
EX8200 Virtual ChassisEX8200 switches can now be connected to form a Virtual
Chassis. The EX8200 Virtual Chassis is formed by connecting EX8200 switches to an

XRE200 External Routing Engine. An EX8200 Virtual Chassis is multiple EX8200
switches connected together that operate as a single network entity. The advantages
of connecting multiple EX8200 switches into a Virtual Chassis include better-managed
bandwidth at a network layer, simplified configuration and maintenance because
multiple devices can be managed as a single device, and a simplified Layer 2 network
topology that minimizes or eliminates the need for loop-prevention protocols such as
Spanning Tree Protocol (STP).
Related
Documentation
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
on page 196
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
on page 211
The following changes in system behavior, configuration statement usage, or operational
mode command usage have occurred since the previous release and might not yet be
documented in the JUNOS OS for EX Series switches documentation:

Layer 2 protocol tunneling (L2PT) on EX Series switches now supports the Unidirectional
Link Detection (UDLD) protocol.
Class of Service
Beginning in Junos OS Release 10.2, you can configure multiple class-of-service (CoS)
rewrite rules for DSCP, IP precedence, and IEEE 802.1p. Rewrite rules are not assigned
to interfaces by default, and for rewrites to occur, you must assign a user-defined rewrite
196
Limitations in Junos OS Release 10.4 for EX Series Switches
rule or system-defined rewrite rule to an interface. For releases earlier than Junos OS
Release 10.2, EX8200 switches supported a single global rewrite rule assigned to all
Layer 2 interfaces and routed VLAN interfaces (RVIs).
When you upgrade from Junos OS releases earlier than Release 10.2 to Junos OS Release
10.2 or later, you must configure custom rewrite rules and assign them to an interface or
assign the system-defined rewrite rules to an interface for rewrites to occur.
Related
Documentation
on page 211

This section lists the limitations in Junos OS Release 10.4R2 for EX Series switches.
Access Control and Port Security
When you have configured more than 1024 supplicants on a single interface, 802.1X
authentication might not work as expected and the 802.1X process (dot1xd) might fail.
The RADIUS request sent by an EX Series switch contains both Extensible

Authentication Protocol (EAP) Identity Response and State attributes.
When an external RADIUS server goes offline and comes back online after some time
(perhaps about 30 minutes), subsequent captive portal authentication requests might
fail until the authd daemon is restarted. As a workaround, configure the revert
intervalthe time after which to revert to the primary serverand restart the authd
daemon.
On EX4200 switches, if you have used the EAP-TTLS authentication protocol to

authenticate 802.1X supplicants when configuring the RADIUS server, and if the
supplicant sends invalid credentials, the host never starts because the RADIUS server
does not send a failure message to the switch.
On EX4200 switches, if you have configured bridge protocol data unit (BPDU) protection
on all interfaces and disabled the panning-tree protocol, BPDU protection might not
work.
When a switch is running Virtual Routing Redundancy Protocol (VRRP) and you enable
or disable a large number (on the order of 50 or more) of routed VLAN interfaces (RVIs),
the STP topology might change for a short period of time during the commit process.
197
Class of Service
On EX8200 switches, classification of packets using ingress firewall filter rules with
forwarding-class and loss-priority configurations does not rewrite the DSCP or 802.1p
bits. Rewriting of packets is determined by the forwarding-class and loss-priority values
set in the DSCP classifier applied on the interface.
On EX4200 switches, traffic is shaped at rates above 500 Kbps, even when the shaping
rate configured is less than 500 Kbps.
Ethernet Switching
If you perform graceful Routing Engine switchover (GRES) on an EX4200 or an EX8200

switch, the Ethernet switching table might not refresh because the Packet Forwarding
Engine retains the forwarding database (FDB) entries. The result is that traffic is flooded
to the affected MAC addresses. As a workaround, refresh the Ethernet switching table
by issuing the clear ethernet-switching table command.
Firewall Filters
On EX3200 and EX4200 switches, when interface ranges or VLAN ranges are used in
configuring firewall filters, egress firewall filter rules take more than five minutes to
install.
On EX3200 and EX4200 switches, IGMP packets are not matched by user-configured
firewall filters.
When you enable the filter-id attribute on the RADIUS server for a particular client, one
of the required 802.1X authentication rules is not inserted in the IPv6 database. IPv6
traffic on the authenticated interface is not filtered; only IPv4 traffic is filtered on that
interface.
On EX8200 switches and the XRE200 External Routing Engine, if you apply different
firewall filters to different VLANs, only the filter applied to the first VLAN is applied
correctly. For example, if you issue commands to apply filter f1 to VLAN1, filter f2 to
VLAN2, and filter f3 to VLAN3, filter f1 applies correctly, but filters f2 and f3 are not
applied to any VLANs. As a workaround, merge all the VLAN filters into one single filter
and apply that filter to all the VLANs. You can use the vlan match condition in the
firewall filter terms to differentiate the rules for each of the VLANs.
Hardware
On 40-port SFP+ line cards for EX8200 switches, the LEDs on the left of the network
ports do not blink to indicate that there is link activity if you set the speed of the network
ports to 10/100/1000 Mbps. However, if you set the speed to 10 Gbps, the LEDs blink.
If you press the reset button on the Switch Fabric and Routing Engine (SRE) module
in an EX8208 switch without taking the module offline first (by using the CLI), the
fabric planes in the module might not come back online.
198
On 40-port SFP+ line cards installed in EX8200 switches, it takes about 10 seconds
for the network ports to come up after you reboot the switch or restart a line card.
On the LCD Panel, in the Menu Options, under the MAINT (Maintenance Menu), the
option Request VC Port with the further option Set FPC 0?, is not supported on
standalone EX4500 switches even though these options are displayed on the LCD
Panel.
High Availability
On EX8216 switches on which nonstop active routing (NSR) is configured, after a

graceful Routing Engine switchover (GRES), the routing protocol process (rpd) might
be delayed until state replication finishes. The duration of the delay depends on the
scale of the setup. During this delay, operational mode commands for the rpd process
do not provide current information.
Infrastructure
If you configure interface parameters on an EX3200 or an EX4200 switch running Junos

OS Release 9.2 or Release 9.3 for EX Series switches and then attempt to upgrade to
a later release or a later version of Release 9.3 than the one that is currently installed,
the switch might display the following error message: init: interface-control is thrashing
, not restarted. As a workaround, on the interfaces you had previously configured,
configure no-auto-negotiation and set the link mode to full-duplex, then commit the
revised configuration.
On EX Series switches, an SNMP query fails when the SNMP index size of a table is
greater than 128 bytes, because the Net SNMP tool does not support SNMP index sizes
greater than 128 bytes.
On EX Series switches, the show snmp mib walk etherMIB command does not display
any output, even though the etherMIB is supported. This occurs because the values
are not populated at the module levelthey are populated at the table level only. You
can issue show snmp mib walk dot3StatsTable, show snmp mib walk dot3PauseTable,
and show snmp mib walk dot3ControlTable commands to display the output at the
table level.
When you issue the request system power-off command, the switch halts instead of
turning off power.
In the J-Web interface, the Ethernet Switching Monitor page might not display
monitoring details if the switch has more than 13,000 MAC entries..
In the J-Web interface, changing the port role from Desktop, Desktop and Phone, or
Layer 2 Uplink to another port role might not remove the configurations for enabling
dynamic ARP inspection and DHCP snooping.
On EX3200 and EX4200 switches that are configured with the factory default
configuration, if you use the command set date to change the date, the switches accept
the date but display the following error message: date: connect: Can't assign requested
address.
On EX8208 switches, when a line card that has no interface configurations and is not
connected to any device is taken offline using the command request chassis fpc-slot
199
slot-number offline, the Bidirectional Forwarding Detection process (bfd) starts and
stops repeatedly. The same bfd process behavior occurs on a line card that is connected
to a Layer 3 domain when another line card that is on the same switch and is connected
to a Layer 2 domain is taken offline.
If you install a large configuration (more than 5 MB)for example, if you install more
than four 40-port SFP+ line cardsin an EX8200 switch, the error message
Configuration on the Switch is too large for JWeb to handle. Please use the CLI to
manipulate the configuration" is displayed in the Support Information page (Maintain
> Customer Support > Support Information) in the J-Web interface.
If you perform a graceful Routing Engine switchover (GRES) on an EX Series switch

that has a large number (on the order of 1000 or more) of unresolved ARP entries, core
files are created on the backup Routing Engine.
On EX8200 switches, if IS-IS is enabled on routed VLAN interfaces (RVIs), IS-IS

adjacency states go down and come up after a graceful Routing Engine switchover
(GRES).
Momentary loss of an inter-Routing Engine IPC message might trigger the alarm that
displays the message Loss of communication with Backup RE. However, no
functionality is affected.
If you perform graceful Routing Engine switchover (GRES) on an EX4200 or an EX8200

switch, the Ethernet switching table might not refresh because the Packet Forwarding
Engine retains the forwarding database (FDB) entries. The result is that traffic is flooded
to the affected MAC addresses. As a workaround, refresh the Ethernet switching table
by issuing the clear ethernet-switching table command.
On EX4500 switches running IPv6, when you send a large number of pings to the switch
in quick succession, packet loss might occur because of low values configured for rate
limiting.
Interfaces
EX Series switches do not support queued packet counters. Therefore, the queued
packet counter in the output of the show interfaces interface-name extensive command
always displays a count of 0 and is never updated.
On EX3200 and EX4200 switches, when port mirroring is configured on any interface,
the mirrored packets leaving a tagged interface might contain an incorrect VLAN ID.
On EX8200 switches, port mirroring configuration is not supported on a Layer 3 interface

with the output configured to a VLAN.
On EX8200 switches, when an egress VLAN that belongs to a routed VLAN interface
(RVI) is configured as the input for a port mirroring analyzer, the analyzer incorrectly
appends a dot1q (802.1Q) header to the mirrored packets or does not mirror any packets
at all. As a workaround, configure a port mirroring analyzer with each port of the VLAN
as egress input.
The following interface counters are not supported on routed VLAN interfaces (RVIs):
local statistics, traffic statistics, and transit statistics.
200
EX Series switches do not support IPv6 interface statistics. Therefore, all values in the
output of the show snmp mib walk ipv6IfStatsTable command always display a count
of 0.
On EX Series switches, when a firewall filter is applied on the loopback (lo0) interface,
the switch stops generating local ARP requests for transit traffic.
The show interfaces interface-name detail | extensive command might display double
counting of packets or bytes for the transit statistics and traffic statistics counters.
You can use the counter information displayed under the Physical interface section of
the output.
When MVRP is configured on a trunk interface, you cannot configure connectivity fault
management (CFM) on that interface.
On EX Series switches, if you clear LAG interface statistics while the LAG is down, then
bring up the LAG and pass traffic without checking for statistics, and finally bring the
LAG interface down and check interface statistics again, the statistics might be
inaccurate. As a workaround, use the show interfaces interface-name command to
check LAG interface statistics before bringing down the interface. [PR/542018]
If you insert Gigabit Ethernet transceivers in 40-port SFP+ line cards installed in EX8200
switches, the transceivers are incorrectly shown as copper transceivers in the image
of the switch in the Dashboard page in the J-Web interface.
When you are editing an interface-range configuration in the private mode, if you change
the end of the range of the member-range statement, the configuration might fail. As
a workaround, edit the end of the range of the member-range statement in the
configuration mode.
J-Web Interface
If you try to commit a candidate configuration in the CLI using the Point and Click CLI
in the J-Web interface, an error is displayed on the configuration page.
Layer 2 and Layer 3 Protocols
IGMP snooping is not supported on a VLAN that includes a routed VLAN interface (RVI)
that is configured as part of a virtual routing instance.
Spanning Tree Protocols
If you delete multiple spanning-tree protocol interfaces from a configuration using a

single commit command and then add the interfaces back to the configuration, the
spanning-tree protocol packets might be dropped. As a workaround, use a separate
commit command to delete each spanning-tree protocol interface.
Virtual Chassis
On EX8200 Virtual Chassis systems, ECMP might not work for links present between
Virtual Chassis.
On an EX8200 Virtual Chassis with a single hard disk, the hard disk might not boot.
The error message is "TIMEOUT - WRITE_DMA retrying".
201
Related
Documentation
After you reboot or upgrade the software on members of an EX8200 Virtual Chassis,
the FPCs might not come up for more than eight minutes when the Virtual Chassis has
a square topology. (This is a topology in which the Routing Engines of member 0
connect to those of member 8, the Routing Engines of member 1 connect to those of
member 9, member 8 connects to member 9, and a VCP LAG forms between members
0 and 1.)
on page 196
on page 211
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches

The following are outstanding issues in Junos OS Release 10.4R2 for EX Series switches.
The identifier following the description is the tracking number in our bug database.
NOTE: Other software issues that are common to both EX Series switches
and M, MX, and T Series routers are listed in Issues in Junos OS Release 10.4
When you configure 802.1X bypass, the client becomes unreachable each time the
MAC age time interval increments. [PR/536316]
When the primary redundant trunk group (RTG) interface is disabled, causing an RTG
switchover, MAC entries on the upstream switches are refreshed. However, when the
primary RTG link is enabled, the MAC entries are not refreshed on the upstream switches.
[PR/555158]
If you enable all VRRP sessions simultaneously on a switch with a large number (on
the order of 200 or more) of VRRP configurations, RSTP convergence might not occur.
As a workaround, do not enable all VRRP sessions simultaneously if the switchs VRRP
configuration is large. [PR/556114]
Ethernet Switching
When the pfem restarts, EX Series switches cannot receive any Q-in-Q frames and
drops them all. [PR/527117]
202
On EX4500 switches, if you activate and then deactivate a firewall filter configuration,
VSTP convergence might not occur properly. As a workaround, restart the Ethernet
switching process (eswd). [PR/548446]
On an interface that is receiving storm traffic, if you use the set

ethernet-switching-options storm-control action-shutdown command to disable the
interface, it can take up to 30 seconds for the interface to shut down. [PR/556107]
Firewall Filters
On EX4200 switches, if you configure a firewall filter with the match condition
tcp-established, the error message "not supported" is displayed. [PR/543316]
Hardware
On EX4200 switches, the uplink port status LED on the 4-port Gigabit Ethernet SFP
does not properly indicate the status of the uplink port. [PR/528070]
If no Intraconnect module or Virtual Chassis module is installed in EX4500 switches,

the switch boots but is not fully functional. Traffic loss can occur during packet
forwarding. [PR/544628]
Infrastructure
On EX8200 switches, when IGMP snooping is enabled on an interface, the IPv6

multicast Layer 2 control frame is not forwarded to other interfaces in the same VLAN.
The result is that IPv6 and VRRP for IPv6 neighbor solicitation fails. [PR/456700]
On EX8200 switches, when you perform a graceful Routing Engine switchover (GRES)
or when you restart Ethernet switching on any spanning-tree protocol domain, a loop
might occur. [PR/516611]
On EX8200 switches, if a log or a syslog action is configured along with an interface

action in a firewall filter configuration, logging does not work. [PR/540097]
On EX8200 switches, the LACP process (lacpd) might start and stop repeatedly when
traffic to the Routing Engine is heavy. [PR/542897]
On EX4200 switches, the SFP+ uplink module might not work correctly even though
the link status is UP. [PR/569307]
On EX4500 switches, if more than 14 ports in the switch are subscribed to a 10-gigabit
full-duplex rate of traffic, the switch might not be able to achieve a 10-gigabit wire rate
for 64 and 128 byte packets. There is no impact on performance if the number of ports
actively involved in 10-gigabit wire-rate traffic is 14 or fewer or if the packet size is
greater than 150 bytes. [PR/573319]
If you set a custom chassis display message with the set chassis display message
message command, the message might remain on the LCD panel indefinitely even
though you did not include the permanent option in your command. [PR/579234]
On EX8200 switches, when you are upgrading the line cards, the nonstop software
upgrade (NSSU) process might abort. The system generates a core file when this
happens. [PR/580494]
203
J-Web Interface
In the J-Web interface, you cannot commit some configuration changes in the Port
Configuration page and the VLAN Configuration page because of the following
limitations for port mirroring ports and port mirroring VLANs:
A port configured as the output port for an analyzer cannot be a member of any
VLAN other than the default VLAN.
A VLAN configured to receive analyzer output can be associated with only one port.
[PR/400814]
When you use the Microsoft Internet Explorer browser to open a report from the
following pages in the J-Web interface, the report opens in the same browser session:
Files page (Maintain > Files)
History page (Maintain > Config Management > History)
Port Troubleshooting page (Troubleshoot > Troubleshoot > Troubleshoot Port)
Static Routing page (Monitor > Routing > Route Information)
Support Information page (Maintain > Customer Support > Support Information)
View Events page (Monitor > Events and Alarms > View Events)
As a workaround, save the report and then open it.

[PR/433883]
In the J-Web interface, in the Port Security Configuration page, you are required to
configure action when you configure MAC limit even though configuring an action value
is not mandatory in the CLI. [PR/434836]
In the J-Web interface, in the OSPF Global Settings table in the OSPF Configuration
page, the Global Information table in the BGP Configuration page, or the Add Interface
window in the LACP Configuration page, if you try to change the position of columns
using the drag-and-drop method, only the column header moves to the new position
instead of the entire column. [PR/465030]
If a large number of static routes are configured and if you have navigated to pages
other than page 1 in the Route Information table in the J-Web interface (Monitor >
Routing > Route Information), changing the Route Table to query other routes refreshes
the page but does not return to page 1. For example, if you run a query from page 3 and
the new query returns very few results, the Results table continues to display page 3
and shows no results. To view the results, navigate to page 1 manually. [PR/476338]
In the J-Web interface, the dashboard does not display the uplink ports or uplink module
ports unless transceivers are plugged into the ports. [PR/477549]
The J-Web interface Static Routing page might not display details on entries registered
in the routing table. [PR/483885]
In the J-Web interface, the Software Upload and Install Package option might not display
a warning message when there are pending changes to be committed. [PR/514853]
204
On EX4500 switches, the J-Web interface might display the following as valid options
although these options are not supported on EX4500 switches:
DHCP snooping in the Edit Port Role window in the Ports Configuration page
Input filter association in the VLAN Configuration page
[PR/525671]
When you use an HTTPS connection in the Microsoft Internet Explorer browser to save
a report from the following pages in the J-Web interface, the error message Internet
Explorer was not able to open the Internet site is displayed:
Files page (Maintain > Files)
History page (Maintain > Config Management > History)
Port Troubleshooting page (Troubleshoot > Troubleshoot > Troubleshoot Port)
Static Routing page (Monitor > Routing > Route Information)
Support Information page (Maintain > Customer Support > Support Information)
View Events page (Monitor > Events and Alarms > View Events)
[PR/542887]
If you configure 802.1X on an EX Series switch, the J-Web interface performance slows
down. [PR/543298]
On EX4500 switches and on EX4200-24F switches, the total number of ports displayed
in the dashboard (Dashboard > Capacity Utilization > Total number of ports) in the
J-Web interface increases every 2 seconds, each time an automatic refresh occurs.
[PR/543913]
When you open a J-Web session using HTTPS, then enter a username and password
and click on the Login button, the J-Web interface takes 20 seconds longer to launch
and load the Dashboard page than it does if you use HTTP. [PR/549934]
If you navigate to a new page before all the components of a page in the J-Web interface
are loaded, a pop-up window with the error message Object Expected is displayed.
[PR/567756]
In the J-Web interface, aggregated Ethernet interfaces are not populated in the Port
Association table. [PR/579555]
On EX8200 switches, if you take a line card offline when GRES and IGMP snooping are
enabled, existing multicast traffic might be affected because indexes are not updated
correctly. [PR/569637]
On an EX4200 Virtual Chassis, when you configure the RPM hardware timestamp with
the hardware-timestamp configuration statement, the show services rpm probe-results
command displays the hardware timestamp status as "No hardware timestamps". As
a workaround, do not configure a source address for RPM probes. Packets are sent
205
and received on the same interface. This problem does not occur if both egress and
ingress interfaces are on the same Virtual Chassis member. [PR/578734]
Management and RMON
On EX8200 switches, when an egress VLAN that belongs to a routed VLAN interface
(RVI) is configured as the input for a port mirroring analyzer, the analyzer appends an
incorrect dot1q (802.1Q) header to the mirrored packets on the routed traffic or does
not mirror any packets on the routed traffic. As a workaround, configure a port mirroring
analyzer with each port of the VLAN as egress input. [PR/445393]
Virtual Chassis
Related
Documentation
On an EX4200 Virtual Chassis, an automatic software update fails if you have

configured preprovisioning or mastership priority. [PR/557981]
on page 196
on page 211
Resolved Issues in Junos OS Release 10.4 for EX Series Switches

The following are the issues that have been resolved since Junos OS Release 10.3 for EX
Series switches. The identifier following the descriptions is the tracking number in our
bug database.
NOTE: Other software issues that are common to both EX Series switches
and M, MX, and T Series routers are listed in Issues in Junos OS Release 10.4
206
If you connect a computer to a phone that is connected to an interface supporting

multiple supplicants on an EX2200 switch, the Telecommunications Industry
Association (TIA) network policy in the LLDP-MED packets from the EX2200 switch
reports an incorrect VLAN and the phone might lose connectivity. [PR/542810: This
Ethernet Switching
A LAG between an EX4200 Virtual Chassis and Cisco 6500 switch might not recover
when the EX Virtual Chassis master switch is power-cycled. [PR/505069: This issue
has been resolved.]
Hardware
EX8200 switches might not detect the front-panel LCD display. [PR/553144: This
After you have disabled an interface on an EX2200 switch, the LED is still lit on that
interface. [PR/553219: This issue has been resolved.]
Infrastructure
If an SRE module, RE module, SF module, line card, or Virtual Chassis member is in

offline mode, the J-Web interface might not update the dashboard image accordingly.
On EX Series switches, MAC addresses not present in the forwarding database (FDB)
because of hash collision are not removed from the Ethernet switching process (eswd).
These MAC addresses do not age out of the Ethernet switching table even if traffic is
stopped completely and are never relearned when traffic is sent to these MAC
addresses, even when there is no hash collision. As a workaround, clear those MAC
addresses from the Ethernet switching table. [PR/451431: This issue has been resolved.]
When multicast packets are transmitted from interfaces on which PIM is not enabled,
VRRP might flap. [PR/520194: This issue has been resolved.]
On EX8200 switches, packets with unregistered Layer 2 multicast MAC addresses are
not dropped on interfaces in the STP blocked state, resulting in some traffic loops that
might impact network performance. [PR/541123: This issue has been resolved.]
On EX2200, EX3200, EX4200, and EX4500 switches, if you configure a large number
of VLANS and aggregated Ethernet interfaces and commit the configuration, the
forwarding process (pfem) utilization stays at 80 percent for more than 60 minutes.
As a result, the aggregated Ethernet interfaces cannot be used until the pfem usage
reduces to normal limits. [PR/544433: This issue has been resolved.]
On EX4200 switches, spurious packets (packets with unsupported fields) arriving at

the backup Routing Engine while a GRES operation is in progress can cause a kernel
crash (vmcore). [PR/546314: This issue has been resolved]
207
When the configured DNS server is not reachable, name resolution for localhost takes
a long time and the output of the show ntp association command takes a long time to
appear. [PR/551739: This issue has been resolved.]
During a nonstop software upgrade (NSSU) on EX8200 switches, if the number of

routes is greater than about 100,000, the graceful Routing Engine switchover (GRES)
and nonstop active routing (NSR) synchronization might take longer than two minutes.
The result is that the NSSU timers expire and the NSSU operation aborts. [PR/559223:
If a Routing Engine fails over to the backup Routing Engine, not all multicast groups
that were active on the switch recover. [PR/563030: This issue has been resolved.]
During the TFTP transfer portion of an automatic software download procedure, the
software package might be truncated or corrupted. [PR/570901: This issue has been
resolved.]
The Ethernet switching process (eswd) might crash and then recover when the following
change is made in CLI (either in a single commit or in separate commits):
First, you remove an interface from interface range on which VoIP is configured.
Then, you either delete the removed interface or change its address family to a family
other than ethernet-switching.
On an EX4200 Virtual Chassis, a pfem core file might be created if all the 802.1x (dot1x)
interfaces are in the held state or the connecting state. [PR/571865: This issue has
been resolved.]
On an EX4200 Virtual Chassis, a large number of awk processes and defunct processes
might be running. [PR/576621: This issue has been resolved.]
Interfaces
On a 40-port SFP+ line card in an EX8200 switch, if you assign different shaping rates
to different ports in a port group, you do not receive an error message when you commit
the configuration, and no error is logged in the system log. As a workaround, configure
the same shaping rate on all ports in a port group. [PR/524073: This issue has been
resolved.]
In a Q-in-Q tunneling configuration that includes aggregated Ethernet interfaces (LAGs),

after a pfem process restart, the member interfaces in the VLAN might be incorrectly
set. [PR/527117: This issue has been resolved.]
On EX Series switches, the configured interface hold time does not work. [PR/537477:
On EX4500 switches, when you are configuring Gigabit Ethernet interfaces from the
command-line interface (CLI), automatic command completion does not work.
208
On EX4500 switches, when you are configuring Gigabit Ethernet interfaces from the
command-line interface (CLI), automatic command completion does not work.
[PR/561695]
On EX4200 switches, autonegotiation bypass on an EX4200 switch, which allows a

link in Gigabit Ethernet SFPs to begin operation even if autonegotiation on the link
partner is disabled, fails to bring up the link. [PR/571198: This issue has been resolved.]
J-Web Interface
In the J-Web interface, the automatic command-completion feature might not be

disabled in the password field. As a workaround, you can disable the automatic
command-completion feature in the browser. [PR/508425: This issue has been
resolved.]
If you have a candidate configuration in the CLI and you try to commit configuration
changes using the Point and Click CLI in the J-Web interface, the configuration page
displays an error. [PR/514771: This issue has been resolved.]
In the J-Web interface, when you select the Ethernet Switching Monitor page (Monitor
> Switching > Ethernet Switching), the MAC learning log might not display information.
In the LACP (Link Aggregation Control Protocol) Configuration page in the J-Web
interface (Configure > Interfaces > Link Aggregation), the Delete button is disabled
even when you select an aggregated Ethernet interface configured with a physical
interface, VLAN, and IP option. As a workaround, delete the physical interface, VLAN,
and IP option from the aggregated Ethernet interface using the CLI. [PR/546411: This
In the J-Web interface, when you use an HTTPS connection in the Microsoft Internet
Explorer browser, you cannot upload (Maintain > Config Management > Upload) or
download (Maintain > Config Management > History > Configuration History) a
configuration file. As a workaround, use an HTTP connection. [PR/551200: This issue
has been resolved.]
When no line card is installed in an EX8208 switch, if you:
Navigate to the Port Monitoring page (Monitor > Interfaces) in the J-Web interface,
a pop-up window with the error message 'gridData.0' is null or not an object is
displayed.
Select the displayed interface and click the Show Graph button, a pop-up window
with the error message 'selected FpcName' is undefined is displayed.
The dashboard in the J-Web interface might not refresh automatically if you navigate
back and forth between the Dashboard page and other pages. [PR/566359: This issue
has been resolved.]
209
If there are many joins associated with a neighbor and that neighbor goes down and
comes back up quickly, then those joins might be stranded in an unresolved state until
the clear pim join command is issued. [PR/539962: This issue has been resolved.]
PIM join messages sent from an EX8208 switch to a Cisco RP using Auto-RP show the
upstream neighbor as being the EX8208 switch itself and not the Cisco RP. [PR/557130:
Management and RMON
On EX4200 switches, the LACP process (lacpd) creates core files when an SNMP MIB
lookup is performed. [PR/533226: This issue has been resolved.]
Virtual Chassis
Related
Documentation
On an EX4200 Virtual Chassis, after you run the request system reboot member
master-member-id member-id command, the master Virtual Chassis member fails to
reboot. That is, you cannot reboot only the master switch on the Virtual Chassis.
on page 196
on page 211
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches

This section lists outstanding issues with the documentation.
J-Web Interface
To access the J-Web interface, your management device requires the following
software:
Supported browsersMicrosoft Internet Explorer version 7.0 or Mozilla Firefox version

3.0
Language supportEnglish-version browsers
210
Supported OSMicrosoft Windows XP Service Pack 3
Virtual Chassis
Related
Documentation
The EX Series Switch Software Features Overview topic in the EX Series Junos OS
Release 10.4R1 documentation incorrectly states that, on EX8200 Virtual Chassis, the
IP source guard feature is supported in Junos OS Release 10.3R1 and that the multicast
storm control feature is supported in Junos OS Release 10.3R2. These features are not
supported on EX8200 Virtual Chassis.
on page 196
on page 211
The following pages list the issues in Junos OS Release 10.4R2 for EX Series switches
regarding software upgrade or downgrade:
Upgrading Software on page 211
Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series

Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series

Upgrading Software
You can use this procedure to upgrade Junos OS on an EX Series switch with a single
Routing Engine, including an individual member of an EX4200 Virtual Chassis or all
members of an EX4200 Virtual Chassis or an EX8200 switch using a single Routing
Engine. To upgrade software on an EX8200 switch running two Routing Engines, see
Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure)
or Upgrading Software Using Nonstop Software Upgrade (CLI Procedure).

To install software upgrades on a switch with a single Routing Engine:
1.
Download the software package as described in Downloading Software Packages from

Juniper Networks.
2. (Optional) Back up the current software configuration to a second storage option.
See the Junos OS Installation and Upgrade Guide at

http://www.juniper.net/techpubs/software/junos/index.html for instructions.
211
3. (Optional) Copy the software package to the switch. We recommend that you use
FTP to copy the file to the /var/tmp directory.

This step is optional because Junos OS can also be upgraded when the software
image is stored at a remote location.
4. Install the new package on the switch:
user@switch> request system software add package
Replace package with one of the following paths:
For a software package in a local directory on the switch/var/tmp/package.tgz.
For a software package on a remote server:
ftp://hostname/pathname/package.tgz
http://hostname/pathname/package.tgz
where package.tgz is, for example, jinstall-ex-4200-10.3R1.8-domestic-signed.tgz.

Include the optional member option to install the software package on only one
member of an EX4200 Virtual Chassis:
user@switch> request system software add source member member-id reboot
Other members of the Virtual Chassis are not affected. To install the software on all
members of the Virtual Chassis, do not include the member option.
NOTE: To abort the installation, do not reboot your device; instead, finish
the installation and then issue the request system software delete
package.tgz command, where package.tgz is, for example,
jinstall-ex-8200-10.2R1.8-domestic-signed.tgz. This is your last chance to
stop the installation.
5. Reboot to start the new software:
user@switch> request system reboot

6. After the reboot has completed, log in and verify that the new version of the software
is properly installed:
user@switch> show version

10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second
212
10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0
remains unchanged.
Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series Switches

The ARP aging time configuration in the system configuration stanza in Junos OS Release
9.4R1 is incompatible with the ARP aging time configuration in Junos OS Release 9.3R1
or earlier and Junos OS Release 9.4R2 or later. If you have configured system arp
aging-timer aging-time on EX Series switches running Junos OS Release 9.4R1 and upgrade
to Junos OS Release 9.4R2 or later or downgrade to Junos OS Release 9.3R1 or earlier,
the switch will display configuration errors on booting up after the upgrade or downgrade.
As a workaround, delete the arp aging-timer aging-time configuration in the system
configuration stanza and reapply the configuration after you complete the upgrade or
downgrade.
The format of the file in which the EX4200 Virtual Chassis topology information is stored
was changed in Junos OS Release 9.4. When you downgrade Junos OS Release 9.4 or
later running on EX4200 switches in a Virtual Chassis to Junos OS Release 9.3 or earlier,
make topology changes, and then upgrade to Junos OS Release 9.4 or later, the topology
changes you have made using Junos OS Release 9.3 or earlier are not retained. The switch
restores the last topology change you have made using Junos OS Release 9.4.
Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches
If you are upgrading from Junos OS Release 9.3R1 and have voice over IP (VoIP) enabled
on a private VLAN (PVLAN), you must remove this configuration before upgrading, to
prevent upgrade problems. VoIP on PVLAN interfaces is not supported in releases later
than Junos OS Release 9.3R1.
Related
Documentation
on page 196
213
Junos OS Documentation and Release Notes

For a list of related Junos OS documentation, see
http://www.juniper.net/techpubs/software/junos/ .
If the information in the latest release notes differs from the information in the
documentation, follow the Junos OS Release Notes.
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/ .
Juniper Networks supports a technical book program to publish books by Juniper Networks
engineers and subject matter experts with book publishers around the world. These
books go beyond the technical documentation to explore the nuances of network
architecture, deployment, and administration using the Junos operating system (Junos
OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library,
published in conjunction with O'Reilly Media, explores improving network security,
reliability, and availability using Junos OS configuration techniques. All the books are for
sale at technical bookstores and book outlets around the world. The current list can be
viewed at http://www.juniper.net/books .
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
Document name
Document part number
Page number
Software release version
Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need postsales technical support, you can access
our tools and resources online or open a case with JTAC.
JTAC policiesFor a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/710059.pdf.
Product warrantiesFor product warranty information, visit

http://www.juniper.net/support/warranty/.
214
Requesting Technical Support
JTAC Hours of Operation The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/support/requesting-support.html.
If you are reporting a hardware or software problem, issue the following command from
the CLI before contacting support:
user@host> request support information | save filename
To provide a core file to Juniper Networks for analysis, compress the file with the gzip
utility, rename the file to include your company name, and copy it to
ftp.juniper.net:pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to
support@juniper.net. For documentation issues, fill out the bug report form located at
https://www.juniper.net/cgi-bin/docbugreport/.
215
Revision History
11 February 2011Revision 6, JUNOS Release 10.4R2
04 February 2011Revision 5, JUNOS Release 10.4R1
25 January 2011Revision 4, JUNOS Release 10.4R1
14 January 2011Revision 3, JUNOS Release 10.4R1
21 December 2010Revision 2, JUNOS Release 10.4R1
Copyright 2011, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
216

Junos Os 104 Release Notes Rev 6

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Junos Os 104 Release Notes Rev 6

Enviado por

Direitos autorais:

Formatos disponíveis

Junos OS 10.

Copyright 2011, Juniper Networks, Inc.

Downloaded from www.Manualslib.com manuals search engine